Ransomware n poor protection by HIPS

Thanks. Actually I am not using TF ATM. Also custom rules of TF are not user friendly at all.

 

All the TF-screens, I've seen so far at Wilders, contained a malicious executable file. You can imagine, when I install AE and TF on my system, that TF is quite useless, because AE will kill the executable before TF has even the chance to warn the user.
AE is 100%, TF is not, because the executable has to be suspicious before TF warns you and that is too risky and this has been proven already, if you remember the ransomware. I knew in advance that this would happen, because it was predictable with that kind of security. A.I. doesn't exist in traditional computer languages, they can only "compare", not "think".

 

To compare AE and TF is like comparing apples and bananas.

AE isn't better than TF, they just do different jobs. AE blocks all unknown executables, while TF tries to analyze the behaviour of software, thereby separating benign from malign - of course this is not bullet-proof.

Also you're not 100% protected by AE because the program has a very narrow scope. To protect against all sorts of threats you will have to combine AE with other solutions. And even then you will have a big challenge getting 100% protection

In a way we could say that there are several classical HIPS out there that provides a superset of the features in AE, thereby giving better protection. As far as I see it, AE is meant to be used in a very different environment than for advanced home users. It seems more useful on public computers in libraries, internet cafés etc...

 

I don't compare. I look at the results. TF didn't stop the ransomware, AE would have killed it. HIPS is not for average users, the majority.

 

Maybe I misunderstand the objective of using AE, but isn't it intended for use on a static system, no changes permitted, a completely locked down environment.... a system used in a library, educational institution, or similar?

So what happens when you, the home user, wants to install a new program you just downloaded form an Internet source? Don't you have to disable AE's protection to install it, or even download it for that matter? Now what happens if a scan from your av, all latest definitions, missed malicious contents it may contain? You're hooped, aren't you, or am I missing something? Isn't a behaviour analysis utility, provided there's some understanding of how it works, a more useful approach in this scenario?

Finally, in reality, these utilities - other than for the purpose of learning about interprocess behaviour in the O/S - are practically a complete waste of time and resources if you surf and download responsibly. At least that is what I've found. I'm amazed at the amount of concern people express in this forum because their machines are only 98.76% protected because their security arsenal doesn't quite parry one of the latest keyloggers discovered in the wild.

 

You did NOT mis-understand. AE has no AI whatsoever. Neither does it have any heuristics. It has no discriminatory intelligence whatsoever, except for a whitelist, which it mindlessly applies.

AE is very useful for a locked-down, "boot-to-restore" set-up such as one might find in a kiosk or library or computer cafe environment or the computer used by a child.

 

Hi, hammerman, thanks a lot for ur efforts and coding a test utility and sharing it.

I run it. Unfortunately there is problem with the test.

It wrongly says that ONLY 12 file types are protected but I am sure all files are protected. I tested with 7z by manually checking hash and testing by another utility and GW and 7z is protected by GW( just like all other file types). Problem I think is due to virtualization as u can see the GW log, it redirects access to( virtualizes) the folder containg files. So test is not able to know if it is modifying the actual files or not.

Just as an example test log states taht 7z file is modified. I checked the MD5 before n after the test and it was same( I amde a copy of dwtest folder on my desktop after creation of files and just before modifying the test files to compare the MD5 by Hasher. U can see it in my screenshots.

Also u can see that no file is tagged by GW even after running the test, so they are not modified.

I will be nice if u can code a utility like this.

1- Create two folders in root C.
2- First folder dwtest which will contain dwtest.exe and Extensionlist.txt files.
3- File creation is to be done in another separate folder in root, say its name Files.
4- After the files are created, u run a utility, say Check.exe, that will count and save SHA1 or MD5 value of all files in folder named Files.
5-After the files are modified u run the utility Check.exe again and it again count and save SHA1 or MD5 value of all files n folder named Files.
6- Finally u comapre the two hash logs via another utility, say Compare.exc that automatically compares and shows how many hash values have been changed.

IMO it,s the only way to be sure about results.

Also by keeping dwtest.exe and created files in separate folders I can check other HIPS protection against such intrusion by marking File folder as Secret/ Confidential etc.

BTW I think ur test results with DW are also questionable in the light of my findings with GW but I am not sure ofcourse as I am not a user of DW.

I am not a programmer, just a simple user, so i am not sure how difficult is to code such a test utility which is suggested by me.

Here are screenshots n logs to share.

 

I have used the utility Lockfile.exe from the below link to test GW with some file types and it stopped these attempts.

http://www.securitysoftware.cc/securitysoftware/apps.html.

Here are the results with a 7z file.

 

Dunno if i follow this thread exactly yet, but after briefly reviewing it this app may or may not be of any use for you, but i wanted to at least bring attention to it.

2BrightSparks, the maker, didn't even list it that i could find on their home website, however SOFOTEX still offers it and it stems all the way back even to Windows 98 days. I use it on XP to check for any changes in files occasionally.

Btw, on Googling it, you'll never guess who surfaced in a forum thread about it.


http://2brightsparks.com/bb/viewtopic.php?t=496&sid=0d2b2aa1f7e784b8efeabfe2b6e4ba39

SOFOTEX download page for "fingerprint". I know many of you will remember this one.

http://www.sofotex.com/downloads/d16765.html

 

Ok, as suggested by hammerman:

I can now confirm that files are not modified though i checked only jpg n 7z files manually by opening in notepad.

 

@Easter

Bundle of thanks for the utility.

I can confirm that GW did not allow change in any file.
Somebody should test DW with same utility. Anyone pls?

Thanks

 

Aigle,

I also use Fingerprint and I re-checked the operation of the test utility. I created the 272 test files and changed 266 files to read-only. The utility displayed a correct unprotected count of 6 and Fingerprint confirmed 6 files had changed.

I've asked Ilya if the results I got from Defensewall are sensible. After all, he should know which file extensions are protected or not.

I would appreciate it if you could send me a zipped up copy of dwtest folder anyway.

Will look into your suggestions for a test utility tomorrow.

 

Hi, your utility is OK, no doubt. Only problem is that it becomes decieved due to virtualization used by GW.

U need the folder after running the file modification inside GW. Am I true?

Can u test DW again this time the utility posted by Easter to confirm the results?

Thanks

 

I tested DW again using FingerPrint and this confirmed my results - 171 files unprotected and modified.

DefenseWall properties also indicates if a file can be modified or not by an untrusted application. I went through about 30 different file types at random and DefenseWall properties confirm my results.

I think you must be right. The virtulization means that the utility checks the virtual file and not the original file. I guess that is how it should work. Strange that 12 files are indicated as protected. Does this mean they have not been virtualized like the others?

 

May be they were just denied access rather than virtualized.

 

Aigle,

I've installed Geswall Pro and got the same result as you - 12 unprotected files indicated.

You are also right in that all the test files are virtualized into a Geswall redirect folder except those 12, for which access is denied. The test utility reads the redirected files. When the test utility is closed, the virtualized files are removed.

In the meantime, the original test files are untouched. Therefore, total protection against GPcode and very impressive in my view.

 

Yes, it,s exactly same.

 

Hi

I'm not sure what you're talking about. Why shouldn't HIPS be for average users? That's why there's stuff like TF, PRSC/NAB, Mamuto, etc.

 

He's talking classical HIPS, where the user is counted on to answer correctly the vast majority of popups, and also counted on to know which files/folders/extensions need protecting and the correct way to protect them, which is not knowledge your average user has. TF and the like are able to analyze to an extent bad behavior vs good behavior, which helps the novice with dealing with pop-ups. But, they can also flag legit behavior as good and completely miss or get tricked by bad behavior (TF is especially prone to mis-indentifying behavior, it flags every update process for my security software as malicious).

 

Hi

Well from my personal experience TF does not have a lot of FP.

But AE is also very annoying especially for average users. Imagine if you set AE up on a friend's computer. They try to download something and it's just blocked. Even worse than a lot of pop ups, at least you can allow them.

Thanks

 

Regarding AE, it is not suitable for home users - only for corporate environments where admins want to implement restrictions on applications which are allowed to run.

Why?

AE is vulnerable to social engineering. E.G. Lets say I download a codec - I think it is a codec hence I allow it to run BUT it is actually malware.

This is why HIPS and Sandboxes are better as they allow the execution of seemingly legitimate files but alert you when they carry out a malicious action.

As said previously, any HIPS (e.g. EQSecure) can run as AE as well.

So the $50 for just an AE ~ Just not worth it ~ My 2 cents on all this AE bragging.

 

Hi

How do you do this? Does it alert for ANY new exe?

Thanks

 

As with most dogmatic pronouncements of usage, this misses lots of useful nuance. AE is perfectly suited for a home system, if the usage style (primarily static configuration) matches the design ethic of the product (AE).

Anything that requires user imput is vulnerable to social engineering. That applies to HIPS or any other similar product.

As with any approach - it's worth it if the scheme works for you.

I agree that the target market for AE is institutional. It is clearly designed and implemented with that goal in mind. However, if one's machine matches that the design ethic of that market (simple product to maintain a static complement of allowed applications), it provides a perfectly fine and robust solution.

Blue

 

Actually I use SSM and keep gui disconnected. This way it blocks all new executables without asking. Not sure about EQSecure though (mentioned it as its free)

While HIPS are also vulnerable to social engineering if I say attempt to install the above mentioned codec and it wants to change my IE settings or edit my hosts file then I know it is malware. AE doesn't give you a clue.

 

Correct..., and since it is a simple whitelist only solution, why should a clue be offered? Basically you seem to miss the point of the product.

Sure, one can render SSM similar to AE on a single desktop. Now turn that around - what would your approach be to deploy SSM in an enterprise setting?

Keep in mind that while AE is available to home users, and can be very profitably used on a standalone workstation, the active marketing and design is geared to the institutional market which often has very different usage demands than a home.

Blue