
Anti-Virus to become obsolete.




I have made one believer, and I'm willing to make more.

What I BELIEVE is that you have a fascinating piece of code, but my forte is database application development, not security. Not at this level anyway. I am well versed in virus and spyware removal, but I am not an admin. While the code appears to be doing exactly what you claim, I really am not sure what the implications of deploying this would be at a practical level.

As a programmer I would appreciate the complexity of this code and the things it is doing EVEN IF I KNEW FOR A FACT (which I don't) that it wasn't a viable replacement for antivirus. This application was NOT written by some kid at jr. college. Just seeing it run in the demo is enough to know that it is serious code. Also, the presentation would be worth it just to see LiveMeeting (if you aren't already jaded to that).

So, if I make DonDamm into a non-skeptic, what then? Would that then spark that flame of curiosity in you? Is that what it's going to take for the rest of you? Will you nominate DonDamm as your representative to go seek the truth, and the rest of you will follow suit? If so, THEN DonDamm, come on down. I will send you a PM and you can be the person that bridges the gap between the skeptics and me.

As far as an MSFN representative, I nominate Martin Zugec (sorry for dragging you into this Martin, but you said you would watch it :) ). He is at least one of, maybe THE most knowledgeable about security on the forum (MS MVP). He is skeptical and believes he has seen code like this tried and failed before, like many here are saying. You can read his blog here or his posts on this forum to see he knows what he is talking about.

If you can convince him I will be a TRUE BELIEVER.

Edited by dman

No problem, I already sent a PM to rhythmnsmoke about his demo; I am in fact quite interested.

I want to say a few things first.

I HAVE NOT seen the demo yet. So these are my opinions, not anything based on facts.

The product/concept is NOT new. However, all previous products for exec lockdowns were not suitable for real-life use. So I am really interested in how this will work. When I saw previous products, they were GREAT for lockdowns (very secure computers), but NOT for home users and normal company workstations.

I used this sometimes for kiosk-based PCs or public PCs; now I am using SAFER for locking them down.

So this concept is NOT bad - however, it depends on implementation. It won't replace AV - it is just another kind of security software.

I have been looking for ADS modification software for a long time, which is something quite similar. When you download something from the web, some information is stored in ADS (from where, which security zone etc.) and I would like to see something similar to this in a network environment.

So I am kindly asking the members in this thread - don't criticize before you see. For most people this security concept is new. If rhythmnsmoke were trying to sell it to us, it would be something different; however, he is only trying to allow us to see it.

Which is the ideal case :) Because it is for sure (IMHO) a kernel-based app, we could develop our own open source product similar to his :) I really appreciate what he does - and I think it is quite similar to Microsoft providing webcasts/live meeting demos for their beta products.

Let us see what it looks like.

Let us try the shareware version afterwards.

Let us buy it if it is interesting for us.


No problem, I already sent a PM to rhythmnsmoke about his demo; I am in fact quite interested.

I want to say a few things first.

I HAVE NOT seen the demo yet. So these are my opinions, not anything based on facts.

The product/concept is NOT new. However, all previous products for exec lockdowns were not suitable for real-life use. So I am really interested in how this will work. When I saw previous products, they were GREAT for lockdowns (very secure computers), but NOT for home users and normal company workstations.

I used this sometimes for kiosk-based PCs or public PCs; now I am using SAFER for locking them down.

So this concept is NOT bad - however, it depends on implementation. It won't replace AV - it is just another kind of security software.

I have been looking for ADS modification software for a long time, which is something quite similar. When you download something from the web, some information is stored in ADS (from where, which security zone etc.) and I would like to see something similar to this in a network environment.

So I am kindly asking the members in this thread - don't criticize before you see. For most people this security concept is new. If rhythmnsmoke were trying to sell it to us, it would be something different; however, he is only trying to allow us to see it.

Which is the ideal case :) Because it is for sure (IMHO) a kernel-based app, we could develop our own open source product similar to his :) I really appreciate what he does - and I think it is quite similar to Microsoft providing webcasts/live meeting demos for their beta products.

Let us see what it looks like.

Let us try the shareware version afterwards.

Let us buy it if it is interesting for us.

Well Said and I Agree! :)

edit:

* Name: Blam-O!
* Sign here: _______________ (lol)
* Date: 07-03-05

Edited by Blam-O!

I think part of the reason for some strong statements being made in this thread is reflected in the thread title.

Martin says it won't replace AV; I rather agree with that, although I do think it could be a good supplement, possibly even subverting AV to second place if it works as rhythmnsmoke says.

rhythmnsmoke kinda came on here and basically said he's smarter than all of us, so can you blame the reaction?

As for using us for training purposes, what legitimate company doesn't provide good training for its sales team vs. having a junior exec go about trying to create a buzz in the tech world? See, it all reeks of incompetence, thus the accusation of snake-oil salesman.

I have found 1 place to buy said software, and there's not even a description of the software on that website. It's expensive, so I would hope there is some support, but there's no mention of it at the purchase point.

Guess I'll just have to wait for the company to grow up, if it actually survives this growing pain.


So this concept is NOT bad - however, it depends on implementation. It won't replace AV - it is just another kind of security software.

The only thing standing in the way of that statement is people's ability and willingness to accept CHANGE. Now, I know you haven't seen it yet, which you will sometime next week, but I will explain how we replace and coexist with AV software. Originally our position was to complement AV technology. We didn't want to burn any bridges. But we were asked to do the impossible, at which we prevailed. We were asked to go this route and bring computer security to the next tier level.

The PROs and CONs about being at the next level:

CON: I will tell you that during the demo.

PRO: Security evolves, and we basically become the Microsoft of computer security.

Which is the ideal case :) Because it is for sure (IMHO) a kernel-based app, we could develop our own open source product similar to his :) I really appreciate what he does - and I think it is quite similar to Microsoft providing webcasts/live meeting demos for their beta products.

Are you familiar with the Reference Monitor for Linux? Our chief programmer (I'm just going to start typing CP for short) often refers to it as being similar to that. I'm not familiar with the RM for Linux. But he said it was, I guess, the understanding point in creating this technology for the Windows environment.

Let us see what it looks like.

Let us try the shareware version afterwards.

Let us buy it if it is interesting for us.

Looking forward to the demo.


I think part of the reason for some strong statements being made in this thread is reflected in the thread title.

I apologize for that. I can see your point. By the way, I just love your avatar pic. Wonder where I can score a bra like that for my girl...heehe. :D

Martin says it won't replace AV; I rather agree with that, although I do think it could be a good supplement, possibly even subverting AV to second place if it works as rhythmnsmoke says.

True to the extent that it will take some people quite some time to accept its adoption. And with history and political pull behind current technology, it will be a wake-up call to many people.

rhythmnsmoke kinda came on here and basically said he's smarter than all of us, so can you blame the reaction?

If I came off this way, I apologize for that. But I was only merely trying to convey that our software stops what AV can't. And it protects the machine in a way that AV can't. I'm not the smartest guy here. I've only been out of college for about 3 years now. However, my understanding of computer security has come from a very respectable mentor. Our CP is a former Marine Corps officer, ex-CIA operative, and holder of other lucrative job titles; the list goes on and on. He has been programming since he was a teen, and he is in his mid forties now. The stories he tells me are just absolutely insane. He was a survivor of the Marine barracks bomb blast in Beirut, Lebanon during 1983. I have never seen such an individual with as much knowledge of the Microsoft environment as him. If you can imagine some real "James Bond" stuff, he is that type of person. So, everything I know and have learned comes from him. I have never read a single book on hacking. I have picked up all my knowledge of hacking and breaking Windows by working here, and seeing actual gov. "RED" teams go toe to toe with our software. I do have a hacking book that I have yet to read. I intend on reading it to find out how much I already know (from experience) that's in the book.

As for using us for training purposes, what legitimate company doesn't provide good training for its sales team vs. having a junior exec go about trying to create a buzz in the tech world? See, it all reeks of incompetence, thus the accusation of snake-oil salesman.

We are too small to do all that. We don't have a "team" per se of salesmen running around. The training purposes are for me. I want to get good with LiveMeeting, not ImmuneEngine.

It's expensive, so I would hope there is some support, but there's no mention of it at the purchase point.

Now you see why we don't push out the home version. With our heavy involvement with contracts from major players, we don't have time to entertain 100,000+ people calling in asking questions to which they can find the answer in the manual. I used to work in a tech call center for Dell (worst IT job I've ever had) and you would be surprised at the number of people who called in about stuff they could have solved themselves. Now, imagine the volume of calls we would get when people are forced to actually READ the manual on a more advanced technology such as ours.


Ok then, let's assume this technology takes off.

Why not offer a rebranding/reselling option so I can offer the technology in my company name, and include the support in my pricing model?

Of course, I would get volume discounts so I could actually make money, and you would get income from my selling/packaging with computer systems, so it would generate consistent cashflow for you guys, and you wouldn't get bogged down with support calls because I would have to handle that.

See, now you get to see my bra again, plus get some good ideas for your boss.

And as a potential reseller, would I get to preview the software? :thumbup


1) No signatures required. No database is created of known viruses. It contains the first ever binary search engine. Designed to pick up any executable, be it disguised or undisguised, known or unknown.

By binary search, you mean identifying a file through comparing zeroes and ones. Nearly all files can still function correctly by changing a single byte, rendering your authentication useless. If you mean identifying all binaries, it's just a matter of searching for the right extensions ;).

2) It has an automatically deployed authentication defense thread that analyzes every executable on the system. If not originally a part of the computer's matrix, then that executable will not run at all. It will intercept every executable before it is passed to the kernel. Then the binary search engine will sweep and eradicate it (not quarantine) from the computer.

Your system has no idea whether the executable is safe or not, unless you were to use heuristics or AI. AI has yet to develop to a usable state, and heuristics are not very reliable. The process would also be processor-hungry, regardless of how efficient the code is. If the system relies on a black/white-list, then it will be very burdensome for an administrator to add all executables he/she will ever use. This burden will be even greater for the average user, who installs programs on a regular basis. I'm also assuming this is all without user intervention? If so, then a malicious user has only to modify a critical system executable and guess what happens?

3) When installed, system idle process is an average of 95 to 98%. Designed to be literally undetectable to system resources.

Such tasks as scanning the entire system for executables and searching through the files for specific instructions are not possible using such low resources. If you lower processor priority, then the user will notice a lag between opening a program and actually having it run, since the software will require it to suffer a slow scan first.

4) Runs independently of the Microsoft OS. Traditional AV relies on the OS to tell it something has happened.

Not relying on built-in Windows functions means a larger install, less reliable code, and even more processor usage.

5) Protects from the inside threat.

How? Any marketer can claim something, but without information to back it up, it's literally useless.

6) Because it does not use the system driver approach, it continues to provide protection in Safe Mode.

Without the system driver, you usually can't grant kernel access, aka monitoring the kernel. The above claims rely on monitoring the kernel, thus you're contradicting yourself.

This is the only software solution that will literally make you get out a screwdriver to change the hardware of the box to break it. It has been put up against "RED" teams of certain government agencies to be broken. It has been in a line-up test with the basic AV software in government test facilities and come out the winner by a landslide, just for the simple reason it has a binary search engine. You guys have never seen this software, so I'm sure you all are skeptical about it. But it does live. Viruses are not designed to combat such a system as this. You have to turn off the software if you want to get a virus in. And if you don't have access to it, then you're not turning it off. Nothing can do what this software can do. And I've only described just the core stuff. There are other little tidbits of security that it deploys that I have not explained, such as securing the cmd.exe program. It's not in the public sector, so I figured that's the reason none of the polls have it mentioned.

I'm sure it cannot go so low of a level as to prevent someone from booting up from a Windows XP CD to format the computer. No software is capable of it, so I hope to not hear claims that this software prevents formatting also <_< .


By binary search, you mean identifying a file through comparing zeroes and ones. Nearly all files can still function correctly by changing a single byte, rendering your authentication useless. If you mean identifying all binaries, it's just a matter of searching for the right extensions.

Example:

Non-harmful .bat file on the system.

ImmuneEngine is installed.

Since the .bat file is a part of the original matrix, ImmuneEngine will allow it to run.

Now, edit that .bat file to something else and save it.

It has thus far been changed, so when you try to run it now, ImmuneEngine will analyze and stop its execution, before it is passed to the kernel. This goes for scripts too.

Your system has no idea whether the executable is safe or not, unless you were to use heuristics or AI. AI has yet to develop to a usable state, and heuristics are not very reliable.

A computer can't reason. You either allow executables or not. Don't look too deep into it. It's pretty simple. Because of that simple reason that they can not reason, it is up to the user to know if any new executables are coming from a legit source. Simply put, it is those executables that you have no knowledge about being downloaded to the machine that you want to stop, or those that you accidentally execute yourself. Why waste time in trying to GUESS what is good or not? GUESS the wrong answer, and you're toast, as you have seen with some other methods of protection.

The process would also be processor-hungry, regardless of how efficient the code is.

As of right now, this statement is your theory. And is unfounded. If you haven't seen it, how can you be certain this is the case? In the live meeting, I will show you the task manager for proof that it's not processor-hungry.

If the system relies on a black/white-list, then it will be very burdensome for an administrator to add all executables he/she will ever use. This burden will be even greater for the average user, who installs programs on a regular basis. I'm also assuming this is all without user intervention?

You started that response with IF it has a black/white-list. I noted above that there is no "list", "database", "signature" in our system.

If so, then a malicious user has only to modify a critical system executable and guess what happens?

In a previous post I stated that in our analyzation methods, a checksum is done. The checksum is just one part that we analyze amongst other occurrences that happen when we analyze the executables. You change an existing OS executable, it won't run. Also, upon install (out-of-the-box installation, that is, no extra configuration done), it will automatically build a backup for the critical system executables. Therefore, if you modify something, it will 1) report it, 2) not allow you to execute it, and 3) put back the original. Not to mention, Windows File Protection would be in place as well.

Such tasks as scanning the entire system for executables and searching through the files for specific instructions are not possible using such low resources.

Again, why would I make a claim if it wasn't true? You have to see to believe. Which you have yet to see in action.

If you lower processor priority, then the user will notice a lag between opening a program and actually having it run, since the software will require it to suffer a slow scan first.

Again, you are going to have to see to believe. The scan is rather fast, quite frankly. What's more important, waiting 2 extra seconds to do a scan of something that might have been changed to be malicious, or being wide open and rather having 2 sec. of time not waiting?

Not relying on built-in Windows functions means a larger install, less reliable code, and even more processor usage.

Again, I wouldn't make a statement if that was true. It has no more extra HDD space taken up than any normal application would. Microsoft Office takes up more space than we do. I assure you, the install is quick and small.

How? Any marketer can claim something, but without information to back it up, it's literally useless.

In a previous post, I stated that I would explain things in more detail over the phone during the demo as opposed to typing them out.

Without the system driver, you usually can't grant kernel access, aka monitoring the kernel. The above claims rely on monitoring the kernel, thus you're contradicting yourself.

Again, if it hasn't been done, I wouldn't say that it was possible. Truth is, it has been done, and it is being done right now. Because we are doing it.

I'm sure it cannot go so low of a level as to prevent someone from booting up from a Windows XP CD to format the computer. No software is capable of it, so I hope to not hear claims that this software prevents formatting also <_< .

For a software solution to do that, wouldn't you have to install it into the BIOS of the computer? Nothing has that ability. But I do have an answer for you. And thank you for pointing that out.

1) My home PC, and a lot of MBs, have a feature to turn on a BIOS password. If you have the BIOS set to only boot to the HDD, and then password protect it, how are you going to boot from your boot disk?

2) In order to change the BIOS password, you are going to have to open the case and reset the CMOS jumper to clear out the password and BIOS.

This brings you around to the point that in order to get around this software, you are going to have to LITERALLY get out your screwdriver and physically change the hardware of the computer. And even then, the admin is going to know that the probe on your machine is no longer ACTIVE, because the admin console is going to tell him. Then he is going to come down to your desk and inquire why your machine is not reading ACTIVE, only to find out that you are sitting there with a screwdriver and an open computer. Yes I know, this has not been heard of before with a software solution. But I have an advantage in knowing the software, and if I can't get around it with it in lockdown mode, then someone who doesn't know is going to have a stroke trying to figure it out.

Edited by rhythmnsmoke

Ok then, let's assume this technology takes off.

Why not offer a rebranding/reselling option so I can offer the technology in my company name, and include the support in my pricing model?

Of course, I would get volume discounts so I could actually make money, and you would get income from my selling/packaging with computer systems, so it would generate consistent cashflow for you guys, and you wouldn't get bogged down with support calls because I would have to handle that.

See, now you get to see my bra again, plus get some good ideas for your boss.

And as a potential reseller, would I get to preview the software? :thumbup

Would be a good idea, but you would have to follow the proper channels to get something like that done. I'm not in sales, so you are going to have to talk to someone on that side of the field.


Non-harmful .bat file on the system.

ImmuneEngine is installed.

Since the .bat file is a part of the original matrix, ImmuneEngine will allow it to run.

Now, edit that .bat file to something else and save it.

It has thus far been changed, so when you try to run it now, ImmuneEngine will analyze and stop its execution, before it is passed to the kernel. This goes for scripts too.

Whatever this "matrix" is, the matrix has to be stored somewhere in the system, most likely in a file. Whatever you decide to [not] call this file, in the end it will still be a database no matter how much you deny it. Now there are two things wrong with having a database: corruption/modification, and contradiction. Also, more advanced hackers know that it's as easy to simply modify the registry so as to have batch files have a new extension of, say, .baw. Then they rename their file and, voila, it runs! Using a database of good and bad files also doesn't work with CDs. Some CDs might contain malware, but others are needed for programs. The only way you can get these files into your matrix is to ask the user to insert all of his/her CDs to be scanned.

A computer can't reason. You either allow executables or not. Don't look too deep into it. It's pretty simple. Because of that simple reason that they can not reason, it is up to the user to know if any new executables are coming from a legit source. Simply put, it is those executables that you have no knowledge about being downloaded to the machine that you want to stop, or those that you accidentally execute yourself. Why waste time in trying to GUESS what is good or not? GUESS the wrong answer, and you're toast, as you have seen with some other methods of protection.

Let's see, "it is up to the user to know if any new executables are coming from a legit source", but you also say "why waste time in trying to guess what is good or not". So the user gets to decide, but not guess. Since usually the user guesses when faced with a decision dialog, your statements do not make sense, hence another contradiction. If I understood you wrong, and the computer does this, then the computer has no way to know if you know these executables are being downloaded.

As of right now, this statement is your theory. And is unfounded. If you haven't seen it, how can you be certain this is the case? In the live meeting, I will show you the task manager for proof that it's not processor-hungry.

So if you just optimize code enough, you can get Doom 3 to run with zero processor usage? And of course it's possible to have your software run with low processor usage, on an Athlon FX-57.

You started that response with IF it has a black/white-list. I noted above that there is no "list", "database", "signature" in our system.

I only use IF so as to not assume anything is true, but to be open to all possibilities. If you do not use lists, databases, or signatures, then what is this "matrix"? Is it stored in memory? Hard-coded into the program executable?

In a previous post I stated that in our analyzation methods, a checksum is done. The checksum is just one part that we analyze amongst other occurrences that happen when we analyze the executables. You change an existing OS executable, it won't run. Also, upon install (out-of-the-box installation, that is, no extra configuration done), it will automatically build a backup for the critical system executables. Therefore, if you modify something, it will 1) report it, 2) not allow you to execute it, and 3) put back the original. Not to mention, Windows File Protection would be in place as well.

A checksum is also a SIGNATURE. Another contradiction there. Do you know all of the critical system files? If so, what are they? And from what I have read, I assume that this software is installed on a client and reports to a server? Well-hidden malicious software can disable the Internet connection, delete the original and replace the backup and WFP with a malicious copy, leaving you unable to report, unable to replace the bad copy with a good copy, and also corrupting your "database".

Again, why would I make a claim if it wasn't true? You have to see to believe. Which you have yet to see in action.

I'd prefer a trial version. I also removed NetMeeting a long time ago. And seeing how long and processor-intensive a filename search is, how much more so do you think a checksum scan will be?

Again, you are going to have to see to believe. The scan is rather fast, quite frankly. What's more important, waiting 2 extra seconds to do a scan of something that might have been changed to be malicious, or being wide open and rather having 2 sec. of time not waiting?

Prove this not by asking me to see a demo that I absolutely refuse to see, but by explaining to me how the code functions.

Again, I wouldn't make a statement if that was true. It has no more extra HDD space taken up than any normal application would. Microsoft Office takes up more space than we do. I assure you, the install is quick and small.

You didn't mention anything about processor usage, so I'm guessing that there is a speed decrease? And read the above sentence: I cannot and do not want to see a demo, but a trial version. What is the use of telling us about some software we cannot get?

Again, if it hasn't been done, I wouldn't say that it was possible. Truth is, it has been done, and it is being done right now. Because we are doing it.

I know lots of snake oil products that say something is possible when it can't be done. Give me code proof.

And my conclusion: You are not really what you claim you are. As an IT pro, you should know that checksums are used to create a signature in AVs, that this matrix has to exist somewhere and if it does, as a database, that the use of this matrix makes it a database, that the matrix has an obvious flaw of not being able to detect CD files and of all the ways to bypass this matrix, that optimizing code does not take away from obviously processor-intensive tasks, and finally, all of the contradictions of yours. I have also read the whitepapers on the site, and find them nothing more than a description of the product's superiority, giving no reasons whatsoever as to how it does something, the entire purpose of a whitepaper.

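The .bat walk-through in rhythmnsmoke's reply (baseline at install, deny after an edit, restore a tampered critical file from backup) and the objection in the reply above that the "matrix" is necessarily a stored list of checksums can both be made concrete in a few lines. The following is an added example written for this page, not ImmuneEngine's code or anything published by the vendor; the file names, the set of "critical" files and the JSON store are assumptions.

```python
# Added example, not ImmuneEngine's code: a minimal hash-baseline execution
# allowlist of the kind argued over in the thread. "Install" hashes every
# executable into a baseline (the "matrix") and backs up files marked critical;
# "run" recomputes the hash and denies anything absent or changed, putting a
# protected file back from its backup. File names, the critical set and the
# JSON store are constructed assumptions, not the product's.
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumed set of extensions treated as executable. Anything renamed outside it
# (the ".baw" point raised in the thread) would never be hashed into the baseline.
EXEC_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".vbs"}


def sha256_of(path: Path) -> str:
    """Digest of the file bytes; a single changed byte gives a different value."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Baseline:
    """The 'matrix': relative path -> {sha256, critical}, persisted as JSON.
    Whatever it is called, it is a stored list of file checksums."""

    def __init__(self, root: Path, store: Path, backup_dir: Path):
        self.root, self.store, self.backup_dir = root, store, backup_dir
        self.entries: dict[str, dict] = {}

    def build(self, critical: set[str]) -> int:
        """Out-of-the-box install: hash every executable under root and keep a
        backup copy of the critical ones. Returns the number of entries."""
        self.backup_dir.mkdir(parents=True, exist_ok=True)
        for p in sorted(self.root.rglob("*")):
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                rel = p.relative_to(self.root).as_posix()
                self.entries[rel] = {"sha256": sha256_of(p),
                                     "critical": rel in critical}
                if rel in critical:  # backup keyed by file name (assumed unique)
                    shutil.copy2(p, self.backup_dir / p.name)
        self.store.write_text(json.dumps(self.entries, indent=1))
        return len(self.entries)

    def check(self, rel: str) -> tuple[str, str]:
        """Decision taken before the file would be handed to the loader.
        Returns (verdict, reason) with verdict 'allow' or 'deny'."""
        entry = self.entries.get(rel)
        if entry is None:
            return "deny", "not in baseline"
        p = self.root / rel
        if not p.exists():
            return "deny", "baseline entry but file missing"
        if sha256_of(p) == entry["sha256"]:
            return "allow", "hash matches baseline"
        # Modified since install: report, deny, and restore if a backup exists.
        if entry["critical"]:
            shutil.copy2(self.backup_dir / p.name, p)
            return "deny", "hash mismatch; original restored from backup"
        return "deny", "hash mismatch; execution blocked"


def demo() -> list[tuple[str, str, str]]:
    """Constructed walk-through: the .bat is allowed at install and denied after
    an edit; a tampered critical file is denied and restored, then allowed again;
    a file that was never baselined is denied outright."""
    work = Path(tempfile.mkdtemp())
    root = work / "system"
    root.mkdir()
    (root / "hello.bat").write_bytes(b"@echo hello\r\n")
    (root / "notepad.exe").write_bytes(b"MZ constructed critical binary")
    bl = Baseline(root, work / "matrix.json", work / "backup")
    bl.build(critical={"notepad.exe"})
    results = [("hello.bat", *bl.check("hello.bat"))]
    (root / "hello.bat").write_bytes(b"@echo hello\r\n@echo changed\r\n")
    results.append(("hello.bat", *bl.check("hello.bat")))
    (root / "notepad.exe").write_bytes(b"MZ constructed tampered binary")
    results.append(("notepad.exe", *bl.check("notepad.exe")))
    results.append(("notepad.exe", *bl.check("notepad.exe")))
    (root / "dropper.exe").write_bytes(b"MZ constructed unknown binary")
    results.append(("dropper.exe", *bl.check("dropper.exe")))
    shutil.rmtree(work)
    return results
```

Note that matrix.json is the allowlist the reply above says must exist: whoever can write that file or the backup directory decides what runs, so both need the same protection as the executables they vouch for.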

I also have removed Netmeeting

OK, I'm not trying to talk you into the demo; you made that clear. But for others, just so you know, you don't need anything installed for LiveMeeting; it is purely web based. You can even use a Knoppix live CD or the like if you are worried about your machine being attacked (it won't be). I never saw it used before, and it is pretty slick.

