[Dual Review] FMT Intel Secure - System Forensic Tool

[Deleted member 178]

what is Nico Forensic Malware Tool (FMT) ?

From its creator, N.nvt (member of malwaretips.com):

The goal of the tool is to utilize internal windows functions, like Netstat, ipconfig, Netsh, InetCpl, wevtutil and some other smaller functions.
These functions and variations will create a huge log file, with everything about your computer in terms of:
Software, Security, Processes, Policies, firewall rules, connections (TCP,UDP,ICMP) and various other deep level information sources.
This log file is seriously huge and extremely advanced. The program will also make some small repairs as standard practice. To enhance the next time logfile.

you can ask him the batch file to test it yourself.

ok, let's run it (it requires admin privileges)

As you can see you have various options, the most notable are the system checks and internet connections repairs; FMT can also download MBAM and run it directly (useful for beginners)

now i will do a system check & connections logs on a VM with WinXP x86 by selecting the "a" and "b" command

right away FMT deleted my browser's cookies and history settings , then generate a log (located on C drive) listing my system infos, processses, active connections, etc...

(the log is attached , feel free to check it.)

Now i will infect my system with "a malware (click to enlarge)



then i run the same checks as before.

now i just have to compare the logs to see what have been changed.

in the new log, the malware's service (anyvaccinesvc.exe) is listed with the related modules , modules i can't see or was allowed to see by using Task Manager or even Process Hacker ! that is very good especially for malware-remover guys.

Thanks

 

[Nico@FMA]

Hello Umbra

First of all thank you for your review, and even while its short and simplistic it does explain in general terms what it is about. And yes if you like you can test and review ANY future version.
So i will keep you guys updated.

what is Nico Forensic Malware Tool (FMT) ?

From its creator, N.nvt (member of malwaretips.com):

The goal of the tool is to utilize internal windows functions, like Netstat, ipconfig, Netsh, InetCpl, wevtutil and some other smaller functions.
These functions and variations will create a huge log file, with everything about your computer in terms of:
Software, Security, Processes, Policies, firewall rules, connections (TCP,UDP,ICMP) and various other deep level information sources.
This log file is seriously huge and extremely advanced. The program will also make some small repairs as standard practice. To enhance the next time logfile.

The program is going to be called: FMT
And in regards to the little tekst i wrote to explain what the program does in a nuttshel, one has to realize this is by NO means a antivirus and neither does it provide ANY protection (Yet) but it does focus specific on detecting fragmented malware traces and hidden changes that traditional protection misses, the aim of this program is to snap shot a system config (clean state)
That in case of a bad infection that it enables a system admin, to go deep into the computer config and digg up any malware hidden or to sniff out hacker traces and other problems security breaches.
It is really comparing clean log versus a dirty log, find the changes and fix them manually.
Note of caution: This program is NOT to play around, if you do not handle it with care and you do not understand what you are doing then you can destroy your system, afteral this is a Forensic Malware Tool and the log books should be used by skilled people.

Another note: The idea behind the program is that it was intended to stay as far away from traditional advanced features within windows to avoid being compronised by malware (Because most advanced features within windows are always targetted by malware infection) and to assure that the system can run the program using low level and yet very advanced modules within the OS at root level as windows has very simple basic modules hidden in the OS that traditional malware does not care about.
Yet these features are amonghst the most advanced and most detailed information sources.
So as the saying goes : Stay as far away as you can, but at the same so close that you can touch it.
And thats exactly how the program is written, the program was written in such way that it can hit and scan ANY part of the OS even beyond the Admin rights scope, but in such way that it is totally harmless for active malware and protection policies that usually block and deny deep level malware detection.
Also this program does not use signatures or ANY malware detection info as it was not (yet) made to do this.
The program just fetches the info and YOU as a system admin need to compare the program and do your forensic investigation.


That being said, Umbra i do have a few questions:

1: Do you think there is a market for it?
2: Do you think that this FMT program can fill a gap that traditional AV misses?
3: What features would you recommend?
4: Are there any personal notes, comment you would like to make?
5: How should the data be interpeted according to you and how deep does the program really go compared to proceshacker and other tools?
6: Which options did you use and which options did you not use? **
7: If other reviewers would want to review this program then according to you how should the review this program and what should be their point of focus considering its in BETA build.?

** Btw just checked the logs myself, and i assume you did delete the firewall and system config entrees from the "aditional options within the program? as they actually contain info you do not want to be shared on the net like how your firewall is being set up and which protocols and such i need to target to get control so you either did remove those entrees or you did not run the program to the fullest.

Kind Regards Nico

 

[Dubseven]

It's a good tool, i support it
Must be rated 4/5

 

[Deleted member 178]

Hello Umbra

First of all thank you for your review, and even while its short and simplistic it does explain in general terms what it is about. And yes if you like you can test and review ANY future version.
So i will keep you guys updated.

good ^^

That being said, Umbra i do have a few questions:

1: Do you think there is a market for it?

at the moment, more a niche market since your program is more advanced-users oriented (like OTL and other specialized forensic/removal tools

2: Do you think that this FMT program can fill a gap that traditional AV misses?

like above, it will be mostly a support tool for IT guys/malware geeks; unless you can implement some automated functions.

3: What features would you recommend?

- automatic comparisons between logs that will highlight the differences.
- self-protect feature, when i ran a rogue AV , FTM was shutdown right away and can't be loaded anymore ( as well as other executable like process hacker)

4: Are there any personal notes, comment you would like to make?

i will wait the shell version, for the moment FTM does what it supposed to do

5: How should the data be interpeted according to you and how deep does the program really go compared to proceshacker and other tools?

if fact i used Process Hacker alongside FTM , since PH (on "hide signed process" view) shows unrecognized processes; both are different ; i use PH as a monitor and process killer ; while FTM help me to pinpoint the said suspicious process' interactions in the system more accurately.

6: Which options did you use and which options did you not use? **

MBAM stuff , since i have it already. i think you should replace it by more advanced tools.

7: If other reviewers would want to review this program then according to you how should the review this program and what should be their point of focus considering its in BETA build.?

they must test it as if they were infected (like i did) to grasp the full possibilities and weaknesses of FTM.
You know i am a beta tester for some vendors and i used their closed/public betas softs as if they were final versions, so i can report everything i seems buggy/wrongly done.

** Btw just checked the logs myself, and i assume you did delete the firewall and system config entrees from the "aditional options within the program? as they actually contain info you do not want to be shared on the net like how your firewall is being set up and which protocols and such i need to target to get control so you either did remove those entrees or you did not run the program to the fullest.

Nope, i used FTM raw ("a" then "b" option, "b" overwriting "a" ) , i did the test on a VM with default settings on Win7.

i spent more time finding a proper malware that testing FTM

 

[Nico@FMA]

Right ok i see so you are used option A & B. For the test you did A & B are good enough howver for more indepth C & D would provide even more info specificly to your Firewall and Policy settings and rules.

- automatic comparisons between logs that will highlight the differences.
- self-protect feature, when i ran a rogue AV , FTM was shutdown right away and can't be loaded anymore ( as well as other executable like process hacker)

Automatic comparison is technically not possible within the CMD command range hence this feature will be implemented when the full version comes out.
The same applies for self protection, as CMD itself does not allow it as the command does not exsist to do so.
So in the future shell versions this will be implemented as well. In regards to rogue AV killing the program it actually does not kill the program but it does kill CMD which is the carrier for the program. Afteral the program itself does not have a running process.

6: Which options did you use and which options did you not use? **
MBAM stuff , since i have it already. i think you should replace it by more advanced tools.

Agreed malwarebytes was right now the only option to have a build in command line scanner to implement into this batch.
It does not really serve a real reason for being in it, as it was more a try out and a sort of bail out function when i used the program to test on a infected system with malware known to malwarebytes.
However in the future this will be replaced by a ondemand engine from a thirt party. Talks are underway as we speak to see if a ondemand command scanner can be implemented in the future.

Anyway thanks again and i hope this explains, that said let me give the heads up about the progress that is being made.
Right now i have added new functions that would give the ability to scan for traces and information similair to GMER.
As i mentioned before we are working with a external party to develop a engine that has the ability to download and apply fixes per problem per case and per scenario (so not as a AV) but more as a dedicated problem patcher.
Within the new version we are running into some technical difficulties as coding does have its limits without over sophisticate the program to a point where it becomes unuasable.

But we have high hopes and fingers crossed...

 

[Deleted member 178]

Right ok i see so you are used option A & B. For the test you did A & B are good enough howver for more indepth C & D would provide even more info specificly to your Firewall and Policy settings and rules.

i played the average Joe user ^^ (the best way to test a product)

Automatic comparison is technically not possible within the CMD command range hence this feature will be implemented when the full version comes out.
The same applies for self protection, as CMD itself does not allow it as the command does not exsist to do so.
So in the future shell versions this will be implemented as well. In regards to rogue AV killing the program it actually does not kill the program but it does kill CMD which is the carrier for the program. Afteral the program itself does not have a running process.

it is why i said i will wait the full version
yes , you know what i meant

Anyway thanks again and i hope this explains, that said let me give the heads up about the progress that is being made.
Right now i have added new functions that would give the ability to scan for traces and information similair to GMER.

it is what i meant by "advanced tools"

But we have high hopes and fingers crossed...

i wish you the best

 

[Deleted member 178]

ok ! there is the latest version:

PRESENTATION

the purpose of this app is to compare the system parameters between the original clean-state and the latest state; this is not a malware scanner by itself. You will have to dig through the logs to pinpoints changes caused by infections.

The UI

simple and clean, you have all the various scans available and buttons for the malware scan/removal tools.

i will suggest to show the ram usage in this format : xxx.xxxmb.

The Scans:

1- System Analysis



As you can see multiple audits are ran and summarized in detailed log file. (see attachement for details).

all relevant infos about your system configuration is there (processes, services, Windows Updates fixes, etc...)
2- Network Analysis



this analysis will reveals active connections, route tables and statistics for IPV4/6



3- Internet Analysis



This detailed analysis will show you your network card , IP adress, firewall status, etc...

I STRONGLY think that Network Analysis should be renamed as Internet Analysis and Internet Analysis as Network Analysis. But this is just my opinion



Various Tools:

- Check logbook: will instantly open the latest log available
- Fix System files: just checkdisk ^^
- Single File scan: will open your browser to Virus Total website, then you can check the files you need
- KAV TDSS Killer/Norton PE: will open and update those well know removal tools.


ok we got a good idea of how our system is configured and now?!!!

bah i will just infect it ( coming soon )

 

[Deleted member 178]

AFTER INFECTION

i will use all those malware samples from our Hub:

Operation Saffron Rose Samples (Iranian Cyberespionage)

i will also install some windows Updates then reboot, let see what FMA can tell us... (check attachments)

 

[Deleted member 178]

LOG COMPARISON

for comparison and easier way to show you the differences, i use Beyond Compare ( a log comparison tool); changes are in red:

Windows hotfixes (some are added since i updated the OS)

added processes (the malware is shown)

new connections

CONCLUSION:

FMA is a very nice tool to check changes to your system , but a minimum of knowledge is necessary to fully grasp its potential.

I used it since few weeks and i can tell that if i feel that my security softs failed somewhere and i may be infected FMA will be my first tool to be used. It gave me a fast summary on everything running and "living" on my system. Making the logs took me few minutes, and comparing the logs were less hazardous than just checking my system for some irregularities.



i will rate it 4/5 since at the moment it is still in development and need some features.
SPECIAL OFFER:

N.nvt (FMA's developer) will offer 5 full copies for trusted members only.

The requirements are:

1: Member has to be recognized as skilled and capable member.
2: Member needs to be a serious and present member with a well known status on MalwareTips.
3: Member needs to have technical knowledge and needs a respectable reputation when it comes to testing and such.
4- Member will be automatically added as Closed Beta-tester and be expected to give valuable feedbacks to the development team and keep them only between you and the team.

if you are VERY interested by it, will intensively use it and think you are worthy of it, make your voice heard in this thread. Giving some comments about FMA is a plus.

 

[Moose]

Interesting! Thanks! For sharing!

 

[ALi]

ThanksFor sharing

 

[Deleted member 178]

Review Finished (see first post)

 

[illumination]

interesting indeed.

 

[Nico@FMA]

@Umbra Polaris

Thanks for the great review and i hope that the program did serve you in the way it was intended to do.
That being said you have deeply impressed me with your review and i thank you for the time invested to test and use my program.

 

[Deleted member 178]

you are welcome

 

[Nico@FMA]

@ Admin & Mods

Can someone add the old review in the main topic as reference?
http://malwaretips.com/threads/quick-review-nico-o-forensic-malware-tool-version.24567/

Thanks in advance.

 

[nissimezra]

great review
thx

 

[Nico@FMA]

Thanks for merging the topic's. This seems a bit better.

 

[Deleted member 178]

merged the 2 review, so you can see its active development

 

[Nico@FMA]

New updates coming soon....