Software

ArcticMyst Security is an endpoint security and software crash monitoring tool for Windows, developed by DeepTide with a focus on XLL / RunDLL32 attack blocking and detecting crashing applications. The software is available on the Microsoft App Store, MajorGeeks and Softpedia. The current version is 20240327a.

ArcticMyst Security Technical Features Overview:

1) Monitoring: Processes executed (file path and command line)

2) Monitoring: SHA256 hash of processes executed

3) Blocking: RunDLL32.exe is not allowed to call Winsock DLLs or the WSAStartup function; these events are blocked and a systray balloon notification appears. Excel is not allowed to load XLL files (a known malware attack vector); a balloon notification alert is raised. The user can choose to temporarily pause these blocking functions

4) Monitoring: Registry startup changes (causes a systray balloon notification alert)

5) Monitoring: Crashing processes, via a Windows Event Log event callback. Crashes often occur during an attempted attack, and this monitoring function may also help identify problematic software (causes a systray balloon notification alert)

6) Monitoring: Changes to the PendingFileRenameOperations registry value (monitored because some malware uses it to delete security tools on reboot)
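For readers who want to see what the monitoring points above (1, 2, 4, 5 and 6) actually look at, the following PowerShell script is an added, read-only illustration; it is not ArcticMyst's code and does not block anything. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the registry paths, the "Application Error" event source and the function names are the author's choices for this example, not names taken from the product. The blocking features in point 3 need an in-process hook and are not shown.

```powershell
# Added example (not ArcticMyst's own code): a read-only snapshot of the
# signals a lightweight endpoint monitor watches. Assumes Windows PowerShell
# 5.1 / PowerShell 7 on Windows; function names are this example's own.

# Points 1 and 2: running processes with image path, command line and SHA256.
# CommandLine/ExecutablePath may be empty for processes you cannot inspect.
function Get-ProcessInventory {
    Get-CimInstance Win32_Process | ForEach-Object {
        $hash = $null
        if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
            $hash = (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            SHA256      = $hash
        }
    }
}

# Point 4: startup entries in the common Run/RunOnce keys (machine and user).
# Save one snapshot and diff it against a later one to spot new entries.
function Get-StartupEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $regKey.GetValue($name) }
        }
    }
}

# Point 6: file renames/deletes the session manager will apply at next boot.
# The value is a REG_MULTI_SZ of (source, destination) pairs; an empty
# destination means "delete the source file on reboot", which is the case
# worth alerting on when the source is a security tool.
function Get-PendingFileRenames {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        [pscustomobject]@{
            Source      = $ops[$i]
            Destination = $dst
            Action      = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { 'Rename' }
        }
    }
}

# Point 5: subscribe to new Application-log records and surface those from
# the "Application Error" source, where Windows writes application crash
# records. Unregister with: Unregister-Event -SourceIdentifier CrashWatcher
function Register-CrashWatcher {
    $log = New-Object System.Diagnostics.EventLog 'Application'
    $log.EnableRaisingEvents = $true
    Register-ObjectEvent -InputObject $log -EventName EntryWritten `
        -SourceIdentifier 'CrashWatcher' -Action {
            $entry = $Event.SourceEventArgs.Entry
            if ($entry.Source -eq 'Application Error') {
                Write-Host ("[{0}] crash record: {1}" -f $entry.TimeGenerated, $entry.Message)
            }
        }
}

# Usage: take a baseline, then compare later snapshots against it.
$procs   = Get-ProcessInventory
$startup = Get-StartupEntries
$pending = Get-PendingFileRenames
Register-CrashWatcher | Out-Null
"{0} processes, {1} startup entries, {2} pending file operations" -f $procs.Count, $startup.Count, $pending.Count
```

Two caveats a practitioner should know: the .NET EventLog EntryWritten callback is rate-limited by the system (only one notification is delivered within a roughly six-second window even if several records are written), so a production monitor should poll Get-WinEvent for the records it may have missed; and hashing every process image on each run is expensive, so cache hashes by path and modification time rather than recomputing them.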

The software is free for home users; businesses must purchase a license. If you would like us to provide threat hunting and analytics services based on your ArcticMyst or Microsoft Defender logs, this can be arranged on a fee-for-service basis. Please contact us for more information.