Preparing a new review of SecureAPlus was not an easy task. How to comprehensively evaluate the product that gets outstanding results in the AVLab and CheckLab tests by verifying protection using many thousands of malware samples? For this reason, Instead of at the beginning, we will start at the end because contextually, it will be easier to understand the operating principle of SecureAPlus. We start the detailed review with a listing of arguments that should not install the security software SecureAPlus. Why should not he do that? Which group of new users should choose the solution from a distant Singapore?

SecureAPlus prompts are readable and understandable for people with excellent knowledge of security. To truly appreciate the benefits of the solution, including understanding the problem that it is highlighting, the average person would have to  learn more about security. This is why it’s worthwhile for us to show how it operates by giving an example of installing a theoretically secure client like Filezilla on Windows 10.

FileZilla is a popular software to exchange files between a user’s computer and a server. It is the most often chosen client for managing files by programmers. To break down the operation of the SecureAPlus antivirus into individual parts, we have used an installer with the following metadata:

  • Downloaded from the developer official website: https://filezilla-project.org
  • With the checksum: f3cb95a52d2bee102e74cb97ddb9669720445fd48f89c6bc922625879bdc6430
  • With a certificate issued by DigiCert.
  • It recognizes the installer as a potential threat by 17 scanners on 20 September 2019.

SecureAPlus in normal mode does not take any automatic decision. Users who are not very insightful can initially have problems with making relevant decisions on appearing questions when installing various types of software.

We have downloaded the installer „FileZilla_3.44.2_win64_sponsored-setup.exe” from the developer official website.  Immediately after its launch, SecureAPlus notifies with first prompt of potential problems with security:

Plik jest niezaufany, pomimo że został pobrany ze strony wydawcy?
The file is untrusted, although it has been downloaded from the developer website?

The installer has a digital signature, as we can see in the green block. The Certificate recipient of the application is Tim Kosse, and the central office issuing the certificate is DigiCert (although, in our opinion, the developer should think about displaying additional information on the central office of certification). A certificate itself does not create software security, just like a green padlock with an HTTPS protocol on a website, therefore, a certificate, despite the fact that it has been issued by a trusted institution that is DigiCert, it is not on the list of trusted certificate authorities built into SecureAPlus. Hence, the warning message:

SecureAPlus bazuje m.in. na białych listach certyfikatów.
SecureAPlus is based on the whitelists of certificates.

To make sure, we can send the uncertain file for scanning in the cloud SecureAPlus. The advantage of many engines scanning in the cloud is that a user receives a file verification from many developers at the same time, and the fact that scanning does not take place on the computer prejudges the lightness of the UniversalAV module. After a dozen or so seconds, we receive another hint that an installer is not trusted. In the present test, we see the activity of the ESET engine.

The last blue bar is additional feedback retrieving information from VirusTotal, where the calculated file checksum, i.e., the hash is sent.

f3cb95a52d2bee102e74cb97ddb9669720445fd48f89c6bc922625879bdc6430

VirusTotal rozpoznaje instalator FileZilla głównie jako PUP, ang. Potentially Unwanted Program.
VirusTotal recognizes the FileZilla installer mainly as PUP, i.e., Potentially Unwanted Program.

Despite the first warning about the untrusted installer, and then — about detected threat by the ESET engine, and also by the VirusTotal service that has turned red because of warnings — let us ignore the SecureAPlus message one more time, and allow the installer to operate.

Otrzymujemy całkiem nowy komunikat od silnika APEX.
We receive a whole new message from the APEX engine.

During installation, the APEX technology sets off an alarm. What is the UAC.dll file for a normal user? An incomprehensible string. An opinion of the APEX engine of threat found in a specific location is more useful, which can be opened by clicking on the blue information bar:

C:\Users\perun\AppData\Local\Temp\nse2032.tmp\

APEX twierdzi, że z UAC.dll jest coś nie tak.
APEX claims that there is something wrong with UAC.dll.

Two files have been extracted into a temporary location, i.e., system.dll and detected as a threat by the APEX engine — UAC.dll. What can a user do is quarantine a file, but then there is a risk that an installer may not work correctly because it is not clear what uac.dll is responsible for. You can also delete that DLL with the same consequences. To complete the test, we need to ignore the prompt once again.

APEX, in cooperation with other components, provides a very high level of protection. This technology of detecting anomalies, malware patterns, learning on extensive data sets, so that it makes quick decisions based on past events even for malware variants never seen before. APEX is available in all versions of SecureAPlus, but in the SecureAPlus Lite version, there is no possibility to change the sensitivity of these technologies. By default, in the higher versions of SecureAPlus, the APEX scanning technology is set to medium level.

For a group of non-technical users, information collected may not be sufficient to dispel doubts related to the considerations of decisions taken by SecureAPlus. Who is right? SecureAPlus or a tester? For what reason the FileZilla installer is suspicious? Let us try to ignore the SecureAPlus warning again and check what happens:

APEX ciągle nie ustępuje.
APEX still does not give up.

Is everything clear now? The installer, although at first sight is safe because it has a digital signature issued by a trusted institution, contains a hidden Avast installer. The second time was a browser extension McAfee WebAdvisor.

To bardzo niedobrze, aby taki sposób „wciskano” oprogramowanie.
It is not good to force software installation like that.

We are dealing with the affiliate cooperation between the FileZilla developers and the unknown advertising network that is revealed by an in-depth analysis of network packets. Review of DNS requests (using tools for Windows, for example, Fidler or Wireshark) shows domains […]:

cloud.nitehe-nutete.com, remote.nitehe-nutete.com, app.nitehe-nutete.com

[…] responsible for verifying every user and attaching such rubbish to the installer.

Practices of placing advertising offers in an installer are correctly identified as potentially unwanted programs. The reaction of SecureAPlus is appropriate at every stage:

  • The warning message was displayed at the beginning. Even though the installer was downloaded from the official source and got a digital signature
  • Then, a user had the opportunity to scan the installer in the cloud by sending a file to the developer’s server. ESET reacted properly here.
  • Next, a user was able to obtain an additional opinion based on the checksum searched in VirusTotal. The file was considered suspicious by as many as 17 engines.
  • As a consequence of our deliberate actions for describing the test (or a real situation on a computer of a non-technical user), APEX reacted appropriately, showing technical details about the attached, suspicious file of the installer.

Let us see on another example how SecureAPlus reacts to 100% safe Wireshark installer

Znowu komunikat. Rozumiecie dlaczego SecureAPlus wyświetla ostrzeżenie jako „Untrusted File”?
Another prompt. Do you understand why SecureAPlus displays a warning as “Untrusted File”?

The answer can be found in the SecureAPlus window in the Application Whitelisting settings.

Dostępnych jest kilka języków oprogramowania SecureAPlus. Nasze recenzje są dwujęzyczne, dlatego bardziej uniwersalnym jest pokazanie interfejsu w języku angielskim.
The SecureAPlus software is available in several languages. Our reviews are bilingual, therefore showing the interface in the English language is universal.

By default, SecureAPlus uses its whitelists of vendor’s certificates that are signed by certificate authorities. A certificate of the Wireshark installer is not on such a list. That is why SecureAPlus warns the user with an appropriate message. From left in the settings of the whitelisting module, there are three options:

  • System certificates trusted by Microsoft
  • List of certificate authorities built into the antivirus (default setting)
  • The same as in the above list, but it also has verification of certificate digital thumbprint.

Trusted central certification authorities in Windows can be displayed by using a shortcut CTRL+R and typing certmgr.msc or by searching for a phrase in the start menu “manage computer certificates”. A similar window will appear:

Zaufane główne urzędy certyfikacji w Windows 10.
Trusted central certification authorities in Windows 10.

The first option from the left in SecureAPlus is responsible for displaying alerts. This is based on the Windows certificate list approved by Microsoft.

The second default option is responsible for using the SecureAPlus list. This is the list of the developer’s rules. For example, this setting trusts installers, e.g., Adobe, during the installation of Adobe Photoshop or Adobe Reader.

Lista zaufanych producentów z wymaganym odciskiem palca certyfikatu (ang. Thumbprint).
The list of trusted developers with the required certificate thumbprint.

The last option contains additional security that checks the certificate thumbprint.

Właściwości certyfikatu wydanego dla aplikacji Wireshark.
Certificate properties issued for the Wireshark application.

In the screenshot above, we see the certificate details with a nod to the certificate thumbprint. It will always be a random sequence of numbers and letters. Every certificate has a thumbprint that is the result of the mathematical algorithm, better known as a hash algorithm, executed with certificate data provided. Different certificates might share the same company data, but a thumbprint must be unique to clear identification of the certificate. So using the certificate thumbprint, we can compare multiple certificates and determine if they are copies of the same file or these files are unique and have different certificates.

During installation, can you recognize the additional application attached to the installer?

If you handle SecureAPlus prompts without any trouble...

Users will have a solution that malware will have extreme difficulty in deceiving at your disposal. Have you watched videos on YouTube showing a privilege elevation in Windows or hacking a clean system using Metasploit? Except for the fact that this way real attacks shall not be carried out, and so-called post-exploitation. With SecureAPlus installed on our computer, infecting and then taking control of our system will be practically impossible because the solution of the developer from Singapore controls the entire area of the executed file, process, & service:

  • Checking if a certificate exists.
  • A certificate thumbprint is verified.
  • Checksums of the executed files are verified.
  • A file can be scanned in the Universal AV cloud.
  • Executed commands in system processes, such as cmd.exe, powershell.exe, and many others, are verified.
  • Less common techniques of system deception using interpreters, e.g., certutil.exe or wmic.exe. are restricted. Downloading is allowed, but executing files through such “weird processes” intended for hacking than regular use is blocked (technical users will understand what I mean).
  • Commands performed in system interpreters usually are the source of the alert or automatically blocked on the basis of the developer’s rules.
  • In critical situations, the user can add his own security rules without waiting for the developer update.

Czy przekonaliśmy was do wypróbowania SecureAPlus?
Have we convicted you to try SecureAPlus?

What else does SecureAPlus Lite, SecureAPlus Essentials, SecureAPlus Pro have to offer?

It is good that we started with explaining how SecureAPlus works because now it will be easier to understand the differences between SecureAPlus Lite, SecureAPlus Essentials, and SecureAPlus Pro versions.

SecureAPlus Lite is free of charge, but with certain restrictions. First of all, some configuration options are not available. The white lists with developer rules shown in the test are not available at all, which we believe significantly affects the protection. The free antivirus and essentials version do not protect processes against a memory injection. The UniversalAV technology that scans files in the cloud does not work in real-time — you have to manually send each unknown file to the cloud, bearing in mind that you have a lower priority of scanning than a user of the paid version. There are also restrictions on the protection management on the SecureAPlus portal.

The SecureAPlus Essentials version and reviewed in this article SecureAPlus Pro do not differ so much. The disadvantage of the Essentials version is the lack of process protection and the inability to protect by hash only, without trusting any digital certificate. The Essentials version is a good proposal for users who want to manage a few devices at home or in a company. Customers who choose the Essentials version will have access to email notifications in the case of finding a threat on a protected device.

SecureAPlus Pro is the best version suitable for everyone and best set by default. It is intended for business (it supports Windows Server), and also for advanced users who need the best available toolkit to protect against all kinds of threats.

Nowy SecureAPlus w wersji 6.
New SecureAPlus version 6.

NEW: SecureAPlus for Android

As of writing the review, SecureAPlus for Android was available in the development version. We are not going to argue about having an antivirus on Android because it is always good to have one, and preferably with a VPN. Given that this review is directed primarily to non-technical users who look for excellent protection for their devices, let us see what SecurePlus for Android has to offer.

SecureAPlus po przeskanowaniu plików pokazuje, które aplikacje wymagają ręcznego przesłania do bardziej szczegółowej analizy.
After scanning files, SecureAPlus shows which applications need to be manually uploaded for more detailed analysis.

SecureAPlus for Android differs from other antivirus software in that a user does not need to choose between the protection effectiveness and the specific developer. The same engines in the cloud are available during scanning as in the UniversalAV technology on a computer. There are a dozen engines from different vendors (AVG, Avira, ClamAV, Emsisoft, ESET, F-Prot, F-Secure, IKARUS, McAfee, Microsoft Security Essentials, and Sophos). The list is not stable and may change over time. But what makes a solution is effective is when the solution has diversity — multiple engines have a better chance of detecting a trojan built into system processes than a single product.

Przesyłana aplikacji do skanowania.
Application uploading to scan.

Today, we often talk about a problem with smartphones during the awareness training aimed at knowledge transfer, necessary for every employee to be aware of threats, behave with caution, and protect confidential information. We use smartphones for banking, social networking, exchanging files, logging into a company infrastructure via a VPN. We leave a lot of data and metadata associated with files sent over the web. However, we forget about protecting our device against unauthorized people. The mobile phones of uninformed users usually are not locked with a pattern, pin, or fingerprint, which poses a threat of access to critical applications, such as banking applications, file exchanging, generating codes. SecureAPlus helps here:

Aplikacja SEJF.
The App Locker.
SEJF umożliwia nałożenie na aplikację kodu blokady w postaci wzoru do odblokowania.
The App Locker allows locking applications with an unlock pattern.

SecureAPlus for Android is available free of charge. However, having an Essentials or Pro license for the desktop version of SecureAPlus on your account with the same credentials lets users gain access to several additional functions, e.g., a remote security check from a phone.

Conclusion

SecureAPlus is tested by AVLab, and CheckLab — a new organization that was founded by AVLab in 2019. We can openly admit that in all our tests of the software from Singapore has achieved the maximum scores:

Below we list all tests in which we have been checking the SecureAPlus software arranged from the oldest to the newest one:

The SecureAPlus software does not have browser protection and anti-spam features. The strength of this solution lies in a risk assessment in real-time based on a few factors: checking certificates, verifying security based on scanning in the Universal AV cloud, manually checking information on VirusTotal, and searching malicious activities by the SecureAge APEX engine.

If by now you are still unconvinced with using SecureAPlus, probably no amount of additional words in a review will. And that is where we will be ending this review.

Summary

The SecureAPlus software does not have browser protection and anti-spam features. The strength of this solution lies in a risk assessment in real-time based on a few factors: checking certificates, verifying security based on scanning in the Universal AV cloud, manually checking information on VirusTotal, and searching malicious activities by the SecureAge APEX engine.

AUTOR:

Adrian Ścibor

Podziel się

Dodaj komentarz