Behavior Blocker vs Rootkits and MBR Killer

Posted 11/4/2010 10:43 PM
#89894

habakuck Member

Date Joined Nov 2016
Total Posts: 6
Hi @ all.

I am trying Bullguard 10 at the moment. Very good product so far. Well done!
(But you should fix the missing rootkit scan for x64 systems... ;) )

I tested the Suite against real world, zero day malware. It did a good job so far! Again well done.

But when it comes to really nasty malware your Behavior Blocker (NovaShield) fails!

Nearly all TDSS, Sinowal or MBR Killer samples went directly through the Bullguard protection.

Are you able to enhance the protection which is given by the behavior guard against those threats?
Note: I am not talking about the signature protection.

best regards

Habakuck
Posted 11/7/2010 12:48 PM
#89908

habakuck Member

Date Joined Nov 2016
Total Posts: 6
No answer from the support? :sad:
Posted 11/7/2010 2:18 PM
#89909

anniesboy Advanced member

Date Joined Nov 2016
Total Posts: 72
Have a look at post Bullguard10 in Bullguard customers section
Posted 11/8/2010 4:16 PM
#89929

habakuck Member

Date Joined Nov 2016
Total Posts: 6
I am aware of that thread. But my initial question was about the behavior guard.

And I would like to get an answer from the support.
I am really thinking about buying your software because I really like its gaming mode.
But if I do not get an answer here I am not sure if it is advisable to spend money here...
Posted 11/9/2010 5:55 PM
#89947

Alin Vlad Advanced member

Date Joined Nov 2016
Total Posts: 389
Hi Habakuck,

First of all, sorry for the delayed answer. While 100% security is the goal, no one is ever 100% safe from viruses with any anti-virus product. Unfortunately, people continue to create new viruses that are very sophisticated and often hard to destroy. But with version 10, we've taken BullGuard to the next level, introducing technology that positions BullGuard at the top. Our Behavioural Detection engine enables us to counter what in the industry is known as Zero-day Attacks, and identifies viruses long before traditional virus detection, based on the behavior of the virus.

We are improving the detection and the removal modules of our product each day, releasing core updates, not only virus definitions.

The new security enhancement features have already proved themselves in several independent virus tests. BullGuard scored detection rates of 100% for both known and unknown viruses, proving that our newly implemented technology combining the Behavioral Detection and the traditional SBD-engine technology gives our users the highest protection against any form of threat from the internet. An example from these tests is one made by the renowned av-test.org. You can read all about the test here: http://finance.yahoo.com/news/BullGuard-is-the-Best-in-prnews-4097021372.html
Alin Vlad
Community Manager
support@bullguard.com
www.bullguard.com

Download Free Trial version of BullGuard

You have a BullGuard related problem? Post your question on these forums, contact Support or contact me on Twitter!
Posted 11/9/2010 6:36 PM
#89949

habakuck Member

Date Joined Nov 2016
Total Posts: 6
Thank you for your answer!

Don't get me wrong: I think the protection Bullguard offers is quite good.

But not good enough when it comes to MBR and kernel rootkits. You desperately need to improve the behavioral detection on that side!!

And my question was: Are you able to do that or is the NovaShield core of your Behavior Guard just not able to provide such low level protection?
Posted 11/10/2010 4:34 AM
#89951

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
habakuck ->

A note from someone (me) who is dealing with MBR/kernel rootkits almost every day.

"The MBR rootkit uses IRP hooks to filter out every attempt to read and write the MBR. The Windows disk.sys driver, the disk class driver used for managing disk devices, was hooked, and the original Windows functions pointed to by the driver and used to handle disk packet requests were replaced by the rootkit's own. Of course every reference to the original address was overwritten by the rootkit, so that it was more difficult for a security product to discover the original function address and restore the legitimate function.

The new version of the MBR rootkit is smart enough to give researchers some bad days, due to improved hooking techniques.

It no longer hooks the disk.sys driver; it goes deeper. It checks which is the lower device to which the device \Device\Harddisk0\DR0 - belonging to the disk.sys driver - is attached.

The MBR rootkit and many other ones are all real in-the-wild attacks that are showing the difficulties of the security industry in fighting these threats."

That's why we need special diagnose and fix tools to deal with them. What I mean is, if BG and other AV companies really could fix them, then it would in many cases be very damaging, such as eliminating your internet connection completely or removing legitimate files that are required for your computer to run.
Do not PM me with logfiles. They will be deleted.


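The quoted text above explains that an MBR rootkit intercepts disk I/O at the driver level, so a defender needs an independent, trusted view of sector 0 to notice that the boot code was replaced while the partition table was left intact. The following script is an added example, not code from the thread or from BullGuard/NovaShield: it parses a raw 512-byte MBR, records a baseline, and reports what changed; it assumes the sector bytes were obtained through a trusted read path (for instance from clean boot media), because a live system with a hooked disk.sys can hand a user-mode reader the original sector, and the sample MBRs are constructed, not taken from a real disk.

```python
import hashlib
import struct

MBR_SIZE, BOOT_CODE_SIZE, SIG_OFFSET = 512, 446, 510


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR: boot code hash, partition table, signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, BOOT_CODE_SIZE + 16 * i)
        if ptype != 0:  # type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa",
    }


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Return findings where the MBR differs from a previously recorded baseline.
    Only meaningful if `sector` came from a trusted read path: a rootkit hooking
    disk.sys IRPs can return the clean sector to a reader on the infected system."""
    cur = parse_mbr(sector)
    findings = []
    if not cur["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")  # typical MBR-rootkit footprint
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not from a real disk): one bootable NTFS partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    table = entry + b"\x00" * 48  # three unused slots
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + b"\x55\xaa"


CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # cli; xor ax,ax; ...
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3e\x90" + b"\x90" * 20)    # different boot code
BASELINE = parse_mbr(CLEAN_MBR)
```

Run compare_to_baseline on a sector read from clean boot media against a baseline recorded at install time; the tampered sample reports only "boot code changed" because the partition table is untouched.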
Posted 11/10/2010 7:43 AM
#89953

habakuck Member

Date Joined Nov 2016
Total Posts: 6
Thanks for your reply.

I am not talking about the removal of that stuff! I am a malware removal helper, so I know exactly what you mean. I was talking about the ability to BLOCK those threats before they install, using the behavior blocker! A couple of behavior blockers are able to successfully block the installation of MBR and kernel rootkits, and my simple question was: Is the NovaShield core of your Behavior Blocker able to block those threats or not?

If it is able to do so, I would ask you to work on the ruleset to block the threats a bit better. Because at the moment your behavior blocker is doing badly when it comes to nasty rootkits.
(Everything else, simple malware, keyloggers and so on, is blocked successfully!)

Btw.: Do you update the ruleset for the Behavior Blocker or is NovaShield responsible for that?
Posted 11/15/2010 7:27 AM
#90000

Alin Vlad Advanced member

Date Joined Nov 2016
Total Posts: 389
"habakuck" wrote: Do you update the ruleset for the Behavior Blocker or is NovaShield responsible for that?


I'm afraid that we can't reveal the mechanisms behind this. This is an internal rule: we can't divulge internal work procedures or technologies because we are in an open market and we have competitors.

What I can tell you is that we are improving the product each day, including the behavioral engine.
Alin Vlad
Community Manager
support@bullguard.com
www.bullguard.com

Download Free Trial version of BullGuard

You have a BullGuard related problem? Post your question on these forums, contact Support or contact me on Twitter!
Posted 11/15/2010 7:54 AM
#90004

habakuck Member

Date Joined Nov 2016
Total Posts: 6
OK, I understand that!

Thank you for your answers! I really like Bullguard so far. I will buy a licence.

See you.

best regards

Habakuck