NetBalancer: should you trust it?

kao

Last few months people kept bashing antivirus and security software in general. Like on Twitter or their personal pages. Sure, Twitter is full of opinionated idiots who just love to complain about everything that doesn't match their point of view. On a few occasions they are right and even I have written about some of the issues with antiviruses before.

But!

But you'd be f*king stupid to delete your antivirus just because it has some bugs. Doorlocks get picked by criminals every day and people still use them. Professional lockpickers do exist - it's their job to break lock's security mechanism and get you back in the house when you lose your keys. Tavis Ormandy is a professional lockpicker - only he works in the digital world. It's his job to break digital security mechanisms and help vendors to fix the issues.

Having said that, not all software is created equal. Sometimes new and dangerous features get added to an otherwise great software. These features look good on paper but they can really ruin someone's day. Today, I'll demonstrate one such feature.

Introducing SeriousBit NetBalancer

NetBalancer is a Windows application for local network traffic control and monitoring. It shows you the network traffic on your computer and helps you to set limits, priorities and rules for that traffic. Some sort of a firewall - but better. It can prioritize your traffic, schedule it for specific times, do statistics, make graphs and charts and what not. And it looks really good!

Predefined Priorities

NetBalancer's Predefined Priorities is a feature that looks great on paper.

For those of you who are not sure what priorities are best for your PC we decided in NetBalancer 8.5 to add some predefined priorities.
These priorities include the most used programs and processes, currently about 1700 total (and counting), and are set to match the needs of most users

It could be used for virtually everything:

  • giving high priority to VoIP applications and games
  • making sure background processes (eg. software updaters) don't interrupt your Youtube experience
  • and even blocking malware

The possibilities are endless. In fact, virtually all of the antivirus products use similar databases to preconfigure their firewalls. It makes total sense after all!

However, the devil is in the details. All such databases must be maintained. New version of Skype comes out, you need to update database. League of Legends releases new update, you must update the database. And you must do it very fast, so that your users don't suffer from misbehaved firewall. It's a lot of work.

Since NetBalancer is made by a small company called SeriousBit SRL, I was naturally curious how they manage to do that. 🙂

Inside Predefined Priorities

First, I needed to obtain the complete database of the priorities. You could try to find something in C:\ProgramData\SeriousBit\NetBalancer\ but it would be more interesting to find and download correct files for the official servers, right? 🙂 After a quick string search, I learned that priorities can be downloaded from https://netbalancer.com/api/internal/predefinedpriorities. It's a huge JSON file but isn't encrypted or signed in any way.

That's a serious red flag right there. Security companies vigorously protect their databases - it's their know-how, their crown jewels. And they use digital signatures to make sure that the databases aren't tampered with. After all, which developer wants to see his product in news like "MalwareBytes: multiple security issues"? 🙂

OK, in this case JSON file is downloaded over HTTPS, therefore it's slightly harder to intercept traffic and modify it. So, let's ignore this issue for a moment and look at the JSON data instead.

In a minute or two, I was in the full "WTF?" mode.

Here's an excerpt from the JSON, prettified for easier viewing:

{
    "$type": "Events.PredefinedPriority, Events",
    "ExeNameCrc": 1772190657,
    "Priority": {
      "$type": "Events.AppPriorityInfo, Events",
      "AdapterId": -1521929413,
      "ExecutablePath": "driver.okaya.g200l.rar",
      "DownloadPriority": "High",
      "UploadPriority": "Normal",
      "DownloadLimit": 30000,
      "UploadLimit": 30000,
      "DownloadDelay": 0,
      "UploadDelay": 0,
      "DownloadDelayJitter": 0,
      "UploadDelayJitter": 0,
      "DownloadDropRate": 0.0,
      "UploadDropRate": 0.0,
      "PerConnectionLimits": false
    }
  },
...
{
    "$type": "Events.PredefinedPriority, Events",
    "ExeNameCrc": 3944917558,
    "Priority": {
      "$type": "Events.AppPriorityInfo, Events",
      "AdapterId": 2089926557,
      "ExecutablePath": "msi1f5.tmp",
      "DownloadPriority": "High",
      "UploadPriority": "Normal",
      "DownloadLimit": 30000,
      "UploadLimit": 30000,
      "DownloadDelay": 0,
      "UploadDelay": 0,
      "DownloadDelayJitter": 0,
      "UploadDelayJitter": 0,
      "DownloadDropRate": 0.0,
      "UploadDropRate": 0.0,
      "PerConnectionLimits": false
    }
  },

Setting high priority for RAR and TMP files.. More than 2000 entries like that? WTF?

How about this?

{
    "$type": "Events.PredefinedPriority, Events",
    "ExeNameCrc": 4213633860,
    "Priority": {
      "$type": "Events.AppPriorityInfo, Events",
      "AdapterId": -118159810,
      "ExecutablePath": "sexual babe receives screwed - xnxx.com.flv",
      "DownloadPriority": "High",
      "UploadPriority": "Normal",
      "DownloadLimit": 30000,
      "UploadLimit": 30000,
      "DownloadDelay": 0,
      "UploadDelay": 0,
      "DownloadDelayJitter": 0,
      "UploadDelayJitter": 0,
      "DownloadDropRate": 0.0,
      "UploadDropRate": 0.0,
      "PerConnectionLimits": false
    }
  },

Yes, I want to download my porn with a high priority, thank you very much!

But how on earth that got through the QA process? Is there any QA process in SeriousBit SRL? I highly doubt that..

Unsolicited user data gathering

All those entries made me think - how is it possible that NetBalancer's database contains such crap information? Most obvious answer was - it's submitted by users. To verify the guess, I took a sneak peek inside SeriousBit.NetBalancer.Core.dll. And there it was:

  public static void smethod_1(bool bool_0)
  {
    try
    {
      ...
      using (WebClient webClient = new WebClient())
      {
        NameValueCollection expr_77 = new NameValueCollection();
        expr_77["priorities"] = gparam_.smethod_0(true);
        NameValueCollection data = expr_77;
        bytes = webClient.UploadValues("https://netbalancer.com/api/internal/predefinedpriorities", "POST", data);
      }
    catch (Exception arg_126_0)
    {
      GClass48.smethod_11(arg_126_0, "LoadFromWww", "C:\\wrk\\seriousbit\\netb\\deskapp\\src\\SeriousBit.NetBalancer.Core\\Priorities\\PredefinedPrioritiesTable.cs", 91);
      if (bool_0)
      {
        throw;
      }
    }
    finally
    {
      GClass51.smethod_1("LastPredefinedPrioritiesLoaded", DateTime.Now);
    }
  }

The call is coming from here:

        if (GClass51.smethod_0("PredefinedPrioritiesEnabled", false, true) && GClass51.smethod_0("LoadPredefinedPrioritiesAutomatically", true, true) && GClass51.smethod_0("LastPredefinedPrioritiesLoaded", DateTime.MinValue, true) < DateTime.Now.AddDays(-7.0))
        {
          GClass30.smethod_1(false);
        }

There you have it - if you have enabled "Predefined Priorities", NetBalancer will also silently upload all your priorities to their servers.

Want to wreak some havoc with unsuspecting users of NetBalancer? Post your own JSON file that blocks all traffic for all the browsers - apparently NetBalancer doesn't validate user submissions and will happily distribute them to other users. 😀

Abusing existing database

I was also wondering what is the meaning of ExeNameCrc field. 🙂 Turns out that NetBalancer uses CRC32 of filename as a key in the dictionary that manages process priorities To make matters easier, they also supply you with a proper filename in ExecutablePath field. So, if you want to make sure your malware has unlimited traffic and high download priority, just name it swarm.exe:

{
    "$type": "Events.PredefinedPriority, Events",
    "ExeNameCrc": 1475648703,
    "Priority": {
      "$type": "Events.AppPriorityInfo, Events",
      "AdapterId": 1630508967,
      "ExecutablePath": "swarm.exe",
      "DownloadPriority": "High",
      "UploadPriority": "High",
      "DownloadLimit": 0,
      "UploadLimit": 0,
      "DownloadDelay": 0,
      "UploadDelay": 0,
      "DownloadDelayJitter": 0,
      "UploadDelayJitter": 0,
      "DownloadDropRate": 0.0,
      "UploadDropRate": 0.0,
      "PerConnectionLimits": false
    }
  },

Indeed, CRC32("swarm.exe") = 1475648703, as you can verify in some online CRC32 calculator..

A quick test confirms that too:

Conclusion

Trust is a delicate subject. On the one hand, all the Cloud and Connected things make your life much easier. On the other hand, you must choose wisely who you trust and what data he/she can access. I doubt that SeriousBit intentionally created such buggy and dangerous feature in NetBalancer. But that doesn't mean I would ever want it to be running on my machine!

Have fun and stay safe!

One month with Avast

kao

I've written about my troubles with Bitdefender AV solution before.. XXXX So, when my Bitdefender license expired, I was happy to switch to a different solution. I picked AVAST. In this post I'll try to summarize my my impressions after using it for one month.

Setup

Bitdefender 2016 insisted on me creating user account for their cloud management crapshoot before I was actually able to get installer and install the software.

On the contrary, Avast's setup was a snap. One, two, pick components, done.
01-setup
One minor issue I noticed - I'm quite sure Avast setup did not respect my choices and installed more components than I selected in the setup dialog. Or maybe I mis-clicked one checkbox. I'll give them a benefit of doubt.

Avast - 1 : Bitdefender - 0.

User Interface

After all-dark-and-depressing Bitdefender UI, Avast feels much more brighter, colourful and cheerful. It feels much snappier and faster as well. Everything seems to be intuitive and easy to find.

Avast - 1 : Bitdefender - 0.

Configuration

Avast has all its settings in one place. Bitdefender requires you to open each component separately to access its settings. Avast would be a clear winner here, but..

But good luck trying to find which apps are allowed or blocked by Avast firewall!

Firewall configuration is under "Settings", just like you would expect. From there you can configure "System rules" and "Packet rules". However, you won't find allowed/blocked applications there. Instead, you need to go to Tools->Firewall and locate teeny tiny "Application rules" hidden between "Firewall logs" and "Settings". WTF?
02-firewall-apps

Taking that into account: Avast - 1/2 : Bitdefender - 1/2

Updates

Both antiviruses handle normal updates very well. No ads, no popups, no annoyances of any kind. Avast seems to have sort of ad hoc streaming updates 24/7 - or at least, that's what the Statistics tabs shows:
03-stats

However... Today my Avast received a different kind of update that required restart. From what I can tell, this update replaced most of EXE/DLL files in the %PROGRAMFILES%\AVAST Software\Avast\ folder. After restart, my PC got stuck in semi-working state, services.exe and svchost.exe eating most of the CPU resources and Avast showing "try our new-and-cool-whatever-thing-I-don't-give-a-crap-about" advertisement. In addition to that, Avast claimed that it's firewall module cannot be started.

Few "repair installation" and Windows restarts later the problem disappeared. As a side effect - all my carefully set privacy settings were reset to defaults, "show offers for other Avast products" was enabled again and all File System Shield exceptions are gone.

Even though I really enjoy invisible 24/7 updates of Avast, I have to reduce Avast's score due to this major f*ckup.

Avast - 0 : Bitdefender - 1

Bugs and issues

As I described earlier, Bitdefender was far from being perfect. On the contrary, my first impressions of Avast were extremely positive. Great setup, aesthetically pleasing UI, plenty of user-configurable settings. Everything I could ask for!

However, first few weeks of using Avast has been nothing but a source of frustration.

Issue #1 - I've configured File System Shield to scan files only on execute. All scans on write or access are disabled for executable files using Avast's UI.
04-avast-no-write-scan
05-avast-no-access-scan
However, any time I copy-paste suspicious executable files from one PC to another using Remote Desktop Client, Avast File System shield pops up and blocks the copy operation. WTF?!

06-detect-on-copy-paste

Issue #2 - There is no "Beggar off, I know what I'm doing" option in the detection dialog, even for heuristic detections. The previous issue wouldn't be a big one, if I had a possibility to dismiss detections dialog and continue copying files. But I can't.
07-no-ignore
So, the only option for me is to disable File System Shield completely. That kinda defeats the purpose of having the antivirus, doesn't it?

Issue #3 - Myriad of "Win32:Malware-gen" and "Win32:Evo-gen [susp]" detections.
In effort to reduce number of false positives, I've set the heuristics and HIPS sensitivity to "Low". But even then Avast keeps producing plenty of detections on clean files like Goliath obfuscator, ScyllaHide and other reversing tools.

Issue #4 - Leaving statistics tab open for a long time will cause the CPU usage to go high. No idea what causes it, probably the braindead decision to use embedded Chromium and Flash to show the pretty graphs and stuff.

Taking all that into account: Avast - 1/2 : Bitdefender - 1/2

Summary

Avast is a great product - for your grandma's or neighbour's PC. But if you ever work with malware, cracked files or anything remotely suspicious, Avast's super-sensitive File System Shield will drive you mad.

I'll give it one more shot and try to tweak configuration files manually. But if I can't make it play nice, I'll be looking for a different solution for my PC.

Why do most antiviruses suck?

kao

Mandatory disclaimer - all views in this article are my own and in no way represent views of my employer or my coworkers.

Last few weeks I noticed several gposts about antiviruses, False Positives and how bad the situation is. For example, this essay from atom0s and this complaint (reg required) by mudlord. And then there is this epic rage by evlncrn8. 🙂

To understand why antiviruses work this way, you need to consider plenty of factors. So, let's take a quick look.

Why make antiviruses?

It usually starts with a group of skilled guys wanting to save the world. They make a great product, people like it, company makes some money, more people like the product, company grows even more and so on..

But as company grows, priorities change. The bigger and more popular the company gets, the more managers and investors it attracts. Those guys usually have no clue about technology behind antivirus. And they don't care about technology, they only see numbers and dollar signs everywhere.

And then the primary goal of company changes to making profit for shareholders.

What's with the UI?

Let's face it - readers of my blog are not the usual antivirus users. Antiviruses are used by everyone - from extremely skilled IT geeks to Granma Millie living in the retirement home. And this causes second biggest problem - big companies cannot make product just for skilled IT geeks, as nobody else will be able to use it. You can't make a product for the average user either. You need to make something that even Granma Millie can use.

And that's why most software products in recent years get dumbed-down - managers think that they need to do "inclusive designs" - so even the most retarded of users can use the product.

New shiny features.

One of the most common complaint I hear is that all antivirus products are becoming a huge bloatware. There are several reasons for that. First, product managers just don't know any better.They look at all competitors - if Company A has feature X, you need to have feature X, no matter if it actually makes sense or not. Second reason is that company somehow needs to sell new version of product. You can't say - this version is the same as the old one, we just changed colours and moved buttons around. No, you need to have something like "New version, now with features Z and Q!"

It's not the best way but it's certainly the easiest!

AV reviews and tests.

When you are purchasing a new car, you probably search for the reviews online. You probably do the same when you decide to move to new city, plan your vacation or make any other big decision. That's just normal.

And it's the same with antiviruses - most people will either get a recommendation from someone they trust, or they'll search for reviews online. So, the companies need to invest a lot in PR and make sure their product looks good in tests and reviews.

Testing methodologies most of the times are not representative of any real-life experience of ordinary users. Testers take whatever pieces of malware they can find and test AV products against them. They don't distinguish between different types of malware, sample prevalence or geographical distribution.

I'm sure you feel much safer knowing that your antivirus protects you against a worm that is distributed only through Chinese QQ messenger, or that very nasty banker attacking only Brazilian banks. Don't you?

To test False Positive rate, testers check number of files from popular download sites like CNET, Softpedia or PCWorld, or collected from European SMB companies. Of course, AV companies do the same thing and try to make sure they have no false positives on those sites. But if you're a small software dev and distribute your software using other means, or don't target SMB companies - well, bad luck. False Positive on your file doesn't influence test results. 🙂

It's a load of crap - but every company is still doing it because lots of potential users rely on such "tests" before buying antivirus. Some companies even cheat in tests.

Automation and big data.

Number of new malware and other crap these days is increasing exponentially. According to McAfee Quarterly Threat reports, ~4 million new malware samples appeared in the Q1 2009, ~7mil in the Q1 2012, ~32mil in Q1 2014 and ~48mil in Q1 2015.

Think about it. How can you process 48'000'000 samples?

The answer is simple - automation, automation and more automation. Malware classification is hugely automated process. Does the file look weird? Does it do weird things? Was it sent out in a spammy email? Is it encrypted to prevent automated analysis? Was it protected using stolen Themida? Do other antiviruses think it's bad? Game over, classified as bad!

Sure, sometimes some legitimate software gets classified as bad. In this scale, it's bound to happen.

If automation is not able to classify file, malware researchers will need to analyze it manually. This is where big data software, statistical models and cluster analysis come in. They alert researchers to traffic anomalies, suspiciously similar thousands of files and other "interesting" stuff. Files get prioritized based on prevalence, number of users affected and other factors. And, of course, the bigger the issue, the faster it gets attention from a real human being.

So, if your legitimate software is classified as bad and it affects all your 50 users - it's not because AV company hates you or your product. Really, they don't hate you. They just don't know you even exist. So, the sooner you let the AV company know about the problem, the sooner they will fix the issue.

But hiding your head in sand and saying "I don't have to time to play a cat and mouse game with anti-virus companies" will get you nowhere.

Are we all doomed?

Think about the points I just made. Your product needs to bring company money. You need to make a product Granma Millie can use. Your product needs to behave well in tests. Given the requirements, no matter how skilled the developers and researchers are, the end product will be...

Well, it will be just like the product you're getting now - dumbed-down, feature-bloated money-making piece of software that fares reasonably well in artificial tests.

You're living in the era of globalization and money-making corporations. Deal with it.