Friday, March 05, 2010

On the Road to 7.0: File and Registry Activity

Once you open the good old Host Protection, now renamed Proactive Protection to reflect what it really does, you'll see a tab next to the familiar Process Activity. It is another monitor of what is going on in your system: the File and Registry Activity Monitor. In other words, you can pick a process displayed in Process Activity and see what file and registry operations it performs.

An invaluable aid for advanced users, the monitor gives a big picture of (as you may have guessed) current file and registry activity. You can inspect every active process, the paths it touches and the time of each operation, and track registry modifications, then act on what you find using Outpost's other functionality.

In Process Activity you can right-click a process and choose to terminate it, quarantine it or monitor its activity; the last option is where the new feature comes in. The Monitor provides handy filtering options, so you can include or exclude running processes and concentrate on exactly what interests you at the moment.

Using the Start/Stop monitor buttons you can also take a snapshot of the monitor's records for deeper analysis.


The concept of such a tool traces back to Mark Russinovich's Filemon and Regmon utilities, later replaced by Process Monitor, now part of Microsoft's Sysinternals offering. Outpost's File and Registry Activity Monitor is based on a similar principle; what is specific in our case is that the module is part of a comprehensive security solution and, backed by Outpost's other log and protection tools, provides deeper insight.

You'll soon be able to judge for yourself, as the public beta of Outpost 7 is only a stone's throw away.

Stay tuned!

Pavel Goryakin, Agnitum


Thursday, February 11, 2010

Anti-Malware. Part 2: Auto-Update Engine 5.0 and Heuristic Analyzer

In my last blog post I discussed the antivirus engine advancements in the current version, 6.7.3. Outpost 7 will continue this auto-update and traffic-saving approach and add more stability and better performance. All of this is thanks to the new anti-malware engine, version 5.0, which is being integrated with Outpost's other services in version 7.0.

Just to remind you of the improvements in Outpost Security Suite Pro and Outpost Antivirus Pro:
  • Continual signature flow: the new engine allows more frequent malware database updates, three times a day on weekdays: twice with antivirus signatures and once with antispyware signatures. Tip: tweak Outpost's settings to check for updates hourly instead of the default daily schedule.
  • Smart updates: version 5.0 of the anti-malware engine (anti-virus + anti-spyware) updates itself as needed at the same time as the regular malware database updates, so no separate product update is needed.
All these benefits were introduced seamlessly, so you won't notice any PC slowdowns or disruptions. On the contrary, automatic updates reduce traffic and simplify operating the product. We are working hard to bring the public beta date forward so that all of you can judge the improvements for yourselves. Version 7 will be released together with the new anti-malware engine, which provides a solid foundation for future detection and disinfection improvements.


I'd also like to tell you about another important technology that becomes visible in the Outpost 7.0 anti-malware module: HAX. HAX is designed to improve detection accuracy and has been in development for quite a long time. Outpost 7.0 brings this formerly hidden mechanism center stage in the anti-malware on-demand scan settings, as you can see in this screenshot:

HAX stands for Heuristic Analyzer for eXploits. It is specifically designed to detect potentially harmful packed objects, such as ZIP and RAR archives, as well as suspicious encrypted and protected files.

Packed objects are checked by both signature and heuristic (non-signature) methods. The signature-based approach uses a regularly updated database of packer definitions. The heuristic method relies on a static classifier whose inputs include:
  • Characteristics of the PE (Portable Executable) structure
  • Section table checks
  • Results of import table analysis
  • Entropy of each file section
A separate check catches attempts by malware to disguise an executable as a Windows system component.
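The static classifier described above, as an added Python example that is not Agnitum's code: a minimal PE32 parser plus heuristics over the section table (non-standard names, writable-and-executable sections, sections with no raw data), per-section entropy, entry point placement, and a check for a file that borrows a Windows system component's name while living outside System32. Import table analysis, one of the listed inputs, is left out to keep the example short. The two input images are constructed inline by build_pe; the entropy threshold, the section-name list and the system-binary list are this example's own assumptions, not HAX's.

```python
import math
import random
import struct
from typing import Dict, List

# Section characteristic bits from the PE/COFF spec.
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
# Example lists/threshold (assumptions, not HAX's): usual linker section names, system
# binaries whose names malware likes to borrow, and the entropy that marks packed code.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".bss", ".tls"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
ENTROPY_LIMIT = 7.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; compressed or encrypted sections sit close to 8."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(image: bytes) -> Dict:
    """Read just the header fields the heuristics need: entry RVA and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]               # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff, opt = pe + 4, pe + 24
    nsec = struct.unpack_from("<H", image, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):                                        # 40-byte section headers
        off = opt + opt_size + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "chars": chars, "data": image[rawptr:rawptr + rawsize]})
    return {"entry_rva": entry_rva, "sections": sections}

def classify(image: bytes, path: str = "") -> List[str]:
    """Return heuristic findings for one file; an empty list means nothing suspicious."""
    pe, findings, entry_sec, first_code = parse_pe(image), [], None, None
    for s in pe["sections"]:
        is_exec = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        ent = shannon_entropy(s["data"])
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if is_exec and ent > ENTROPY_LIMIT:                        # packed or encrypted code
            findings.append(f"executable section {s['name']!r} has entropy {ent:.2f}")
        if is_exec and s["chars"] & IMAGE_SCN_MEM_WRITE:           # stub unpacks into itself
            findings.append(f"section {s['name']!r} is writable and executable")
        if not s["data"] and s["vsize"]:                           # space reserved for the unpacked image
            findings.append(f"section {s['name']!r} has no raw data but {s['vsize']:#x} virtual bytes")
        if first_code is None and s["chars"] & IMAGE_SCN_CNT_CODE:
            first_code = s
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], len(s["data"])):
            entry_sec = s
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    elif entry_sec is not first_code:                              # unpacker stub in a trailing section
        findings.append(f"entry point in {entry_sec['name']!r}, not in the first code section")
    norm = path.replace("\\", "/").lower()
    base = norm.rsplit("/", 1)[-1]
    if base in SYSTEM_BINARIES and "/windows/system32/" not in norm:
        findings.append(f"{base} outside System32 looks like a system component disguise")
    return findings

def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 from (name, chars, raw_data, virtual_size) tuples. Constructed
    test input only: no imports or relocations, RVAs start at 0x1000, file alignment 0x200."""
    opt_size = 0xE0
    raw = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // 0x200) * 0x200
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))        # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdr += opt
    body, rva = bytearray(), 0x1000
    for name, chars, data, vsize in sections:
        vsize = vsize or len(data)
        ptr = raw + len(body) if data else 0
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, rva, len(data), ptr, 0, 0, 0, 0, chars)
        body += data.ljust(-(-len(data) // 0x200) * 0x200, b"\0")
        rva += -(-vsize // 0x1000) * 0x1000
    return bytes(hdr.ljust(raw, b"\0") + body)

# Constructed samples: a plain compiler-style layout and a UPX-style two-section layout.
CLEAN_IMAGE = build_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3" * 50, 0),
    (b".data", 0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"hello\0" * 40, 0),
], entry_rva=0x1010)
PACKED_IMAGE = build_pe([
    (b"UPX0", IMAGE_SCN_CNT_CODE | 0xE0000000, b"", 0x4000),
    (b"UPX1", IMAGE_SCN_CNT_CODE | 0xE0000000, random.Random(1).randbytes(4096), 0),
], entry_rva=0x5100)

if __name__ == "__main__":
    print("clean :", classify(CLEAN_IMAGE, r"C:\Program Files\Demo\demo.exe"))
    print("packed:", classify(PACKED_IMAGE, r"C:\Users\Public\svchost.exe"))
```

The clean image produces no findings; the UPX-style image trips the name, entropy, writable-code, empty-section and entry point checks, and the svchost.exe name outside System32 adds the disguise finding. A real classifier would weight these signals rather than treat each as a verdict, since legitimate installers and protected commercial software also pack their code.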

That's it for now. Feel free to subscribe to the Outpost 7 series and follow what's new as we develop the Outpost 7 solutions. Your comments are always welcome!

Pavel Goryakin, Agnitum


Monday, February 08, 2010

Agnitum delivers Outpost 6.7.3 with new auto-update functions

Good news, everyone! :-)

Today we shipped another iteration of the Outpost 6.7 solutions: 6.7.3.

With this release Agnitum introduces daily updates of the Outpost installation packages: the current malware and rule databases are built into the package itself. Each workday the package downloadable from the web-site is rebuilt with the latest databases embedded.

This is the result of new internal automation processes in Agnitum's R&D, in place since the 6.7.2 edition.

This saves customers time and Internet traffic, since a freshly installed product no longer has to download a backlog of database updates. It is also an advantage over competitors whose installation packages tend to bloat to 150% of their original size for that very reason.

To sum up, the improvements ensure:
  • increased frequency of malware database updates: updates are now delivered at least three times a day on weekdays
  • the anti-malware engine is now auto-updated through the regular malware database updates, so receiving new features and fixes no longer requires a separate product update
You may find Outpost 6.7.3 solutions at http://www.agnitum.com/products/.


Monday, February 01, 2010

11 is not binary 3 :-) - Agnitum's 11th birthday!

Last year we must have been so busy developing security software that we forgot to fish for anniversary congratulations; this time we'd like to fix that bug :-) February 1 is Agnitum's official establishment date, so we gladly accept best wishes for our 11th birthday.

We'd also like to thank our devoted customers and supporters! We wouldn't be what we are without your help, understanding and loyalty, so you are all welcome to celebrate with us!

Eleven years is quite an age for an Internet company. We've changed a lot since 1999, and so have our products. The one thing that hasn't changed is our commitment to defend your PC from all sorts of web nasties, exactly as our slogan goes: we take care of your security while you indulge in something more pleasant :-)

Before we get down to the shot glasses, as this pirate country's tradition demands, we remind you to keep an eye on this blog: more product news and descriptions will follow soon.

P.S. Customer Support remains on duty.

Pavel Goryakin, Agnitum


Friday, January 15, 2010

Outpost 6.7.2 available

The New Year brings a new iteration of the Outpost 6.7 product line, another step towards Agnitum's 2010 (7.0) security solutions. You can now download Outpost Security Suite Pro, Outpost Firewall Pro and Outpost Antivirus Pro 6.7.2 from Agnitum's web-site.

The full update history is available via the security suite link.

Upgrade and enjoy!

Pavel Goryakin
Agnitum


Thursday, January 14, 2010

Anti-Malware Improvements - Part 1. Interface

This time we'd like to share some tweaks made to Outpost's Anti-Malware module for the new line-up. The dramatic growth of our malware database (more than 2,000,000 signatures added so far) goes without saying.

In general, all product alerts have become more visible and clear, and this applies to Anti-Malware in particular. The alerts now emphasize the threat type, its source and the Outpost module in charge, and they are designed to make the relevance of each event obvious to the user.

Here we'll demonstrate some usability advancements in more detail:

• In line with antivirus protection standards, automatic disinfection of infected objects detected by the real-time monitor is now the default action and applies to all suspicious or infected objects found. This caters to average users, who rightly prefer the program to take the optimal action rather than rely on their own decision.

• The actionable Quarantine makes decisions about neutralized suspicious objects easier: quarantined files can be restored or removed, individually or in bulk, in a couple of clicks from the new menu. Detected malware can also be filtered and sorted by various criteria, and detailed information is available for known "beasts".


• The overall structure of the Anti-Malware settings was improved by combining the General and Additional Real-Time Protection settings in a single window.

There are more nice options, such as the heuristic analyzer settings, to name just one. Part of the Anti-Malware module, the heuristic analyzer now appears in the interface and is more flexible thanks to adjustable sensitivity levels (normal/high).

This is how it is in Outpost Pro 2009:



And here's the 2010 structure:



This was a sneak peek at Anti-Malware 2010, keep on reading! And if you haven't yet subscribed to the Agnitum Blog, it's high time to do so ;-)

Maxim Korobtsev
CTO, Agnitum


Wednesday, December 30, 2009

Outpost Pro 7.0: Seven Improvements of the Firewall Module

This blog post is a New Year gift for advanced Outpost users. We have heard and read some complaints about the lack of information on firewall improvements. Indeed, we may have overlooked firewall development announcements in the past, as they usually refer to something "invisible" and intangible. Now we'd like to correct this and tell you more about Outpost firewall technology 2010.

Warning! Watch out! Gobbledygook ;-)

1. Windows 7-related activity

Agnitum's R&D has implemented a new mechanism for network activity and content filtering based on the Windows Filtering Platform (WFP). This resolves compatibility issues with Windows 7 and, potentially, with future Microsoft operating systems, because WFP is positioned as the primary filtering platform for future Windows releases. The new mechanism also brings more stability to the Outpost solutions, including their interaction with other network filters.

2. Windows Filtering Platform on Vista

Given the successful and stable operation of the WFP-based filter on Windows 7, we decided to use the same technology on Vista (from SP1) instead of the TLI filter, which worked by intercepting undocumented OS interfaces. Because the WFP interfaces on Vista and Windows 7 differ significantly in a number of critical aspects, our team had to port the WFP filter to Vista separately. This resolved critical errors in TLI that could lead to a BSOD.

3. New filtering mechanism for incoming packets on Vista/Windows 7, with optimized performance on high-speed links

The packet filter was substantially reworked in how it handles incoming packets that arrive at elevated IRQL. The solution was to defer processing of such packets to a pool of worker threads. This lowers the CPU load during filtering and improves system responsiveness under intensive network activity.

4. Traffic between the driver and the managing service was dramatically reduced, increasing system stability and lowering CPU load

Special rules for the packet sniffer were introduced so that it can be configured precisely to receive only essential information about filtered packets, for example blocked packets and packets related to connection setup and termination. Minimizing packet notifications between the driver and the service reduced the system load.

5. Content filtering improvements (loopback and binary streams are no longer filtered)

A new mechanism for rule creation and behavior control in content filtering limits the volume of filtered data by excluding traffic on the loopback interface and binary data that is irrelevant to content control. Detection and pass-through of binary streams is now implemented entirely in the driver, which minimizes the number of messages between the driver and the service, simplifies content filtering and reduces the impact on system performance.

In addition, critical errors in the TDI/TLI filters used on Windows 2000/XP/Vista RTM were fixed, which improves system stability.

6. SPI for UDP implemented (a nod to the good old Outpost 4.0)

We introduced a mechanism for blocking attempts to use non-TCP endpoints in server mode. In other words, incoming datagrams to a local endpoint are allowed only from those remote hosts to which at least one datagram has already been sent from that endpoint. This restricts datagram endpoints to the client role in a client-server scheme and adds flexibility to the network security settings.

7. Filtering of invalid TCP flags

The packet filter checks the TCP flags and drops a packet whose flag combination is invalid. Because such packets are rejected at the earliest stage, this reduces the load on both the firewall and the network stack when a host is flooded with them.
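The two checks in items 6 and 7, as an added Python model that is not Agnitum's driver code: a stateful UDP table that admits an inbound datagram to a local endpoint only from a host that endpoint has already sent to (with an expiry, so a one-off query does not keep the port open indefinitely), and a TCP flag validator that rejects combinations no legitimate segment carries. The packet records, the 30-second timeout and the exact set of flag rules are this example's own assumptions.

```python
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags_invalid(flags: int) -> Optional[str]:
    """Reason a TCP flag combination is bogus, or None if a real segment could carry it.
    ECE/CWR (bits 6 and 7) are ignored; the rules mirror the usual port-scan signatures."""
    f = flags & 0x3F
    if f == 0:
        return "no flags (null scan)"
    if f == 0x3F:
        return "all flags set"
    if (f & SYN) and (f & FIN):
        return "SYN+FIN"
    if (f & SYN) and (f & RST):
        return "SYN+RST"
    if (f & FIN) and (f & RST):
        return "FIN+RST"
    if (f & (FIN | PSH | URG)) == (FIN | PSH | URG):
        return "FIN+PSH+URG (xmas scan)"
    if not (f & ACK) and f not in (SYN, RST):       # only a bare SYN or RST may lack ACK
        return "FIN/PSH/URG without ACK"
    return None


class UdpStateTable:
    """SPI for UDP: a local endpoint may receive only from remote hosts it has sent to.
    Entries expire after `ttl` seconds (example value) so state does not accumulate."""

    def __init__(self, ttl: float = 30.0) -> None:
        self.ttl = ttl
        self._peers: Dict[Tuple[str, int], Dict[str, float]] = {}

    def note_outbound(self, local: Tuple[str, int], remote_ip: str, now: float) -> None:
        self._peers.setdefault(local, {})[remote_ip] = now

    def inbound_allowed(self, local: Tuple[str, int], remote_ip: str, now: float) -> bool:
        peers = self._peers.get(local, {})
        for ip, last in list(peers.items()):          # drop stale peers before deciding
            if now - last > self.ttl:
                del peers[ip]
        return remote_ip in peers


def filter_packet(pkt: Dict, table: UdpStateTable) -> str:
    """Return 'ALLOW' or 'DROP: <reason>' for one constructed packet record
    (keys: proto, dir 'in'/'out', src, sport, dst, dport, flags for TCP, time)."""
    if pkt["proto"] == "tcp":                         # flag sanity applies in both directions
        reason = tcp_flags_invalid(pkt["flags"])
        return f"DROP: {reason}" if reason else "ALLOW"
    if pkt["proto"] == "udp":
        if pkt["dir"] == "out":
            table.note_outbound((pkt["src"], pkt["sport"]), pkt["dst"], pkt["time"])
            return "ALLOW"
        if table.inbound_allowed((pkt["dst"], pkt["dport"]), pkt["src"], pkt["time"]):
            return "ALLOW"
        return "DROP: unsolicited UDP to a client endpoint"
    return "DROP: unsupported protocol"


def run(packets: List[Dict]) -> List[str]:
    """Apply the filter to a trace in order, sharing one state table."""
    table = UdpStateTable(ttl=30.0)
    return [filter_packet(p, table) for p in packets]


# Constructed trace: a DNS exchange, an unsolicited datagram, a reply after the state
# expired, and a handful of TCP probes against port 80.
SAMPLE_TRACE = [
    dict(proto="udp", dir="out", src="192.168.1.10", sport=50000, dst="192.168.1.1", dport=53, time=0.0),
    dict(proto="udp", dir="in", src="192.168.1.1", sport=53, dst="192.168.1.10", dport=50000, time=0.1),
    dict(proto="udp", dir="in", src="203.0.113.7", sport=53, dst="192.168.1.10", dport=50000, time=0.2),
    dict(proto="udp", dir="in", src="192.168.1.1", sport=53, dst="192.168.1.10", dport=50000, time=45.0),
    dict(proto="tcp", dir="in", src="203.0.113.7", sport=4444, dst="192.168.1.10", dport=80, flags=SYN, time=1.0),
    dict(proto="tcp", dir="in", src="203.0.113.7", sport=4444, dst="192.168.1.10", dport=80, flags=SYN | FIN, time=1.1),
    dict(proto="tcp", dir="in", src="203.0.113.7", sport=4444, dst="192.168.1.10", dport=80, flags=0, time=1.2),
    dict(proto="tcp", dir="in", src="203.0.113.7", sport=4444, dst="192.168.1.10", dport=80, flags=FIN | PSH | URG, time=1.3),
    dict(proto="tcp", dir="out", src="192.168.1.10", sport=50001, dst="203.0.113.7", dport=80, flags=PSH | ACK, time=1.4),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run(SAMPLE_TRACE)):
        print(f"{pkt['proto']} {pkt['dir']:>3} {pkt['src']}:{pkt['sport']} -> "
              f"{pkt['dst']}:{pkt['dport']}  {verdict}")
```

The state is keyed by remote host rather than by remote port, matching the post's wording; a stricter table keyed by (host, port) would also stop a reply from an unexpected port on a legitimate peer, at the cost of breaking protocols that answer from a different port than the one queried. The TCP check is deliberately stateless so it can run before any connection-tracking lookup, which is what lets it shed flood traffic cheaply.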

That's it for now. We hope you find enough food for thought in this article :-) Looking forward to your feedback!

Last but not least, we'd like to wish you a Happy New Year! Good luck, happiness and health in 2010!

Maxim Korobtsev, CTO, Agnitum
