Today I've tested a lesser-known security tool, Patriot NG 1.1 from www.security-projects.com. Maybe the program is less known because it's in Spanish, not yet translated into English, though all the options and settings are very easy to understand for a native English speaker. The program resides in the system tray, from where you can access its main options via the context menu (right click). The Control Panel, named "Panel de Control" in Spanish, is very simple and intuitive.
As you may already have guessed, the program watches the sensitive areas of your Windows system for alterations, alerting the user when a program tries to open a new connection to the Internet or to change something in the registry or in the areas of the system most targeted by trojans: startup entries, the hosts file, Internet Explorer configuration and so on. A message window appears, letting the user either discard the change (or connection) or allow it.
You can choose which options the program works with, and which areas of the system and which actions it must monitor:
- Modifications in the registry (startup entries);
- New files created in the StartUp folder;
- Newly created system users;
- Newly installed services;
- Changes in the hosts file, preventing unwanted browser redirections;
- New scheduled tasks;
- Changes in Internet Explorer configuration and settings, which guards against browser hijacking and malicious BHOs (Browser Helper Objects);
- Creation of hidden command-line windows, mainly used by rootkits;
- NetBIOS (Network Basic Input/Output System) connections;
- NetBIOS processes and shares;
- Protection of the TCP/IP stack (monitoring of TCP/IP connections);
- Files in sensitive folders, such as system32, which as you know is the Windows core;
- Newly installed drivers.
The user is alerted every time a new connection is made, with the IP address and port used for the connection shown in the alert.
The program can fairly be categorized as a host-based IDS (Intrusion Detection System), something more and more needed nowadays, when we are facing new and more advanced Internet threats.
However, I tested the program with an advanced tool able to simulate a trojan installation on the system, including injection into legitimate processes. With all the options checked, Patriot NG failed to detect the main "trojan" component dropped in the system32 folder, although another component, a DLL, did trigger an alarm.
At the same time, the program also failed to detect a lesser-known start-up entry created in the registry, the so-called "ActiveX start-up", which has been in use since the old days of the SubSeven trojan. This entry is easy to reveal with Autoruns from sysinternals.com, for example, and lives under the "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" keys (the StubPath value of each subkey is executed once per user at logon). Likewise, the reverse connection initiated to imitate a trojan's preferred way of communicating with its Command & Control server was missed.
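Since the list of monitored areas above and the missed Active Setup entry both come down to "what is registered to run on this machine, and has it changed?", here is an added PowerShell example of a do-it-yourself baseline-and-diff check covering those same locations. It is not part of Patriot NG or of the original post, and it assumes a modern Windows (8 / Server 2012 or later) with PowerShell 5.1, where Get-ScheduledTask and Get-LocalUser exist, run from an elevated prompt so that HKLM and the all-users locations are readable. The file name baseline.txt is just a placeholder.

```powershell
# Added example (not Patriot NG code): snapshot the autostart locations a trojan
# typically abuses, then diff a later snapshot against the saved baseline.
# Assumes PowerShell 5.1 on Windows 8+/Server 2012+, run elevated.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# The "ActiveX start-up" location: each subkey's StubPath runs once per user at logon.
$ActiveSetupKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
# Properties the registry provider adds to every Get-ItemProperty result; not real values.
$ProviderProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartSnapshot {
    $items = New-Object System.Collections.Generic.List[string]

    # Run / RunOnce values, one line per value name
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notin $ProviderProps) { $items.Add("Run|$key|$($p.Name)=$($p.Value)") }
        }
    }

    # Active Setup Installed Components with a StubPath
    if (Test-Path $ActiveSetupKey) {
        foreach ($sub in Get-ChildItem -Path $ActiveSetupKey) {
            $stub = (Get-ItemProperty -Path $sub.PSPath).StubPath
            if ($stub) { $items.Add("ActiveSetup|$($sub.PSChildName)|$stub") }
        }
    }

    # Per-user and all-users Startup folders
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path -and (Test-Path $path)) {
            Get-ChildItem -Path $path -File | ForEach-Object { $items.Add("StartupFolder|$($_.FullName)") }
        }
    }

    # Services and kernel drivers, with the binary each one points to
    Get-CimInstance Win32_Service      | ForEach-Object { $items.Add("Service|$($_.Name)|$($_.PathName)") }
    Get-CimInstance Win32_SystemDriver | ForEach-Object { $items.Add("Driver|$($_.Name)|$($_.PathName)") }

    # Scheduled tasks: one line per action (program + arguments)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $items.Add("Task|$($task.TaskPath)$($task.TaskName)|$($action.Execute) $($action.Arguments)")
        }
    }

    # Local user accounts
    Get-LocalUser | ForEach-Object { $items.Add("User|$($_.Name)|Enabled=$($_.Enabled)") }

    # hosts file: keep the active (non-comment) lines so the diff shows the exact redirect added
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hosts) {
        Get-Content -Path $hosts | Where-Object { $_ -match '^\s*[^#\s]' } |
            ForEach-Object { $items.Add("Hosts|$($_.Trim())") }
    }

    $items | Sort-Object -Unique
}

function Compare-AutostartSnapshot {
    param([string]$BaselineFile)
    $baseline = @(Get-Content -Path $BaselineFile)
    $current  = @(Get-AutostartSnapshot)
    # '=>' marks entries present now but absent from the baseline; '<=' the reverse.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
}

# Usage (baseline.txt is a placeholder path):
#   Get-AutostartSnapshot | Set-Content -Path baseline.txt        # on the clean system
#   Compare-AutostartSnapshot -BaselineFile baseline.txt          # after the suspicious install
```

Run the first command on a clean system and the second after installing anything you do not fully trust: a new line tagged ActiveSetup, Task or Driver is exactly the kind of entry the review found Patriot NG missing, and the diff tells you what to look up in Autoruns.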
As a final word, Patriot NG runs on any 32-bit version of Microsoft Windows and can be a good complement to your antivirus, though it lacks some features indispensable to a good security tool: a list of all connections (IP:port) made by the computer, the ability to write a log file, and a process list window.
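The connection alerts described earlier and the missing connection list and log file can be covered with a small watcher of your own. The following is an added PowerShell example, not Patriot NG code and not from the original post; it assumes Windows 8+/PowerShell 5.1 (Get-NetTCPConnection) and writes to a placeholder log path under %TEMP%.

```powershell
# Added example (not Patriot NG code): poll the TCP connection table, report every
# new remote endpoint together with its owning process, and append it to a log file.
# Assumes Get-NetTCPConnection (Windows 8+); $LogPath is a placeholder location.

$LogPath = Join-Path $env:TEMP 'connections.log'

function Get-ConnectionTable {
    # Outbound trojan traffic (a reverse connection to a C&C) shows up as Established
    # or, while it is still connecting, SynSent; loopback and wildcard peers are skipped.
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1', '0.0.0.0', '::' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '?' }
            [PSCustomObject]@{
                Key     = "$($_.OwningProcess)|$($_.RemoteAddress):$($_.RemotePort)"
                Process = $name
                Pid     = $_.OwningProcess
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
            }
        }
}

function Watch-Connections {
    param([int]$IntervalSeconds = 1)
    $seen = @{}
    foreach ($c in Get-ConnectionTable) { $seen[$c.Key] = $true }   # current connections are the baseline
    Write-Host "Baseline: $($seen.Count) connections. Logging new ones to $LogPath"
    while ($true) {
        Start-Sleep -Seconds $IntervalSeconds
        foreach ($c in Get-ConnectionTable) {
            if ($seen.ContainsKey($c.Key)) { continue }
            $seen[$c.Key] = $true
            $line = "{0:s} NEW {1} (pid {2}) {3} -> {4} [{5}]" -f (Get-Date), $c.Process, $c.Pid, $c.Local, $c.Remote, $c.State
            Write-Host $line
            Add-Content -Path $LogPath -Value $line
        }
    }
}

# Usage: Get-ConnectionTable | Format-Table    # the IP:port list the review asks for
#        Watch-Connections                     # Ctrl+C to stop; new endpoints are logged
```

One caveat a practitioner should keep in mind: this is polling, so a connection that opens and closes inside one interval will not be seen. A reverse connection that only beacons briefly is exactly the case a kernel-level filter catches and a polling script can miss, which is why the page's complaint about the missed reverse connection matters.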
Though I find this program very promising, I'd rather catalogue it at this stage of development as "unfinished", but it is definitely worth a try, adding an extra layer of security to your system.
Keep safe!