A proactive anti-malware solution with memory forensics, which is specifically designed for malware analysts who performs manually dynamic analysis, comes with a kernel driver (written in C/C++) that protects the device in real time similarly to advanced endpoint protections. The solution offers robust security while prioritizing user privacy. It's a great choice for home users who want effective protection without compromising their personal data.
The author has a simple but one could say, the most effective solution to the entire malware problem, including their worst versions, namely ransomwares, which prevents their operation at the kernel level before any damage can occur.
The solution is largely developed based on OSINT principles. Thanks to the analysts of AV solutions for the quality technical articles. Based on these articles, the author developed a comprehensive solution to the ransomware problem. Note that this approach/implementation is missing from almost all of the long-standing solutions currently on the market.
The user interface (UI) has been coded with C# .NET 8.0 so that the project would be easier to customize and be more easily modifiable.
This solution does not require or use any third-party additional protection layers. Therefore, the kernel driver is stable, and the source code is maintainable and well-documented.
If you have a cybersecurity-related company and can obtain a valid EV code-signing certificate for a kernel driver, please get in touch. Thank you.
Real-time kernel-level features (many already coded feature is to be added):
- Detects whether a running or newly launched process is digitally signed and, depending on the settings, prevents this process from starting if it is not
- Identifies whether the PE file (EXE, DLL or a kernel driver) has a digital signature or not
- Block any process from loading a DLL without a digital signature
- Zero day protection
- BYOVD (Bring Your Own Vulnerable Driver) protection (detects/prevents administrator-to-kernel transition that is used in kernel mode malwares)
* * * The majority of malwares, if not all, are not digitally signed. An unsigned executable doesn't automatically mean malicious software. If we consider protecting a company's server from cyber threats, it is easier to prevent the execution of an unknown unsigned code at the kernel level with default settings. If a software is needed that uses a DLL (Dynamic Link Library) that is not digitally signed, it is manually analyzed and added to the white list. At this point, the risk of ransomware causing any damage has already been minimized.
These few "simple" but crucial features significantly reduces manual work. Instead of dealing with thousands of suspicious events, there are only a few that need to be reviewed manually.
Most AV solutions that the author tested so far, lacks integrity checks at the kernel level. Therefore this solution provides significantly better protection for home users than any traditional cybersecurity solution. This solution respects user privacy and does not track your browsing history, unlike almost all others.
After these measures, malware is forced to reveal itself , and the malware author must use a leaked code signing certificate. The attack surface has now significantly decreased. If an unsigned DLL is allowed to run as an administrator privileges (the operation of a typical ransomware), the damage has very likely already occurred and manual analysis is necessary in any case.
This solution employs a "simple" yet effective novel approach to a problem that is missing from almost all of the current competing solutions as of 06/2024.
- Detects a previously unknown malware, and in a certain situations including those operating in the kernel memory
- Self-integrity checks that detects if the malware attempted to disable the protection at the user or kernel level. Proactivity in this context means that the solution responds to this in real-time according to predefined measures
- Secure IOCTL communication (The exploitation mentioned in the article is not possible with this protection)
- Works alongside your other security software, such as Windows Defender or any other
- It's easy to use, and with just one setting change, a home user becomes a malware analyst. Best of all, home users get better protection for their devices than what's even found in most enterprise EDR/XDR/EPP/NGAV solutions!
Depending on the settings, the solution either reduces the attack surface or completely prevents the operation of the malware in most situations. In practice, this solution forces the malware to become visible.
In other words the Keuda.fi case would have been detected and prevented with this protection in real time.
* * * The author will provide soon a video presentation with a real-life example where the operation of notorious ransomware is prevented in real time without the need to remediate anything.
If the running user-level process is protected even a little with the kernel's built-in features, then in practice before the malware can do anything, the user must run the malicious code with an administrator user rights. If the malware runs as the current user, it can only inject itself to a process with the same privilige.
Availability of the source code
Your DFIR-team or malware analysts are as good as the softwares they use. The source code is available for purchase as a software work non-exclusively without resale rights for internal use within a company.
For instance, if an educational institution wants to independently start developing a version that suits their purposes right away. As a result, the further development of the solution may no longer necessarily depend on the original developer.
The source code has many kernel-level anti-cheat features because they work pretty much the same way as an anti-malware solutions. Therefore, a product derived from the source code could, for example, be sold to foreign gaming companies who do not have proper kernel-level anti-cheat protection developed.
With this source code, you can almost immediately reach the same level as what the best competing products on the market offer if the user interface (UI) is not counted.
Anti-ramsomware
A ransomware that uses a zero-day vulnerability begins ruthlessly encrypting files and destroying backups immediately, as happened in the case of Keuda. There is no other option but to stop the ransomware's operation in real-time, and a mere antivirus (AV) is no longer necessarily sufficient.
Proactivity means that the solution can automatically perform a predefined action, for example, take a physical memory dump and upload it to a remote server for further analysis.