Compile-A-Virus, FileFeeds: a Solution

The idea started with the advent of a new kind of virus, commonly called Compile-A-Virus, which compiles itself into one of the system units of a certain programming language. Nowadays the most famous one is W32/Induc-A, which targets old versions of Delphi, but there are other malware families in the same category that target other platforms. One of the most targeted platforms today is .NET (since as early as 2002), for which there are even tools and videos (!) on how to do it.

Of course, there are antivirus products that provide a certain level of protection against such malware, but we thought that a solution dedicated specifically to this problem would be much better, because it would be bulletproof (even against zero-day attacks) and would not slow down the system the way an antivirus does. On top of that, locking the files also prevents accidental deletion or overwriting.

Also, having such an engine to watch our precious files (not only on our own computer but also on the LAN, because we are a team, right?), we thought we needed a File Feed mechanism: a central point to monitor, and to execute different actions on, the files that were changed (or added) in the watched folders, whether on the LAN or on our personal computer. We also saw that this improves cooperation between different teams (a lot, sometimes), because there is no longer any need to send a dozen documents through e-mail, or to phone or chat between offices to announce that a certain Excel spreadsheet was updated.
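To make the two ideas above concrete (watched paths with a "Locked" property, and a "file feed" listing what was added, changed or removed), here is an added example of a minimal file-integrity monitor. It is not the FileFeeds tool's own code and does not reflect its implementation: the names `WatchRule`, `snapshot`, `lock`, `feed` and `run_demo` are hypothetical, the sample files are constructed inline, and "locking" is approximated by clearing the write permission bits, which ordinary processes respect but a privileged process can bypass.

```python
"""Added example (not the FileFeeds project's code): watch a folder for a
file pattern, report a 'feed' of added/changed/removed files by comparing
SHA-256 snapshots, and optionally 'lock' matching files read-only."""
from __future__ import annotations

import fnmatch
import hashlib
import shutil
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


@dataclass
class WatchRule:
    root: Path            # directory to watch (recursively)
    pattern: str = "*"    # glob on the file name, e.g. "*.exe"


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _matching(rule: WatchRule):
    for p in sorted(rule.root.rglob("*")):
        if p.is_file() and fnmatch.fnmatch(p.name, rule.pattern):
            yield p


def snapshot(rule: WatchRule) -> dict[str, str]:
    """Map relative path -> SHA-256 for every file matching the rule."""
    return {str(p.relative_to(rule.root)): _digest(p) for p in _matching(rule)}


def lock(rule: WatchRule) -> list[str]:
    """Clear the write bits on matching files (the 'Locked' property idea)."""
    locked = []
    for p in _matching(rule):
        p.chmod(p.stat().st_mode & ~WRITE_BITS)
        locked.append(str(p.relative_to(rule.root)))
    return locked


def feed(before: dict[str, str], after: dict[str, str]) -> list[tuple[str, str]]:
    """The 'file feed': (event, relative path) for every difference."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append(("added", rel))
        elif rel not in after:
            events.append(("removed", rel))
        elif before[rel] != after[rel]:
            events.append(("changed", rel))
    return events


def run_demo() -> dict:
    """Constructed scenario in a temporary folder (sample files, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="filefeed_demo_"))
    rule = WatchRule(root=root, pattern="*.exe")
    (root / "app.exe").write_bytes(b"MZ-app-v1")
    (root / "tool.exe").write_bytes(b"MZ-tool-v1")
    (root / "notes.txt").write_text("meeting notes")

    baseline = snapshot(rule)

    # What the feed is meant to surface: one watched file is rewritten and a
    # new *.exe appears; notes.txt also changes but is outside the pattern.
    (root / "tool.exe").write_bytes(b"MZ-tool-v1-appended")
    (root / "dropper.exe").write_bytes(b"MZ-new")
    (root / "notes.txt").write_text("meeting notes, updated")
    events = feed(baseline, snapshot(rule))

    # Now lock the matching files and check the write bits are really gone.
    locked = lock(rule)
    still_writable = [rel for rel in locked
                      if (root / rel).stat().st_mode & WRITE_BITS]
    # A plain overwrite should fail now; a privileged process can still
    # bypass permission bits, so this is reported rather than relied upon.
    try:
        (root / "app.exe").write_bytes(b"overwrite")
        overwrite_blocked = False
    except PermissionError:
        overwrite_blocked = True

    shutil.rmtree(root, ignore_errors=True)
    return {"events": events, "locked": locked,
            "still_writable": still_writable,
            "overwrite_blocked": overwrite_blocked}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The feed compares content hashes rather than timestamps, so a file rewritten with its original size and mtime preserved still shows up as "changed"; in a real deployment the baseline would be persisted and the comparison run on each change notification rather than on a full rescan.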

Anyway, we decided to make this internal project public because we think you may find it useful too. Beware: the program is in Beta, so feel free to give us feedback about bugs, feature requests and usability issues.

For this beta stage we have put it (temporarily) here. Are you interested? Update: Thanks to all for the feedback! Soon we’ll have something to look at…

Download & Feedback.

3 thoughts on “Compile-A-Virus, FileFeeds: a Solution”

  1. My computer caught the VIRUT virus (“Virut” is a family of polymorphic memory-resident appending file infectors that have Entry Point Obscuring (EPO) capabilities. Viruses belonging to this family infect files with .EXE and .SCR extensions. All viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers”. F-Secure). VIRUT affected ALL of my EXE files – that is, many thousands on three disks.

    None of those exes was working after the infection. My computer was about dead. I tried many antiviruses and only the Dr.Web LIVE CD antivirus fixed them all – every single exe was back to life … and among them hundreds of Delphi-built exes. Not all of the Delphi-built exes were fixed: Delphi Win32 .exe files only, none of the Delphi .NET .exes. Those files were not fixed even after I restored the .NET framework.

    • Yes, the well-known problem of antiviruses. With our tool you could (at least) protect your critical system files from being infected by adding e.g. C:\Windows\*.exe to the watched paths and setting the ‘Locked’ property to ‘True’. Btw, locking a large number of files (once locked) doesn’t have any impact on the computer’s speed (no CPU hog, no HDD thrashing etc.).

      Also, by enabling ‘File Feeds’ you will observe suspicious activity, because the program will tell you that a bunch of *.exe files were about to change. And don’t be afraid to watch a big folder: everything is real time. We currently use the tool internally to watch over different folders, and everything works in real time. For example, one of the folders, which is on our LAN and shared with anyone (but I think only approx. 30-40 users are on it simultaneously), has at the time of writing 43550 files in 2624 folders, 55 GB in total (I don’t know if it is the biggest folder; it is just the first example that came to mind), and there is no delay whatsoever in seeing who changes what inside. Of course, everybody can have a copy of the program on his workstation to watch what happens inside.
