Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yes, indeed. Outpost has an excellent HIPS. Although, is it not a bit buggy?

    -EDIT- Yes, usage of the AppInit_DLLs registry area is outdated and potentially problematic, since malware does use that key also.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    You can only monitor processes with PFW. Also appears to be not actively supported anymore.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Unfortunate. It wasn't such a bad application despite the kiddy land GUI boxes. I always felt that there was some authentic potential with that program given just a little more attention to improvements and what not, but I suppose as far as they are concerned it had run its course.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Interesting, I didn't know about this. I wonder what the purpose is; you should be able to control APIs with only a driver AFAIK. For example, SpyShelter doesn't inject code into processes.

    Have you already checked out SpyShelter? It's the most advanced HIPS for Win 8 at the moment.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, this is what I'm wondering about. I don't think older HIPS like System Safety Monitor could stop the relatively new "process hollowing" technique. HMPA added protection against this probably because it's used by some ransomware variants.

    HIPS should indeed trust system/OS applications and services to avoid triggering dumb alerts. But they should be smart enough to see if trusted processes are started in a suspended mode, and they should look at the parent process. Most apps have no business starting up explorer.exe or svchost.exe for example. I wonder if HIPS like Online Armor, Zemana and SpyShelter can tackle this "zombie process" bypass method.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Again, unless the app is injected with the behavior blocker or HIPS monitoring .dll, there is no way for it to monitor app behavior after the initial startup of the app. As noted previously, only a select group of software is injected by default; those that are known threat gates like the browser, explorer, taskmgr, and the like. This is done primarily I believe to cut down both on system performance impact and constant security alerts. Again, manual rules can be created for every app if one so desires.

    For the person with high security requirements, perhaps Comodo's Defense+ with auto-sandboxing is the best solution. I also believe Outpost's HIPS has a sandbox element? This way a new "untrusted" app can run for a predetermined time and be monitored for abnormal behavior. Then it can be released from the sandbox manually. The downside is that not all apps install or run properly in the sandbox, and today's malware is sophisticated enough to detect sandboxing. Also, as recent malware events have shown, some can detect a VM environment.

    In reality, the safest mode of operation is app whitelisting, since only those processes specifically defined are allowed to run. Note however that app whitelisting will not protect you if one of those trusted apps is infected with malware.
     
    Last edited: Jun 1, 2015
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm guessing you're talking specifically about EIS? Not all HIPS work the same, AFAIK SpyShelter monitors every process depending on the mode that you select. But anyway, I was just trying to point out that this "zombie process" bypassing method is quite a smart way to fool HIPS. Sadly enough I'm currently not able to test various HIPS against this method.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi itman

    You seem worried about what EIS may not do. Have you tested it against any malware? When I test against malware, EIS is always the first to stop it. That should be the main consideration.

    Pete
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I am not familiar with SpyShelter, but it appears to have options in settings such as this:

    - "ask user" level
    - use hard hooks
    - block also child processes

    Somewhat akin to Defense+ "paranoid", it appears. I would assume running as such, you will get a lot of alerts from SS?
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The last time I ran SS was months ago, and I didn't really test all options. So I don't know if it will automatically trust system/OS applications even when you choose "ask user". But I did choose "allow Microsoft" because I was afraid to get too many alerts. I hated Comodo for this reason, and it took too much effort to shut it up, so I will never use it again.

    I don't understand, do you mean that this test does work on 64 bit systems?
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks. Looking that one over now. It would almost have to be SS Firewall if I do.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I don't use EIS, but EAM w/Eset Smart Security. I am not worried about EAM but do supplement it with Eset SS HIPS rules plus botnet and exploit protection. I also supplement EAM's web filter IP blocker with Eset's active web filter scanner w/custom blacklisting of malicious SSL web sites. I use EMET also for additional exploit protection and for certificate pinning protection against MITM since I use IE10 and have Eset's SSL protocol scanning turned off.
     
    Last edited: Jun 1, 2015
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, I always see you complaining, which I can understand; after all, we were quite spoiled with all kinds of different HIPS choices on Win XP. But SS is hands down the most comprehensive HIPS for Win 8 64 bit systems, let me know what you think of it.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Google's response to this is encrypt all ads: http://www.cio.com/article/2912094/...rove-security-but-wont-kill-malvertising.html
    As pointed out in this article, this probably will make the malware even harder to detect. It is also probably the primary motivator for some AVs to get more aggressive about SSL protocol scanning, as they're doing in Eset Smart Security ver. 9. I have no problem with SSL protocol scanning on non-financial web sites if the AV vendors provide, at a minimum, the same protection as the major browsers. To date, this has not been the case.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Typo. I meant, HMPA does stop hollow process on x64
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This "hollowing process" looks very much to me like a zombie process. As such, conventional HIPS process rules wouldn't be effective. But again, this has to have registry rules to run.

    -EDIT- Also, this attack should have been stopped by a good AV/AM long before it even got to the stage of final installation. Note that the user needs to manually install the crapware.

    Attack in a Nutshell
    The attack has a lot of variations, but always follows these steps:

    1. You visit a website with the malicious advertisement
    2. You get redirected to a different website that redirects you based on user agent. We observed that Windows and Mac users get redirected to different malware in order to infect both operating systems
    3. The final page starts the download of a malicious file

    Once the victim gets redirected to the final URL, the website automatically starts the download of a unique piece of malware for every user. The file is a bundle of legitimate software, like a media player, and compiles malware and a unique-to-every-user configuration into the downloaded file. The attackers are purely relying on social engineering techniques in order to get the user to install the software package. No drive-by exploits are being used thus far.
     
    Last edited: Jun 2, 2015
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That's weird, I've just checked out the 32 bit and 64 bit versions of HMPA's exploit testing tool, and now I can't find the "hollow process" test in either version. But yes, I'm sure that HMPA will stop it if used in a real attack.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    To clarify, I was purely talking about the "hollow process" (also called zombie process or dynamic forking) part. In the link that I posted, you can clearly see what type of methods are being used, so a HIPS should look for this. I don't believe it's exactly the same as injecting code (DLL injection) into another process. So basically all HIPS should also look for certain types of modifications to child processes.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Maybe you missed my posting here: https://www.wilderssecurity.com/thre...striction-policies.365060/page-2#post-2493432 that a HIPS will not stop a "zombie" process. I assume this also is the case in the dynamic forking variant.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, I indeed missed that post, it's quite informative! And it also confirms my suspicion that most HIPS have totally missed this bypass method. But like I said, it should be quite easy to implement protection against this stuff.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    An interesting point in that article is the statement that dynamic forking will trigger the HIPS. Again, I assume if the dynamic forking was hidden in a zombie process, it will go undetected.
     
  23. I am becoming very scared by the whoooooooooooooo hollow process being a hollow man (strawman) myself. :argh:

    When a HIPS contains some sort of anti-executable, the initial execution of Cryptowall should be stopped, and the suspicious vssadmin and disabling of System Restore also. As an example, a simple LUA/parental control or SRP/UAC would block other steps in the chain of events.

    So it seems to me that YES, most HIPS won't stop the hollow process creation, but that does NOT leave someone using a HIPS unprotected. To spell it out: when one step is undetected in a staged intrusion, that does not imply that other steps will be undetected also (this is also my main criticism against artificial tests and conditioned POCs).

    Sorry guys, nothing personal, my rant reaction was triggered by this FUZZ about FUD. :eek:
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    No arguments on this end to that assessment :thumb:
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I mentioned it because, from a technical point of view, it's quite a smart and simple attack. I don't see how a HIPS would stop the damage; after all, a trusted process like explorer.exe or svchost.exe is used to do all the bad stuff.

    It's more likely that the HIPS would remain silent, because it doesn't know that a trusted system process has been modified. That's because the system process is modified while running as a child process of the malware. But this is all theory, I haven't actually tested any HIPS against this method.
     
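The check Rasheed187 sketches in posts #5 and #25 (a trusted system binary such as explorer.exe or svchost.exe spawned by a non-system parent, possibly in suspended mode so its image can be replaced before it runs), written out as a detection heuristic over process-creation events. This is an added illustration, not code from the thread or from any HIPS named in it; the event records, field names and directory lists are constructed for the example.

```python
"""Heuristic for the 'zombie'/hollow-process pattern discussed in the thread:
a trusted Windows binary started by an untrusted parent, especially with
CREATE_SUSPENDED. All input records below are constructed sample data."""
import ntpath

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit from CreateProcess

# Constructed Sysmon-style process-creation events (paths and flags invented).
EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CreationFlags": 0x0},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CreationFlags": 0x0},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\setup_player.exe",
     "CreationFlags": CREATE_SUSPENDED},
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Users\bob\Downloads\media_bundle.exe",
     "CreationFlags": 0x0},
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CreationFlags": CREATE_SUSPENDED},
]

# Trusted binaries commonly chosen as hollowing hosts, and the directory a
# legitimate parent of such a binary is expected to live under (assumed list).
HOLLOW_TARGETS = {"explorer.exe", "svchost.exe", "dllhost.exe", "taskhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)


def classify(event):
    """Return the reasons this event looks like hollowing (empty = benign).
    Only trusted targets are examined; an untrusted parent or a suspended
    start each adds a reason, so both present is the strongest signal."""
    image = ntpath.basename(event["Image"]).lower()
    parent = event["ParentImage"].lower()
    reasons = []
    if image not in HOLLOW_TARGETS:
        return reasons
    if not parent.startswith(SYSTEM_DIRS):
        reasons.append("system binary spawned by non-system parent")
    if event["CreationFlags"] & CREATE_SUSPENDED:
        reasons.append("started CREATE_SUSPENDED (image may be replaced before it runs)")
    return reasons


def detect(events):
    """Map (image, parent) of every suspicious event to its list of reasons."""
    return {(e["Image"], e["ParentImage"]): classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for key, why in detect(EVENTS).items():
        print(key, "->", "; ".join(why))
```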