Saturday, April 26, 2008

In the Semi-Secret PC Tools Lab!

My interaction with PC Tools software products has been limited to endorsements and usage of their free ThreatFire product.

While I know and have heard positive remarks about their PC Tools AntiVirus Free Edition and Spyware Doctor products, I haven't used them. Instead I have just stuck with ThreatFire.

ThreatFire provides behavior-based (heuristic) anti-virus/anti-malware protection that doesn't depend on DAT file signatures to detect threats. Instead, it monitors running processes and what they do. If it catches suspicious behavior, it halts the activity and alerts the user, who assesses the threat and then either allows or blocks the action. Kinda like having an intelligent internal software firewall.

There are many other programs (free and $) that provide a similar method of protection (AntiHook ($), DefenseWall HIPS ($), WinPatrol (free/$), ProcessGuard ($), and Prevx 2.0 ($) to name just a few).

Similar behavior-blocking is also bundled into other anti-virus and firewall products (AVG Free 8's "Resident Shield" and Comodo Firewall Pro's "Defense+" come to mind). However, I generally disable these when so "bundled" if possible and rely on a more compartmentalized approach. My reasoning is based on a tiered security ring model: if one security application were compromised or shut down, the other, independent security programs might remain unbreached and able to detect the threat. It's no guarantee, and it puts a bit more strain on my system RAM and CPU cycles, but it has worked well for me to this point.

ThreatFire provides this type of protection to my systems, is very light on resources, and not only provides real-time monitoring of threat activity but also (as I learned this week poking around in it) can do manual and scheduled scans of the system, including detecting rootkits!

But this post isn't about ThreatFire; it is about what I found exploring the public PC Tools laboratory.

Hello? Dr. Frankenstein?

My adventure started innocently enough.  I was doing some background research for my post Keeping an Eye on Malware where the PC Tools CEO was alleged to have made some smack comments towards fellow security product companies.

In doing so I was clicking around the PC Tools Software website looking for a press release that might have a company response to the ruckus.

While I didn't find what I was looking for, under the "Company" link, buried amongst the Career and Press Room links I found a little link simply called "Labs".

Hoping just to find a PC Tools blog site that might have some good security-news angles, I instead found a mother lode of clever freeware security utilities, not quite ready (by PC Tools' standards, I guess) for prime time.

The PC Tools Labs Freeware Offerings

PC Tools describes these Lab Creations of theirs thusly:

PC Tools Labs showcases some of the projects that are currently being explored by our Research and Development teams.

At PC Tools we are constantly researching and creating new technologies and applications with the goal of providing our users the best anti-malware and system utilities in the industry. Some of these creations may only have specific uses or be too technical for every-day use, and therefore would normally not be released to the public.

This page previews some of the projects and research that PC Tools is involved with. You can even download some of the tools that have been developed by us and are used internally by our research staff. Feel free to browse through our projects and participate in discussions or send in your suggestions via our Forum.

Before using any of these tools please read the instructions as some of these tools are very powerful and could potentially damage your system if not used correctly.

Downloading and using software from this Web Page is subject to the disclaimer below and the EULA for the software.

Clearly a warning to be heeded....so I immediately decided to play with them!

  • Browser Defender - This is a toolbar (ughh!) that displays ratings for sites as you surf the web. It pre-checks URL links against their servers and returns a safety rating. Nice in theory, but I've already fussed about "security" toolbars, as have others, and there are other link-scanners that I think are less intrusive.

  • Threat Expert - It's not so much a software application as a threat-analysis center. It collects information from a variety of sources and, after analysis, provides a report of the object's behavior. The website doesn't immediately provide the "utility" to visitors; instead it shows a number of threat categories with items ranked accordingly. You must scroll down to the bottom of the page to find the true gems: the ability to submit samples from your desktop or scan your PC for threats. Also linked are the aforementioned ThreatFire page and the interesting ThreatExpert Blog covering automated threat analysis. The sample submission tool is actually a mini-app called, rightly enough, the ThreatExpert Submission Applet, a standalone tool to upload files for review and report generation. There is also an online submission form available.

  • Alternate Operating System Scanner (AOSS) - this is a very clever and amazing piece of work! AOSS is a boot disk that lets you boot a Windows system into an alternative operating system environment. It then scans the file system on the drive so it can fully check the drive contents for virus signatures, malware, and other baddies without fear of masking techniques: since the infected Windows installation isn't running, a rootkit can't hide its files from the scanner. What is even more amazing is that it also supports the ability to access a USB drive where DAT files used by Spyware Doctor may be updated and stored. This ensures that the boot disk is able to use the most current DAT files available and not static or old files burned on the boot disk itself. Very clever! In my tests it worked quite well. It found one false positive on a Quicken file, and at removal prompted for a license key. Because I didn't want to remove the file, I was unable to test removal effectiveness or whether I really needed a key to remove the file, so my test wasn't fully completed. While I am aware of other scanning programs that can be run off a boot disk, this is the only fully integrated model like this that I am currently aware of. At the very least, a researcher can note down the files encountered, then use another PE or Linux based boot disk to capture and/or remove the file(s) previously identified from the system.

  • Startup Explorer - I was able to make a "portable" version of this for my USB stick. After launch, a scary warning appears. Once confirmed, you are able to use a surprisingly useful application to view startup programs, scheduled tasks, system services, loaded drivers, system ini files, print monitors, safe boot "minimal" parameters, safe boot "network" parameters, open command files, known and shared DLLs, Explorer, Shell Execute hooks, and Shell Service Objects. Items may be disabled, and some actually deleted. You can also view details of each object and jump to the item's properties and file location in Explorer. Finally, you can save the selected view's contents to a file for later inspection. While I much prefer Microsoft Sysinternals' AutoRuns for Windows, Startup Explorer is certainly more "approachable" than AutoRuns or other well-known startup monitoring utilities. Certainly worth playing with at the very least.

  • Browser Explorer - I was also able to make a "portable" version of this for my USB stick. Supporting Internet Explorer, Firefox (pre 3.0), and Opera, this tool allows you to view browser program details, settings, cookies, favorites, history, plugins and "zone maps".  It also shows basic "common settings" for system/browser interactions.  Certainly not a heavy-duty utility for browser auditing and tweaking, it nevertheless provides an overview of common browsers and their settings.

  • Patch Scanner - Yep. I put it on a USB stick as well. It contains a single exe and dll pair. This micro-tool scans your system for missing Windows updates. Certainly no replacement for the real Windows Update website for patching a Windows system, nor for the more comprehensive web-based Secunia Software Inspector or their simply unbelievable and free Personal Software Inspector (PSI), Patch Scanner quickly does what it promises: checking your system for missing software updates. When run on my system, it found no missing security patches, but nine "optional" software downloads available for my system. These matched those offered (and declined by me) by Windows Update. Nice backup tool for checking if your Windows Update client is damaged or corrupted.

  • ThreatExpert Memory Scanner - Now this one is simply cool! No other way to describe it. The ThreatExpert Memory Scanner can be run as a "post-mortem diagnostics tool" to search for high-profile malware threats remaining in system memory. In concept, an administrator would run this tool (I put it on a USB stick) on a system once it had been potentially cleaned of malware/virus activity to see if any additional threat behaviors are still found resident in system memory. Three tabs are present in this "micro-app": Memory Scan (start/cancel), Submit Sample (to upload suspicious files to PC Tools for review and analysis), and Settings, to choose whether to scan for hidden processes or run a comprehensive heap scan. It runs really, really quickly on my systems. Funny thing was that when I ran this tool on the system where I have ThreatFire installed, ThreatFire kicked off an alert! Sibling rivalry? Once completed, you can view the results in a report format if you desire more than the default statistics view. No, this tool doesn't remove anything it finds, but it will bring suspicious things to your attention for additional investigation work using your own l33t sysadmin skillz and other favorite tools. Definitely worth checking out and keeping handy! In my opinion, the gem-quality find of the bunch.

  • Finally, there is Pocket Guardian. This tool is actually for Windows Mobile devices and works to "detect and block changes to sensitive settings and load points" on your device. From the description, it is HIPS-based rather than DAT-based. Alas, I don't have any Windows Mobile devices on which to test it. If I did, I would.
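As an added illustration of what a tool like Startup Explorer or AutoRuns is actually enumerating, here is a read-only PowerShell script (my own example, not a PC Tools utility) that walks the common auto-start extensibility points: the Run/RunOnce keys, the Winlogon Shell and Userinit values, auto-start services and boot-time drivers, and enabled scheduled tasks. It also records the Authenticode signature status of each launched binary where the path can be resolved, and saves everything to a CSV for later inspection, much like Startup Explorer's "save view" feature. Assumptions: PowerShell 3.0 or later, Windows 8 / Server 2012 or later for Get-ScheduledTask, and an elevated prompt so all services and drivers are visible.

```powershell
# Added example (not a PC Tools tool): enumerate common Windows auto-start
# extensibility points (ASEPs), check the signature of what they launch, and
# export the result to CSV. Read-only; nothing is disabled or deleted.
# Assumes PowerShell 3.0+, Windows 8/2012+ (Get-ScheduledTask), elevated prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Category='Run key'; Location=$key; Name=$name; Command=$item.GetValue($name) }
        }
    }
}

function Get-WinlogonEntries {
    # Shell and Userinit are classic persistence targets. Defaults are
    # "explorer.exe" and "C:\Windows\system32\userinit.exe," (note the comma).
    $wl    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $wl
    foreach ($v in 'Shell', 'Userinit') {
        [pscustomobject]@{ Category='Winlogon'; Location=$wl; Name=$v; Command=$props.$v }
    }
}

function Get-AutoServicesAndDrivers {
    # StartMode Auto = started at boot; PathName is the binary that actually runs.
    Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object {
        [pscustomobject]@{ Category='Service'; Location=$_.Name; Name=$_.DisplayName; Command=$_.PathName }
    }
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.StartMode -in 'Boot','System','Auto' } | ForEach-Object {
        [pscustomobject]@{ Category='Driver'; Location=$_.Name; Name=$_.DisplayName; Command=$_.PathName }
    }
}

function Get-ScheduledTaskEntries {
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Category='Task'; Location=$_.TaskPath; Name=$_.TaskName
                                   Command=("$($a.Execute) $($a.Arguments)").Trim() }
            }
        }
    }
}

function Get-ExePath {
    # Best effort: pull the executable out of a command line (quoted path or first
    # token), expand %vars%, and fall back to System32 for bare names like svchost.exe.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c   = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $exe = if ($c.StartsWith('"')) { $c.Split('"')[1] } else { $c.Split(' ')[0] }
    if ([string]::IsNullOrWhiteSpace($exe)) { return $null }
    foreach ($candidate in @($exe, (Join-Path $env:SystemRoot "System32\$exe"))) {
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null   # e.g. driver paths written as \SystemRoot\... stay unresolved
}

$entries = @(Get-RunKeyEntries) + @(Get-WinlogonEntries) + @(Get-AutoServicesAndDrivers) + @(Get-ScheduledTaskEntries) |
    ForEach-Object {
        $exe    = Get-ExePath $_.Command
        $status = if ($exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Unresolved' }
        $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru
    }

$entries | Sort-Object Category, Location, Name | Format-Table Category, Name, Signature, Command -AutoSize
$entries | Export-Csv -Path (Join-Path $env:USERPROFILE "asep-$(Get-Date -Format yyyyMMdd).csv") -NoTypeInformation
```

Entries whose Signature is NotSigned or Unresolved, or whose command points into a user-writable directory such as %TEMP% or %APPDATA%, are the ones to look at first; legitimate Microsoft and vendor components are almost always signed and live under Program Files or System32. Diffing two CSVs taken on different days (Compare-Object on the Command column) is a cheap way to spot a new load point.

Patch Scanner's job can be approximated with the Windows Update Agent's own COM API, which is what the Windows Update client itself uses. The following PowerShell is an added example of mine, not PC Tools' code: it asks the local agent for software updates that are neither installed nor hidden, and splits them into security/critical updates versus optional ones, mirroring the "no security patches, nine optional downloads" kind of result described above. It assumes the machine can reach Windows Update or its WSUS server; the search can take a few minutes on a system that hasn't scanned recently.

```powershell
# Added example (not PC Tools' Patch Scanner): list updates the local Windows
# Update Agent (WUA) considers applicable but not installed, via its COM API.
# Assumes network access to Windows Update / WSUS. Makes no changes to the system.

function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # WUA search criteria: not installed, not hidden by the user, software (not drivers).
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        $cats = @($u.Categories | ForEach-Object { $_.Name })
        [pscustomobject]@{
            Title    = $u.Title
            KB       = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            # MsrcSeverity is Critical/Important/Moderate/Low for security bulletins, empty otherwise.
            Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
            Security = [bool]$u.MsrcSeverity -or ($cats -contains 'Security Updates') -or ($cats -contains 'Critical Updates')
            # Updates the agent would not auto-select are what the Windows Update UI lists as "optional".
            Optional = -not $u.AutoSelectOnWebSites
            Category = $cats -join ';'
        }
    }
}

function Get-UpdateSummary {
    param([object[]]$Updates)
    [pscustomobject]@{
        Missing  = $Updates.Count
        Security = @($Updates | Where-Object Security).Count
        Optional = @($Updates | Where-Object Optional).Count
    }
}

$missing = @(Get-MissingUpdates)
Get-UpdateSummary $missing | Format-List
$missing | Sort-Object @{ Expression = 'Security'; Descending = $true }, Title |
    Format-Table Security, Severity, KB, Title -AutoSize
```

Because this goes through the same agent as Windows Update, it is a check on the update catalog and the machine's own assessment, not an independent one: if the WUA service or its datastore is the thing that is damaged, the search will fail or return nothing, which is itself a useful signal and the situation where an external tool like Patch Scanner or Secunia's inspector earns its keep.

The memory scanner's "hidden processes" check can be illustrated with a cross-view comparison, a standard rootkit-detection technique. This PowerShell script is an added example of mine, not ThreatExpert's code: it enumerates running processes through three different paths (the .NET Process API, the WMI Win32_Process provider, and tasklist.exe) and reports any PID that shows up in one view but not the others. It assumes PowerShell 3.0 or later. A disagreement is a lead, not proof: processes that start or exit between the three snapshots will also show up, so re-run it and look for PIDs that are consistently missing from the same view. A kernel-mode hook on the common code path underneath all three can fool the lot, which is exactly why memory-scanning and offline approaches like AOSS exist.

```powershell
# Added example (not the ThreatExpert Memory Scanner): cross-view detection of
# hidden processes. A user-mode hook or a DKOM rootkit that hides a process from
# one enumeration path usually cannot hide it consistently from all of them.
# Assumes PowerShell 3.0+. Read-only.

function Get-ProcessViews {
    # Three independently obtained snapshots of running PIDs, all as [int].
    $views = [ordered]@{}
    $views['Get-Process'] = [int[]]@(Get-Process | ForEach-Object { $_.Id })
    $views['WMI']         = [int[]]@(Get-CimInstance -ClassName Win32_Process | ForEach-Object { $_.ProcessId })
    $views['tasklist']    = [int[]]@(tasklist.exe /FO CSV /NH |
                              ConvertFrom-Csv -Header 'Image','PID','Session','SessNum','Mem' |
                              ForEach-Object { [int]$_.PID })
    $views
}

function Compare-ProcessViews {
    param([System.Collections.IDictionary]$Views)
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }
    $union = $Views.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($id in $union) {   # not $pid: that is PowerShell's own automatic variable
        $seen    = @($Views.Keys | Where-Object { $Views[$_] -contains $id })
        $missing = @($Views.Keys | Where-Object { $Views[$_] -notcontains $id })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                PID         = $id
                Name        = if ($names.ContainsKey($id)) { $names[$id] } else { '(not visible to Get-Process)' }
                SeenIn      = $seen -join ','
                MissingFrom = $missing -join ','
            }
        }
    }
}

$discrepancies = @(Compare-ProcessViews (Get-ProcessViews))
if ($discrepancies.Count -eq 0) {
    'All three process views agree.'
} else {
    $discrepancies | Format-Table -AutoSize
}
```

Run it two or three times a few seconds apart. A PID that is missing from a different view each time, or that vanishes entirely, is normal process churn; a PID that is repeatedly present in tasklist and WMI but absent from Get-Process (or any other stable pattern) is worth pulling apart with a memory scanner or an offline scan of the drive.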

PC Tools certainly has some remarkable toys in their semi-hidden lab for those who like to play with such things.

Hope they continue to offer, improve, and expand the lineup.

I myself always enjoyed lab-work.

--Claus
