Termination Protection- How good is ur HIPS


aigle
April 24th, 2007, 02:05 AM
Just a test of ur HIPS if u think that ur HIPS is giving a good termination protection.

Take a good backup or use a test PC.
Download and install sysinternals RegMon, mark it as trusted in ur HIPS rules and give it protection against termination by ur HIPS( if there is such an option).
Download and install Music Video Downloader 4.0 from here.( change hxxp to http).

hxxp://www.zheadware.com/products/mvdown.htm

It will create a shortcut icon Video Link Parser on ur desktop or in Start Menu / All Programs.
Run Regmon and leave it running.
Now run Video Link Parser and it will immediately kill Regmon (see if ur HIPS gives a popup about this and blocks it). Also u can run Video Link Parser first and, while it is running, try to run Regmon; Regmon will be killed even before loading (see if ur HIPS protects it).
I tested on XP SP2. Interestingly, Video Link Parser does not install a driver but still it is very brutal in killing RegMon.

HIPS failed without any popup:

SSM free
ProSecurity Pro (not sure if there are some special settings for termination protection) but it seems to fail (anybody can confirm it pls?).
NeovaGuard Beta 2
AppDefend- Not tested( any volunteer please).

Older thread showed that ProcessGuard and AntiHook failed too at that time, not sure now with their latest versions. Thread is here.

http://www.wilderssecurity.com/showthread.php?t=128594

SSM Pro blocked it successfully (even when I did not give any termination protection to RegMon in advanced rules)
Out of curiosity, I started Video Link Parser isolated in GeSWall and good that it was unable to kill Regmon.

I found it very interesting so I am posting it here (for those who are HIPS crazy!!). BTW I am not sure if Music Video Downloader is clean or not; Antivir, BOClean and AVG antispyware did not flag it.

Kenjin
April 24th, 2007, 07:08 AM
-{ Quote: "ProSecurity Pro (not sure if there are some special settings for termination protection) but it seems to fail (anybody can confirm it pls?).
" }-
Confirmed. Tried also with 'Enforce protection' option set - same result. Will notify PS developer.

aigle
April 24th, 2007, 12:11 PM
Thanks a lot Kenjin.
As I read at that time, even AppDefend probably failed here.
It's too weird and interesting as well. Strange that these HIPS did not even detect the termination attempt, what to speak of protecting against it.

zopzop
April 24th, 2007, 01:27 PM
i wonder how eqsecure and DSA would do against this test.

aigle
April 24th, 2007, 01:44 PM
In fact I wanted to try the last version of PG, AD and some other HIPS but unfortunately I had no time and no immediate recovery except SS and ATI. So I posted my findings. It will be easier for anyone to test his own HIPS that is already installed. Too much work for me to install so many HIPS and make new images with ATI on a single PC.

BTW while testing I used SS and installed SP, SSM, NG all at the same time (though one was active at a time -- luckily no BSOD). ;D

zopzop
April 24th, 2007, 04:35 PM
well aigle, i just tried it with eqsecure 3.3 and DSA and they both failed to stop regmon from being terminated. they didn't even show a pop-up warning that something was up.

aigle
April 24th, 2007, 05:22 PM
This test is really very interesting.

ggf31416
April 24th, 2007, 06:40 PM
I tested SSM Free using SPT and APT against mspaint.exe

It failed for APT:
User-mode Kill 2 (WM_CLOSE)
User-mode Kill 3 (WM_QUIT)
User-mode Kill 4 (SC_CLOSE)

For SPT -e (-f doesn't work on my system):
Method 7 (terminate process as part of a job)
Method 11 (terminate process by sending WM_SYSCOMMAND)
Method 15 (simulation of normal process exit)
Method 16 (terminate process by "bruteforce" message posting)

aigle
April 24th, 2007, 06:58 PM
Will be interesting to check it with DefenceWall, SandBoxie etc.
Any volunteers?
Come on guys, test ur HIPS against this.

farmerlee
April 24th, 2007, 08:07 PM
By default GSS 1.1 doesn't stop the termination. If I adjust the rules I can stop regmon from being terminated; however, regmon does stop monitoring the registry.

aigle
April 24th, 2007, 08:25 PM
-{ Quote: " however regmon does stop monitoring the registry." }-
Oh, unfortunately I forgot to check for this thing during testing. It's important as well. Ok, maybe some time later, or I will wait if someone tests with SSM Pro. I will test with GW now. SSM Pro is no more on my system.

farmerlee
April 24th, 2007, 08:30 PM
GSS 1.2 detects the termination attempt by default. I blocked it and both programs continue to function.

aigle
April 24th, 2007, 08:36 PM
Ok, tried with GeSWall: RegMon was not terminated and continued monitoring the registry. (Anyone for SSM Pro?)

Well, tried with Sandboxie version 2.86 and DefenseWall version 1.74.

DefenseWall passed (RegMon not terminated and still monitoring the registry) but unfortunately Sandboxie failed. A hint that policy-based sandboxing might be more secure than complete file and registry virtualization? I posted on their forums.

(In all cases Video Link Parser was installed outside the sandbox and then it was run isolated via the right-click menu option.)

farmerlee
April 24th, 2007, 08:50 PM
SSM pro detects the termination attempt. Blocked it and both programs still function correctly. LOL i'm so bored today i got nothing better to do than test this stuff out.

zopzop
April 24th, 2007, 08:53 PM
nice job guys! so far the only "passes" we have are geswall, SSM pro, GSS 1.2, and Defensewall.

aigle
April 24th, 2007, 09:08 PM
Hi Zopzop, in my opinion GSS 1.2 partially passed as Regmon stopped working, though not killed. It's very important (loss of function is practically equal to termination).

Edit: Sorry, I missed that GSS 1.2 passed (GSS 1.1 did not).

aigle
April 24th, 2007, 09:09 PM
-{ Quote: "SSM pro detects the termination attempt. Blocked it and both programs still function correctly. LOL i'm so bored today i got nothing better to do than test this stuff out." }-
lol, thanks for that BTW.

farmerlee
April 24th, 2007, 11:05 PM
I tried out cFosWatch which is a piece of freeware that monitors dialers, autostarts, filewrites and process termination and it wasn't able to stop it.

zopzop
April 24th, 2007, 11:22 PM
anyone down to try bufferzone?

aigle
April 25th, 2007, 12:01 AM
Ya, plz any BufferZone user?

AJohn
April 25th, 2007, 12:59 AM
Why does music video downloader terminate regmon?

aigle
April 25th, 2007, 01:02 AM
See this thread.

http://www.wilderssecurity.com/showthread.php?t=128594

aigle
April 25th, 2007, 01:03 AM
I am looking for BZJet!

AJohn
April 25th, 2007, 01:26 AM
Thanks for the info, really cleared things up for me. I would do some testing, but I have recently settled with DefenseWall which we know passes.

MaB69
April 25th, 2007, 03:57 AM
Hi all,

Thanks aigle for these interesting tests

Tested with Online Armor 2 beta 178 and OA succeeded in protecting regmon from termination (OA did not notify for this kind of action)

One more thing, before beginning to test, regmon was capturing nothing but procmon did. ( Video Link Parser did not target procmon to protect itself )

MaB

EDIT : Without protection from termination, OA detects the WM_CLOSE sent by VLP to Regmon

http://img87.imageshack.us/img87/1658/oaul1.th.png (http://img87.imageshack.us/my.php?image=oaul1.png)

Seishin
April 25th, 2007, 06:08 AM
-{ Quote: "nice job guys! so far the only "passes" we have are geswall, SSM pro, GSS 1.2, and Defensewall." }-

What version of GW was that? Freeware (2.5.1/Beta 2.6) or Pro (2.5.1)

BTW what software is GSS 1.2?

Thx.

aigle
April 25th, 2007, 06:29 AM
GeSWall 2.6 beta
GSS- ghost Security Suite

aigle
April 25th, 2007, 06:41 AM
-{ Quote: "Hi all,

Thanks aigle for these interesting tests

Tested with Online Armor 2 beta 178 and OA succeeded in protecting regmon from termination (OA did not notify for this kind of action)

One more thing, before beginning to test, regmon was capturing nothing but procmon did. ( Video Link Parser did not target procmon to protect itself )

MaB

EDIT : Without protection from termination, OA detects the WM_CLOSE sent by VLP to Regmon

http://img87.imageshack.us/img87/1658/oaul1.th.png (http://img87.imageshack.us/my.php?image=oaul1.png)" }-
Nice to see that.
thanks for sharing. So one more winner!

zopzop
April 25th, 2007, 09:54 AM
-{ Quote: "What version of GW was that? Freeware (2.5.1/Beta 2.6) or Pro (2.5.1)

BTW what software is GSS 1.2?

Thx." }-

i actually tested geswall 2.2.5 a while ago against this sort of thing and it passed. aigle recently tested it vs version 2.6 and it passed. geswall's been on top of this for at least a few months :)

MaB69
April 25th, 2007, 02:00 PM
-{ Quote: "
I found it very interesting so I am posting it here( for those who are HIPS crazy!!) BTW I am not sure if Music Video Downloader is clean or not? Antivir, BOClean and AVG antispyware did not flag it." }-

I think this product protects itself in this way from cracking.

I am very surprised to see that top HIPS could fail to intercept a WM_CLOSE sent to regmon but very happy to see that GeSWall passes this test.

MaB

aigle
April 25th, 2007, 02:12 PM
-{ Quote: "I think this product protects itself in this way from cracking.
" }-
Have a look here.

http://www.wilderssecurity.com/showthread.php?t=128594

aigle
April 25th, 2007, 02:22 PM
Hi Zopzop and MaB69!

Run Windows Task Manager isolated in GW via the right-click menu. Run WordPad as trusted (non-isolated). On the Applications tab of Task Manager, select WordPad and opt for End Task --- that's it. Untrusted Task Manager is able to kill trusted WordPad. Shhhh..... Don't tell anyone.

BTW, DefenseWall is able to protect here too. I already let GW people know this.

Kenjin
April 25th, 2007, 02:24 PM
Here is news regarding PS' failure to block this: I talked to PS developer about it and it turned out that this is caused by a bug which has been introduced somewhere in the 1.30 beta versions. The protection against this type of termination attack was already implemented long ago. Here is a screenshot showing PS 1.26 successfully blocking this:
http://img163.imageshack.us/img163/1588/psblockbl9.th.png (http://img163.imageshack.us/my.php?image=psblockbl9.png)

A fixed 1.3x version will be released in the next days.

aigle
April 25th, 2007, 02:38 PM
Thanks for the update!

MaB69
April 25th, 2007, 02:44 PM
-{ Quote: "Have a look here.

http://www.wilderssecurity.com/showthread.php?t=128594" }-

ICE protectors
Thanks aigle, did not read this thread.

-{ Quote: "Hi Zopzop and MaB69!

Run Windows Task Manager isolated in GW via the right-click menu. Run WordPad as trusted (non-isolated). On the Applications tab of Task Manager, select WordPad and opt for End Task --- that's it. Untrusted Task Manager is able to kill trusted WordPad. Shhhh..... Don't tell anyone.

BTW, DefenseWall is able to protect here too. I already let GW people know this." }-

You are right aigle, but in GeSWall logs I had this:

2007.04.25 20:37:42 taskmgr.exe ISOLATE on start from explorer.exe
2007.04.25 20:37:42 taskmgr.exe DENY 7F message to notepad.exe (Process)

Obviously, I used notepad instead of wordpad.
Strange that I could kill notepad.

Did you report this to the Gentle Security Forum or Brian?

MaB

aigle
April 25th, 2007, 02:50 PM
Yes! Since the last beta version or before, and yesterday as well. I hope they will fix it. Actually I expect there are many granular settings/features/tweaks/GUI things to come, but ATM their priority seems to be stability and I agree with that.

zopzop
April 25th, 2007, 03:08 PM
-{ Quote: "Hi Zopzop and MaB69!

Run Windows Task Manager isolated in GW via the right-click menu. Run WordPad as trusted (non-isolated). On the Applications tab of Task Manager, select WordPad and opt for End Task --- that's it. Untrusted Task Manager is able to kill trusted WordPad. Shhhh..... Don't tell anyone.

BTW, DefenseWall is able to protect here too. I already let GW people know this." }-

nice catch aigle. i can confirm this works in geswall 2.5.1 too

aigle
April 25th, 2007, 03:35 PM
Just got it by chance.

JeffBuck
April 25th, 2007, 07:55 PM
did anyone try with viguard?

aigle
April 25th, 2007, 08:09 PM
It's hard to find a ViGuard user here, though I would be interested. Last time I tried it, it would not install if u have an AV on ur system (Antivir at least).

Let's wait for:

BufferZone
ViGuard
??
?

aigle
April 26th, 2007, 12:07 AM
Ok, another experiment. I am not sure if it is justified or not.

I tried RootKit Unhooker and IceSword to kill notepad.exe while using different HIPS as protection against termination of notepad.exe (using maximum HIPS protection settings, if there were any). Results are as follows:

- SSM free 2.0.8.583 -- failed
- SSM Pro 2.3.0.612 -- failed (I was even able to kill syssafe.exe itself)
- PS free -- failed
- PS Pro 1.30 -- failed
- NG beta 2 -- failed against IceSword, succeeded against RKU.
- AppDefend version 1.110 -- failed against IceSword, succeeded against RKU.

Poor results are obvious as IS and RKU load a kernel driver, so they are very strong in killing processes.
Sandboxes (GW, DF, SIE) can't be checked here as they will not allow loading of a kernel driver by IS or RKU.

Advanced Process Terminator( APT) from DCS

I tried to kill notepad.exe while protecting it by HIPS.

- NeovaGuard beta2 failed with user mode kill 2, 3, 4, 10 and Crash 01
- SSM free failed with user mode Kill 2, 3 and 4
- SSM Pro passed all APT tests
- PS Pro failed with user mode kill 2, 3, 4 and Kernel Kill 2

Advanced Process Termination (APT) from DCS & Simple Process Termination (SPT) from syssafety.

GeSWall: I tried to kill notepad.exe via untrusted Advanced Process Termination (APT) and SPT (Simple Process Termination) while notepad.exe was running as trusted.
GeSWall blocked all 16 kill modes of APT and also all 16 kill modes of SPT.
Not a single failure even.

korb
April 26th, 2007, 12:58 AM
-{ Quote: "Oh, unfortunately I forgot to check for this thing during testing It,s important as well. Ok, may be some time later or I will wait if someone tests with SSM Pro. I will test with GW now. SSM pro is no more on my system." }-


SSM Pro successfully blocked VLP and AVS with default settings

aigle
April 26th, 2007, 01:13 AM
Thanks Korb. BTW confirmed by Farmerlee as well .
http://www.wilderssecurity.com/showpost.php?p=990811&postcount=14

Kenjin
April 26th, 2007, 05:00 AM
-{ Quote: "Poor results are obvious as IS and RKU load a kernel driver so they are very strong in killing the processes." }-
Right, it is pointless to test this in my opinion. Once you allow a kernel mode driver to load the game is over anyway. It can do whatever it wants and undermine all security software and the Windows kernel itself.

-{ Quote: "Advanced Process Terminator( APT) from DCS

I tried to kill notepad.exe while protecting it by HIPS.

- NeovaGuard beta2 failed with user mode kill 2, 3, 4, 10 and Crash 01
- SSM free failed with user mode Kill 2, 3 and 4
- SSM Pro passed all APT tests
- PS Pro failed with user mode kill 2, 3, 4 and Kernel Kill 2" }-
ProSecurity does not fail kill 2-4 tests. As I have already pointed out, only the latest version of PS has a bug which makes protection against termination by sending window messages ineffective. If you want to make any further termination tests, use an older version like 1.26, you will see it blocks kill 2-4 successfully.
By the way, I could not verify your SSM Pro results. For me SSM Pro 2.4.0.618 beta does not pass kernel kill tests if you allow the driver to load. Neither 1 nor 2. ProSecurity passed kernel kill 1 even then! Anyway, as already said, I don't believe testing against kernel kills makes much sense.

MaB69
April 26th, 2007, 05:35 AM
Hi all,

-{ Quote: "Right, it is pointless to test this in my opinion. Once you allow a kernel mode driver to load the game is over anyway. It can do whatever it wants and undermine all security software and the Windows kernel itself." }-

I agree too

APT vs OA 2 beta 178

notepad protected from termination/suspend/remote code control/remote data modification

OA succeeded in all kill and Crash tests but failed only suspend 2 8)

SPT vs OA 2 beta 178

C:\>spt 2160 1
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 1...
Test failed

C:\>spt 2160 2
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 2...
Total opened thread count 1
Test failed

C:\>spt 2160 3
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 3...
Error: Accès refusé.

Test failed

C:\>spt 2160 4
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 4...
Total opened thread count 1
Test failed

C:\>spt 2160 5
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 5...
Error: Accès refusé.

Test failed

C:\>spt 2160 6
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 6...
Error: Accès refusé.

Test failed

C:\>spt 2160 7
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 7...
Test failed

C:\>spt 2160 8
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 8...
Test failed

C:\>spt 2160 9
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 9...
Test failed

C:\>spt 2160 10
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 10...
Test failed

C:\>spt 2160 11
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 11...
Test failed

C:\>spt 2160 12
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 12...
Test failed

C:\>spt 2160 13
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 13...
Test failed

C:\>spt 2160 14
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 14...
Test failed

C:\>spt 2160 15
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 15...
Test failed

C:\>spt 2160 16
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 16...
Test succeeded


OA failed only test 16 and detected a keylogger for test 13 8)

SPT with parameters e and f

C:\>spt 3644 1 -e -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Searching...%100
Starting test 1...
Test failed

C:\>spt 3644 2 -e -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 2...
Searching...%100
Total opened thread count 1
Test failed

C:\>spt 3644 3 -e -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Searching...%100
Starting test 3...
Error: Accès refusé.

Test failed

C:\>spt 3644 4 -e -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 4...
Searching...%100
Total opened thread count 1
Test failed

C:\>spt 3644 5 -e -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Searching...%100
Starting test 5...
Error: Accès refusé.

Test failed

C:\>spt 3644 6 -e -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Searching...%100
Starting test 6...
Error: Accès refusé.

Test failed

C:\>spt 3644 7 -e -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Searching...%100
Starting test 7...
Test failed

OA succeeded against all these tests 8)

Regards,

MaB

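As an added example (not code from this thread, nor from System Safety's SPT tool), here is a small Python parser for SPT transcripts of the kind MaB69 pasted above. The point it makes explicit is the one the post relies on: in SPT's output, `Test failed` means the termination attempt failed, i.e. the protected process survived and the HIPS passed, while `Test succeeded` means the process was killed. The parser reads each `C:\>spt PID TEST [flags]` block, records the verdict plus any `Error:` / `Total opened thread count` notes, and groups results by the flag set (plain run versus `-e -f`) so a long paste collapses into "blocked" and "killed" lists. The transcript embedded in the block is constructed to match the format shown above; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Prompt line of one SPT invocation: "C:\>spt <pid> <test number> [-e] [-f] ..."
PROMPT_RE = re.compile(r"^C:\\>spt\s+(\d+)\s+(\d+)((?:\s+-[a-z])*)\s*$")
# SPT's verdict line. Note the inverted meaning from the defender's point of view:
#   "Test failed"    -> the kill attempt failed, the protected process is still alive
#   "Test succeeded" -> the kill attempt worked, the protection was bypassed
RESULT_RE = re.compile(r"^Test (failed|succeeded)\s*$")


@dataclass
class SptResult:
    pid: int                      # target process id given on the command line
    test: int                     # SPT kill method number (1..16)
    flags: Tuple[str, ...]        # extra switches such as ("-e", "-f")
    outcome: Optional[str] = None # "failed" / "succeeded" as printed by SPT
    notes: List[str] = field(default_factory=list)  # error / thread-count lines

    @property
    def protected(self) -> bool:
        """True when the HIPS kept the target alive (SPT printed 'Test failed')."""
        return self.outcome == "failed"


def parse_spt_transcript(text: str) -> List[SptResult]:
    """Split a pasted SPT session into one SptResult per 'spt' invocation."""
    results: List[SptResult] = []
    current: Optional[SptResult] = None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = SptResult(int(m.group(1)), int(m.group(2)),
                                tuple(m.group(3).split()))
            results.append(current)
            continue
        if current is None:
            continue  # banner text before the first prompt
        m = RESULT_RE.match(line)
        if m:
            current.outcome = m.group(1)
        elif line.startswith("Error:") or line.startswith("Total opened"):
            current.notes.append(line.strip())
    return results


def summarize(results: List[SptResult]) -> Dict[Tuple[str, ...], Dict[str, List[int]]]:
    """Group by flag set; list which test numbers were blocked, which killed the target,
    and which never printed a verdict (e.g. the paste was cut off)."""
    summary: Dict[Tuple[str, ...], Dict[str, List[int]]] = {}
    for r in results:
        bucket = summary.setdefault(r.flags, {"blocked": [], "killed": [], "incomplete": []})
        if r.outcome == "failed":
            bucket["blocked"].append(r.test)
        elif r.outcome == "succeeded":
            bucket["killed"].append(r.test)
        else:
            bucket["incomplete"].append(r.test)
    for bucket in summary.values():
        for key in bucket:
            bucket[key].sort()
    return summary


# Constructed sample, modelled on the SPT output format pasted in the thread.
SAMPLE_TRANSCRIPT = """\
C:\\>spt 2160 1
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 1...
Test failed

C:\\>spt 2160 3
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 3...
Error: Accès refusé.

Test failed

C:\\>spt 2160 16
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 16...
Test succeeded

C:\\>spt 3644 2 -e -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 2...
Searching...%100
Total opened thread count 1
Test failed
"""

if __name__ == "__main__":
    for flags, bucket in summarize(parse_spt_transcript(SAMPLE_TRANSCRIPT)).items():
        print("flags", flags or "(none)", "->", bucket)
```

Feed it a whole pasted session and the per-flag buckets give the same reading MaB69 gave by hand: every test in `blocked` is a pass for the HIPS, anything in `killed` is the method that got through (test 16 in the sample), and `incomplete` flags invocations whose verdict line is missing rather than silently counting them either way.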
Kees1958
April 26th, 2007, 10:16 AM
Hi all,

Lucky us (one PC protected by DefenseWall, other by GeSWall Pro 2.5 latest),

EQSecure failed regmon termination (quite an effort to install those programs).

Note when removing the video downloader it does not remove dartsock.dll and dartweb.dll from system32 directory, you have to remove them manually.

Regards K

MaB69
April 26th, 2007, 11:44 AM
-{ Quote: "Hi all,

Lucky us (one PC protected by DefenseWall, other by GeSWall Pro 2.5 latest),

EQSecure failed regmon termination (quite an effort to install those programs).

Note when removing the video downloader it does not remove dartsock.dll and dartweb.dll from system32 directory, you have to remove them manually.

Regards K" }-

This is why I use RollbackRx: a snapshot before installing, run my test and then restore my last snapshot (no need to worry about dirt left by tested apps)

MaB

aigle
April 26th, 2007, 03:16 PM
Hi MaB69 and Kenjin, I agree, kill tests after loading a kernel driver are useless anyway. In case of APT kernel kill I denied loading the driver.

aigle
April 26th, 2007, 03:16 PM
-{ Quote: "Hi all,

Lucky us (one PC protected by DefenseWall, other by GeSWall Pro 2.5 latest),

EQSecure failed regmon termination (quite an effort to install those programs).

Note when removing the video downloader it does not remove dartsock.dll and dartweb.dll from system32 directory, you have to remove them manually.

Regards K" }-
I installed with ShadowSurfer.

farmerlee
April 26th, 2007, 09:21 PM
-{ Quote: "This is why i use RollbackRx : a snapshot before installing, make my test and then restore my last snapshot (no need to worry about dirts left by tested apps )

MaB" }-
I agree, i don't even worry about uninstalling any test software, just reboot to a clean snapshot, so much easier.

JeffBuck
April 27th, 2007, 02:53 PM
I tried with Viguard Platinum (trial), which I have not used for a long time (now it looks more like an AV than a HIPS, and I have not found any version in English, French only >:( ), and it fails miserably ... no popup is given ...
but, a curious error (?) appears when I launch Video Link Parser.
(It's on a fresh installation of winxp sp2 with ONLY Viguard installed)

aigle
April 27th, 2007, 04:06 PM
Error seems from VLP rather than from ViGuard.

JeffBuck
April 29th, 2007, 04:29 AM
-{ Quote: "Error seems from VLP rather than from ViGuard." }-
Yes, but I don't know from what it depends ... anyway the software then run.

----

I tried also with the last version of Winpooch (0.6.6) and it fails without any log ::)

aigle
May 30th, 2007, 06:26 AM
Any EQSecure user?

Thanks

Kees1958
May 30th, 2007, 12:08 PM
Hi Aigle,

I have EQS configured as a behavior blocker (allow execute, allow load library and allow process termination), sorry can't help you

WinPooch killprocess protection failed by the way on the other machine (it stopped the create shortcut though).

Reg K

aigle
May 30th, 2007, 03:52 PM
Thanks, Kees. No problems.

aigle
June 1st, 2007, 10:44 AM
Ok, tried this with EQSecure and EQSecure failed. No popups from it and regmon was killed by VideoLinkParser.

ErikAlbert
June 1st, 2007, 06:42 PM
Aigle,
I tried to download "Music Video Downloader 4.0", but Anti-Executable didn't allow it.
I guess my experiment was terminated too soon. Is this a good sign ?

aigle
June 1st, 2007, 10:29 PM
This is exactly what AE is supposed to do. Good or bad doesn't matter for AE.

ErikAlbert
June 1st, 2007, 10:52 PM
-{ Quote: "This is exactly what AE is supposed to do. Good or bad doesn't matter for AE." }-
That's what I thought too.
AE is even too good : today, Thunderbird updated itself automatically, AE didn't accept it and Thunderbird.exe didn't work anymore, but my boot-to-restore fixed it. So I turned Thunderbird's automatic update OFF.

aigle
June 1st, 2007, 11:25 PM
With AE, maybe there should be no update of anything on ur system or u will get popups.
Very good for institutions.

aigle
August 4th, 2007, 03:06 PM
Just for an update of this thread.
Neoava beta 3 and EQSecure 3.4 protect against this termination as well.

Kees1958
August 6th, 2007, 07:31 AM
Thx Aigle for the update,

I am glad I could not answer your question, to test this. So you decided to give it a try yourself and are now on Wilders probably the most valuable power and providing Solcroft a lot of valuable feedback for EQSecure.

I stopped trying to set up a powerful, easy to use multi-layer security package with classic HIPS (there was always one 'new' / 'updated' function that was quietly stopped which I had not foreseen in my classic HIPS set up) on one of our PCs.

I put my trust mainly in the sandboxes (DW and GW) with behavior blockers (A2 and CB) as a second net to catch shoot-in-the-foot mistakes of the user

Please keep on posting your findings on NeoavaGuard and EQSecure

Regards Kees

aigle
August 6th, 2007, 02:36 PM
-{ Quote: "So you decided to give it a try yourself and are now on Wilders probably the most valuable power and providing Solcroft a lot of valuable feedback for EQSecure." }- Thanks for that, but in fact I must be thankful to Solcroft for reporting issues to EQS support on my request. I am really thankful to him.
I can't imagine such a complete HIPS (EQSecure) to be free and "trouble free" (on my system at least). It doesn't even need a reboot to install and uninstall - really wonderful.

NG seems to have great potential too. It can be recommended for beginners as it has a config wizard and learning mode, after which u will get very few popups. At the same time, it has many more options for advanced users to make complex rules. Every HIPS (including EQSecure) should have a default install with config wizard and brief learning mode to help beginners. Advanced users can always deny these options and make their own rules. Otherwise one should not expect too many users for a HIPS.
-{ Quote: "
I stopped trying to set up a powerful, easy to use multi-layer security package with classic HIPS (there was always one 'new' / 'updated' function that was quietly stopped which I had not foreseen in my classic HIPS set up) on one of our PCs." }- Sorry, I did not understand it. ???
-{ Quote: "
I put my trust mainly in the sandboxes (DW and GW) with behavior blockers (A2 and CB) as a second net to catch shoot-in-the-foot mistakes of the user " }- Sandboxes and behavior blockers are great. However I was disappointed with a2.

EASTER
August 9th, 2007, 12:57 AM
Not much to add to this that would be of any greater interest than has already been said, but so far SSM & EQSECURE seem to suit the common Termination Protection on this end.
In fact, from my lurking on the virus makers' forums and such to peer into anything of concern, most still seem to concentrate their efforts on this form of intrusion mainly at AVs + firewalls, and they are KEPT IN MEMORY so-to-speak with the features found in these HIPS. Besides, since IE is the likely hole of entry, those crafts have an almost useless venture IMO given the WALL of defensive shields most users set up, at least those with some regular schedule of internet experience. Still it's another benefit for us in this ping-pong game of chance that Security has a very strong lead in right now.

You could almost go blind with the myriad of choices available to us as well as current shielding/protection features and those new developments yet to find their way into these arsenals.

So in essence, at least on this end, my HIPS of choice is SUPERIOR since "it" or "they" are heavily complemented and covered with everything from Sandboxes to Virtualization plus Rollback & Imaging.

But for the sake of this topic, I must admit I haven't structured a great deal of effort or put much time into fashioning, or experimenting with, every way to shut down a HIPS-Termination Protected app. I expect there are just too great a collection of hurdles for those to be of any serious consequence, at least in this direction like most others here.

Kees1958
August 11th, 2007, 12:12 AM
-{ Quote: "
Sorry as I did not understand it.???
." }-

I tried to set up a traditional HIPS like SSM Pro or EQS to protect in a silent manner (blocking irregularities instead of asking). With this I came closer to the concept of behavior blocking than anti-executable. Out of the programs I tried (SSM, ProSecurity, Antihook, ProcessGuard, NeoavaGuard, Appdefend) I liked EQS best (with good old SSM second).