Version 9 (modified by cseifert, 10 years ago)



md5: 5d05f31cf55eff0f965d71d6e6c7cabf

The source can be obtained through the following command: svn co

md5: 0b5435d6fb138061b6bd8d71f8bf5b35

The source can be obtained through the following command: svn co


Release Notes 2.5.1

  • added a preprocessor plugin architecture. Preprocessor plugins allow the input URLs to be handled before they are passed on to Capture; for instance, this could be used to build a crawler or a filtering plugin.
  • added processor ids for state changes (this value is only set if the client plug-in supports it). This allows the client plug-in to determine which URL an attack originates from even if multiple URLs are visited at once.
  • added the internetexplorerbulk plug-in, which takes advantage of the processor id functionality. It allows multiple URLs to be run without the need to revisit them: a mapping of the state changes to the process id determines which URL was malicious.
  • modified the client plug-in to communicate which algorithms it supports (divide-and-conquer, bulk, sequential)
  • upgraded VMware Server to 1.0.6, Java 6 Update 7, NSIS 2.38, Boost 1.35.0, Visual Studio 2008 (requires new VC++ Redistributable libraries!)
  • removed the timeout factor and added absolute timeout/delay config values (see the documentation for a description of each option)
  • modified tailing of the input file; if no more URLs are detected after a specific timeout, the Capture server can be configured either to terminate or to keep tailing the input file for new URLs.
  • implemented staggered revert of virtual machines. If the server is configured with multiple VMs, they are not all reverted at the same time.
  • changed the threading structure to be more stable (leads to fewer client inactivity errors)
  • changed the IE plugin to close all IE windows (fixes pop-ups hanging around)
  • optimized the zipping of files; leads to a speedup if network capture is not enabled
  • fixed bugs 718, 729, 709

Known Issues

  • 737 Capture client crashes when installing a program (lots of events).
  • 736 When an IE instance locks up, the close method fails, leading to a VM stalled error. (but those failures are now retried once)
  • 735 When the Capture client crashes, it leads to client inactivity errors. (but those failures are now retried once)
  • 734 Process termination is not recorded
  • 615 Registry monitoring can't handle a key named
  • 690 Capture is not able to detect file renames
  • 676 Empty password on the user of the guest vm in the config.xml causes the capture server to crash (Windows only).
  • 706 Capture seems to ignore the VM server port.
  • 719 Closing a browser during visitation does not cause this event to be reported back to the server
  • 721 filedownloader writes to a constant file name, preventing the divide-and-conquer algorithm from being applied to applications that make use of this feature

Release Notes 2.1.0

  • Implemented the divide & conquer algorithm, which allows URLs to be visited faster (685)
  • Added Safari plug-in (693) (Note that the Safari plug-in does not support the divide & conquer algorithm.)
  • Network traffic collection can now be configured to occur on malicious as well as benign URLs. Previously, only network traffic on malicious URLs was pushed to the server. (707)
  • Added a stats log for tuning Capture and troubleshooting issues.
  • Adjusted error handling. Errors are now only logged in the error.log file; the operator needs to decide how to handle them.
  • Redirected client output to a log file for debugging purposes.
  • Added option -r to the server parameters, which instructs the server to exit upon encountering an error (turned on by setting "-r true"). For debugging purposes.
  • A malicious classification is now reported even if the client machine crashes (e.g. a drive-by download causes a blue screen).
  • Logs that capture state changes are now only created if state changes are detected.
  • The process, malicious, safe and error log formats now include a new column related to the divide & conquer functionality. It shows the group ID number.
  • Because of the new features, the config file format has changed:

      ◦ the client-path attribute now points to a bat file
      ◦ global options changed and some were added

  • removed JNI usage for revert and replaced it with a stand-alone C program for stability reasons
  • fixed bugs 696, 655, 657, 613, 689, 711

Release Notes 2.01

  • fixed bugs 699, 666, 673
  • increased some timeouts on the server that trigger when the client connects to the server. This should allow more client instances to be used with one server.
  • compiled VIX libs are compatible with VMware Server 1.0.4

Release Notes 2.0

  • support for any client application that is HTTP protocol aware (for example, Microsoft Excel)
  • ability to automatically collect downloaded malware
  • ability to automatically collect network traffic on the client
  • ability to push exclusion lists from the Capture Server to the Capture Client
  • improved control of Internet Explorer: obtain HTML error codes; specify the visitation delay AFTER the page has been retrieved; retry visitation of URLs in case of timeouts or network errors
  • support for a plug-in architecture that allows fine-grained control of clients (for example, as provided for Internet Explorer) and also allows integration of client applications that require complex interactions to retrieve content from the web (e.g. Safari, which does not allow retrieval of web content by passing the URL as a parameter)
  • enhanced the file monitor to also monitor file deletions
  • communication between Capture Client and Server has been converted to XML. This allows one to easily write custom Capture Servers that utilize the existing Capture Client.
  • added installer/uninstaller for the Capture Client
  • improved reporting
  • improved stability
  • improved performance
  • numerous bug fixes

Release Notes 1.1

  • enhancements in stability & speed
  • java implementation of server component
  • multi-browser support
  • fix for the minus notation in exclusion lists
  • compatibility with Microsoft Vista

Release Notes 1.0

  • addition of registry monitor
  • reimplementation of monitors as kernel drivers utilizing kernel callbacks

Capture is written and distributed under the GNU General Public License.