Process Guard Rootkit prevention - in need of an update?

Discussion in 'other anti-malware software' started by nicM, May 8, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    PG has several bad holes. Even its author confirmed this.
     
  2. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    No need for stupid and aggressive comments, if you do not understand what you were reading.
     
    Last edited: May 27, 2007
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, can someone give a summary, what exactly doesn't SSM protect against? So if you're executing a certain app, it isn't able to prevent this app from installing a service/driver? This would be quite a serious bug, very disappointing. :cautious:
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, and I have made a thread at SSM forums.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Waiting for nicM!
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I understood. PG blocks. That is what it is for. I don't see any holes in PG blocking. Humans have holes though as they may tell PG to allow a baddie onto their system but that is the human's error not a hole in PG.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK so PG blocks it now? And which other HIPS fail against this? What about Neoava Guard? And I wonder if it's a matter of not knowing about this technique, or if it's a bug in certain of these HIPS. As a developer of a HIPS you should know about most if not all techniques used by malware IMO.
     
    Last edited: May 31, 2007
  8. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    No, it doesn't. All PG can do against it is prevent the file from running. But as far as we are talking about rootkit protection, the goal is not reached:

    * This rootkit needs a driver,
    * PG is supposed to block driver loading,
    * BUT it doesn't here >> It fails, period.

    I repeat once again that yes, blocking the file from starting does block the rootkit, but from the perspective of a rootkit protection test, this argument isn't valid: it should intercept driver loading. In this scenario, by blocking process execution, all you block is the test itself.

    Suppose this rootkit is embedded in a file you need to run (a program installer), which you do not know, of course: what would you do?

    By analogy with leaktests again: do you consider that a firewall passes a leaktest if you block its process execution with the FW?? >> reductio ad absurdum :D

    OK, but can I ask why you got PG Full, since your point of view implies that the free version is enough, if the only protection you expect from it is process execution? What do you use its advanced features for? Obviously not for protection, since you say this is useless...


    Note that although this thread was at first about PG, PG is in fact not the only program involved here, since some other HIPS fail these tests too.

    I got another one of these rootkits, which is able to escape from Sandboxie, for example, although it was able to block the previous one. Here again, this rootkit blinds most of the HIPS once it is running: the GUI of the program keeps running, the status seems OK, but the program is in fact unable to intercept anything. Another kind of "kill" method: the program doesn't work anymore. Blocking such threats is important, isn't it?

    So when people say they don't care as long as they can prevent these rootkit files from executing, OK, fine... But I do not think everyone will be satisfied with such weak protection (weak, since you just can't prevent every file from executing...). Especially when some programs are able to block the same threats, and some are unable.

    All these tests have proved is that some programs are more "advanced" than others regarding their abilities against some new threats; end of story.


    About Neoava: does it monitor service/driver installs?
     
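The point nicM makes in the post above (a dropper that gets its driver loaded while the HIPS is running is a failed test, whatever the process-execution prompt did) is worth pinning to the two artefacts a Windows box leaves behind when a kernel driver is installed. The Service Control Manager logs System event 7045 ("A service was installed in the system") when a service is created through it, and the loader itself reads the driver's key under HKLM\SYSTEM\CurrentControlSet\Services (Type 1 = kernel driver, 2 = file system driver). A driver that was loaded by writing that key directly and calling NtLoadDriver never passes through the SCM, so it leaves no 7045 record; that is one load path a HIPS which only watches the service API does not see. The script below is an added example written for this page, not code from the thread or from any of the HIPS discussed: it parses a constructed Event Viewer text export and a constructed .reg export of the Services key, and flags drivers whose image sits outside %SystemRoot%\system32\drivers, driver keys with no 7045 event, and 7045 driver installs whose key no longer exists. All input is embedded sample data; the script assumes an XP-era layout with %SystemRoot% = C:\WINDOWS, and the .reg sample uses plain quoted ImagePath strings where a real export would carry hex(2) REG_EXPAND_SZ data.

```python
"""Cross-check two Windows views of "a kernel driver was installed": System log Event
ID 7045 (SCM: "A service was installed in the system") and the Services registry key
(Type 1 = kernel driver, 2 = file system driver). Added example; all data is constructed."""
import re
from collections import namedtuple

DRIVER_TYPES = {0x1, 0x2}                         # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
TYPE_NAMES = {"kernel mode driver": 0x1, "file system driver": 0x2, "user mode service": 0x10}
SYSTEM_ROOT = "c:\\windows"                       # assumption: XP-era %SystemRoot% = C:\WINDOWS
TRUSTED_DRIVER_DIR = "%systemroot%\\system32\\drivers\\"
OUTSIDE_DRIVERS_DIR = "driver image outside %SystemRoot%\\system32\\drivers"
NO_7045_EVENT = "Services key with no 7045 install event (direct registry write, or log cleared)"
NO_SERVICES_KEY = "7045 driver install with no surviving Services key (loaded, then cleaned up)"
ServiceRecord = namedtuple("ServiceRecord", "name image_path service_type")

# Constructed Event Viewer text of 7045 records (Start Type / Account fields omitted).
EVENTS_7045 = r"""
Event ID: 7045
Service Name: Beep
Service File Name: \SystemRoot\System32\Drivers\Beep.sys
Service Type: kernel mode driver

Event ID: 7045
Service Name: Spooler
Service File Name: C:\WINDOWS\system32\spoolsv.exe
Service Type: user mode service

Event ID: 7045
Service Name: testdrv
Service File Name: C:\DOCUME~1\user\LOCALS~1\Temp\testdrv.sys
Service Type: kernel mode driver

Event ID: 7045
Service Name: gonedrv
Service File Name: C:\WINDOWS\Temp\gonedrv.sys
Service Type: kernel mode driver
"""
# Constructed .reg export; real exports store ImagePath as hex(2) REG_EXPAND_SZ, not handled here.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"ImagePath"="System32\\Drivers\\Beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\testdrv]
"Type"=dword:00000001
"ImagePath"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\testdrv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hiddendrv]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\Temp\\hiddendrv.sys"
"""
_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
_VAL_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', re.I)

def _blocks(text):
    """Split a text export into blank-line separated blocks of lines."""
    return [b.splitlines() for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]

def parse_7045_events(text):
    records = []
    for lines in _blocks(text):
        fields = {k.strip(): v.strip() for k, v in (ln.split(":", 1) for ln in lines if ":" in ln)}
        if fields.get("Event ID") == "7045":
            records.append(ServiceRecord(fields["Service Name"], fields["Service File Name"],
                                         TYPE_NAMES.get(fields["Service Type"].lower(), 0)))
    return records

def parse_reg_services(text):
    records = []
    for lines in _blocks(text):
        key = _KEY_RE.match(lines[0])
        if not key:
            continue                              # file header or an unrelated key
        values = {}
        for m in filter(None, map(_VAL_RE.match, lines[1:])):
            name, dword, string = m.groups()      # .reg doubles backslashes inside quoted strings
            values[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
        if "Type" in values:
            records.append(ServiceRecord(key.group(1), values.get("ImagePath", ""), values["Type"]))
    return records

def normalize_path(path):
    """Lower-case; drop the NT \\??\\ prefix; fold %SystemRoot% spellings; resolve relative paths."""
    p = path.strip().lower()
    p = p[4:] if p.startswith("\\??\\") else p
    for prefix in ("\\systemroot\\", SYSTEM_ROOT + "\\"):
        if p.startswith(prefix):
            return "%systemroot%\\" + p[len(prefix):]
    # other absolute / NT-namespace paths stay as is; a relative ImagePath is resolved against %SystemRoot%
    return p if p.startswith("\\") or re.match(r"^[a-z]:\\", p) else "%systemroot%\\" + p

def audit(events_text, reg_text):
    """Return {service name: sorted reasons} for kernel/FS drivers that look wrong."""
    events = [r for r in parse_7045_events(events_text) if r.service_type in DRIVER_TYPES]
    keys = [r for r in parse_reg_services(reg_text) if r.service_type in DRIVER_TYPES]
    seen_in_log = {r.name.lower() for r in events}
    seen_in_reg = {r.name.lower() for r in keys}
    findings = {}
    for rec in events + keys:
        if not normalize_path(rec.image_path).startswith(TRUSTED_DRIVER_DIR):
            findings.setdefault(rec.name, set()).add(OUTSIDE_DRIVERS_DIR)
    for rec in keys:
        if rec.name.lower() not in seen_in_log:
            findings.setdefault(rec.name, set()).add(NO_7045_EVENT)
    for rec in events:
        if rec.name.lower() not in seen_in_reg:
            findings.setdefault(rec.name, set()).add(NO_SERVICES_KEY)
    return {name: sorted(reasons) for name, reasons in findings.items()}

if __name__ == "__main__":
    for name, reasons in sorted(audit(EVENTS_7045, REG_EXPORT).items()):
        print(name + ": " + "; ".join(reasons))
```

This is after-the-fact evidence, not the interception nicM is asking for: a rootkit that is already in kernel mode can delete its own key and clear the event log, so an empty report proves nothing, while any finding is worth acting on. On a live system the two inputs would be the System log and a `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump, ideally taken from a clean boot or offline, for exactly that reason.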
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    nicM, now you're just being scary! Perhaps you can share that program that evades SandboxIE with the developer? On the other hand, it was about time something concrete was shown about potential/real weaknesses in SandboxIE.

    Yes, Neoava is supposed to block service/driver installs.
     
  10. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    That wasn't my intention, Pedro, it was just a way to realign the debate on the actual stakes. The Sandboxie dev will get the file.

    Thanks for the info about Neoava, will test it then.
     
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    hello nicM, what's the name of this rootkit? did you test it vs things like defensewall or geswall? if so, did they also fail?
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, I guess that this rootkit uses an API call which isn't hooked (yet?) by Sandboxie, right?
     
  13. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Last edited: Jun 1, 2007
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It was a bit of a joke :D (I didn't mean I was actually scared). Turns out it's an API that should be hooked (lol, here we go, hook and Peter Pan).

    Thank you for shedding some light. I'm now concentrating on not running files (exe blocking) rather than containing infections. BTW, can you say what you think of this?

    Your input would be much appreciated, by me specially.
     
  15. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @nicM

    thanks bro. you're worth 10x's your weight in gold ;)
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Especially as GeSWall is passed. :D :D
     
  18. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi nicM, I am a bit confused, the rootkit you tested against OA was already tested by you against other HIPS and the results are as follows:

    Passed: DSA, PS, GeSWall, DefenseWall, Sandboxie, OA2
    Failed: SSM free and paid, EQSecure, Neoava Guard

    Am I right?

    OK, now what about the rootkit that bypassed Sandboxie? Seems to be some other one. Its name?
    Did you test it against other sandboxes, HIPS?

    Thanks
     
  20. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    That's right, I realized the results might not be clear at all since there are several test files used. On the other hand, these are just off-the-cuff tests, and I post results for apps people ask about: do not ask for a nice Excel table please :D , Lol

    So far, the results are as you said for the 1st file (with one detail: ProSecurity Full passes, free does fail).

    Tested with the 2nd one so far: DefenseWall, GeSWall and ProSecurity Full, passing (didn't post screenshots though). Sandboxie did fail. Other apps were not tested yet, but I'll do it, just give me some time :) .

    edit: I've edited a previous post to make it clearer

    Thanks, zopzop, but I feel embarrassed now, Lol :D

    Pedro, I agree with the "if it can't execute, it can't harm" statement (and always did; some people were mistaken about my opinion here because we were talking about tests), but it remains that sandboxing offers some more flexibility in your protection anyway: the fact that sandboxes are able to let files run without cutting security down, because sandboxed threats are usually unable to harm, allows you to have a more "risky" behaviour than with an execution prevention policy.

    For example, in the case of execution prevention with "GUI disconnected" or whatever you call it, it does protect, but it prevents you from starting good apps too, if these apps were not allowed before the GUI disconnect; with sandboxes you do not have these problems. Not to mention scripts, which are launched sandboxed too when coming through "threat-gates". Usually, execution protection doesn't protect against script-based malware (with some exceptions however, depending on the content of the allowed apps list).

    Now, sandboxes can fail too, and then the help of execution prevention can prove useful.

    Why not run both? :D
     
    Last edited: Jun 1, 2007
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi nicM, thanks. It's OK, great tests by you, I really did not want results in tabulated form etc. but was actually confused by your post; now after the edit, it is much clearer.

    Thanks for your time to do these tests on our request.

    I expect that the second rootkit can't be distributed either. I was curious about EQSecure (new user!!).
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Wow, this sucks quite badly, my favorite tools (SSM Pro, Neoava and Sandboxie) fail against this stuff. Seems like they didn't do their homework, at least not well enough. :gack:

    About SBIE, are you saying that even when run in the sandbox it manages to install a driver? This really sucks. :cautious:
     
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Online Armor is standing up, hey? Mighty interesting, I didn't know it could be that good at detecting this kind of behavior. Good firewall, execution prevention, browser protection etc., detects keyloggers, rootkit installation, and can incorporate Kaspersky AV?

    This is an interesting all in one. I hate those, but this one starts to make sense. And it's not like i have to choose KAV, i can save some bucks and go with Avast! still.
     
  24. Red Dawn

    Red Dawn Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    116
    If I'm correct, wasn't the topic based on PG, updates, the company, etc.? Seems like 20 different topics in one now. I'd like to know if ANYONE knows the status of Wayne and DiamondCS: are all products now dead, are they revamping, anyone know?
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The topic is based on the inability of PG Full to stop a driver installation once the rootkit dropper is executed.
    Nobody knows what's happening with DiamondCS.

    nicM,
    Could you test this rootkit against Samurai HIPS (a hardening tool)? It should give a prompt when a driver attempts to install.
    Thanks.
     