Cyberhawk
From CastleCopsWiki
Product: Cyberhawk (renamed ThreatFire)
Company: PC Tools (formerly Novatix Corporation)
Website: http://www.threatfire.com
Support site: forum
First released: 2005 (beta), 2006 (final).
Feature list: Main features include:
- intelligent protection from process modification and injection
- browser and shell security setting (firewall, WFP) and component (BHOs, etc.) modification protection
- network sniffer protection
- mass-mailer/spambot protection
- security settings and registry control
- protection of sensitive and easily targeted files and folders, including administrative tools and system directories
- account rights modification protection
- password theft and data theft prevention
- hook control
- rootkit (hidden process/file/registry) protection
- buffer overflow exploitation prevention
- focus on in-the-wild threats and techniques
- community approach
- intelligent, expert-based system
Full feature list compared to other products
Various reviews and tests:
- http://www.av-comparatives.org/seiten/ergebnisse/HIPS-BB-SB.pdf
- http://www.techsupportalert.com/security_HIPS.htm
- PCmag review of Cyberhawk
- Nicm's test against selected "unhookers" malware
- PCmag review of ThreatFire
- Yet another PCmag review of ThreatFire 3.5
Quick review
Cyberhawk's marketing claims that its "patent-pending ActiveDefense™ technology offers the highest level of intelligence in determining what constitutes a threat and what does not. This results in the lowest incidence of false positives among currently available behavior-based solutions."
"To scrutinize the behavior of all processes, Cyberhawk uses kernel level monitors which watch every file operation (creation, copy, deletion, etc.), every process creation, modification and termination, every network communication (inbound and outbound) and every interaction with critical components of the operating system (registry, etc.). At the core of Cyberhawk is a process behavior analysis engine coupled with a set of specific pre-defined security rules which describe what is unacceptable from a process behavior analysis. The rules cover a wide range of events related to file operations, network operations, and interactions with the operating system. Every event from every process is efficiently analyzed by Cyberhawk. When a rule is triggered, Cyberhawk can terminate the detected malicious process."
This puts it squarely into the expert-based behavior blocker HIPS category, as opposed to a policy-based behavior blocker HIPS. Like Prevx, it practises a community-based approach.
"The Cyberhawk Secure Community is a worldwide network of active users who volunteer to aid in identifying new threats. Any time a suspect alert is triggered in Cyberhawk, information related to this event is automatically reported to Novatix for analysis through a secure connection"
Strengths
- Easy to use out of the box, few popups
Because Cyberhawk is supposed to be based on some form of intelligent expert system, it does not alert on any single behavior (which would create a lot of prompts) but rather on a series of them that together might indicate that something is fishy. There are "smarts" built into the system. Assuming the system is smart enough to flag really dangerous behavior, this is of course a great improvement.
For example, when testing with a tool that makes the single change of adding a registry autostart entry, Cyberhawk does not react at all. However, when testing with a script that carries out a series of borderline dangerous actions, Cyberhawk flags the same registry change as suspicious.
Not true!!! ??? Inconsistent results when testing with scoundrel simulator (fail) versus spycar (pass) and gwdemo (pass), even though the same registry key HKCU\Software\Microsoft\currentversion\run is modified (a new value added)?? Some sort of intelligence here (non-interactive processes)?
It does, however, flag any attempt at process injection.
- Customisable rules.
Besides the default intelligence, the user is also given the opportunity to craft his own policy rules, which allows a fairly wide range of rules.
You can restrict
- a set of processes
- any process
- a non-interactive process
- a browser or email process
from doing the following actions:
- access a file (where access can be Write/delete/copy/create; there is no block on read access)
- access X files (where X can be any number and access can be chosen as above)
- rename a file
- write to the registry
- create X network connections (where X can be any number)
- listen for network connections
with the following further options specifying where the action occurs. In the real display, not all options are available; only the conditions appropriate to the chosen action are shown.
- the file getting accessed (if option access a file or access X files was chosen)
- the folder getting accessed (if option access a file or access X files was chosen)
- with a suspicious double extension (if option access a file or access X files was chosen)
- so it has a suspicious double extension (if option rename a file was chosen)
- that looks like an executable (if option access a file was chosen)
- within Y seconds (if option access X files or create X network connections was chosen)
- the file getting renamed to or from (if option rename a file was chosen)
- which registry key or value (if option write to the registry was chosen)
- on port number (if option create X network connections or listen for network connections was chosen)
- to the same domain or IP (if option create X network connections was chosen)
- to the domain or IP (if option create X network connections was chosen)
Except when (conditions under which the rule is turned off). In the real display, not all options are available; only the conditions appropriate to the chosen action are shown.
- source process is on the trusted list
- source process is in the system process list
- source process is in the process list
- the target file is in the file name list
- the target file is in the folder list
- the port is port
- the target file is originally named file name
- the target file is renamed to file name
- target registry key is registry key
- target registry value is registry value
Defining files on the trusted list
You can also customise by filtering on file extensions.
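The rule form above (subject, action, conditions, exceptions) and the "series of actions rather than a single one" behaviour described under Strengths can both be modelled with a small policy evaluator. The following is an added example written for this article, not Cyberhawk's or ThreatFire's own code: the event shape, rule names, process names, suspicious-extension list and the event trace are all constructed assumptions, and the engine is a simplification of what a real kernel-level behavior blocker does.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for this example; not ThreatFire's real lists.
SUSPICIOUS_DOUBLE_EXT = (".jpg.exe", ".txt.exe", ".pdf.scr", ".doc.exe")
BROWSER_OR_EMAIL = frozenset({"iexplore.exe", "firefox.exe", "outlook.exe"})
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Event:
    """One kernel-monitor observation (hypothetical shape, not the product's)."""
    t: float                 # seconds since start of trace
    process: str
    interactive: bool        # False for services and other non-interactive processes
    action: str              # write_file | rename_file | write_registry | connect | listen
    target: str = ""         # file path, registry value path, or remote host
    new_name: str = ""       # destination name for rename_file
    port: Optional[int] = None


@dataclass
class Rule:
    """Mirrors the wiki's rule form: subject, action, conditions, exceptions."""
    name: str
    action: str
    subject: str = "any"                      # any | non_interactive | browser_or_email | set
    processes: frozenset = frozenset()        # "a set of processes" (subject == "set")
    count: int = 1                            # "access X files" / "create X connections"
    window: float = 0.0                       # "within Y seconds"; 0 means no window
    target_prefix: str = ""                   # "the folder / registry key getting accessed"
    double_extension: bool = False            # "so it has a suspicious double extension"
    port: Optional[int] = None                # "on port number"
    trusted: frozenset = frozenset()          # except when source process is on trusted list
    except_targets: frozenset = frozenset()   # except when target file/key/host is listed


def subject_matches(rule: Rule, ev: Event) -> bool:
    proc = ev.process.lower()
    return {
        "any": True,
        "non_interactive": not ev.interactive,
        "browser_or_email": proc in BROWSER_OR_EMAIL,
        "set": proc in rule.processes,
    }.get(rule.subject, False)


def conditions_match(rule: Rule, ev: Event) -> bool:
    if ev.action != rule.action:
        return False
    if rule.target_prefix and not ev.target.lower().startswith(rule.target_prefix.lower()):
        return False
    if rule.double_extension:
        name = ev.new_name if ev.action == "rename_file" else ev.target
        if not name.lower().endswith(SUSPICIOUS_DOUBLE_EXT):
            return False
    if rule.port is not None and ev.port != rule.port:
        return False
    return True


def exempted(rule: Rule, ev: Event) -> bool:
    return ev.process.lower() in rule.trusted or ev.target.lower() in rule.except_targets


class BehaviorBlocker:
    """Feeds events through the rules; a rule fires once its count is reached within its window."""

    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(deque)   # (rule name, process) -> timestamps of matching events

    def feed(self, ev: Event):
        fired = []
        for rule in self.rules:
            if not (subject_matches(rule, ev) and conditions_match(rule, ev)) or exempted(rule, ev):
                continue
            q = self.history[(rule.name, ev.process)]
            q.append(ev.t)
            if rule.window:
                while q and ev.t - q[0] > rule.window:   # drop events outside the window
                    q.popleft()
            if len(q) >= rule.count:
                fired.append(rule.name)
                q.clear()                               # one alert per burst
        return fired


def run(rules, events):
    """Returns (time, process, rule name) for every alert, in trace order."""
    blocker = BehaviorBlocker(rules)
    return [(ev.t, ev.process, name) for ev in events for name in blocker.feed(ev)]


RULES = [
    Rule("non-interactive process adds autostart", "write_registry",
         subject="non_interactive", target_prefix=RUN_KEY),
    Rule("rename to suspicious double extension", "rename_file", double_extension=True),
    Rule("mass file write", "write_file", count=20, window=5.0, trusted=frozenset({"backup.exe"})),
    Rule("mass mailer", "connect", count=10, window=10.0, port=25,
         except_targets=frozenset({"smtp.corp.example"})),
]

# Constructed trace: interactive installer, service, dropper, trusted backup tool, cryptor, mailer.
EVENTS = (
    [Event(0.0, "setup.exe", True, "write_registry", RUN_KEY + r"\Updater"),
     Event(1.0, "svchelper.exe", False, "write_registry", RUN_KEY + r"\Loader"),
     Event(2.0, "dropper.exe", False, "rename_file", r"C:\Users\me\photo.jpg", r"C:\Users\me\photo.jpg.exe")]
    + [Event(3.0 + i * 0.1, "backup.exe", False, "write_file", rf"C:\Backup\f{i}.dat") for i in range(25)]
    + [Event(6.0 + i * 0.1, "cryptor.exe", False, "write_file", rf"C:\Users\me\Documents\d{i}.docx") for i in range(25)]
    + [Event(10.0 + i, "mailer.exe", False, "connect", f"mx{i}.example.net", port=25) for i in range(10)]
)


def demo():
    return run(RULES, EVENTS)


if __name__ == "__main__":
    for t, proc, name in demo():
        print(f"t={t:5.1f}s  {proc:14s}  {name}")
```

Running it produces four alerts: the service adding a Run-key entry, the rename to photo.jpg.exe, the burst of document writes by cryptor.exe, and ten port-25 connections by mailer.exe. The interactive installer's single Run-key change and the trusted backup tool's writes produce nothing, which is exactly the trade-off discussed on this page: the count-within-window rules keep prompts down, but a single autostart change by an interactive process goes unreported unless a rule for it is written explicitly.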
Weaknesses
- Unclear what is monitored, lack of control.
Users who are used to being in full control of what changes are being done to their computer might find Cyberhawk to be pretty lacking.
For example, people who are fans of execution monitoring and want to approve any executable before it can run will find that Cyberhawk does not allow them to do so.
Another problem is that, unlike policy-based HIPS (e.g. ProcessGuard) where the logic of the system is clear and transparent, it is much harder to understand why and when Cyberhawk alerts. What you get is basically a black box, and some experienced users who want total control might not like this.
- Claims protection against only certain types of spyware or adware; the main focus is on worms, viruses and trojans.
- Privacy concerns.
Information collected may include the Cyberhawk rule that fired, the history of relevant events leading to the rule firing, the decision taken, and any relevant IP address information. No data files, emails, or any other relevant data except IP addresses are collected from your machine. The names of files involved in the suspicious actions are part of the data sent.
You can however turn off the community protection.
Comments for free version
Since PC Tools bought Cyberhawk and released it as ThreatFire, the free version is essentially the same as the paid version, except that the paid version is bundled with PC Tools AntiVirus.