Phide.exe rootkit versus HIPS

Discussion in 'other anti-malware software' started by aigle, Jul 27, 2008.

Thread Status:
Not open for further replies.
  1. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    @Doodler, good for you and your discovery of Sandboxie. It indeed is a nice and quiet state-of-the-art security product. :thumb:
     
    Last edited: Jul 29, 2008
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Mike,

    What is helpful to assess the way two programs theoretically work together is using a rootkit detector (e.g. AVZ) to see which hooks each individual program is setting. So run AVZ with only program A and then with only program B. The more overlap, the bigger the chance of conflicts (and lacking protection).

    So what you are saying is true in general.

    Regards Kees
     
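To make the comparison Kees describes concrete, here is an added example (not code from this thread, from AVZ or from any of the products mentioned). It parses two hook reports, one taken with only product A installed and one with only product B, and lists the kernel functions both products intercept. The sample report lines are constructed for the example in an approximated AVZ-like format, and the driver names producta.sys and productb.sys are made up.

```python
import re
from typing import Dict

# Constructed sample reports. The line format is an approximation of an
# AVZ-style hook listing for this example, not AVZ's verbatim output, and the
# driver names are invented. Each report was (hypothetically) taken with only
# that one product installed, as the post recommends.
REPORT_A = """\
Function NtCreateFile (25) intercepted (805B0000->F7A10000), hook C:\\WINDOWS\\system32\\drivers\\producta.sys
Function NtOpenProcess (7A) intercepted (805B0100->F7A10100), hook C:\\WINDOWS\\system32\\drivers\\producta.sys
Function NtWriteVirtualMemory (115) intercepted (805B0200->F7A10200), hook C:\\WINDOWS\\system32\\drivers\\producta.sys
Function NtLoadDriver (61) intercepted (805B0300->F7A10300), hook C:\\WINDOWS\\system32\\drivers\\producta.sys
"""

REPORT_B = """\
Function NtOpenProcess (7A) intercepted (805B0100->F7B20100), hook C:\\WINDOWS\\system32\\drivers\\productb.sys
Function NtWriteVirtualMemory (115) intercepted (805B0200->F7B20200), hook C:\\WINDOWS\\system32\\drivers\\productb.sys
Function NtSetValueKey (F7) intercepted (805B0400->F7B20400), hook C:\\WINDOWS\\system32\\drivers\\productb.sys
Function NtOpenSection (7D) intercepted (805B0500->F7B20500), hook C:\\WINDOWS\\system32\\drivers\\productb.sys
"""

# One intercepted-function line: name, SSDT index, original->new address, owning module.
HOOK_LINE = re.compile(
    r"^Function\s+(?P<name>\w+)\s+\((?P<index>[0-9A-Fa-f]+)\)\s+intercepted"
    r"\s+\((?P<orig>[0-9A-Fa-f]+)->(?P<new>[0-9A-Fa-f]+)\),\s+hook\s+(?P<module>\S+)"
)


def parse_hooks(report: str) -> Dict[str, str]:
    """Map each intercepted function to the file name of the module owning the hook.

    Lines that do not match the hook format are ignored, so a report with
    banners or blank lines can be fed in as-is.
    """
    hooks: Dict[str, str] = {}
    for line in report.splitlines():
        m = HOOK_LINE.match(line.strip())
        if m:
            module = m.group("module").rsplit("\\", 1)[-1].lower()
            hooks[m.group("name")] = module
    return hooks


def compare_hooks(report_a: str, report_b: str) -> Dict[str, object]:
    """Split the hooked functions into shared / A-only / B-only sets.

    Every function in ``shared`` would be hooked twice if both products were
    installed together: one driver ends up wrapping (or overwriting) the
    other's hook, which is where the conflicts and blind spots come from.
    ``overlap_ratio`` is the Jaccard overlap of the two hook sets, a single
    number to compare candidate pairings with.
    """
    a, b = parse_hooks(report_a), parse_hooks(report_b)
    shared = sorted(set(a) & set(b))
    union = set(a) | set(b)
    return {
        "shared": shared,
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "overlap_ratio": len(shared) / len(union) if union else 0.0,
        # Which module holds the hook on each side, for the shared functions.
        "modules": {name: (a[name], b[name]) for name in shared},
    }


def summary(report_a: str, report_b: str) -> str:
    """Human-readable version of compare_hooks for pasting into a thread."""
    r = compare_hooks(report_a, report_b)
    lines = [f"overlap: {r['overlap_ratio']:.0%} of hooked functions"]
    for name in r["shared"]:
        mod_a, mod_b = r["modules"][name]
        lines.append(f"  BOTH  {name}: {mod_a} and {mod_b}")
    for name in r["only_a"]:
        lines.append(f"  A     {name}")
    for name in r["only_b"]:
        lines.append(f"  B     {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(REPORT_A, REPORT_B))
```

Run each product's report through `compare_hooks` and look at `shared` first: those are the functions where two drivers would be fighting over the same entry, and the ones to test by hand when the products are installed together.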
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    LOL, interesting definition. May I quote you somewhere? :D As a side note, Gentoo Linux is using a sandbox where all the compilation and pre-install stuff takes place, and only then the files are installed/upgraded on the real OS. Makes it really easy to spot botched makefiles, ebuilds etc. It also makes it easy to spot design bugs, such as trying to read/write configuration to stupid places etc. But definitely, sandbox != HIPS.

    Amen to that... ;) :thumb:
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Both Bellgamin's comment and the reply might fit here, but are flawed for the general population.

    I am interested in security, so I kind of understand the HIPS language. But the average user who wants to be secure, doesn't understand and probably doesn't want to have to spend hours learning.

    Would you guys want to have to be certified mechanics just to drive your car (to continue that analogy)? Probably not.

    If I had to teach a novice any program that would be totally protective without fear of a mistake, it would be Sandboxie, and not any of the other programs we love to talk about here.

    Pete
     
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    I can personally confirm that DefenseWall successfully blocks the Phide rootkit.


    Peace & Gratitude,

    CogitoErgoSum
     
  6. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Thanks for that CogitoErgoSum.:)
     
  7. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello Antarctica,

    You are very welcome.


    Peace & Gratitude,

    CogitoErgoSum
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I agree, because you added "teach a novice". ThreatFire, PRSC, Mamutu, GeSwall and DefenseWall can do without the teaching. ;)
     
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    We'll see about that. I was at a friend's house last week and I saw he had ThreatFire installed. I was really surprised, since TF is absolutely unknown in my country. I asked him why he had that and he said "I went to download.com looking for an antivirus and I found that". (Needless to say, he is 100% non-geek.) He didn't even know that sometimes TF could prompt and ask for an action.

    To make a long story short, and to stop this off-topic rant, I decided to do a little experiment. I didn't teach him anything about TF or security. In a few weeks I'll visit him and see how well a newbie can handle TF.
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    First of all, my 9-year-old granddaughter is quite proficient at using HIPS & making good decisions based on alerts.

    The analogy of needing a mechanic is imperfect. A better analogy to "effectively using HIPS" is "safely driving a car."

    To safely drive a car, one must learn the rules of the road, and what is required by the various traffic control signs found alongside the road. One must understand what to do when hearing/seeing an emergency vehicle's approach. What to do when certain red lights appear on the instrument panel -- keep going, or stop & call for roadside assist?

    Those who complain that safe use of the internet requires a bit of thinking & learning are like a person who wants to drive a car but refuses to learn how to drive and how to pass the license test. I call these sort of folks "aggressively ignorant". If those folks viewed learning to drive a car in the same way they view learning to use HIPS, here is the sort of conversation that might ensue...

    :D :) :D ;)
     
  11. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    I think your analogy is flawed, but such debates seldom lead to a meeting of the minds. We'll have to respect one another's positions and agree to disagree, agreeably.;)
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I agree (to disagree).

    All analogies aside, my granddaughter & all the other kids in her elementary school computer class use HIPS with aplomb. Not only are HIPS readily learnable, the HIPS are, themselves, grrreat little teacher's aides. To be hip, use HIPS. :thumb:

    In some future age, we will have computers like unto Star Trek's. For now, it behooves us to learn a bit.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That may be true of OA. But in the case of TF it becomes blind to SOME behaviors (not ALL, of course).
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, same. :thumb:
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, I tried it with CFP (safe mode) without ShadowSurfer. No other security software as well. I don't get the physical memory access alert at all. According to Vettetech on the Comodo forums, he gets the alert. I am confused. o_O

    Can anyone test it with CFP? Thanks
     
  16. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Is it a virus, aigle? If not, send it to me and I'll test it.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It's a POC rootkit, I think. Anyway, I would not suggest running it on a working machine without reliable recovery in hand. BTW, just a reminder: your sample was well contained by GW.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Please do not make these requests for these programs. It is against forum policy. Period.

    Pete
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @aigle

    Ok.

    @Peter2150

    I'm aware of the rule that we aren't supposed to ask for malware on the boards or even trade malware through PMs. That's why I stated "if it's not a virus". Is it now against board policy to ask for non-destructive/non-virus proofs of concept?
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Even POC's can be destructive, so the answer is yes.
     
  21. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    I'm aware of that. I don't have a test PC, so any tests I run have to be non-destructive. :shifty:

    But I realize I should have made that more clear in my first post to aigle.
     
    Last edited: Jul 30, 2008
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Without wishing to split hairs, but what would be the difference between, say, the EICAR test, leaktest.exe (or some other HIPS-testing POC) and, in this topic, test.exe (Phide)?

    Just curious where the cut-off point is to stay within forum TOS. :cool:
     
  23. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    aigle, much thanks for your time & effort, even if just to educate me.

    I see now that it was the lack of the "physical memory access alert" (to be confirmed) in your initial test, and not the lack of clarity in alerting to "malicious behavior", that prompted the initial fail. Thanks.

    P.S. I wonder if D+ whitelists the hashes of common safe apps. If yes, then renaming or relocating calc.exe would not have made any difference, and I'd probably have wasted your valuable time (so sorry!).
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I always set TF to create a restore point before quarantining and set the default actions for RED (malware) and GREY PUA (Potentially Unwanted Application, or spy/adware) to quarantine. Tell them to hit "learn more about this threat" when TF pops up before deciding. That is all, and it works well with non-geeks.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    :thumb:
     