EQsecure is crippled by Avira

Discussion in 'other anti-malware software' started by enthios, Aug 22, 2008.

Thread Status:
Not open for further replies.
  1. enthios

    enthios Registered Member

    Joined:
    Aug 22, 2008
    Posts:
    17
    I am running EQsecure 3.4.1 on WinXP Pro SP2. A quick review of kernel hooks using "Rootkit Hook Analyzer" shows that EQsecure has set 24 kernel hooks.

    After installing Avira free, a check of hooks reveals that EQsecure has only 21 hooks set. The following hooks have been (apparently) disabled by Avira:

    1. NtCreateThread, ZwCreateThread
    2. NtOpenSection, ZwOpenSection
    3. NtWriteVirtualMemory, ZwWriteVirtualMemory

    Avira runs the following as services on startup:
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    If I disable these services, Avira does not disable EQsecure's kernel hooks.
    Starting either avguard.exe or sched.exe immediately disables the above listed hooks (or appears to). Without sched.exe, Avira cannot update.
    Without avguard.exe, there is no real time protection.

    Can anyone suggest a workaround for this issue?
    Is EQsecure really being crippled? How to test?
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    IMO don't worry about it. No issues in my experience. But I am not an expert/programmer. It's just my observation.

    Just forget the hooks you see. They should work fine together.
     
  3. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Did you try disabling the self-protection? (General -> Security -> Protect AntiVir processes from unwanted termination)
     
  4. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi Enthios, Hi Aigle, Hi GG,

    " EQsecure has set 24 kernel hooks ". HORRIFYING !!!

    Horror, horror ...

    EQsecure is crippled by AVARICE !:doubt: :doubt: :doubt: :doubt: :doubt:

    Avaricious EQsecure, bad, bad ...

    I look to my nonpaged memory : 9570 Kb after the restart... And you ? ...

    And without EQsecure ?

    ... and your Windows speed ...:thumbd:

    ( silence ...)... and ... jump of your Windows : " Hey! ... Hey! ... Do not show me this HOOKS anymore ! "

    So that's settled ...

    Salutary.
     
    Last edited: Aug 22, 2008
  5. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Rootkit Hook Analyzer first shows me 26 (5 for SPTD) hooked functions; after enabling real-time protection and rebooting it shows me 24. Unlike the OP I cannot re-enable the hooks, and the affected functions were different (I'm not sure which ones, as RHA crashes every time I attempt to save the log). I'm using Windows XP SP3.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    All security software chooses the hooks it needs for its protection. Except for Easter few will have all hooks covered. Missing a hook inevitably causes the security program to miss an attack vector (event) and it won't pop up.

    This is no problem when the other program intercepts this event, but you have to test whether it works.

    I always use rootkit analysers to assemble a setup with the least amount of overlap (non preferably).
     
  7. enthios

    enthios Registered Member

    Joined:
    Aug 22, 2008
    Posts:
    17
    I find that running an AV scan on my drive C: with either AVG 8 free, Avira Personal Classic free, or a-Squared Free will unhook three of EQSecure 3.4.1's hooks.

    These are:
    NtCreateThread, ZwCreateThread
    NtOpenProcess, ZwOpenProcess
    NtOpenSection, ZwOpenSection
    NtWriteVirtualMemory, ZwWriteVirtualMemory

    These hooks are NOT replaced by hooks to the AV progie. The protection these hooks provided is simply removed, allowing any program, virus, or trojan to inject a dll or code into any running process without detection or blocking by EQsecure. This is a serious vulnerability. EQsecure may be giving many a false sense of security. If EQ's hooks can be so easily removed, without EQ even noticing, then how can EQ protect against today's HIPS-aware, hook-removing Trojans/Malware?

    EQsecure needs more work. Specifically, it needs to monitor, protect, and restore its hooks.

    Not ready for prime time (IMHO).

    --Enthios
     
  8. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Can you confirm your results with another rootkit scanner?
     
  9. enthios

    enthios Registered Member

    Joined:
    Aug 22, 2008
    Posts:
    17
    Not at the moment. I've uninstalled EQ and re-installed SSM. I much prefer EQ, but this thing with the hooks is worrisome. While I was running EQ (past 4 weeks), my firewall was bypassed on two occasions, allowing heavy traffic inbound (looked like a download), with firewall in "Stop All Traffic" state and no program loaded or active. The source URL of the inbound traffic was Google.com, but that could have been spoofed.

    On the other hand, SSM protects its hooks very well, but programs that need to set hooks to operate (like Avira Guard) are denied hooking and thus Guard won't work with SSM installed. At least not yet. Working on it.
    Running SSM 2.4.0 622 beta. No bugs thus far.
     
  10. HIPSter

    HIPSter Registered Member

    Joined:
    Feb 15, 2008
    Posts:
    28
    When I had Safespace & Avira installed, EQSecure's active hooks were reduced to 11.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Don't go on the hooks. I don't think it's so simple to just count the number of hooks.

    Did you verify this practically? Do a scan by AV, confirm that hooks are removed, now run a POC dll injection etc. (like Firehole leaktest) and see if it can actually bypass EQS without any hooks. Only then I can believe that EQS is crippled so easily.
     
  12. enthios

    enthios Registered Member

    Joined:
    Aug 22, 2008
    Posts:
    17
    The number of hooks EQ will install depends on the rules you define (or import), and will vary from one user to another. However, EQ doesn't protect its hooks(!) so just about any other program which sets hooks can usurp EQ's hooks, leaving EQ blind to some threats. The ruleset defines the rules; the hooks detect violations of the rules (and undefined threats).

    -enthios
     
  13. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    With DW, OA and Avira's AV installed, number of EQS hooks in SSDT is 7. EQS doesn't seem to be crippled though. I've had alerts for all protection except 'Create Remote Thread'. Anybody know how I can test this?
     
  14. enthios

    enthios Registered Member

    Joined:
    Aug 22, 2008
    Posts:
    17
    My free time is limited, so I did not go into detail with testing, but if EQ's hooks are so easily undone, then I don't trust it. SSM sets 280 hooks and they are, as of this writing, absolutely unhook-able (version 6.4.2 622 beta). EQ is an elegant solution, and a lot of very intelligent work has gone into it. I hope that we will see a more secure version in the near future.

    --enthios
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    This is the way (classical) HIPS work, catching attack vectors through the internals (SSDT) of your OS. Although all HIPS are subject to malfailure when they can't guard hooks they need to react on certain system events.

    Old freeware version of Kerio FW, which had the HIPS part deactivated, set the NT Load Driver hook as part of its HIPS software over quite a few security programs I played with at the time. I think SSM is a good example of defending its hook setting, but it is not a generally used self-defense mechanism.
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I tried Firehole leaktest. It does NOT bypass EQS.

    If I disabled Program Guard in OA, Firehole was stopped by EQS.
    If I disabled EQS and re-enabled OA, OA stopped Firehole with exactly the same pop-up messages as EQS.

    Aigle Do you know how I can test 'Create remote thread' protection?
     
  17. HIPSter

    HIPSter Registered Member

    Joined:
    Feb 15, 2008
    Posts:
    28
    Can anyone confirm if this issue exists in the EQsecure 4.0 Beta?

    If so, it looks like it's time to look for a replacement.
     
  18. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    The OP stated that before Avira was installed, EQS has 24 hooks.
    After installing Avira, number of hooks is reduced to 21.

    Let's assume that EQS has protected it's hooks in a way that SSM does. Does this mean that Avira has now been crippled by EQS? Nah, I don't believe it.

    With 280 hooks so solidly protected by SSM, there is a good chance that at least one is used by Avira. Does this mean that Avira has been crippled by SSM? None of this makes sense.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... I have seen this pop up a hundred times but can't tell you now as I am using CFP that combines "Create remote thread, modifying memory, etc." alerts into one alert type, i.e. accessing in memory.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    My point is that in my experience when you use more than one security application that hooks the SSDT, you might not see all hooks of all applications in the SSDT table while you still don't lose any protection filters of these security applications, unless there is some other conflict.

    It,s my observation.
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    They were not disabled. SSDT is a table that contains thunk pointers to functions in kernel mode. If two drivers hook into it, you will see only the top one. But it doesn't mean that the second hook is disabled. The top-hook driver will call it by chain.
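    An added example, written by the editor of this page and not code from the thread, from EQSecure or from Avira: a user-mode C model of a service table with two drivers hooking the same entry. It shows the point made in the post above (a hook scanner attributes the entry to whichever driver wrote it last, while the hook underneath still runs because the top hook calls the saved pointer), and contrasts it with the failure mode enthios worried about earlier in the thread, a driver that writes the original kernel address back and thereby silently discards every hook in between. The table, the driver names, the pids and the "block cross-process writes" policy are all invented for illustration; nothing here touches real Windows internals.

```c
/* Editor's added example: a mock SSDT with chained hooks vs. a hook that
 * restores the original pointer. All names and the policy are invented. */
#include <stdio.h>
#include <string.h>

/* Mock system service: "caller writes into target's memory". 0 = allowed. */
typedef int (*service_fn)(int caller_pid, int target_pid, const char *what);

#define SVC_WRITE_VM 0            /* stands in for NtWriteVirtualMemory */
#define SVC_COUNT    1

static service_fn ssdt[SVC_COUNT];      /* the mock service table */
static service_fn original[SVC_COUNT];  /* the kernel's own addresses */

static int sys_write_vm(int caller, int target, const char *what) {
    (void)caller; (void)target; (void)what;   /* the real implementation */
    return 0;
}

/* "HIPS" driver: denies cross-process writes, passes everything else down. */
static service_fn hips_next;              /* whatever was in the table before */
static int hips_blocked;

static int hips_write_vm(int caller, int target, const char *what) {
    if (caller != target) { hips_blocked++; return -1; }
    return hips_next(caller, target, what);
}

/* "AV" driver that hooks correctly: logs, then chains to the saved pointer. */
static service_fn av_next;
static int av_seen;

static int av_write_vm(int caller, int target, const char *what) {
    av_seen++;
    return av_next(caller, target, what);
}

/* Well-behaved install: save the current entry (possibly another driver's
 * hook) and replace it. The saved pointer is what makes chaining work. */
static void hook(int idx, service_fn fn, service_fn *save) {
    *save = ssdt[idx];
    ssdt[idx] = fn;
}

/* Badly behaved "unhook": write the original kernel address back, which
 * drops every hook installed after the table was first read. */
static void restore_original(int idx) {
    ssdt[idx] = original[idx];
}

/* What a scanner in the style of Rootkit Hook Analyzer reports: the owner
 * of the address currently in the table. Only the top-most hook is visible. */
static const char *visible_owner(int idx) {
    if (ssdt[idx] == hips_write_vm) return "HIPS";
    if (ssdt[idx] == av_write_vm)   return "AV";
    if (ssdt[idx] == original[idx]) return "kernel";
    return "unknown";
}

struct outcome {
    int cross_rc;         /* result of pid 100 writing into pid 200 */
    int self_rc;          /* result of pid 100 writing into itself */
    const char *visible;  /* owner a hook scanner would show */
    int hips_blocked;
    int av_seen;
};

static void reset_table(void) {
    original[SVC_WRITE_VM] = ssdt[SVC_WRITE_VM] = sys_write_vm;
    hips_blocked = av_seen = 0;
}

static struct outcome exercise(void) {
    struct outcome o;
    o.cross_rc = ssdt[SVC_WRITE_VM](100, 200, "shellcode");   /* injector */
    o.self_rc  = ssdt[SVC_WRITE_VM](100, 100, "self-patch");  /* benign */
    o.visible  = visible_owner(SVC_WRITE_VM);
    o.hips_blocked = hips_blocked;
    o.av_seen = av_seen;
    return o;
}

/* HIPS hooks first, AV hooks on top and chains: scanner shows only "AV",
 * yet the HIPS verdict still applies. */
struct outcome run_chained(void) {
    reset_table();
    hook(SVC_WRITE_VM, hips_write_vm, &hips_next);
    hook(SVC_WRITE_VM, av_write_vm, &av_next);
    return exercise();
}

/* HIPS hooks, then another driver restores the original address: the table
 * looks clean and the injection goes through unblocked. */
struct outcome run_unhooked(void) {
    reset_table();
    hook(SVC_WRITE_VM, hips_write_vm, &hips_next);
    restore_original(SVC_WRITE_VM);
    return exercise();
}

int main(void) {
    struct outcome c = run_chained(), u = run_unhooked();
    printf("chained : visible=%s cross=%d self=%d blocked=%d av_seen=%d\n",
           c.visible, c.cross_rc, c.self_rc, c.hips_blocked, c.av_seen);
    printf("unhooked: visible=%s cross=%d self=%d blocked=%d av_seen=%d\n",
           u.visible, u.cross_rc, u.self_rc, u.hips_blocked, u.av_seen);
    return 0;
}
```

    The practical check this models is the one aigle and hammerman arrive at later in the thread: a hook count from a scanner tells you who owns the table entry, not whether the drivers beneath are still being called, so the only reliable test is to perform the guarded action (a remote-thread or DLL-injection leaktest) and see whether the HIPS still alerts.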
     
  23. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks Ilya. That explains why EQS is not apparently crippled even though I have OA, DW and AV installed and only 7 EQS hooks 'visible' in the SSDT table.
     
  24. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks Aigle. I used DLL Injection 2 test in Comodo Leak Tests program. This confirmed that EQS is protected against 'Create remote thread'. EQS messages exactly same as OA. ALL EQS protection measures are functioning correctly despite there being only 7 SSDT hooks visible.
     
  25. HIPSter

    HIPSter Registered Member

    Joined:
    Feb 15, 2008
    Posts:
    28
    So, EQsecure's security was never compromised by Avira? Just a false alarm?
     
Thread Status:
Not open for further replies.