Dynamic Security Agent : Malware Tests


Dynamic Security Agent Tests


These pages were made to share the results of tests conducted on Dynamic Security Agent (DSA), a HIPS (Host Intrusion Prevention System) released as freeware by Privacyware in 2006. The program is intended to be used as a 'signature-less anti-malware': thanks to the proactive protection provided by its various components, it can control, or block, the damage whenever an infection happens to run on the system.

Link : http://www.privacyware.com/dynamic_security_agent.html

 

Basically, the program has 5 main components: Application monitor, Registry monitor, Process monitor, Email anomaly analyzer and System anomaly analyzer. Besides these, a full inbound/outbound packet filter is integrated, actually the same as in PrivateFirewall, along with the application-level firewall of DSA. The main difference between the two programs, DSA and PrivateFirewall, is that DSA doesn't offer any functionality to set specific rules per application. That's true for the 'firewall' part of DSA (new programs require permission to access the network, but rules are basically allow/deny, which means that no 'custom' rules can be created per application), and it is true to some extent for the 'HIPS' part of DSA as well: rules can only be set when an event occurs. For example, a program will trigger an alert about an autostart entry; the autostart will then be allowed or denied within DSA, without any possibility to review these rules for specific programs later. There is no configuration window per application. It can be seen as a lack of control for the user, but on the other hand it allows the program to stay simple to use.

Process monitor, Email anomaly analyzer and System anomaly analyzer can be enabled or disabled. The 3 other defense components are always enabled unless you exit DSA (right-click on its systray icon): Registry monitor, Application monitor and Firewall. These 3 components are at the 'core' of malware prevention, which is probably the reason for this special status.

The main window looks like this :

Programs for which rules were created are listed in the Process/Applications lists, and when 'deny' rules are set for a program, it is added to the 'quarantine' panel: all subsequent attempts to run, or to perform the denied changes, will be automatically blocked, with a reminder popup alerting about it.


____________________________________________________________________________

 

The goal of these tests was to show the ability of the program to prevent/control infections, to resist malware trying to install on the system: in one word, we've tested its 'strength'. That's the reason why most of these tests (probably 95%) were made with REAL malware, and why very few testing utilities were used; in fact, the 'testing utilities' used were some demo rootkits and some keyloggers. We agree that some testing utilities would have helped to show some points of the behaviour of DSA, but we focused on malware notwithstanding: malware is what DSA is supposed to protect against, and what it is likely to deal with on people's computers, thus the 'real life' approach was singled out.

 

One detail: these tests were at first started without any intention to publish them; it was just some personal 'playing around', to see how DSA behaves in front of some malware. A few tests were made, 5, 8, 15... then the idea to share this experience grew gradually. I've never done any website before, and for this reason I'm sorry for the poor quality of this one... But if the website is rustic, I've tried to make this review as relevant as I could; a wide range of malware behaviours was then set, to try to pinpoint both the strengths and the weaknesses of DSA. There are no viruses at all in the tests, but the set of malware tested and included in this review was carefully established to show its behaviour in front of a wide range of infection techniques: several kinds of trojans, some backdoors, some worms, bunches of rootkits, some keyloggers, and finally what looks like a rising threat: the HIPS/firewall killers.

The choice was made not to include any viruses: we see fewer and fewer viruses anyway; the most prevalent threats today are trojans/spyware, sometimes including a rootkit to make removal harder.

Ideally, the same work should have been done on several programs, in order to make a comparison. It wasn't conceivable here though, since it would take too much time for one tester to make all the tests, compile screenshots and write all the pages for several programs, at least not with such a set of tests (80 tests total). It could be done with a lighter test set, but we preferred to make a kind of 'in-depth' work about one single program at a time. Whatever, stay tuned, other programs should follow ;)

The test files: about 95% are very recent threats (tests started in April/May 2007), current malware that was spreading at the time the tests were made (some can be seen today in HiJackThis logs on malware removal forums). Actually, a lot of these files were collected during voluntary infections, on 'live' malware links. Only very few files are old samples. A note on these test files: the most virulent, most aggressive samples were selected for the review. These test files are often difficult tests to pass...

How tests are performed: basically, we show IF DSA can block each threat, and if yes, how. However, the most 'complex' test files are tested twice for the write-up:

* One time where the infection is allowed to install: the goal is to show 1) what the malware is doing on the system (to evaluate what can be blocked or not, and to show the behaviour of the malware) and 2) what the behaviour of DSA is during this infection (what is detected, what is not, does DSA stay stable during the infection, etc.). It is only by doing so that we gradually discovered the entire extent of the protection offered by DSA: some of its features and detection abilities are indeed not mentioned on the Privacyware website.

* A second time to show how it can block the infection, or not.

 

Doing so for these samples was more informative than just trying to block the threat the first time (one of the reasons is that these samples are tested on 2 or more different behaviours; e.g. the Bagle worm test consists of 3 tests: one about the worm behaviour itself, one about the antivirus/services killing, one about the rootkit). The samples tested this way are those which have their own test pages; most of the samples, by contrast, are tested in grouped pages.

 

ALL tests were done several times, in order to ensure that each result was convincing and repeatable.

 

Configuration used for these tests: one important detail, the Email anomaly analyzer and the System anomaly analyzer were not tested. The reason is that we tested DSA on its 'classic' HIPS features at the beginning, and then the whole set of tests was made the same way. However, these 2 modules are tested separately. Tests were made on a system running Jetico firewall (version 1), Antivir and DSA. A few tests were made with another firewall, Zone Alarm free, and another antivirus, AVG free. One test was done with McAfee VirusScan. The antiviruses were disabled during the tests.


The tests

_______________

 

A total of 80 tests were selected, grouped together in categories: 10 Trojans/Spyware (and 5 AV/FW/Services killer Trojans), 5 Backdoors, 4 Worms, 22 Keyloggers, 27 Rootkits and 6 SSDT restorers (1 test about exploits, too). As you can imagine, the distinction between categories is sometimes artificial: all files which are not Backdoors or Worms can be seen as Trojans; some of these trojans are Rootkits, some are not, and some are even a kind of this new threat: SSDT restorers.

For these reasons, categories are merely set for methodical purposes: some files can belong to several categories. The Verdict page, at the end of the review, lists every test, including multiple tests about the same sample. Some malware samples are tested on 2 of their behaviours (example: backdoors using rootkit technology get 1 test about the backdoor itself and one test about the rootkit, as far as test grading is concerned). Only one sample is tested on 3 different behaviours (worm Bagle.gl).

 

Tables are available on the last page, 'final verdict', listing every passed/failed result.

 

Trojans Tests

Trojans_tests.htm

AV-FW-services_killers.htm

Delphi-trojan.htm

LdPinch_test.htm

TrojanDownloader-SmallDDT1.htm

Trojan-LoadADVgen_test.htm

__________

 

Backdoors Tests

Backdoor-tests.htm

Hupigeon_test.htm (rootkit)

Haxdoor-test.htm (rootkit, 2 samples)

__________

 

Worms Tests

Worm-Brontok-Test.htm

Worm-Bagle-GL_test.htm (rootkit, AV/Services killer)

Worm-VB-AS-21.htm

__________

 

Keyloggers Tests

Keyloggers_Tests.htm

__________

 

Rootkits Tests

Rootkits_tests.htm

DNS-changer.htm

Goldun.htm

Rustock-rootkit-Test.htm (4 variants)

Magic-control-test.htm

MsSync-rootkit-test.htm

__________

 

The rising threat : SSDT restorers, the 'HIPS/firewalls killers'

 

Agent-alm_test.htm

Bifrost_unhook_test.htm (rootkit)

Rootkit-Agent-FQ-Test.htm (rootkit)

Trojan-Small-emw-Test.htm

Rootkit-EY-test.htm (rootkit)

rootkit-agent-ez_test.htm (rootkit)

__________

 

Email and System anomaly analyzers

 

email_sys_anomaly.htm

 

_____________________________________________

 

*****   The verdict   ***** 

 

final_verdict.htm


Disclaimer: these tests are independent from Privacyware, the editor of Dynamic Security Agent.
