A comparative: 10 HIPS against 'brutal unhooking' malwares

Discussion in 'other anti-malware software' started by nicM, Jul 25, 2007.

Thread Status:
Not open for further replies.
  1. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,656
    Location:
    Sydney, Australia
    Any HIPS that relies on behaviour might give a false positive such as this (unless the particular exe is in a whitelist, if that HIPS has a whitelist).

    HIPS require a bit more attention than an AV. The difference is that the AV will only alert when it knows it is bad. The HIPS will alert when bad behaviour is detected. There are some legitimate programs that exhibit these behaviours - for example, some chat clients use keyboard hooks to determine if you are idle.

    It is then up to the user to make a decision - do I trust this vendor, or not? The likelihood of NOD32 recording keystrokes (provided you have a purchased copy, and not a cracked version) is unimaginably low. So, you should allow the action. Most security programs require fairly high privileges on your system in order to operate.

    One thing I often do when prompted like this is to deny the hook, and see what happens. Usually, some keyboard shortcut or minor function will fail - and if I am satisfied with that, I leave it as blocked. If the program then exhibits problems, and I still want (and trust it) - I'll allow the hook.
     
  2. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I note that some of the most hyped did poorly; SSM, Prevx, PG, and Cyberhawk.

    I remain unconvinced as to the worth of such applications.
    Best,
    Jerry
     
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: Like anything else in this civilized world, in order for these brilliantly-conceived apps to be successful, they need to enlist a bit of luck. When potential consumers are not willing to become their customers, that is when they are forced to adopt downsizing, merging and so on. Excellent ideas and top products are often tough sales to average Joes/Janes. Developers have to think at the very same level as them. That is why toy producers invite many children to their R&D, and watch these boys and girls try out their pilot models. These marketable products would not be able to make their way into the real world w/o these kids' inputs.
     
  4. tlu

    tlu Guest

    After trying several approaches I found suDown to be the most convenient solution. It creates a user group called SUDOERS - just add your user account to this group, that's it. It enables you to start any application with admin privileges just by right-clicking it, selecting "sudo ..." and entering the password of your user account (NOT the one of your admin account!!) in a pop-up window. Access to the system menu with admin rights can be gained by right-clicking your desktop and selecting sudo. Note: You need .NET 2.0 for suDown.

    I agree, but that doesn't belittle the benefits of a limited user account. You don't have write access to the biggest part of the registry, the Windows folder, the Programs folder and most startup locations. This means that you are protected against most kinds of malware even without using any HIPS. And if you do use one (like I do, too) you will most probably be protected against new zero-day attacks where your HIPS might fail - or if you have it misconfigured (given how complex many of them are).

    In other words: I can manage my system and start applications with admin rights via suDown in a very comfortable way, and SSM works very smoothly in a limited account. Why, for heaven's sake, should I permanently be logged in as admin o_O
     
    Last edited by a moderator: Jul 30, 2007
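    An added check, not part of this post or of suDown: a PowerShell probe that reports whether the current account can write to the locations the post says a limited user cannot touch (HKLM, the Windows folder, Program Files, the machine-wide Startup folder). Run it once from a limited account and once elevated and compare; the locations and the probe-value naming are assumptions for this example.

```powershell
# Added example (not from the thread): probe write access to locations a limited
# user should NOT be able to modify. Each probe creates and immediately removes a
# uniquely named file or registry value, so nothing is left behind.
# Assumptions: Windows PowerShell 5.1 or later; paths chosen to mirror the post.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($identity.Name); elevated: $isAdmin"

$dirs = @(
    $env:windir,
    $env:ProgramFiles,
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Try to create and delete a temp file; 'denied' is the expected limited-user result.
function Test-DirWrite([string]$Path) {
    $probe = Join-Path $Path ("lua-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        'WRITABLE'
    } catch { 'denied' }
}

# Same idea for a registry key: add and remove a throwaway value.
function Test-RegWrite([string]$Key) {
    $name = "lua-probe-{0}" -f [guid]::NewGuid()
    try {
        New-ItemProperty -Path $Key -Name $name -Value 'probe' -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $Key -Name $name -ErrorAction Stop
        'WRITABLE'
    } catch { 'denied' }
}

foreach ($d in $dirs)    { "{0,-70} {1}" -f $d, (Test-DirWrite $d) }
foreach ($k in $regKeys) { "{0,-70} {1}" -f $k, (Test-RegWrite $k) }
```

    Any line reporting WRITABLE from a supposedly limited account is a place where malware would not need privilege escalation at all, which is exactly the gap a HIPS is then left to cover.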
  5. wat0114

    wat0114 Guest

    Of course, and I agree 100%. I was only illustrating the fact that his tests were based on the typical example of someone installing an application under their admin account. Now the chances of that app being rogue if it is downloaded from a legitimate source are extremely minimal. I guess an ultra-powerful, bail-you-out-of-your-own-stupidity HIPS is required for those who dabble in cracked software and keygens. They also do better to satisfy the ultra-paranoid, so the vendors of these products have no choice but to ensure they will fend off everything short of an atomic doomsday attack if they want to stay in business.
     
  6. tlu

    tlu Guest

    Haha - well said :thumb:
     
  7. wat0114

    wat0114 Guest

    I couldn't resist :D
     
  8. tamdam

    tamdam Registered Member

    Joined:
    Feb 8, 2007
    Posts:
    88
    I would love to use apps like suDown, sudowin, and RunAs shim but none of them seem to work with Windows Update properly. So I dumped them, and stick with KIS which provides excellent protection without hassles.

    Besides, limited user to me is just another form of HIPS - it's built into the system. Vista has a very good limited user thing going for it, I'd love to use it because of that, but it has compatibility problems with some of my other apps. Sigh.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,814
    Location:
    U.S.A. (South)
    Very timely and great topic.

    Would be nice for all HIPS creators to review those finds and improve on their respective ability to have their SSDT hooks displaced. Every single potential risk needs to be addressed, especially when it comes to these HIPS programs.
     
  10. tlu

    tlu Guest

    I don't know what you mean. I've set Windows Updates to "automatic" and that works in a limited account without any problems. The same is true for the manual installation of updates - it works with suDown, MakeMeAdmin and Runas.

    I disagree. The point is that as a limited user you simply have no write access to critical parts of the OS. Period. To overcome this "problem", malware has to apply some kind of privilege escalation. I'm not saying that it's impossible but it's an extremely difficult task to do.
     
  11. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    User mode stealth kit with keylogger can log the admin password when you use tools like runas to escalate your privileges. This can be circumvented by rebooting before using these tools or using tools that don't require typing the admin password.
     
  12. tlu

    tlu Guest

    How to prevent user-mode malware: See this post. The steps outlined there work with suDown, too, of course.
     
  13. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Just a quick update: the website was updated to include results for 2 new program versions: SSM build 619, and EQSecure 3.4, freshly released in English.

    For now, the new results are just listed in the new 'update' page, available as a link on the main page.

    These two versions are passing all tests now.

    nicM
     
  14. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Great job Nico. You are too good for this world. Merci beaucoup once more.

    Also thanks to Vitaly for the very fast fix of SSM, this is proof that SSM is alive and kicking! (thank le bon Dieu for that:D )
     
    Last edited: Jul 31, 2007
  15. Tokar

    Tokar Registered Member

    Joined:
    Jul 22, 2005
    Posts:
    81
    Spyware Terminator in the next update, maybe? :-D.
     
  16. wat0114

    wat0114 Guest

    Thank you for the update, nicM :thumb: You are too generous offering your time like this :)
     
  17. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,113
    Location:
    South Texas, USA
    Just curious, but does anyone but me notice that when a test comes out, applications that fail depend on the test results to update their techniques? Is this a fair practice or more of a way of cheating and being on top with the rest that did good the first time :rolleyes:

    By the way, excellent work on these tests nicM.

    dja2k
     
    Last edited: Jul 31, 2007
  18. wat0114

    wat0114 Guest

    I see it as keeping up with the Joneses :)
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,469
    Location:
    Hawaii
    It's a chess match -- good guys VS bad guys.

    BAD guys surely undertake TESTS of their own, against major security applications, in order to find new ways to defeat them.

    Somewhere out there (if not today, then soon) along will come a nasty that can squirm past PS or OA, but not get past Prevx or SSM. Then we here at Wilders will have another reason to rave & rant. Then PS & OA will adjust, & not too long thereafter the bad guys will come up with something else that makes (for instance) KIS look as full of holes as swiss cheese. And -- awaaaay we go again.

    By golly, I LOVE this place!

    In short -- There never was a horse that couldn't be rode, AND there never was a rider that couldn't be throwed.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    That's why we ALL layer our security (sure we do!) but even so -- the ONLY bullet-proof security is imaging, wot? :ninja: *puppy* :ninja::-* :blink: :cool:
     
  20. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Test results are good for both security companies and consumers. The companies get to know their product weaknesses so they can improve, and a test done in the fashion NicM did his is a no-BS type, not a bashing by someone with a pecuniary interest. Customers get an improved product and also find out which companies are staying active in updating.
     
  21. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,113
    Location:
    South Texas, USA
    I wasn't BSing anything or bashing this test in particular or any other, I was talking in general. Testing is good, no debating that.

    dja2k
     
  22. herbalist

    herbalist Guest

    If you think about it, this is no different than Windows and security patches. When a vulnerability in a piece of software or an OS is found, vendors fix it. All security apps go thru this. I'd much rather see them fix a vulnerability than ignore or downplay it. Malware writers are very resourceful. If there's a weakness, they'll usually find it. Malware writers clearly consider HIPS a threat or they wouldn't write code to attack it.

    No matter how many times this "penetrate and patch" cycle repeats, security apps will never be bulletproof. If malicious code is allowed to run, sooner or later, it will succeed, no matter what apps you use. Like firewalls, HIPS is only as good as the rules it enforces and the decisions of the user. When malicious code is allowed to execute, the role of HIPS changes from primary defense to one of damage control. All the HIPS apps will intercept the launch of the malware. A test like this does show where HIPS apps need strengthening. This type of problem is ongoing with all windows apps.

    Users should see another lesson in these tests. When malicious code is allowed to run, the advantage shifts to the malware, no matter what you use. Fixing a vulnerability in a security app or operating system isn't very comforting if you were successfully exploited before it was fixed and your bank account gets cleaned out. Default Deny.
    Rick
     
  23. Tokar

    Tokar Registered Member

    Joined:
    Jul 22, 2005
    Posts:
    81
    Well, there are two ways of performing the tests:

    1) Don't disclose testing information. It keeps the field level, and if the program wants to improve or stay at the top they have to keep working.

    Or in nicM's case, who is genuinely interested in making all security software better (which is very commendable):
    2) Disclose all information to help other programs improve and then just retest with new samples every so often.


    #1 is better than #2 because it shows which programs are more dedicated to finding every sample possible.
    However, #2 is better than #1 because it shows which programs are more dedicated to being on top of new threats.


    Both have their advantages and disadvantages.
     
    Last edited: Jul 31, 2007
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,814
    Location:
    U.S.A. (South)
    Malware unhookers are new techniques, but now they're out in the open HIPS developers can lock them out.

    That's the answer.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Thanks for the update nicM.
    It's good that SSM and EQS fixed the issues but in my opinion we can't know the reality until a new test with a new sample set / new malware type is done by someone, sometime in future.
     