Detection of hiding a process by HIPS

Seems an interesting filter that is present in ThreatFire. Any othet HIPS can do this? I tried CFP and there were no alarms. GesWall of course stopped it.

 

where is the download link?

 

http://iterati.org/Developers/HideProc/Default.aspx

 

thank you

 

A2's IDs does that (Mamutu), the HIPS of Rising checks by default for every hour on hidden processes (which is not so strong as TF and Mamutu).

 

A2 didn't block the processes from being hidden but will prompt the user for driver installation when HideProc.exe is run.

 

IS because it is initiated via a user interaction A2 with IDS will warn for processes going under (hiding) tested with real malware so 100% sure on that

 

Wow i get a BSOD with IRQ LESS... problem running this program. What a fast way to turn off my pc lol.

 

Just tested with SandboxIE. As expected, no alert, but hiding process is NOT SUCCESFULL.
Once again, SBIE passes the test.

 

EQ and drive sentry not no alert to it. btw geswall free also no alert to it

 

GesWall will not alert as it,s not a classical HIPS. It will just stop it from hiding the process.

 

Can you post a screenshot? Strangely no alert from CFP about driver loading.

 

I hope OA also pass this one. (I do not always use SBIE)

 

HideProc can hide processes without OA prompts, if the HideProc.exe is Unknown or Trusted in OA Programs, even if the driver HideProcDrv.sys is Unknown.
If you use Run safer for HideProc.exe, then OA blocks all attempts to hide processes.

But there is no single prompt from OA (paid) related to the Process > Hide operation from HideProc.

Cheers

 

Even for driver install/ loading?

 

here's the pop up alert from a2

 

There are no prompts about process hiding.
But of course there are prompts about driver installing and loading.





Cheers

 

I get 2 Alerts from PG; 2 from GSS and 1 from TF.

 

3 allert from ProSecurity. Test passed

 

What were the alets?

 

Hi,

Anyone willing to test SSM Pro? I wonder if it could spot the hidden process. I will check it out later. And keep in mind guys, if you stop the driver from loading, of course the test won´t work, I think you need to allow the driver to load and then see how HIPS react.

 

hey aigle, i tired testing this app against rising AV/hips but all i got was a BSOD.

 

hmmmm... so there was a conflict.

 

It needs admin rights.
With admin rights (..) SSM pro detects the driver loading, but not the hiding of notepad.
At least with default rules, i don't know if there's something to tweak in SSM. I installed it in VM for the purpose.

 

It seems to be not really clear.
"3 allert from ProSecurity." sounds like HideProc starts, then the driver is installed and loads.

But only to detect the hiding process seems to be the objective of this test.

Cheers