Ramblings of an old Doc

 

In the world of AV software there are two varieties. The first is signature-based, and it can’t hope to keep up with the variants emerging all the time. The second is behavior-based: it is supposed to detect suspicious behavior, quarantine or delete the offending software, and notify you so you can decide what you wish to do. There are other software types (one of which will ship with Windows 10) which lock down the areas (files, etc.) that viruses and trojans target.

Raptor (beta) is of the second type: it identifies suspicious behavior and is not signature dependent. You can get Raptor alone, or Raptor and Stinger together, and both are currently free. Raptor installs itself in C:\Program Files\McAfee\Raptor with no installation dialog and runs in the background afterwards. The program folder also holds its log files and the quarantine. In fact, the only way you’ll know it’s there is a systray icon and a Raptor.exe in your Task Manager.

Raptor will on right click show:

  • Start — Raptor starts monitoring system for malicious behaviors.
  • Stop — Raptor stops monitoring the system.
  • View Log — Displays detection details for malicious files found.
  • Quarantine — Creates backup of files that were repaired to restore if required.
  • About — Provides details about Raptor client and build version.
  • Remove Raptor — Uninstalls Raptor from an endpoint.
  • Exit — Quits Raptor program. Raptor will resume on the next system reboot.

You can download/read more here: http://www.mcafee.com/us/downloads/free-tools/how-to-use-raptor.aspx
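Since Raptor gives you no installer and no confirmation of what it did, here is a quick check I would run afterwards. This is an added example, not McAfee's code and not part of Raptor: it uses only the install path and process name stated above, and it verifies the binary's Authenticode signature and searches the usual autostart locations rather than assuming which one Raptor uses (the post only says it resumes after a reboot). Get-ScheduledTask needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the post or from McAfee): confirm Raptor's footprint on the box.
# Assumptions: install path and process name as given in the post. Signer name and the
# autostart mechanism are NOT assumed; the script looks them up.
$raptorDir = 'C:\Program Files\McAfee\Raptor'   # path stated in the post
$exe       = Join-Path $raptorDir 'Raptor.exe'

# 1. Folder present, and what is in it (the post says logs and the quarantine live here)
if (Test-Path $raptorDir) {
    Get-ChildItem -Path $raptorDir -Recurse -Force |
        Select-Object FullName, Length, LastWriteTime
} else {
    Write-Warning "Raptor folder not found at $raptorDir"
}

# 2. Is the binary really McAfee's? Check the Authenticode signature and the signer
#    subject, not just the file name (anything can call itself Raptor.exe).
if (Test-Path $exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        File   = $exe
        Status = $sig.Status                      # expect 'Valid'
        Signer = $sig.SignerCertificate.Subject   # read it; do not assume it says McAfee
        Sha256 = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    }
}

# 3. Is it running, and from where? A Raptor.exe running from any other path is suspect.
Get-Process -Name Raptor -ErrorAction SilentlyContinue |
    Select-Object Id, Path, StartTime

# 4. Find how it restarts after a reboot: Run keys in both hives, then services and tasks.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Value -like '*Raptor*' } |
            Select-Object @{n='Key'; e={ $k }}, Name, Value
    }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*Raptor*' } |
    Select-Object Name, State, StartMode, PathName
Get-ScheduledTask | Where-Object { ($_.Actions | ForEach-Object Execute) -like '*Raptor*' } |
    Select-Object TaskName, TaskPath, State
```

Run it from an elevated PowerShell so the HKLM and service queries are complete. If step 2 reports anything other than a valid signature, or step 3 shows a Raptor.exe outside the folder above, treat it as something other than McAfee's tool.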

Two things to know: Raptor collects and transmits info about your system…

“Q: What user or system details are collected by Raptor?
A: Instead of sending the whole file, Raptor sends the behavioral trace of the file execution which is typically a few bytes of information. This is the minimum amount of information necessary for Raptor to determine the nature of the file. The behavioral trace information includes file name, file path, process ID, event, the OS version, and a randomly generated GUID of the machine.” – ibid

Raptor and Stinger (McAfee’s traditional signature-based scanner) also come as a combined download, but only for x64 systems, whereas Raptor alone comes in two flavors (x86 and x64). You can download the combo here: http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

I wish I could give you comparison data against other AVs and other behavioral detectors, but none is available at this point. Raptor should not interfere with your native AV, but again, there is no data. It probably does not conflict with Stinger, but no data on that either. Also, Raptor isn’t supported yet:

“Q: How can I get support for Raptor?
A: Raptor is not a supported application. McAfee makes no guarantees about this product.” - McAfee

You’d think McAfee would publish at least initial testing results, but they haven’t. Add the lack of support, and I say wait for some kind of reporting before installing it (or them).

And have a good weekend!


Comments
on Apr 25, 2015

I've used 'Stinger' in the past....been around for yonks.  It only manages a bunch of the more common/prevalent virii...so is updated/changed to suit current trends frequently.  Because of that it's small [small no of sigs].

Raptor sounds much like a proggy I beta tested [and used] about 15 years ago [InDefense] - a heuristic scanner... though I'd need to check it out to see if it worked the exact same way ...

on Apr 25, 2015

I have been using Avast Pro Anti-virus for the past 2 years. It is relatively inexpensive, runs quietly in the background and does not become annoying as some anti-viruses have a tendency to become. I chose it 2 years ago because it was rated #2 in a benchmark comparison to other well known anti-viruses. The only reason I didn't get the #1 rated was because it was relatively new in the market and was still in Beta (don't recall the name of it). I am absolutely thrilled with the level of protection that Avast provides, so much so that I would have gladly paid twice as much if I had known then what I know now. It also has a heuristic scan for "suspicious" behavior. I highly recommend it for anyone looking for an extremely reliable paid version Anti-virus. I gave up on all those free versions years ago when I was constantly being disappointed in the protection they were supposedly giving me.        -- Ace --

on Apr 25, 2015


There are other software types (one of which will ship with Windows 10) which will lock down target areas (files, etc.) which viruses/trojans target.

Now that is indeed interesting.  It's something I thought about a couple of years back, where the registry and attack prone areas were locked behind a secondary kind of firewall that could be accessed only by users with administrative privileges.  As always, though, when I have a good tech idea, I lack the expertise to put it into practice.

Oh well, it seems that others with the technical know-how have had similar thoughts and the idea is/will be a reality.

on Apr 26, 2015

Hum.

on Apr 26, 2015

starkers

Now that is indeed interesting. 

Mark: You can read more here: http://www.neowin.net/news/microsoft-unveils-device-guard-another-security-feature-in-windows-10

 

on Apr 26, 2015

DrJBHL


Quoting starkers,

Now that is indeed interesting. 



Mark: You can read more here: http://www.neowin.net/news/microsoft-unveils-device-guard-another-security-feature-in-windows-10

 

Thanks for the link/interesting read, Doc.  It's similar but not quite the idea I had.  With the proposed idea it is the digital signature of the software being installed [or trying to], whereas the idea I had is that the registry, program files and associated areas be locked down and only an Administrator could override this, meaning that malware and such would have nowhere to go in order to operate effectively.

The digital signature for Win 10 sounds promising, particularly for inexperienced users who are not tech/malware savvy, but I do have a concern regarding it.  There may be some safe softwares that MS refuses to sign, or other softwares that smaller developers cannot afford to present to MS for testing, etc, and therefore are excluded from installation. 

There are 100's of such software titles at various download sites, such as majorgeeks.com and softpedia.com, etc, that are quite safe to install but could still fall by the wayside for the lack of a digital signature.  Hopefully MS realises this, and similarly to Win 8, provides System Administrators an option to install unsigned programs they've used and trusted before.

on Apr 27, 2015

Again, similar to the idea I had, in that certain directories and locations are locked out from launching programs and executables, etc, but there was no mention of locking down the Registry so that nasties can't embed themselves there and launch malware apps/programs from there.  I got the idea for a Registry lockdown when my sister's PC became infected with browser hijackers and a self-perpetuating toolbar.  No matter how many times I uninstalled it and restored the browser to its desired settings, it was back and operational within moments of a reboot, as was the hijacker/page redirections.

Anyway, the upshot of it all was that I researched the issue and discovered that the only way to rid the machine of these parasites was to delete the registry entries prior to uninstalling the toolbar and resetting the browser to its proper settings, and that's when I got the idea to lock down areas where malware could embed itself, such as the Registry, Program files and App Data, etc.  Thing is, I have no idea how to code such things, hence another of my 'brilliant' ideas went nowhere in a hurry.

Oh well, I can't be good at everything, can I !!!!!!.
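The "it was back within moments of a reboot" experience described above is a persistence problem: something re-registers itself in an autostart location each time it is cleaned. As an added example (not from the thread, and not a product of any of the tools it links), the following script snapshots the common autostart locations into a baseline, then on a later run reports anything that has appeared since and whether that entry's executable carries a valid Authenticode signature. The baseline file path is an assumption; Get-ScheduledTask needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread): baseline the usual autostart locations, then
# re-run after a reboot or after removing a toolbar. New entries are persistence you
# did not add. Baseline path is an assumption; change it as you like.
$baselinePath = "$env:USERPROFILE\autostart-baseline.json"

function Get-AutostartEntries {
    $entries = @()

    # Run / RunOnce keys in both hives, plus the WOW6432Node view on x64
    $keys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            "${hive}:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\$sub"
        }
    }
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive notes
            $entries += [pscustomobject]@{ Source = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # Startup folders for this user and for all users
    foreach ($d in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        if (-not (Test-Path $d)) { continue }
        foreach ($f in Get-ChildItem -Path $d -File -Force) {
            $entries += [pscustomobject]@{ Source = $d; Name = $f.Name; Command = $f.FullName }
        }
    }

    # Services that start automatically
    foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
        $entries += [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Command = $s.PathName }
    }

    # Scheduled tasks that actually execute something
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            $entries += [pscustomobject]@{ Source = "Task $($t.TaskPath)"; Name = $t.TaskName; Command = $cmd }
        }
    }
    $entries
}

# Pull the executable out of a command line and report its signature state.
function Get-SignerStatus([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) { return 'not-found' }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -eq 'Valid') { return "Valid: $($sig.SignerCertificate.Subject)" }
    return [string]$sig.Status   # NotSigned, HashMismatch, UnknownError, ...
}

$current = Get-AutostartEntries
if (-not (Test-Path $baselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath ($($current.Count) entries). Re-run after the next reboot."
    return
}

$known = @{}
foreach ($b in (Get-Content -Path $baselinePath -Raw | ConvertFrom-Json)) {
    $known["$($b.Source)|$($b.Name)|$($b.Command)"] = $true
}
$new = $current | Where-Object { -not $known["$($_.Source)|$($_.Name)|$($_.Command)"] }
if (-not $new) { Write-Host 'No new autostart entries since baseline.'; return }

# A new entry whose binary is unsigned or missing is what a self-reinstalling toolbar looks like.
$new | Select-Object Source, Name, Command, @{n='Signature'; e={ Get-SignerStatus $_.Command }} |
    Format-Table -AutoSize -Wrap
```

Run it elevated so the HKLM keys, services and all tasks are visible, and keep the baseline somewhere the machine's users cannot overwrite; malware running as the same user can edit a file in the profile as easily as it edits HKCU. The locations above are the common ones, not all of them: browser helper objects, browser extensions and WMI event subscriptions, which hijackers also use, are not covered here.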

on Apr 27, 2015

http://www.askvg.com/all-kinds-of-restrictions-for-windows-2000-xp-2003-and-vista/

Should pretty much give you the tools to lock things down, I think.

When you're done with all that, you'll need admin permission to take a pee, methinks. So, better keep Jafo happy.

on Apr 27, 2015

DrJBHL

http://www.askvg.com/all-kinds-of-restrictions-for-windows-2000-xp-2003-and-vista/

Should pretty much give you the tools to lock things down, I think.

When you're done with all that, you'll need admin permission to take a pee, methinks. So, better keep Jafo happy.

I already gotta ask permission to pee.  In fact, sometimes I gotta beg.  The bladder says "I'm full" but the rest of the plumbing don't always want to cooperate.  My doctor told me that many men suffer with 'stage fright', and I said: "What?  When I'm alone?"

Nah, seriously, with old age and the colder weather coming on, I gotta pee more often... and there'd better not be a queue for the dunny [toilet]  Yeah, I now know what Robert Plant was singing about in the Lemon Song.... "When you squeeze my lemon the juice all runs down my leg."  Okay, so it's not quite that bad, but being at the head of the queue is certainly preferable to being at the back of it.

Anyhow, back to the lockdown tips/ideas.  Well there's some good tips in the link, especially for PCs with more than one user, and perhaps some may assist in the prevention of Malware being installed, but still no specific lockdown of the registry itself.  While there is an option to disable RegEdit, I don't know that it would prevent a nefarious piece of software from hooking itself into the Registry.

Also, the majority are for OSes from 2000 to Vista, and while the registry is largely unchanged throughout Windows editions, Windows 7 and beyond may have subtle differences that may render these changes ineffective or even harmful.  That's not to say most won't work, but Windows 10 will be a whole new kettle of fish, given the plan to implement a software lockdown feature that goes well beyond UAC.

I guess it's a matter of wait and see.  I am looking forward to Win 10, despite its butt ugly interface and icons.... but since when did MS have a clue when developing a GUI!!!!.  The point is, there will be some major improvements under the hood, and that is my point of interest.