SmartService acts like an Adware Bodyguard by Blocking Antivirus Software

Discussion in 'malware problems & news' started by itman, Apr 20, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/ne...are-bodyguard-by-blocking-antivirus-software/
     
    Last edited: Apr 20, 2017
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
I believe any AV product running on Win 10 using its ELAM driver to load its kernel process as a protected process would be immune from this malware.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, it's a good reminder how malicious services/drivers can still be a true security risk. That's reason enough to use HIPS which can easily block this.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There are a couple of issues presented by this malware.

    First, PUA/PUP detection is not enabled by default on many AV products. I suspect that is to reduce the number of FPs generated on the AV lab tests. Hopefully, this malware will motivate the AV vendors to enable this protection by default.

    Next, the malware was able to install a driver. I assume it is a kernel mode driver to do the activity described. As such, it has to be validly signed. Also, it was unspecified if this malware could install the driver on a fresh install on Win 10 ver. 1607+ since kernel drivers have to be Microsoft signed using a special certificate.

As far as a HIPS detecting the driver installation, it would do so only if it was monitoring driver installation regardless of how it was done. Being PUA/PUP based, the source legit software would have been running under Trusted Installer privileges. As such, most HIPSs would allow the PUA/PUP driver installation under their default configuration.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Yes, correct, that's why I don't use white-listing in HIPS. And I suppose that this PUP has got a legit driver certificate, so apparently this is also not bullet proof.
     
  6. guest

    guest Guest

Surely, a HIPS should be run under its tightest/paranoid mode with customized settings; I don't see the point in using them otherwise.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    AVs like Eset and Kaspersky have a HIPS. Eset for example by default allows any driver loading from C:\Windows\System32\Drivers\*.

    Most AVs using a HIPS today rely on catching malware in the initial installation phase and also rely on Windows native driver installation protections beyond that. Of course, you can always create Comodo Leak Test type rules to monitor any file creation activity to C:\Windows\System32\Drivers\* and also any modification activity to the registry service related keys.
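The two monitoring rules described above (file creation under C:\Windows\System32\Drivers\* and modification of the service registry keys), as an added detection example that is not from the thread or from any product: it runs both rules over constructed Sysmon-style file and registry events and then correlates hits by service name. The event field names and the sample events are assumptions.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-style events (hypothetical sample data, not from the thread).
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": r"C:\Program Files\Acme\setup.exe",
     "target": r"C:\Windows\System32\drivers\acmefilter.sys"},
    {"type": "RegistrySetValue", "image": r"C:\Program Files\Acme\setup.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\acmefilter\ImagePath"},
    {"type": "RegistrySetValue", "image": r"C:\Program Files\Acme\setup.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\acmefilter\Start"},
    {"type": "FileCreate", "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target": r"C:\Users\alice\Downloads\notes.txt"},
    {"type": "RegistrySetValue", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Acme\LastRun"},
]

# Rule 1: any file written into the kernel driver directory.
DRIVER_FILE = re.compile(r"^c:\\windows\\system32\\drivers\\([^\\]+)\.sys$", re.I)
# Rule 2: any write to the values that define how a service/driver is loaded.
SERVICE_VALUE = re.compile(
    r"^hklm\\system\\(?:currentcontrolset|controlset\d{3})\\services\\"
    r"([^\\]+)\\(?:imagepath|start|type)$", re.I)

def check_event(ev):
    """Return (rule, service_name, image) for a matching event, else None.
    The originating image is reported but never used to suppress the alert:
    an installer running with elevated rights must still trip the rule."""
    if ev["type"] == "FileCreate":
        m = DRIVER_FILE.match(ev["target"])
        if m:
            return ("driver_file_written", m.group(1).lower(), ev["image"])
    elif ev["type"] == "RegistrySetValue":
        m = SERVICE_VALUE.match(ev["target"])
        if m:
            return ("service_key_modified", m.group(1).lower(), ev["image"])
    return None

def scan(events):
    """All alerts, in event order."""
    return [a for a in map(check_event, events) if a]

def correlate(alerts):
    """Service names that saw both a driver file drop and a service-key write:
    the footprint of a freshly installed driver-based service."""
    seen = defaultdict(set)
    for rule, name, _ in alerts:
        seen[name].add(rule)
    return sorted(n for n, r in seen.items()
                  if {"driver_file_written", "service_key_modified"} <= r)

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("new driver services:", correlate(found))
```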
     
  8. guest

    guest Guest

Yep, I tried ESET's HIPS at some time; I had to immediately select "interactive mode" to get a semblance of security.
     