AppSamvid - Application Whitelisting (Discussion)

Ink

Discovered by Indian Govt Launches Free Anti-Virus & Anti-Malware Solution for PC & Mobiles (@Yash Khan) | Filed under Latest Security News.

AppSamvid is an application white-listing software for Microsoft Windows based operating systems. White-listing allows only pre-approved files to execute on the operating system. This is in contrast to the traditional signature-based antivirus approach of blacklisting virus files. White-listing has the advantage over blacklisting that it does not require frequent virus definition updates. AppSamvid can protect the operating system against computer malware (such as viruses and Trojans).



Features
  • White-lists executable and java files (.exe, .class, .war, .jar)
  • Has Installation Mode:
    1. To allow updating of software
    2. To allow installation and/or un-installation of software
  • Folder Scan and File scan option to add executable files to database
  • Password based access to user interface
  • Supports operating system updating via Microsoft Updates
  • Bundled with heuristic malware engine to gain confidence on which files to white-list
  • Allows files to be made as Trusted Updater
  • Can identify potential updater files to help the user find which files can be made as trusted updater(s)
Version 2.0.1 - Improvements
  • Removed Add To White-list from the context menu access denied bug.
  • Allowed un-installation from control panel.
Known Issues:
  • If the user tries to run a blacklisted executable repeatedly in quick succession, the system goes into a not-responding state.
  • Some antivirus software stops the AppSamvid service. This will disable the white-list enforcement.
  • If the user interface of AppSamvid is running and AppSamvid is uninstalled without exiting the UI, the uninstaller does not delete all the files of the software. This can create problems when AppSamvid is reinstalled at a later point in time.
  • If there are multiple entries for the same executable file in the database and only one is blacklisted, it can sometimes result in the executable running rather than being blocked from execution.
  • After a change in the white-list, it sometimes takes a few seconds for the changes to take effect. At other times a service restart is required, by disabling and enabling the enforcement.

May be flagged by your Antivirus software, potential FP | VirusTotal
User Guide, Troubleshooting and Manual included in Download package (.zip).
Supports Windows 7 and 10; 32-bit and 64-bit.

I have not tried this software, except for the Avast FP.
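The default-deny model and the Folder Scan feature described above, as an added example that is not part of the original post and is not AppSamvid's code. It assumes files are identified by SHA-256 of their content (the page does not say how AppSamvid identifies files), and it resolves the duplicate-entry case from the Known Issues list by letting a block entry override any allow entry; all function names are hypothetical.

```python
import hashlib
import os
import tempfile

# File types the feature list says are white-listed.
COVERED = {".exe", ".class", ".war", ".jar"}


def sha256_of(path):
    """Identify a file by content, so a renamed or moved copy matches."""
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


def folder_scan(root, verdict, database):
    """Folder scan: record every covered file under root with one verdict."""
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in COVERED:
                path = os.path.join(folder, name)
                database.append((sha256_of(path), verdict, path))
    return database


def may_execute(path, database):
    """Default deny; one 'block' entry outweighs any number of 'allow' entries."""
    digest = sha256_of(path)
    verdicts = {verdict for sha, verdict, _ in database if sha == digest}
    return "allow" in verdicts and "block" not in verdicts


def write(root, relative, data):
    full = os.path.join(root, *relative.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)
    return full


def demo():
    """Constructed files: a tool, an identical copy, a jar, a text file."""
    with tempfile.TemporaryDirectory() as root:
        tool = write(root, "apps/tool.exe", b"constructed tool bytes")
        copy = write(root, "backup/tool.exe", b"constructed tool bytes")
        jar = write(root, "apps/lib.jar", b"constructed jar bytes")
        write(root, "apps/notes.txt", b"not an executable type")
        database = folder_scan(root, "allow", [])
        before = may_execute(tool, database)
        # Second entry for the same content, this one blacklisted.
        database.append((sha256_of(copy), "block", copy))
        unknown = write(root, "downloads/new.exe", b"constructed unknown")
        return (len(database), before, may_execute(tool, database),
                may_execute(jar, database), may_execute(unknown, database))
```

`demo()` returns the database size followed by four decisions: the tool before the block entry exists, the tool after it, the white-listed jar, and a file that was never scanned.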
 

Deleted member 2913

Hello,

Tried it...
Seems good...
Attached are the screenshots -

Requires Visual C++ 2012 & 2015 Redistributable (Downloaded/Installed on install)
During install, C++ 2015 install completed & mentioned "restart required to work" with options restart & close, I selected close & Appsamvid install continued...(I think, selecting restart on C++ install window would abort Appsamvid install)
On install, you need to provide "Password" i.e Password Protect Appsamvid
On install, you get an option to run or skip initial scan...I skipped & continued...

After install completed, I restarted the system...
Started Appsamvid, I got window, program requires .Net 3.5 "Download & Install" & "Skip". Downloaded/Installed .Net 3.5

Started Appsamvid...Run initial scan...Initial scan completed in app 10-12 mins here...
After initial scan completed, protection was on "Suspend whitelist enforcement till next reboot"
I restarted the system & protection was on "Enable whitelist enforcement"

2 processes under 30MB

I tested with 21 portable programs
4kvideodownloader
4kvideotomp3
Avidemux
DnsJumper
Firefox
FreeFileSync
HDSentinel
IObitUninstaller
KasperskySystemChecker
MediaInfo
Microsoft PID Checker
MKVToolnix
qBittorrent
RevoUninstaller
Rufus
SecureMyBit
SubtitleEdit
TeamViewer
VidCoder
Vivaldi
ZemanaAntimalware

All the above were allowed except VidCoder was blocked & detect.dll of HDSentinel was blocked

I tested with harmless samples
PotentiallyUnwanted from AMTSO
CloudCar from AMTSO
LeakTest from grc.com

All the 3 were blocked

Program seems light, simple & clean GUI

Win 10 64 Pro
Alerts are Win 10 alerts (Notification) so no allow/etc options (Don't know if alerts are that way i.e no options Or some kinda Win 10 notification limitation? i.e like Comodo (V10) AutoSandbox alerts on Win 7 have "Dont isolate again" option on alerts But "Dont isolate again" option is not there on AutoSandbox alerts on Win 10)

Seems effective...would like to see few tests And cruelsister's attack...

UPDATE -
You can "Unblock" blocked programs through logs
Programs install that use temp file (different temp file every time), you can use "Install Mode"
To close GUI, you need to click "X" on the top right corner, clicking "Exit" on the GUI exits the program i.e protection disabled.

NOTE/CAUTION - I used "Install Mode" to install DriverTalent. After install, I opened GUI to enable protection again, it was on "Disable Mode", you need to click "Apply" & protection is enabled BUT protection was on "Suspend whitelist enforcement till next reboot". I selected "Enable whitelist enforcement" & "Apply"...
I tried the blocked programs again & they were not blocked. I thought, maybe re-enabling protection from install/disable mode requires program exit or system restart. I tried program exit but blocked programs were still not blocked. I restarted the system AND on boot got BSOD "Unmounted Bootable" or something...

Reverted to clean snapshot with Rollback Rx...

Thank You

 

shmu26

thanks for great review!
when it allowed your list of programs, how did it decide they are good? Does it have a ready-made whitelist, or a list of trusted vendors?
 

Deleted member 2913

I think "Initial Scan" whitelist stuffs...

And I am going to edit my post in few mins...do check "UPDATE" in few mins...
 

cruelsister

This is a very clever application. One can run the Whitelist scan on installation as well as at any time on-demand. There is also a right-click context menu entry to Whitelist something like an internal update for a pre-existing Whitelisted program.

As to malware, there is one glaring issue, but far be it from me to be Cruel...
 

Deleted member 2913

When are you going to do a test...?
 

cruelsister

I should have a chance to do it within a week (target this weekend). But please understand that on the whole this is a fairly cool application even as it currently exists, and the fact that the Indian Government cared enough to release this and the other applications speaks very highly of them.
 

Deleted member 2913

Yeah, it does seem a good app overall...
Logs should have an option to hide allowed/blocked apps...
TrayIcon rightclick options should have "Install Mode" option...
There should be an option to not set password...
File/Folder scan with allow/block option is good too...
I don't like the dependencies .Net 3.5, C++, MSXML

What do you mean by "As to malware, there is one glaring issue, but far be it from me to be Cruel..."?...You can PM me...

Looking forward to the test...

P.S - Kinda shocking/surprising was...it's in Comodo whitelist i.e I tried with CFW install too & installed fine i.e not autosandboxed...;):)
Just checked, digital sign is there in trusted vendor...
 

HarborFront

If you have VS/SecureAPlus do you need this? What's so good/bad of this program over VS/SecureAPlus?

Thanks
 

Deleted member 2913

AppSamvid guide mentions -

"Executable file Analysis
AppSamvid software comes with a ‘heuristic binary analysis engine’ which allow user to analyse a selected file and get an information upon which user can build the consensus if the file is malicious in nature or a benign file. The output of analysis is a numeric score starting with 0. The low score value indicates that it’s potentially a clean file and can be whitelisted. The high score indicates that file can be potentially malicious and needs cross-examination before whitelisting. Please note that high score for a file not always indicates that it’s a malicious file. There are examples of clean files that are compressed to decrease their size and for them analysis can give a high score."

I didn't notice this...maybe I missed it or maybe the mentioned feature was in an earlier version & later removed, etc.
 
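Why a compressed but clean file can score high, as the guide text quoted above warns: an added example, not part of the original post and not AppSamvid's engine. It assumes byte entropy as the heuristic (the page does not describe how the real score is computed); the sample content is constructed and all names are hypothetical.

```python
import math
import random
import zlib
from collections import Counter


def byte_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data).values()
    return -sum(n / total * math.log2(n / total) for n in counts)


def heuristic_score(data):
    """Hypothetical score from 0 to 100; higher means inspect before white-listing."""
    return round(byte_entropy(data) / 8 * 100)


def constructed_sample(words=40000, seed=7):
    """Benign stand-in for program content: lowercase words and spaces only."""
    vocabulary = ["open", "file", "print", "window", "update", "config",
                  "service", "install", "scan", "report", "driver", "menu"]
    rng = random.Random(seed)
    return " ".join(rng.choice(vocabulary) for _ in range(words)).encode()


def compare():
    """Score the same content raw and zlib-compressed."""
    raw = constructed_sample()
    packed = zlib.compress(raw, 9)
    assert zlib.decompress(packed) == raw  # same content, different encoding
    return heuristic_score(raw), heuristic_score(packed)
```

`compare()` returns the raw score and the compressed score for identical content, which is why a high score calls for cross-examination rather than an automatic block.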

HarborFront

Hi

Can I check whether the program auto-scans for whitelisting upon first install or needs the user to initiate the scan? Also, what if you install new programs after the first scan? Will it auto-scan or need the user to scan manually? It would be best if the program can run automatically

Thanks
 

Deleted member 2913

There is no scan i.e some kinda analysis/scanning to whitelist programs...

Initial scan is there i.e during install, there is an option to run or skip initial scan. If you skip then on start of the GUI, initial scan is there & need to run...
Once initial scan is completed, you see an option, scan file/folder with option allow/block i.e if you select a folder & choose allow, folder will be scanned & added to allow (scan here, I don't think some kinda analysis but find files & adds to allow...)

New programs/updates, etc... will be blocked as not in the whitelist. You can rightclick program executable & select "Add to Trusted" or use "Install Mode".
I think in GUI, in whitelist section, you can select programs & set as "Updater" so those programs updates, etc will be treated as safe/whitelisted.
 

HarborFront

So the scans are similar to VS.

In your opinion is this program needed if you have VS/SecureAPlus? If needed then what makes this program a need?

Thanks
 

Deleted member 2913

Ok, I checked & it's there...But I didn't like the implementation...i.e -

In GUI, in whitelist section, you can rightclick programs entry & select "Analysis" & score is shown in the right side...
But those are already whitelisted programs or whitelisted by you so "Analysis" there is not much helpful...It is helpful in a way i.e you allow a program & then check that program to see the score...

I find the program little buggy...i.e...
Alerts sometimes don't appear, unknown programs are blocked & you get the window not authorized or not found but AppSamvid notification is not there...
Install mode & re-enable protection is buggy i.e after using install mode & re-enabling protection, sometimes unknown programs are correctly blocked & sometimes not...
 

Deleted member 2913

Yeah, like VS takes initial snapshot, likewise ASV does initial scan to create whitelist...

Not needed...VS & ASV are similar programs i.e whitelisting i.e whitelisted allowed & not in whitelisted blocked

ASV is more kinda lockdown i.e you have to do stuffs manually more...& require you to enter password for whitelisting programs, etc...
VS is similar but VS alerts have allow/block, etc option too...so kinda easy access to allow/whitelist programs...
 