A comparative : 10 HIPS against 'brutal unhooking' malwares

Discussion in 'other anti-malware software' started by nicM, Jul 25, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi nicM, thanks for the tests. Is it possible to test NG beta 3?

    And what about Sandboxes like GW, DW, SBIE etc. running malware as untrusted?

    Thanks
     
  2. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi Becky,

    Actually, I've not received any reply from CyberHawk support, which I mailed before publishing the comparative :) , but thanks for letting us know about improvements for the next version.

    If support didn't see this mail, they should have a look as this mail has a link to a zip with all malwares used inside.

    Cheers,

    nicM
     
  3. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Thanks Osaban (and egghead too btw, for making the effort of French speaking :D lol).

    Longboard, I use snapshots from Rollback Rx (version 7) to restore between all tests. Most of these files are known to most AVs, and the others were submitted.

    As you said, publishing has the advantage of prompting editors to improve their programs: that was the goal ;) - I've got feedback from all except 2 editors so far.

    Tokar : I'll try to test ST.

    Aigle : Sandboxes are on the ToDo list, along with some firewalls...
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks nicM. Really hard work and a nice effort by you. I really appreciate it.
     
  5. wat0114

    wat0114 Guest

    Thank you again for your efforts nicM :)
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Ah... "the check is in the mail.";)

    I tried CH Pro & loved its rule module EXCEPT that I couldn't find a way to make a rule to block Avira's infamous avnotify.exe. Maybe I overlooked something?
     
  7. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I am assuming the ProSecurity paid version was tested here? Anyone know if that is so, or how the freeware version would have fared?

    Thanks
     
  8. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Hi bellgamin--

    I've asked that someone look into your question and follow up through PM.

    Please note that specific questions such as this are better handled through our support ticket system at http://www.novatix.com/support or through our official Cyberhawk forum at http://www.pctools.com/forum/forumdisplay.php?f=58.

    Out of respect to the Wilders moderators (since we're just guests here) we try to limit posting direct "technical support" type responses and stick to more general product discussions.

    We welcome and in fact encourage users to contact us directly through our normal support venues so we can help with any specific cases such as the one you brought up.

    Kind regards,

    Becky Dubrow
     
  9. panda01

    panda01 Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    5
    Read the test with very much interest.
    I have multiple licences for all - ProSecurity, SSM and OA.
    What I find interesting is the number of kernel hooks for the programmes.
    Most use between 25 and 40, but SSM has 280 hooks.

    Any thoughts, comments etc about this.

    phil
     
  10. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Very nice job on these tests, nicM.....your efforts and hard work are much appreciated :thumb:
     
  11. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Yeah, these tests are awesome, well done.

    These tests show that the humble anti-virus scanner is still essential in any combination of security software. Despite the delay in releasing signatures, anti-virus programs will still stop the malware mentioned in this test better than any HIPS.

    This is because despite HIPS claiming to provide 0day security, when a "truly" unknown threat appears such as unhooking malwares they are still worse than a signature scanner when definitions for the malware are released.
     
  12. tlu

    tlu Guest

    These tests show again how important a layered protection is. And the cornerstone is using a restricted user account. No malware can install a kernel-based rootkit, install a service etc. etc. in a normal user account. But although it's that obvious, most people here see a layered approach simply as adding up more and more HIPS and AVs. nicM's test reveals again how fallacious that is. Who knows if the better tools in this test will also stand the newest malware next week or next month.

    Every idiot can comfortably manage Windows XP or temporarily start applications with admin privileges under a normal user account by using, e.g., suDown. I will never understand why most people here so vehemently refuse to accept that. I also use SSM and KAV 7.0 but they are just an additional protection - my system isn't easily compromised if they fail. But people always logged in as admin have to rely solely on them - the next intelligent rootkit or zero-day attack will show how problematic that is.
     
  13. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    @NicM,

    I actually have a question - when you did test this malware against Online Armor, did you select the "Run Safer" option when running the unknown exe, or not?

    Mike
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Sobering assessment. Also, with the most recent tests of SSDT table unhooking malwares vs. some kernel-mode HIPS, it looks like some improvements are sorely needed in certain HIPS programs for better self-preservation against being displaced by those invaders easily unhooking security "hooks".

    280 security-aimed hooks, or even 380 hooks, are of no real consequence if they can be so easily knocked out of the line-up as has been reported.

    Just another good reason why a layered security approach helps offset such limitations, maybe not completely, but at least it can offer a user additional detection monitoring, along with constant vigilance by regularly running more advanced ARK tools on a schedule of choice.

    Excellent Tests btw.

    EASTER
     
  15. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    The Pro version was used here (same for CyberHawk and SSM). In fact, the only two freeware programs were DSA and EQSecure (I added that behind their names, on the website).

    As for the free version of ProSecurity, it wouldn't do as well as the full version, for sure, since what allowed the full version to perform so well was the 'debug at system level' protection ;) .

    Mike : No, this protection was not used.


    Thanks,

    nicM
     
  16. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    OK, clear. That protection would have prevented the driver install :) But probably most users would not have selected it so still a fair test.
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Nice test, NicM. :) Can you give a test to Comodo Firewall 3.0 alpha also? I'm interested in their HIPS.
     
  18. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

    Mike, I have always wondered what Run Safer did:
    does it strip token privileges like DropMyRights?
    or is it more like DefenseWall/GeSWall?
     
  19. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    It's like dropmyrights - although we may expand this in future to include isolation/virtualisation capabilities as well.
     
  20. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
    That sounds really good!
     
  21. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    nicM:
    Hello!
    Why don't you test Safe'n'Sec 2.5 and 3.0? I am sure you will get a surprise,
    tell me, cause I am rather curious!!
    Thank you for your fabulous work!!!


    Regards!!

    Kael'thas
     
    Last edited: Jul 29, 2007
  22. wat0114

    wat0114 Guest

    The latest response from the Syssafe developer here

     
  23. tlu

    tlu Guest

    Good to read, indeed - see my posting #37 above.
     
  24. wat0114

    wat0114 Guest

    It would have been interesting to see the results of testing under a limited account, but the fact is an administrative account is required to install programs, or, at least, using the "Run as" option in XP.

    I did question nicM earlier on what type of account was used for testing, feeling, at the time, that using a limited account would have better represented the truest scenario, but after further consideration, I believe testing under the administrative account is the most true-to-life scenario. Not only that, but if the test product can stop the malware under the administrative account, then that clearly illustrates the product will protect under the most permissive conditions possible.
     
  25. 072707

    072707 Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    33
    Which HIPS do you use nicM? I am 6 days into a Cyberhawk Pro 2.0.4 15 day trial, but I don't think that I will buy Cyberhawk in view of these results and what appears to be a false positive from Cyberhawk. It told me NOD32 wants to log keystrokes. I now believe that was a false positive.

    I don't relish the task of scrambling to find another HIPS.

    I wanted to use Dynamic Security Agent Free Edition, but I was in a hurry to get a HIPS up and running properly on my XP sp2 Home; so, when DSA would not function in my "limited user" xp account I just moved on to another HIPS.
     