Behavior Blocker vs Rootkits and MBR Killer

Hi @ all.

I am trying Bullguard 10 at the moment. Very good product so far. Well done!
(But you should fix the missing rootkit scan for x64 systems... ;) )

I tested the Suite against real world, zero day malware. It did a good job so far! Again well done.

But when it comes to really nasty malware your Behavior Blocker (NovaShield) fails!

Nearly all TDSS, Sinowal or MBR Killer samples went directly through the Bullguard protection.

Are you able to enhance the protection which is given by the behavior guard against those threats?
[1]Note: I am not talking about the signature protection.[/1]

best regards

Habakuck

No answer from the support? :sad:

Have a look at post Bullguard10 in Bullguard customers section

I am aware of that thread. But my initial question was about the behavior guard.

And i would like to get an answer from the support.
I really think about buying your software cause i really like it's gaming mode.
But if i do not get an answer here i am not sure if it is advisable to spend money here...

Hi Habakuck,


First off all, sorry for the delayed answer. While 100% security is the goal, no one is ever 100% safe from viruses with any anti-virus product. Unfortunately, people continue to create new viruses that are very sophisticated and often hard to destroy. But with version 10, we’ve taken BullGuard to the next level, introducing technology that positions BullGuard in top. Our Behavioural Detection engine enables us to counter what in the industry is known as Zero-day Attacks, and identifies viruses long before traditional virus detection, based on the behavior of the virus.

We are improving the detection and the removal modules of our product each day, releasing core updates, not only virus definitions.

The new security enhancement features have already proved themselves in several independent virus tests. BullGuard scored detection rates of 100% for both known and unknown viruses, proving that our newly implemented technology combining the Behavioral Detection and the traditional SBD-engine technology, gives our users the highest protection against any form of threat from the internet. En example from these tests is one made by the renowned av-test.org. You can read all about the test here: https://finance.yahoo.com/news/BullGuard-is-the-Best-in-prnews-4097021372.html

Thank you for your answer!

Don't get me wrong: I think the protection Bullguard offers it quit good.

But not good enough if it comes to MBR and Kernel Rootkits. You desperatly need to improve the behavioral detection at that side!!

And my question was: Are you able to do that or is the NovaShield core of your Behavior Guard just not able to provide such low level protection?

habakuck ->





A note from one (me) there are dealing with mbr/kernel rootkits almost every day.




"MBR rootkit use IRP hooks to filter out every attempt to read and write the MBR. Disk.sys Windows driver, disk class driver used for managing disk devices, was hooked and the original Windows functions pointed by the driver and used to handle disk packet requests were replaced by the rootkit ones. Of course every reference to the original address was overwritten by the rootkit, so that it was more difficult for a security product to discover the original function address and restore the legal function.

The new version of MBR rootkit is smarter enough to give researchers some bad days, due to improved hooking techniques.

It doesn't hook anymore disk.sys driver, it goes deeper. It checks which is the lower device to which the device \Device\Harddisk0\DR0 - belonging to disk.sys driver - is attached to.

MBR rootkit and many other ones are all real in the wild attacks that are showing the difficulties of security industry to fight against these threats."



That´s why we need special diagnose and fix tools to deal with them, what I mean is, if BG and other AV companies really could fix them, then it would in many cases be very damaging such as eliminating your internet connection completely or removing legitimate files that are required for your computer to run.

Thanks for your reply.

I am not talking about the removal of those stuff! I am a malware removal helper so i know exactly what you mean. I was talking about the ability to BLOCK those threats bevor they install using the behavior blocker! A couple of Behavior Blockers are able to successfully block the installation of MBR and Kernel rootkits and my simple question was: Is the NovaShield core of your Behavior Blocker able to block those threats or not?

If it is able to do so i would chary ask you to work on the ruleset to block the threats a bit better. Cause at the moment your behavior blocker is doing bad if it comes to nasty rootkits.
(Everything else, simple malware, keyloggers and so on, is blocked successfully!)

Btw.: Do you update the ruleset for the Behavior Blocker or is NovaShield responsible for that?

"habakuck" wrote: Do you update the ruleset for the Behavior Blocker or is NovaShield responsible for that?

I'm afraid that we can't reveal the mechanisms behind this. This is an internal rule: we can't divulge internal work procedures or technologies because we are in an open market and we have competitors.

What can i tell is that we are improving the product each day, including the behavioral engine.

O.k. i understand that!

Thank you for your answers! I really like Bullguard so far. I will buy a licence.

See you.

best regards

Habakuck