Rootkit Defense with HIPS?

is it possible for a rootkit to be installed if its driver is blocked from installing, or are there other methods for rootkits to install themselves? i am using windows xp professional sp3.

with this in mind, i am looking for a free hips right now to protect against rootkits. i do not care about anything else except this one feature (and keylogging protection i suppose, but most of the top hips seem to have keylogger protection built in already). i know plenty of experts frequent this forum, so does anybody have any suggestions? i tried most of the top programs at matousec here: http://www.matousec.com/projects/proactive-security-challenge/results.php

here are my thoughts on the free ones or trial versions of the paid ones, with the limited knowledge i have -

kaspersky: has a secret whitelist that you cannot disable according to a moderator on kaspersky's forums. zemana's keylogger test is on this whitelist. i do not want to use a program that has a whitelist i cannot control.

online armor free: does it stop driver loading? i couldn't find the option anywhere. if this feature does exist, you would have to enable or disable it for every program. you cannot simply enable or disable the detection of driver loading for all programs by having certain boxes checked like in eqsecure and comodo.

comodo: comodo allowed drivers through! see this thread: https://www.wilderssecurity.com/showthread.php?t=250833 otherwise it would be perfect.

outpost free: outpost greatly increases my fan speed. a quick analysis using the open source program process hacker ( http://sourceforge.net/projects/processhacker/ ) shows that the i/o is close to 300 kb/sec! this creates a lot of fan noise and slows down my computer. otherwise it would be fine, but i haven't been able to test its other features because of this problem. i imagine the paid version probably has the same problem.

pc tools: this firewall fails all the keylogger tests. this is unacceptable.

eset smart security: great virus scanner, but the firewall part provides no protection at all against rootkits. it just filters internet traffic and does nothing against driver installation.

zonealarm pro: failed to stop a number of drivers that eqsecure caught.

i am extremely tired from all this testing and i am sorely disappointed that there is not a single hips product i have found that is able to catch all the drivers that eqsecure 3.41 has been able to catch. please help! i want to use a product that is currently being developed and has at least some keylogger protection. i am at my wit's end!

 

Have you tried Drive sentry? No firewall though

https://www.wilderssecurity.com/showthread.php?t=209764&highlight=drive sentry

 

nope, i haven't tried drive sentry. i'm totally ok with not having a firewall though, since i can just use a separate firewall. i did for a long time. i looked at the features of drive sentry on its homepage, and i'm a bit curious. one of the features it lists is "antirootkit". how does drive sentry counter rootkits? does it block them from installing or is it a scanner?

 

Yes, it does it by default. The idea of OA is "you should be equally safe with ANY settings", so you would hardly see there an option that could compromise security. Until, of course, you switch into learning mode and forget to switch out

 

Why not grab the offer of a OA Premium here for free. It's extended untill tomorrow.

EDIT, btw, OA free, I'm pretty sure anything newly installed gets Unknown status, prompting for actions you are worried about, and the user is given an excellent advisory - and a default terminate process ticked box.

 

I don't know for sure. I think part of the "definition" of a rootkit is that it has a driver component.

Have you consider blocking all exe's ( this would include the driver install )
I block all unknown exe's from running using a default-deny security solution ( AE 2.2 in sig ).
LUA and SRP are also good ways of doing this.

This leaves installing programs you think are ok.
If you run the installer in sandboxie , you can then spot if it included a driver file. (Most applications don't need them, security and hardware software do )

Its a bit of a restrictive but I've gotten used to it.

 

@underdog - due lack of knowledge you mixed up some things

>> eset smart security: great virus scanner, but the firewall part provides no protection at all against rootkits.

a firewall is not to prevent system internal actions - only in/outbound to lan/web.

the av-engine from eset has no HIPS to control deeper internal actions.

And yes - OA can prevent rootkit actions.
There is a german test from subset present which compares several HIPS systems.
OA and ThreatFire had 8/10 blocked - best of 5 programs.
But meanwhile both were upgraded so the test may now 9/10 or 10/10.

ESET AV (EAV) and OA is a great combination - a² and OA ist great (not OA++ theses times)

But remember - OA is only that good you click on the right decisions (deny/allow).

 

yes, i have considered blocking all .exe files. i think this would be hugely inconvenient though because i do install stuff (not recklessly though) on a regular basis, and it would be a bit inconvenient to have to allow everything each time i run it. besides, when doing leak tests, i would rather allow the .exe file to run, then pass the test based upon the behavior of the .exe file (aside from the mere fact that it's running).

thanks for the clarification. sorry about not being clear enough. i do know that eset's firewall component is not a hips and was only meant to filter internet traffic. i'm not saying this is bad or good; all i'm saying is that if i do want a hips, i will need something else to supplement its protection.

about Online Armor, is there a way to turn off blocking for specific behavior like in comodo? for example, let's say i want to allow all dll hooking for all programs, both known and unknown. can i do this by unchecking a box like in comodo?

 

Read the manual of Online Armor! (or online help)
http://www.tallemu.com/webhelp3/UsingOA.html

In special:
http://www.tallemu.com/webhelp3/Programs.html

you have 30 days trial time before you pay - or quit.

 

thanks for your suggestion. i tried out online armor free. according to matousec, it is a solid hips, but i cannot use it, and here's why: online armor does not allow you to filter only specific behavior for all programs in general.

let me be more specific. first, on the main menu of online armor, go to "Programs" on the left side. then click the "Options" tab. this tab, according to online armor's manual, allows you to "change how Online Armor handles programs in general, rather than individual programs". this is exactly the tab under which i was hoping to see more options. this tab should allow you to, for example, disable monitoring for dll injection, or driver loading, or other types of suspicious behavior on a system, but it doesn't. in order to turn off filtering for specific types of behavior, you have to go to the other tab ("Programs") and configure the behavior for EVERY specific program. this is a lot of work, especially if you only want a hips to perform certain functions. i think if online armor added the settings they allow you to use in the "Programs" tab to the "Options" tab, i would be using the free version, if not one of the paid versions. i do not want a hips alerting me to every possible behavior on my system if i already have other forms of protection that make certain filters in the hips redundant. i'm sure there are also many other good reasons why more specific settings are desirable or even necessary in certain circumstances.

now, at first, i thought the inability to disable filtering for certain types of behavior might be a limitation only in the free version of online armor, but the manual does not distinguish. it appears to be for all versions of online armor. this means that even the paid version of online armor, unfortunately, does not provide this functionality.

certainly i understand this. however, there might be certain situations in which it would be desirable to turn off the feature to filter drivers too. suppose you were installing a lot of hardware for which you had already installed the drivers many times yourself, so that you knew the drivers were safe. wouldn't it be convenient to have the ability to turn off the feature in online armor for a few minutes? if it was truly dangerous, a warning could be popped up when the user tries to disable this feature, giving the user the ability to either proceed with caution or to cancel. besides, having the ability to disable this feature shows that the feature indeed exists in this hips after all. otherwise, there is no way to verify that it does except by doing some tests yourself.

i hope an online armor representative reads these concerns and replies. until then, i am still in search of a hips.

i forgot to reply to the part of your post mentioning threatfire. i tested out threatfire today, but it also doesn't seem to let me turn off filtering for specific types of behavior. furthermore, it turns off automatic updating unless i agree to share my settings with everyone else.

 

You could have a look at SSM.
See Options-Logging , Modules-StartMenu , and Modules-Services
for some customization options.
Its not under development , but that could be a trade off worth making. HIPS will get a lot , even if not being developed.

just minor thing about TF , I left the updates off , they are not really needed IMO, as its not signature based.

 

http://drop.io/eqsecure

has a good rep here too . although I have no idea if its a customizable as you want.

sorry , realised you already looked at this. this is a later version i think.

 

you are definitely right about HIPS catching a lot, even if not being developed, but there are still some problems. for example, you cannot install these hips on newer versions of windows. furthermore, this unhooking test here shows that even on current operating systems, a lot could more needs to be done to stop rootkits:

http://membres.lycos.fr/nicmtests/Unhookers/unhookers_results.htm

yes, this is a newer version. unfortunately, matousec hasn't tested it yet, and it is not free anymore. a pity..i considered eq secure 3.41 the single most important line of defense on my computer. i think if eq secure 4.2 is proven effective, i would buy it, but for now, i have to look elsewhere

by the way, does anybody happen to know why nod32 doesn't seem to like eq secure 4.2? (it detects it as Win32/Packed.Themida).

 

underdog the screenshot provided shows what you can do with programs in the premium version of OA dont know if that helps or not

 

OAprem and OAfree offers same.

 

thanks, but i have already seen this. all you can do in that screen is turn off filtering for specific types of behavior for ONE application, not all applications also, you cannot turn off filtering for driver loading at all, which makes that menu less useful.

 

How about KIS 2010.

It has a lot of configuration options.