View Full Version : Downadup/ Conficker worm versus HIPS
aigle
January 19th, 2009, 09:12 PM
The original inspiring thread by Rmus is here. :thumb:
http://www.wilderssecurity.com/showthread.php?t=230837
It's a very clever piece of malware; it uses an autorun.inf file and a dll (hidden as a vmx file) to do its dirty tricks and spreads via USB sticks. :thumb:
CFP - in default interactive security mode, you will get only one pop-up, that is the execution of the dll/vmx file by rundll32. If you allow it, there are no more pop-ups and the malware is free to do all its actions. CFP however did label it as suspicious via file heuristics. :thumb: PASS, though I am not so happy about this pass. ;)
EQS - seems similar to CFP, though I tested it in a hurry. PASS
GesWall - you need to make a rule to isolate your USB drive in GW (see the pic). It stopped the worm dead. :thumb: :thumb: PASS
TF - Fail, totally blind. >:( :thumbd:
Come on. Try your HIPS once again. ;D ;D
BTW - more pics are here, but you need extremely tight rules to get many (though not all) of these pop-ups, and such rules are practically not feasible at all.
http://rapidshare.com/files/186335754/pics.zip
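The first post describes the mechanism: an autorun.inf on the stick hands a DLL disguised as a .vmx file, sitting under RECYCLER, to rundll32.exe. The Python script below is an added example by the editor, not code from the thread or from any product discussed in it; it statically triages an autorun.inf and flags exactly that pattern. The sample INF, its directory name and its export name are constructed for the example, and the check on the Action= label (mimicking Windows' own "Open folder to view files" entry) is a general heuristic that the thread itself does not mention.

```python
"""Static triage of an autorun.inf from a removable drive (added example)."""
import ntpath
import re
from dataclasses import dataclass, field

# Extensions rundll32 is normally handed; anything else passed to it is suspect.
RUNDLL32_NORMAL_EXTS = {".dll", ".cpl", ".ocx", ".ax"}
LAUNCH_KEYS = {"open", "shellexecute"}                     # direct launch keys
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command
RUNDLL32_RE = re.compile(r'(?:^|[\\\s"])rundll32(?:\.exe)?\b', re.I)
RECYCLER_RE = re.compile(r"(?:^|[\\/])recycler(?:[\\/]|$)", re.I)
SPOOFED_ACTION = "open folder to view files"   # Windows' own AutoPlay wording


@dataclass
class Finding:
    key: str
    value: str
    reasons: list = field(default_factory=list)


def parse_autorun(data: bytes) -> dict:
    """Return {key_lower: value} for the [autorun] section only.

    Decoding is lenient because worm-written copies are padded with binary
    junk and bogus sections; lines without '=' are skipped and, like Windows,
    the last value wins when a key repeats.
    """
    entries, in_autorun = {}, False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key and key.isascii() and key.isprintable():
            entries[key] = value.strip()
    return entries


def rundll32_payload(command: str) -> str:
    """Path rundll32 is told to load (its 'path,export' argument), or ''."""
    m = RUNDLL32_RE.search(command)
    if not m:
        return ""
    args = command[m.end():].split()
    return args[0].split(",", 1)[0].strip('"') if args else ""


def triage(entries: dict) -> list:
    """Findings for launch keys that look like the rundll32/RECYCLER trick."""
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key):
            f = Finding(key, value)
            payload = rundll32_payload(value)
            if payload:
                ext = ntpath.splitext(ntpath.basename(payload))[1].lower()
                if ext not in RUNDLL32_NORMAL_EXTS:
                    f.reasons.append(f"rundll32 loads a {ext or 'extension-less'} file as a DLL")
            if RECYCLER_RE.search(value):
                f.reasons.append("launch target lives under a RECYCLER directory")
            if f.reasons:
                findings.append(f)
        elif key == "action" and value.lower() == SPOOFED_ACTION:
            findings.append(Finding(key, value, ["Action text mimics Windows' default AutoPlay entry"]))
    return findings


# Constructed sample in the style the thread describes: junk padding, then the
# real [AutoRun] section. The directory name and export name are made up.
SAMPLE_AUTORUN = (
    b"[\x8a\xff\x13 padding section]\r\n"
    b"\x01\x02\x03 junk without an equals sign\r\n"
    b"[AutoRun]\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"ShellExecute=RUNDLL32.EXE .\\RECYCLER\\example-dir\\jwgkvsq.vmx,Entry\r\n"
    b"UseAutoPlay=1\r\n"
)

if __name__ == "__main__":
    for f in triage(parse_autorun(SAMPLE_AUTORUN)):
        print(f"{f.key}={f.value}")
        for reason in f.reasons:
            print("   !", reason)
```

Run it against an autorun.inf copied off a stick with the drive's autorun disabled first; a benign `open=setup.exe` produces no findings, while the constructed sample reports both the .vmx handed to rundll32 and the RECYCLER location.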
PiCo
January 19th, 2009, 09:19 PM
Someone test it with SandboxIE :)
ThunderZ
January 19th, 2009, 09:41 PM
Curious about DS as well since it monitors flash drives as they are plugged in.
sded
January 19th, 2009, 09:54 PM
What about the Prevx Edge discussion of their success at http://www.prevx.com/blog.asp ? Is HIPS simply the wrong tool for some of the modern malware?
sded
January 19th, 2009, 10:07 PM
And what about Online Armor, another current modern HIPS?
Franklin
January 20th, 2009, 12:21 AM
Sample files I picked up.
Kees1958
January 20th, 2009, 03:57 AM
-{ Quote: "The original inspiring thread by Rmus is here. :thumb:
http://www.wilderssecurity.com/showthread.php?t=230837
It's a very clever piece of malware; it uses an autorun.inf file and a dll (hidden as a vmx file) to do its dirty tricks and spreads via USB sticks. :thumb:
GesWall - you need to make a rule to isolate your USB drive in GW (see the pic). It stopped the worm dead. :thumb: :thumb: PASS
TF - Fail, totally blind. >:( :thumbd:
" }-
Aigle, I can make a custom rule in ThreatFire that gets a pass, like you did with GeSWall.
So either you consider GeSWall a FAIL or you reward ThreatFire with a PASS.
Aigle, do you have two USB sticks and two or more USB ports? Would you mind testing GeSWall with the custom rule you applied for USB stick (harddisk1) with the virus on the second USB stick? I bet GeSWall will fail miserably :-X :-X :-X
Come on man, use one stick to measure results :D :D :D
Mosqu
January 20th, 2009, 04:08 AM
Comodo Defense+
It's often the problem with "classical" HIPS: the user has to decide himself what to allow or block.
alex_s
January 20th, 2009, 04:08 AM
-{ Quote: "And what about Online Armor, another current modern HIPS?" }-
If somebody provides a dropper, I can report the results.
Peter2150
January 20th, 2009, 04:21 AM
Caution: Please don't post links. They will certainly be removed.
Pete
aigle
January 20th, 2009, 04:52 AM
-{ Quote: "Aigle, I can make a custom rule in ThreatFire that gets a pass, like you did with GeSWall.
So either you consider GeSWall a FAIL or you reward ThreatFire with a PASS.
Come on man, use one stick to measure results :D :D :D" }-Hmmm.... I don't agree, Kees. TF is supposed to intercept it by default without any custom rules at all, as it intercepts other autorun malware. When you add custom rules in TF, it acts as a typical classical HIPS, and any classical HIPS will for sure intercept this malware. I just tested the default behaviour blocker function of TF.
As far as GW is concerned, it's lacking the feature to protect USB sticks by default. I just added it manually. Development of GW is stalled of course. Basic functionality is there but you need to implement it somehow.
I used this rule in GW as there seemed no other way for me to run this malware isolated. It's not a PASS in fact, I agree, unless you tweak GW, as it lacks protection of USB sticks by default.
-{ Quote: "
Aigle, do you have two USB sticks and two or more USB ports? Would you mind testing GeSWall with the custom rule you applied for USB stick (harddisk1) with the virus on the second USB stick? I bet GeSWall will fail miserably :-X :-X :-X" }-If you run malware isolated, it will not be able to do anything. If you run it un-isolated, it can do anything. That's how GesWall or any other such product is supposed to work. :)
Kees1958
January 20th, 2009, 05:41 AM
-{ Quote: "
I used this rule in GW as there seemed no other way for me to run this malware isolated. It's not a PASS in fact, I agree, unless you tweak GW, as it lacks protection of USB sticks by default.
" }-
The ability to apply minor nuances marks a great mind. You are a sport :thumb: :thumb: :thumb:
HURST
January 20th, 2009, 07:36 AM
Will test SandboxIE later when I'm at home, but I have no doubt it will pass, with the USB drive forced to run sandboxed.
andyman35
January 20th, 2009, 07:46 AM
-{ Quote: "Will test SandboxIE later when I'm at home, but I have no doubt it will pass, with the USB drive forced to run sandboxed." }-
Your faith in the wondrous SandboxIE is well placed, I'm certain it'll pass, but I await your findings in any case. ;D
Has anyone tried this with Mamutu yet?
Kees1958
January 20th, 2009, 08:02 AM
-{ Quote: "Will test SandboxIE later when I'm at home, but I have no doubt it will pass, with the USB drive forced to run sandboxed." }-
Guys, again in regard to Sandboxie:
- let's make a special configuration rule (force USB drive to run sandboxed)
- gee, it passes a real malware sample
What in regard to XP:
- I have an SRP rule blocking executables from running in RECYCLER
- gee, my Windows XP passes in a Limited User Account; what a great HIPS old XP is, it passes!
When you disagree with the second observation, why do you agree with the first observation?
There is something I seem to misunderstand completely ???, so better keep my mouth shut :gack:
HURST
January 20th, 2009, 10:15 AM
-{ Quote: "Guys, again in regard to Sandboxie:
- let's make a special configuration rule (force USB drive to run sandboxed)
- gee, it passes a real malware sample
What in regard to XP:
- I have an SRP rule blocking executables from running in RECYCLER
- gee, my Windows XP passes in a Limited User Account; what a great HIPS old XP is, it passes!
When you disagree with the second observation, why do you agree with the first observation?
There is something I seem to misunderstand completely ???, so better keep my mouth shut :gack:" }-
Actually Kees, I don't disagree with your 2nd observation.
SandboxIE with its default config would not protect from this. A default XP is vulnerable. I think some classic HIPS could be vulnerable too.
But when you design your setup to cover infection vectors, you only see PASSES. It doesn't matter if it's a HIPS, a sandbox, LUA, or another method. The important thing is to have the defenses well planned.
For what it's worth, if I had XP Pro and could use SRP, I probably wouldn't use Sandboxie, but I'm stuck with XP Home...
Creer
January 20th, 2009, 10:35 AM
Nice test, what about OA or DefenseWall?
Joerg
January 20th, 2009, 11:28 AM
According to the PC Tools Forum (http://www.pctools.com/forum/showthread.php?t=55900) the new Threatfire Beta will detect the conficker worm.
regards,
Joerg
chris2busy
January 20th, 2009, 11:39 AM
a) To be honest, any classical HIPS should give you at least 1 execution warning... soooo if you just pop the thumb drive in and you get a prompt, ya, you deserve to be infected :D
b) @ aigle, I don't know why you say that it needs very deep rules (in CPF) to get the right warning.. anyone that uses CPF adds those, and paranoid mode has them on by default
http://www.imageshack.gr/files/kccat7zu2wqzdfzed5ze.jpg (http://www.imageshack.gr/view.php?file=kccat7zu2wqzdfzed5ze.jpg)
icr
January 20th, 2009, 12:06 PM
Reports of Eset v 3.0.669.0
Edit: Sorry if my post is off topic :'( I don't know much about HIPS
alex_s
January 20th, 2009, 12:45 PM
OA is much the same to the others. There was execution alert about jwgkvsq.vmx wanting to run. Once allowed computer is infected.
jmonge
January 20th, 2009, 01:26 PM
-{ Quote: "OA is much the same to the others. There was execution alert about jwgkvsq.vmx wanting to run. Once allowed computer is infected." }-What about if you allow the pop-up to run it in Comodo or other HIPS, but you have a rule to deny access to write to the hard disk? ;D ;) :thumb:
neksus
January 20th, 2009, 01:54 PM
-{ Quote: "Would you mind testing GeSWall with the custom rule you applied for USB stick (harddisk1) with the virus on teh second USB stick. " }-
Hey, what about the case of 2+ HDDs? :)
It would be pretty good if there was a way to add a rule for removable drives automatically, without putting the user through the misery of doing the computation on the total number of HDDs & USB sticks by hand :)
chris2busy
January 20th, 2009, 01:55 PM
-{ Quote: "What about if you allow the pop-up to run it in Comodo or other HIPS, but you have a rule to deny access to write to the hard disk? ;D ;) :thumb:" }-
Deny copying files from a thumb drive? :D
Then why buy it at all? That's why you use it anyway, to copy stuff :P
*hint* if LUA passes the sample then OA with the option "run unknown apps as untrusted" checked passes it too. duh!
Someone PM me the sample please? :P
jmonge
January 20th, 2009, 01:58 PM
-{ Quote: "Deny copying files from a thumb drive? :D
Then why buy it at all? That's why you use it anyway, to copy stuff :P
*hint* if LUA passes the sample then OA with the option "run unknown apps as untrusted" checked passes it too. duh!
Someone PM me the sample?" }-Anyway I think that DefenseWall will run this sucker as untrusted from a USB device, making it run with limited rights ;)
Note: not tested yet on my part ;D
neksus
January 20th, 2009, 02:14 PM
Yes LUA stops this particular sort of "attackers" with no fuss, and DW/GW/some HIPS will do it easily under admin,
but it gives way more pleasure to spot and disintegrate the sucker yourself, with autorun disabled for removable drives.
aigle
January 20th, 2009, 02:26 PM
-{ Quote: "
b) @ aigle, I don't know why you say that it needs very deep rules (in CPF) to get the right warning.. anyone that uses CPF adds those, and paranoid mode has them on by default
http://www.imageshack.gr/files/kccat7zu2wqzdfzed5ze.jpg (http://www.imageshack.gr/view.php?file=kccat7zu2wqzdfzed5ze.jpg)" }-
Actually, if you are a user of CFP, you will know it better. Being a classical HIPS with complex parent/child relationships for executables, it's too chatty. So I have tweaked rules (while keeping paranoid settings) to get the minimum of alerts. I will give you examples:
1- I allowed svchost.exe to create any file anywhere, otherwise I get too many alerts about it creating/modifying files that were legit but bothersome for me.
Now here the malicious dll (vmx) and autorun files are created on USB devices via svchost.exe, so during my testing it was a puzzle for me which process is actually creating these files. I did not know until after many tries I found it out.
2- Similarly, a dll in system32 is created by svchost.exe that my custom rules allowed silently.
3- I allow creation of tmp files globally without any pop-up in my rules, so I never got an alert about creation of the tmp file (?driver) in this case.
4- Even worse, just think of it. CFP intercepts any dll execution by any process by default, but it gives literally dozens of pop-ups while executing legit applications, so I made a custom rule to allow any dll to be executed by any parent from anywhere.
Now if the malicious dll is not spoofed as a vmx, you can guess what will happen. I will not get even a single alert and the malware will execute and do its harm. :o :o
BTW, an off-topic Q: I noticed that when you install CFP it intercepts execution of exe files only if you add them in the image execution control settings, but dll execution is intercepted without such settings. Am I correct, and if so why is there such a difference? Thanks
virtumonde
January 20th, 2009, 02:29 PM
Appreciate everybody's results and time spent. This is real malware and not some PoC that I don't know if it can be used in a real situation or not.
As Aigle & alex_s mentioned about Comodo's & OA's results, I want to ask: isn't one pop-up too little from a classic HIPS?
I get two if I drag & drop files to my media player.
Are the same results obtained with Real Time Defender or SSM?
aigle
January 20th, 2009, 02:30 PM
-{ Quote: "What about if you allow the pop-up to run it in Comodo or other HIPS, but you have a rule to deny access to write to the hard disk? ;D ;) :thumb:" }-
Hmmm... You are thinking of something supernatural. :) What will this rule be? For what application, and deny access to which HD? And how many dozens of useless pop-ups will this rule create? Not practical at all IMO.
jmonge
January 20th, 2009, 02:33 PM
-{ Quote: "Hmmm... You are thinking of something supernatural. :) What will this rule be? For what application, and deny access to which HD? And how many dozens of useless pop-ups will this rule create? Not practical at all IMO." }-I meant to block executable files (dll) from having write access to the disk???
aigle
January 20th, 2009, 02:36 PM
-{ Quote: "=
As Aigle & alex_s mentioned about Comodo's & OA's results, I want to ask: isn't one pop-up too little from a classic HIPS?
" }-
Yes, it is too little. In fact I expect a classical HIPS to contain the damage even if you allow the sample to execute.
Now I realize how simple it might be for a clever malware to bypass a classical HIPS. ::)
jmonge
January 20th, 2009, 02:38 PM
-{ Quote: "Yes, it is too little. In fact I expect a classical HIPS to contain the damage even if you allow the sample to execute.
Now I realize how simple it might be for a clever malware to bypass a classical HIPS. ::)" }-I think it will be a good idea to have a HIPS + sandbox type combo, I think more security ;)
chris2busy
January 20th, 2009, 02:49 PM
-{ Quote: "BTW, an off-topic Q: I noticed that when you install CFP it intercepts execution of exe files only if you add them in the image execution control settings, but dll execution is intercepted without such settings. Am I correct, and if so why is there such a difference? Thanks" }-
Upon default installation of CIS (without AV) it didn't cause this. Maybe it is because it installs in clean PC mode, so only new files are receiving warnings :)
alex_s
January 20th, 2009, 03:21 PM
-{ Quote: "Appreciate everybody's results and time spent. This is real malware and not some PoC that I don't know if it can be used in a real situation or not.
As Aigle & alex_s mentioned about Comodo's & OA's results, I want to ask: isn't one pop-up too little from a classic HIPS?" }-
Yes, I think this is too little. Mike said they overlooked this problem, but in a short time they will take care of it. Let us wait a bit :)
chris2busy
January 20th, 2009, 03:41 PM
That's what came up with a fresh Comodo installation, paranoid mode and maxed-out image execution control.
See attached archive...
http://rapidshare.com/files/186766019/CPF.rar
(do not worry Peter, it's just photos here) :)
Will test it vs the MD trial just for the heck of it
chris2busy
January 20th, 2009, 04:14 PM
OK :D OMG, MD really impressed me...
It also monitors functions that CIS does not.. like in pics 29 and 39
Definitely blocks it *lol* what a storm of clicking
http://rapidshare.com/files/186782286/MD.rar
If I am not too lazy I might try OA after my snack.. it should intercept the .bat file creation and the .vmx, but I am not so sure about the registry, it is not supposed to, besides autorun ones
virtumonde
January 20th, 2009, 04:24 PM
-{ Quote: "Yes, it is too little. In fact I expect a classical HIPS to contain the damage even if you allow the sample to execute.
" }-
Yes, that's why I ask. An unpleasant but common infection, Vundo, will get you bored till it reaches system32 using a HIPS.
Also I don't know if all the damage can be contained if allowed to the end, but if you terminate the process during 3-4 pop-ups it's gone, Nothing Happened. Yet this Conficker escapes, that's why I'm puzzled.
-{ Quote: "Yes, I think this is too little. Mike said they overlooked this problem, but in a short time they will take care of it. Let us wait a bit
" }-
Good to know. OA has always been quickly in touch with user suggestions. Can't wait to try the final build, as I think this one is gonna work properly on my PC.
jmonge
January 20th, 2009, 04:28 PM
-{ Quote: "OK :D OMG, MD really impressed me...
It also monitors functions that CIS does not.. like in pics 29 and 39
Definitely blocks it *lol* what a storm of clicking
http://rapidshare.com/files/186782286/MD.rar
If I am not too lazy I might try OA after my snack.. it should intercept the .bat file creation and the .vmx, but I am not so sure about the registry, it is not supposed to, besides autorun ones" }-
Thanks Chris for the info :thumb:
chris2busy
January 20th, 2009, 04:54 PM
OA gave me just those 2 :S
But still, why would a thumb drive wanna write to system32? :P
With the run safer option I didn't notice any payload changes
http://www.imageshack.gr/view.php?file=lylicfsepo8yfi5nrxh7.jpg
http://www.imageshack.gr/view.php?file=ipl323p2gy773b5l4qnx.jpg
chris2busy
January 20th, 2009, 05:06 PM
I do not think I'm doing something wrong, but SRP does not block the .dll file :O
LUA itself, on the other hand, prevents its writing to sys32
Dark Star 72
January 20th, 2009, 05:15 PM
Rmus,
Both Executable Lockdown and the new Returnil beta Anti-Execute can be configured for Default - Deny. They can also be configured to give an Allow - Block choice. This is handy as when password protected only the administrator / password setter can answer the call. Anyone who doesn't know the password can only block. Don't know if they block against the same range of executables as AE though.
Rmus
January 20th, 2009, 05:21 PM
Thanks for that information about those products.
----
rich
chris2busy
January 20th, 2009, 05:44 PM
-{ Quote: "thanks chris for the info:thumb:" }-
You are very welcome buddy!
As to answer your previous question, you do not need to disable execution of .dll from the USB drives, it is super easy to just add a wildcard execution block of the .inf files (which are the ones that launch dll and other files by means of autorun ;) )
Here is how simple it is.
http://www.imageshack.gr/view.php?file=88imgsl27v351qllsh5z.jpg
http://www.imageshack.gr/view.php?file=h4ity8p5sv0mthi5low9.jpg
cheers
jmonge
January 20th, 2009, 06:00 PM
-{ Quote: "You are very welcome buddy!
As to answer your previous question, you do not need to disable execution of .dll from the USB drives, it is super easy to just add a wildcard execution block of the .inf files (which are the ones that launch dll and other files by means of autorun ;) )
Here is how simple it is.
http://www.imageshack.gr/view.php?file=88imgsl27v351qllsh5z.jpg
http://www.imageshack.gr/view.php?file=h4ity8p5sv0mthi5low9.jpg
cheers" }-That's very cool, thanks again ;)
Kees1958
January 20th, 2009, 06:25 PM
-{ Quote: "I do not think I'm doing something wrong, but SRP does not block the .dll file :O
LUA itself, on the other hand, prevents its writing to sys32" }-
Check whether you have applied restrictions on all files or all files excluding DLLs in secpol.msc
You could add a no-execute SRP rule to RECYCLER and TEMP dirs
Cheers
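Kees' two points, whether SRP enforcement covers libraries at all and adding no-execute path rules for RECYCLER and TEMP, come down to how SRP resolves path rules. The Python model below is an added example by the editor, not Microsoft's implementation and not code from the thread; it reproduces the documented resolution order (the most specific matching path rule wins, a tie goes to Disallowed, rules may use %VAR% expansion and the ? and * wildcards, and two policy-wide switches decide whether library loads are checked and whether local administrators are exempt) and runs constructed policies against constructed paths. The ENV table, rule sets, drive letter and file names are all assumptions made for the example.

```python
"""Model of SRP path-rule resolution (added example, not Microsoft's code)."""
import fnmatch
import ntpath
import re

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed stand-in for the machine's environment; real SRP expands %VAR%
# from the system/user environment when the rule is evaluated.
ENV = {
    "SystemDrive": r"C:",
    "SystemRoot": r"C:\Windows",
    "ProgramFiles": r"C:\Program Files",
    "TEMP": r"C:\Documents and Settings\user\Local Settings\Temp",
}


def _prefixes(path):
    """The path itself and every ancestor: e:\\a\\b.exe -> [e:\\a\\b.exe, e:\\a, e:\\]."""
    out = [path]
    while True:
        parent = ntpath.dirname(out[-1])
        if not parent or parent == out[-1]:
            return out
        out.append(parent)


class SrpPolicy:
    def __init__(self, default_level, rules, enforce_libraries=True,
                 apply_to_admins=True, env=ENV):
        self.default_level = default_level          # used when no rule matches
        self.rules = rules                          # [(path pattern, level), ...]
        self.enforce_libraries = enforce_libraries  # "All software files" vs "...except libraries"
        self.apply_to_admins = apply_to_admins      # "All users" vs "...except local administrators"
        self.env = {k.lower(): v for k, v in env.items()}

    def expand(self, pattern):
        """Expand %VAR% from the policy's environment and normalise case/slashes."""
        expanded = re.sub(r"%([^%]+)%",
                          lambda m: self.env.get(m.group(1).lower(), m.group(0)),
                          pattern)
        return ntpath.normcase(expanded)

    def evaluate(self, path, load="image", is_admin=False):
        """Level for running (load='image') or loading as a DLL (load='library') `path`."""
        if load == "library" and not self.enforce_libraries:
            return UNRESTRICTED                     # the LoadLibrary is never inspected
        if is_admin and not self.apply_to_admins:
            return UNRESTRICTED                     # admins exempted by policy scope
        target = ntpath.normcase(ntpath.normpath(path))
        best = None                                 # (specificity, level)
        for pattern, level in self.rules:
            pat = self.expand(pattern)
            # A path rule covers the file itself and everything below a folder.
            if not any(fnmatch.fnmatchcase(p, pat) for p in _prefixes(target)):
                continue
            spec = sum(1 for c in pat if c not in "*?")   # literal chars = specificity
            if best is None or spec > best[0] or (spec == best[0] and level == DISALLOWED):
                best = (spec, level)
        return self.default_level if best is None else best[1]


# Policy 1: out-of-box default level (Unrestricted) plus the targeted no-execute
# rules from the thread. "?:" makes the RECYCLER rule cover any drive letter,
# so a freshly plugged USB stick is covered without per-drive rules.
TARGETED = SrpPolicy(UNRESTRICTED, [
    (r"?:\RECYCLER", DISALLOWED),
    (r"%TEMP%", DISALLOWED),
    (r"%SystemRoot%\Temp", DISALLOWED),
])

# Policy 2: default-deny. Everything is Disallowed except the Windows and
# Program Files trees, with a more specific Disallowed rule carved back out of
# the Windows tree for its Temp directory.
DEFAULT_DENY_RULES = [
    (r"%SystemRoot%", UNRESTRICTED),
    (r"%ProgramFiles%", UNRESTRICTED),
    (r"%SystemRoot%\Temp", DISALLOWED),
]
DEFAULT_DENY_NO_DLL = SrpPolicy(DISALLOWED, DEFAULT_DENY_RULES, enforce_libraries=False)
DEFAULT_DENY_ALL = SrpPolicy(DISALLOWED, DEFAULT_DENY_RULES, enforce_libraries=True)
ADMIN_EXEMPT = SrpPolicy(DISALLOWED, DEFAULT_DENY_RULES, apply_to_admins=False)

# Constructed paths: rundll32 itself, the worm-style DLL on a USB stick (loaded
# by rundll32, hence a 'library' load) and a dropper in Windows\Temp.
RUNDLL32 = r"C:\Windows\system32\rundll32.exe"
USB_DLL = r"E:\RECYCLER\example-dir\jwgkvsq.vmx"
TEMP_EXE = r"C:\Windows\Temp\dropper.exe"

if __name__ == "__main__":
    for name, pol in [("targeted", TARGETED),
                      ("default-deny, DLLs not checked", DEFAULT_DENY_NO_DLL),
                      ("default-deny, all files", DEFAULT_DENY_ALL)]:
        print(name)
        print("  rundll32.exe           ", pol.evaluate(RUNDLL32))
        print("  jwgkvsq.vmx via rundll ", pol.evaluate(USB_DLL, load="library"))
        print("  Windows\\Temp dropper   ", pol.evaluate(TEMP_EXE))
```

The interesting row is the second: under the default-deny policy the .vmx on the stick is blocked only when enforcement is set to all software files; with "all except libraries" the LoadLibrary by rundll32.exe (itself Unrestricted under %SystemRoot%) is never checked, which is the situation chris2busy's "SRP does not block the .dll file" describes and the setting Kees asks him to verify.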
chris2busy
January 20th, 2009, 06:40 PM
Yes, .dll extensions were added in gpedit.msc.
I know about the recycler and the temps, but I should still get that dll deny warning.. hmm
Mosqu
January 21st, 2009, 07:14 AM
-{ Quote: "Also, please list if other products offer DEFAULT-DENY alerts.
For the non-technically literate average home user, DEFAULT DENY is the ideal solution, in my view. It's clear to me that these people would have much difficulty dealing with/understanding the prompts that have been discussed here." }-
I agree. But I like the way Prevx Edge (not a classical HIPS) intervenes against the Downadup/Conficker worm, too. It shows a simple and clear alert with an eye-catching red block button. There is no allow button, just an unremarkable grey options button. So everyone should easily hit the right one. ;D
alex_s
January 21st, 2009, 07:30 AM
OA Beta 3.1.0.18,
execution alert allowed, memory tampering blocked, computer is not infected
aigle
January 21st, 2009, 09:46 AM
Hi, thanks. That's nice! :thumb:
Is this a closed beta? Does the latest public beta have similar detection?
Thanks
aigle
January 21st, 2009, 09:49 AM
@ chris2busy
Does MD give pop-ups about memory modification like OA, as shown by alex_s? Thanks
alex_s
January 21st, 2009, 10:14 AM
-{ Quote: "Hi, thanks. That,s nice! :thumb:
Is this a closed beta? Does latest public beta has similar detection?
Thanks" }-
This is "just-posted" beta. Beta 17 only showed execution alert and if allowed computer was infected.
aigle
January 21st, 2009, 10:31 AM
From where I can get it?
Thanks
chris2busy
January 21st, 2009, 11:27 AM
-{ Quote: "@ chris2busy
Does MD give pop-ups about memory modification like OA, as shown by alex_s? Thanks" }-
Yes sir, it did ;)
alex_s
January 21st, 2009, 11:46 AM
-{ Quote: "From where I can get it?
Thanks" }-
At the moment I think there are only 2 options:
1.) to ask Mike to provide you a link
2.) to join the OA beta team
But I guess the new release is coming soon (the public beta released some time ago is a sign). It also may happen that Mike will post another public beta.
I'd like to provide you with the link, but I'm not sure I'm authorized to.
aigle
January 21st, 2009, 11:51 AM
Hi, thanks for the replies. I have analyzed it more and it's very interesting. OA people have intercepted it cleverly now, so that the user will not be fooled. Actually, once the malicious dll (vmx) is executed, you can see that all malicious activities are done by svchost.exe, which is a legit Windows process.
aigle
January 21st, 2009, 11:56 AM
Now the Q is who forces a legit application, svchost.exe, to do all this. I am not an expert, but the obvious reason is that it is done by the malicious jwgkvsq.vmx via rundll32.exe. Now CFP just intercepts it as an action by rundll32.exe that one will not guess to be malicious (rundll32.exe accessing svchost.exe in memory).
While OA, being clever, clearly tells the user that it is in fact being done by jwgkvsq.vmx (jwgkvsq.vmx accessing svchost.exe in memory). :thumb:
aigle
January 21st, 2009, 12:25 PM
-{ Quote: "At the moment I think there are only 2 options:
1.) to ask Mike to provide you a link
2.) to join the OA beta team
But I guess the new release is coming soon (the public beta released some time ago is a sign). It also may happen that Mike will post another public beta.
I'd like to provide you with the link, but I'm not sure I'm authorized to." }-
So it's a closed beta. OK, I will wait for the public release. :)
Thanks
mvdu
January 21st, 2009, 12:38 PM
-{ Quote: "Now the Q is who forces a legit application, svchost.exe, to do all this. I am not an expert, but the obvious reason is that it is done by the malicious jwgkvsq.vmx via rundll32.exe. Now CFP just intercepts it as an action by rundll32.exe that one will not guess to be malicious (rundll32.exe accessing svchost.exe in memory).
While OA, being clever, clearly tells the user that it is in fact being done by jwgkvsq.vmx (jwgkvsq.vmx accessing svchost.exe in memory). :thumb:" }-
I'd definitely give this round to OA. I hope the new version fixes some of the bugs.
tlu
January 21st, 2009, 12:48 PM
-{ Quote: "
Maybe also LUA, as neksus reports, but he didn't specify that, but I'm *assuming* that nothing can write to %System% without Administrator rights. Please correct me if I'm assuming wrongly.
" }-
You're assuming correctly, provided that the default permissions aren't tampered - see this (http://www.wilderssecurity.com/showpost.php?p=1201866&postcount=146) post.
aigle
January 21st, 2009, 12:48 PM
-{ Quote: "Now the Q is who forces a legit application, svchost.exe, to do all this. I am not an expert, but the obvious reason is that it is done by the malicious jwgkvsq.vmx via rundll32.exe. Now CFP just intercepts it as an action by rundll32.exe that one will not guess to be malicious (rundll32.exe accessing svchost.exe in memory).
While OA, being clever, clearly tells the user that it is in fact being done by jwgkvsq.vmx (jwgkvsq.vmx accessing svchost.exe in memory). :thumb:" }-
Malware Defender has the same problem as CFP. >:(
tlu
January 21st, 2009, 12:55 PM
-{ Quote: "yes .dll extensions were added in gpedit.msc.
i know about the recycler and the temps,but i should still get that dll deny warning..hmm" }-
Do you use XP Pro or Home? If the Home version - have you made sure that SRP works by applying pcwXPProme (http://pcwelt-praxis.de/downloads/pcwxpprome)? (See also this (http://www.wilderssecurity.com/showpost.php?p=1230623&postcount=29) post.)
chris2busy
January 21st, 2009, 01:50 PM
-{ Quote: "Do you use XP Pro or Home? If the Home version - have you made sure that SRP works by applying pcwXPProme (http://pcwelt-praxis.de/downloads/pcwxpprome)? (See also this (http://www.wilderssecurity.com/showpost.php?p=1230623&postcount=29) post.)" }-
I am on Win Vista Business edition. Group policies are at their maximum capabilities and even further developed than on XP Pro.
chris2busy
January 21st, 2009, 02:27 PM
-{ Quote: "Malware Defender has same problem as CFP. >:(" }-
Yes my friend, but we escape the subject... let's revise.
We popped a thumb drive in a computed environment and we got a warning that a .dll was auto-executed and it tries to modify legitimate processes of your OS.. now that's just not right, is it? :D
What I am trying to say is that H.I.P.S is not there to tell you what to do, it's there to tell you what the malware does so YOU can decide what you should do.
At the end of the day, the decision is still up to the user. E.g. if you run on Vista, you are immune to that threat, but if you decide to give elevated privilege to a file that ran itself, oh well :D nothing else will save you, I'll tell you that :D
OA does that because it overall has a marketing goal contrary to classical HIPS, thus it uses that great whitelisting database and makes its warnings a little bit more self-explanatory for the average user.
Cheers
P.S this is one of the few such informative threads i've seen for a while!
aigle
January 21st, 2009, 02:41 PM
-{ Quote: "
We popped a thumb drive in a computed environment and we got a warning that a .dll was auto-executed and it tries to modify legitimate processes of your OS.. now that's just not right, is it? :D" }- Hmmm... only OA's alert is good. Others alert about rundll32 accessing svchost.exe, both are legit, why would one stop it? In fact when you are using a HIPS, you will make a permanent allow rule for this behavior very soon after you get this alert a few times on benign legit activities.
-{ Quote: "OA does that because it overall has a marketing goal contrary to classical HIPS, thus it uses that great whitelisting database and makes its warnings a little bit more self-explanatory for the average user.
Cheers" }-
OA was the same as the others, but just after they came to know about it, they added a way to intercept it in a better way. I want at least the same from the others (CFP, MD etc.), but I am not sure if I can convince them. >:(
Kees1958
January 21st, 2009, 02:46 PM
Gents,
The new OA beta also protects against raw disk access. I have not used OA for quite a while; I can remember I needed the run safer option to be protected against raw disk access.
Aigle,
Thanks for these kinds of posts. :thumb: :thumb: :thumb:
and chris2busy for being not too busy (and able to participate :thumb: )
chris2busy
January 21st, 2009, 03:14 PM
-{ Quote: "Hmmm... only OA's alert is good. Others alert about rundll32 accessing svchost.exe, both are legit, why would one stop it? In fact when you are using a HIPS, you will make a permanent allow rule for this behavior very soon after you get this alert a few times on benign legit activities." }-
My bad, I meant that rundll32 tried to execute an unknown file (see pic).. but even if you didn't, you still see svchost.exe writing files to sys restore and modifying a bunch of registry entries
-{ Quote: "OA was the same as the others, but just after they came to know about it, they added a way to intercept it in a better way. I want at least the same from the others (CFP, MD etc.), but I am not sure if I can convince them. >:(" }-
To be honest I didn't use OA before version 2.x.x so I cannot comment on that, but at its current state it sure is one of the most friendly H.I.P.S out there!
Maybe you should ask xiaolin first, from his posts I see that he pays a lot of attention to what his customers think :)
chris2busy
January 21st, 2009, 03:16 PM
-{ Quote: "Gents,
The new OA beta also protects against raw disk access. I have not used OA for quite a while; I can remember I needed the run safer option to be protected against raw disk access.
Aigle,
Thanks for these kinds of posts. :thumb: :thumb: :thumb:
and chris2busy for being not too busy (and able to participate :thumb: )" }-
Enjoyed being a part of it mate :) cheers
P.S: do not watch that movie in the taskbar >.> it was awful
Kees1958
January 21st, 2009, 03:33 PM
What is a real mystery to me is that OA intercepts intrusions of programs being kept in a policy sandbox of GeSWall. Most other security programs do not notice these interceptions because GeSWall contains it first.
Only OA throws pop-ups.
From a security point of view this is a real benefit of OA; for me, I kind of dislike it. The whole idea behind a policy HIPS/sandbox is that they are quiet. Now when you use MD together with DW or GW, it works perfectly.
Cheers
jmonge
January 21st, 2009, 03:52 PM
-{ Quote: "What is a real mystery to me is that OA intercepts intrusions of programs being kept in a policy sandbox of GeSWall. Most other security programs do not notice these interceptions because GeSWall contains it first.
Only OA throws pop-ups.
From a security point of view this is a real benefit of OA; for me, I kind of dislike it. The whole idea behind a policy HIPS/sandbox is that they are quiet. Now when you use MD together with DW or GW, it works perfectly.
Cheers" }-That is exactly what I have ;)
mvdu
January 21st, 2009, 07:24 PM
How would the CIS beta handle the request, I wonder? I assume rundll is likely in the whitelist, so would the malicious process ever be seen?
mvdu
January 21st, 2009, 07:46 PM
-{ Quote: "My bad, I meant that rundll32 tried to execute an unknown file (see pic).. but even if you didn't, you still see svchost.exe writing files to sys restore and modifying a bunch of registry entries
To be honest I didn't use OA before version 2.x.x so I cannot comment on that, but at its current state it sure is one of the most friendly H.I.P.S out there!
Maybe you should ask xiaolin first, from his posts I see that he pays a lot of attention to what his customers think :)" }-
Now that Comodo prompt looks better. :thumb:
aigle
January 22nd, 2009, 12:24 AM
-{ Quote: "How would the CIS beta handle the request, I wonder? I assume rundll is likely in the whitelist, so would the malicious process ever be seen?" }-
My screenshots are with latest beta.
aigle
January 22nd, 2009, 12:52 AM
Can anybody test :
- PS
- DW
- PRSC &
- Mamutu
Thanks
Reimer
January 22nd, 2009, 01:10 AM
-{ Quote: "Check whether you have applied restrictions on all files or all files excluding dll's in secpol.msc
You could add a No execute SRP to RECYCLER and TEMP dirs
Cheers" }-
Could you elaborate on this?
I thought that with SRP, all folders except C:\Windows and C:\Program Files are prevented from executing programs. I know that since things like browser cache are stored in the user account folder in Documents+Settings so they're typically safe.
Although I could swear seeing the Recycler folder before, I can't seem to find it at the moment.
Mosqu
January 22nd, 2009, 03:52 AM
-{ Quote: "OA was same as others but just after they came to know it, they added a way to intercept it in a better way. I want at least the same from others (CFP, MD etc) but I am not sure if I can convince them. >:(" }-
It shouldn't be that hard to convince them, since messages like "rundll32 is trying to..." or "svchost.exe is trying to..." are quite useless for making reasonable decisions. I really was wondering how all the "experts" do that. I even had a vain look into CIS's process manager to see if there is more information about those processes. So I'm glad to see that I'm not the only one with that problem. ;D Has anyone talked about this in the Comodo Forum or added it to the wishlist?
chris2busy
January 22nd, 2009, 04:22 AM
That should be enough...
Open the SRP console and right-click on the empty board space. Select New Path Rule and try something like that.
As someone here likes to say, it's not pretty the crap to leave the toilet :D
zopzop
January 22nd, 2009, 04:35 AM
Wow I didn't even know we had to manually enter Recycler and the TEMP folders to SRP.
Quick question though. Chris' above post covers "recycler" what about the "TEMP" folders Kees mentioned? How do we make SRP cover those as well?
EDIT :
Hold on a sec, before adding "recycler" to the SRP list, I decided to try copying an executable to the folder and see what happened when I tried to run it :
Kees1958
January 22nd, 2009, 04:50 AM
Yes,
But be aware that you can have Windows Update problems, and also a lot of installers won't work.
But then again that is exactly what I want, so before updating switch to the admin account or enter secpol.msc and let the rules not apply for admin.
I have a test image for instance with
- OA free DUTCH (no pop-up for new programs, remove unknown entries from the start-up list after re-boot)
- Avast free DUTCH, only the standard shield with check at write (and blocker warning for executables, delete, rename, format)
I add to this image by setting all recycler, temp and temporary internet files folders to not allowed to execute, same as the shared directory for P2P, and have the mail directory tagged as limited.
With OA free I run all interfacing apps as Run Safer.
It is a test image and performs pretty decently against threats.
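As an added example (not code from this thread, nor from any of the products discussed in it), here is a PowerShell script for the SRP side of what Kees1958 and chris2busy describe: it reports whether enforcement covers "all software files" or "all software files except libraries (such as DLLs)" and whether local administrators are exempt, then adds Disallowed path rules for the RECYCLER and TEMP locations. It writes the same registry keys that secpol.msc writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers. The folder list, the rule descriptions, and the assumption that SRP has been initialized once through secpol.msc (which creates the base key and the ExecutableTypes list) are mine.

```powershell
# Added example: audit and harden Software Restriction Policy settings from PowerShell.
# Run elevated; apply afterwards with 'gpupdate /force' or a reboot.
# Assumes SRP was initialized once in secpol.msc so the CodeIdentifiers key exists.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpStatus {
    # Summarizes the three settings that decide whether a renamed DLL (the .vmx trick)
    # and an admin account are covered by SRP at all.
    if (-not (Test-Path $SaferRoot)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = $null
                                  DllsEnforced = $false; AdminsExempt = $false }
    }
    $k = Get-ItemProperty -Path $SaferRoot
    # DefaultLevel: 0x40000 = Unrestricted, 0x20000 = Basic User (Vista+), 0 = Disallowed
    $level = switch ($k.DefaultLevel) {
        0x40000 { 'Unrestricted' }
        0x20000 { 'Basic User' }
        0       { 'Disallowed' }
        default { '0x{0:X}' -f $k.DefaultLevel }
    }
    [pscustomobject]@{
        Configured   = $true
        DefaultLevel = $level
        # TransparentEnabled 1 = "all software files except libraries (such as DLLs)",
        # 2 = "all software files". Only 2 makes SRP look at a DLL loaded via rundll32.
        DllsEnforced = ($k.TransparentEnabled -eq 2)
        # PolicyScope 1 = "all users except local administrators"
        AdminsExempt = ($k.PolicyScope -eq 1)
    }
}

function Add-SrpDisallowedPath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Added by hardening script (example)'
    )
    # Level 0 = Disallowed. Each path rule is a GUID-named subkey under <level>\Paths.
    $ruleKey = "$SaferRoot\0\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %TEMP%-style variables are expanded at evaluation time.
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0     -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $ruleKey
}

function Enable-SrpDllEnforcement {
    # Switch enforcement to "all software files" so DLLs (whatever their extension) are checked.
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 2 -Type DWord
}

# Usage: show the current state, then add the no-execute rules from this thread.
Get-SrpStatus | Format-List

# Example folder list (XP-era names as used in the thread; adjust for your system).
$noExecute = @(
    '%SystemDrive%\RECYCLER\*',
    '%TEMP%\*',
    '%USERPROFILE%\Local Settings\Temporary Internet Files\*'
)
foreach ($p in $noExecute) { Add-SrpDisallowedPath -Path $p }
Enable-SrpDllEnforcement
Get-SrpStatus | Format-List
```

Enabling DLL enforcement is what closes the gap chris2busy calls the extension-spoofing weakness: a library renamed to .vmx and handed to rundll32 is still a library load, and SRP only inspects library loads in "all software files" mode. As Kees notes, that mode also makes some installers and Windows Update fail, which is why he exempts the admin account (PolicyScope = 1) or switches to it before updating.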
tlu
January 22nd, 2009, 04:58 AM
-{ Quote: "
EDIT :
Hold on a sec, before adding "recycler" to the SRP list, I decided to try copying an executable to the folder and see what happened when I tried to run it :" }-
Yes, that should be the normal behavior. Adding these folders isn't necessary. If anything can be executed in them with limited rights, something is misconfigured.
chris2busy
January 22nd, 2009, 05:23 AM
I know this. tlu is very correct, I just answered a question on how one can do this.
HOWEVER, for Vista users that have the extra security level "BASIC USER", this way can help them make anti-executable type rules for files, folders etc.,
which is VERY cool if you consider that it does exactly what Kees had in mind, e.g. run an admin account without UAC on and have preconfigured which apps will run in LUA without UAC OR the need of DropMyRights etc.
tlu
January 22nd, 2009, 11:57 AM
This (http://www.us-cert.gov/cas/techalerts/TA09-020A.html) report is relevant.
aigle
January 23rd, 2009, 06:25 PM
Ok, tried it with DW and DW seems to protect against it. Did not check the network part though.
:thumb: :thumb:
Anyone can try with:
PRSC
Mamutu
Thanks
Creer
January 23rd, 2009, 06:32 PM
-{ Quote: "Ok, tried it with DW and DW seems to protect against it. Did not check the network part though.
:thumb: :thumb:
" }-
Thank you Aigle for your time and tests, good work :thumb:
cheers
aigle
January 23rd, 2009, 06:38 PM
Thanks.
Still interested in PRSC and Mamutu, though I think both will be bypassed. I don't have a licence for them, otherwise I would have tested already.
chris2busy
January 23rd, 2009, 07:20 PM
Our "friend" has evolved :D now it has a brother that does even more tricks!
http://news.softpedia.com/news/Nasty-Conficker-Worm-Lurking-Windows-7-Vista-SP1-and-XP-SP3-Machines-102798.shtml
aigle
January 23rd, 2009, 07:22 PM
Ok, I found a GAOD licence for Mamutu that I did not use. It has still 35 days left. Tried it with the worm.
Default settings- Mamutu failed
Paranoid settings- it gave an alert about rundll32.exe (on svchost memory modification); blocking this behaviour, Mamutu passed.
EASTER
January 23rd, 2009, 08:29 PM
-{ Quote: "Ok, I found a GAOD licence for Mamutu that I did not use. It has still 35 days left. Tried it with the worm.
Default settings- Mamutu failed
Paranoid settings- it gave an alert about rundll32.exe (on svchost memory modification); blocking this behaviour, Mamutu passed." }-
Thanks for that test.
PARANOID MODE is a very worthy setting and adds more S.M.A.R.T monitoring IMHO, so these latest results are no surprise.
NASTY WORM INDEED!
EASTER
Searching_ _ _
January 23rd, 2009, 08:51 PM
I had a problem with this thing around August or September of last year.
To be a little more correct, I am still dealing with it. Yeah, I allowed the 16.tmp. So now it's run amok.
Infected:
1. Back up image
2. Micro SD card
3. Micro SD card
I used the infected Micro SD to update the BIOS of a computer. The computer has never been connected to the internet or network.
Will a wipe be sufficient to clear the worm?
When I updated the BIOS could the worm have affected that?
The Back up image alters the CMOS clock after install.
Will the MSRT be sufficient to clean the reinstalled image if there are no extra tools installed?
How do I clean the Micro SD cards and keep my files?
I checked one of the cards and it has 2 partitions. Harddrive1 and Harddrive1 partition 1. I don't know if it is normal for SD cards to have multiple partitions or if this is part of the infection.
Searching_ _ _
January 23rd, 2009, 09:52 PM
-{ Quote: "Our sinkhole logged just over one million unique IP addresses yesterday. This is compared to 350,000 last Friday. Remember, there may be any number of computers sitting behind a single IP address.
China, Russia, and Brazil have the highest IP count. Combined, they account for nearly 41 percent of the total.
Only a bit over 1 percent came from the United States…" }-
http://www.f-secure.com/weblog/
One time I'm glad the USA is not number 1 :)
Cutting_Edgetech
January 24th, 2009, 03:07 AM
Has anyone tested Zemana AntiLogger to see if it will block the worm? I know this program is marketed towards blocking logging malware, but I believe it will stop most other categories of malware as well. Someone please test it!
alex_s
January 27th, 2009, 07:21 PM
-{ Quote: "So it,s a closed beta. Ok, I will wait for the public release. :)
Thanks" }-
Here it is :)
http://support.tallemu.com/vbforum/showthread.php?t=6706
aigle
January 27th, 2009, 07:51 PM
Thanks.
andyman35
January 28th, 2009, 07:29 AM
-{ Quote: "a) To be honest, any classical HIPS should give you at least 1 execution warning... soooo if you just pop the thumb drive in and you get a prompt, ya you deserve to be infected :D
" }-
I'm with Chris on this one. Ok, the likes of Comodo may give a somewhat generic warning, but the fact is if you've merely inserted a thumb drive and something is attempting to run automatically, that in itself is highly suspicious and worthy of investigation, regardless of whether or not the warning flags up a sometimes benign action.
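The point andyman35 makes is that "something wants to run when I plug in a drive" is itself the signal. As an added example (mine, not code from this thread or from any product in it), the PowerShell function below reads an autorun.inf as plain text and lists why it is suspicious, without launching anything: a launch key at all, rundll32 being handed a module whose extension is not .dll (the DLL-renamed-to-.vmx trick from the first post), a launcher sitting in the recycle bin or System Volume Information, an overridden default verb, and Action text that copies Windows' own AutoPlay wording. The sample autorun.inf at the bottom is constructed for this example; the SID-like folder name and file name are placeholders, not indicators from the real worm.

```powershell
# Added example: inspect an autorun.inf and report suspicious entries. Nothing is executed.

function Get-AutorunFindings {
    param([Parameter(Mandatory)][string[]]$Lines)

    $findings  = @()
    $inAutorun = $false

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }       # blank or comment

        # Section header: AutoPlay only reads the [autorun] section.
        if ($line -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inAutorun -or $line -notmatch '^([^=]+)=(.*)$') { continue }
        $key   = $Matches[1].Trim()
        $value = $Matches[2].Trim()

        # Keys that run code on insertion (open, shellexecute) or on double-click (shell\<verb>\command).
        if ($key -match '^(open|shellexecute|shell\\[^\\]+\\command)$') {
            $findings += "launch key '$key' present: $value"

            # rundll32 takes '<module>,<entry point>'. A module that is not a .dll is a renamed
            # library, and SRP in "all files except libraries" mode will not look at it at all.
            if ($value -match '(?i)rundll32(\.exe)?\s+"?([^,"\s]+)') {
                $module = $Matches[2]
                if ([IO.Path]::GetExtension($module) -ine '.dll') {
                    $findings += "rundll32 loads a non-DLL module: $module"
                }
            }
            # Legitimate media do not keep their launcher in the recycle bin or SVI folders.
            if ($value -match '(?i)\\(recycler|\$recycle\.bin|system volume information)\\') {
                $findings += "launch target hidden in a system folder: $value"
            }
        }
        # 'shell' replaces the default verb, so 'Open' in Explorer runs the custom command instead.
        if ($key -ieq 'shell') { $findings += "default verb overridden: shell=$value" }
        # Worm-era autorun.inf files copied the wording of the built-in AutoPlay entry to blend in.
        if ($key -ieq 'action' -and $value -match '(?i)open folder to view files') {
            $findings += "Action text mimics the built-in AutoPlay entry: $value"
        }
        if ($key -ieq 'useautoplay' -and $value -eq '1') {
            $findings += 'UseAutoPlay=1 requests AutoPlay on non-optical media'
        }
    }
    return ,$findings
}

# Constructed sample in the style described in the first post (placeholders, not real IoCs).
$sample = @(
    '[autorun]'
    'Action=Open folder to view files'
    'Icon=%SystemRoot%\system32\shell32.dll,4'
    'shellexecute=RunDll32.exe .\RECYCLER\S-1-5-21-0-0-0-0\driver.vmx,Entry'
    'shell=Open'
    'shell\Open\command=RunDll32.exe .\RECYCLER\S-1-5-21-0-0-0-0\driver.vmx,Entry'
    'UseAutoPlay=1'
)

$findings = Get-AutorunFindings -Lines $sample
'{0} suspicious item(s):' -f $findings.Count
$findings | ForEach-Object { " - $_" }
```

To check a real removable drive, pass the file contents instead of the sample, for example `Get-AutorunFindings -Lines (Get-Content 'E:\autorun.inf')`; a clean vendor disc normally yields at most an Icon or Label line and no findings at all. The check is deliberately text-only so it can be run on a drive before Explorer ever honours the file.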
mantra
February 19th, 2009, 02:56 PM
Is an updated NOD32 enough, or is the Microsoft patch a must?
arran
February 19th, 2009, 05:06 PM
Did some one test this with sandboxie?
chris2busy
February 19th, 2009, 05:19 PM
Yes...it passes.
m00nbl00d
February 19th, 2009, 05:48 PM
For what I could see in this thread, no one has tested Outpost Firewall Pro 2009, have you? Sorry if you have and I totally missed. I did a quick look at the thread.
Would anyone be willing to test it?
I'm not using it at the moment and have no virtual machines up.
Thanks.
m00nbl00d
February 19th, 2009, 05:49 PM
-{ Quote: "Is an updated NOD32 enough, or is the Microsoft patch a must?" }-
That's a silly question. Of course a patched system is important!
Regards
mantra
February 20th, 2009, 01:57 AM
-{ Quote: "That's a silly question. Of course a patched system is important!
Regards" }-
No, I mean there is a patch from Microsoft,
but I can't get it with the regular updates;
you have to download it manually and install it.
EASTER
February 20th, 2009, 04:44 AM
Conficker to me is of script kiddie making.
Take EQS I use for one example: I simply set a rule to monitor any activations of RunDll32 and even loaded the actual exploit; once the alert came up it was as simple as DENY & TERMINATE the file. Case closed, I cut/pasted it off my system drive because it's so lame.
I'm sure there are other methods to abort it before it can advance itself besides EQS, but that's all it took and was so stupidly simple.
There's simply more dangerous malware out there than this ridiculous piece of scriptie fun for them.
EASTER
Ilya Rabinovich
February 20th, 2009, 04:46 AM
-{ Quote: "Conficker to me is of script kiddie making." }-
Nope, it's made by professionals.
EASTER
February 20th, 2009, 04:52 AM
-{ Quote: "Nope, it's made by professionals." }-
Then they have run completely out of ideas or else are bored because it's too easy to kill before it even makes it out of the gate with the most basic of security programs (hopefully).
EASTER
chris2busy
February 20th, 2009, 05:27 AM
EASTER, I share your opinion, especially if you take into consideration that any Vista machine is immune to it (yeah, except if you are smart enough^^ to give admin rights to an unknown program from your thumb drive)... Yet it was designed by professionals as Ilya said. Not everyone out there has sufficient knowledge to use HIPS (unless it's something like DW, whose newest version should never give any pop-up now :) too bad my trial is long over). Hell, most users will think "Shakira" when they hear of such a tool name :D
jmonge
February 20th, 2009, 10:56 AM
-{ Quote: "EASTER, I share your opinion, especially if you take into consideration that any Vista machine is immune to it (yeah, except if you are smart enough^^ to give admin rights to an unknown program from your thumb drive)... Yet it was designed by professionals as Ilya said. Not everyone out there has sufficient knowledge to use HIPS (unless it's something like DW, whose newest version should never give any pop-up now :) too bad my trial is long over). Hell, most users will think "Shakira" when they hear of such a tool name :D" }-
Chris, are you going to buy it? :)
demonon
February 20th, 2009, 11:07 AM
-{ Quote: "EASTER, I share your opinion, especially if you take into consideration that any Vista machine is immune to it (yeah, except if you are smart enough^^ to give admin rights to an unknown program from your thumb drive)... Yet it was designed by professionals as Ilya said. Not everyone out there has sufficient knowledge to use HIPS (unless it's something like DW, whose newest version should never give any pop-up now :) too bad my trial is long over). Hell, most users will think "Shakira" when they hear of such a tool name :D" }-
Luckily one thing is sure; Hips don't lie, and H.I.P.S neither.
tlu
February 20th, 2009, 11:17 AM
-{ Quote: "Luckily one thing is sure; Hips don't lie, and H.I.P.S neither." }-
A very questionable assertion. There have been many examples of malware able to defeat several HIPS. A better, more reliable and user-friendly alternative (once implemented) is LUA + SRP.
The logic of this combo is as simple as it could be: No execution => no infection. Period.
jmonge
February 20th, 2009, 11:20 AM
-{ Quote: "A very questionable assertion. There have been many examples of malware able to defeat several HIPS. A better, more reliable and user-friendly alternative (once implemented) is LUA + SRP.
The logic of this combo is as simple as it could be: No execution => no infection. Period." }-
no execution equal no infection equal no problem;D
chris2busy
February 20th, 2009, 12:25 PM
-{ Quote: "chris are you going to buy it?:)" }-
Actually I have issues with my prepaid card (the last one expired), otherwise I already would have.
Back on track, a HIPS could also be configured so that it works as SRP does (deny execution of any file except for the locations that SRP allows too, Program Files etc.) and at the same time avoid the extension-spoofing vulnerability of SRP (it could use wildcards so that it blocks execution of any file type).
andyman35
February 20th, 2009, 01:10 PM
-{ Quote: "Then they have run completely out of ideas or else are bored because it's too easy to kill before it even makes it out of the gate with the most basic of security programs (hopefully).
EASTER" }-
I expect they've adopted a driftnet approach to infection: cast it wide enough and you'll catch sufficient victims, rather than the more difficult task of bypassing those with good security.
demonon
February 20th, 2009, 01:51 PM
-{ Quote: "A very questionable assertion. There have been many examples of malware able to defeat several HIPS. A better, more reliable and user-friendly alternative (once implemented) is LUA + SRP.
The logic of this combo is as simple as it could be: No execution => no infection. Period." }-
Well, I am not talking about whether malware can bypass certain HIPS; they just don't lie. However, LUA + SRP, and preferably SuRun or something that can temporarily elevate your rights, is a good choice to go with.
Lucy
February 20th, 2009, 01:55 PM
-{ Quote: "A very questionable assertion. There have been many examples of malware able to defeat several HIPS. A better, more reliable and user-friendly alternative (once implemented) is LUA + SRP." }-
I don't know if it is entirely true, but LUA+SRP works great:
http://www.wilderssecurity.com/showthread.php?t=233899
Iam_me
April 11th, 2009, 01:51 AM
Just since I see in every thread that D+ fails against CONFICKER because of this testing, I have the feeling I should share how the testing REALLY was performed with CIS..
It was not some "default mode".
-{ Quote: "
1- I allowed svchost.exe to create any file anywhere, otherwise I get too many alerts about it creating/modifying files that were legit but bothersome for me.
Now here the malicious dll (vmx) and autorun files are created on USB devices via svchost.exe, so during my testing it was a puzzle for me which process was actually creating these files. I did not know until after many tries I found it out.
2- Similarly a dll in system32 is created by svchost.exe that my custom rules allowed silently.
3- I allow creation of tmp files globally without any pop-up in my rules, so I never got an alert about creation of the tmp file (?driver) in this case.
4- Even worse, just think of it. CFP intercepts any dll execution by any process by default, but it gives literally dozens of pop-ups while executing legit applications, so I made a custom rule to allow any dll to be executed by any parent from anywhere.
Now if the malicious dll is not spoofed as a vmx, you can guess what will happen. I will not get even a single alert and the malware will execute and do its harm.
I think one pop-up is too little from a classic HIPS. In fact I expect a classical HIPS to contain the damage even if you allow the sample to execute.
" }-
REFERENCE: https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html;msg240110#msg240110
In Proactive mode (at the time this test was performed) CIS would pop up more than 10 times and also report malware behaviour.
I guess it catches this even better now thanks to all the improvements to D+..
But in my mind it did really good.. :thumb: :thumb:
EASTER
April 11th, 2009, 02:15 AM
-{ Quote: "I expect they've adopted a driftnet approach to infection,cast it wide enough and you'll catch sufficient victims,rather than the more difficult task of bypassing those with good security." }-
I agree with you andyman35
Not to say there's no way to bypass a HIPS-guarded autorun & RunDll as I have set in my EQS rules, which seem impossible to jump; I believe as you do that they have fashioned it to penetrate open shares (mine is closed (disabled)), and any attempt at drive-by entry is also met with stiff deflections, so it's likely meant for wide open systems, easy to flow right into servers and such and wreak its havoc.
EASTER
andyman35
April 11th, 2009, 03:22 PM
-{ Quote: "I agree with you andyman35
Not to say there's no way to bypass a HIPS-guarded autorun & RunDll as I have set in my EQS rules, which seem impossible to jump; I believe as you do that they have fashioned it to penetrate open shares (mine is closed (disabled)), and any attempt at drive-by entry is also met with stiff deflections, so it's likely meant for wide open systems, easy to flow right into servers and such and wreak its havoc.
EASTER" }-
The thing is, the folks that visit the likes of Wilders and actually care about preventive security are the overwhelming minority of PC users. Huge numbers still run unpatched systems with little or no security. Twice this last week alone I've dealt with shop-bought systems with long expired trial versions of Norton 2003, IE6, Adobe 5 etc., still running XP SP1, OS updates switched off. Both full of malware, I should point out. :wacko:
aigle
April 11th, 2009, 06:57 PM
-{ Quote: "Just since I see in every thread that D+ fails against CONFICKER because of this testing, I have the feeling I should share how the testing REALLY was performed with CIS..
It was not some "default mode".
REFERENCE: https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html;msg240110#msg240110
In Proactive mode (at the time this test was performed) CIS would pop up more than 10 times and also report malware behaviour.
I guess it catches this even better now thanks to all the improvements to D+..
But in my mind it did really good.. :thumb: :thumb:" }-
I just wanted an alert of this type in fact. Clever way of interception by OA. :thumb:
Kees1958
April 11th, 2009, 11:03 PM
-{ Quote: "I just wanted an alert of this type in fact. Clever way of interception by OA. :thumb:" }-
Does it comfort that I agree with you ;)
aigle
April 12th, 2009, 04:42 AM
Hmmm. sure it does. ;D
BTW, not a big deal, I must say at the end.
Copyright ©2002 - 2012, Wilders Security Forums