FMA Intel-Secure™ 2014


Mateotis

Level 10
Verified
Well-known
Mar 28, 2014
497
Congrats on your new host Nico! :D

I've got a question: I registered and logged in. The downloaded file says it's "Windows 7 32-bit Only". I assume it doesn't have a Win 8 version yet?

Edit: The installation went flawlessly and the program is running without problem on my Win 8 system.
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Congrats on your new host Nico! :D

I've got a question: I registered and logged in. The downloaded file says it's "Windows 7 32-bit Only". I assume it doesn't have a Win 8 version yet?

The previous posts about the latest updates already mentioned that this was going to be put online soon.
However, Hostinger has destroyed the full versions.
Now I have to compile it all again, which will set me back at least a month.
Because as it is, the un-compiled projects served as a template to add updates and have the program itself update them using internal call-back and string patching.
Now that whole system is fried...
As you can imagine I am pissed off about that.
Please do note the version which is now online is NOT the new version, as that got destroyed.
But to have at least a working version online I uploaded the one Umbra used in his review.
 

Mateotis

Level 10
Verified
Well-known
Mar 28, 2014
497
The previous posts about the latest updates already mentioned that this was going to be put online soon.
However, Hostinger has destroyed the full versions.
Now I have to compile it all again, which will set me back at least a month.

I've read about the unfortunate event, that's why I asked. Will test the product as it is soon. :)

Also, after rescanning it on VT, Symantec still flags it as "Ws.Reputation.1". Link: https://www.virustotal.com/en/file/...7f9d9c419b64a83e97c7c2425eaca93d086/analysis/
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
I've read about the unfortunate event, that's why I asked. Will test the product as it is soon. :)

Also, after rescanning it on VT, Symantec still flags it as "Ws.Reputation.1". Link: https://www.virustotal.com/en/file/...7f9d9c419b64a83e97c7c2425eaca93d086/analysis/

That's not my problem, it's a VT problem, as they are slow in updating their site scripts to fetch the latest definitions.
Here is a screenshot stating that my file is 100% clean and that their software is going to see my file as clean.

Mateotis

Level 10
Verified
Well-known
Mar 28, 2014
497
That's not my problem, it's a VT problem, as they are slow in updating their site scripts to fetch the latest definitions.
Here is a screenshot stating that my file is 100% clean and that their software is going to see my file as clean.

Right, no worries, just a heads-up. :)

Either way, I did a small test. FMA does not work under Windows 8. Yes, it installs and launches properly, but every function is unusable. If you run a scan (System, Network or Internet), command prompts start to appear and disappear quickly and constantly. I'm pretty sure that only one of them is meant to be left open. These prompts won't disappear when you shut down FMA/kill the process, reboot is the only option. Killing conhost.exe won't help either, as it automatically closes and reopens itself every second.
When I tried to open the logbook, it dropped an exception error. Didn't try anything else so far.
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Right, no worries, just a heads-up. :)

Either way, I did a small test. FMA does not work under Windows 8. Yes, it installs and launches properly, but every function is unusable. If you run a scan (System, Network or Internet), command prompts start to appear and disappear quickly and constantly. I'm pretty sure that only one of them is meant to be left open. These prompts won't disappear when you shut down FMA/kill the process, reboot is the only option. Killing conhost.exe won't help either, as it automatically closes and reopens itself every second.
When I tried to open the logbook, it dropped an exception error. Didn't try anything else so far.

I am aware that this version only works on 7 32-bit.
Try it on any other OS and it fails.
The updated version I was referring to in the previous posts will work correctly, but due to this whole crap it's going to take longer than planned.
So bear with me, as this is out of my hands.
That said, use it on 7/32b and you will be very fine and enjoy the full options the program has (see review by Umbra).
 

Deleted member 178

Glad to hear that your new host looks more serious :D

Right, no worries, just a heads-up. :)

Either way, I did a small test. FMA does not work under Windows 8.

In my review and NVT announcement, we clearly said that the old version can run only on Win7. If you don't have it, use it on a VM; it works fine there, until you get the new version.
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Glad to hear that your new host looks more serious :D

Yeah, they are a hell of a lot more serious, as they also host critical infrastructure for the government, so that fact on its own should be undoubted proof that they are not your average host, and I am most happy about it.
And it has plenty of room and options to grow with the site and its services as well.
I mean the package I did buy is upgradeable in real time, as all their systems use HS (Hot Swap), which is insanely handy: you can just move a site from cluster to cluster, from rack to rack, without being a second offline and without having to change anything.
It works on all servers (if supported by HS).
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Update: As mentioned earlier we are about to move the whole site http://fma-is.nl and services to our new host; also the following new domains have been registered: http://fma-is.com & http://fma-is.eu. These will be online within 48 hours.
As of this moment we are going to take down the site on our current host, which means that clients and testers cannot log in or use our online services; the webpage will be down and we will post an update status on Twitter (do you follow us already?) and here on malwaretips.com.

Kind Regards
FMA Intel-Secure (FMAIS)
 

Plasmadragon

Level 1
May 26, 2014
11
Hi there everyone, I am rather new to the forum and am by no means a professional with IT systems or a software engineer (yet, working on that one) but while browsing around through the forums I happened upon FMA Intel-Secure, and I have to say I'm quite impressed!

After working with this program for a few days, I would wholeheartedly agree with Umbra Polaris's assertion of this being a program to turn to when one believes there might be an infection but nothing is finding it. Simply astounding amounts of information are presented in the log files generated by FMA processing, and using comparison software makes identifying specific modules within the system having been changed compared to previous logs unbelievably easy! The only real technical know-how involved, honestly speaking, is knowing what to do AFTER you see what is different. Regular Joe Blows certainly won't be able to deal with registry maintenance without risking doing real damage, so again I agree with Umbra, it isn't a program for just anyone... However, I can say this much: even though I am no professional and don't readily know what files are infectious just by sight alone as some can, this program is quite seriously allowing me to learn what kind of changes are made between all the different stages of computer processing due to its high level of data presentation, whether it be what files are edited from installation, registry additions, edits, software detail, hardware detail... All in one place. To be able to see so much of what happens between two points in time is an invaluable tool, and from what I can see, this program in just its initial stages is providing more actionable raw data than ANYTHING I've ever seen from any software ever before.

Astounding work n.nvt, I am excited to see what is yet to come since you say you have much to do still! It also intrigues me to see the built in tools such as the KAV TDSSKILLER and Norton NPE utility programs as supplemental tools to go above and beyond the initial expectation of just having a scanning tool for network administrator type users (which is also something I haven't seen before).

I can't help but wonder n.nvt, where will the software be headed in the coming days? You've mentioned here: http://malwaretips.com/threads/dual-review-fmt-intel-secure-system-forensic-tool.24567/ and earlier on in this topic the FMAS1 FMAS2 and FMAS3 the levels of analysis and some of the capabilities of each. To someone like me, the sheer number of scans and core findings performed within each are already very powerful... what else could you even add?

I could see making it more user friendly, perhaps making the client do a few extra tricks after the scans are completed as well? Oh well, have to wait and see won't we? ;)
 

Deleted member 178

I could see making it more user friendly, perhaps making the client do a few extra tricks after the scans are completed as well? Oh well, have to wait and see won't we? ;)

It is why I asked Nvt to include a log comparator to make the cross-checking easier; it will be done but not right now, anyway we have time ^^
As you said, I also wonder what else he can add, since for me it is quite complete already.
Maybe adding something that shows non-verified signers on the main window or a hash comparator (in the way Hashtab does).
 
  • Like
Reactions: Nico@FMA

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
It is why I asked Nvt to include a log comparator to make the cross-checking easier; it will be done but not right now, anyway we have time ^^
As you said, I also wonder what else he can add, since for me it is quite complete already.
Maybe adding something that shows non-verified signers on the main window or a hash comparator (in the way Hashtab does).

Uhhh, news flash: the sign or cert check is already within the program, and judging from your comment you did not yet read the whole log.
If you had, you would see that this is active and working flawlessly. In terms of hashing and checking, the new version will have:

* SHA-256
* MD5
* MHash (Mur)

Code:
Note this is just a snip of a basic example (Wiki) as I am not going to post the real code DUHHH lol.
#include <stdint.h>
#include <string.h>
/* MurmurHash3 x86_32 block loop (the Wikipedia snip). The constants and the wrapper
   function are added so it compiles; the tail and final mix are omitted as in the post. */
static const uint32_t c1 = 0xcc9e2d51, c2 = 0x1b873593, m = 5, n = 0xe6546b64;
static const int r1 = 15, r2 = 13;
uint32_t murmur3_32_blocks(const uint8_t *key, size_t len, uint32_t seed) {
    uint32_t hash = seed;
    const int nblocks = len / 4;
    int i;
    for (i = 0; i < nblocks; i++) {
        uint32_t k;
        memcpy(&k, key + i * 4, sizeof k); /* read one 4-byte block without alignment assumptions */
        k *= c1;
        k = (k << r1) | (k >> (32 - r1));
        k *= c2;
        hash ^= k;
        hash = ((hash << r2) | (hash >> (32 - r2))) * m + n;
    }
    return hash;
}

Where it basically seeds itself to be scanning blocks and cross-ref them with all other previously generated data.
In addition to the hash abilities, which are by default information gathering only, there is a feature as a side product that allows determining the very nature of an infection and creating a visual root map where you can see how, where and what happened.
It already does that in TEXT form, but this is limited to the output code generated by the scans, so I am building a universal bridge that is capable of converting scan output code, which consists of different languages, into one universal language.
And due to the fact that you are actually cross-referencing each data file over 7 times with other system sources, you actually can see hidden and poly types of rootkits, malware and other pests.
The very side effect is that it acts as a de-cloak and forces individual data strings to be validated locally and remotely.

Scenario: a hacker penetrates your system and corrupts (turns) files to benefit him, while they still work within your PC so you will not be alerted. Due to the cross-ref and the call-back to other info sources it becomes clear that even the best hacker cannot register the same malicious code without alerting the system of the injection across all the information points the Windows OS has.
Most people do not know that Windows by design has LOTS of functions not even accessible to users BUT generating VERY accurate logs.
You might be able to play tricks on UAC, Registry, Firewall, AV, User profile, Services, but at the end of the day you cannot fool the system settings by the hidden authority account (an AV developer will be able to explain to you what I mean).
So the Windows OS by nature has over 8 or 9 control points; 5 of them are used when you are using the PC, 2 of them are semi-active and 1 is checking everything.
So the registry might class a file as legit, your AV might as well, and so might the other surface-level checks, but the very core of Windows and its authority account ALWAYS knows, and even though it might not be able to see that something is rogue, it will by default log the very route of an injection or a string of commands while executing a file, code or any other action.
Now without going too much into details, I can tell you if only ONE check does fail then by default the file is corrupt.
It is not a majority vote, but the system is based upon an absolute VETO vote in terms of comparing data within the logs.
So it's a one-strike-out system, and it does not make mistakes, it cannot lie, it cannot be faked and you cannot bypass it, because by nature it cannot; it only does collect, store, encrypt and keep it updated. My program does only call a cross-ref and output the findings.

@Plasmadragon Omg dude what a damn nice review.
Thanks.

@Mateotis What if I tell you that we are only scratching the surface yet? I am not going to bog down the program and I am not going to add functions that you do not need or are too much, but there are at least 400 different internal options that are going to be added, as believe it or not the program is still in skeleton mode. Especially when the whole CCSU and IRPVS toolbox is going to be added. Oops... did I just tell you a little secret?

Cheers guys.
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
the hash stuff especially MD5 ^^

Right, I see, but that's not what I mean. Please be specific about what you would like to achieve just by hashing files, because like WinRAR each file already has a CRC and SHA & MD5 by default, so even without the hash function it will still be cross-ref'd with application, dependency, process, keys and source & function itself.
For example, if you upload a file to VT you will see in the additional info section the various unique hash and source keys being generated.
Each file has those codes by default, as it's part of the very source itself. Call it file DNA.
What one could do is output them and look for variants and inconsistencies.
So my question is (disregarding what I said): what would you like to achieve with it? What were you hoping the program was going to do for you?

Cheers
 

Deleted member 178

yes i know, i used to use Hashtab : http://www.implbits.com/hashtab.aspx

It integrates itself in the file properties and then you can compare the hash of the present exe with its should-be-legit one.

So FIAS could (already?) do the same job and highlight the said file if differences are found.

All this to make it average-Joe friendly; it is not really vital ;)
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
yes i know, i used to use Hashtab : http://www.implbits.com/hashtab.aspx

It integrates itself in the file properties and then you can compare the hash of the present exe with its should-be-legit one.

So FIAS could (already?) do the same job and highlight the said file if differences are found.

All this to make it average-Joe friendly; it is not really vital ;)

Yes, by default FMAIS does actually already cross-ref those sources, but it does not directly output them, as it's a background task during the generation of the process and log itself.
But what I try to achieve (and it works ^^) is to use HASH as an authority tool, aka another source.
And by doing so I can use the Authority system within the OS to transform its function to log regardless of what data, to a point where it has the ability to actually see if the data is rogue or not.
Because as it stands it does not care what data or what the code is, it just logs them, no more no less.
And I want it to be able to class the code as Windows, program or rogue.
Keep in mind Windows ALWAYS knows if a file is bad, it just does not tell you, as the function to do so is sleeping but it is present.
And with a little workaround you can actually tell Windows to be its own judge.

Alright let me show you something ok?

1: http://www.microsoft.com/en-us/download/details.aspx?id=11533 Download Microsoft File Checksum Integrity Verifier (Win 7 32b)
2: Extract it in c:\FMA (If you do not have folder then create it manually)
3: Open elevated cmd.exe
4: Type code: c:/fma/fciv c:/windows/ -r -s >>c:/hash.txt (Must be exact!!!)
5: Wait till the command is done.
6: Navigate to c:/fma/hash.txt and open it up.
You will see the exact HASH of each file under %windows% as they SHOULD be, as the check makes sure they are integrity-wise correct.

dd502a2e7b85ea7a3814c1034e6c23d3 c:/windows/\AppPatch\AcGenral.dll
96c70bd48d49b87475f4572dedc62eb9 c:/windows/\AppPatch\AcLayers.dll
2110ce8cb4c6937200a973ad0b70f33d c:/windows/\AppPatch\AcRes.dll
323e85ec2f18ee5380c7668d4bff832f c:/windows/\AppPatch\AcSpecfc.dll
3cce7c726b88918915a1ef712b9d5f58 c:/windows/\AppPatch\AcXtrnal.dll
59c7dd2eafdbe86b2e23bcdabb575448 c:/windows/\AppPatch\apihex86.dll
2fa8458d3ad94e2393e1a6583293d8dc c:/windows/\AppPatch\drvmain.sdb
feed731d80e4cccc5be0a5308552d178 c:/windows/\AppPatch\en-US\AcRes.dll.mui
87900a56a4391cbc8718b65e7eec5d56 c:/windows/\AppPatch\msimain.sdb
125b25bae163c7ed0887ac66d9ef7b68 c:/windows/\AppPatch\pcamain.sdb
1d8c1280d38c526c7041e72db8d70dc1 c:/windows/\AppPatch\sysmain.sdb
f7f759a5cd40bc52172e83486b6de404 c:/windows/\assembly\Desktop.ini

And you will see output in the log like above.

Now if you have additional information sources like my program has, then an example file called imightbeinfected.exe located in %windows% will have the same hash as it will have in, for example, %appdata%, as the location of the file itself is not a factor in whether the hash changes. BUT if you alter the code or create a clone, which does happen 9.9/10 times, then the files seem to be the same but their hash is totally different, as the checksum does not match anymore. As it will have more than one source to validate its very own file source code and check the very route a file might use to execute its commands and functions.
There is no way you can fake all that.
So each string, path, name, source and so on has to be the same in order to validate.
And if injected, corrupted or hacked or whatever alteration, it will FAIL and it will show in the log, making it 100% failsafe and accurate.
I know that due to my limited English I might be explaining this a bit wrong, but I am sure you can visualize what I mean.
So it's not a one-way check, it's a series of checks, and each check MUST be validated. If just one fails?
Then you know the file is bogus.

Cheers
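A log comparator of the kind asked for earlier in the thread, as an added example that is not part of the thread or of FMA or fciv: it parses two fciv-style listings (one "<md5> <path>" per line, as in the output above), normalizes the Windows path spellings, and reports files whose hash changed, disappeared or appeared between a baseline run and a later run. All file contents and paths in it are constructed sample data.

```python
"""Diff two fciv-style hash listings (baseline vs. later run) to find
altered, removed and new files. Added example, not FMA's or fciv's code;
all file contents and paths below are constructed sample data."""
import hashlib


def normalize(path):
    """Fold Windows path spelling so 'c:/windows/\\AppPatch\\x.dll' and
    'C:\\Windows\\AppPatch\\x.dll' compare equal (case-insensitive, '/' only)."""
    p = path.strip().replace("\\", "/").lower()
    while "//" in p:
        p = p.replace("//", "/")
    return p


def parse_listing(text):
    """Parse '<hash> <path>' lines into {normalized path: lowercase hash}.
    fciv's banner lines start with '//' and are skipped, as are blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        digest, _, path = line.partition(" ")
        table[normalize(path)] = digest.lower()
    return table


def md5_listing(files):
    """Produce a listing from {path: bytes}, as a fresh fciv run would."""
    return "\n".join(f"{hashlib.md5(data).hexdigest()} {p}" for p, data in files.items())


def compare(baseline_text, current_text):
    """Return the files whose content changed, vanished, or are new.
    Same bytes at any path give the same hash; a patched clone does not."""
    base, cur = parse_listing(baseline_text), parse_listing(current_text)
    return {
        "changed": sorted(p for p in base if p in cur and base[p] != cur[p]),
        "missing": sorted(p for p in base if p not in cur),
        "new": sorted(p for p in cur if p not in base),
    }


# Constructed sample "files" (path -> bytes) standing in for real binaries.
CLEAN_FILES = {
    "c:/windows/\\AppPatch\\AcGenral.dll": b"MZ genral v1",
    "c:/windows/\\AppPatch\\AcLayers.dll": b"MZ layers v1",
    "c:/windows/\\System32\\example.dll": b"MZ example v1",
}
LATER_FILES = {
    "C:\\Windows\\AppPatch\\AcGenral.dll": b"MZ genral v1",       # unchanged
    "C:\\Windows\\AppPatch\\AcLayers.dll": b"MZ layers patched",  # altered in place
    "C:\\Windows\\Temp\\imightbeinfected.exe": b"MZ clone",       # newly appeared
}                                                                # example.dll is gone

if __name__ == "__main__":
    for kind, paths in compare(md5_listing(CLEAN_FILES), md5_listing(LATER_FILES)).items():
        print(kind, paths)
```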
 