A comparative : 10 HIPS against 'brutal unhooking' malwares

Discussion in 'other anti-malware software' started by nicM, Jul 25, 2007.

Thread Status:
Not open for further replies.
  1. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi,

    Here's the review some people were asking about : http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

    Remember that results are not representative of the general efficiency of the products tested, since these 'unhookers' malwares are very 'special', and hopefully uncommon... But they exist, and a small amount of malwares spreading are already using such a brute force install method.

    All companies have received the samples, now, except Diamondcs :doubt: , site is offline.

    Cheers,

    nicM
     
    Last edited: Jul 25, 2007
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    again nicM comes through! :) nice job with these tests. i'm amazed by DSA's results. a freeware program that hasn't been update in a year and it's holding it's own well vs the "big boys". come on privacyware update this badboy already :D
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Interesting test. Hopefully Prevx will take notice of this, I wouldnt want to resort back to "popup-hell" using regular HIPS :) But I guess there is no other way if one wants to feel really safe.

    But it is good to see that many of them at least gave some kind of warning about something strange was going on...
     
  4. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
    Hello!

    Thanks for doing that test. I use Online-Armor and Prevx and i was really positively surprised about Online-Armor.

    Kristian
     
  5. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    We tried very hard to make OA resistant to malware attack. I think it shows in the results... interesting set of tests by NicM (and, it's nice to get a good result :D )
     
  6. Arup

    Arup Guest

    Looks like Pro Security did quite well.
     
  7. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    NicM,

    Very good review. Merci beaucoup.

    Learned a thing or two from it........ :eek: :eek: :eek:

    Tête d'Oeuf
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Nico

    As always excellent tests. Couple of quick questions. What form were these malware in, for example were they exe's and did you first have to allow them to run.

    Second, what would the attack vector be? Drive by from a website, email, etc.

    Thank, Pete
     
  9. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi Nicolas,

    Many thanks for this interesting tests

    I was ...
    Very happy for OA's results
    Very (badly) surprised by SSM and Prevx results
    Very disappointed by Cyberhawk and PR Safe Connect

    Bon courage mon ami

    Regards,

    MaB
     
  10. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    We were aware of this kind of attack because we were working on a infection that make use of this. A fix will be released soon ;)
     
    Last edited: Jul 25, 2007
  11. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello nicM,

    Kudos to your efforts in putting these 10 HIPS through the ringer. While I am quite disappointed with the results of Primary Response SafeConnect 2.1.0.661, I am encouraged that the latest version of PRSC(2.2.0.1187) has improved detection/cleaning abilities and an increase in behaviors monitored(274 vs. 226). In any case, I will forward these test results to Sana Security's CTO. I am curious as to how the latest version of PRSC would have done in this test. As a request, please seriously consider performing these same tests on BufferZone, DefenseWall, GeSWall and Sandboxie.


    Peace & Love,

    CogitoErgoSum
     
  12. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    We looked at the results of the tests and were a little confused as we thought we'd already covered more bases that the test showed us passing. It turns out that we had a few things set incorrectly :doubt: We've now corrected these settings on our web-site, and updating your Prevx 2.0 manually should bring the changes in for you.

    We're still looking into the details, but the changes out now will help.

    Regards,

    Darren
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Nice results, Pro Security is my favorite at the moment, which makes me lucky I guess.. :)
     
  14. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi everyone,

    And thanks :) .

    Peter : Yes, of course, .exe were allowed to run, at least the droppers (initial .exe, when several files are involved). This is something I've probably forgotten to mention on the 1st page this morning; it will be added tonight.

    When unhooking was successful, some of the HIPS are unable to prompt about further executions, by the way, that's why I precised 'initial' .exe.


    Anything you can imagine : Drive-by, email, social engineering, file clicked by mishap, file part of a program setup, or clicked by an user who doesn't know if he must allow it to run or not... Lots of possibilities.


    Thanks EraserHW and ghiser1 ;) : Good to see you were working on this 'potential' issue, and that you've already released a fix !
     
  15. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi CogitoErgoSum,

    Can you tell me where I can get this version? I've used the most recent that I could find, and didn't know about this 2.2.0.1187 version.

    ps : Merci MaB ;) .
     
  16. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  17. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Thank you for the link.

    Did they update/change their site lately? I did look at this page, yesterday again, and it's still showing version 2.1, in the right corner : http://www.sanasecurity.com/products/sc/features.php

    That's why I didn't even know there was a 2.2 version. My mistake.
     
  18. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    FYI, unfortunately, the latest version of PRSC is not mentioned anywhere on Sana's web site. The biggest change to their web site is the new start page which can be found here:

    http://www.sanasecurity.com/

    Since this past May, I have had on-going discussions with both Sana's CTO and technical support regarding much needed information about PRSC on their web site. Things such as the latest version number and change logs and since PRSC is marketed as a behavioral anti-malware application, clarification on what it can or can not protect against in comparison with a traditional/conventional HIPS. I have also suggested that they harden PRSC from termination by malware. Hopefully, Sana will address all of the above in the near future.


    Peace & Love,

    CogitoErgoSum
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Social engineering acts other way- "Hey, dude! It's a really cool staff, but your HIPS (anti-virus, anti-spyware,...) may flags it as malware and stop its work. So, if you really want to be taught, tougher that mountains- simply disable your defense systems and enjoy!". Trust me- in 20-25% cases malware won't need to disable protection as used will do it by his own hands!
     
  20. wat0114

    wat0114 Guest

    Hi nicM,

    did you run the tests under a limited account or administrative account? You mention XP, SP2, but did you also have all latest critical patches installed as well?
     
  21. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi,

    wat0114, system was running in admin mode, and a few critical patches were missing, as I didn't update XP during the tests (between 1st program and last program tests), in order to have exactly the same system for all programs tests - only difference was the programs themselves.

    Ilya, you're right, but when I said social engineering, I was just thinking to the person running the file because of the intention to fool by the sender.

    It's true that usually user is the culprit, but what makes these malwares special is that, they just do the work themselves :ouch: .
     
  22. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    Merci beaucoup NicM!

    I have instantly ditched ProcessGuard after reading your tests: what a way to go DiamondCS!

    I will certainly trial ProSecurity and OnlineArmour, thanks again.
     
  23. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @NicM
    Veerryy nice.
    Nicely done.
    Thanks for publishing rather than trying for some personal leverage.

    Congrats to OA and ProSec & AH, especially ProSec: I know one cant draw conclusions re overall protection, nevertheless: impressive.

    Kudos :thumb: to PrevX team and Mike Nash for instantaneous acknowledgement and response.
    Despite PX's some what poor showing, which was another dissappointment, the server database did it's job as you note. Very cool
    Even accounting for Ilya's observations re wetware failure, and observation from sukaroff about "Pop-up hell" hopefully any enduser might respond to a message...any message.

    What's the betting Ilya has already run these tests?
    AFAIK Sandboxie will not allow kernel level drivers to install.

    Maybe the colour, size and language in the warning pop-ups could be ..umm.. exaggerated by design, built in as option, :) font size 24: colour flouro red:choose language: IF YOU PRESS THIS BUTTON YOUR COMPUTER WILL BE FECKED" or "SOME SHITE WE ARE NOT SURE ABOUT IS TRYING TO CALL OUT" :blink:
    Never mind the politesse and the neat little boxes gentlemen: Let Rip. Lol, might even be a selling point.

    I am assuming that any sig based scanner would have possibly alerted on detection ( subject to db)

    Be very nice if anyone would test against the "sandboxes"
    Shame that ViGuard has gone all enterprise.
    If you wanted Nic I have a copy of one of the last available English trial versions. Not really much use now i think.

    What were you doing about restoring set-ups between attempted infections?
    Image?
    VM?
    FDISR?
    :p Reinstall?
    Also be useful to know which worked

    SO
    ?ditch CH.. sad, been there a while.
    Saddened to see the once mighty PG falling away: big loss.

    Time to: get OA and PX together, look at Prosec again. (already have licenses for OA and PX)

    :shifty: DW+PX+OA+ reasonable scanner ??

    Very nice Nico.
    :thumb:
     
    Last edited: Jul 26, 2007
  24. Tokar

    Tokar Registered Member

    Joined:
    Jul 22, 2005
    Posts:
    81
    nicM, are you able to test Spyware Terminator HIPS?

    If so, can you send the samples to Spyware Terminator thereafter?
     
  25. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Hi everyone--

    Just wanted to give you all the update on Cyberhawk and the threats in this test. We actually knew about many of them before this test was published and we had already built in protection for them which you'll see in our next release. This release is taking just a bit longer than usual since we've added a number of enhancements and we've also rebranded it under the PC Tools name. We're hoping to release the next version in a couple weeks, so stay tuned! (I can't release any details of the new features just yet, but they all help make the product a lot stronger)

    Kind regards,


    Becky Dubrow
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.