Opinion on Outpost firewall

Discussion in 'other firewalls' started by c0ltran3, Nov 8, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Perhaps act8192 can post the keys Outpost's HIPS monitors? That would be a very good start.

    Eset HIPS has two options to monitor startup settings. The first monitors any changes to startup settings but it monitors everything so you're getting constant alerts. So I just created a rule to monitor changes to the registry that apply to startup settings e.g. run, runonce, etc. keys.

    Below are the default ones McAfee Endpoint HIPS monitors. Note: REGISTRY = HKLM and & = the "*" wildcard symbol, i.e. this key and any subordinate keys. Ignore the "\\", it is equal to "/":

    \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\&
    \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\&
    \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\&
    \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs\\&
    \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\&
    \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\\&
    \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Services\\&
    \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Services\\&\\Parameters\\ServiceDLL\\&

    Windows Firewall
    \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy
    Windows Security Centre
    \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wscsvc
    Windows Update
    \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv

    Above are the HKLM entries, you can specify equivalents for HKCU (or use the & to cover both) e.g.
    \\REGISTRY\\CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\&
     
    Last edited: Nov 18, 2015
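The post above lists the startup-related keys McAfee's HIPS watches in its own `\REGISTRY\MACHINE\...\&` notation, and the thread's actual problem is comparing such a watchlist against what Autoruns shows. The following is an added example (not code from the post, nor from McAfee, Outpost or ESET) that translates that notation into matching rules and reports which Autoruns-style entries fall outside the watchlist. It assumes the semantics the post gives: a trailing `&` means the key and everything below it, an interior `&` matches one path component, and a bare `ControlSet` stands for `CurrentControlSet` or any `ControlSetNNN`. The CSV rows are constructed sample data with an Autoruns-like "Entry Location" column, and every path in them is hypothetical.

```python
"""Compare an autostart inventory against a HIPS registry watchlist.

Added example, not code from the original post nor from McAfee, Outpost or
ESET.  Notation assumed (from the post): \\REGISTRY\\MACHINE is HKLM,
\\REGISTRY\\CURRENT_USER is HKCU, a trailing '&' covers the key and its whole
subtree, an interior '&' matches exactly one path component, and a bare
'ControlSet' means CurrentControlSet or any ControlSetNNN.
"""
import csv
import io
import re

HIVES = {"MACHINE": "HKLM", "CURRENT_USER": "HKCU", "USERS": "HKU"}

# The keys quoted in the post; normalise() tolerates single or doubled backslashes.
WATCHLIST = [
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\&",
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\&",
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\&",
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs\\&",
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\&",
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\\&",
    r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Services\\&",
    r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Services\\&\\Parameters\\ServiceDLL\\&",
    r"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy",
    r"\\REGISTRY\\CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\&",
]

# Constructed sample rows modelled on Autoruns' "Entry Location" / "Entry" columns.
# All paths and names are hypothetical.
SAMPLE_CSV = r"""Entry Location,Entry,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleTray,C:\ExampleApp\tray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleSync,C:\Users\u\AppData\Local\ExampleSync\sync.exe
HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters,ServiceDll,C:\Windows\System32\examplesvc.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows,AppInit_DLLs,C:\ExampleHIPS\example_hook.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects,{ExampleClsid},C:\Windows\System32\example.dll
HKLM\SOFTWARE\Classes\Protocols\Filter,text/xml,C:\Windows\System32\example_filter.dll
"""


def normalise(path: str) -> str:
    """Collapse slash runs and map \\REGISTRY\\<hive>\\... onto HKLM/HKCU/HKU form."""
    p = path.replace("/", "\\")
    p = re.sub(r"\\+", "\\\\", p).strip("\\")
    m = re.match(r"REGISTRY\\([A-Z_]+)\\?(.*)$", p, re.I)
    if m:
        hive = HIVES.get(m.group(1).upper(), m.group(1).upper())
        p = hive + ("\\" + m.group(2) if m.group(2) else "")
    return p


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn one watchlist entry into an anchored, case-insensitive regex."""
    parts = normalise(pattern).split("\\")
    subtree = bool(parts) and parts[-1] == "&"
    if subtree:
        parts = parts[:-1]
    out = []
    for comp in parts:
        if comp == "&":
            out.append(r"[^\\]+")                       # one path component
        elif comp.lower() == "controlset":
            out.append(r"(?:CurrentControlSet|ControlSet\d{3})")
        else:
            out.append(re.escape(comp))
    body = r"\\".join(out)
    if subtree:
        body += r"(?:\\.*)?"                             # the key itself or anything below
    return re.compile("^" + body + "$", re.I)


def classify(csv_text: str, watchlist) -> list:
    """Tag each row with the first pattern covering its key, or the key\\value
    path (Entry Location + Entry) for value-level patterns such as AppInit_DLLs."""
    compiled = [(p, pattern_to_regex(p)) for p in watchlist]
    result = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        loc = normalise(row["Entry Location"])
        candidates = (loc, loc + "\\" + row["Entry"])
        hit = next((p for p, rx in compiled if any(rx.match(c) for c in candidates)), None)
        result.append({**row, "covered_by": hit})
    return result


def uncovered_entries(csv_text: str, watchlist) -> list:
    """Rows that no watchlist pattern covers: candidates for extra HIPS rules."""
    return [r for r in classify(csv_text, watchlist) if r["covered_by"] is None]


if __name__ == "__main__":
    for row in uncovered_entries(SAMPLE_CSV, WATCHLIST):
        print("NOT COVERED:", row["Entry Location"], row["Entry"])
```

On a real machine the input would be the CSV that `autorunsc -c` writes; only the Entry Location and Entry columns are consulted. Note that the post's FirewallPolicy, wscsvc and wuauserv entries have no trailing `&`, so they are matched as exact keys here; a pattern without the wildcard does not cover subkeys.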
  2. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I wish I knew how to tell. Is this sufficient from Autoruns?
    [attachment: Autoruns-AppInit.png]
    If it's application related, I'll have to do a lot of clicking to review every one inside Outpost. But I don't think it is a good idea. Perhaps if you ask about a specific app/process, I can check. Or itman might tell us.

    Oooops! I just noticed itman already started, but I haven't yet read it. My problem: Outpost doesn't have text output. I can only do it by screenshots, sometimes several per application.
    The Anti-Leak log of system events does list things unencrypted, I could copy that, but it would be
    1. enormous
    2. would require me to start something, I suppose
    3. would be incomplete.
    EDIT:
    This is how the log for some nvidia stuff looks via Notepad (just a few items; read up):
     
    Last edited: Nov 18, 2015
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.

    Go into Outpost and select Auto Start Entries and AutoRun Entries. One or both of those will show all registry keys Outpost is monitoring that apply to start up processing.
     
  4. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    itman, here's the thing: Outpost programmers know how to protect your box, but they haven't yet mastered how to make resizeable windows in the GUI. Look where I am now; it'll be dozens of incomplete screenshots. We have to think of a better way.
    [attachment: CritObjSettings.png]
    Also, itman, see my EDIT above your post for Rasheed - about the log.

    EDIT: The Autoruns list is shorter and fits vertically. Here's a shot of the right side. Use your imagination for the left side :)
    [attachment: CritObj-Autoruns.png]
     
    Last edited: Nov 18, 2015
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    See if you can go to the lower window, the one that shows the registry entries, and see if you can copy what is there. Then you can paste it in this thread.

    If you can only copy a single screen, then open up Notepad. Then paste each screen into the notepad document. Then copy everything in the Notepad document and post to this thread.

    If none of the above work, then select the "Modify" box. That should open up a screen where all registry entries are shown. Hopefully you can copy everything there and paste it into a Notepad document.
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    itman,
    As I wrote several times, that's the problem. If I could multiselect, right click, copy and paste, I would've done it ages ago.
    I can't multiselect. I can't copy those keys and app paths, not even one-by-one. Ergo, I can't paste anything.
    I can't select Modify; it is shaded out even if I suspend all OP protection.
    There's got to be another way and I can't think of it.
    In case you suggest looking for settings: .conf files are encrypted since v4 of Outpost, so there's no hope there.

    One idea: I gathered a few logs, will extract pieces to Excel on my XP, remove duplicates and post.
    Be aware: it will not be a complete list of what Outpost watches, just what it or I saw in the days I have logs for.
    Stay tuned.

    Do you have Excel? If not, I'll do a .csv file, which is text.
     
  7. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    http://dl2.agnitum.com/pr/Kernel_mode_hooks_or_user_mode_hooks.pdf

    " Pros and cons of user-mode and kernel-mode hooks

    Comparison criterion: User-mode hooks / Kernel-mode hooks

    Security

    4) 64-bit Windows compatible.

    User-mode hooks - Yes

    Kernel-mode hooks - No, because of Microsoft PatchGuard requirements "

    Outpost and Eset use dynamic heuristics (a kind of sandbox), with user-mode hooks.

    « HIPS » is marketing, you like this ...
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There are other methods to perform kernel hooking on x64 OS besides SSDT which fails due to PatchGuard: http://nagareshwar.securityxploded.com/2014/03/20/code-injection-and-api-hooking-techniques/

    The main issue I see with Outpost's HIPS user-mode hooking is that it uses the DLL injection method via the AppInit_DLLs registry key, which is the most primitive of the user-mode hooking techniques. This was fine for WIN XP but really should have been changed with the introduction of later WIN OS versions.

    Eset will only enable user hooking when its kernel cannot identify a process. In other words, the user hook is not set at each boot time. The hook is also set dynamically into a process and not statically via use of AppInit_DLLs. Eset will hook explorer.exe at boot time, which will cause the hook to be set for any subordinate processes: browsers, Adobe Reader, etc. For other processes such as taskhost.exe, taskeng.exe, etc., the hook is set dynamically. Note that the user hooking has been changed in ver. 9 and appears to now always be set at boot time. Ver. 9 also incorporates a mechanism to protect its user hooks, although my initial analysis of it was that it's a bit crude in technique.

    Emsisoft uses a hybrid model where the User hook is set dynamically as needed but normally loads into a predetermined set of processes at boot time.
     
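itman's post above says Outpost's user-mode hook rides the AppInit_DLLs key. Whether that key actually takes effect depends on a few neighbouring values, and the same key is a classic persistence/injection location for malware, so a practitioner wants a repeatable check. The following is an added example (not code from the post, nor from Outpost, ESET or Emsisoft) that reads a `.reg` export of the two relevant keys and reports the effective state. Facts it relies on: the loader honours `AppInit_DLLs` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows` for 64-bit processes and under the `Wow6432Node` twin for 32-bit ones; `LoadAppInit_DLLs=1` enables the mechanism; `RequireSignedAppInit_DLLs=1` limits it to signed DLLs; the list is space- or comma-delimited; and on Windows 8 and later the whole mechanism is off when Secure Boot is enabled. Assumptions: the `.reg` text is constructed sample data, every DLL path in it is hypothetical, and an absent `LoadAppInit_DLLs` is treated as 0.

```python
"""Report the effective AppInit_DLLs injection state from a .reg export.

Added example; not code from the original post nor from Outpost, ESET or
Emsisoft.  Parses only the subset of the .reg format needed here:
[key] headers, "name"="string" and "name"=dword:xxxxxxxx values.
"""
import re

KEY_64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
KEY_32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample export; DLL names and paths are hypothetical.
# .reg files double the backslashes inside string values, as shown.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ExampleHIPS\\example_hook64.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ExampleHIPS\\example_hook32.dll,C:\\Users\\Public\\unknown.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000001
"""


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # Undo the .reg escaping of backslashes and quotes.
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def appinit_state(reg: dict, key: str, secure_boot: bool = False) -> dict:
    """Effective AppInit_DLLs state for one of the two keys.

    The loader splits the list on spaces and commas, so the same split is used
    here (paths containing spaces must be given as 8.3 short names).  Absent
    LoadAppInit_DLLs is treated as 0 (assumption).  secure_boot=True models a
    Windows 8+ machine with Secure Boot on, where AppInit_DLLs is ignored.
    """
    vals = reg.get(key, {})
    dlls = [d for d in re.split(r"[ ,]+", vals.get("AppInit_DLLs", "")) if d]
    load = vals.get("LoadAppInit_DLLs", 0)
    signed_only = vals.get("RequireSignedAppInit_DLLs", 0) == 1
    active = bool(dlls) and load == 1 and not secure_boot
    return {"dlls": dlls, "load_flag": load, "signed_only": signed_only, "active": active}


def unexpected_dlls(state: dict, allowlist) -> list:
    """DLLs riding AppInit_DLLs that are not in the allowlist (case-insensitive)."""
    allowed = {a.lower() for a in allowlist}
    return [d for d in state["dlls"] if d.lower() not in allowed]


def report(reg_text: str, secure_boot: bool = False) -> dict:
    """State for 64-bit and 32-bit processes from one export."""
    reg = parse_reg(reg_text)
    return {"x64": appinit_state(reg, KEY_64, secure_boot),
            "x86": appinit_state(reg, KEY_32, secure_boot)}


if __name__ == "__main__":
    for arch, st in report(SAMPLE_REG).items():
        print(arch, "active" if st["active"] else "inactive", st["dlls"])
```

On a live machine the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg` (and the `Wow6432Node` key likewise), and the Secure Boot flag from the `Confirm-SecureBootUEFI` PowerShell cmdlet on Windows 8 and later. An entry in the list that is not one of your security product's own DLLs is exactly the kind of change the watchlist in the earlier post is meant to alert on.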
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I would just forget it. Not worth the effort. Rasheed187, looks like you're out of luck on this one.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Sorry guys for the confusion. I already know which reg keys are protected by Outpost. But it was just a general question to itman, since I know he loves to tweak his HIPS settings. So I wondered if he protected all the keys that are displayed in AutoRuns.

    Yes, this is something that also annoys the hell out of me.
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Share with us, please?
    I get the drift of what they protect, but not a clean list.
     
  12. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Nice... more reg keys to monitor!
     
  13. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    « The main issue I see with Outpost's HIPS User mode hooking is ... is the most primitive ... »

    No interest; hackers like user-mode hooks, primitive or not, but they don't like UAC and PatchGuard.

    Windows (and you) is your best defender ...

    Outpost, Eset, and others love your money, buy them! It's good for business.

    https://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx

    « and if an application crashes, the crash is limited to that one application »

    « If a kernel-mode driver crashes, the entire operating system crashes. »

    You see a difference?
     
    Last edited: Nov 20, 2015
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    If you want a list I can't help you, perhaps you can ask on the Outpost forum? You can of course also try to make screenshots, and if you cannot resize the windows, you might want to check out ResizeEnable:

    http://www.digitallis.co.uk/pc/ResizeEnable/
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not sure why you're bringing this old discussion up again. Nowadays HIPS can offer the same protection level as on Win 32-bit; the only thing they can't do is hook the kernel. M$ addressed this years ago by developing APIs, which give HIPS the opportunity to monitor the same stuff. Don't forget, most malware can also not use kernel-mode hooking anymore. It's not that easy to bypass "Kernel Patch Protection" from what I've read.
     
  16. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    « M$ has addressed this years ago by developing API's, which gives HIPS the opportunity to monitor the same stuff »

    « which gives HIPS » … HIPS is a behavior blocker in people's heads; the only behavior blocker now is UAC. Proactive firewalls can just use dynamic heuristics, no HIPS since Vista. You want a hammer? …

    « same stuff », certainly not! Take the hammer and hit your head.

    Malware may attempt to remove the user-mode hooks; can it remove UAC? No.

    HIPS is a placebo in your wooden head.

    Antivirus is a placebo? … maybe.
     
    Last edited: Nov 21, 2015
  17. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    If the NSA loves you …

    Your true defence is not antivirus and HIPS; you are crazy to think it.

    First, do the Windows updates, do the same for Firefox, Flash and Adobe, delete Java if possible, and kill Edge and Internet Explorer.

    Antivirus? Kaspersky – Windows Defender = 5 or 10 % detection, pfff!

    Firewall? The only firewall is WFP, you have no choice; Windows Firewall is a good GUI. Outbound filtering? No malware, no bad outbound traffic.

    Configure EMET 5.5.

    And say no when UAC asks about something … NO!!!

    Give the saved money to poor people ...
     
  18. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    " UAC is a joke "

    Ok! Bye McAfee and a good HIPS, bye!
     
  19. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    don't be a propaganda victim.

    there IS indeed a HIPS module in agnitum's OPFW and OSS x86 AND x64. you can turn off/on component control in the advanced settings, but it is there. you can also edit the 'known components' list it produces. current version is 9.2 and is win7, vista, win8.x, win10 compatible. some xp users have trouble with 9.2 & use 9.1 instead (fixes due soon i hope for y'all's sake). there is also a section that prevents changes to the registry, as well as the one that (somewhat irritatingly) pops up to warn you of executable changes.
    [attachment: Capture 001.jpg]

    oh, and outpost is NOT a front end gui for windows firewall, which you can/should turn off if using outpost.
     
    Last edited: Nov 22, 2015
  20. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I don't think UAC is supposed to be mentioned in the same sentence as HIPS. Dragging UAC through the mud to see if it ends up side by side with HIPS; all that will give you is arthritis in your fingers and a wasted post. My interpretation of UAC is a kick-in feature when a user needs to run an application in their LUA, but requires Administrative privileges. Hence, the pop-up asking for Administrator password.

    In the UAC description when the toggle is raised all the way to the top reads:
    1) Programs try to install software or make changes to my computer
    2) I make changes to Windows settings

    The take-home message with this is, it'll only prompt if it requires Administrator privileges to execute. This, in my opinion, isn't preventing a host intrusion, it is merely reminding the user that something is going on that requires a higher privilege than a Standard User. It is sorta' fool-proof; without a password it cannot be promoted, and without a password it cannot continue.

    UAC, with everything Microsoft, was not designed to do "everything". If it was, then Windows Defender would be detecting in the 99th percentile as opposed to the 5-10% range, AppLocker/BitLocker (whatever the hell it is called) would be available on all Windows OS instead of just Enterprise, and the MS firewall would include packet filtering features and provide its own Connections Log (proper one, not just the tedious entries in Event Viewer).
     
  21. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,076
    Location:
    UK
    Off-topic posts removed.

    Please concentrate on posting about Outpost and not making remarks about other members.
     
  22. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    http://dl2.agnitum.com/pr/Kernel_mode_hooks_or_user_mode_hooks.pdf

    « In simple terms, they could be referred to as “front end” and “back end” modes respectively. »

    Outpost is a back end with PatchGuard and 64-bit?

    « Hook disabling (unhooking).

    - User-mode hooks

    Can be compromised if user mode hooks are not properly protected. Each method of user-mode hook protection requires specialized countermeasure to dismantle defenses.

    64-bit Windows compatible: Yes

    - Kernel-mode hooks

    Can be compromised when the Administrator account is used. Most users have administrator rights as the default setting on their PCs.

    64-bit Windows compatible: No, because of Microsoft PatchGuard requirements »

    Where is the HIPS in 64-bit?

    http://www.outpostfirewall.com/forum/showthread.php?27593-NSA-Backdoors-In-Firewalls/page2

    « Originally Posted by PhilGreg
    Several years ago I posted a question to Agnitum about backdoors. I cannot recall the exact words but in essence I asked if Agnitum would install a backdoor into its firewall if requested to do so by any government. Agnitum's response was 'Yes'. »

    Where is the propaganda?
     
    Last edited: Nov 23, 2015
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I agree, I really don't know what he's talking about.
     
  24. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    Outpost 9.3 released today; fixes syrnix's handle leak problem, as well as significant speed improvements and WinXP on non-SSE2 CPUs. Available via the 'download' buttons on the www.agnitum.com products pages.
     
  25. Cabville

    Cabville Registered Member

    Joined:
    Feb 19, 2014
    Posts:
    66
    It's quite obvious that Boblvf doesn't know what he is talking about. He is basically arguing that the inability to run on ring 0 means it isn't a HIPS. That's basically like arguing that the local police are not law enforcement because they aren't the FBI.
     