Extensions

Profense SDK contains many extensions, each for a different purpose. The Profense SDK licensing model is based on per-module licensing: you can license any of the available modules (or extensions). Below is the list of modules available for licensing. To request a quote, please send your request to [email protected]

Application layer interface module: PFSDK.DLL
Kernel mode helper module: pfsdk.sys

Kernel mode monitors:
- sdtmon.lib, sdtmon.h – SDT monitor module
- idtmon.lib, idtmon.h – IDT monitor module
- gdtmon.lib, gdtmon.h – GDT monitor module
- ldtmon.lib, ldtmon.h – LDT monitor module
- objproc.lib, objproc.h – NT object manager monitor module
- reg.lib, reg.h – registry & filesystem callback interface module
- fsmf.lib, fsmf.h – filesystem filtering interface (FilterManager) module
- psthr.lib, psthr.h – processes and threads monitor (PsNotify) module
- ccmgr.lib, ccmgr.h – cache manager load & run monitor module
- etm.lib, etm.h – external thread monitor (SMM) module
- vmm.lib, vmm.h – abnormal activity monitor (VMM) module
- smm.lib, smm.h – abnormal activity monitor (SMM) module
- objlist.lib, objlist.h – in-memory heuristic search for objects module
- pg.lib, pg.h – Patch Guard interface manipulation module
- sym.lib, sym.h – non-exported symbols resolver module
- trace.lib, trace.h – instruction tracer module
- nox.lib, nox.h – no exploit interface module
- irp.lib, irp.h – IRP_MAJOR procedures monitor module
- irq.lib, irq.h – IRQ handler monitor module
- log.lib, log.h – monitor logger module
- tdi.lib, tdi.h – transport layer network monitor module
- ndis.lib, ndis.h – NDIS layer network monitor module
- tcp.lib, tcp.h – TcpIp suite module
- link.lib, link.h – kernel – user communication interface module
- vad.lib, vad.h – virtual address descriptor interface module
- fsm.lib, fsm.h – decision finite state machine module
- netmon.lib, netmon.h – network filtering interface monitor
- sscan.lib, sscan.h – signature based scanner module
- pfsdk.lib, pfsdk.h – consolidated module

Profense API: PFAPI.DLL
PFAPI.h – API C++ header
PFAPI.lib – API C++ import library

The simple APIs of Profense SDK include powerful functions:

- Multilayer packet filter (transport layer and channel layer): can be used for two-tier control of network activity on protected systems. If a packet is seen on the second layer but the same packet is absent on the first, this indicates suspicious NDIS-direct activity. Note, however, that control at the NDIS level is often difficult (for a content filter, for example, because data is fragmented across individual Ethernet frames).

- System services monitor (SDT monitor): provides behavior analysis of executing objects. Every significant action is stored in a per-thread action buffer that holds the operation history, a floating value that characterizes the behavior of every running thread in the protected system. If a thread's behavior map matches a behavior signature, an alert is raised and the suspicious thread can be safely terminated, with rollback of the actions that thread performed.

- IDT monitor: analyzes the Interrupt Descriptor Table. Much malicious software uses interrupt vector hooking to hide its presence on an infected system. By detecting a malicious IDT modification, protection software can identify the source of the modification and safely remove it.

- GDT monitor: serves the same purpose as the IDT monitor. Malicious software can allocate new GDT entries for its own purposes.

- LDT monitor: serves the same purpose as the IDT/GDT monitors, including detection of new LDT entries added to evade signature scanners.

- Registry and filesystem access monitor: detects any modification of the registry (for example, modification of important service entries to disable security products, antivirus, etc.). Filesystem control provides detection of malicious files at the filesystem level.

- NT object manager monitor: detects filesystem/registry access while bypassing the anti-detection routines used by malicious software. The NT object manager provides core functionality of the entire OS, so monitoring its procedures is an extremely powerful detection method.

- Filesystem filtering interface: detects malicious files at an early stage.

- Executive objects monitor (processes and threads): allows control and analysis of running threads and processes, protects the protection product's own threads from being terminated, and helps identify hidden modules and threads (if rootkit software is present in the system).

- Executable objects monitor (executable images and sections): detects hidden images, sections and modules hidden by a rootkit of any level. For example, if a DRIVER_OBJECT has been unlinked from the object manager list, it still exists in memory and is still referenced by a DEVICE_OBJECT; the monitor runs heuristic in-memory search routines for all such orphaned objects (any orphaned object indicates rootkit activity in the protected system).

- State-of-the-art hidden executive objects monitor (SMM based): catches every hidden code execution (a hidden thread, for example). An external, SMM-driven timer interrupts the currently executing thread, and the SMM handler checks whether the interruption offset belongs to any known thread; if it does not, a hidden thread has been found. Remember that a system cannot control itself from the outside: an executing thread cannot determine the exact moment at which it will be executed.

- Abnormal activity monitor (SMM based): allows analysis of hardware-interrupt-driven actions (for example, an NDIS IRQ handler or low-level disk access).

- Abnormal activity monitor (VMM based, including VMX and SVM interfaces): allows analysis of various suspicious activity on the running system, including memory access, modification of memory access rights, memory mapping, access to model-specific registers, IRQ delivery, etc.

- Executive objects manipulation interface (used for in-memory heuristic search of hidden objects): detects hidden images, sections and modules hidden by a rootkit of any level, using the same orphaned-object search described for the executable objects monitor above (for example, a DRIVER_OBJECT unlinked from the object manager list that still exists in memory and is still referenced by a DEVICE_OBJECT).

- Patch Guard manipulation interface (for internal use): allows inline patches in the running system for internal purposes.

- Non-exported kernel symbol search interface: allows searching for non-exported symbols, so that security products can easily adapt to released software updates, service packs, etc.

- Real-time instruction tracer interface (for catching suspicious interception of system services): allows real-time tracing to detect control-flow modification in important system services. Imagine a tracer that calls an important system service and steps through it looking for malicious modification.

- Heuristic exploit detection interface (any kind of exploit, Trojan or virus): uses a state-of-the-art system for per-process exploit prevention.

- IRP_MAJOR procedures monitor (for proactive defense): allows early detection and analysis of system activity. Every hardware device in the protected system is represented by a device driver, and each device driver has a table of IRP_MAJOR routines; any access to the corresponding device goes through the device driver, i.e. through the IRP_MAJOR routines.

- Hardware interrupt monitor (IRQ monitor, for low-level control of system activity): allows detection and early analysis of interrupt-driven events (for example, disk access or network interface card interrupts).

- Journal and history logger interface (applicable to any kind of monitor): allows seamless integration of logging and journalling for caught events, with a simple interface that makes logging easier than ever.

- Transport layer network monitor (TDI based filter): allows analysis and detection of malicious data patterns at a relatively high level, without the fragmentation seen by NDIS-level filters. The TDI monitor provides content filtering with content blocking and content modification, using an easily modifiable rule system.

- Low-level network monitor (NDIS based): allows analysis and per-port/per-address blocking, including transparent interception routines at IRQ level.

- TCP/IP protocol suite (for avoiding any malicious interception of network traffic): provides a Winsock-like network interface implementing all basic and advanced methods (sockets, connections, IOCTL codes, etc.) for the TCP/IP, UDP and ICMP protocols, including a non-blocking socket implementation.

- Driver–application communication interface (with two simultaneous channel types, a Command channel and a Data channel, providing an asynchronous interface to kernel modules): allows easy communication between the interface DLL and the kernel-mode part of the protection system (both synchronous and asynchronous).

- Virtual address manipulation interface (search and enumeration of the VAD list on a per-process basis): allows searching for hidden images per process. Typical case: a malicious DLL is loaded into the address space and the process's loaded module list is then modified, so the enumeration functions cannot find the module, but the VAD enumeration tool can.

- Finite state machine for behavior-based detection (proactive defense decision module): allows handling an unlimited number of behavior signatures with performance-optimized search procedures (the search runs in polynomial time). Each behavior signature contains 16 potentially malicious action codes in a unique sequence order; every tested thread has a floating signature of the same size, which is compared against every entry of the behavior table. If a match is found, an alert is raised and the suspicious thread can be safely terminated.

- Network firewall interface with a flexible rule system (ALLOW/DENY/CONTENT_BLOCK/CONTENT_MODIFY methods on any active network interface): allows an unlimited rule list with different actions, including content filtering and address/port identification.

Last Updated on Friday, 01 May 2009 17:57
www.profense-sdk.com
Cost : $50000.00
System requirements : Minimum requirements - Windows 2000, your favourite IDE
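The per-thread action buffer and 16-code behavior signature matching described in the feature list above, as an added C illustration that is not Profense code: the action codes, the signature table and the two action streams are constructed for this example, and the ring-buffer design is an assumption about how a "floating" per-thread history can be kept.

```c
#include <stdio.h>
#define SIG_LEN 16   /* one behavior signature = 16 action codes in a fixed order */
/* Hypothetical action codes (the SDK's real code set is not on the page). */
enum action { A_OPEN_PROC = 1, A_WRITE_MEM, A_CREATE_THREAD, A_SET_REG_RUN,
              A_OPEN_FILE, A_WRITE_FILE, A_CONNECT, A_SEND, A_READ_FILE, A_CLOSE };
/* Per-thread action buffer: a ring holding the thread's last SIG_LEN actions. */
struct thread_hist { unsigned char buf[SIG_LEN]; unsigned head, count; };
static void record_action(struct thread_hist *h, unsigned char code) {
    h->buf[h->head] = code;                 /* head = oldest entry once the ring is full */
    h->head = (h->head + 1) % SIG_LEN;
    if (h->count < SIG_LEN) h->count++;
}
/* True when the thread's last SIG_LEN actions, oldest first, equal sig[]. */
static int history_matches(const struct thread_hist *h, const unsigned char *sig) {
    if (h->count < SIG_LEN) return 0;       /* not enough history to compare yet */
    for (unsigned i = 0; i < SIG_LEN; i++)
        if (h->buf[(h->head + i) % SIG_LEN] != sig[i]) return 0;
    return 1;
}
/* Constructed signature table: one "drop file, persist, inject, beacon" pattern. */
static const unsigned char sig_table[][SIG_LEN] = {
    { A_OPEN_FILE, A_WRITE_FILE, A_CLOSE, A_SET_REG_RUN, A_OPEN_PROC, A_WRITE_MEM,
      A_CREATE_THREAD, A_CLOSE, A_CONNECT, A_SEND, A_SEND, A_CLOSE,
      A_CONNECT, A_SEND, A_SEND, A_CLOSE },
};
#define SIG_COUNT (sizeof sig_table / sizeof sig_table[0])
/* Check the whole table after each action; return the first matching index, or -1. */
static int simulate(const unsigned char *stream, size_t len) {
    struct thread_hist h = {{0}, 0, 0};
    for (size_t i = 0; i < len; i++) {
        record_action(&h, stream[i]);
        for (size_t s = 0; s < SIG_COUNT; s++)
            if (history_matches(&h, sig_table[s])) return (int)s;   /* alert */
    }
    return -1;
}
/* Constructed streams: benign file/network activity, and the same with the 16-action pattern embedded after a prefix. */
static const unsigned char benign_stream[] = { A_OPEN_FILE, A_READ_FILE, A_CLOSE,
    A_OPEN_FILE, A_READ_FILE, A_CLOSE, A_CONNECT, A_SEND, A_CLOSE, A_OPEN_FILE,
    A_READ_FILE, A_CLOSE, A_OPEN_FILE, A_READ_FILE, A_CLOSE, A_CONNECT, A_SEND, A_CLOSE };
static const unsigned char malicious_stream[] = { A_OPEN_FILE, A_READ_FILE, A_CLOSE,
    A_OPEN_FILE, A_WRITE_FILE, A_CLOSE, A_SET_REG_RUN, A_OPEN_PROC, A_WRITE_MEM,
    A_CREATE_THREAD, A_CLOSE, A_CONNECT, A_SEND, A_SEND, A_CLOSE,
    A_CONNECT, A_SEND, A_SEND, A_CLOSE, A_OPEN_FILE };
int main(void) {                            /* prints "benign: -1, malicious: 0" */
    printf("benign: %d, malicious: %d\n", simulate(benign_stream, sizeof benign_stream),
           simulate(malicious_stream, sizeof malicious_stream));
    return 0;
}
```

Each table entry costs one fixed-length comparison per recorded action, so the check stays linear in the table size, which is the polynomial-time bound the page claims.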