Some test ;)

Discussion in 'other anti-malware software' started by MagisDing, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    In case of Comodo 3.5, I am able to block all executables, except for htaab.exe, from running by blocking the first alert I get - the "explorer.exe is trying to execute..." alert. Is this the alert you are referring to? Or is this the alert before the executable tries to run itself? Because I am not certain if blocking explorer.exe from running the sample is blocking the malware or explorer.exe. For htaab.exe, even when I block explorer.exe from running it, it fails to stop it, and I get alerts for all further accesses of the sample, blocking which, again, does nothing but freeze my PC. Now this is unacceptable, since this is the most basic of all that a HIPS should do.
     
  2. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yes, it is unacceptable, since this is the most basic of all that a HIPS should do.
    You're right. That's why, for me, Comodo is history.

    What you described is basically what I found. I specifically remember clicking on the stop test executables and Comodo producing ZERO popups.
     
  3. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    DriveSentry failed all tests -- how is this able to bypass most HIPS?

    Can someone test ThreatFire?
     
  4. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    After testing again, I am able to stop all the samples from running by blocking the first access, i.e., the initial explorer.exe one. So I was wrong. Maybe you hadn't tested properly either?
     
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Thanks for the results, Toby. It is a good test. DefenseWall is the one that has passed most of them, except stop2.exe.

    Hmm, so far no product has passed the stop2.exe test without patches.

    And

    I have a question for everyone.
    When vendors make patches where their products have failed tests, like in this case where Comodo has fixed its product, do they fix and patch up the actual method that the test used to bypass it, so that other tests and malware can't use the same method? Or do they just simply block the test program from bypassing their security product? Because you've got to admit Comodo fixed it quite quickly.

    Also, I have retested MD and it fails htaac.exe and stop2.exe. Of course, MD does throw up a pop-up to begin with, asking whether it can be executed or not. But MD can't control their behavior if you let them run. Maybe there are some more hardening settings I can apply? But I have hardened it as much as I know how.
     
  6. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    I am wondering the same thing!
     
  7. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96

    Something I would like to know too. Just adding code every time to pass a certain test doesn't really help. It is about strengthening the defenses at a deeper level, to protect from a wider range of threats.
    Getting bypassed is inevitable, but not every other day. Kinda makes a HIPS somewhat similar to blacklisting technology.
     
  8. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    A HIPS alone can give the protection that you get with layered security, if you know how to answer alerts. Since all HIPS act as anti-executables, they should be able to prevent any executable from running; you are 100% if you know how to answer alerts. In case of rare mess-ups, you might require a sandbox-type application, and I use GeSWall for that. The technology "restriction" explains protection better than "containment". IMO, of course.
     
  9. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    But then why are most HIPS failing this test? They aren't preventing these executables from launching.
     
  10. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    They are. If you look at arran's test post, he states it. If you mean the leak test, then that is what a leak test is, isn't it? A test (technique) that is able to leak (bypass) the defenses.
     
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    They can prevent them from launching. It's controlling their behavior when they are running that this test is about.
     
  12. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    When I click on any of these programs, DriveSentry does not alert me to anything... this means that the programs are successfully able to execute, right? I am confused.
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    So when you click on, say, stop.exe and stop2.exe, DriveSentry gives you no alerts at all and your PC locks up?

    Sounds like the same experience I had with Comodo. If this is the case, then DriveSentry can't be very good at preventing executables from launching. LOL
    If DriveSentry can't prevent them from launching, what hope would it have of controlling their behavior?
     
  14. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Yes, exactly - no alert -- nada -- nothing -- zilch
     
  15. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Arran, you said in your earlier post

    "Process Guard and EQS failed the Stop2 and htaac and maybe 1 or 2 others I can't remember which."

    When you say "failed" did EQS give you an alert or it did not?
     
  16. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Maybe DriveSentry doesn't have an anti-executable-like function. Though it isn't a classical HIPS, it is pretty hard to believe that it won't stop an executable from launching.

    But as long as the executable cannot get itself to run, bypass doesn't come into the picture.
     
  17. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Testing malware all the time with DriveSentry, and it has never failed me... always detecting each write to the drive... but this test... it fails.

    I have sent the sample to Katie with DS.
     
  18. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yes, they did give alerts to start with, asking if they can be launched.

    But they didn't give any more alerts after that, and they were unable to control their behavior, so as a result explorer.exe shut down or the PC locked up. That is why they failed.
     
  19. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    There is a high probability that a malware somewhere can bypass Sandboxie. You don't use an anti-malware product particularly with the intent of filling the holes left by a HIPS-type software. By holes, I mean attack techniques. You don't use products just to cover up each other's bypasses. The reason to opt for layered security varies from opinion to opinion. But how you prefer to implement it is certainly not one.
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yeah, well, it's already been proven in this thread that with Sandboxie default settings malware can easily bypass Sandboxie.
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    ...and accomplish what? I have yet to execute any malware sandboxed with default settings that permanently affected the host.
     
    Last edited: Apr 30, 2009
  22. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    The tests that we have been talking about in this thread prove that it is possible for malware to bypass Sandboxie and cause damage to the host. Just because you haven't found any malware yourself which can, doesn't mean to say that no such malware exists.
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Malware that infects and permanently changes the system.

    Which "malware"?
     
  24. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    All that was proven was that a sandboxed POC app can terminate explorer.exe or use BlockInput to disable the mouse and keyboard. Hardly the "damage" one would expect from malware.

    Well, I guess Sandboxie users will have to cross that bridge when we get to it, but I would not hold my breath waiting for that to happen.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    :blink: :thumb:
     