Auckland developer Zsolt Pardi is releasing a freeware security tool for Windows NT/2000/XP which he claims will guard systems “against attacks from viruses and [prevents] harm from other malicious software”.
Called Zolt Security Monitor, the program works by monitoring the file system I/O of processes. It does so by installing a filtering device driver, which stops unauthorised programs from creating and modifying executable files (for instance, .vbs, .js, .bat, .ocx and .exe files).
The ease with which any process can create any type of file even in crucial system areas has been the focus of much criticism of Microsoft’s security model in Windows NT/2000/XP. Pardi, who says he has been developing Windows software for 10 years, has contacted Microsoft about his application.
However, Microsoft has to date shown little interest in the Zolt Security Monitor. Pardi says Microsoft isn’t keen on the program, as it uses “undocumented API calls to access low-level system functions”, but he hopes the company will take notice eventually, and perhaps even support his development efforts.
Pardi says “the application is a first step towards developing a full antivirus suite” and thinks it has the potential “to save users a lot of money, especially small businesses which might not otherwise be able to afford the very expensive commercial licences for security software”.
As this is a first version, Pardi warns that the program is a work in progress and “not perfect”. It is available as a small (572KB) download here.
Computerworld received a copy of Zolt Security Monitor, and tested it briefly. The program installs itself as a system service (reboot required), and runs unobtrusively in the background with moderate memory requirements – Task Manager reported 1300KB memory usage.
The user interface for Zolt is simple and clean, with a tabbed dialogue box for the settings, and a well-written Help file. It should offer the option to install a System Tray icon, however, so users can see whether or not Zolt is running.
As Pardi promises, the program prevents unauthorised processes from creating certain files. I tried creating a file with a .vbs extension in %windir%\system32, using Notepad, and Zolt intercepted the file save process instantly.
However, the program looks at the extension of the file, and not the actual file contents. The file I created wasn’t a malicious VBS script, just a simple text file. Also, Zolt asked to reboot the system “for maximum security” after interception, which is a bit excessive. Oddly enough, Word .doc and .dot files weren’t monitored, nor were .htm and .hta files.
You can add a maximum of five programs that are allowed to create executable files, and add and delete file extensions which are banned or permitted, via a control panel. Zolt also has to be used for installing and uninstalling programs (as these create and modify system files), which is a bit cumbersome.
Pardi says Zolt Security Monitor isn’t a replacement for antivirus utilities but a complement to them, and Computerworld agrees. As a freeware utility that adds another layer of security (at the cost of some convenience), Zolt delivers on its promises.
While the program is a good start, simply looking at file name extensions isn’t enough: innocuously named malware could slip through the security net that way, which is why most antivirus software filters on file content instead.
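To make that gap concrete, here is an added Python example (not part of the article, and not Zolt’s code) that applies an extension-only rule like the one described beside a content check for the Windows PE executable header; the banned-extension list is the article’s, and the file names and bytes are constructed samples.

```python
import struct

# Extensions the article says Zolt blocks by default (constructed policy
# based on the review; the product's full list is not given on the page).
BANNED_EXTENSIONS = {".vbs", ".js", ".bat", ".ocx", ".exe"}


def blocked_by_extension(filename: str) -> bool:
    """Extension-only rule, as the reviewed tool applies it."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in BANNED_EXTENSIONS


def looks_like_pe(data: bytes) -> bool:
    """Content rule: a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points
    at a 'PE\\0\\0' signature, i.e. a Windows executable regardless of name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> tuple:
    """Return (extension verdict, content verdict) for one would-be file."""
    ext_verdict = "blocked" if blocked_by_extension(filename) else "allowed"
    content_verdict = "executable" if looks_like_pe(data) else "benign"
    return ext_verdict, content_verdict


def build_minimal_pe() -> bytes:
    """Constructed 68-byte blob with a valid MZ/PE header layout (not runnable)."""
    blob = bytearray(0x44)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob)


SAMPLE_PE = build_minimal_pe()

# Constructed cases mirroring the review: a harmless text file saved as .vbs,
# a PE image under an innocuous name, and a plainly named executable.
SAMPLES = {
    "note.vbs": b"hello world",
    "report.txt": SAMPLE_PE,
    "tool.exe": SAMPLE_PE,
}


def demo() -> dict:
    """Run both rules over the samples; the .txt case shows what extension
    filtering alone misses and what a content check catches."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}
```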
Installing system device drivers from untrusted sources is something that makes most Windows sysadmins nervous, and Zolt Security Monitor isn’t code-signed (understandably for freeware).
We didn’t test the program with antivirus utilities running due to time pressure, so we can’t say how well Zolt Security Monitor will co-exist with these.