Can malware run outside of itself?

Discussion in 'other firewalls' started by TheMozart, Jun 12, 2011.

Thread Status:
Not open for further replies.
  1. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Once the malware is executed and active it will add itself to the firewall rules. It can't block what has the same rights.
    Also, if a trusted system process is still allowed to load kernel drivers, one can use DLL injection to inject userland code into the trusted process and then load a malicious kernel driver.

    Also ZwSetSystemInformation()
    It's a little-known interface and can inject code by directly modifying kernel memory. If HIPS is protecting (\Device\PhysicalMemory) they go for \MyPhysicalMemory
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    nope IMO.
     
  3. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    I thought LnS can detect process modifications and DLLs.
    So I need DefenseWall...
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    All of the methods described above for injecting code, accessing specific APIs, etc only work when the malware is allowed to execute. With a properly implemented default-deny security policy, the malware doesn't run and these things don't happen. The number of ways that malicious code can interact with and exploit a system are almost limitless and greatly overlap the behavior of legitimate applications. I'm not sure if any HIPS or security app can intercept every possible malicious use of an API, but I'm sure that the vast majority of users won't want to and will not be able to handle being prompted for each of them. Properly answering such prompts would require the user to have the skills of a programmer. For all practical purposes, if malicious code can execute, all bets are off.
     
  5. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    That's why DefenseWall exists :D
    A few questions and maximum protection :)
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No, in fact a classical HIPS, if you can handle it though.
     
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Are you ready to invest in the process ? :)
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm.... what do you mean exactly? What type of investment?
     
  9. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    20m plus unique malware in 2010, at an average of 55,000 a day.
    Userland hooks run with the same privileges as the shellcode.
    Similar to buffer overflow protection, userland-based implementations cannot protect against malicious code that is executing with the same privileges.
     
  10. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    LOL. Actually, it can be any type. Nobody tries to suck out the money from you, it's rather "general" question :)

    What I really mean is our wishes don't fit in the money main streams most of the times.
     
    Last edited: Jun 17, 2011
  11. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Linux doesn't need malware; the users mess it up themselves.
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Though, while Linux doesn't need malware, malware needs Linux, unfortunately :)
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I thought maybe you have something in mind for a project.

    BTW the reply to your answer is unfortunately No. Now don't mind it, but I told you the true answer. :)
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, not when you have some knowledge of the OS (e.g. Windows 7 or Vista).

    Using UAC to add a threshold between Admin (high) and User (medium) rights (which can be improved by only allowing signed applications to elevate).

    Using icacls or the 1806 trick to deny execution of certain folders (icacls) or downloaded executables (1806). The latter can easily be set to allow removing the block with right-click Properties on the executable.

    Using low rights / protected mode applications, which separates the low-rights sandbox (protected mode) from all other things running in user mode (medium rights). Chrome is best, IE9 is second (and automatically applies low rights/protected mode). All other browsers have to be manually forced into low rights through icacls.

    I have run this for one and a half years now (so-called safe-admin setup) with Stem's Windows firewall setup (also outbound). Only using Hitman Pro on demand.

    Sully is playing with native boot in VHD. This also looks promising when your CPU supports hardware virtualisation (a lot faster than a VM). So Windows 7 security by itself is as solid as Fort Knox, for nerds like Sully, Moonbood and me that is :D

    Regards Kees
     
    Last edited: Jun 21, 2011
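An added example (not posted in the thread) of the icacls part of the setup Kees1958 describes: deny execution in the current user's Downloads folder, verify the deny ACE is present, and undo it if needed. The folder path and the use of the Everyone SID are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Applies a deny-execute ACE (Everyone,
# inherited to files and subfolders) on the Downloads folder and checks it.
# Assumptions: path = %USERPROFILE%\Downloads, principal = Everyone (S-1-1-0).

function Add-DenyExecute {
    param([Parameter(Mandatory)][string]$Path)
    # (OI)(CI): inherit to files and subfolders; (X): execute/traverse.
    # Denying Everyone blocks launching files here even for an admin, until the
    # ACE is removed or the file is moved out of the folder.
    icacls $Path /deny '*S-1-1-0:(OI)(CI)(X)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Remove-DenyExecute {
    param([Parameter(Mandatory)][string]$Path)
    # Strip every Deny ACE for Everyone again (reverses Add-DenyExecute).
    icacls $Path /remove:d '*S-1-1-0' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Test-DenyExecute {
    param([Parameter(Mandatory)][string]$Path)
    # True when a Deny ACE for Everyone (explicit or inherited) includes ExecuteFile.
    # Comparing by SID avoids problems with localised group names.
    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $hit = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
        ($_.FileSystemRights -band $execute) -eq $execute
    }
    return [bool]$hit
}

$target = Join-Path $env:USERPROFILE 'Downloads'
Add-DenyExecute -Path $target
if (Test-DenyExecute -Path $target) {
    Write-Host "Execute is denied for Everyone in $target"
} else {
    Write-Warning "Deny ACE not found on $target"
}
```

A file dropped in the folder still cannot be launched after the user unblocks it in Properties; this is why Kees1958 points to the 1806 setting, not icacls, for downloads the user wants to run after review.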