New Update Hawk Eye Website Analysis Showcase

Your extension, perhaps.;)
But extensions usually have an impact.
Coincidentally, DCL is also a parameter measured by Speedometer 3.1.
You can ask the AI or check this old test:

Chrome Extension Performance Lookup
Yes, I am aware of this test.

Most of these numbers are not significant enough for the user to notice any difference during browsing.

There are many Chromium built-in features as well, which despite being C++ based can negatively affect browsing speed and CPU usage. These won’t really appear on the speedometer test unless the user relaunches the Chromium browser with the relevant flags.
 
Sidenote: chatGPT said Apple optimizes for this test: my M4_mini Safari score is 44.0 +/- 3.0 while my VMware Rocky Linux Firefox is 3.60 +/- 0.11. At the keyboard I don't really see ("feel") any slowdown, and chatGPT says 3.60 is average for a VM browser...
My mobile Safari scores this, but it doesn’t feel faster than the Windows Edge:
[screenshot of the mobile Safari score attached]
 
@Trident

First you are doing an amazing job developing security.

A few years ago I was helping a small security startup. They did not tell me much about the software (I was helping them with all other stuff other than software development).

They were working on secure virtual web gateways (employees of their clients were not allowed to connect to the internet, but ran a browser on the servers of that startup).

Point is they were talking about creating a light version which ran as an extension. The company was bought by a large security company and apparently they were paid so much that they thanked me and paid the rest of my year salary (I was working freelance), while I was only working 6 months for them.

They divided the internet into 4 zones: first party private cloud environment, third party public cloud services, free world and hostile world.

The first two were determined by company-specific domain lists. The difference between the third (free) and fourth (hostile) was based on 1 origin, 2 age and 3 reputation of the visited domain. In the hostile world all sorts of checks were imposed and nothing was allowed to be downloaded. In the free world only non-executable formats were allowed to download, and a JavaScript sanitizer would identify malicious patterns using a blacklist of suspicious code snippets (like Snort checks pieces of code).

I remember talking to one of the investors and he said they had another startup which used AI for reputation services and they wanted to combine the two.

Since I recognise some of your ideas, I thought I’d share it with you.
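As an added illustration of the four-zone scheme described in this post (not code from that startup or from Hawk Eye), here is a constructed Python sketch: two zones come from company-specific domain lists, the free/hostile split follows the 1 origin, 2 age, 3 reputation order, and the download policy differs per zone. The domain lists, the untrusted-origin set, the age and reputation thresholds and the parent-domain matching are all assumptions.

```python
# Constructed example of the four-zone scheme; not the startup's code. Lists, thresholds
# and parent-domain matching are assumptions made for the illustration.
from dataclasses import dataclass
from enum import Enum

class Zone(Enum):
    PRIVATE_CLOUD = "first-party private cloud"
    PUBLIC_CLOUD = "third-party public cloud"
    FREE = "free world"
    HOSTILE = "hostile world"

# Constructed company-specific lists (a host matches if it or any parent domain is listed).
PRIVATE_DOMAINS = {"intranet.example-corp.internal", "mail.example-corp.com"}
PUBLIC_CLOUD_DOMAINS = {"office.com", "salesforce.com"}
UNTRUSTED_ORIGINS = {"XX"}   # constructed origin policy: country codes the client distrusts
MIN_AGE_DAYS = 30            # assumed: younger domains are hostile
MIN_REPUTATION = 40          # assumed: 0..100 score, lower is hostile
EXECUTABLE_EXTS = {".exe", ".msi", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat"}

@dataclass
class DomainInfo:
    host: str
    origin_country: str
    age_days: int
    reputation: int

def _in_list(host: str, domains: set[str]) -> bool:
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))

def classify(info: DomainInfo) -> Zone:
    if _in_list(info.host, PRIVATE_DOMAINS):
        return Zone.PRIVATE_CLOUD
    if _in_list(info.host, PUBLIC_CLOUD_DOMAINS):
        return Zone.PUBLIC_CLOUD
    # Free vs hostile is decided in the post's order: 1 origin, 2 age, 3 reputation.
    if info.origin_country.upper() in UNTRUSTED_ORIGINS:
        return Zone.HOSTILE
    if info.age_days < MIN_AGE_DAYS:
        return Zone.HOSTILE
    if info.reputation < MIN_REPUTATION:
        return Zone.HOSTILE
    return Zone.FREE

def download_allowed(zone: Zone, filename: str) -> bool:
    """Hostile: nothing; free: non-executable formats only; cloud zones: anything."""
    if zone is Zone.HOSTILE:
        return False
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if zone is Zone.FREE:
        return ext not in EXECUTABLE_EXTS
    return True
```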
 
I would like to suggest a kind of standalone mode that would scan Electron-based apps (I personally avoid them, but the project seems to be aimed at people that tend to use Electron-based applications like Discord, which are often weaponized). Just a random suggestion from a random dingus.
- Ideas: SBOM verification, boot file hashing to detect rogue/unwanted changes, easy-to-deploy WDAC, GPO, similar to hardened configurator LOLBin/LOLBAS firewall blocking rules with a stupid simple option to revert changes.
 
Thank you for your suggestion.

The project doesn’t target any specific malware type or distribution method, it is aimed at generic malware detection.

What’s coming soon is much better than generic LOLBin blocking.

The following has been developed already:
User interface: [screenshot attached]

Behavioural Monitoring Hook

Behavioural AirLock: it is a blend of behavioural analysis, traffic control and LOLBin control, plus control of access to sensitive resources and processes. When a not so trusted app is executed, you can expect Behavioural AirLock to block the process from connecting, terminate some LOLBins or disconnect others from the internet.

Hawk Eye Safety Net: this is already in the testing stage. You can expect it to block malicious downloads (whether it is an Electron package or anything else).

TuneUp: this is the CPR box from the script. It cleans and repairs the system.

Scam Assist Model: this is already complete.

What’s currently in development: AI model for behavioural analysis

Backup: this is nearly done.

Static Analysis: this requires a second model that will be trained soon.

@LinuxFan58 thanks for your feedback!

Some ideas indeed sound similar but the entire implementation is very unique.
 
Very nice interface. Reminds me of AVG. (y)
 
Yes, however here there are no separate settings, every setting and option needed appears when you click on the category. So it never requires too many clicks.

Scanning here is called “Audit”.

This is to differentiate it from the standard file-by-file scans.

Detections are called “incidents”.
 
@LinuxFan58

Some ideas indeed sound similar but the entire implementation is very unique.
Yes I understand, just mentioned it to show that the direction you are heading was (and probably is) interesting for investors and large security companies.

It seems that your new tool not only looks at what goes in, but looks at exfiltration (which is a corporate issue).

I intended to word a (maybe complicatedly formulated) heads-up.
 
Are you still opting for an extension (works also on Linux and Mac) or are you opting for an executable (works probably only on Windows)?
Both… the extension will work in browsers.

The agent is a bunch of native C++ 23 executables that control the traffic for every other process, ignoring the browser traffic. The design is slightly monolithic, similar to the Webroot one. The big (and highly optimised) assembly is unattractive for reverse engineering, plus the lack of DLL modules means no hijacking/sideloading risk, although I did explore options as well like locking the module via handle, calculating the SHA256 and calling main() only if it is really my module.

This is because the browser is a door to unpredictable traffic (it could connect to anything), whilst for other processes the network control will be way stricter.

The Browser is handled by the custom Vertex AI (business version of Gemini), plus a bunch of feeds. For other processes, I have an agreement with Sophos, the network monitoring will be powered by them plus very aggressive heuristics.

Behavioural Monitoring is handled as well by a custom Vertex AI model plus several APIs for reputation monitoring.

The way the agent is designed, it uses heuristic rules with IDs from 1 to 4.
1 means that there are slight indications the process could be suspicious and the response is disconnect.
2 means there are slight indications the process is suspicious and results in additional restrictions.
3 means there are clear indications that the process is suspicious and results in termination.
4 means there are indications that the assembly/process is malicious and results in termination + automatic Total Care scan (which runs an audit known to users like @EASTER from the script + backup + junk cleaning and health reparation).

There is memory analysis as well but it is not scanning for malware in memory, the memory analysis can elevate the rules from one ID to another.

Example of rule: 3.1001.6: process launches too many suspicious-ranked processes in a rapid sequence. Response will be to terminate the process + everything it launched.

Hope that sheds some light on the design.
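An added example (not Hawk Eye code) that models the rule design in the post above: rule levels 1 to 4 map to responses, memory analysis can only elevate a level, and rule 3.1001.6 fires when one parent launches too many suspicious-ranked children in a rapid sequence, returning the parent plus everything it launched as termination targets. The five-second window, the threshold of three and the reading of the leading ID component as the level are assumptions.

```python
# Constructed illustration of the rule-level design described above; not Hawk Eye code.
from collections import defaultdict, deque
from dataclasses import dataclass

RESPONSES = {
    1: "disconnect",
    2: "additional restrictions",
    3: "terminate",
    4: "terminate + automatic Total Care scan",
}
RAPID_WINDOW_SECONDS = 5.0   # assumed tuning for rule 3.1001.6
RAPID_CHILD_THRESHOLD = 3    # suspicious-ranked children within the window

@dataclass
class LaunchEvent:
    ts: float          # seconds; the constructed sample data uses small numbers
    parent_pid: int
    child_pid: int
    suspicious: bool   # child already ranked suspicious by some other rule

def rule_level(rule_id: str) -> int:
    """Assumption: the leading component of '3.1001.6' is the rule's level (1-4)."""
    return int(rule_id.split(".")[0])

def elevate(level: int, memory_findings: int) -> int:
    """Memory analysis does not detect malware itself; it only raises a rule's level."""
    return min(4, level + memory_findings)

class RapidSpawnDetector:
    """Rule 3.1001.6: a process launches too many suspicious-ranked children rapidly."""
    RULE_ID = "3.1001.6"

    def __init__(self):
        self._recent = defaultdict(deque)  # parent pid -> timestamps of suspicious launches
        self._children = defaultdict(set)  # parent pid -> every child pid it launched

    def observe(self, ev: LaunchEvent):
        """Return (rule_id, level, response, pids_to_terminate) on a hit, else None."""
        self._children[ev.parent_pid].add(ev.child_pid)
        if not ev.suspicious:
            return None
        window = self._recent[ev.parent_pid]
        window.append(ev.ts)
        while ev.ts - window[0] > RAPID_WINDOW_SECONDS:   # drop launches outside the window
            window.popleft()
        if len(window) < RAPID_CHILD_THRESHOLD:
            return None
        level = rule_level(self.RULE_ID)
        # Level 3 response: terminate the process plus everything it launched.
        return self.RULE_ID, level, RESPONSES[level], {ev.parent_pid} | self._children[ev.parent_pid]
```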
 
Such that phased-array approach design, especially and including 'Behavioural Monitoring', seems pretty good odds of strictness by category and/or levels. Comprehensive with exactness intertwined.

Many thanks @Trident for explaining in simplistic terms various functions and what to expect by each so far. The never too many clicks shows the automation is there in full when called on.

Behavioural AirLock: it is a blend of behavioural analysis, traffic control and LOLBin control, plus control of access to sensitive resources and processes. When a not so trusted app is executed, you can expect Behavioural AirLock to block the process from connecting, terminate some LOLBins or disconnect others from the internet.
 
This is the reason why I chose Vertex AI.

Although I could have trained a model on Azure for example, it is important to note that these models start from 0. This will probably cost me less and has generous grace periods. Anyway, Google is covering the costs for me at the moment as well.

Vertex AI does not start at zero, it understands semantics, it understands the program type (for example for a backup software it makes sense to access many files in a rapid sequence and to constantly update backup.log), whilst for an app that claims to be a calculator, it is not acceptable. And when you add to that that it has no visible window and drops randomly named files (which AI is extremely good at spotting, much better than Shannon Entropy or included dictionaries), it becomes much more powerful.

In terms of LOLBin control, LOLBins spawned will always be disconnected. A LOLBin will only be allowed a connection when it is initiated by the user and in no other circumstance.

However if the process is suspicious, PowerShell and other interpreters will also be terminated. The program will not be allowed to use these.

Behavioural AirLock also disables connection in the following scenarios:

-One of the loaded modules is unsigned, unknown to the partners I use

-The process exhibits signs of code injection that is not expected for it (it is not an interpreter/compiler)

-The parent-child relationships are weird, complex/convoluted, deviating from the standard execution patterns

For termination and remediation, a bit more than that will be needed.

I think the script already set the bar on remediation quite high.