Thursday, November 16, 2006


The GUI is going to be completely new. I was working (for 3 weeks) on changing the old GUI but decided to start from ZERO to have a completely new and optimized GUI.

Anyway, I'm not going to post many things in the near future because I'm very busy working on it.

Hope for a user-friendly, simple and effective GUI.

I'll post some pics ASAP.

Wednesday, October 18, 2006

Beta 2 public release

And finally NG v1.0 Beta 2 is publicly released.

For more info visit NG's website:
or download page:

Please report bugs to feedback [at] neoava [dot] com

I will publish a list of new features on the website.
I have to work on its graphic parts and will publish the first version as soon as it seems to be complete.

for now, download NG beta 2 and

Friday, October 06, 2006

Beta-testing final steps

The NG beta 2 is almost ready for public release.

Beta-testers reported several bugs (including 1 BSOD-triggering bug); all of them were debugged successfully, and NG beta 2 is now more stable and better.

I've received a lot of suggestions, most of them either related to the GUI (which is going to be changed after the beta 2 public release) or requiring a lot of changes in NG code, which may produce more bugs as a result of added functionality. So I saved them for future versions.

Thanks to all beta-testers, NG is going to be released by next week.

Friday, September 29, 2006

Testing Beta 2

The beta 2 version has been sent to beta-testers.

I'm working with them debugging NG beta 2.

Thanks to all beta testers.

Saturday, September 23, 2006

Beta 2

The beta is ready, but a last-minute bug caused a delay.

I'll work to debug it tomorrow and send it to beta-testers.

Sunday, September 10, 2006

Testing learning-mode

And the learning-mode is finished.

I finally decided to make the Learning-Mode (LM) as simple as possible,
as it may cause complications if I use a complex routine to decide whether or not to add a particular application to trusted-mode while on LM.

So the LM is just a state in which the driver adds all executed executables to trusted apps, so the driver is actually not protecting against anything. By default, the LM is enabled for 5 hours of working with the computer after installation (can be chosen to be disabled).

I'm currently testing it, because it made a lot of changes in several parts.

Wednesday, September 06, 2006



In the last 5-6 days I was busy working on another thing, so I have to start working on learning-mode from today.

But I have some ideas on how to design the learning-mode part; it's going to be very unique.

I'm really sorry, I'll work on NG beta 2 as hard as possible.

Monday, August 28, 2006


After some testing and installing NG, I decided to add another thing to NG beta 2: a learning-mode.

That makes the first days of NG installation a lot easier for the user.

I think it takes at least 1 week.

BTW, the number of beta-testers is growing a little bit these days, and it's really good.

Saturday, August 26, 2006

driver file modification protection

I've done the driver file modification filter, and yesterday was a new record for me, working for 13 hours.

I'm preparing the NG wizard and setup, and I will send the debug version of NG beta 2 to beta-testers in the next few days.

Friday, August 25, 2006

Direct physical memory access & driver loading

Numbers 4 and 5 from the previous post are done.

Just want to note that the protection against direct memory writing also helps defend against restoring SDT. the method described in This method uses the physical memory access too (\device\physicalmemory). So, by applying this filter we effectively stop SDTrestore from gaining write access to physical memory.

Now, I will work on number 7, modifying driver files on disk.
That's going to be a little bit hard.

Monday, August 21, 2006

Attacking Host-based Intrusion Prevention Systems

A few days ago Thomas emailed me a document about Attacking HIPS. (Thanks, Thomas.)
The document was written by Eugene Tsyrklevich from . It is a very interesting article and covers some interesting attacking methods to bypass HIPS. Here is a list of the attacks related to my HIPS:

  1. Using Symbolic Links to bypass filters
    NG is actually protected against this kind of attack, as it is designed to completely resolve all names before checking them against filters.

  2. Using Service Control Manager (SCM) to install drivers or something
    NG detects all requests to SCM, checks them against the service & driver creation/modification settings/filter, and can allow or deny them.

  3. ZwLoadDriver()
    This one is also already protected by NG.

  4. Using ZwSetSystemInformation's SystemLoadAndCallImage & SystemLoadImage to load drivers
    I'm currently working on protecting NG's users from this kind of attack (takes some time).

  5. Inject code by directly modifying the kernel memory (\Device\PhysicalMemory)
    NG is not protected against this attack. I will work on this one after the zwsetsysinfo one; it takes little time.

  6. If a trusted system process is still allowed to load kernel drivers, use DLL injection to inject userland code into the trusted process and then load a malicious kernel driver
    NG protects processes against DLL injection.

  7. Modify an existing kernel driver on disk
    This is also possible against NG's protection; I'll work on it in the next few days.

I think that's enough description about attacks.
I'll work on them and report back.

document link:
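Item 1's defence, resolving every name completely before it is checked against the filters, is shown below as an added example; it is not Neoava Guard's code. POSIX symbolic links and `realpath()` stand in for NT symbolic links and the driver's own name resolution, and the paths, the file name `ng.sys` and all function names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* realpath, mkdtemp, symlink */
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path equals root or lies beneath it (whole components only). */
static int under(const char *path, const char *root) {
    size_t n = strlen(root);
    return strncmp(path, root, n) == 0 && (path[n] == '/' || path[n] == '\0');
}
/* Naive filter: compares the name exactly as the caller supplied it. */
int naive_denies(const char *path, const char *prot) { return under(path, prot); }

/* Resolving filter: canonicalise, then compare. A not-yet-existing target
   (a create request) is resolved through its parent; errors fail closed. */
int resolved_denies(const char *path, const char *prot) {
    char real[PATH_MAX], root[PATH_MAX], d[PATH_MAX], b[PATH_MAX];
    if (!realpath(prot, root)) return 1;
    if (!realpath(path, real)) {
        snprintf(d, sizeof d, "%s", path);   /* dirname/basename may modify */
        snprintf(b, sizeof b, "%s", path);
        if (!realpath(dirname(d), real)) return 1;
        size_t len = strlen(real);
        snprintf(real + len, sizeof real - len, "/%s", basename(b));
    }
    return under(real, root);
}

/* Constructed scenario: <tmp>/drivers is protected, <tmp>/alias links to it. */
int demo(int *naive, int *resolved, int *resolved_new) {
    char dir[] = "/tmp/ngdemoXXXXXX", prot[PATH_MAX], p[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    snprintf(prot, sizeof prot, "%s/drivers", dir);
    snprintf(p, sizeof p, "%s/alias", dir);
    if (mkdir(prot, 0700) || symlink(prot, p)) return -1;
    snprintf(p, sizeof p, "%s/alias/ng.sys", dir);
    FILE *f = fopen(p, "w");                 /* creates drivers/ng.sys */
    if (!f || fclose(f)) return -1;
    *naive = naive_denies(p, prot);          /* 0: alias name slips past */
    *resolved = resolved_denies(p, prot);    /* 1: resolves into drivers/ */
    snprintf(p, sizeof p, "%s/alias/new.sys", dir);
    *resolved_new = resolved_denies(p, prot);/* 1: parent resolved */
    return 0;
}
int main(void) { int n, r, c; return demo(&n, &r, &c) ? 1 : !(n == 0 && r && c); }
```

The temporary directory is left in place so the link and the protected file can be inspected after a run.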

Saturday, August 19, 2006

partition table protection done

Low-level disk access filter done; now all applications trying to access the hard disk directly can be detected.

The beta-testing will start next week because there are a couple of things I want to add. I will write about it in the next post.

Thursday, August 17, 2006

low-level disk access

Thanks, Krazaf.

After a new sample from Krazaf, I successfully found how this kind of attack can be detected.

It is not hard to implement and should take some hours/1 day.

I'll work on it tomorrow.

GeSwall incompatibility

While running GeSwall along with NG, a BSOD triggers at almost random times. Debug analysis didn't show anything, so I think I should leave it and recommend not using NG and GeSwall together.

As the BSOD triggered very rarely on my system, it's harder to debug it.
So I give up on debugging this incompatibility issue.

Wednesday, August 09, 2006

everything is fine

There were just a couple of bugs.

They are OK now, but I'm still looking for bugs.

On 20 Aug, the new beta 2 is going to start its tests by beta-testers who decided to help me debug NG b2.

Till then I will work alone on debugging.

I have enabled a couple of features which were disabled, or which I had decided to disable in beta 2. I think I have enough ideas to keep future versions interesting.

BTW, I will keep NG free. And I don't keep it free to help people protect their systems or fight against malware, but to show the power of my software to everyone and to become famous. That's all.

Tuesday, August 01, 2006


As several incompatibilities and bugs were reported while using NG along with some other firewalls, anti-viruses, etc., I have decided to run them on my computer and test them thoroughly. This is going to be the last step in NG beta 2 development.

I'll report bugs.

Monday, July 31, 2006

program execution filter done


Well, after a lot of where-is-the-bug stuff, I've done the program execution filter, and I have to say that it looks great, not only for its main purpose (which is preventing malware from running), but it can also be used by the user to easily add her new executables to Trusted Executables, as it will prompt the user when a new, untrusted executable is going to be executed.

I should mention this method of adding programs to trust somewhere in help and in the new GUI's Graphical User Guide.

And yes, that's another new feature which can make using NG easier for end-users by showing them how they can do something with NG.

Saturday, July 29, 2006

old suggestion

There is an old and cool suggestion I received through the website's feedback form.

Kevin suggested:

Neoava should also have a filter that prompts the user for launching executables. This can prevent malicious programs from starting.

Actually I was thinking about this one when I began working on the NG project, but for some reason (that I can't remember now) ignored it. But this should be a part of every HIPS software.
I'll work on this one from tomorrow after finishing the "driver & services" tests.

I'll report back when it is finished.
Thanks, Kevin.


I've been really busy working on separating Drivers & Services in NG's configurations, settings, alerts and prompts.

It's almost done, but I have to test it; I think it takes a couple of hours.

Right now I feel that nice headache that I have when programming for 11+ hours in one day.
So I've decided to leave the rest of the work for tomorrow.

Regarding another of Navin's suggestions:

If possible perhaps you can make NG's driver load as a boot
driver, this way it protects the system from the start.

I have to say that a System driver protects everything, and there is no need for a Boot driver, as a driver can do anything from there; for example, a driver can bypass NG's protection. I think this applies to all HIPS software.

Friday, July 28, 2006

Monitoring Low-level disk access

Also, thanks to Krazaf for reminding me about low-level access monitoring.

I've researched a little bit about this kind of access but still can't find the information necessary for protection. If anyone (including Krazaf) has a Trojan, virus (or any malware) file which uses low-level access to do damage, please contact me.

If you know exactly how this kind of malware accesses and modifies the MBR or something (that needs low-level access) in the Windows NT family, please leave a comment here.

my busy days are just starting, hoping for better


There are a dozen suggestions from Navin. I'm leaving the completely GUI-related suggestions for the first release version, as I plan to make big changes in the GUI for the first non-beta release.

- It might be a conflict but often the "Executable options" can't load, I get the following error: "error ReadRegString failed". And then Neoavaguard.exe will crash. This is quite a serious bug.

It has already been debugged.

- I see that there isn't a way to delete an entry from the "Executable
options" window? This should be changed. I mean if a process is not trusted
or does not have any special permissions (or violations) it should not be
on the list constantly.
- About "My Protected Files", isn't it a good idea to make this work like
Hide Folders XP? I'm not sure if it's working correctly at the moment and
it can even be dangerous, because if not correctly used, the OS will not
start anymore.

They will be fixed by changing the GUI. The first one is actually something which can be easily done, as it is supported by lower parts. Actually there will be a clean-up option, which will also automatically ask the user to remove these executable entries.
The second one needs some filters so it does not allow critical files to become inaccessible to system processes.

- You should have the ability to password protect Neoava Guard's GUI, with
that I mean that as a non-admin you should be able to see the settings but
you shouldn't be able to change anything and can't allow (only deny)
certain behavior when prompted by an alert, unless you have a password.

This is also a very good feature which will be applied by the new GUI.

- I think you should make a difference between "Services" and
"Drivers" in the "Custom security" settings. If I'm correct drivers (.sys
files) are used to install rootkits and can be more dangerous than Services
(.exe files).

That's right, I will try to apply this today. I'll report back.

Thank you, Navin!

Wednesday, July 26, 2006

Currently working on...

I'm working on the Beta 2 version. The GUI is the same as Beta 1 but debugged, and it contains a new feature which the user can choose during the Wizard, so NG will add all programs on the computer to trusted applications, so after reboot there will be very few alerts (if any).

Tomorrow I'm going to start the GUI part of this feature.

Those of you who are interested in beta-testing NG, please send me an email at and also write a little bit about yourself.

I'll write about some bugs which are now corrected. I will write about other HIPS software here ASAP.

I'm very positive about NG; it has very nice performance considering the very detailed filtering.

Tuesday, July 25, 2006

Creating this weblog


My name is Arman Nayyeri, I'm the author of Neoava Guard.

I decided to create this weblog to stay in touch with everyone and publish news, updates, bugs and debugging information to this weblog for those who are interested in Neoava Guard (or HIPS software).

For more info visit official Neoava Guard website:

For more info about myself:

I'll be back