
PROFENSE SDK

Use Profense SDK to add proactive security capabilities to applications that will operate on the Internet, ensuring that your application is protected from various attacks and that, once identified, an intruder can be blocked from accessing the system at any level (including non-network attack vectors) without incurring high CPU usage.


Profense SDK is a professional software development kit for rapid development of any kind of security application for Microsoft Windows. The simple APIs of Profense SDK include powerful functions: multilayer packet filter (transport layer and channel layer), system services monitor (SDT monitor), IDT monitor, GDT monitor, LDT monitor, registry and filesystem access monitor, NT object manager monitor, filesystem filtering interface, executive objects monitor (processes and threads), executable objects monitor (executable images and sections), state-of-the-art hidden executive objects monitor (SMM based), abnormal activity monitor (SMM based), abnormal activity monitor (VMM based, including VMX & SVM interfaces), executive objects manipulation interface (used for in-memory heuristic search for hidden objects), Patch Guard manipulation interface (used for internal purposes), interface for search of non-exported symbols in the kernel environment, real-time instruction tracer interface (used for catching suspicious interception of system services), interface for heuristic detection of exploits (any kind of exploit, Trojan or virus), IRP_MAJOR procedures monitor (used for proactive defense), hardware interrupt monitor (IRQ monitor, used for low-level control of system activity), journal and history logger interface (applicable to any kind of monitor), transport layer network monitor (TDI based filter), low-level network monitor (NDIS based), TcpIp protocol suite (used to avoid any malicious interception of network traffic), driver-to-application communication interface (with two simultaneous channel types, a Command channel and a Data channel, which provide an asynchronous interface for communicating with kernel modules), virtual address manipulation interface (search and enumeration of the VAD list on a per-process basis), finite state machine for behavior-based detection (proactive defense decision module), and network firewall interface with a flexible rule system (ALLOW/DENY/CONTENT_BLOCK/CONTENT_MODIFY methods on any active network interface).


Please tell us about your task and you will be served as soon as possible. Full lifecycle service included, including difficult cases!


The simple APIs of Profense SDK include powerful functions:

- multilayer packet filter (transport layer and channel layer) can be used for two-tier control of network activity on protected systems: if a packet is seen at the second (NDIS) layer but the same packet is absent at the first (transport) layer, this indicates suspicious NDIS-direct activity. Note that control at the NDIS level is often difficult (for a content filter, for example, because data is fragmented across individual Ethernet frames);
- system services monitor (SDT monitor) provides behavior analysis of executing objects: every significant action is stored in a per-thread action buffer that holds the history of operations, a floating value that characterizes the behavior of every running thread in the protected system. If a thread's behavior map matches a behavior signature, an alert is raised and the suspicious thread can be safely terminated, with rollback of the actions that thread performed;
- IDT monitor can be used for analysis of the Interrupt Descriptor Table: much malicious software uses interrupt vector hooking to hide its presence on an infected system. By detecting malicious IDT modifications, protection software can identify the source of the modification and safely remove it;
- GDT monitor serves the same purposes as the IDT monitor; malicious software can allocate new GDT entries for its own purposes;
- LDT monitor serves the same purposes as the IDT/GDT monitors, including detection of new LDT entries added to evade signature scanners;
- registry and filesystem access monitor can be used to detect any modification of the registry (for example, modification of important service entries in order to disable security products, antivirus, etc.). Filesystem control provides detection of malicious files at the filesystem level;
- NT object manager monitor can be used for filesystem/registry access detection while bypassing the anti-detection routines used by malicious software. The NT object manager provides the core functionality of the entire OS, so monitoring its procedures is an extremely powerful detection method;
- filesystem filtering interface, used for detection of malicious files at an early stage;
- executive objects monitor (processes and threads) allows control and analysis of running threads and processes, helps protect the protection product's own threads from termination, and helps find hidden modules and threads (if rootkit software is present on the system);
- executable objects monitor (executable images and sections) allows detection of hidden images, sections and modules hidden by a rootkit of any level. For example, if a DRIVER_OBJECT has been unlinked from the object manager's list, it still exists in memory and is still referenced by its DEVICE_OBJECT; the monitor performs heuristic in-memory search routines for all such orphaned objects (any orphaned object indicates rootkit activity on the protected system);
- state-of-the-art hidden executive objects monitor (SMM based): this kind of monitor can catch any hidden code execution (a hidden thread, for example). An external SMM-driven timer interrupts the currently executing thread, and the SMM handler checks whether the interruption offset belongs to any known thread; if it does not, a hidden thread has been found. Remember that the system cannot control itself from the outside, i.e. an executing thread cannot determine the exact time at which it will be executed;
- abnormal activity monitor (SMM based): this kind of monitor allows analysis of hardware-interrupt-driven actions (for example, the NdisIrq handler or low-level disk access);
- abnormal activity monitor (VMM based, including VMX & SVM interfaces): this kind of monitor allows analysis of various suspicious activity on the running system, including memory access, modification of memory access rights, memory mapping, access to model-specific registers, IRQ delivery, etc.;
- executive objects manipulation interface (used for in-memory heuristic search for hidden objects) allows detection of hidden images, sections and modules hidden by a rootkit of any level, using the same orphaned-object heuristic described for the executable objects monitor above (an unlinked DRIVER_OBJECT still exists in memory and is still referenced by its DEVICE_OBJECT);
- Patch Guard manipulation interface (used for internal purposes): this interface allows inline patches on a running system for internal purposes;
- interface for search of non-exported symbols in the kernel environment: this interface allows searching for non-exported symbols, for easy adaptation of security products to newly released software updates, service packs, etc.;
- real-time instruction tracer interface (used for catching suspicious interception of system services): this interface allows real-time tracing, used for detection of control-flow modification in important system services; imagine a tracer that calls an important system service and steps through it to detect malicious modification;
- interface for heuristic detection of exploits (any kind of exploit, Trojan or virus): this interface uses a state-of-the-art per-process exploit prevention system;
- IRP_MAJOR procedures monitor (used for proactive defense): this kind of monitor allows early detection and analysis of system activity. For example, every hardware device in the protected system is represented by a device driver, each device driver has a table of IRP_MAJOR routines, and any access to the corresponding device goes through the device driver, i.e. through its IRP_MAJOR routines;
- hardware interrupt monitor (IRQ monitor, used for low-level control of system activity): this kind of monitor allows detection and early analysis of interrupt-driven events (for example, disk access or network interface card interrupts);
- journal and history logger interface (applicable to any kind of monitor): this interface allows seamless integration of logging and journaling for caught events. Its simple interface makes logging easier than ever;
- transport layer network monitor (TDI based filter): this monitor allows analysis and detection of malicious data patterns at a relatively high level, without the fragmentation seen by NDIS-level filters. The TDI monitor supports content filtering with Content Blocking and Content Modifying, with an easily modifiable rule system;
- low-level network monitor (NDIS based): this monitor allows analysis and per-port/per-address blocking actions, including transparent interception routines at the IRQ level;
- TcpIp protocol suite (used to avoid any malicious interception of network traffic): this interface provides a Winsock-like network interface (all basic and advanced methods are implemented: sockets, connections, IOCTL codes, etc., for the TCP, UDP and ICMP protocols, including non-blocking sockets);
- driver-to-application communication interface (with two simultaneous channel types, a Command channel and a Data channel, which provide an asynchronous interface for communicating with kernel modules) allows easy communication from the interface DLL with the kernel-mode part of the protection system (in both synchronous and asynchronous ways);
- virtual address manipulation interface (search and enumeration of the VAD list on a per-process basis): this kind of monitor allows searching for hidden images on a per-process basis (typical case: a malicious DLL was loaded into the address space and the process's LoadedModuleList was then modified, so the enumeration functions cannot find that module, but the VAD enumeration tool can);
- finite state machine for behavior-based detection (proactive defense decision module): this interface allows an unlimited number of behavior signatures with performance-optimized search procedures (the search runs in polynomial time). Each behavior signature contains 16 potentially malicious action codes in a unique sequence order; every tested thread has a floating signature of the same size, which is compared with every behavior table entry. If a match is found, an alert is raised and the suspicious thread can be safely terminated;
- network firewall interface with flexible rule system (ALLOW/DENY/CONTENT_BLOCK/CONTENT_MODIFY methods on any active network interface): this interface allows an unlimited rule list with different actions, including content filtering and address/port identification.
If you need any customized feature not listed above, please contact us: [email protected]
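The two-tier check described for the multilayer packet filter above, as an added example written for this page (not Profense SDK code): the `struct pkt` layout, the use of the IP identification field to pair the two layers' records of one packet, and both sample logs are assumptions made for illustration.

```c
/* Added example: user-mode simulation of the two-tier packet check. Both
 * record sets below are constructed; the struct is a stand-in for whatever
 * each layer's filter would log, not an SDK type. */
#include <stdint.h>
#include <stdio.h>

struct pkt {
    uint32_t src, dst;       /* IPv4 addresses, host byte order */
    uint8_t  proto;          /* 6 = TCP, 17 = UDP */
    uint16_t sport, dport;
    uint16_t ip_id;          /* IP identification field: ties the two views of one packet together */
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define N(arr) (sizeof (arr) / sizeof (arr)[0])

static int same_packet(const struct pkt *a, const struct pkt *b)
{
    return a->src == b->src && a->dst == b->dst && a->proto == b->proto &&
           a->sport == b->sport && a->dport == b->dport && a->ip_id == b->ip_id;
}

/* A frame seen by the NDIS-level filter with no counterpart in the
 * transport-level (TDI) log was handed to the NIC below the TCP/IP stack:
 * the "NDIS-direct" activity the page describes, typical of a kernel-mode
 * module with its own sender. Returns the number of such frames; the indices
 * of up to max_out of them are written to out[]. Legitimate raw-frame senders
 * (some VPN or capture drivers) show up here too, so treat hits as leads. */
size_t find_ndis_direct(const struct pkt *tdi, size_t ntdi,
                        const struct pkt *ndis, size_t nndis,
                        size_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < nndis; i++) {
        int seen = 0;
        for (size_t j = 0; j < ntdi && !seen; j++)
            seen = same_packet(&ndis[i], &tdi[j]);
        if (seen) continue;
        if (found < max_out) out[found] = i;
        found++;
    }
    return found;
}

/* Constructed logs: three legitimate flows plus one frame only NDIS saw.
 * The extra frame reuses the host's own source address, so address-based
 * rules alone would not distinguish it. */
static const struct pkt sample_tdi[] = {
    { IP4(192,168,1,10), IP4(198,51,100,20), 6, 49152, 443, 0x1a01 },
    { IP4(192,168,1,10), IP4(198,51,100,20), 6, 49152, 443, 0x1a02 },
    { IP4(192,168,1,10), IP4(192,168,1,1),  17, 53001,  53, 0x1a03 },
};
static const struct pkt sample_ndis[] = {
    { IP4(192,168,1,10), IP4(198,51,100,20), 6, 49152, 443, 0x1a01 },
    { IP4(192,168,1,10), IP4(198,51,100,20), 6, 49152, 443, 0x1a02 },
    { IP4(192,168,1,10), IP4(192,168,1,1),  17, 53001,  53, 0x1a03 },
    { IP4(192,168,1,10), IP4(203,0,113,7),   6, 40000, 8081, 0x7f00 },  /* no TDI record */
};

/* Number of NDIS-only frames in the sample logs (expected: 1). */
size_t demo_suspicious_count(void)
{
    size_t idx[8];
    return find_ndis_direct(sample_tdi, N(sample_tdi), sample_ndis, N(sample_ndis), idx, N(idx));
}

/* Index into sample_ndis of the first NDIS-only frame, or -1 if none. */
int demo_first_suspicious(void)
{
    size_t idx[8];
    size_t n = find_ndis_direct(sample_tdi, N(sample_tdi), sample_ndis, N(sample_ndis), idx, N(idx));
    return n ? (int)idx[0] : -1;
}

int main(void)
{
    int i = demo_first_suspicious();
    if (i < 0) { puts("no NDIS-direct frames"); return 0; }
    const struct pkt *p = &sample_ndis[i];
    printf("%zu NDIS-direct frame(s); first: proto %u to %u.%u.%u.%u:%u (ip_id 0x%04x)\n",
           demo_suspicious_count(), p->proto, p->dst >> 24, (p->dst >> 16) & 255,
           (p->dst >> 8) & 255, p->dst & 255, p->dport, p->ip_id);
    return 0;
}
```

The correlation is deliberately one-directional: a TDI record without an NDIS frame is normal (the filter may simply have seen it before the stack dropped it), whereas an NDIS frame without a TDI record is the case worth alerting on. Content inspection is left to the transport layer, as the page notes, because at the NDIS layer one message may be spread over several frames.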
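The per-thread action buffer and behavior-signature table described for the SDT monitor and the finite state machine above, as an added example in C (not Profense SDK code): the action codes, the two signatures, the traces and the ordered-subsequence matching rule are all assumptions made for illustration.

```c
/* Added example: user-mode simulation of a per-thread action buffer matched
 * against a behavior-signature table. Action codes, signatures and traces are
 * constructed for illustration; none of them are the SDK's real values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_LEN 16                      /* codes per signature = window size per thread */

enum action {                           /* constructed action codes */
    ACT_NONE = 0,                       /* terminator / padding */
    ACT_OPEN_PROCESS, ACT_WRITE_PROCESS_MEMORY, ACT_CREATE_REMOTE_THREAD,
    ACT_REG_SET_VALUE, ACT_FILE_CREATE, ACT_FILE_WRITE, ACT_NET_CONNECT,
    ACT_LOAD_DRIVER, ACT_SET_HOOK
};

struct behavior_sig {
    const char *name;
    uint8_t codes[SIG_LEN + 1];         /* ordered codes, ACT_NONE-terminated */
};

struct thread_state {                   /* one thread's "floating signature" */
    uint8_t window[SIG_LEN];            /* last SIG_LEN actions, oldest first */
    size_t count;
};

static const struct behavior_sig demo_table[] = {
    { "disable-security-service-then-load-driver",
      { ACT_REG_SET_VALUE, ACT_LOAD_DRIVER, ACT_SET_HOOK } },
    { "remote-code-injection",
      { ACT_OPEN_PROCESS, ACT_WRITE_PROCESS_MEMORY, ACT_CREATE_REMOTE_THREAD } },
};
#define DEMO_TABLE_LEN (sizeof demo_table / sizeof demo_table[0])

/* Append one action; once the window is full the oldest entry slides out. */
static void record_action(struct thread_state *t, uint8_t code)
{
    if (t->count < SIG_LEN) { t->window[t->count++] = code; return; }
    memmove(t->window, t->window + 1, SIG_LEN - 1);
    t->window[SIG_LEN - 1] = code;
}

/* Ordered-subsequence match (an assumption about the matching rule): every
 * signature code must occur in the window in signature order, with any number
 * of unrelated actions in between. O(SIG_LEN) per signature. */
static int window_matches(const struct thread_state *t, const struct behavior_sig *sig)
{
    size_t si = 0;
    for (size_t wi = 0; wi < t->count && sig->codes[si] != ACT_NONE; wi++)
        if (t->window[wi] == sig->codes[si])
            si++;
    return si > 0 && sig->codes[si] == ACT_NONE;
}

/* Index of the first matching signature, or -1 if the thread looks clean.
 * A real monitor would raise an alert here and could terminate the thread. */
static int match_behavior(const struct thread_state *t)
{
    for (size_t i = 0; i < DEMO_TABLE_LEN; i++)
        if (window_matches(t, &demo_table[i]))
            return (int)i;
    return -1;
}

/* Replay a whole action trace through a fresh thread state and classify it. */
int classify_trace(const uint8_t *trace, size_t n)
{
    struct thread_state t = { {0}, 0 };
    for (size_t i = 0; i < n; i++)
        record_action(&t, trace[i]);
    return match_behavior(&t);
}

/* Edge case: the signature's first action happened more than SIG_LEN actions
 * ago, so it has slid out of the window and the thread no longer matches. */
int demo_window_slides(void)
{
    struct thread_state t = { {0}, 0 };
    record_action(&t, ACT_REG_SET_VALUE);
    for (int i = 0; i < SIG_LEN; i++) record_action(&t, ACT_FILE_WRITE);
    record_action(&t, ACT_LOAD_DRIVER);
    record_action(&t, ACT_SET_HOOK);
    return match_behavior(&t);
}

/* Constructed traces: noise between the malicious actions does not hide them,
 * but the same actions in the wrong order do not match. */
static const uint8_t trace_hostile[] = { ACT_FILE_CREATE, ACT_REG_SET_VALUE, ACT_FILE_WRITE,
                                         ACT_LOAD_DRIVER, ACT_NET_CONNECT, ACT_SET_HOOK };
static const uint8_t trace_benign[]  = { ACT_FILE_CREATE, ACT_FILE_WRITE, ACT_NET_CONNECT };
static const uint8_t trace_reorder[] = { ACT_SET_HOOK, ACT_LOAD_DRIVER, ACT_REG_SET_VALUE };

int main(void)
{
    int h = classify_trace(trace_hostile, sizeof trace_hostile);
    printf("hostile trace: %s\n", h >= 0 ? demo_table[h].name : "clean");
    printf("benign trace:  %s\n", classify_trace(trace_benign, sizeof trace_benign) >= 0 ? "alert" : "clean");
    printf("reordered:     %s\n", classify_trace(trace_reorder, sizeof trace_reorder) >= 0 ? "alert" : "clean");
    printf("window slid:   %s\n", demo_window_slides() >= 0 ? "alert" : "clean");
    return 0;
}
```

The window size is what makes the signature "floating": a thread that spreads the same actions over more than sixteen operations is not caught, which is the trade-off a fixed-size per-thread buffer makes for constant memory per thread.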
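The orphaned-object heuristic described for the executable objects monitor and the executive objects manipulation interface above, as an added user-mode simulation (not SDK or kernel code): `struct drv` and `struct dev` are toy stand-ins for DRIVER_OBJECT and DEVICE_OBJECT, and the object names in the sample are constructed.

```c
/* Added example: user-mode simulation of the orphaned-object heuristic. The
 * structs are toy stand-ins for DRIVER_OBJECT / DEVICE_OBJECT, not the real
 * kernel types, and the sample objects are constructed. */
#include <stdio.h>
#include <string.h>

struct drv {                        /* stands in for DRIVER_OBJECT */
    const char *name;
    const struct drv *next;         /* link in the object manager's visible list */
};
struct dev {                        /* stands in for DEVICE_OBJECT */
    const char *name;
    const struct drv *driver;       /* back-reference every device keeps to its driver */
};

/* Is this driver object reachable by walking the visible list? */
static int driver_is_listed(const struct drv *head, const struct drv *d)
{
    for (const struct drv *p = head; p != NULL; p = p->next)
        if (p == d) return 1;
    return 0;
}

/* A device whose driver is not on the visible list is an orphan: the driver
 * object still exists in memory (the device points at it) but was unlinked,
 * which is how a rootkit hides it from enumeration. Returns the number of
 * orphans; the names of up to max_out of them are written to out[]. */
size_t find_orphaned_devices(const struct drv *listed, const struct dev *devs, size_t ndevs,
                             const char **out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < ndevs; i++) {
        if (driver_is_listed(listed, devs[i].driver)) continue;
        if (n < max_out) out[n] = devs[i].name;
        n++;
    }
    return n;
}

/* Constructed sample: three drivers on the visible list, one unlinked driver
 * that is still referenced by its device. */
static const struct drv drv_tcpip  = { "\\Driver\\Tcpip",  NULL };
static const struct drv drv_disk   = { "\\Driver\\Disk",   &drv_tcpip };
static const struct drv drv_ndis   = { "\\Driver\\NDIS",   &drv_disk };
static const struct drv drv_hidden = { "\\Driver\\hidden", NULL };      /* unlinked */
static const struct drv *const visible_head = &drv_ndis;

static const struct dev sample_devs[] = {
    { "\\Device\\Tcp",        &drv_tcpip },
    { "\\Device\\Harddisk0",  &drv_disk },
    { "\\Device\\NDIS",       &drv_ndis },
    { "\\Device\\HiddenDev0", &drv_hidden },
};
#define NDEVS (sizeof sample_devs / sizeof sample_devs[0])

size_t demo_orphan_count(void)
{
    const char *names[NDEVS];
    return find_orphaned_devices(visible_head, sample_devs, NDEVS, names, NDEVS);
}

/* Name of the first orphaned device, or "none". */
const char *demo_first_orphan(void)
{
    const char *names[NDEVS];
    size_t n = find_orphaned_devices(visible_head, sample_devs, NDEVS, names, NDEVS);
    return n ? names[0] : "none";
}

int main(void)
{
    printf("%zu orphaned device(s); first: %s\n", demo_orphan_count(), demo_first_orphan());
    return 0;
}
```

The check works because hiding requires breaking only one of several references: the list link can be removed, but the device still has to point at its driver for I/O to keep working, so the dangling back-reference gives the unlinked object away.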


The Application Programming Interface, encapsulated in a DLL, is simple and powerful. The SDK engine provides the full range of professional security suite functions, including but not limited to:

- A flexible system of implementation vectors gives the end user strong security.

- Double-layer packet filter (transport layer and channel layer) can manage and control data packets of all kinds of network protocols quickly, correctly and safely;

- Supports filtering of packets both incoming (to the local machine) and outgoing (packets attempting to leave the local machine), including packets from kernel-mode malicious modules and rootkits;

- Allows filters to be set up by specifying ranges of IPs and ports, specific ranges of system points of interest, and specific behavior models and signatures. Behavior analysis allows detection and prevention of new malicious software (not yet known to antivirus vendors);

- Allows monitors to be set up to block all events by default, or to let all events pass by default;

- Multi-threaded design ensures that a high rate of filtered packets does not interfere with the main thread of your application;

- Allows access to packet filtering via an ActiveX component (usable from any environment that can host an ActiveX component);

- Allows filtering and inline modification of TCP, UDP, ICMP and other protocols;

- Allows filters to be set up by specifying ranges of IPs and ports;

- Allows packet filters to be set up to block all traffic by default, or to let all traffic pass by default;

- Allows filtering of packets both incoming and outgoing;

- Provides IP address identification for all local NICs (multi-homed).
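The rule system described on this page (ALLOW/DENY/CONTENT_BLOCK/CONTENT_MODIFY actions, IP and port ranges, and a block-all or pass-all default), as an added example in C that is not part of the SDK: the rule and packet layouts, the first-match semantics, the same-length constraint on CONTENT_MODIFY and the sample rules are all assumptions made for illustration.

```c
/* Added example: user-mode model of a first-match firewall rule list with the
 * ALLOW/DENY/CONTENT_BLOCK/CONTENT_MODIFY actions named on this page. Rules,
 * packets and the field layout are constructed; nothing here is an SDK type. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum dir { DIR_IN, DIR_OUT, DIR_ANY };
enum verdict { ALLOW, DENY, CONTENT_BLOCK, CONTENT_MODIFY };

struct rule {
    enum verdict action; enum dir dir;
    uint8_t  proto;                     /* 0 = any */
    uint32_t ip_lo, ip_hi;              /* peer address range, inclusive */
    uint16_t port_lo, port_hi;          /* service port range, inclusive */
    const char *pattern, *replacement;  /* CONTENT_* only; replacement keeps the pattern's length */
};
struct packet {
    enum dir dir; uint8_t proto; uint32_t peer_ip;
    uint16_t svc_port;                  /* destination port outbound, local port inbound */
    char *payload; size_t len;          /* mutable: CONTENT_MODIFY rewrites it in place */
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

static int header_matches(const struct rule *r, const struct packet *p)
{
    return (r->dir == DIR_ANY || r->dir == p->dir) && (r->proto == 0 || r->proto == p->proto) &&
           p->peer_ip >= r->ip_lo && p->peer_ip <= r->ip_hi &&
           p->svc_port >= r->port_lo && p->svc_port <= r->port_hi;
}

/* First occurrence of needle in a byte buffer (memmem is not portable). */
static char *find_bytes(char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > hlen) return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Walk the list in order. ALLOW/DENY decide at once; CONTENT_BLOCK decides only
 * when the pattern is present; CONTENT_MODIFY rewrites every match and lets
 * evaluation continue. Returns ALLOW or DENY (the default if no rule decided). */
enum verdict evaluate(const struct rule *rules, size_t n, enum verdict default_policy, struct packet *p)
{
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (!header_matches(r, p)) continue;
        if (r->action == ALLOW || r->action == DENY) return r->action;
        if (r->action == CONTENT_BLOCK) {
            if (find_bytes(p->payload, p->len, r->pattern)) return DENY;
            continue;
        }
        /* CONTENT_MODIFY: a same-length replacement keeps TCP sequence numbers
         * valid, so a rule that would change the length is skipped. */
        size_t plen = strlen(r->pattern), rem = p->len;
        char *cur = p->payload, *hit;
        if (strlen(r->replacement) != plen) continue;
        while ((hit = find_bytes(cur, rem, r->pattern)) != NULL) {
            memcpy(hit, r->replacement, plen);
            rem -= (size_t)(hit - cur) + plen;
            cur  = hit + plen;
        }
    }
    return default_policy;
}

/* Constructed rule list; "block all by default" is the DENY default policy passed to evaluate(). */
static const struct rule demo_rules[] = {
    { DENY,           DIR_IN,  6, 0, 0xffffffffu, 23, 23, NULL, NULL },             /* no inbound telnet */
    { CONTENT_BLOCK,  DIR_OUT, 6, 0, 0xffffffffu, 80, 80, "password=", NULL },      /* no cleartext credentials over HTTP */
    { CONTENT_MODIFY, DIR_OUT, 6, 0, 0xffffffffu, 1, 65535, "Server: Apache", "Server: ------" },
    { ALLOW,          DIR_OUT, 0, IP4(10,0,0,0), IP4(10,255,255,255), 0, 65535, NULL, NULL },
};
#define NRULES (sizeof demo_rules / sizeof demo_rules[0])

enum verdict demo_inbound_telnet(void)
{
    struct packet p = { DIR_IN, 6, IP4(198,51,100,7), 23, NULL, 0 };
    return evaluate(demo_rules, NRULES, DENY, &p);            /* rule 1: DENY */
}

enum verdict demo_credential_leak(void)
{
    char buf[] = "GET /login?password=hunter2 HTTP/1.1";
    struct packet p = { DIR_OUT, 6, IP4(10,1,2,3), 80, buf, sizeof buf - 1 };
    return evaluate(demo_rules, NRULES, DENY, &p);            /* rule 2 fires: DENY */
}

/* Banner rewritten by rule 3, then allowed by rule 4. Returns the payload
 * after evaluation, or NULL if the packet was not allowed. */
const char *demo_banner_scrub(void)
{
    static char buf[] = "HTTP/1.1 200 OK\r\nServer: Apache\r\n";
    struct packet p = { DIR_OUT, 6, IP4(10,1,2,3), 8080, buf, sizeof buf - 1 };
    return evaluate(demo_rules, NRULES, DENY, &p) == ALLOW ? buf : NULL;
}

/* A packet no rule decides falls through to the configured default policy. */
enum verdict demo_unmatched(enum verdict default_policy)
{
    struct packet p = { DIR_OUT, 17, IP4(198,51,100,9), 53, NULL, 0 };
    return evaluate(demo_rules, NRULES, default_policy, &p);
}

int main(void)
{
    const char *b = demo_banner_scrub();
    printf("telnet in: %d, credential leak: %d, unmatched with DENY default: %d\n",
           demo_inbound_telnet(), demo_credential_leak(), demo_unmatched(DENY));
    printf("scrubbed banner: %s", b ? b : "(denied)\n");
    return 0;
}
```

Rule order matters under first-match semantics: placing the broad ALLOW for 10/8 above the CONTENT_BLOCK rule would let the credential leak through, which is why the content rules come first and the permissive rule last.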

© Copyright 2009-2020 FXSEC LTD - All Rights Reserved