Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,458
    Location:
    Outer space
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,190
    Location:
    U.S.A.
    Both Eset Smart Security and NOD32 are also scoring high in recent AV lab tests. Both now have exploit and HIPS protection. On the other hand, Eset has never been the strongest in the AV signature category.
     
  3. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Yep, ESET Smart Security 8 actually did really badly against "1-day malware".

    I ran about 40 files... only 4 were blocked by HIPS (Smart mode) and a few didn't work. 29 were detected by the ESET AV scan which I did after a reboot. After that HitmanPro detected another 2 files.

    Now I am a little scared :S

    In my previous "Full Setup Test" (look at my signature for setup) I got a 100% detection rate. But ESET HIPS seems to add only little protection :/
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,436
    Please provide hashes of the files you used for verification. HIPS itself is not meant to detect and block malware, but it's the Advanced memory scanner and Exploit blocker which do a really very good job and block dangerous malware, such as Filecoders, without the need to update, while other famous AVs let brand new variants encrypt data on a disk.
     
  5. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Puh I already deleted the virtualbox image. What I used was a 22 Virus-Sample-Pack which you can get from malwaretips.com (latest pack, uploaded yesterday) as well as all the links from the first page of malc0de.com (again all files were added to the malc0de db yesterday).

    Well, I obviously have no idea how exactly HIPS and BB (if there is one?) work in ESET. And as I said, the whole suite itself scored 100% results (tested twice, each time with about 50 0-day malware samples). But I always thought HIPS/BB is the only "real protection" these days, as it is quite easy to get a file fully undetected against "simple AV scanners" as listed on e.g. virustotal.com. I also have no idea how other products (e.g. CIS) would perform in such a "HIPS only" test.
     
  6. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    130
    Actually, based on what I learnt from the kafan forum, the smart mode is not as complete as it seems to be, meaning that you still need to edit the HIPS policies based on your needs.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,190
    Location:
    U.S.A.
    Here's a link to an Eset .pdf on its HIPS: http://kb.eset.com/esetkb/index?page=content&id=SOLN2908. It appears "Smart" mode is the least restrictive HIPS mode. Its "Interactive" mode appears to equate to Comodo's Defense+ paranoid mode.

    Here's a link that explains Smart Security's various protections: http://malwaretips.com/threads/eset-and-zero-day-threats.39449/.

    Finally here's a link to configure for maximum protection. It's for an early version but poster stated settings still apply to ver. 8: http://malwaretips.com/threads/how-to-set-eset-smart-security-for-max-protection.14466/.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,628
    Location:
    The Netherlands
    I found some other interesting stuff that HIPS need to consider:

    http://www.google.nl/url?q=https://digital-forensics.sans.org/media/poster_2014_find_evil.pdf&sa=U&ei=93xfVb3LFYfjUZKjgLAI&ved=0CBQQFjAA&usg=AFQjCNFq3tgvSv6JuGA_OkQY2S6MN-XV7w

    Another thing that I wonder about: can current HIPS spot "process hollowing" attacks? Do HIPS even monitor code injection into child processes?

    http://www.malwaretech.com/2014/12/zombie-processes-as-hips-bypass.html
     
    Last edited by a moderator: May 22, 2015
  9. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,361
    Online Armor is the last classical HIPS. ZA and many other AVs' solutions now incorporate a BB, which used to be a separate stand-alone product. There are anti-exploits like EMET and MBAE. MITM blockers include Zemana AL. AEs - the most prominent example is VS.

    As the dangers of malware have multiplied over a wide range of fronts, so have the solutions developed to prevent, monitor and remove them.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,190
    Location:
    U.S.A.
    I believe Windows keeps track of all newly created processes, suspended or not. If Windows knows about the process, a behavior blocker or HIPS should know about it also. Also, all of these have cloud counterparts as supplements. Those should trigger some type of reputation alert, I would imagine.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,190
    Location:
    U.S.A.
    The HIPS in Eset NOD32 or Smart Security can be either classic or policy based; your choice. It is fully configurable.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,817
    Location:
    U.S.A. (South)
    Thanks ever so much. I've been saying this for years, harking back to when it first started rearing its head as a CONCEPT first, and now it's so blindly praised as all the rave. Bahh! One thing will never change: the Cloud is a remote destination(s) wherein those physical units can be exploited and boomerang right back into our machines. That's why it's always so much safer when they are run locally WITHOUT ANY INBOUND/OUTBOUND instructions. I always expected that if a quality, efficient HIPS is thoughtfully and well constructed enough, it (and the user) can easily mitigate virtually any threat.
     
  13. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Any OS CAN be protected by the user with a minimalistic but effective defence NOT involving a cloud or a "fix it" stick! Dave
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,817
    Location:
    U.S.A. (South)
    Hah, it's a dirty rotten shame that here comes Windows 10 and EQS never built a 64 bit version for that when they had the chance, nor did any other freelance or other development team pick it up either. I still cringe on losing that super configurable HIPS, but I suppose if it's of any consolation maybe it will run on the Windows 32 bit platform without sacrificing too much ability. Some still bellyache that EQS was noisy and not user friendly, but once well configured it was nearly as automated as they come for a locally run classical HIPS.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,628
    Location:
    The Netherlands
    I also miss some of the old skool HIPS like SSM and Neoava Guard, they were superior when it came to GUI and user friendliness. You should check out SpyShelter, the GUI frustrates me but it's quite powerful and monitors a lot.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,628
    Location:
    The Netherlands
    The point that I was trying to make is that HIPS often watch for modification to other (non child) processes. For example, if malware directly injects code into explorer.exe or svchost.exe, that will be blocked. But what if it first launches a trusted process like explorer.exe, and then tries to manipulate its memory? I'm not sure if this technique is used in some of these tests (see links). And too bad that HMPA's "hollow process" test doesn't work on 64 bit systems, I wonder why.

    http://www.testmypcsecurity.com/lea...5sk1=875c240695498ea3dc80d72675dd53d1b7934ae1
    http://www.testmypcsecurity.com/securitytests/all_tests.html#AllTests
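    A detection heuristic for the "launch a trusted process, then manipulate its memory" pattern Rasheed187 asks about, written here as an added example that is not from the thread or any product: it walks constructed Sysmon-style process-create (ID 1) and process-access (ID 10) events and flags a parent that opens its own freshly created child with memory-write or suspend/resume rights. Field names follow Sysmon's; the events, PIDs and timestamps are constructed.

```powershell
# Added example, not from the thread. Constructed Sysmon-style events:
# ID 1 = ProcessCreate, ID 10 = ProcessAccess. PIDs and times are made up.
$events = @(
    [pscustomobject]@{ Id=1;  Time=[datetime]'2015-05-30T10:00:00'; ProcessId=4100; ParentProcessId=3200; Image='C:\Windows\explorer.exe' },
    [pscustomobject]@{ Id=10; Time=[datetime]'2015-05-30T10:00:01'; SourceProcessId=3200; TargetProcessId=4100; GrantedAccess=0x1FFFFF },
    [pscustomobject]@{ Id=1;  Time=[datetime]'2015-05-30T10:05:00'; ProcessId=4200; ParentProcessId=3200; Image='C:\Windows\System32\notepad.exe' },
    [pscustomobject]@{ Id=10; Time=[datetime]'2015-05-30T10:05:01'; SourceProcessId=3200; TargetProcessId=4200; GrantedAccess=0x1000 }
)

function Find-ChildMemoryTamper {
    param(
        [object[]]$Events,
        [int]$WindowSeconds = 10   # how soon after creation the access must happen
    )
    # Windows process access rights that allow writing another process's memory
    # or resuming a suspended process: PROCESS_VM_OPERATION, PROCESS_VM_WRITE,
    # PROCESS_SUSPEND_RESUME. 0x1000 (query limited information) is not in the mask.
    $writeMask = 0x0008 -bor 0x0020 -bor 0x0800

    $creates = $Events | Where-Object Id -eq 1
    foreach ($access in ($Events | Where-Object Id -eq 10)) {
        if (($access.GrantedAccess -band $writeMask) -eq 0) { continue }
        # Match the access to a child the same source process created just before.
        $child = $creates | Where-Object {
            $_.ProcessId -eq $access.TargetProcessId -and
            $_.ParentProcessId -eq $access.SourceProcessId -and
            ($access.Time - $_.Time).TotalSeconds -le $WindowSeconds
        } | Select-Object -First 1
        if ($child) {
            [pscustomobject]@{
                Parent = $access.SourceProcessId
                Child  = $child.ProcessId
                Image  = $child.Image
                Access = ('0x{0:X}' -f $access.GrantedAccess)
                When   = $access.Time
            }
        }
    }
}

# Only the explorer.exe pair is reported; the notepad.exe access lacks write rights.
Find-ChildMemoryTamper -Events $events | Format-Table -AutoSize
```

    Debuggers, installers and security products themselves open their own children this way, so treat a hit as a hunting lead to pair with the child's image path and the parent's reputation, not as a verdict.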
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,628
    Location:
    The Netherlands
    This is not correct, you forgot about Zemana, SpyShelter and Private Firewall.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,817
    Location:
    U.S.A. (South)
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,190
    Location:
    U.S.A.
    I believe also it's important to note the limitations of the default settings of behavior blockers and some of the later version HIPS. Using Emsisoft's behavior blocker as an example, it monitors app startup behavior. However, only a select pre-determined number of apps are constantly monitored: browsers, explorer.exe, taskmgr.exe, etc. Ditto for the HIPS used by Eset NOD32 and Smart Security, even if running in Smart mode. How to determine what is constantly being monitored? Open up Process Explorer and find all apps that have the BB's or HIPS's respective .dll injected into them. System level processes are usually fully trusted by these HIPS and BBs and are not monitored at all. Bottom line - you can be exploited using the default settings. Proof is the latest exploit tests showing Emsisoft's BB at the bottom of the heap. Eset fares better in exploit testing since it uses additional exploit detection software added to its HIPS that appears to be based on techniques used in EMET's protection. Like EMET, however, only a select number of apps are being monitored.

    The older "classical" HIPS models like that used by Comodo's Defense+ and Online Armor rely heavily on protection of the system registry, with a few critical apps also monitored. Personally, I believe this is the safest approach since it uses a "cutting off of a snake's head" technique. If the malware can't install its execution control in the registry, it can't run. It goes without saying this approach requires the most user interaction, but if the rules are carefully constructed, the user input interaction should be minimal.

    I personally have added a number of registry rules to Eset's HIPS to beef up its protection.
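    The coverage check itman describes with Process Explorer, scripted as an added example that is not from the thread or any vendor: it lists which running processes have a given hook DLL mapped, so the unhooked ones are the apps the product's user-mode monitoring does not cover. The module name is an assumption; substitute the file name of the product's own hook DLL as Process Explorer shows it.

```powershell
# Added example, not from the thread. Reports, per process, whether a named
# DLL (assumed here to be the HIPS/BB hook module) is loaded into it.
function Get-HipsCoverage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ModuleName   # assumption: file name of the vendor's hook DLL
    )
    foreach ($p in Get-Process) {
        $hooked = $false
        $note   = ''
        try {
            # .Modules lists the DLLs mapped into the process. It throws for
            # processes of the other bitness (use a 64-bit shell on 64-bit
            # Windows), for protected processes, and without elevation for
            # processes owned by other users, so those rows are marked instead.
            $hooked = [bool]($p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
        } catch {
            $note = 'modules not readable (bitness mismatch, protected, or not elevated)'
        }
        [pscustomobject]@{
            Name   = $p.ProcessName
            Id     = $p.Id
            Hooked = $hooked
            Note   = $note
        }
    }
}

# Rows with Hooked = False and an empty Note are the processes the product's
# user-mode hooks leave untouched; rows with a Note need an elevated 64-bit shell.
Get-HipsCoverage -ModuleName 'vendor_hook.dll' |
    Sort-Object -Property Hooked, Name |
    Format-Table -AutoSize
```

    Run it from an elevated 64-bit PowerShell on 64-bit Windows, otherwise most rows come back unreadable rather than unhooked.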
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Couple of things. 1. EIS/EAM aren't anti Exploit software, so comparing them in Exploit tests just isn't valid. 2. EIS has been first to stop every piece of malware I've thrown at my system.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,817
    Location:
    U.S.A. (South)

    Well put, itman. And when someone runs across either a standalone or similar Registry Monitor like we used to enjoy on XP systems, by all means please share. The one form of security I find missing (absent a complete program or suite) has been a decent registry monitor. On XP with EQS HIPS, if you even attempted to make a change yourself to the registry, up popped an alert while the action was indefinitely suspended in transit, with the details of what changes were expected.
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,282
    Location:
    Hawaii
    SpyShelter Firewall also has a HIPS component.

    NOTE: PFW scores "Very Good" on Matousec's tests. If you like a little policeman in your system tray, give PFW a spin.

    It seems Mamutu (a BB) is no longer sold separately. At least I couldn't find it. Sad -- I don't want the whole Emsi anti-malware. Can its several modules be turned on/off? Especially its antivirus -- I no longer use a real-time AV.
     
    Last edited: May 30, 2015
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,605
    Location:
    USA
    Online Armor injects into almost all processes. Very rarely will you find one that OA does not inject into.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,458
    Location:
    Outer space
    Same goes for Outpost (why do people keep forgetting Outpost?). It uses AppInit_DLLs, though not everyone seems to like that.
     