Do IT yourself HIPS all freeware and light

Discussion in 'other anti-malware software' started by Kees1958, Jan 17, 2013.

Thread Status:
Not open for further replies.
  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    There's probably going to be one or two more beta versions before 1.0.
     
  2. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Interesting, do they load the malware via vulnerabilities in those files, or do they load the payload via the internet?
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Normally vuln in the parent process, either browser or browser plugin (java, acrobat, etc.). The most common we see is browser plugin.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    These and several other Windows executables like cmd.exe shouldn't be in a usermode whitelist. Regsvr32 is not required for normal usage, save updating, which should be an administrative task. Cmd.exe should be admin only. Rundll32 should only be permitted with specific command line parameters in user mode. If your security package doesn't allow you to whitelist specific parameters for executables like rundll32, block it and use a renamed copy in a different location for those instances that require it.


    Just because an executable is legitimate or part of the OS doesn't mean it should be whitelisted for usermode. Only those needed for normal user operation should be allowed. The rest should be admin only.
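One way to express that usermode/admin split as a HIPS-style rule check, written as an added example (not code from this thread or from any product discussed in it); the binary paths, the permitted rundll32 parameters, the renamed-copy location and the sample launches are constructed assumptions:

```python
"""Toy execution-policy evaluator for the usermode/admin whitelist idea.

Policy modelled: cmd.exe and regsvr32.exe are admin-only; rundll32.exe is
allowed in usermode only with specific command-line parameters; a renamed
copy of rundll32 at a fixed path covers the few other usermode tasks that
need it; every other binary is usermode-allowed only if explicitly listed,
otherwise admin-only.
"""
import re
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Launch:
    image: str       # full path of the executable being started
    cmdline: str     # full command line as seen by the HIPS
    is_admin: bool   # True when the launching session is an admin session

# Constructed policy values (assumptions, not from the thread).
ADMIN_ONLY = {r"c:\windows\system32\cmd.exe", r"c:\windows\system32\regsvr32.exe"}
RUNDLL32 = r"c:\windows\system32\rundll32.exe"
RENAMED_RUNDLL32 = r"c:\tools\rundll32_renamed.exe"
USER_ALLOWED = {r"c:\windows\explorer.exe", r"c:\windows\notepad.exe"}
# rundll32 in usermode: only this exact DLL,entry-point pair (example value).
RUNDLL32_USER_PARAMS = [
    re.compile(r'^"?c:\\windows\\system32\\rundll32\.exe"?\s+shell32\.dll,Control_RunDLL\b', re.I),
]

def evaluate(launch: Launch) -> Tuple[bool, str]:
    """Return (allowed, reason) for one process launch under the policy."""
    image = launch.image.lower()
    if image in ADMIN_ONLY:
        if launch.is_admin:
            return True, "admin-only binary, admin session"
        return False, "admin-only binary blocked in usermode"
    if image == RUNDLL32:
        if launch.is_admin:
            return True, "rundll32 unrestricted in admin session"
        if any(p.match(launch.cmdline) for p in RUNDLL32_USER_PARAMS):
            return True, "rundll32 usermode: parameters whitelisted"
        return False, "rundll32 usermode: parameters not whitelisted"
    if image == RENAMED_RUNDLL32:
        return True, "renamed rundll32 copy allowed in usermode"
    if launch.is_admin or image in USER_ALLOWED:
        return True, "on usermode whitelist or admin session"
    return False, "not on usermode whitelist (admin-only by default)"
```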
     