HIPS test question

In testing malware it is obvious that step one is frequently to unhook/kill as much security as possible .

Has there ever been a test where the first execution is allowed (mimicking user error) and then denying all following executions/modifications ?

 

I think in general this is the way matt on remove-malware tests.

He agrees to whatever prompt is initally shown , and then whatever app he would be testing would( hopefully) block the malware.

I remember seeing it work with Geswall.

I don't know if he ever tested a full hips though.

 

Kareldjag used to test that;
http://kareldjag.over-blog.com/article-3470338.html
though it's been a while since it's updated.
NicM also;
http://membres.lycos.fr/nicmtests/Unhookers/unhookers_results.htm

A few members (at least used to) test them also, like aigle for instance.
Don't forget Matousec's HIPS leaktests - http://www.matousec.com/

 

I 've done two test with Comodo. In the first (link) I used DNSChanger: Defense + naturally detects immediately the trojan, but I give all the permissons to run that Comodo asks to me subsequently, to verify what Defense+ can check and recognize if I give the permissions to DNSChanger, and which malicious behaviours it allows. As you can see in the video, every attemp to get access to the SCM, to the drivers or to the Registry and file writing is denied.

The same test I did with Seneka : (link) I used the same procedure giving successively the requested permissions to Defense+, but it alike bloks Seneka denying to it the possibility to do some malicious action.