iDefender (new HIPS for Windows)

Discussion in 'other anti-malware software' started by Rasheed187, Sep 20, 2025.

  1. TerryWood

    TerryWood Registered Member

    Hi @ Nastrahl & Trustsing

    Thanks for that

    Terry
     
  2. TerryWood

    TerryWood Registered Member

    Hi @ Trustsing

    When you say "right click on the blocking event and select Trust Process or Trust Target to quickly unblock it"

When I right click the event I am offered the following trust options:
1) Add Process To Global Trusted Processes
2) Add Process To The Trusted Processes Of Current Rule
3) Add Target To The Trusted Targets Of The Rule
4) Add Process & Target To The Trusted Processes And Targets Of The Current Rule

This is somewhat different to your explanation, i.e. Trust Process or Trust Target. Am I in the right place? If I am, which do I choose?

    Thank you

    Terry
     
  3. Rasheed187

    Rasheed187 Registered Member

    Good to see you again on the forum, seems like a nice update. I understand you are quite busy, but can you also answer a couple of technical questions? Like what type of code injection methods are monitored, how does ransomware protection work (does it also rollback files) and what about trust? A lot of people don't trust Chinese software, so do you guys collect telemetry, can you say something about this, to remove people's doubt? No offense, of course.

    OK thanks, so you can still use it.
     
  4. Rasheed187

    Rasheed187 Registered Member

No, I understand, but the point is that this is most likely not malicious software, so I have no clue why Avira flags the website. Or are you saying that it also flags the .exe file?
     
  5. anon

    anon Registered Member

    "Avira Security Warning: Unsafe website"
     
  6. TerryWood

    TerryWood Registered Member

    Hi @ Wilders

    How does the HIPS component in Windows Defender (ASR) compare with that in iDefender?

    Thanks

    Terry
     
  7. Trustsing

    Trustsing Specialist

    Code injection primarily involves two main steps: writing shellcode and executing shellcode. The methods supporting shellcode writing include AllocateProcessMemory, WriteProcessMemory, ProtectProcessMemory, and MapViewOfSection. On the other hand, there are numerous ways to execute shellcode, but monitoring is limited to methods such as QueueUserAPC, CreateRemoteThread, and SetThreadContext. However, the prerequisite for execution is writing shellcode. By monitoring the writing of shellcode, injection behaviors can be detected. As long as there are shellcode-related activities, they can be detected. Moreover, it incorporates the detection of both Direct Syscall and Indirect Syscall techniques to accurately identify injection activities.

    The detection principle for ransomware is based on a combination of increased file entropy and other file operation characteristics for comprehensive judgment. Some of the logic is similar to HitmanPro.Alert, but there is no file rollback mechanism.

    Is telemetry data collected?
    Currently, events that trigger built-in rules and generate prompt notifications are collected. The collected data includes the calling process path, calling process signature, rule name, and operation target. No personal privacy information is included. This data is used to improve the accuracy of built-in rules and reduce false positives. Once false positives are resolved, the data is promptly deleted and not stored long-term. No additional information is collected.
    In the next version, a detailed explanation will be added, and we are considering including a toggle option to allow users to disable this telemetry data collection.
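The two-step model Trustsing describes (a cross-process memory write, then an execution primitive on the same target) can be expressed as a small stateful detector. This is an added illustration, not iDefender's code; the event format, the `syscall` field and the sample event stream are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# "Write shellcode" primitives named in the post: every cross-process injection
# needs one of these before anything can run in the target.
WRITE_APIS = {"AllocateProcessMemory", "WriteProcessMemory",
              "ProtectProcessMemory", "MapViewOfSection"}
# "Execute shellcode" primitives the post says are monitored.
EXEC_APIS = {"QueueUserAPC", "CreateRemoteThread", "SetThreadContext"}

@dataclass(frozen=True)
class ApiEvent:
    pid: int                  # calling process
    api: str                  # hooked API name (hypothetical event format)
    target_pid: int           # process whose memory or threads are touched
    syscall: str = "normal"   # "normal", "direct" or "indirect" (assumed field)

def detect_injection(events):
    """Return alerts as (caller_pid, target_pid, verdict) tuples."""
    writes = defaultdict(set)   # (caller, target) -> write APIs seen so far
    alerts = []
    for ev in events:
        if ev.pid == ev.target_pid:
            continue            # a process writing its own memory is not injection
        key = (ev.pid, ev.target_pid)
        if ev.api in WRITE_APIS:
            writes[key].add(ev.api)
            # The write alone is enough to alert; direct/indirect syscalls are
            # called out because they are meant to slip past user-mode hooks.
            how = "" if ev.syscall == "normal" else f" via {ev.syscall} syscall"
            alerts.append((ev.pid, ev.target_pid, f"cross-process write {ev.api}{how}"))
        elif ev.api in EXEC_APIS and writes[key]:
            # Execution primitive after a write to the same target: escalate.
            chain = "+".join(sorted(writes[key]))
            alerts.append((ev.pid, ev.target_pid, f"injection {chain} -> {ev.api}"))
        # An EXEC_API with no prior write (a debugger, for instance) is left alone.
    return alerts

# Constructed sample event stream, not captured from iDefender.
SAMPLE_EVENTS = [
    ApiEvent(1000, "AllocateProcessMemory", 2000),
    ApiEvent(1000, "WriteProcessMemory", 2000, syscall="indirect"),
    ApiEvent(1000, "CreateRemoteThread", 2000),
    ApiEvent(3000, "SetThreadContext", 4000),     # no prior write: not flagged
    ApiEvent(5000, "WriteProcessMemory", 5000),   # self-write: ignored
]

if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_EVENTS):
        print(alert)
```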
     
  8. Mr.X

    Mr.X Registered Member

    @Trustsing thanks a lot for the detailed info.
     
  9. Rasheed187

    Rasheed187 Registered Member

That's what a lot of people don't understand: you can't really compare WD with a tool like iDefender. WD's behavior blocking is mostly cloud based, but once an app is deemed safe, it won't alert you about app behavior; that's where HIPS like Comodo, SpyShelter and iDefender come into play.

    OK I see, then Avira should explain why it considers the website to be unsafe.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Thanks for the info! So when you look at the article, will iDefender be able to block all of these methods? I suppose iDefender will at the moment already detect process hollowing?

    https://www.elastic.co/blog/ten-pro...-technical-survey-common-and-trending-process

    OK I see, so at least in theory ransomware should be detected. But perhaps it's not yet as good as HMPA and AppCheck.

    Yes, this would be a good idea, and of course no files should be collected either. BTW, I have no interest in the AV, I think you guys should purely focus on the HIPS. Let's face it, most users already use Win Defender.
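The entropy-plus-file-operation heuristic Trustsing outlined in post 7, which this reply weighs against HMPA and AppCheck, as an added example (not iDefender's, HMPA's or AppCheck's code): the thresholds, the extra characteristics and the sample writes are assumptions, and the point of the combination is that one high-entropy save on its own stays quiet.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Thresholds are assumptions for this example, not any product's tuning.
HIGH_ENTROPY = 7.0   # what encrypted or compressed content usually exceeds
MIN_RISE = 2.0       # jump from old to new content needed to count as "encrypted"

def judge_write(old_name, new_name, before: bytes, after: bytes):
    """Score one file write by combining the entropy rise with other
    characteristics of the operation. Returns (score, reasons)."""
    reasons = []
    e0, e1 = shannon_entropy(before), shannon_entropy(after)
    if e1 >= HIGH_ENTROPY and e1 - e0 >= MIN_RISE:
        reasons.append(f"entropy {e0:.1f}->{e1:.1f}")
    if new_name != old_name:
        reasons.append("renamed")          # e.g. a new extension appended
    if before[:4] and after[:4] != before[:4]:
        reasons.append("header replaced")  # original magic bytes gone
    return len(reasons), reasons

def ransomware_like(writes, min_files=3):
    """Flag a process only when several of its writes each score on at least
    two characteristics; a single high-entropy save never reaches this."""
    suspicious = sum(1 for w in writes if judge_write(*w)[0] >= 2)
    return suspicious >= min_files

# Constructed sample data, not real files.
TEXT = b"Quarterly report: revenue, costs, headcount.\n" * 40
ENCRYPTED = bytes(range(256)) * 8     # entropy exactly 8.0, a stand-in for ciphertext
SAMPLE_WRITES = [
    ("a.docx", "a.docx.locked", TEXT, ENCRYPTED),
    ("b.xlsx", "b.xlsx.locked", TEXT, ENCRYPTED),
    ("c.pdf",  "c.pdf.locked",  TEXT, ENCRYPTED),
]
BENIGN_WRITES = [
    ("notes.txt", "notes.txt", TEXT, TEXT + b"more text\n"),  # ordinary edit
    ("backup.zip", "backup.zip", b"", ENCRYPTED),             # new archive, nothing overwritten
]

if __name__ == "__main__":
    print(ransomware_like(SAMPLE_WRITES), ransomware_like(BENIGN_WRITES))
```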
     
  11. Rasheed187

    Rasheed187 Registered Member

    BTW, somebody else already asked this, but is there a way to manage app rules? And a simple network monitor would be nice too.
     
  12. Trustsing

    Trustsing Specialist

    All methods are supported, but not on a per-rule basis. The built-in code injection supports all cross-process active injection methods. Passive injection methods such as AppInit_DLLs, AppCertDlls, and IFEO fall under persistence rule items. SetWindowsHookEx does not have a built-in rule, but a rule template is available and can be enabled. Methods like Process Hollowing are included in the process tampering rules. iDefender supports the detection of all known attack methods (though some may have relatively high false positives, and rules are being optimized to reduce them). If any method is not supported, samples can be provided for analysis to add detection support.

    AV is dead, HIPS is eternal. AV is a solution that requires massive and continuous investment, yet it cannot handle scenarios like fileless attacks, making it an outdated technology. Even though there are many new AI-based AV solutions, they cannot change this trend. We offer AV primarily to validate the effectiveness of such machine learning algorithms. In the future, we will apply machine learning algorithms to behavior-based detection, combining them with EDR attack graphs to achieve automated attack behavior detection, rather than relying on manual operations.

    Additionally, the iDefender 5.x version will cover the detection of all behaviors while establishing a graph-based behavioral analysis system. The 6.x version will build a truly intelligent inspection system based on AI or machine learning. Stay tuned. (The manual HIPS will continue to exist.)
     
  13. Trustsing

    Trustsing Specialist

    iDefender never collects files, nor does it need to collect files. Even for the AV functionality, reporting false positives only involves submitting feature information required for machine learning, with no need for any file content.
     
  14. Rasheed187

    Rasheed187 Registered Member

    I wouldn't say AV is dead, but I understand what you mean. The way I see it, is that AV is the first line of defence, while HIPS is the second line. So AVs will try to block malware from even executing (pre execution), while HIPS give you a chance to block suspicious behavior (post execution). Of course a lot of AVs have already implemented a behavior blocker/HIPS, but I prefer a standalone HIPS.

    This sounds pretty cool, it's sort of like an EDR. But a manual HIPS should indeed continue to exist, for power users who like to get full control over app behavior, even from trusted apps. That's why I asked where you can manage app rules, is this present or not?

    If these methods are NOT monitored on a per-rule basis, does this mean that you will NOT get any alerts and iDefender will autoblock stuff? I would rather have it alert me when certain APIs are triggered. So DLL injection, PE injection, Hook injection should trigger alerts. And it would be nice if iDefender would automatically block process hollowing, APC injection and IAT hooking, to avoid causing too many alerts. Would this be possible?
     
  15. Rasheed187

    Rasheed187 Registered Member

OK this is pretty cool, because with cloud based AVs, you never really know what goes on in the background. I guess you either trust them or not. That's why I asked you if it's a good idea to use Kernel Enhanced Defense, because it would modify the SSDT and make iDefender act as a rootkit, like HIPS back in the day on Windows XP. But I see you have provided some more info; apparently it's compatible with PatchGuard? Not sure what this means.

    https://idefender.net/help/faq.html#q3-what-is-enhanced-defense-and-kernel-enhanced-defense
     