A proactive Next-Generation Antivirus (NGAV) solution featuring malware analysis functionality with memory forensics, designed specifically for malware analysts who perform dynamic analysis manually, comes with a kernel driver (written in C/C++) that protects the device in real time, similarly to advanced endpoint protections.
The solution detects previously unseen variants of data-exfiltrating malware, and other processes that steal data from the user without consent, such as:
- Info-stealer #1
- Info-stealer #2
- Info-stealer #3
- Info-stealer #4
Thank you for the high-quality articles. In malware analysis mode, no malware goes undetected. The solution decisively puts an end to these data-exfiltrating malware threats once and for all.
Key features
- Zero Trust - In this security-enhanced mode, the system implements strict execution controls that block all code from running without the user’s deliberate initiation or explicit consent. Undetected malware is unable to cause harm or exfiltrate sensitive data — at least not without the user’s awareness.
- Root cause analysis
- Reducing the attack surface to almost nothing
- Data breach detection
- Advanced application control based on the certificate signer's name (The user manages the list of allowed applications)
- Proactive Next-Generation Antivirus (NGAV) surpasses traditional signature-based solutions by eliminating the need for signature updates
- The source code is available for purchase as part of a customized software development solution, tailored to meet the specific needs of your company
The solution logs all processes along with their command lines and network connections into the database. This supports the investigation of potential data breaches and malware analysis.
Your company’s SOC team or equivalent tests all unknown or untrusted code before adding it to the allowlist. This approach differs from competitors, where trusted applications can be added based solely on their EV code signing certificate. The allowed applications list is maintained by the device user. This can be tailored through software development to suit your organization’s requirements.
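As an added illustration, not the product's own code, the following Python sketch models the two execution-control modes described above: a signature mode that trusts an application by its certificate signer name or by an explicitly allowlisted file hash, and a zero-trust mode that allows only files the SOC or device user has reviewed and allowlisted. It also keeps the kind of process log the text mentions (command lines and network connections, here in an in-memory SQLite database) and shows one query an analyst might start from. The class and field names, the signer name "Example Corp", the hashes and the sample events are all constructed assumptions.

```python
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcessEvent:
    """One process start as a hypothetical sensor would report it (constructed model)."""
    pid: int
    image_path: str
    sha256: str                 # hex digest of the image file on disk
    signer: Optional[str]       # Authenticode signer subject name, None if unsigned
    command_line: str


class Policy:
    """Execution control with the two modes the page describes.

    'signature'  : allow if the file hash is allowlisted OR the signer name is trusted.
    'zero_trust' : allow only if the file hash is allowlisted; nothing else runs
                   without an explicit user/SOC decision.
    """

    def __init__(self, mode: str, trusted_signers: Set[str], allowed_hashes: Set[str]):
        if mode not in ("signature", "zero_trust"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.trusted_signers = set(trusted_signers)
        self.allowed_hashes = {h.lower() for h in allowed_hashes}

    def decide(self, ev: ProcessEvent) -> str:
        if ev.sha256.lower() in self.allowed_hashes:
            return "allow"          # reviewed and allowlisted individually
        if self.mode == "signature" and ev.signer in self.trusted_signers:
            return "allow"          # trusted by certificate signer name
        return "block"


class EventLog:
    """In-memory SQLite log of process starts and network connections: the
    record an analyst needs for root cause analysis after the fact."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE process (pid INTEGER, image TEXT, sha256 TEXT, "
            "signer TEXT, cmdline TEXT, verdict TEXT)"
        )
        self.db.execute("CREATE TABLE netconn (pid INTEGER, remote TEXT, port INTEGER)")

    def record_process(self, ev: ProcessEvent, verdict: str) -> None:
        self.db.execute(
            "INSERT INTO process VALUES (?, ?, ?, ?, ?, ?)",
            (ev.pid, ev.image_path, ev.sha256, ev.signer, ev.command_line, verdict),
        )

    def record_connection(self, pid: int, remote: str, port: int) -> None:
        self.db.execute("INSERT INTO netconn VALUES (?, ?, ?)", (pid, remote, port))

    def unsigned_with_network(self) -> List[int]:
        """PIDs of unsigned processes that opened a network connection, a
        simple starting point when triaging a possible data breach."""
        rows = self.db.execute(
            "SELECT DISTINCT p.pid FROM process p JOIN netconn n ON n.pid = p.pid "
            "WHERE p.signer IS NULL ORDER BY p.pid"
        ).fetchall()
        return [r[0] for r in rows]


def demo() -> Dict[str, object]:
    """Run both modes over constructed events and return the verdicts."""
    allowlist = {"aa" * 32}     # constructed: hash of a SOC-reviewed tool
    events = [
        ProcessEvent(100, r"C:\Program Files\Example\tool.exe", "aa" * 32, "Example Corp", "tool.exe --sync"),
        ProcessEvent(101, r"C:\Program Files\Example\editor.exe", "bb" * 32, "Example Corp", "editor.exe"),
        ProcessEvent(102, r"C:\Users\alice\AppData\Local\Temp\update.exe", "cc" * 32, None, "update.exe /s"),
    ]
    verdicts: Dict[str, List[str]] = {}
    for mode in ("signature", "zero_trust"):
        policy = Policy(mode, {"Example Corp"}, allowlist)
        verdicts[mode] = [policy.decide(ev) for ev in events]

    log = EventLog()
    for ev, verdict in zip(events, verdicts["signature"]):
        log.record_process(ev, verdict)
    log.record_connection(101, "203.0.113.10", 443)   # constructed connection
    log.record_connection(102, "198.51.100.7", 8080)  # constructed connection
    return {"verdicts": verdicts, "unsigned_with_network": log.unsigned_with_network()}


if __name__ == "__main__":
    print(demo())
```

The per-file hash entry is checked before the signer name on purpose: in zero-trust mode the signer is never consulted, which is exactly what makes the mode robust against malware signed with a legitimately issued certificate, at the cost of the SOC having to review every new binary.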
Real-time threat prevention against code-signed malware that exploits previously undisclosed zero-day vulnerabilities
Malware signed with a legitimate and valid code signing certificate poses a unique challenge because it is no longer possible to rely solely on code signing certificates, as increasingly sophisticated malware is being signed using certificates acquired through illegitimate means. In practice, only a zero-trust mode can block such state-sponsored threats in real time. The solution offers proactive, real-time defense against even the most elusive threats — code-signed malware leveraging undisclosed zero-day vulnerabilities.
If you have a cybersecurity-related company and can obtain a valid EV code-signing certificate for a kernel driver, please get in touch. Thank you.
Real-time kernel-level features (many already coded features are still to be added):
- Detects whether a running or newly launched process is digitally signed and, depending on the settings, prevents this process from starting if it is not
- Identifies whether the PE file (EXE, DLL or a kernel driver) has a digital signature or not
- Blocks any process from loading a DLL without a digital signature
- Advanced application control - Allow execution based on digital signature or add the individual process or DLL to the allowed list
- BYOVD (Bring Your Own Vulnerable Driver) protection (detects/prevents the administrator-to-kernel transition used by kernel-mode malware)
- The solution runs alongside existing endpoint protections and kernel-level anti-cheats, while also providing deep visibility into their behavior
* * * The majority of malware, if not all, is not digitally signed. An unsigned executable does not automatically mean malicious software. When protecting a company's server from cyber threats, it is easier to prevent the execution of unknown unsigned code at the kernel level with the default settings. If required software uses a DLL (Dynamic Link Library) that is not digitally signed, the DLL is manually analyzed and added to the allowlist. At this point, the risk of ransomware causing any damage has already been minimized.
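As an added example, not the product's driver code, the following Python parser performs the check behind the "has a digital signature or not" feature: it walks the PE headers of an EXE, DLL or driver and reports whether the Certificate Table entry of the optional header's data directory is non-empty, which is where an embedded Authenticode signature lives. The minimal PE header builder is a constructed test fixture, not a real image. Two caveats a practitioner should keep in mind: a non-empty table only says a signature is present, not that it is valid (validation is a separate step, on Windows typically via WinVerifyTrust), and many Windows components are catalog-signed with no embedded signature, so a policy driven by this check alone would treat them as unsigned.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4     # index of the Certificate Table entry
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def has_embedded_signature(data: bytes) -> bool:
    """True if the PE image's Certificate Table data directory is non-empty.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header
    and reads DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]. For this entry the
    'VirtualAddress' field is a file offset, not an RVA.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_rva_off, dir_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        num_rva_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_rva = struct.unpack_from("<I", data, opt + num_rva_off)[0]
    entry_off = dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # The image declares too few directory entries: there is no certificate table.
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_optional < entry_off + 8:
        return False
    file_offset, size = struct.unpack_from("<II", data, opt + entry_off)
    if file_offset == 0 or size == 0:
        return False
    # Sanity check: a table that points past the end of the file is bogus or truncated.
    return file_offset + size <= len(data)


def build_minimal_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed test fixture: a header-only PE image with an optional trailing
    zero blob standing in for a WIN_CERTIFICATE entry (not a real signature)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    opt_size = 240 if pe32plus else 224                   # 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    num_rva_off, dir_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, num_rva_off, 16)          # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + opt_size
    cert_blob = b""
    if signed:
        cert_blob = b"\x00" * 64                          # placeholder certificate table
        struct.pack_into("<II", opt, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert_blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_blob


def classify(data: bytes) -> str:
    """Label used by a hypothetical allowlist workflow (assumed names)."""
    return "embedded-signature" if has_embedded_signature(data) else "no-embedded-signature"


if __name__ == "__main__":
    for signed in (True, False):
        for plus in (True, False):
            print(f"signed={signed} pe32plus={plus}: {classify(build_minimal_pe(signed, plus))}")
```

To run it against real files, read each file as bytes and pass it to `classify`; the truncation check at the end of `has_embedded_signature` is what keeps a file whose certificate table was cut off (or whose header was tampered with) from being reported as signed.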
- Proactively detects previously unknown malware, in certain situations including malware operating in kernel memory
- Data breach detection
- Kernel physical memory scanner
- User-mode memory scanner, including (WinTcb) protected processes
- Self-integrity checks that detect whether malware attempted to disable the protection at the user or kernel level. In this context, proactivity means that the solution responds in real time based on predefined measures
- Secure IOCTL communication (Exploitation #1 and Exploitation #2 mentioned in the article are not possible with this protection). Certificates are not revoked, and your company avoids reputational damage with these measures
Depending on the settings, the solution either reduces the attack surface or completely prevents the operation of the malware in most situations. In practice, this solution forces the malware to become visible.
Availability of the source code
Your malware analysts are only as good as the software they use. The source code is available for purchase as a software work, non-exclusively and without resale rights, for internal use within a company.
The user interface (UI) has been coded with C# .NET 8.0 so that the project would be easier to customize and be more easily modifiable. The kernel driver is written in C/C++.
This solution does not require or use any third-party additional protection layers. Therefore, the kernel driver is stable, and the source code is maintainable and well-documented.
Currently supported versions: Windows 10 22H2 - Windows 11 24H2 (x64)
Proactivity means that the solution can automatically perform a predefined action, for example, take a physical memory dump and upload it to a remote server for further analysis.