do HIPS protect against rootkit installs?

Discussion in 'other anti-malware software' started by superfly, Dec 2, 2005.

Thread Status:
Not open for further replies.
  1. superfly

    superfly Guest

    just wondering if HIPS could prevent a rootkit being installed, possibly by detecting a system change during the installation process?
     
  2. route1

    route1 Guest

    Yes, interesting point - not sure if PrevX qualifies as a HIPS but I'm also wondering if it can potentially prevent a rootkit from installing?
     
  3. whatdoiknow

    whatdoiknow Guest

    A qualified yes, if you are smart enough to respond correctly to the prompt.

    A rootkit doesn't have any godlike powers during installation, it's exactly the same as how a virus, adware or any malware installs. If your HIPS happens to be monitoring the areas or changes that the rootkit tries to change, you will be prompted just like any other kind of malware.

    So for kernel rootkits, they basically need to install a driver/service.

    Essentially if you have anything watching service/driver installs hooking NTloadriver?? (e.g. Processguard), or changes to c:\windows\system32\drivers (e.g. Prevx) or registry entries HKEY_LOCAL_MACHINE\System\*controlset*\Services\* etc. (say regdefend), you basically cover some of it.

    Or you could run without admin rights for the same thing.

    I'm still doing research on what user mode rootkits do and where they typically install. Once I figure that out, I will then see if these changes are monitored by HIPS.
     
  4. Arup

    Arup Guest

    Samurai does prevent rootkit installation to an extent; it observes any hidden or other drivers being loaded by new programs and warns and blocks it till you do likewise.
     
  5. superfly

    superfly Guest

    thanks for the information, whatdoiknow and Arup, much appreciated.

    it's good to know that rootkits are "not stealthy" during installation, so at least they have an achilles heel there.

    whatdoiknow - do you have any indication whether Spybot's TeaTimer utility can monitor any of those changes you mentioned would be involved for a kernel rootkit install?

    also, are there any indications whether Windows 98 SE is more/less/equally vulnerable to rootkits?

    thanks for any thoughts :eek:)
     
  6. superfly

    superfly Guest

    sorry, didn't mean to post an "eek" at the end of my last post - meant to post a smiley!
     
  7. whatdoiknow

    whatdoiknow Guest

    You are welcome, given the FUD about rootkits, I thought that would be more informative than just saying program x can stop rootkit installations.

    Looking at the list of entries monitored by TeaTimer, my guess is probably not. I mean the rootkit would install, then hide the autostart entries from TeaTimer.

    But what do I know?


    Kernel rootkits these days are all(?) for Win2k/XP/NT and wouldn't work on Win98.

    Not sure about other rootkits, but probably same thing.

    But what do I know?
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The thing to understand about Windows 9x is that there is no user mode vs kernel mode. In Win9x any app can do pretty much anything it wants - apps can access hardware directly, write to each other's memory spaces, and just about anything else they want to. It's basically like running everything in kernel mode and throwing away any protected user mode space. This was the reason that, back in the day, you could run games on Win9x but not NT (or 2000, usually). So pretty much any piece of malware could act just like a rootkit on Windows 9x without having to employ any special tricks that rootkits use now. Rootkits are kits that give the attacker root (administrator) access to the machine. In Win9x that's no achievement, because it's all root (administrator).

    Edit: (Administrator is the Windows equivalent to "root" in Linux & Unix, for anyone that missed previous threads.)
     
    Last edited: Dec 4, 2005
  9. Fernando Villegas

    Fernando Villegas Registered Member

    Joined:
    Dec 3, 2005
    Posts:
    55
    Location:
    Santiago de Chile
    Thank you notok for clearing that up. I really think people who don't know anything shouldn't answer.
     
  10. superfly

    superfly Guest

    many thanks again whatdoiknow for the interesting insights, and thanks to notok for the background on Win98.

    Fernando Villegas - I don't think your comment was fair or useful. The information provided by all the previous posters in this thread is clearly useful; just because someone is not an expert in all areas does not mean they cannot provide useful information in some areas. That is what a forum is for: people try and make contributions and others can pick up and provide extra pieces of the jigsaw. NB I happened to read your minimally informative post in another thread; your post was not useful at all, with no rationale, explanation or even background information. Maybe you are so expert you expect your word to be taken as law? I know which posters in this thread I would seek help from; they would be those who offer information and are modest enough to acknowledge their limitations. Safe to say you would not be among them.
     
  11. Iagree2

    Iagree2 Guest


    Yup, I fully agree with those statements. If no one answered our questions unless they thought they were a qualified expert, then we would probably get very, very few answers to our questions at this forum. And often the answers are enough anyway, even if they are not as complete as some would like to see. Or you will get a different perspective on something that will give you new insight into the matter. So thanks to all the posters here who try to help us out; it is appreciated. :)
     
  12. Fernando Villegas

    Fernando Villegas Registered Member

    Joined:
    Dec 3, 2005
    Posts:
    55
    Location:
    Santiago de Chile
    I didn't say only experts should answer. I said if you don't know anything you shouldn't answer. What's the point of pretending to know the answer anyway?

    Which post are you talking about? There is one post where I stated I liked something. I didn't say it was better objectively. What is there to explain?
     
  13. superfly

    superfly Guest

    I suspect you have no real knowledge pertinent to this thread, but you could prove me wrong by posting some useful information, I guess.
     
  14. whatdoiknow

    whatdoiknow Guest

    Superfly, as guests I don't think we should be rude to registered members.

    And your attempt to use reverse psychology to get more information is childish and unnecessary.

    But what do I know?
     
  15. superfly

    superfly Guest

    Reverse psychology? I didn't know I was that sophisticated! (grins) I just wondered if FV could enlighten us mere mortals with some of his rarefied knowledge (winks).

    But seriously - I took exception to FV's dismissive remarks about your contributions. I find all his remarks bizarre and incorrect, and clearly I'm not the only one.

    Anyhow, you're obviously more laid-back about it than I am, so all credit to you. I'm grateful for your excellent help in contributing to this thread, and I'll take your hint to desist (smiles).
     
  16. Termoil

    Termoil Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    9
    Going back on topic :) in answer to whatdoiknow, Prevx1 does have the ability to prevent rootkit installations. As a HIPS product it will monitor various system calls and system file creation, and hook the driver section of the registry to detect the creation of rootkits.

    In addition, the latest release v1.1.0.32 now has a rootkit scanner, although I have seen some posting on some issues with it.
     
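A simplified model of the watch points whatdoiknow (post 3) and Termoil (post 16) describe, as an added example and not code from the thread or from any product named in it: diff two snapshots of the HKLM\SYSTEM\*ControlSet*\Services entries and of the drivers directory, and raise an alert when a new driver-type service or a new driver file appears. The snapshots, service names and paths below are constructed sample data; the Type values 0x1 and 0x2 are the standard SERVICE_KERNEL_DRIVER and SERVICE_FILE_SYSTEM_DRIVER registry values.

```python
# Added example: a toy HIPS-style diff of the registry Services key and the
# drivers directory, the two places the thread says a kernel rootkit must
# touch. Snapshots are constructed dicts/sets, not read from a live host.

SERVICE_KERNEL_DRIVER = 0x1       # registry 'Type' value for a kernel driver
SERVICE_FILE_SYSTEM_DRIVER = 0x2  # 'Type' value for a file-system driver
DRIVER_DIR = r"c:\windows\system32\drivers"


def diff_snapshots(before_svc, after_svc, before_files, after_files):
    """Compare two snapshots and return alert strings for driver changes.

    *_svc: dict of service name -> {'Type': int, 'ImagePath': str}
    *_files: set of file paths as a file monitor would see them on disk
    """
    alerts = []
    for name in sorted(set(after_svc) - set(before_svc)):
        values = after_svc[name]
        if values.get("Type") not in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER):
            continue  # new user-mode service; a real HIPS would prompt here too
        image = values.get("ImagePath", "")
        # a driver whose image lives outside the drivers directory is worth noting
        where = "" if "system32\\drivers" in image.lower() else " (image outside drivers dir)"
        alerts.append(f"new driver service {name}: {image}{where}")
    for path in sorted(after_files - before_files):
        if path.lower().startswith(DRIVER_DIR):
            alerts.append(f"new file in drivers dir: {path}")
    return alerts


def check_sample():
    """Run the diff over constructed snapshots (hypothetical names, not real malware)."""
    before_svc = {
        "Tcpip": {"Type": 0x1, "ImagePath": r"system32\DRIVERS\tcpip.sys"},
        "Spooler": {"Type": 0x10, "ImagePath": r"system32\spoolsv.exe"},
    }
    after_svc = dict(before_svc)
    after_svc["sampledrv"] = {"Type": 0x1, "ImagePath": r"\??\C:\temp\sampledrv.sys"}
    after_svc["samplesvc"] = {"Type": 0x10, "ImagePath": r"C:\temp\samplesvc.exe"}
    before_files = {DRIVER_DIR + r"\tcpip.sys"}
    after_files = before_files | {DRIVER_DIR + r"\sampledrv.sys", r"c:\temp\samplesvc.exe"}
    return diff_snapshots(before_svc, after_svc, before_files, after_files)


if __name__ == "__main__":
    for line in check_sample():
        print(line)
```

The new user-mode service is deliberately left unflagged so the output shows only the two driver-related changes; a product like the ones discussed would prompt on every new service.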