Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I'll let you know. I uninstalled Sandboxie, Outpost, Shadow Defender and AdGuard earlier in case they were stopping installation of the 2 SSM setups. However they still wouldn't install, but the free one installed fine. I'll be installing Sandboxie, Sygate and Shadow Defender and probably MBAM subsequently and will inform you of any probs.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here's a link to the developer's blog: https://www.scriptjunkie.us/about/ . There is an e-mail link on that web page to contact him.
    Is OSSS x64 compatible? From the download page it appears it is not.

    But from the screen shots, OSSS looks like a clone of Defense+. Implies that development was tied to Comodo in some fashion.
     
    Last edited: Feb 15, 2016
  3. hjlbx

    hjlbx Guest

    Can anyone recommend decent stand-alone HIPS modules?

    TIA
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The only one I know of currently fully supported now and in the future for x64 OSes is Comodo's Defense+. You can disable the firewall if you don't want it. Also I believe SpyShelter also has a stand-alone HIPS.
     
  5. hjlbx

    hjlbx Guest

    @itman - Thanks. I am familiar with both. Heh, heh... standalone HIPS modules gone the way of the dinosaur.

    Only one to appear is ReHIPS. Still currently being developed.
     
  6. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    [Attached screenshot: sshot-2.jpg]
    I've just installed Sandboxie, with SSM in learning mode, and run it with no problems. Took SSM out of learning mode, rebooted with no problems. Fired up Sandboxie and am using it for this post with no problems. I've noticed SSM seems to have allowed the Sandboxie driver full status (probably in learning mode?) which may have helped with its coexistence.
     
  7. hjlbx

    hjlbx Guest

    Anyone know of the exact limitations of SpyShelter on 64 bit systems?

    Is it capable of monitoring all of the built-in system protection (HIPS monitoring) modules?
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You can read about it here: https://www.spyshelter.com/system-protection/ . Rasheed187 uses SpyShelter Premium so you will have to wait till he chimes in on this. I do know that out of the box, it scores 340/340 on the Comodo Leak Test.
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Thank you very much for the screen shot. Yes, Learning mode would've done it, and it's correct. You want it to do what it has to do. Drivers and all.
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen

    You can try here: http://tecnologia.tiscali.it/download/scheda.php?id=298625 it's an Italian site, I know only that it's an IT services company, so I believe that it's trusty. Click on "preleva". Unluckily, at the moment I don't have my own file version, so I can't check the hash.
     
  11. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks...
    The link's working.... Good find!! :)
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I haven't tested it extensively, but my general impression is that all modules work correctly, including all behaviors monitored by the HIPS.

    On Win XP I had to remove Sandboxie because of a conflict with SSM.

    I will read the thread again.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I believe that wasn't based on SSM's code. And the new company of the OSS developers seems to be inactive. They were supposed to develop a new HIPS: http://www.cezurity.com/en/products/cube

    Not really, I have had mostly bad experiences with Comodo. The HIPS is quite strong but there are too many annoyances.
     
  14. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Can you remember what the conflict was? So far I haven't had any problems (not to say that I won't have any) but maybe I can replicate the problem, or look out for it. I'm using the last beta SSM and SB 5.0.8 on a 32 bit system.
     
    Last edited: Feb 16, 2016
  15. hjlbx

    hjlbx Guest

    @Rasheed187

    You experience any type of conflict between SSF and SBIE?
     
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    :thumb:
     
  17. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
  18. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    SSM
    Of course I've checked that link... SSM on Vista? No way... I must try it but I don't trust this information too much.
     
  19. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I linked it only for the SSM file exe download for XP SP3 for ellison64: I said that I believe the site is trusted regarding the file integrity, nothing else. But honestly I don't remember now if SSM, when it was developed, also worked for Vista.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I wouldn't count on it, I believe the site hasn't been updated in 2 years, so there is probably no development going on.

    I would often get blue screens and SBIE wouldn't start up correctly. But it might be related to my specific system configuration, so there is a chance that you will never get to see any problems.

    BTW, I was thinking about blocking of kernel API hooking, and I believe it's probably not possible because the Windows OS needs to provide an interface to monitor this, and I don't believe it does. That's why HIPS also couldn't block kernel mode hooking (after the driver has loaded) on Win 32 bit. So it would only be possible with a hypervisor based HIPS.
     
  21. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    I'm not surprised... SSM doesn't work on Vista so nothing new, and the linked version is the same as I have in my archive.
     
  22. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I guess they never had time to get it working properly in Vista. But according to SSM "WHAT'S NEW" there was some Vista support in build 621. Maybe not enough to run smoothly though. I'm not sure what was new in build 622?
    ........................................................
    Build 621

    What's new:
    * Added Vista SP1 RC support;
    * Added Fast User Switching support for Vista

    Known issues:
    * NetStat module is disabled on Windows Vista because it won't work with SP1.
    ........................................................
    Edit..
    Seems like Vista support started with build 616
    .....................................
    Build 616

    What's new:
    * Added Windows 2003 Server SP2 support;
    * Added Windows Vista support (experimental)
    ..........................................
     
    Last edited: Feb 17, 2016
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ itman

    Here is another interesting article about a new version of the Gozi Trojan that can now infect MS Edge. If I'm correct, M$ tried to protect Edge by allowing only signed applications inject code into the browser, but seems like the malware author has managed to bypass this via some tricks.

    But I assume by blocking code injection into explorer.exe and RuntimeBroker.exe you can still block it. And as previously discussed, tools like Webroot, Zemana and SS should also block the hooking of APIs inside browser memory, on already infected machines:

    https://securityintelligence.com/go...build-to-inject-into-windows-10-edge-browser/
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    For Win 10, create a HIPS rule to protect RuntimeBroker.exe from process modification. That launches Edge versus explorer.exe which is used by the other browsers. Also I would imagine that a HIPS rule that protects Edge against process modification would work equally as well.

    The question is if or why Windows Defender doesn't catch Gozi since M$ built an anti-malware interface into Edge?
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    @ Rasheed187

    I finally completed my Eset HIPS rules to pass all Comodo Leak Tests except knowndlls. Researching that, I came across a bit of interesting stuff. First is most security products fail that test. You should see if you pass it with your security software. This article: http://www.codeproject.com/Articles/325603/Injection-into-a-Process-Using-KnownDlls, describes what is going on which is basically hijacking the loading of knowndlls registry refs. and inserting your own malicious .dlls into a running process. Only way to protect against this is:

    To protect the process from intrusion via KnownDlls you can use kernel mode hook of API function named NtCreateSection checking the path to DLL. If it doesn't correspond to the system one, the section creation must be blocked.
    When I fired up Process Monitor, I did see that Emsisoft protects against this since its hook was present in the clt.exe execution stack during this activity. Epp.sys is EAM's kernel hook:

    -EDIT-

    On second analysis, EAM did not catch this. Below is a screen shot of the Process Monitor relevant events. Also will add that Kaspersky HIPS prevents this activity when the option "changing system modules" is enabled.

    [Attached screenshot: knowndlls_ProcMon_1.png]

    [Attached screenshot: knowndlls_ProcMonitor_2.png]

    You can see in the Process Monitor log how CLT is building the dll load modules in a temp file. Appears CLT uses Wow64SystemServiceEX to set a hook to allow table section modification. Some refs. below on how Wow64SystemServiceEX does this. The last one is an EMET bypass.

    http://blog.rewolf.pl/blog/?p=102
    http://www.ffri.jp/assets/files/research/research_papers/psj10-murakami_EN.pdf
    https://duo.com/assets/pdf/wow-64-and-so-can-you.pdf
     
    Last edited: Feb 21, 2016
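The path check described in the quoted KnownDlls mitigation (a hook on NtCreateSection that blocks the section unless the backing DLL lives in the system directory), written out as an added example that is not from the thread, the CodeProject article, or any product mentioned here. A real HIPS applies this from kernel mode; here it is a plain user-mode function so it compiles anywhere, and the accepted directory spellings and the `C:` system drive are assumptions.

```c
/* Added example (not from the thread): the decision a KnownDlls section
 * filter makes. Assumption: a legitimate KnownDlls section is backed only
 * by a .dll directly under System32 (or SysWOW64 for the 32-bit view),
 * named in one of the usual NT object-manager forms listed below. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Accepted directory prefixes (assumed spellings; system drive assumed C:). */
static const char *const SYSTEM_DIRS[] = {
    "\\SystemRoot\\System32\\",
    "\\??\\C:\\Windows\\System32\\",
    "\\SystemRoot\\SysWOW64\\",
    "\\??\\C:\\Windows\\SysWOW64\\",
};

/* Case-insensitive prefix test, since Windows paths are case-insensitive. */
static bool has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Returns true only if 'path' names a .dll sitting directly inside one of
 * the system directories. Any further path separator after the prefix is
 * rejected, which rules out subdirectories and "..\" components, so a
 * KnownDlls entry redirected to a temp file does not pass. */
bool knowndll_path_allowed(const char *path) {
    for (size_t i = 0; i < sizeof SYSTEM_DIRS / sizeof *SYSTEM_DIRS; i++) {
        const char *dir = SYSTEM_DIRS[i];
        if (!has_prefix_ci(path, dir))
            continue;
        const char *name = path + strlen(dir);
        size_t n = strlen(name);
        if (n < 5 || strpbrk(name, "\\/") != NULL)  /* "x.dll" is the minimum */
            return false;
        return has_prefix_ci(name + n - 4, ".dll");
    }
    return false;  /* temp dirs, user profile, UNC paths: block the section */
}
```

A real filter would also verify the file behind the section rather than trusting the string alone, since the path is only the first thing an NtCreateSection hook can check.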