The Helios FAQ

1) What is Helios?

Helios is a patent-pending advanced malware detection system. This downloadable version is a technology preview, however it is under development to becoming a complete enterprise level solution to managing malware. This includes centralized monitoring, system snapshots etc.

Helios has been designed to detect, remove and innoculate against modern rootkits. What makes it different from conventional antivirus / antispyware products is that it does not rely on a database of known signatures. We believe that malware, by definition, has to perform malicious actions on your system. By observing which software performs malicious behaviour, you can better detect malware. Thus Helios uses a 'behavioural' analysis engine as opposed to signatures. The upside to this is that we can catch malware that is 'unknown' in the wild, or for which signature based products do not have a signature definition.

2) Who is this meant for?
Since legitimate software can use techniques that might be considered malicious, we opted not to decide for you what is malware, and what isn't. Thus, Helios requires that you exercise a certain degree of discretion to decide between legitimate software and malware. This doesn't mean it’s hard to use, any power user can have a look at the manual and use it extremely effectively.

It's also worth noting that Helios is a technology preview. While it is extensively tested and stable, we don't recommend you run a tech preview on the production servers that keep your company in business.

3) Does Helios catch XYZ malware, spyware etc?
We don't know! Since we do behavioural analysis, we don't write signatures for any malware. However, if the malware exhibits the behaviours of modern rootkits, we will pick it up. That said, we have expressly not focused on browser-toolbars, dialers and the other crud that is adequately handled by todays antivirus products.

Helios was designed to operate in tandem with your other security products, not replace them.
We will protect you from the latest and greatest techniques in the stealth malware world.

4) Who are you guys?
We're a group of techies that love doing cool stuff with computer security and code. Penetration testing and application security quickly loses its technical challenge, so research is a good way to keep evil minds occupied. Helios is the result of alot of brainstorming and saying "I wish someone would do XYZ to enhance host security", after doing this for awhile, we decided to step up and try doing it ourselves. We also do research on bluetooth and 802.11 security among other things.

5) Why do you misuse the word rootkits for what are actually (insert stealthkits, invisiware, chinese gongs here)?
We don't like this supposed purist argument and have had numerous debates with well informed people about what to actually call this class of malware. Our take on the whole thing is that the popular usage of words defines their meaning, if the world refers to this class of software as rootkits, then rootkits they are. To quote the PacketStorm T-shirt - "Evolve or die". Our advice to the 'purists' is that their time would be better spent putting research and code into the community than quibbling over etymology.

6) Is Helios open-source?
At present, no. However we have designed API's to tap the core functionality of the product. We want people to extend the capabilities of the technology. More on these API's at a later stage.

Helios is however completely free (as in beer). You can download it and use it without giving us your personal information, selling your soul or paying to unlock key features.

7) Is Helios spyware?
Nope. Absolutely not.
Obviously, trust is a big thing when you execute code from the Internet. We are expressly stating that Helios does not collect any information or do anything malicious with your system.

We're a reputed information security company founded on strong ethics and values.

If this is not enough for you, our names are in our whitepaper. If you feel we wronged you, feel free to come down to have a chat with us. We're also extremely open about the inner-workings of the product, so you can drop us an email with your queries and we will respond.

8) Does the open-source community contribute to the rise of rootkits?
We snuck this one into our FAQ because it really annoys us. Let's make it quite clear, if it wasn't for the community and sites like rootkit.com, the following statements would be true:

1. The antivirus companies would be far behind with this technology
2. The hacker underground would be even further ahead with this technology
3. The antivirus companies would be happy because we wouldn't know what they're not catching.

We could not have built Helios without the help of this community of brilliant people. Helios is what we're giving back to them, and we sincerely hope our whitepaper will become an authoritative resource on offensive and defensive rootkit technology, rather like the 'cryptonomicon' in Neil Stephenson's book by the same name.

9) Help! Helios is telling me something is wrong, what do I do?
Well, the first thing you need to do is figure out whether it's a legitimate program showing traces of malicious behaviour. A look through the (we think) comprehensive manual should help you get started with this.

As always, Google is your friend. Sometimes just looking up a process or module name can go a long way. Be aware that some security products like antiviruses / firewalls may hook system calls. It shouldn't be too difficult to trace the hook back to its source using Helios' features.

10) Why haven't you checked for rootkits that use quad-core, interrupt-trapping inline hyperion hooks to take over the world?
3 words, work in progress. We're constantly adding new behaviours and detection tricks. This is half the fun of developing Helios -- outsmarting the other guy. If you do have a new technique or idea, we'd love to hear about it, add it to the whitepaper / product and give you the appropriate credit. Ideas illustrated in code go down far better with us, so if you have source - show us! And yes, we're working on those hyperion hooks ;).