Neoava Guard

Suspending NG development

2007-10-28T09:49:00.000+03:30

I'm sorry to say this but after trying to continue NG development along with my new work and my new life, finally I decided to suspend NG development for a few months untill I have more time to spend on it. Cuz NG development needs my mind to be focused on it and currently this is impossible.

And to all NG fans: Don't worry this is not an end to NG project, its development will continue, be sure.

This is your help and support which keep me from ending this project. I will do my best to respond your support by developing the NG, the best free HIPS.

Still debugging....

2007-08-20T12:52:00.000+03:30

Its been a long time from my last post, NG beta 3 debugging is still countinues and also some requested features in the support forum added to Beta 3. If you have any suggestion/request or bug report you can post it in support forum. Many bugs fixed but still a lot more testing is needed to have a stable version, I ask anyone interested in HIPS to download and install latest build of NG from support forum, test it and post any bug, suggestion or feature request there.

Here is a copy of Neoava Guard Beta 3 progress log:

Features:

Adding more registry keys for protection - [COMPLETED]
Kernel debugging protection - [COMPLETED]
Protection against disabling task manager and regedit - [COMPLETED]
~~Change execution alert to High risk - [COMPLETED]~~
Hide empty Groups - [COMPLETED]

Update (05 Aug 2007):
Learning-Mode option for Wizard - [COMPLETED]
Removing outbound connection - [COMPLETED]

Update (18 Aug 2007):
Debug output - [COMPLETED]
Silent mode - [COMPLETED]
Adding dll name to Global hook alert - [COMPLETED]
Installation warning about alerted windows file - [COMPLETED]
Fix icons - [COMPLETED]
Terminate option in alert window - [COMPLETED]

Executable modified alert - [PENDING]
An option to skip scanning programs in Wizard - [PENDING]
Adding hot-keys - [PENDING]
Configure button in wizard to add more executables - [PENDING]
Option to import and export all rules and configuration - [PENDING]
Reverse alert name and risk (also service) - [PENDING]

Graphical guide - [PENDING]
Help file - [PENDING]

Bugs:
Isearch adware BSOD - [FIXED]
Service status error - [MOST_LIKELY_FIXED]
"Clear log" bug - [MOST_LIKELY_FIXED]

Update (05 Aug 2007):
Prueba trojan freeze - [FIXED]

Update (18 Aug 2007):
BSOD on startup - [MOST_LIKELY_FIXED]
Tray icon bugs - [MOST_LIKELY_FIXED]

MS File sharing bug - [PENDING]

You can check latest progress from this thread.

NG Beta 3 being tested by Smokey's forum users

2007-07-22T11:27:00.000+03:30

OK, after a long hard work, NG gets ready for a harder test by Smokey's security forums users. I'm inviting all my NG serious users to download it from Smokey's forums in this thread. Of course you can join there if you are not a member yet.

Having a support forum makes things a lot easier, especially for reporting bugs and debugging them while everyone can see others problems and tell if they have such problem or not. It is also very good for other kind of feedback, for example when a user suggests some feature or option other users can tell me their opinion about them so I can decide better.

Nothing more to say, just a screenshot from Neoava Guard extension for Explorer.

Neoava Guard Support Forum

2007-07-02T21:29:00.000+03:30

As NG Beta 3 is almost ready for the release, NG Support Forum started on Smokey's Security Forums.

NG forums on Smokey's Security Forums consists of 3 parts:

Neoava Guard Support Neoava Guard Related Issues, with exception of discovered bugs. Please report bugs in the special Bug Reports Forum.
Neoava Guard Knowledge Base Neoava Guard Knowledge Base/FAQ Forum. Users can start here multiple topics but cannot reply in others. Please read the Neoava Guard Knowledge Base Forum Rules before posting.
Neoava Guard Bug Reports Please report here all Neoava Guard bugs.

Smokey's Security Forums:
http://www.smokey-services.eu/forum/index.php

You can join Smokey's Security Forums and post bug reports or questions about NG there.

I hope to see you there.

Configuration Tab

2007-06-19T04:30:00.000+03:30

Configuration Tab was almost finished a week ago, but I encountered some problems and bugs that took a week for debugging and coding some parts again.

Another thing is that I decided to remove Processes tab in order to finish this beta as soon as possible, cause this tab needs some changes in NG driver code and I don't want to change it in the last minute and don't have enough time to test driver completely again.

here is some snapshots (I hope you enjoy it)

Applications Tab

2007-05-20T19:48:00.000+03:30

Sorry I forgot to put Applications tab snapshots, Applications tab was ready a few days ago.

I'm currently working on configuration tab and there will be a little delay in release.

Here is the snapshots:

Thank you for your suggestions, ideas and support.

NG beta 3 development progress

2007-05-08T17:17:00.000+03:30

OK, as some asked about NG progress and not sending any new snapshots, now I want to describe it:

The progress was nice about 12 days ago when I had a cold and was unable to work hard on NG and this cold later causes a middle-ear infection and becomes a real problem for me. Today I'm okay and started working hard on NG again. This event may cause a delay on release but Im trying my best to release NG beta 3 as soon as possible. I apologize for another delay in release, I hope beta 3 satisfy NG users.

Executables tab is complete, I will send a few snapshot in the next few days.

Alert dialog

2007-04-12T15:30:00.000+03:30

Hi,

Alert dialog finished, here is some snapshots:

Note: GUI is in Advanced mode

It is small window that will be displayed with a Always-On-Top property, but if the client GUI was not loaded yet (e.g before user login) then the old alert window will be displayed by NG service.

With this dialog I've tried to make it easier for users to configure their executables and rules with just a few clicks.

Send your suggestion/ideas.

Thanks

events tab

2007-03-12T16:10:00.000+03:30

Here is a snapshot from events tab of new GUI. It is not complete yet.
("More options" is not shown cause i'm still working on it, it should display details about the selected event.)

This snapshot shows a log from NG protection against spt.exe, NG protects against all kind of attacks. APT tool by diamondcs is also completely covered in the new NG version, so NG will provide the same kind of defense against process termination as ProcessGuard.

Note that window is horizontally resizable, so user can see all columns without scrolling.

Please feel free to send your suggestions to me.

suggestions

2007-03-12T15:51:00.000+03:30

Thanks to MaB69 for his suggestions, here is answers which may help other people learn about NG.

Maintenance task to delete rules related to non existant executables
the non-existent executables will stay in database but not shown for configuration, this way the application permissions will be available if the same executable executed again.

Self protection for the service and in case of attack, the service could relaunch the UI process
In the new NG UI will be shown by client (executed as user login) and it is protected against termination.

Hidden files/process detection
It is something which will be done by root-kits after they load into kernel, althought it is possible to detect hidden files/process in some cases but it is not possible to control a kernel-mode driver as it already had the highest possible access to system.

More Registry keys monitoring ( like IE settings or system settings (regedit actived/disabled))
It is easy to add more keys but currently the work is just too much for me. Thanks it will be in future versions.

Keylogging detection (GetKeyState, GetAsyncKeyState and DirectX request interception)
New NG protects against all kind of keylogging except DirectX, which till now I was unable to find a way to filter it. If anyone knows any technical details about inner work of this function contact me.

Look at the new version

2007-02-25T20:27:00.000+03:30

Although GUI is still under development but the new version should look like this:

the best way to help me is sending your ideas/suggestions.
more pictures coming soon....

News

2007-01-19T20:28:00.000+03:30

Neoava.com is up and running, everything is OK!

The news is that the new version of Neoava Guard will have some amazingly innovative stuff which make the this HIPS unique in ease of use among other HIPS.

Against the last two beta's which focused on just protecting against more attack ways, this time features added to comfort beginner users, and also provide a highly flexible configuration for advanced users.

In previous versions most users can't find a lot of configs etc.., but in next version everything can be configured from several places, the new interface allow users to change options/rules by few clicks.

4 completely new concepts added to increase ease of use, integration to system and installed programs, Internet attacks protection and overall protection. This completely new features allow NG to minimize alerts and most things automatically done (although can be configured not to be done automatically).

There will be a little visual tutorial along with NG next version to help people just know how to protect their computer using NG.

I will publish the new beta version to public and will update it every 2 weeks or so until no more bugs reported. Then the first non-beta version will be released.

I estimate the new beta to be ready for public release around mid March.

This time I promise the new version can make it as the best HIPS available on net, not only among the free ones but also others.

I will just keep it free, not to help people protect their computers (which will be done anyways) but to show how powerful Neoava Guard is and how creative I am in programming.

Just wait and see, cuz u aint seen nothin yet!

neoava.com is down

2007-01-15T08:41:00.000+03:30

Neoava.com is down (for the last few days) due to hosting problems and it will come back online soon.

NG progress is good but due to a series of changes in NG driver it needs a lot of time for testing and a lot of work on GUI, so the GUI show what the driver can offer to user.

anyway, sorry I can't update NG blog regularly cause I'm very busy.

New GUI

2006-11-16T14:00:00.000+03:30

GUI is going to be completely new, I was working (for 3 weeks) on changing old GUI but decided to start from ZERO to have a completely new and optimized GUI.

Anyway, I'm not going to post so many things in new future cause I'm very busy working on it.

Hope for a user-friendly, simple and effective GUI.

I'll post some pics ASAP.

Beta 2 public release

2006-10-18T00:26:00.000+03:30

And finally NG v1.0 Beta 2 publicly released.

for more info visit NG's website: http://www.neoava.com
or download page: http://www.neoava.com/download.htm

please report bugs to feedback [at] neoava [dot] com

I will publish a list of new features on the website.
I have to work on its graphic parts and will publish first version as soon as it seems to be complete.

for now, download NG beta 2 and
Enjoy!

Beta-testing final steps

2006-10-06T12:41:00.000+03:30

The NG beta 2 is almost ready for public release.

beta-testers reported several bugs (including 1 BSOD triggering bug) all of them debugged successfully and NG beta 2 is now more stable and better.

I've received a lot of suggestions most them either related to GUI (which is going to be changed after beta 2 public release) or requires a lot of change in NG code, that may produce more bugs as a result of added functionality. So I saved them for future versions.

thanks to all beta-testers the NG is going to be released by the next week.

Testing Beta 2

2006-09-29T10:22:00.000+03:30

The beta 2 version has been sent to beta-testers.

I'm working with them debugging NG beta 2.

thanks to all beta testers.

Beta 2

2006-09-23T00:26:00.000+03:30

The beta is ready, but the last minute bug caused a delay.

I'll will work to debug it tomorrow and send it for beta-testers.

Testing learning-mode

2006-09-10T22:32:00.000+03:30

And the learning-mode finished,

I finally decided to make the Learning-Mode (LM) as simple as possible,
as it may cause complications if I use a complex routine to decide whether or not to add a particular application to trusted-mode while on LM.

so the LM just a state in which driver adds all executables executed into trusted apps, so the driver is actually not protecting against anything. By default, the LM is enabled for 5 hours of working with computer after installation (can be chosen to be disabled).

I'm currently testing it, cause it made a lot of change in several parts.

busy

2006-09-06T11:21:00.000+03:30

hi,

in the last 5-6 days I was busy working on another thing, so I have to start working on learning-mode from today.

but I have some ideas on how to design the learning-mode part, its going to be very unique.

im really sorry, ill work on NG beta 2 as hard as possible.

learning-mode

2006-08-28T13:43:00.000+03:30

after some testing and installating NG, I decided to add another thing to NG beta 2: a learning-mode.

that makes the first days of NG installation a lot easier for user.

I think it takes at least 1 week.

BTW, the number of beta-testers is getting a little bit more in these days and its really good.

driver file modification protection

2006-08-26T08:54:00.000+03:30

I've done the driver file modification filter, and yesterday was a new record for me, working for 13 hours.

i'm preparing the NG wizard and setup and I will send the debug version of NG beta 2 to beta-testers, in the next few days.

Direct physical memory access & driver loading

2006-08-25T11:39:00.000+03:30

number 4 and 5 from the previous post is done.

just want to note that the protection against direct memory writing also helps defend against restoring SDT. the method described in www.security.org.sg/code/sdtrestore.html. This method uses the physical memory access too (\device\physicalmemory). So, by applying this filter we effectively stop SDTrestore from gaining write access to physical memory.

Now, I will work for number 7, modifying driver files on disk.
thats going to be a little bit hard.

Attacking Host-based Intrusion Prevention Systems

2006-08-21T12:46:00.000+03:30

Few days ago Thomas emailed me a document about Attacking HIPS. (thanks thomas)
the document written by Eugene Tsyrklevich from SecurityArchitects.com . It is a very interesting article and covers some interesting attacking methods to bypass HIPS. Here is a list of the attacks related to my HIPS:

Using Symbolic Links to bypass filters
NG is actually protected against this kind of attack as it is designed to completely resolve all names before checking them against filters
Using Service Control Manager (SCM) to install drivers or something
NG detects all requests to SCM and check them against service & driver creation/modification settings/filter and can allow or deny them
ZwLoadDriver()
This one is also already protected by NG.
Using ZwSetSystemInformation's SystemLoadAndCallImage & SystemLoadImage to load drivers
I'm currently working on protecting NG's users from this kind of attack (takes some time)
Inject code by directly modifying the kernel memory (\Device\PhysicalMemory)
NG is not protected against this attack, I will work on this one after zwsetsysinfo one, it takes little time.
If a trusted system process is still allowed to load kernel drivers, use DLL injection to inject userland code into the trusted process and then load a malicious kernel driver
NG protect processes against DLL injection.
Modify an existing kernel driver in disk
It is also possible against NG protection, I'll work on it in the next few days.

I think thats enough description about attacks,
I'll work on them and report back.

document link: http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-tsyrklevich.pdf

partition table protection done

2006-08-19T10:59:00.000+03:30

low-level disk access filter done, now all applications trying to access harddisk directly can be detected.

the beta-testing will start next week cause there is a couple of things I want to add, I will write about it in next post.

low-level disk access

2006-08-17T22:16:00.000+03:30

thanks Krazaf,

after a new sample from Krazaf, I successfully found how this kind of attack can be detected.

it is not hard to implement and should take some hours/1 day.

I'll work on it, tomorrow.

GeSwall incompatibility

2006-08-17T22:01:00.000+03:30

While running GeSwall along with NG, a BSOD triggers on almost random times, debug analysis didn't show anything, I think I should leave it and recommend not to use NG and GeSwall together.

as the BSOD triggered very rarely on my system, its harder to debug it.
So I give up on debugging this incompatibility issue.

everything is fine

2006-08-09T20:54:00.000+03:30

there was just a couple of bugs.

they are ok now, but Im still looking for bugs.

20 Aug, the new beta 2 is going to start its tests by beta-testers who decided to help me debug NG b2.

till then I will work alone on debugging.

I have enabled a couple of features which was disabled, or I was decided to disable them in beta 2. I think I have enough ideas to keep future versions interesting.

BTW, I will keep NG free. and I don't keep it free to help people protect their systems or fight against malwares but to show the power of my software to everyone and to become famous. thats all.

debugging

2006-08-01T11:49:00.000+03:30

as several incompatibility and bugs reported while using NG along with some other firewalls, anti-viruses, etc... . I have decided to run them on my computer and test them throughly, this is going to be the last step in NG beta 2 development.

I'll report bugs.

program execution filter done

2006-07-31T21:32:00.000+03:30

phew,

well after a lot of where-is-the-bug stuff, I've done program execution filter, and I have to say that it looks great, not just only for its main purpose (which is preventing malwares from running) but it also can be used by user to easily add her new executables to Trusted Executables, as it will prompt user when a new, untrusted executable going to be executed.

I should mention this method of adding programs to trust somewhere in help and in the new GUI's Graphical User Guide.

and yes, thats another new feature which can make using NG easier for end-users by showing them how they can do something with NG.

old suggestion

2006-07-29T22:34:00.000+03:30

there is an old and cool suggestion I have recieved by website's feedback form.

Kevin suggested:

Neoava should also have a filter that prompts the user for launching executables. This can prevent malicious programs from starting.

Actually I've been thinking about this one when begin working on NG project but for some reason (that I can't remember now) ignores it. But this should be a part of every HIPS software.
I'll work on this one from tomorrow after finishing the "driver & services" tests.

i'll report back when it is finished,
thanks Kevin.

busy

2006-07-29T22:24:00.000+03:30

I've been really busy working for seperating Drivers & Services in NG's configurations, settings, alerts and prompts.

and its almost done, but I have to test it, I think it takes a couple of hours.

right now I feel that nice headache, that I have when programming for 11+ hours in one day.
So I've decided to leave the rest of the work for tomorrow.

regarding another Navin's suggestion:

If possible perhaps you can make NG´s driver load as a boot
driver, this way it protects the system from the start.

I have to say that a System driver protects everything, and there is no need for Boot driver as a driver can do anything from there, for example a driver can bypass NG's protection. I think this applies to all HIPS softwares.

Monitoring Low-level disk access

2006-07-28T10:47:00.000+03:30

Also thanks Krazaf for reminding me the low-level access monitoring.

I've researched a little bit about this kind of access but still can't find information necessary for protection. If anyone (including Krazaf) have a Trojan, virus (or any malware) file which uses low-level access to do damage, please contact me.

If you know exactly how these kind of malwares access and modify MBR or something (that needs low-level access) in Windows NT family, please leave a comment here.

my busy days are just starting, hoping for better

suggestions

2006-07-28T10:19:00.000+03:30

there is a dozen of suggestion from Navin, I leave the completely GUI-related suggestions for the first release version as I plan to make big changes in GUI for first non-beta release.

- It might be a conflict but often the "Executable options" can´t load, I get the following error: "error ReadRegString failed". And then Neoavaguard.exe will crash. This is quite a serious bug.

It's debugged before.

- I see that there isn´t a way to delete an entry from the "Executable
options" window? This should be changed. I mean if a process is not trusted
or does not have any special permissions (or violations) it should not be
on the list constantly.
- About "My Protected Files", isn´t it a good idea to make this work like
Hide Folders XP? I´m not sure if it´s working correctly at the moment and
it can even be dangerous, because if not correctly used, the OS will not
start anymore.

They will be fixed by changing GUI, the first one is actally something which can be is easily done as it is supported by lower parts. Actually there will be clean-up option, which will also automatically ask user to remove these executable entries.
The second one needs some filters so it does not allow critical files to become unaccessible by system processes.

- You should have the ability to password protect Neoava Guard´s GUI, with
that I mean that as a non-admin you should be able to see the settings but
you shouldn´t be able to change anything and can´t allow (only deny)
certain behavior when prompted by an alert, unless you have a password.

This is also a very good feature which will be applied by new GUI.

- I think you should make a difference between "Services" and
"Drivers" in the "Custom security" settings. If I´m correct drivers (.sys
files) are used to install rootkits and can be more dangerous than Services
(.exe files).

Thats right, I will try to apply this today, I'll report back.

thank you Navin!

Currently working on...

2006-07-26T01:46:00.000+03:30

I'm working on Beta 2 version, the GUI is the same as Beta 1 but debugged and it contains a new feature which the user can choose during Wizard so NG will add all programs in computer to trusted applications so after reboot there will be very little amount of alerts (if any).

tomorrow I'm going to start GUI part of this feature.

BTW,
those of you who are interested in beta-testing NG, please send me an email at arman@neoava.com and also write a little bit about yourself.

I'll write about some bugs which is now corrected. I will write about other HIPS softwares here ASAP.

I'm very positive about NG, it does have very nice performance by considering very detailed filtering.

Creating this weblog

2006-07-25T21:02:00.000+03:30

Hi,

My name is Arman Nayyeri, Im the author of Neoava Guard.

I decided to create this weblog to stay in touch with everyone and publish news, updates, bugs and debugging information to this weblog for those who are interested in Neoava Guard (or HIPS softwares).

For more info visit official Neoava Guard website:
http://www.neoava.com

For more info about myself:
http://www.4rman.com

I'll be back