
As a programmer I don't use anti-virus programs for a simple reason: I found that viruses are only detected once the executable or a part thereof has been explicitly blacklisted by the anti-virus developer.

At least that is how I experienced it. When I write a simple stupid malicious program, no anti-virus program seems to be blocking it...

Now I'm wondering if there are tools that can simply place themselves as another layer on top of the operating system's API. And allow the user to create a whitelist of which function each executable may access. It would also be nice to get a pop-up every time a new function is called, revealing the passed arguments and asking the user if they want to grant/deny access.

So that I could for example specify which file/folder/registry/process entry can be read or modified. And also things like which devices can be used, which IP addresses can be communicated with etc.

I know such tools exist for Android (Xprivacy), but I'm curious if tools like this also exist for Windows, Linux and Mac OS X.

And I'd also like to know if there is a technical term for this kind of a tool, as I don't think it would fully fall under the category "anti-virus program" or "firewall".

schroeder
Forivin
  • It seems what you are looking for is essentially sandbox technology. Take a look at Sandboxie (http://www.sandboxie.com/), but I don't think it's capable of modifying WinAPI functions to inject fake data such as XPrivacy for Android. But still might be worth a shot. – user1164108 Nov 22 '16 at 13:58
  • Sounds interesting. But it is really expensive and closed-source. – Forivin Nov 22 '16 at 14:11
  • So, because AV does not catch 100% of threats, it is 0% useful? – schroeder Mar 16 '17 at 07:57
  • The whole concept of regular AV software is flawed and misleading imo. If you ask me, regular AV software is actually counterproductive and should be called spyware itself. Just thinking about all the data they are collecting and selling... it's completely ridiculous. Using common sense when browsing the Internet is a way more effective measure if you ask me. – Forivin Mar 16 '17 at 09:51

4 Answers


First of all, antivirus software doesn't only use a signature database of complete or partial files.

This software also uses behavioral detection to protect from unknown / zero-day malware, for example by monitoring which areas it's trying to access or which files it's trying to change.

Behavioral protection is already included in the popular basic antivirus products - you don't need to get an extended internet security bundle for that.

This is why there are false positives from time to time - the more there are, the more crudely the antivirus engine is tuned.

Most of what you're looking for already exists in some products, in part or all together:

  • A firewall to monitor web traffic with white-listing options
  • Extended protection and permission management for specific files/folders or areas of your computer.

Here's an example of Bitdefender's ransomware protection feature, providing protection at boot for specific folders, which you select yourself:

[Image: Bitdefender's ransomware protection feature]

Image source: Bitdefender review

Secondly, a quick Google search brought me to a nifty little program called WinPatrol which seems legit enough looking at some forums and reviews:

WinPatrol is available in a free version, which offers a handful of ways to monitor just what's going on on your PC. You can see a list of startup programs, which you can choose to disable or delay. You also can see a list of recently used programs, hidden files, file types by associated program, active tasks and services, and much more.

Source: PC World

It gives you the opportunity to stop something that you don't want running. It gives you the opportunity to investigate what is running and check if you really need it. It's one little pet that I've relied on since Windows 95.

Source: Avast forums

Check it out, this might be something you will find useful as an addition to an active antivirus protection.

Affiliation disclaimer: I'm not affiliated with WinPatrol in any way, but I work for the antivirus reviews site from which I took the image.

FatSecurity
  • Well, in theory this all sounds great. But I've written different simple programs that for instance just delete or manipulate random files and they were not detected as malware (according to websites like VirusTotal). But yeah... how is an AV program supposed to know? So what I'm looking for is a tool that just intercepts every single call to an OS function and lets me define filters and static/dynamic fake data. – Forivin Dec 05 '16 at 14:38
  • What you're asking for sounds a bit overzealous. I was curious so I searched for something like that but couldn't find anything that goes this deep. I think that this type of software is bound to create unnecessary load on a system, and would require a whole lot of management from a user overall, so nobody would actually use it. Furthermore, the malware that you say you developed is very simple and since it doesn't actually benefit the developer but only damages the user's files, it's unlikely malware developers would write something similar. They're only trying to get rich, those buggers. – FatSecurity Dec 05 '16 at 16:28
  • Malware developers will always be one step ahead. Just try to think out of the box. I mean by modifying files I could easily inject malicious code into them, tricking other programs into executing it. Also, damaging the victim could easily benefit the developer, even "get him rich". You also have to keep in mind that you become almost untraceable by cutting out the spying component. – Forivin Dec 05 '16 at 17:57

This type of program is called an application firewall:

An application firewall is a form of firewall that controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall.

Yes, there are implementations of this for all major operating systems. For example, AppArmor is a Linux kernel security module that allows app developers or packagers to write profiles for an application. However, these kinds of tools are usually considered too difficult for most end users to generate a profile with. So most of the time, AppArmor profiles are written by the packager or the app developer rather than by end users. The problem with such tools is that even in simple applications there would be many false positives, and you usually need deep knowledge of the application's internals to figure out what is and what is not acceptable.

Many antivirus products also have behavior detection; this usually goes by the name heuristic analysis or behavioral analysis. Note that for many parts of a heuristic/behavioral engine to work you have to actually execute the program, so online antivirus services like VirusTotal usually may not detect them. Behavioral detection is usually tuned to detect malware that attempts to hide itself in system files, gain privilege, or do other such things that destroy system integrity. Malware that works entirely from userspace, like ransomware, is generally much harder to detect with behavioral analysis without producing lots of false positives.

Lie Ryan
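To make the "application firewall" idea in the answer above concrete, here is an added example (not code from the Q&A, from AppArmor, or from any product named on the page): a toy user-space evaluator that reads a small AppArmor-style profile for one executable and decides, default-deny, whether each recorded file access is allowed by the whitelist. The profile, the event log, the executable name `/usr/bin/notes-app` and the `open-read`/`open-write`/`exec` event vocabulary are all constructed for the example; only the path-rule subset of the real AppArmor syntax is understood, and real enforcement happens in the kernel, not in a script like this.

```python
"""Added example: a toy evaluator for an AppArmor-style per-application
whitelist. The profile syntax is a simplified subset, and the event log is
constructed; real AppArmor enforcement is done by the Linux kernel."""
import re
from dataclasses import dataclass

# Constructed, simplified profile: each rule is "<path glob> <perms>,"
# where perms is a subset of r (read), w (write), x (execute).
# "**" matches across directory separators, "*" within one component,
# mirroring AppArmor's globbing conventions.
PROFILE_TEXT = """
/usr/bin/notes-app {
  /usr/lib/** r,
  /home/*/Documents/** rw,
  /home/*/.config/notes-app/* rw,
  /usr/bin/notes-app x,
}
"""

# Constructed access events in the shape "<pid> <op> <path>", the kind of
# record a syscall tracer or the kernel's audit log would provide.
EVENTS = """
1234 open-read /usr/lib/libc.so.6
1234 open-write /home/alice/Documents/todo.txt
1234 open-read /home/alice/.ssh/id_rsa
1234 open-write /etc/passwd
1234 exec /usr/bin/notes-app
1234 exec /bin/sh
"""

# Map each (constructed) event kind to the permission letter it needs.
OP_TO_PERM = {"open-read": "r", "open-write": "w", "exec": "x"}


@dataclass(frozen=True)
class Rule:
    glob: str
    perms: str


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate an AppArmor-style path glob into an anchored regex:
    '**' matches anything including '/', '*' stays within one component."""
    out = "^"
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile(out + "$")


def parse_profile(text: str) -> tuple[str, list[Rule]]:
    """Return (profiled executable, rules). Only '<glob> <perms>,' path
    rules inside '<exe> { ... }' are understood (an assumption here)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = re.match(r"^(\S+)\s*\{$", lines[0])
    if not header or lines[-1] != "}":
        raise ValueError("expected '<exe> {' ... '}'")
    rules = []
    for line in lines[1:-1]:
        m = re.match(r"^(\S+)\s+([rwx]+),$", line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        rules.append(Rule(m.group(1), m.group(2)))
    return header.group(1), rules


def is_allowed(rules: list[Rule], path: str, perm: str) -> bool:
    """Default-deny: allowed only if some rule matches the path AND grants
    the requested permission letter. Anything not whitelisted is denied."""
    return any(perm in r.perms and glob_to_regex(r.glob).match(path)
               for r in rules)


def evaluate(profile_text: str, events_text: str) -> list[tuple[str, str, str]]:
    """Return (decision, op, path) for every event, in log order."""
    _exe, rules = parse_profile(profile_text)
    results = []
    for line in events_text.strip().splitlines():
        _pid, op, path = line.split(maxsplit=2)
        decision = "ALLOW" if is_allowed(rules, path, OP_TO_PERM[op]) else "DENY"
        results.append((decision, op, path))
    return results


if __name__ == "__main__":
    for decision, op, path in evaluate(PROFILE_TEXT, EVENTS):
        print(f"{decision:5} {op:10} {path}")
```

Running it shows the two reads that a notes application legitimately needs allowed, while the read of a key file outside the profile, the write to `/etc/passwd` and the spawn of a shell are denied. It also shows why the answer calls profile writing hard: every legitimate path the program touches must be enumerated up front, and a rule that is too broad (`/home/** rw`) would silently let the very accesses a user wants to stop through.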

Glasswire includes a few (but also more) of the features you are asking for (with free, nagware, and full-commercial versions):

HMPA (Hitman Pro Alert) is another commercial solution, owned by Sophos (one of the best EPPs as seen in the Feb 2017 Gartner MQ) -- https://www.hitmanpro.com/en-us/alert.aspx

Or for another competitor, check out -- https://www.netlimiter.com

The above will simply block network connections or access to webcams and mics (but they will ask first, and do not necessarily block at the process level). To block every process, try -- http://voodooshield.com -- or -- http://www.novirusthanks.org/products/exe-radar-pro -- or even -- http://www.appguardus.com

atdre

If you are running Windows XP (32-bit), the older project WinPooch might be your answer.

https://sourceforge.net/projects/winpooch/

dark_st3alth