Skip to content
pierreroger6466 edited this page Oct 25, 2022 · 31 revisions

Welcome to the Wiki!

We at SitinCloud strongly believe that cybersecurity products should always be open-source:

  1. Critical decisions about your company cybersecurity strategy cannot be based only on marketing propaganda
  2. Interface the software with third-party tools, or even customize it, should be easy, or at least possible
  3. Check the software does not add a new vulnerability to your organisation is critical. This cannot be done with closed sources products whose vulnerabilities are only known from attackers (see our blog for a real life example involving fortinet)

Owlyshield is an open-source AI-driven behaviour based antivirus engine written in Rust. As of now, the model was specifically trained to detect and kill ransomwares but we think this technology can be used in a more general way to detect other malwares categories.

How to install the free edition ?

Start by checking which is the latest realease here: https://github.com/SitinCloud/Owlyshield/tags and click on the Download icon to get the installer.

Installation

Here is a direct link to the v1.0.1 release: https://github.com/SitinCloud/Owlyshield/releases/download/v1.0.1/owlyshield-ransom-community_v1_0_1_sig.exe

For the moment your Windows system may still say you that, as the Owlyshield installer is not frequently downloaded, it may be dangerous so you should discard it. Of course that's not true. On the contrary you should keep it using the appropriate option (Keep). Once this achieved please run the installer and follow the installation process.

Click on Run in the security warning (it is just because the free edition is not signed):

Installation

Select installation language and click OK.

Installation

Please read the licence agreement and accept it if you do agree (there is no booby trap since it is the European Union licence for open source products). Please click Next.

Installation

Choose the location you want the installer to put Owlyshield components in. Once done please click Next and confirm by Yes if this suits your desire.

Installation

By default the system suggests you to install the Telemetry module which will allow you to register as a contributor and benefit from better support. Once again there is no booby trap, you will not be tracked and this is not mandatory to use Owlyshield. Once your choice made please click Next.

Installation

If you have activated the Telemetry module please enter your details and click Next.

Installation

If needed change the Start Menu details and click Next to continue.

Installation

Check one last time that all keyed-in data are OK and click Install.

Installation

Then please click Finish since the installation process is finished.

Installation

If you want to make sure Owlyshield runs normally please check that the Owlyshield service is running.

Installation

If Owlyshield detects something dangerous it will post an event in the Windows events viewers.

Installation

How it works - Overview

  1. A minifilter (a file system filter driver) intercepts I/O request packets (IRPs) to collect metadata about what happens on the disks (DriverMsg in the sources),
  2. Owlyshield-predict uses the previously created DriverMsgs to compute features submitted to a RNN (a special type of neural network wich works on sequences). Behavioural as well as static analysis are performed.
  3. If the RNN predicts a malware, owlyshield-predict asks the minifilter to kill the malicious processes and send a very detailed report about what happened to your SIEM tools (and/or a local file).
Architecture

As of now, this model has been trained exclusively on ransomwares (our training exemples set cardinality exceeds 110,000 ransomwares).

Components

Owlyshield consists of the following components:

  • Runtime components:
    • Owlyshield Predict - the prediction unit (user space) collects data from the minifilter to make prediction about running processes. This is a Windows service that depends on the minifilter
    • Installer - to make the installation easier (creation of the two predict and minifilter services and their registry keys)
    • RustWinToast - a basic exe to toast notifications
  • Driver components:
    • Owlyshield Minifilter - the driver (user space), intercepts i/o operations and processes creations that will be used by Owlyshield Predict. The minifilter is also responsible for killing suspect processes families
  • Deep Learning:
    • Keras script used to train the model and create the tflite file used by Owlyshield Predict

Why still another product against ransomwares ?

Cybersecurity is a game where attacking players have a significant advantage over their victims:

  • Sophisticated weaponry is available for free or at very little cost
  • Crypto-currencies have made collecting ransom and laundering it easy and risk-free
  • SMEs and even mid-caps use a plethora of third-party softwares over which they have no knowledge or control

What we see everyday:

  • Critical sofwares, used daily to manage company core activities like ERPs, full of security holes waiting to be exploited, and editors shirking their resposabilities ("we have no bounty program, hide it behind a VPN")
  • Critical state organisations and large corporations be victims of unsubtle attacks (for example, Sopra-Steria and three public hospitals were severy hit by the Ryuk Ransomware in France this year)
  • IT services relying entirely on closed proprietary security products they don't know anything about ("We lost our data with a ransomware last year. But now we bought XYZ and feel protected"). This is not a sound defense strategy

Behavioural analysis is of real interest to help classifying malware as illustrated by these first two principal components of a PCA performed on our training data: PCA

Free vs commercial versions

The Free Edition (community edition) is fully operational and will efficiently protect your system against ransomwares. You don't need anymore to start Windows in test-signing mode since we now provide the signed driver in the community version.

The Pro Edition (commercial edition) adds the following features:

  • A webapp gathering all incidents data to help IT staff to understand the scope of the attack within the company networks and act accordingly (or classify it as a false positive),
  • Interfaces with your log management tools (we even provide an API),
  • Scheduled tasks to auto-update the application.

Within the frame of the free version usage we will do our best to help you finding a solution for any issue you may rise in the GitHub issue management system (https://github.com/SitinCloud/Owlyshield/issues). However we cannot guarantee that we will do it in an immediate nor quick way.

Issues that subscribers to our commercial version or valued added reseelers may rise will of course be handled in priority.

Clone this wiki locally