LeMinhThanh

From LMT Anti Logger
Verified
Developer

Mops21

Level 28
Verified
Trusted
Content Creator
Hi @LeMinhThanh

LMTAntiLogger 3.0


LMTAntiLogger 3.1


And see my 2 pictures that say the file version is 0.0.0.0. Is that right? And no copyright info.

With best Regards
Mops21
 



LeMinhThanh

From LMT Anti Logger
Verified
Developer
Hi @LeMinhThanh

LMTAntiLogger 3.0


LMTAntiLogger 3.1


And see my 2 pictures that say the file version is 0.0.0.0 and there is no copyright info. Is that right?

With best Regards
Mops21
Hi!
I sent a false positive report to MS but they still haven't responded.
About the 2 pics, I don't get what you mean?
 

ichito

Level 9
Verified
Content Creator
Hi ichito
1. This is the result when i tested with Security Test Tool:
(...)
2. About protecting the webcam, my app only disables the webcam :)
3. The real-time protection only checks processes when they are created, using VirusTotal, heuristic AI and Yara rules. It's not like HIPS/BB.
4. It's a secure desktop.
5. I only checked on Windows 10, so maybe it had some problems on Windows 7. I will check it.
Best regards,
Thành
Thanks for the reply, and nice that you added a new feature to protect the registry... I understand that we can add our own entries? What's the job of the feature called "Kill"... is it only for closing the detected process, which would mean that "Delete" does the same and additionally deletes the physical instance of the process?
Could you add info about supported Windows versions?
BTW... the last version unfortunately doesn't want to work on Win7... :(
 

LeMinhThanh

From LMT Anti Logger
Verified
Developer
Thanks for the reply, and nice that you added a new feature to protect the registry... I understand that we can add our own entries? What's the job of the feature called "Kill"... is it only for closing the detected process, which would mean that "Delete" does the same and additionally deletes the physical instance of the process?
Could you add info about supported Windows versions?
BTW... the last version unfortunately doesn't want to work on Windows 7... :(
Hi ichito!
I forgot about the Windows 7 problem, I will install Windows 7 to check. Hopefully the upcoming version will support Windows 7 :)
 

Lenny_Fox

Level 13
Verified
@LeMinhThanh

Thanks for the rapid response, I have another question and a suggestion:

Question: when are you planning to move the AI to client side (to prevent overloading your own server)?

Suggestion: because your program uses several interesting detection mechanisms (e.g. heuristics, AI and Yara), you could position it as a true client-side host intrusion detection system. In this scenario the only function of the heuristics, AI and Yara engines is to detect something suspicious (the intrusion detection part); next the VirusTotal check is triggered and, depending on user settings, a block (e.g. more than 10), a prompt (less than 10 but more than 5 AVs on VirusTotal think it is malware) or a message (less than 5) is shown.

This has the advantage that you can fine-tune your protection mechanisms without having to worry about false positives (detection is based on your engines, but the block is dependent on VT results and the settings of the user), you will be allowed to use VT (because your program feeds VT based on its own detections), and you have a unique selling point (a consumer host intrusion detection system with a user-configurable VT intrusion prevention check).

Regards

Lenny
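The block/prompt/message policy suggested above, as an added example that is not LMT Anti Logger's code: a process flagged by a local engine is looked up at VirusTotal and the user-configured thresholds pick the action. The report layout follows the VirusTotal v3 file object (`last_analysis_stats`, `last_analysis_results`), which is an assumption since the thread names no API version; the sample report is constructed, and the handling of a hash unknown to VT is also an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    block_at: int = 10      # "more than 10" detecting engines -> block
    prompt_at: int = 5      # "more than 5" detecting engines  -> prompt
    # The suggestion leaves exactly 5 and exactly 10 unspecified; this example
    # treats a boundary count as the stricter action (>= rather than >).
    count_suspicious: bool = False   # also count VT "suspicious" verdicts as hits?

@dataclass
class Decision:
    action: str             # "allow" | "message" | "prompt" | "block"
    hits: int = 0
    engines: List[str] = field(default_factory=list)

def detections(report: Dict, policy: Policy) -> Tuple[int, List[str]]:
    """Count detecting engines and name them (Parsh asks for that list to be shown)."""
    attrs = report["data"]["attributes"]
    cats = {"malicious", "suspicious"} if policy.count_suspicious else {"malicious"}
    stats = attrs.get("last_analysis_stats", {})
    hits = sum(stats.get(c, 0) for c in cats)
    engines = sorted(name for name, r in attrs.get("last_analysis_results", {}).items()
                     if r.get("category") in cats)
    return hits, engines

def decide(flagged_locally: bool, report: Optional[Dict], policy: Policy) -> Decision:
    """Local engines (heuristics / Yara / AI) only decide whether VT is consulted;
    the VT count and the user's thresholds decide the action."""
    if not flagged_locally:
        return Decision("allow")     # unflagged process: no VT lookup at all
    if report is None:               # hash unknown to VT; assumption: ask the user
        return Decision("prompt")
    hits, engines = detections(report, policy)
    if hits >= policy.block_at:
        return Decision("block", hits, engines)
    if hits >= policy.prompt_at:
        return Decision("prompt", hits, engines)
    return Decision("message", hits, engines)

# Constructed sample in the VT v3 file-object shape (not a real VirusTotal response).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 1, "undetected": 60},
    "last_analysis_results": {
        "EngineA": {"category": "malicious"},
        "EngineB": {"category": "suspicious"},
        "EngineC": {"category": "malicious"},
        "EngineD": {"category": "undetected"}}}}}
```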
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
Nice suggestions Lenny :)
@LeMinhThanh congratulations on building a nice security companion (y)
Did you check if your process can be easily killed by malware (self-defense)? Do you allow process to run while the files are being scanned or are they blocked at first to avoid consequences?

The potential for additions is unlimited. Alerting about vulnerable system processes (can refer to some related infamous tactics from Mitre Attack directories), command-line scanning like VDS (different from any checks done in Yara rules), digital signature validation and verification. Though some of these are very secondary features and may get heavy.
Flexible configurations like @Lenny_Fox suggested are a good tweak. You can compartmentalize the modules on the main screen with labels so that those can be easily related with the security keywords provided in the settings.

but block is dependant on VT-results and the settings of the user and you will be allowed to use VT (because your program feeds VT based on its own detection's) and you have a unique selling point (a consumer host intrusion detection system with user configurable VT intrusion prevention check).
Something like what Voodooshield does ..
 

LeMinhThanh

From LMT Anti Logger
Verified
Developer
@LeMinhThanh

Thanks for the rapid response, I have another question and a suggestion:

Question: when are you planning to move the AI to client side (to prevent overloading your own server)?

Suggestion: because your program uses several interesting detection mechanisms (e.g. heuristics, AI and Yara), you could position it as a true client-side host intrusion detection system. In this scenario the only function of the heuristics, AI and Yara engines is to detect something suspicious (the intrusion detection part); next the VirusTotal check is triggered and, depending on user settings, a block (e.g. more than 10), a prompt (less than 10 but more than 5 AVs on VirusTotal think it is malware) or a message (less than 5) is shown.

This has the advantage that you can fine-tune your protection mechanisms without having to worry about false positives (detection is based on your engines, but the block is dependent on VT results and the settings of the user), you will be allowed to use VT (because your program feeds VT based on its own detections), and you have a unique selling point (a consumer host intrusion detection system with a user-configurable VT intrusion prevention check).

Regards

Lenny
Hi Lenny_Fox!
About the question: Yes, it is on my to-do list, but I think I will do it after some versions because I need to convert it to run on Windows.
And thanks for nice suggestions, I will add this feature in the next version.
Best regards,
Thành
 

LeMinhThanh

From LMT Anti Logger
Verified
Developer
Nice suggestions Lenny :)
@LeMinhThanh congratulations on building a nice security companion (y)
Did you check if your process can be easily killed by malware (self-defense)? Do you allow process to run while the files are being scanned or are they blocked at first to avoid consequences?

The potential for additions is unlimited. Alerting about vulnerable system processes (can refer to some related infamous tactics from Mitre Attack directories), command-line scanning like VDS (different from any checks done in Yara rules), digital signature validation and verification. Though all of these will be very secondary features and perhaps heavy.
Flexible configurations like @Lenny_Fox suggested are a good tweak. You can compartmentalize the modules on the main screen with labels so that those can be easily related with the security options provided in the settings.


Something like what Voodooshield does ..
Hi Parsh!
Yes, my app can be easily killed by malware, so I think I can add a watcher to protect it or something like this. Maybe in some next version.
Yeah, the potential for additions is unlimited. I will try my best to add these features in every version.
Best regards,
Thành
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
Hi Parsh!
Yes, my app can be easily killed by malware, so I think I can add a watcher to protect it or something like this. Maybe in some next version.
Yeah, the potential for additions is unlimited. I will try my best to add these features in every version.
Best regards,
Thành
My intention was only to highlight methods used by users to customize their SRP/HIPS (like referring to Mitre examples) and highlight some features used by other companion apps like VDS. Some checks could be added if you monitor certain processes for XYZ, making a unique point. Though this would require a good effort and understanding of the internals.
It's best left up to your idea of the scope of the app. What you intend to provide. How much time and effort you can/want to dedicate to this project. What little things can be feasibly added for good, and what is absolutely unnecessary ;)

BTW does your app detect kernel-mode keyloggers? I doubt that it would need a kernel mode driver for that. And that's difficult with Windows x64 restrictions.
 

LeMinhThanh

From LMT Anti Logger
Verified
Developer
My intention was only to highlight methods used by users to customize their SRP/HIPS (like referring to Mitre examples) and highlight some features used by other companion apps like VDS. Some checks could be added if you monitor certain processes for XYZ, making a unique point. Though this would require a good effort and understanding of the internals.
It's best left up to your idea of the scope of the app. What you intend to provide. How much time and effort you can/want to dedicate to this project. What little things can be feasibly added for good, and what is absolutely unnecessary ;)

BTW does your app detect kernel-mode keyloggers? I doubt that it would need a kernel mode driver for that. And that's difficult with Windows x64 restrictions.
Hi!
Your suggestions are interesting but I'm not sure if I can do it or not 😅
I created this application during the Covid-19 isolation period in Vietnam, so I'm not sure how much determination I could devote to this application. But for now I will focus on bringing AI to the client!
And...yes, my app cannot detect kernel-mode keyloggers, it is quite difficult to do 😅
Best regards,
Thành
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
I created this application during the Covid19 isolation period in VietNam, so I'm not sure how much determination I could devote to this application. But for now I will focus on bringing AI to the client!
The app already seems to provide quite some interesting features for a basic companion, or an antilogger especially :)
This period indeed is an opportunity to learn and develop on your ideas. Even I am up to something ;) Just not about security. It involves hybrid mobile apps and predictive analysis models on cloud.
Keep up the good work friend (y)
 

Lenny_Fox

Level 13
Verified
Your suggestions are interesting but I'm not sure if I can do it or not. My app cannot detect kernel-mode keyloggers, it is quite difficult to do.
There was a famous soccer player in the Netherlands who used to talk in cryptic sentences; one of his quotes was "every disadvantage has an advantage", meaning try to turn your weakness into a strength. Considering the time you have and the added value of yet another security application, let's think freely and try to remove 'go to market' thresholds (I am a digital marketeer).

Position your application as the ideal antivirus companion focusing on user-land threats. The rationale behind it is that malware has limited operating room when it runs as an unelevated process. At the same time users are not warned when malware changes an HKCU autorun registry key (UAC does not protect those), so even while the operating system limits the damage an unelevated process can do, it still can do a lot of things average users don't want to happen: like a spyware application living in user folders surviving reboot by adding itself as an HKCU autorun entry.

Another advantage of changing your promise (only warning against ring 3 - user land intrusions) is that you don't need to protect against kernel based keyloggers (which has the advantage that your application is not considered to have a weakness or missing something).

So my suggestion would be: limit the intrusion detection to
1. Userland hook protection (e.g. keyloggers)
2. Userland registry protection (only HKCU)
3. Yara rules protection
4. Heuristics (explain what it involves???)

Newly created unelevated processes which are marked suspicious by one of the above detection mechanisms are checked at Virus Total

When you have moved the AI from server side to client side you can add that as an additional intrusion detection mechanism. This saves time so you can write a monitor which protects your processes from being terminated.

Shortest GO2MARKET road I can think of. When the protection module is ready, launch your companion as a freemium program (1 year free, then ask a yearly micro-fee, say 2.95 US dollars, that is less than the price of a Big Mac).
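The "userland registry protection (only HKCU)" item above, as an added example that is not part of the post or of the LMT Anti Logger project: a baseline snapshot of the HKCU Run key is diffed against the current one, and added or changed autoruns pointing into user-writable folders are flagged, since an unelevated process can plant those without any UAC prompt. Reading the live key uses the standard-library winreg module and needs Windows; the diff and path checks are pure and run anywhere.

```python
import sys
from typing import Dict, List, Tuple

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # relative to HKCU
# Path fragments an unelevated process can write to; an autorun pointing there
# is the "spyware living in user folders" case from the post above.
USER_WRITABLE = ("\\appdata\\", "%appdata%", "%localappdata%", "\\temp\\", "%temp%", "\\downloads\\")

def read_hkcu_run() -> Dict[str, str]:
    """Snapshot {value name: command} of HKCU\\...\\Run; Windows only (winreg)."""
    if sys.platform != "win32":
        raise OSError("HKCU can only be read on Windows")
    import winreg  # stdlib, Windows-only module
    entries, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                return entries
            entries[name] = str(value)
            index += 1

def command_path(command: str) -> str:
    """Executable path of a Run value: strip surrounding quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def in_user_folder(command: str) -> bool:
    """True when the autorun target lives in a user-writable location."""
    path = command_path(command).lower()
    return any(marker in path for marker in USER_WRITABLE)

def diff_run_entries(baseline: Dict[str, str],
                     current: Dict[str, str]) -> List[Tuple[str, str, str, bool]]:
    """Every (change, name, command, suspicious) between two snapshots.
    Only added/modified entries can be suspicious; removals are reported as context."""
    findings = []
    for name, cmd in current.items():
        if name not in baseline:
            findings.append(("added", name, cmd, in_user_folder(cmd)))
        elif baseline[name] != cmd:
            findings.append(("modified", name, cmd, in_user_folder(cmd)))
    for name in baseline.keys() - current.keys():
        findings.append(("removed", name, baseline[name], False))
    return sorted(findings)
```

On Windows, `read_hkcu_run()` taken at install time and again after each process-creation event gives the two snapshots; the constructed entries in the test show the pure part.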
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
Position your application as the ideal antivirus companion focusing on user-land threats. The rationale behind it is that malware has limited operating room when it runs as an unelevated process. At the same time users are not warned when malware changes an HKCU autorun registry key (UAC does not protect those), so even while the operating system limits the damage an unelevated process can do, it still can do a lot of things average users don't want to happen: like a spyware application living in user folders surviving reboot by adding itself as an HKCU autorun entry.

Another advantage of changing your promise (only warning against ring 3 - user land intrusions) is that you don't need to protect against kernel based keyloggers (which has the advantage that your application is not considered to have a weakness or missing something).
So my suggestion would be: limit the intrusion detection to
1. Userland hook protection (e.g. keyloggers)
2. Userland registry protection (only HKCU)
3. Yara rules protection
4. Heuristics (explain what it involves???)
While the anti-logger sounds like a good AV companion, to be more readily considered a good freemium companion, it will have to complement rather than overlap the typical features of the AVs out there.
Scope of UAC is another matter. I am sure most AVs keep an eye on at least their own registry entries and the autoruns, though the effectiveness of flagging malicious changes may vary. Heuristics and user-mode keylogger protection are covered by a typical AV, and a few reputed AVs do use a Yara rule engine. It wouldn't be a surprise if they use and have improved on the existing Yara rules repository. Still, they can be handy to flag suspicious files and initiate a further check or an alert.

Some other interesting mods could include harnessing VT results as you suggested earlier for a second check, and a few more secondary features that can be strongly marketed other than for calling it an "antilogger"... like VDS loves to be called a computer lock or an anti-exe with VT, sandbox, commandline verification and cloud whitelists ...
I do think that it is a good program with a lot of potential if it wants to invite a freemium tag :)
The not so common features like configurable VT-based rules, the AI engine, adding guarding of vulnerable apps maybe or maybe not, just showing results of cloud sandbox analysis of suspicious files like VDS did with cuckoo — could be paid. I am not saying integrate all of it. However, adding some of these will increase the USP of the product desirably.

He'll have to expand the training of the AI engine with more datasets than the one initially used, as seen in the link, to keep things relevant. He has apparently used supervised learning. Then, tuning via more validation datasets followed by test datasets. The amount of (correctly labeled) samples in the dataset is key for the model accuracy, so large representative datasets are needed for a good AI module. If it only checks on VT for suspicious files as suggested, the risk of flagging system files should not rise. And for the much new data that the app would confront throughout its use, an unsupervised learning model could become useful, and clustering could help with labeling there. That's next level and would require steady support to development.
Rather, the AV results from VT could be intuitively used if the list of detecting engines is shown (is it? I haven't checked. Will try soon). If it includes the ML engines of reputed AVs, cherry on the cake!

Shortest GO2MARKET road I can think of. When the protection module is ready, launch your companion as a freemium program (1 year free, then ask a yearly micro-fee, say 2.95 US dollars, that is less than the price of a Big Mac).
I get your point you're keeping with a micro-fee. It could be justified. However, don't you think that average people tend to judge the value of protection also based on the fees - and a micro-fee might sound discouraging for a buyer per se?
Marketing some unique points over an AV would more easily justify a slightly higher ask amount IMHO.
 