Termination Protection- How good is ur HIPS

Discussion in 'other anti-malware software' started by aigle, Apr 24, 2007.

Thread Status:
Not open for further replies.
  1. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    What version of GW was that? Freeware (2.5.1/Beta 2.6) or Pro (2.5.1)

    BTW what software is GSS 1.2?

    Thx.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GeSWall 2.6 beta
    GSS- ghost Security Suite
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nice to see that.
    thanks for sharing. So one more winner!
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    I actually tested GeSWall 2.2.5 a while ago against this sort of thing and it passed. aigle recently tested it vs version 2.6 and it passed. GeSWall's been on top of this for at least a few months :)
     
  5. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    I think this product protects itself in this way from cracking

    I am very surprised to see that top HIPS could fail to intercept a WM_CLOSE sent to regmon but very happy to see that GeSWall passes this test

    MaB
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Zopzop and MaB69!

    Run Windows Task Manager isolated in GW via the right-click menu. Run WordPad as trusted (non-isolated). On the Applications tab of Task Manager, select WordPad and opt for End Task --- that's it. Untrusted Task Manager is able to kill trusted WordPad. Shhhh..... Don't tell anyone.

    BTW, defenceWall is able to protect here too. I already let GW people know this.
     
  8. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    Here is news regarding PS' failure to block this: I talked to PS developer about it and it turned out that this is caused by a bug which has been introduced somewhere in the 1.30 beta versions. The protection against this type of termination attack was already implemented long ago. Here is a screenshot showing PS 1.26 successfully blocking this:
    http://img163.imageshack.us/img163/1588/psblockbl9.th.png

    A fixed 1.3x version will be released in the next days.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for the update!
     
  10. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    ICE protectors
    Thanks aigle, did not read this thread.

    You are right aigle but in GeSWall logs I had this

    Code:
    2007.04.25 20:37:42 taskmgr.exe ISOLATE on start from explorer.exe
    2007.04.25 20:37:42 taskmgr.exe DENY 7F message to notepad.exe (Process)
    
    obviously, I used notepad instead of wordpad
    Strange that I could kill notepad

    Did you report this to the Gentle Security Forum or Brian?

    MaB
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes! Since the last beta version or before, and yesterday as well. I hope they will fix it. Actually I expect there are many granular settings/features/tweaks/GUI things to come, but ATM their priority seems to be stability and I agree with that.
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Nice catch aigle. I can confirm this works in GeSWall 2.5.1 too
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Just got it by chance.
     
  14. JeffBuck

    JeffBuck Registered Member

    Joined:
    Mar 13, 2007
    Posts:
    32
    did anyone try with viguard?
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It's hard to find a ViGuard user here, though I will be interested. Last time I tried it, it would not install if you have an AV on your system (Antivir at least).

    Let's wait for:

    BufferZone
    ViGuard
    ??
    ?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, another experiment. I am not sure if it is justified or not.

    I tried RootKit Unhooker and IceSword to kill notepad.exe while using different HIPS as protection against termination of notepad.exe (using maximum HIPS protection settings, if there were any). Results are as follows:

    - SSM free 2.0.8.583 -- failed
    - SSM Pro 2.3.0.612 -- failed (I was even able to kill syssafe.exe itself)
    - PS free -- failed
    - PS Pro 1.30 -- failed
    - NG beta 2 -- failed against IceSword, succeeded against RKU.
    - AppDefend version 1.110 -- failed against IceSword, succeeded against RKU.

    Poor results are obvious as IS and RKU load a kernel driver, so they are very strong in killing processes.
    Sandboxes (GW, DF, SIE) can't be checked here as they will not allow loading of a kernel driver by IS or RKU.

    Advanced Process Terminator (APT) from DCS

    I tried to kill notepad.exe while protecting it by HIPS.

    - NeovaGuard beta2 failed with user mode kill 2, 3, 4, 10 and Crash 01
    - SSM free failed with user mode Kill 2, 3 and 4
    - SSM Pro passed all APT tests
    - PS Pro failed with user mode kill 2, 3, 4 and Kernel Kill 2

    Advanced Process Termination (APT) from DCS & Simple Process Termination (SPT) from syssafety.

    GeSWall: I tried to kill notepad.exe via untrusted Advanced Process Termination (APT) and SPT (Simple Process Termination) while notepad.exe was running as trusted.
    GeSWall blocked all 16 kill modes of APT and also all 16 kill modes of SPT.
    Not a single failure even.
     
  17. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand

    SSM Pro successfully blocked vlp and avs with default settings
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  19. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    Right, it is pointless to test this in my opinion. Once you allow a kernel mode driver to load the game is over anyway. It can do whatever it wants and undermine all security software and the Windows kernel itself.

    ProSecurity does not fail kill 2-4 tests. As I have already pointed out, only the latest version of PS has a bug which makes protection against termination by sending window messages ineffective. If you want to make any further termination tests, use an older version like 1.26, you will see it blocks kill 2-4 successfully.
    By the way, I could not verify your SSM Pro results. For me SSM Pro 2.4.0.618 beta does not pass kernel kill tests if you allow the driver to load. Neither 1 nor 2. ProSecurity passed kernel kill 1 even then! Anyway, as already said, I don't believe testing against kernel kills makes much sense.
     
  20. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi all,

    I agree too

    APT vs OA 2 beta 178

    notepad protected from termination/suspend/remote code control/remote data modification

    OA succeeded against all kill and Crash tests but failed only suspend 2 :cool:

    SPT vs OA 2 beta 178

    Code:
    C:\>spt 2160 1
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 1...
    Test failed
    
    C:\>spt 2160 2
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 2...
    Total opened thread count 1
    Test failed
    
    C:\>spt 2160 3
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 3...
    Error: AccÞs refusÚ.
    
    Test failed
    
    C:\>spt 2160 4
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 4...
    Total opened thread count 1
    Test failed
    
    C:\>spt 2160 5
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 5...
    Error: AccÞs refusÚ.
    
    Test failed
    
    C:\>spt 2160 6
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 6...
    Error: AccÞs refusÚ.
    
    Test failed
    
    C:\>spt 2160 7
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 7...
    Test failed
    
    C:\>spt 2160 8
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 8...
    Test failed
    
    C:\>spt 2160 9
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 9...
    Test failed
    
    C:\>spt 2160 10
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 10...
    Test failed
    
    C:\>spt 2160 11
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 11...
    Test failed
    
    C:\>spt 2160 12
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 12...
    Test failed
    
    C:\>spt 2160 13
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 13...
    Test failed
    
    C:\>spt 2160 14
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 14...
    Test failed
    
    C:\>spt 2160 15
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 15...
    Test failed
    
    C:\>spt 2160 16
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 16...
    Test succeeded
    
    OA failed only test 16 and detected a keylogger for test 13 :cool:

    SPT with parameters e and f

    Code:
    C:\>spt 3644 1 -e -f
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Searching...%100
    Starting test 1...
    Test failed
    
    C:\>spt 3644 2 -e -f
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 2...
    Searching...%100
    Total opened thread count 1
    Test failed
    
    C:\>spt 3644 3 -e -f
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Searching...%100
    Starting test 3...
    Error: AccÞs refusÚ.
    
    Test failed
    
    C:\>spt 3644 4 -e -f
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Starting test 4...
    Searching...%100
    Total opened thread count 1
    Test failed
    
    C:\>spt 3644 5 -e -f
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Searching...%100
    Starting test 5...
    Error: AccÞs refusÚ.
    
    Test failed
    
    C:\>spt 3644 6 -e -f
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Searching...%100
    Starting test 6...
    Error: AccÞs refusÚ.
    
    Test failed
    
    C:\>spt 3644 7 -e -f
    Simple Process Termination (SPT).
    Copyright (C) System Safety Limited. All rights reserved.
    
    Searching...%100
    Starting test 7...
    Test failed
    OA succeeded against all these tests :cool:

    Regards,

    MaB
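    The SPT transcripts above (and aigle's APT/SPT run a few posts earlier) are read by hand, and the wording is easy to invert: "Test succeeded" means SPT managed to terminate the target, i.e. the HIPS lost that round, while "Test failed" means the protection held. The following Python script is an added example, not part of this thread or of the SPT tool, that parses a pasted SPT console session into per-test records and tallies which kill modes the HIPS blocked. The sample transcript is constructed from the output format shown above (PIDs, test numbers and the `-e -f` flags are taken from the paste; the "Error:" line is the French Windows access-denied message, which the forum paste shows mangled by the console code page).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One SPT invocation: "C:\>spt <pid> <test> [-e -f ...]" followed by its output.
@dataclass
class SptRun:
    pid: int
    test: int
    flags: List[str]
    terminated: bool                 # True when SPT printed "Test succeeded" (target was killed)
    error: str = ""                  # OS error text SPT printed, if any
    thread_count: Optional[int] = None

_CMD = re.compile(r"^C:\\>spt\s+(\d+)\s+(\d+)((?:\s+-\w)*)\s*$")
_ERR = re.compile(r"^Error:\s*(.*)$")
_THREADS = re.compile(r"^Total opened thread count\s+(\d+)$")

def parse_spt_transcript(text: str) -> List[SptRun]:
    """Split a pasted SPT console session into one record per test run."""
    runs: List[SptRun] = []
    current: Optional[SptRun] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CMD.match(line)
        if m:
            current = SptRun(pid=int(m.group(1)), test=int(m.group(2)),
                             flags=m.group(3).split(), terminated=False)
            runs.append(current)
            continue
        if current is None:
            continue                 # banner/junk before the first command
        if line == "Test succeeded":
            current.terminated = True
        elif line == "Test failed":
            current.terminated = False
        elif (m := _ERR.match(line)):
            current.error = m.group(1)
        elif (m := _THREADS.match(line)):
            current.thread_count = int(m.group(1))
    return runs

def summarize(runs: List[SptRun]) -> dict:
    """Tally from the defender's point of view: blocked = HIPS held, killed = HIPS lost."""
    blocked = sorted(r.test for r in runs if not r.terminated)
    killed = sorted(r.test for r in runs if r.terminated)
    return {"blocked": blocked, "killed": killed, "total": len(runs)}

# Constructed sample: a cut-down session in the format pasted in the thread.
SAMPLE = r"""
C:\>spt 2160 1
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 1...
Test failed

C:\>spt 2160 3
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 3...
Error: Accès refusé.

Test failed

C:\>spt 2160 16
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 16...
Test succeeded

C:\>spt 3644 2 -e -f
Simple Process Termination (SPT).
Copyright (C) System Safety Limited. All rights reserved.

Starting test 2...
Searching...%100
Total opened thread count 1
Test failed
"""

if __name__ == "__main__":
    result = summarize(parse_spt_transcript(SAMPLE))
    print(f"blocked {len(result['blocked'])}/{result['total']} kill modes; "
          f"HIPS lost on tests {result['killed']}")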
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi all,

    Lucky us (one PC protected by DefenseWall, other by GeSWall Pro 2.5 latest),

    EQSecure failed regmon termination (quite an effort to install those programs).

    Note when removing the video downloader it does not remove dartsock.dll and dartweb.dll from system32 directory, you have to remove them manually.

    Regards K
     
  22. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    This is why I use RollbackRx: a snapshot before installing, make my test and then restore my last snapshot (no need to worry about dirt left by tested apps)

    MaB
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi MaB69 and Kenjin, I agree, kill tests after loading a kernel driver are useless anyway. In the case of the APT kernel kill I denied loading the driver.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I installed with ShadowSurfer.
     
  25. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I agree, I don't even worry about uninstalling any test software, just reboot to a clean snapshot, so much easier.
     