
Some questions/observations on Immunet


It's been a while since I last used Immunet, probably that was v4/v5. I see in the release notes you have since added Advanced Threat Prevention, System Process Protection, Malicious Activity Protection (anti-ransomware), Exploit Prevention Engine, Orbital, Credo ML engine, ScriptID, "New endpoint threat activity detection engine", and they also mention a Behavior Protection Engine which I have not seen as a new feature in the changelogs, so it may be the same as one of the other features with a special name.
The GUI however is still exactly the same, not that that is a problem; I am not a fan of a forced new GUI just for the point of having something new. I mean EXACTLY the same however, including the Settings menu. All these new features haven't been added to the settings menu. I find that rather strange. Why aren't they present in the settings menu?
Immunet's processes also don't use Control Flow Guard (CFG) mitigation to help protect itself from exploits; CFG has been available for quite some years now in Windows and multiple AV products use it.
I also noticed the bundled OpenSSL files are from a still supported branch (1.1.1), but they are still on 1.1.1d, released 2 years ago; quite a few security updates have been released for 1.1.1 since.

Those are some concise observations that you made!

I was hoping an Admin or Dev would have responded to your topic as one of them could have given you better insight into the workings of Immunet.

However, unless you're an IT security expert, it's my personal opinion that if Immunet's settings gave users the opportunity as to which security code/protocols to enable or disable that would cause a lot of confusion with many Immunet users. That I have no doubt at all!

Rarely, the history.db files can get corrupted, either by a user attempting to access these files or by some other means, which then requires an uninstall & reinstall to correct, so perhaps the Control Flow Guard protocols for the history files could be beneficial to the software.

Best wishes, Ritchie...

Hi,

I am hoping a Dev will still reply...
I can understand that Immunet might not want to add the option to disable certain features so Immunet users will not shoot themselves in the foot. However, I don't think that is the reason why these new features are not visible in the settings menu, as it was already possible with the old features. For example, you can disable monitoring of program start and program install, and you can disable the different engines individually (ETHOS, SPERO and ClamAV).

Control Flow Guard does not protect files, but processes, like DEP and ASLR. An antivirus program needs to be able to parse tons of filetypes in order to scan those files; that means they parse a lot of untrusted data and that could be exploited by an attacker. AVs are an interesting target because they run with system privileges in order to protect the system, but that also means successfully exploiting an AV will get the attacker system privileges. Tavis Ormandy from Google Project Zero, for example, has discovered and reported quite a few vulnerabilities in different AV products that could be exploited. Using mitigations like CFG would make exploitation harder. And as far as I know, CFG was available in Windows even before Windows 10.

Edited by BoerenkoolMetWorst
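As an added example (not code from this thread or from Immunet), the following Python reads the DllCharacteristics word of a PE optional header and reports whether the ASLR, DEP and CFG bits are set, the same bits that `/guard:cf`, `/NXCOMPAT` and `/DYNAMICBASE` set and that `dumpbin /headers` prints. The header-only PE image it builds is constructed purely for the demonstration; pass real executable paths on the command line to triage your own binaries.

```python
import struct
import sys

# DllCharacteristics bits from the PE optional header (winnt.h)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000      # Control Flow Guard

def pe_mitigations(data: bytes) -> dict:
    """Return which of ASLR/DEP/CFG are flagged in a PE image's DllCharacteristics.
    Note: this reads only the header flag; a fuller CFG check would also parse the
    Load Config directory's GuardFlags and function table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                    # skip signature + COFF file header
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):               # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt_hdr + 70)[0]
    return {
        "ASLR": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "DEP": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "CFG": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }

def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations NOT enabled, for quick triage of a binary."""
    return [name for name, on in pe_mitigations(data).items() if not on]

def build_min_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed sample: a header-only PE image, just enough for pe_mitigations()."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_characteristics)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x22)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "missing:", missing_mitigations(fh.read()) or "none")
```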