
Product Topic: ICE


25 replies to this topic

#1 bystorm

  • Members
  • 13 posts

Posted 24 April 2015 - 03:41 PM

Hello, I am looking for feedback and opinions on a new product we are building. 
 
This product probably isn't for you, but for the non-tech savvy people in your life.
 
We're calling it ICE
 
ICE works differently than other products since we don't scan files looking for signatures.  Nor do we try to do fancy heuristics or other methods of guessing. 
 
We simply block program files (exe, dll, ocx, scr, sys, bat, wsh, etc) from being written to the hard drive.  We also block switchblade attacks.
 
When defining the feature set, I figure that there will be three different types of users:
  • Tech-savvy users,  let's call him Sam
  • Non-tech savvy users, let's call him Bob
  • Kids.  Kids like to explore and will actively search for stuff to install, let's call her Audrey
Bob needs to know that it is still working for him.  For this, I have a sound effect and a tooltip popup whenever an operation is blocked.
 
Sam on the other hand, needs to be able to make changes that ICE would normally block and be able to tweak the system overall.  Sam can Pause ICE to install software and updates, view past activity, set up safeguards, designate Trusted programs for ICE to ignore, etc..
 
And we need to protect the system FROM Audrey.  If she can figure out how to Pause, she will be able to bypass the protection and install anything or get infected.  For Audrey, a question must be answered before the configuration screen can be accessed.
 
I'm trying to keep the product simple and useful.  Any feedback is welcome.
 
Thank you.
 
You can download a fully functioning 21 day trial from here.
 
ICE hasn't officially been launched but we do have people protecting their computers with it.  So it's not really a beta, but sort of is. <grin>


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,609 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 April 2015 - 03:46 PM

Hello bystorm and welcome to BleepingComputer.

Thank you for taking the time to visit us and explain your product in more detail.

Since you appear to be an Authorized Company Representative (Author, Developer), please read the information I have just sent via PM to your inbox.

Authorized Reps and software developers are permitted to create a topic on BleepingComputer to present their product to our members....see this pinned announcement: Announcement: Product Topics and how to create them. However, it is required they contact Grinler first in order to get his authorization to post a new topic.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 bystorm


Posted 24 April 2015 - 03:51 PM

I contacted him yesterday and he said to create a product topic and send him a link to it.  

 

That's what I just did.  



#4 quietman7


Posted 24 April 2015 - 03:53 PM

Great...then you are ahead of the game.

#5 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 24 April 2015 - 04:02 PM

Hi there,

I must admit, your product sounds like a nice idea - I've looked into anti-executables, but they only block non-trusted executables from launching instead of preventing write to disk like ICE does. The same goes for Group Policies.

I see the potential for home users (especially people with Home Premium Edition of Windows) when they run ICE alongside a solid AV and AM protection, and maybe exploit protection to minimize the attack surface.

Looking forward to seeing your work.

Regards,
Alex

#6 bystorm


Posted 24 April 2015 - 04:08 PM

Thank you Alex.  

 

I have ICE running on a few friends' computers and the only things we've seen that it SHOULDN'T have blocked are programs that JIT.  That's why I had to add the 'Trusted Programs' feature.

 

If you want to play with it, here's a link: http://ice.bystorm.com.  I would love your expert opinion of what I've built.



#7 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,205 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 24 April 2015 - 04:22 PM

Will there be a whitelist feature offered in the future that will allow the installation of legitimate software? Or if you add the executable to ICE's whitelist, it'll be able to run without any problem? Do you have a known list of Antivirus, Antimalware or other security programs that aren't compatible with ICE?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 bystorm


Posted 24 April 2015 - 04:34 PM

Hi Aura,  

 

You would 'Pause' ICE when you need to install software, update drivers, etc..  Protection will automatically turn back on after X number of minutes (different choices on the start menu).

 

ICE will completely ignore any program listed in its 'Trusted programs' list.

 

The only problem I foresee with other AV/Security tools is if they attempt to AutoUpdate, at which point, you COULD add them to the trusted programs list but I don't recommend it since malware writers have pretended to be auto-updaters before.  

 

A better approach would be to Pause ICE and then manually update any programs that need updating.



#9 Aura


Posted 24 April 2015 - 04:44 PM

I could see a lot of issues with that to be honest. Something should be done to allow at least Antivirus and other security software to update themselves without being blocked by ICE. Not everyone will think every day to pause ICE and update their Antivirus product. Most of them will also update multiple times a day. I can see ICE breaking the real-time protection of Antivirus products that way. So far I can understand that it's not implemented since the product is new, not yet released, etc. but it should really be something to be added in the future and as soon as possible. ICE is axed around security, but it could prevent other security software from working, it's quite ironic. Let me know what you think.

Scratch that, I misread your last post. If we add the Antivirus program to the "Trusted programs" list, everything's good. And I never heard of an Antivirus that pushed malware on system using the Auto-Update feature. I can understand for non-security products (like puush lately), but not Antivirus.

Edited by Aura., 24 April 2015 - 04:45 PM.



#10 bystorm


Posted 24 April 2015 - 04:52 PM

Actually, ICE is just a simple UI and a pre-configured version of FileSure Defend for Workstations which has been shipping for about 10 years and we've never had a problem with AV.  

 

Since my virus scanners run as Local_System, anything they do will be ignored.  If they don't use the service to apply updates, whatever program they are using will need to be 'trusted'
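
The rules bystorm describes in posts #1, #8 and #10 (block program-file writes, ignore Local_System and trusted programs, allow writes during a timed pause), modelled as an added example that is not part of the original thread and is not ICE or FileSure code. The order of the checks, the account strings, the 15-minute pause and every path are assumptions.

```python
import ntpath
from dataclasses import dataclass, field

# Extensions listed in the first post; its "etc." means the real list is longer.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".ocx", ".scr", ".sys", ".bat", ".wsh"}
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}  # assumed spelling of Local_System

@dataclass
class WritePolicy:
    """Hypothetical model of the rules stated in this thread; not ICE code."""
    trusted_programs: set = field(default_factory=set)  # lower-cased program paths
    paused_until: float = 0.0                            # epoch seconds, 0 = never paused

    def pause(self, now, minutes):
        # Protection resumes by itself when the pause window ends.
        self.paused_until = now + minutes * 60

    def decide(self, now, account, program, target):
        """Return 'allow:<reason>' or 'block:<reason>' for one file write."""
        ext = ntpath.splitext(target)[1].lower()
        if ext not in BLOCKED_EXTENSIONS:
            return "allow:not-a-program-file"
        if account.lower() in SYSTEM_ACCOUNTS:
            return "allow:local-system"
        if program.lower() in self.trusted_programs:
            return "allow:trusted-program"
        if now < self.paused_until:
            return "allow:paused"
        return "block:program-file-write"

# Constructed sample events: (time, account, writing program, target file).
T0 = 1_000_000.0
EVENTS = [
    (T0, "bob", r"C:\Browser\browser.exe", r"C:\Users\bob\Downloads\setup.EXE"),
    (T0, "bob", r"C:\Browser\browser.exe", r"C:\Users\bob\Documents\notes.txt"),
    (T0, "SYSTEM", r"C:\AV\avsvc.exe", r"C:\AV\engine.dll"),
    (T0, "bob", r"C:\AV\avupdate.exe", r"C:\AV\engine.dll"),
    (T0 + 60, "sam", r"C:\Tools\installer.exe", r"C:\Apps\tool.exe"),
    (T0 + 960, "sam", r"C:\Tools\installer.exe", r"C:\Apps\tool2.exe"),
]

def demo():
    """Replay the events; Sam pauses for 15 minutes, 30 seconds after T0."""
    policy = WritePolicy()
    before = [policy.decide(*e) for e in EVENTS[:4]]
    policy.pause(T0 + 30, minutes=15)
    return before + [policy.decide(*e) for e in EVENTS[4:]]
```

The fourth event is the case from post #10: an updater that runs outside the Local_System service is blocked until it is added to the trusted list.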



#11 Aura


Posted 24 April 2015 - 10:20 PM

Alright, I'll check it out then. Also on a side note, you might want to get the link (URL) in the OP edited. Since it includes a "." at the end, we're trying to access ice.bystorm.com. and it gives a "Bad Request - Invalid Hostname".



#12 bystorm


Posted 24 April 2015 - 11:12 PM

Crap!  I even remember trying to make sure that didn't happen.  I guess I changed how the URL looks but not the underlying link.

 

Thank you for pointing it out. I'll try to get it fixed.



#13 quietman7


Posted 25 April 2015 - 07:10 AM

bystorm, I fixed the link with the bad request in your first post.

#14 bystorm


Posted 26 April 2015 - 09:03 PM

Thank you!



#15 quietman7


Posted 26 April 2015 - 09:07 PM

You're welcome.



