Interesting HIPS test- Delete Volume

Discussion in 'other anti-malware software' started by aigle, Mar 16, 2008.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello muf,

    Ilya has informed me that DefenseWall (DW) also fails this test. Fortunately, DW v2.30 will be released in the near future to address this issue.


    Peace & Gratitude,

    CogitoErgoSum
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'm looking for a link which details the API calls blocked under LUA. Do you have a resource handy?
    I know that access to physical memory, raw disk, CMOS, time are forbidden under LUA.
     
  3. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Thanks CES. Nice to know. Just shows that even when you think all bases are covered along comes something that does things not done before...

    muf
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It's only a matter of which API calls are hooked.
     
  5. Killtek

    Killtek Registered Member

    Joined:
    Feb 22, 2007
    Posts:
    100
    Anyone test this on SafeSpace?
     
  6. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Just tried it on an XP LUA test account. It just goes to show the power of a Windows LUA. And it doesn't cost a dime. :)
     
  7. Matern

    Matern Registered Member

    Joined:
    Nov 20, 2007
    Posts:
    102
    Can Threatfire detect this ?
     
  8. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    100% true.

    Maybe I should create a small program which calls an inoffensive Windows API function and advertise it like the newest leaktest that no firewall stops... :rolleyes:
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yep, LUA is good but it doesn't suit my purpose as I actually want to test exploits against my security apps and LUA gets in the way. ;)
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yep, anyone please?
     
  11. kingsway

    kingsway Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    4
    DeleteVolumeMountPoint API ?
    But I do find a heuristic analysis alert from Comodo V3.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    This is a useful discussion and topic because let's face it, this test brings attention to the fact that VIRUSES are still being created and their behavior is always UNPREDICTABLE. Now with that being said, this test bodes well for those of us who take shielding and prevention very seriously, enough that many of us employ MULTIPLE systems of coverage such as Sandboxes combined perhaps with Virtual Systems along with either an AV/AS or both, and not to forget behavioral blockers & HIPS. Of course include ISR's in these strategies for the more vigilant users as well as isolated backup images to fall back on.

    I'm in the process right now of testing a very frustrating virus named Death.exe that drops a Supervise.exe and a .inf file to spread to removable devices & is a relentless nuisance since I just discovered it's also a random file infector too. :ouch: It easily evaded SandboxIE's protections, I blocked it with my HIPS, and much to my surprise this thing stayed very ALIVE :blink: AND infected another hard drive attached to the main system drive. It left a mass of debris everywhere by creating weird folder/file names like _e^e^e~1., ( strewn all over the place, some forcing XP to recognize them on the order of GB's which is of course totally bogus. Unlike the Parite Virus I researched a month ago, this one is indeed full of cleverly crafted code that CANNOT be cleaned by the AV's I tried. The only remedy is a full wipe; in fact it did a number on the drive itself because it said it couldn't read it on the disk and other spooky messages.

    I'm now convinced more than ever that this type of danger poses the greatest threat compared even to rootkits! At least with rootkits PRIVACY becomes the main issue and your files are normally left intact, but with viruses their intent is much more and extremely aggressive, and some will trash your applications without remedy, leaving only a total NUKE and reformat as the lone alternative. I wouldn't even trust restoring an image to a drive so affected.

    So keep up the good work/discussions and let these tests flow, they are very useful!


     
    Last edited: Mar 18, 2008
  13. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    So you set the file with OA's Run Safer? If so, would you please try right-clicking it and running it sandboxed and see if you get the same results.
     
  14. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    I attempted to accommodate someone's request to run this under SafeSpace, but Prevx2 jailed it and Comodo ver 3 with Defense Plus also alerted on it.

    I changed the Prevx2 disposition from Jailed to Probation (which allows the file to run) and retried to run it SafeSpaced. I am not sure what these results mean. I clicked on the executable, CFP popped up, the first couple of rounds I blocked (but did not 'remember' the blocks) and I then tried to run the executable, and again CFP popped up warnings, which I allowed this time around; wavehost started (seen by Prevx2 event monitor) and then immediately terminated. I tried 3 more times with the same results.

    It seems that it is similar to Sandboxie and just doesn't run in a virtualized environment... but I have no way of verifying. Opening the SafeSpace console did not indicate this file running, but there were many, many attempts to rename registry keys that were blocked by SafeSpace; it only provides a total number of attempts, not a list of what keys were protected... so...


    Mike
     
    Last edited: Mar 18, 2008
  15. Tidyup

    Tidyup Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    101
    SafeSpace blocks this exploit.
     
  16. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Other than keyloggers, when did SafeSpace get in the blocking business? This is not meant to be insulting, but I was under the impression that whatever could be SafeSpaced would be if that is the user's intent, and SafeSpace would protect the system and other files/partitions based on SS configuration. How does SS determine what files to run and which to block?


    Mike
     
  17. Tidyup

    Tidyup Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    101
    Hi simmikie.

    SafeSpace blocks the exploit, not the file. The exploit in this case being access to the MountPoint device.

    Best regards,

    Kris.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Already did. Sandboxie fails.
     
  19. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    How many times do I have to say it? Unmounting the volume from the specified volume mount point is NOT an exploit! It's a normal Windows API facility.
     
  20. Tidyup

    Tidyup Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    101
    In the context of what the executable is trying to demonstrate, it's an exploit. There is no legitimate reason for any rogue code to do this.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Congrats K :thumb:
     
  22. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    The executable is only trying to demonstrate that you can delete a mount point. Nothing more, nothing less. Based on what you said, why would a "rogue code" (let's say adware or spyware) be allowed to show something on screen - so the next step for a HIPS would be to hook all graphic functions in Windows?
     
  23. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello EASTER,

    Under Vista 32 SP1 with Shadow Defender in "Shadow Mode" and Primary Response SafeConnect disabled, I tested three malware samples that are supposedly related to death.exe/supervise.exe against DefenseWall (DW) v2.21 (Vista SP1 compatible). Provided that one runs these samples as "untrusted", DW was able to restrict the potential damage to the confines of its sandbox and give me the ability to stop the intrusion on the spot by way of "Stop Attack" or "Close all untrusted processes".


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Mar 18, 2008
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    With or without using limited rights?
     
  25. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    I will not pretend I understand, but nice to see SS handles this guy. Thanks Kris.


    Mike
     