Phide.exe rootkit versus HIPS

It,s a real interesting POC.

CFP Defence Plus- Failed
EQS-- Pass
GesWall- Pass
SBIE- Pass

I don,t get direct memory access pop up on my system from CFP. Others do get. I need more users to test pls.

OA free- Same as CFP, no direct memory access pop up. Any one pls?

 

aigle- You said CFP D+ failed. However your screenshot for D+ shows...

It looks to me like D+ DID alert to the nasty. Am I mis-interpreting?

 

As Bellegamin said, It looks like comodo heuristic of a possiable malware. It looks to have passed and as with hips leaving the final decision to the user.From the screenies it looks like EQsecure show no warning of a possiable virus/malware.One other thing just Noticed EQsecure says allow after 28 seconds in the bottom of screen shot does this mean if the user does not respond in the time frame it will be allow auto to run?.

 

Well, sorry if I sound harsh - but damn get a clue before making claims about "failed". CPF D+ alerts you about possible malware and asks what to do. Fail?! EQS gives some fuzzy blurb about admin privs and will autoallow (WTF?!) it in ~30 seconds. Success?!

 

I think aigle just mixed up his words for his claims and meant EQSecure failed and FYI aigle does have a clue.Aigle has been doing some extensive testing with real malware with numerous products. you may want to search his threads, you will see for your self which products he has tested that passed and failed.

 

You can configure it to block prompts after 30 secs instead of allow.

~~~~

Once again, SBIE kicking some butts!

 

Apparently he really meant CPF failed... . Not to mention CFP's D+ actually doesn't even let it execute when properly used and provides a verbose, simple language warning.

So, to get infected by this requires ignoring two huge warnings about the malware... the only "fail" here is between chair and keyboard apparently.

 

Hi,

IMO, aigle is right : D+ notified about an executable (any) launched through command line so it's potentially a threat but D+ did not warn about any step of the process cloaking itself (Direct Memory Access ) like EQS did

regards,

MaB

 

Wrong. May I suggest reading my previous post right above? Failure to use a tool properly is certainly a "fail", but not one in software.

 

What's good software for someone is bad one for someone else... IMO, good software respects that the user is the finally the one who should decide what action to take. There may be legitimate reasons why users wants to allow the (alleged) malware to run. Be it false positives, or research and testing purposes, or whatever else.

See, making it impossible for the user to decide would make actual testing of the HIPS behavior very difficult. As you see here, even if you decide to allow the rootkit run in the first place, you still get additional warning in the next phase - so you can see that multiple types of behavior trigger the warning and can change your decision later... If you still allow this in the second step, it makes it possible to check whether another layer of your protection will pick that up (like, AV rootkit detection or whatever). I personally strongly dislike applications that make it impossible for the users to have full control over their computer.

Finally, software is no replacement for using ones brain. People that routinely make wrong decisions about malware warnings should switch from Windows to a different OS which won't require any such decisions and will protect them much more.

(Sandboxes are completely different type of thing here.)

 

When accusing somebody of clueless claims be sure to check your own claim

About EQS
You can choose wthin EQS how to handle an intrusion: ASK + Allow, ASK + Dent, Deny and Allow. Aigle has chosen ASK + Allow as respond.

About the fuzzy blurb
Acquiring admin privileges is asking for the keys of your house, please Google on Limited User and LUA to understand this concept (or google on improvements of Vista compared to XP) and Google on for instance rootkits to get an idea of the consequences of acquiring highest privileges.

Comodo's D+
Comodo's heuristics is problably triggered because 60% of the leaktest uses cmd.exe to bypass firewall protection. So it could have bypassed the com protection available withing D+ (D+ also warns you for sme privelidge elevation of pseudo com commands). When this is the case, it is a disappointing respond of D+. I would have called this a conditional or partial pass

@Aigle two questions
What I would like to know whether you enabled this (pseudo com protection) on D+?

What are the series of (intrusion) events of this malware, to understand your evaluating this D+ respond a complete failure?


Regards Kees

 

The blurb provided by EQS actually gives rather poor information to users, compared to the warnings provided by D+. And if you want highest privileges on Windows, you actually want the thing to run as SYSTEM, not as Administrator.

May I suggest reading the thread @ Comodo forums, referred to here? It included screenshots that shows lack of proper testing of the application on OP side, resulting in this completely unsubstantiated claims about "fail".

 

Hello peter,I think I see your point know.What I think your saying because Comodo warns clearly of a possiable malware But will still allow the user to run It If the user ignores the warnings it Failed.If it had the warning of malware and blocked the user from any possiable choices it would have passed.please correct me If My thinking is Incorrect.Thanks

 

What I see from the screen shots With warning such as comodo just seeing the words malware my answer would always be deny even the chance of a FP.EQSecure gives No Information So The chances are greater the user may make a wrong choice.

 

Thanks, exactly my point. When majority of users use an account that belongs to Administrators group for everyday normal work, warning users that "application will obtain some administrator privileges" is just plain useless (a.k.a. fuzzy blurb), bound to be ignored by most people who'll quickly allow it to get rid of the popup window.

 

Absolutely agree.

 

I call this success

What is HIPS really? Is it sth that will point you to the right direction by using heuristics, signatures and behavior analysis or sth that will just inform you of ANY action and wait for accept/deny?

I thought it was the latter, but maybe it is sth in between. I don't know really if there is an objective point of view about HIPS.

 

Hey peter, Thanks for the clear answer I understand some what better know.

 

This is the only thing that really bothered me with EQS when I used it. Some popups are totally blank, no info at all.

 

I agree hurst and IMO is like playing russian rulett with 5 bullets in a six shooter.

 

Please make up your mind: is it EQS compared to D+ (first quote) or the text of EQS itself (second quote). Also, EQS advised to block, so what "exactly is your point"?

In this sentence

Rootkits try to acquire this (ring-0/system) highest privelige. I do not disagree on that, so again what is your point?

You may, please provide a link, I asked Aigle with what settings he had tested D+ and what the supposed the flow of events of this intrusion would be (to assess on which points D+ might fail). WHen Aigle's testing was correct I would have labelled it a conditional pass. So again what is your point?

 

.

I've already commented on this, please read this thread a bit more carefully.

Ditto, I've already done this.