LMT AntiMalware
- Thread starter LeMinhThanh
- Start date
- Apr 11, 2020
- 305
Hi!
LMT Anti Logger 3.1 released
Changelog:
Screenshot:
To add more rules, you can edit "registry_rules.txt" on the program folder, then re-enable Registry Guard options.
Looking forward to your feedback.
Best regards,
Thành
LMT Anti Logger 3.1 released
Changelog:
- Added Registry Guard. It will notify you when a software tries to access critical registry keys.
- Added "Kill" option.
- Fix some bugs.
Screenshot:
To add more rules, you can edit "registry_rules.txt" on the program folder, then re-enable Registry Guard options.
Looking forward to your feedback.
Best regards,
Thành
Last edited:
Hi @@@LeMinhThanh
LMTAntiLogger 3.0
LMTAntiLogger 3.1
And see my 2 Pictures that says the Fileversion is 0.0.0.0 is that so right and no Copyright info
With best Regards
Mops21
LMTAntiLogger 3.0
LMTAntiLogger 3.1
And see my 2 Pictures that says the Fileversion is 0.0.0.0 is that so right and no Copyright info
With best Regards
Mops21
Attachments
Last edited:
- Apr 11, 2020
- 305
Hi!Hi @@@LeMinhThanh
LMTAntiLogger 3.0
LMTAntiLogger 3.1
And see my 2 Pictures that says the Fileversion and no Copyright info is 0.0.0.0 is that so right
With best Regards
Mops21
With best Regards
Mops21
I sent a false positive report to MS but they still haven't responded.
About 2 pics, I dont get what you mean?
Hi @LeMinhThanh
I mean there stands by the File Versionumber 0.0.0.0 as example 3.1.0.0 and no Copyright info
With best Regards
Mops21
- Apr 11, 2020
- 305
- Dec 12, 2013
- 542
Thanks for reply and nice you added new feature to protect registry...I understand that we can add our own entries? What's job of feature called "Kill"...is it only for closing detected process what would means that "Delete" do the same and additionaly delete phisicaly instance of process?Hi ichito
1. This is the result when i tested with Security Test Tool:
(...)
2. About protect webcam, my app only disable the webcam
3. The real-time protection only checks processes when they are created using Virustotal, heuristic AI and Yara rules. It's not like HIPS/BB.
4. It's secure desktop.
5. I only checked on windows 10 so maybe it had some problems on windows 7. I will check it.
Best regards,
Thành
Could you add info about supported Windows versions?
BTW...the last version unfortunately don't want to work on Win7...
- Oct 1, 2019
- 1,120
- Apr 11, 2020
- 305
Hi ichito!Thanks for reply and nice you added new feature to protect registry...I understand that we can add our own entries? What's job of feature called "Kill"...is it only for closing detected process what would means that "Delete" do the same and additionaly delete phisicaly instance of process?
Could you add info about supported Windows versions?
BTW...the last version unfortunately don't want to work on Windows 7...
I forgot about Windows 7 problem, I will install Windows 7 to check. Hopefully the upcoming version will support Windows 7
- Apr 11, 2020
- 305
- Oct 1, 2019
- 1,120
@LeMinhThanh
Thanks for the rapid response, I have another question and a suggestion:
Question: when are you planning to move the AI to client side (to prevent overloading your own server)?
Suggestion: because your program uses several interesting detection mechanisms (e.g. heuristics, AI and Yara), you could position it as a true client side host intrusion detection system. In this scenario the heuristics, AI and Yara engine only function is to detect something suspicious (the intrusion detection part), next the VirusTotal check is triggered and depending on user setting a block (e.g. more than 10) or a prompt (less than 10 but more than 5 AV's on virus total think it is malware) or a message (less than 5) is shown.
This has the advantage that you can fine tune your protection mechanisms, without having to worry about false positives (detection based on your engines, but block is dependant on VT-results and the settings of the user) and you will be allowed to use VT (because your program feeds VT based on its own detection's) and you have a unique selling point (a consumer host intrusion detection system with user configurable VT intrusion prevention check).
Regards
Lenny
Thanks for the rapid response, I have another question and a suggestion:
Question: when are you planning to move the AI to client side (to prevent overloading your own server)?
Suggestion: because your program uses several interesting detection mechanisms (e.g. heuristics, AI and Yara), you could position it as a true client side host intrusion detection system. In this scenario the heuristics, AI and Yara engine only function is to detect something suspicious (the intrusion detection part), next the VirusTotal check is triggered and depending on user setting a block (e.g. more than 10) or a prompt (less than 10 but more than 5 AV's on virus total think it is malware) or a message (less than 5) is shown.
This has the advantage that you can fine tune your protection mechanisms, without having to worry about false positives (detection based on your engines, but block is dependant on VT-results and the settings of the user) and you will be allowed to use VT (because your program feeds VT based on its own detection's) and you have a unique selling point (a consumer host intrusion detection system with user configurable VT intrusion prevention check).
Regards
Lenny
- Dec 27, 2016
- 1,480
Nice suggestions Lenny
@LeMinhThanh congratulations on building a nice security companion
Did you check if your process can be easily killed by malware (self-defense)? Do you allow process to run while the files are being scanned or are they blocked at first to avoid consequences?
The potential for additions is unlimited. Alerting about vulnerable system processes (can refer to some related infamous tactics from Mitre Attack directories), command-line scanning like VDS (different from any checks done in Yara rules), digital signature validation and verification. Though some of these are very secondary features and may get heavy.
Flexible configurations like @Lenny_Fox suggested is a good tweak. You can compartmentalize the modules on the main screen with labels so that those can be easily related with the security keywords provided in the settings.
@LeMinhThanh congratulations on building a nice security companion
Did you check if your process can be easily killed by malware (self-defense)? Do you allow process to run while the files are being scanned or are they blocked at first to avoid consequences?
The potential for additions is unlimited. Alerting about vulnerable system processes (can refer to some related infamous tactics from Mitre Attack directories), command-line scanning like VDS (different from any checks done in Yara rules), digital signature validation and verification. Though some of these are very secondary features and may get heavy.
Flexible configurations like @Lenny_Fox suggested is a good tweak. You can compartmentalize the modules on the main screen with labels so that those can be easily related with the security keywords provided in the settings.
Something like what Voodooshield does ..
Last edited:
- Apr 11, 2020
- 305
Hi Lenny_Fox!
About the question: Yes, it is in my to-do list, but I think I will do it after some version because I need to convert it to run on Windows.
And thanks for nice suggestions, I will add this feature in the next version.
Best regards,
Thành
- Apr 11, 2020
- 305
Hi Parsh!Nice suggestions Lenny
@LeMinhThanh congratulations on building a nice security companion
Did you check if your process can be easily killed by malware (self-defense)? Do you allow process to run while the files are being scanned or are they blocked at first to avoid consequences?
The potential for additions is unlimited. Alerting about vulnerable system processes (can refer to some related infamous tactics from Mitre Attack directories), command-line scanning like VDS (different from any checks done in Yara rules), digital signature validation and verification. Though all of these will be very secondary features and perhaps heavy.
Flexible configurations like @Lenny_Fox suggested is a good tweak. You can compartmentalize the modules on the main screen with labels so that those can be easily related with the security options provided in the settings.
Something like what Voodooshield does ..
View attachment 238157View attachment 238155View attachment 238156
Yes, my app can be easily killed by malware, so I think I can add a watcher to protect it or something like this. Maybe in some next version.
Yeah, the potential for additions is unlimited. I will try my best to add these feature in every version.
Best regards,
Thành
- Dec 27, 2016
- 1,480
My intention was only to highlight methods used by users to customize their SRP/HIPS (like referring to Mitre examples) and highlight some features used by other companion apps like VDS. Some checks could be added if you monitor certain processes for XYZ, making a unique point. Though this would require a good efforts and understanding of the internals.
It's best up to your idea of the scope of the app. What you intend to provide. How much time and efforts you can/want to dedicate to this project. What little things can be feasibly added for good, and what is absolutely unnecessary
BTW does your app detect kernel-mode keyloggers? I doubt that it would need a kernel mode driver for that. And that's difficult with Windows x64 restrictions.
Last edited:
- Apr 11, 2020
- 305
Hi!My intention was only to highlight methods used by users to customize their SRP/HIPS (like referring to Mitre examples) and highlight some features used by other companion apps like VDS. Some checks could be added if you monitor certain processes for XYZ, making a unique point. Though this would require a good efforts and understanding of the internals.
It's best up to your idea of the scope of the app. What you intend to provide. How much time and efforts you can/want to dedicate to this project. What little things can be feasibly added for good, and what is absolutely unnecessary
BTW does your app detect kernel-mode keyloggers? I doubt that it would need a kernel mode driver for that. And that's difficult with Windows x64 restrictions.
Your suggestions are interesting but I'm not sure if I can do it or not
I created this application during the Covid19 isolation period in VietNam, so I'm not sure how much determination I could devote to this application. But for now I will focus on bringing AI to the client!
And...yes, my app cannot detect kernel-mode keyloggers, it is quite difficult to do
Best regards,
Thành
- Dec 27, 2016
- 1,480
The app already seems to provide quite some interesting features for a basic companion, or an antilogger especially
This period indeed is an opportunity to learn and develop on your ideas. Even I am up to something
Just not about security. It involves hybrid mobile apps and predictive analysis models on cloud. Keep up the good work friend
- Oct 1, 2019
- 1,120
There was a famous soccer player in the Netherlands who used to talked in cryptic sentences, one of his quotes "every disadvantage has an advantage", meaning try to turn your weakness into a strength. Considering the time you have and the added value of yet another security application, let's think free and try to remove 'go to market' thresholds (I am a digital marketeer).
Position your application as the ideal antivirus companion focusing on user land threats. The rational behind it is that malware has limited operating room when it runs as an unelevated process. At the same time users are not warned when malware changes a HKCU autorun registry key (UAC does not protect those), so even while the operating system limits the damage an unelevated process can do, it still can do a lot of things average users don't want to happen: like a spyware application living in user folders surviving reboot by adding itself as an HKCU autorun entry.
Another advantage of changing your promise (only warning against ring 3 - user land intrusions) is that you don't need to protect against kernel based keyloggers (which has the advantage that your application is not considered to have a weakness or missing something).
So my suggestion would be: limit the intrusion detection to
1. Userland hook protection (e.g. keyloggers)
2. Userland registry protection (only HKCU)
3. Yara rules protection
4. Heuristics (explain what it involves???)
Newly created unelevated processes which are marked suspicious by one of the above detection mechanisms are checked at Virus Total
When you have moved the AI from server side to client side you can add that as an additional intrusion detection mechanism. This saves time so you can write a monitor which protects your processes from being terminiated.
Shortest GO2MARKET road I can think of. When protection module is ready launch your companion as a fremium program (1 year free then ask a yearly micro-fee, say 2.95 US dollar, that is less than the price of a big-mac).
- Dec 27, 2016
- 1,480
While the anti-logger sounds like a good AV companion, to be more readily considered a good freemium companion, it will have to complement rather than overlap the typical features of the AVs out there.
Scope of UAC is another matter. I am sure most AVs keep an eye on at least their own registry entries and the autoruns, though the effectiveness of flagging malicious changes may vary. Heuristics and user-mode Keylogger protection are covered by a typical AV and a few reputed AVs do use Yara rule engine. It wouldn't be a surprise if they use and have improved on the use of existing Yara rules repository. Still they can be handy to flag suspicious files and initiate further check or an alert.
Some other interesting mods could include harnessing VT results as you suggested earlier for a second check, and a few more secondary features that can be strongly marketed other than for calling it an "antilogger"... like VDS loves to be called a computer lock or an anti-exe with VT, sandbox, commandline verification and cloud whitelists ...
I do think that it is a good program with a lot of potential if it wants to invite a freemium tag
The not so common features like configurable VT-based rules, the AI engine, adding guarding of vulnerable apps maybe or maybe not, just showing results of cloud sandbox analysis of suspicious files like VDS did with cuckoo — could be paid. I am not saying integrate all of it. However, adding some of these will increase the USP of the product desirably.
He'll have to expand the training of the AI engine with more datasets than the one initially used as seen in the link, to keep things relevant. He has apparently used supervised learning.Then, tuning via more validation datasets followed by test datasets. The amount of (correctly labeled) samples in the dataset is key for the model accuracy, so large representative datasets are needed for a good AI module. If it only checks on VT for suspicious files as suggested, the risk of flagging system files should not rise. And for the many new data that the app would confront throughout its use, an unsupervised learning model could become useful, and clustering could help with labeling there. That's next level and would require a steady support to development.
Rather, the AV results from VT could be intuitively used if the list of detecting engines is shown (is it? I haven't checked. Will try soon). If it includes the ML engines of reupted AVs, cherry on the cake!
I get your point you're keeping with a micro-fee. It could be justified. However, don't you think that average people tend to judge the value of protection also based on the fees - and a micro-fee might sound discouraging for a buyer per se?
Marketing some unique points over an AV would more easily justify a slightly higher ask amount IMHO.
Similar threads
