GuardedID


  1. Posts : 1,377
    Win7x64
       #11

    TOF said:
    Why would it need to be updated on a regular basis? It's a patented encrypted tunnel from the keyboard to the application. The software doesn't need to update any definition list because all it has to do is check and see if the drivers are signed by Microsoft or not. If it's not signed, it will send out a warning.
    That logic is clearly unsound: "we'll check for the presence of kernel-mode malware by using a mechanism which would have to fail for kernel-mode malware to be present."

    In fact, their description (which you quoted) does not directly imply that they're using driver signatures to detect "untrusted" drivers. It just says they "constantly monitor the keyboard driver stack" (although they also "eliminate time-consuming memory scans"!).

    My point is that such a game of detection one-upmanship with malware drivers would be pointless without a constantly evolving definition of just what it is that they're looking for, hence the need for regular updates.
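A concrete version of the "are all loaded drivers signed?" check debated above, as an added example that is neither GuardedID's code nor anything posted in this thread: it lists the running kernel drivers and validates each binary's Authenticode signature from user mode, and the comments spell out the blind spot H2SO4 describes. It assumes Windows PowerShell and uses Get-WmiObject rather than the newer CIM cmdlets so that it also runs on the Windows 7-era shell.

```powershell
# Added example (not GuardedID's code): enumerate running kernel drivers and
# report which ones are not validly signed by Microsoft.
#
# Blind spot, as discussed in the thread: this script is UNPRIVILEGED code asking
# the kernel "which drivers are loaded?". A kernel-mode rootkit that hides its
# own module from that list simply never appears here, so a clean report is not
# proof of a clean machine. Unsigned or third-party-signed entries are a
# starting point for a closer look, not a verdict.

$drivers = Get-WmiObject -Class Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($d in $drivers) {
    # PathName comes in several shapes: \??\C:\...\x.sys,
    # \SystemRoot\system32\drivers\x.sys, or a bare system32\drivers\x.sys.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    New-Object PSObject -Property @{
        Name            = $d.Name
        Path            = $path
        Status          = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        MicrosoftSigned = ($sig.Status -eq 'Valid' -and
                           $signer -match 'O=Microsoft Corporation')
    }
}

# Many legitimate third-party drivers are not Microsoft-signed, so review this
# list rather than treating every row as malware.
$results | Where-Object { -not $_.MicrosoftSigned } |
    Sort-Object Status, Name |
    Format-Table Name, Status, Signer -AutoSize
```

Run it from an elevated prompt so every driver binary is readable; a HashMismatch status on a driver that should be signed is a stronger signal than a plain NotSigned one.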


  2. TOF
    Posts : 88
    Microsoft Windows 7 Professional X64
    Thread Starter
       #12

    H2SO4

    I was looking at the following pdf.

    • Does Not require any spyware database updates (page 5 or 6)
    • MSI installer includes update service with automatic updates (page 15 and 16)

    The software does not depend on spyware definitions like most other anti-keyloggers because it protects the user using a different method. I'm assuming that these are the updates you were talking about?

    http://www.guardedid.com/pdf/GID_30.pdf


  3. Posts : 1,377
    Win7x64
       #13

    TOF said:
    H2SO4

    I was looking at the following pdf.

    • Does Not require any spyware database updates (page 5 or 6)
    • MSI installer includes update service with automatic updates (page 15 and 16)
    The software does not depend on spyware definitions like most other anti-keyloggers because it protects the user using a different method. I'm assuming that these are the updates you were talking about?

    http://www.guardedid.com/pdf/GID_30.pdf
    I don't think I'm explaining my concerns regarding GID very well. Let me try another angle. Think of all software running on the machine as belonging to one of two categories:

    1) PRIVILEGED - includes the OS kernel, most modules called "drivers", and malware in the "rootkit" category on sufficiently unfortunate machines.

    2) UNPRIVILEGED - everything else. The vast bulk of all apps, including browsers, media players, services, yadda yadda, all runs as unprivileged code which requires the cooperation of something in the first category in order to have access to hardware and to run at all.

    There is no hierarchy within the PRIVILEGED category. Once a code module somehow manages to get down there, courtesy of the administrator installing it, or through some underhanded trickery (a rootkit), it is all-powerful. If it's malware, it can subvert the kernel itself, install whatever it likes, deactivate or fool all software firewalls, communicate via the network... anything it wants to do.

    What GID does is to place a tunnel from a particular point in the PRIVILEGED area to browsers and other similar apps. Its Achilles heel is the fact that malware which has successfully gained the ability to work as privileged code can "peek" at the data as it enters the secure tunnel - if it knows the tunnel exists!

    That's why I'm harping on about the importance of updates. Because of a lack of hierarchy, privileged code which would seek to prevent other privileged code from doing certain things must constantly evolve in response to the changing nature of the threat. Otherwise, if the "good" privileged code remains static, "bad" privileged code can be written to work around any and all obstacles put in front of it.

    The GID brochures seem quite vague on the topic of how their checks for privileged malware are implemented. That's partially because they don't want to make it too easy for the bad guys, but probably also because it's ####ing hard to win that game, especially if you don't regularly provide updates! Creating a static secure tunnel is relatively easy. Keeping privileged malware from interfering with the tunnel's entry is much harder. That's why they're coy about their update strategies, including those phrases from the PDF you linked to (I had a look through it).

    About the best thing you could say would be that few malware authors would bother to specifically circumvent GID, especially if its own profile kept on changing. The cartels which develop phishing scams and keyloggers are into the theory of large numbers - they throw their stuff out there and enough people get hit by it to make the venture commercially viable (somebody has to pay the competent nerd to code the keylogger). The fact that GID would be found on <<1% of all machines makes it more trouble than it's worth to bother circumventing.

    But they could. If they wanted to.


  4. TOF
    Posts : 88
    Microsoft Windows 7 Professional X64
    Thread Starter
       #14

    I see what you are saying. So in order to keep the product effective, they would need to monitor and patch any discovered vulnerabilities.


  5. Posts : 1,377
    Win7x64
       #15

    TOF said:
    I see what you are saying. So in order to keep the product effective, they would need to monitor and patch any discovered vulnerabilities.
    Yes, exactly. In privileged mode, all software is equal in terms of authority. Constant metamorphosis is the only way to stay ahead if you're hoping to detect or prevent something that doesn't want to be detected and prevented.

    That's why the AV companies spend so much of their time and effort on updates. It's an expensive game though, and my guess is that GID doesn't really feel thrilled about having to play it. They'd rather de-emphasise that aspect of the problem, as would I in their place.

