A comparative : 10 HIPS against 'brutal unhooking' malwares

Any HIPS that relies on behaviour might give a false positive such as this (unless the particular exe is in a whitelist, if that HIPS has a whitelist).

HIPS require a bit more attention than an AV. The difference is that the AV will only alert when it knows it is bad. The HIPS will alert when bad behaviour is detected. There are some legitimate programs that exhibit these behaviours - for example, some chat clients use keyboard hooks to determine if you are idle.

It is then up to the user to make a decision - do I trust this vendor, or not? The likelihood of NOD32 recording keystrokes (provided you have a purchased copy, and not a cracked version) is unimaginably low. So, you should allow the action. Most security programs require fairly high privileges on your system in order to operate.

One thing I often do when prompted like this is to deny the hook, and see what happens. Usually, some keyboard shortcut or minor function will fail - and if I am satisfied with that, I leave it as blocked. If the program then exhibits problems, and I still want (and trust it) - I'll allow the hook.

 

I note that some of the most hyped did poorly; SSM, Prevx, PG, and Cyberhawk.

I remain unconvinced as to the worth of such applications.
Best,
Jerry

 

Hi, folks: Like anything else in this civilized world, in order to make these brilliantly-concepted apps to be successful, they need to enlist a bit of luck. when potential consumers would not willing to become their customers, that is when they are forced to adopt downsizing, merging and so on. Excellent ideas and top products, often are tough sales to average joes/janes. Developers have to think at the very same level as them. That is why toys producers invite many children to their R/D, and watch these boys and girls to try out their pilot models. These marketable products will not be possible to make their ways into real world w/o these kids' inputs.

 

After trying several approaches I found suDown to be the most convenient solution. It creates a user group called SUDOERS - just add your user account to this group, that's it. It enables you to start any application with admin privileges just by right-clicking it, selecting "sudo ..." and entering the password of your user account (NOT the one of your admin account!!) in a pop-up window. Access to the system menu with admin rights can be gained by right-clicking your desktop and selecting sudo. Note: You need .NET 2.0 for suDown.

I agree, but that doesn't belittle the benefits of a limited user account. You don't have write-access to the biggest part of the registry, the Windows folder, the Programs folder and most startup-locations. This means that you are protected against most kinds of malware even without using any HIPS. And if you do use one (like I do, too) you will most probably protected against new zero-day attacks where your HIPS might fail - or if you have it misconfigured (given how complex many of them are).

In other words: I can manage my system and start applications with admin rights via suDown in a very comfortable way, and SSM works very smoothly in a limited account. Why, for heaven's sake, should I permanently be logged in as admin

 

Of course, and I agree 100%. I was only illustrating the fact that his tests were based on the typical example of someone installing an application under their admin account. Now the chances of that app being rogue if it is downloaded from a legitimate source are extremely minimal. I gues an ultra-powerful, bail-you-out-of-your-own-stupidity HIPS is required for those who dabble in cracked software and keygens. They also do better to satisfy the ultra-paranoid, as well, so the vendors of these products have no choice but to ensure they will fend off everything short of an atomic doomsday attack if they want to stay in business.

 

Haha - well said

 

I couldn't resist

 

I would love to use apps like suDown, sudowin, and RunAs shim but none of them seem to work with windows update properly. So I dumped them, and stick with KIS which provides excellent protection without hassles.

Besides, limited user to me is just another form of HIPS - its inbuilt into the system. Vista has a very good limited user thing going for it, I'd love to use it because of that, but it has compatibility problems with some of my other apps. sigh.

 

Very timely and great topic.

Would be nice for all HIPS creators to review those finds and improve on their respective ability to have their SSDT Table hooks displaced. Every single potential risk needs addressed, especially when it comes to these HIPS programs.

 

I don't know what you mean. I've set Windows Updates to "automatic" and that works in a limited account without any problems. The same is true for the manual installation of updates - it works with suDown, MakeMeAdmin and Runas.

I disagree. The point is that as a limited user you simply have no write access to critical parts of the OS. Period. To overcome this "problem", malware has to apply some kind of privilege escalation. I'm not saying that it's impossible but it's an extremely difficult task to do.

 

User mode stealth kit with keylogger can log the admin password when you use tools like runas to escalate your privileges. This can be circumvented by rebooting before using these tools or using tools that don't require typing the admin password.

 

How to prevent user-mode malware: See this post. The steps outlined there work with suDown, too, of course.

 

Just a quick update : Website was updated, to include updated results of 2 new programs versions : SSM build 619, and EQSecure 3.4, freshly released in English.

For now, the new results are just listed in the new 'update' page, available as a link on the main page.

Theses two versions are passing all tests now.



nicM

 

Great job Nico. You are too good for this world. Merci beaucoup once more.

Also thanks to Vitaly for the very fast fix of SSM, this is the prove SSM is alive and kicking ! (thank le bon Dieu for that )

 

Spyware Terminator in the next update, maybe? :-D.

 

Thank you for the update, nicM You are too generous offering your time like this

 

Just curious but does anyone but me notice that when a test comes out, applications that fail depend on the test results to update their techniques. Is this a fair practice or more of a way of cheating and being on top with the rest that did good the first time

By the way, Excellent work on this tests nicM.

dja2k

 

I see it as keeping up with the Jones'es

 

It's a chess match -- good guys VS bad guys.

BAD guys surely undertake TESTS of their own, against major security applications, in order to find new ways to defeat them.

Somewhere out there (if not today, then soon) along will come a nasty that can squirm past PS or OA, but not get past Prevx or SSM. Then we here at Wilders will have another reason to rave & rant. Then PS & OA will adjust, & not too long thereafter the bad guys will come up with something else that makes (for instance) KIS look as full of holes as swiss cheese. And -- awaaaay we go again.

By golly, I LOVE this place!

In short -- There never was a horse that couldn't be rode, AND there never was a rider that couldn't be throwed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That's why we ALL layer our security (sure we do!) but even so -- the ONLY bullet-proof security is imaging, wot?

 

Test results are good for both security companies and consumers. The companies get to know their product weaknesses so they can improve- and a test done in the fashion NicM did his is a no BS type, not a bashing by someone with a pecuniary interest. Customers get an improved product and also find out which companies are staying active in updating.

 

I wasn't BSing anything nor Bashing this test in particular nor any other, I was talking in general. Testing is good, no debating that.

dja2k

 

If you think about it, this is no different than windows and security patches. When a vulnerability in a piece of software or an OS is found, vendors fix it. All security apps go thru this. I'd much rather see them fix a vulnerability than ignore or downplay it. Malware writers are very resourseful. If there's a weakness, they'll usually find it. Malware writers clearly consider HIPS a threat or they wouldn't write code to attack it.

No matter how many times this "penetrate and patch" cycle repeats, security apps will never be bulletproof. If malicious code is allowed to run, sooner or later, it will succeed, no matter what apps you use. Like firewalls, HIPS is only as good as the rules it enforces and the decisions of the user. When malicious code is allowed to execute, the role of HIPS changes from primary defense to one of damage control. All the HIPS apps will intercept the launch of the malware. A test like this does show where HIPS apps need strengthening. This type of problem is ongoing with all windows apps.

Users should see another lesson in these tests. When malicious code is allowed to run, the advantage shifts to the malware, no matter what you use. Fixing a vulnerability in a security app or operating system isn't very comforting if you were successfully exploited before it was fixed and your bank account gets cleaned out. Default Deny.
Rick

 

Well there is two ways of performing the tests:

1) Dont diclose testing information. It keeps the field level, and if the program wants to improve or stay at the top they have to keep working.

Or in nicM's case, who is genuinely interested in making all security software better (which is very commendable):
2) disclose all information to help other programs improve and then just retest retest with new samples every so often.


#1 is better than #2 because it shows which programs are more dedicated to finding every sample possible.
However, #2 is better than #1 because it shows which programs are more dedicated to being on top of new threats.


Both have their advantages and disadvantages.

 

Malware unhookers are new techiques but now their out in the open HIPS developers can lock them out.

Thats the answer.

 

Thanks for the update nicM.
It,s good that SSM and EQS fixed the issues but in my opinion we can,t know the reality until a new test with a new sample set/ new malware type is done by someone, somtime in future.