Get Straight to the Facts!

Discussion in 'other anti-malware software' started by EASTER, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    A lot has been made over our newest introduction to computer security known as HIPS, classical if you will. But very little is ever discussed as to EXACTLY why they are very effective in spite of some necessary user interactions just to get them fine tuned enough where many have left AV's for this type of protection.

    From my standpoint, HIPS is a highly specialized field on the same order as anti virus software, with the exception that from real world results, HIPS, properly configured, often do surpass protections we have been known to trust in with anti virus apps for the security that's paramount to keeping intruders at bay and in check from wreaking total havoc on Windows systems.

    I feel it's high time now that we don't just draw comparisons between them but rather concentrate solely on exactly how & why HIPS, in many ways, better conventional anti virus programs in warding off potential disruptions to our productive favored investment, the PC.

    This leads us into the depths of the Windows operating system files and undocumented areas of interest which many if not all AV's lack in keeping these types of risks from interrupting the very internet service that we pay a common fee for, but can experience lost time, effort, and of course be denied the very service we finance for internet access or even functional operation of the machine that we expect to be available for us.

    I would dearly like to read into this seriously so as to draw out the absolute FACTS which make a quality HIPS security program such a useful complement and in some cases, reliable replacement for anti virus apps.

    A lot is made about ring0 & the low level driver actions which are designed to take up residence in what's called the SSDT table. From what I gather, HIPS distributes its .sys drivers into areas of this $M internal base of operation which, together with all the other supporting instructional positions, set itself in place of Windows' own default code.

    The question is, just how much mapping of these areas is of importance with HIPS in order for them to not only identify but more importantly, intercept AND then effectively abort any hostile takeover by some rootkit malware which by design is made to target this table of system instructional code?

    Once a RK displaces or joins so to speak windows own default code at this level a system can be said to have become compromised.

    And since this deals mostly with drivers, exactly what & where is the window of opportunity most available for them (malware) that makes them such a threat to the overall normal functioning of a windows system?

    Just exactly how many points of normal instructional code in this table are afforded for them to replace the default file with its own? Whatever intention that may be?

    I think these are very crucial questions that demand absolute answers if we, the end user, are to get a better understanding of how much space is sitting ready for them to occupy and overtake the control they are designed to replace?

    We all welcome concrete answers to this concerning chiefly XP, Vista not included of course for obvious reasons.

    Just how many so-called potential "hooks" can be of an immediate threat to our windows XP machine?

    Is this one area of concern simply some freak blunder overlooked or even ignored by Microsoft in order to expand discovery by coders talented enough to solve this challenge with their own solution to satisfy or fail some preconceived quiz?

    That's a subject area for another topic for open discussion.

    System Safety Monitor, by virtue of their first solid introduction into addressing SSDT table compromise by implementation of their own "hooks", on the surface and in reality, replaced MANY of these positions with their own system drivers by concept to detect and alert to possible displacements where otherwise malware might easily take up those same positions, which would overtake by force/stealth important instructional commands the SSDT table appears to support.

    I've noticed in both Online Armor & EQSecure that their drivers by contrast position much less than SSM. Is this by design, that they only occupy a fraction of this SSDT table in comparison to SSM, and does it make a difference? Do some HIPS (hooks) that only displace fewer positions than SSM does do so to protect only the most targeted instructions and feel the others are really of no risk or threat?

    I really want to bring this rarely understood aspect of HIPS functions to the forefront in an effort for HIPS users to fully understand just what is the real truth of whether this is important or not.

    Thanks and I eagerly & with concern look forward to realizing the absolute truth as concerns these methods employed by the HIPS many of us take a great deal of confidence in. Is more coverage actually better for all of us or are there in reality particular positions which are all that's required that our HIPS have the handle and upper hand on this protection technique?

    THANK YOU
     
    Last edited: Jan 6, 2008
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Easter!

    The problem in discussing HIPS [host-based intrusion prevention system] is that the term means/includes different approaches among the various products.

    In the strict sense of this acronym, it is a Prevention System; however, it tends to be emphasized as a Detection System.

    In this sense, people are expecting more and more from these products in the field of detection, which leads to the dilemma in which you find yourself regarding rather sophisticated considerations:

    I can think of three people right off hand who, after reading that, would respond, "Huh?"

    Yet combining more than 40 years' experience in different areas of computing, without the use of a HIPS product, they have never encountered an infection.

    So while these products are impressive in what they purport to do, and discussions are certainly interesting, I think for a lot of people, it's outside of the realm of what they consider to be necessary for good preventative security measures.

    Someone wrote, "If it can't execute, it can't infect."

    Notwithstanding, I hope you get the answers you are searching for!

    Meanwhile, I notice in your signature that you have "Total Lockdown" and "Full Control." So maybe there is nothing left for you to do!

    regards,


    ----
    rich
     
  3. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    HIPS better than conventional AV - I can live with a yes here.
    But HIPS necessary? Not so sure. Wouldn't it perhaps be better to start with questioning whether HIPS are really necessary? The fact that a HIPS program can stop X does not mean that the program is needed if either the user is not attacked by X or is able to protect in other ways - some quite basic, like not opening attachments ..... etc.
     
  4. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Only three? :p

    Let me translate: Easter always writes in very grandiose terms, I wonder who he is trying to impress....

    What Easter is asking is this:

    "Does HIPS have to hook so many SSDT functions?"
    "Does hooking more mean it's safer?"

    In other words, can we judge how good a HIPS is by the number of SSDT hooks it has? The answer is no, of course.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't think Easter is trying to impress -- he is one of the more inquisitive and resourceful posters, and always questions and asks for facts/tests to back up claims. I've certainly become more informed from his posts.

    As I said, I hope answers to what he is asking are forthcoming, technical as they are!


    ----
    rich
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    It's always my intention to try and soften up the grid so-to-speak before then releasing the core question "in very grandiose terms" ;) I do appreciate the compliment but if impressions seem what I'm after along the way, they're only to enforce my own confidence that such techniques are more useful as opposed to just the conventional or common types most offered. Oh, and if others also find themselves equally gratified with the same enthusiasm, why not share the joy, right?

    LUSHER is on target though, I am eagerly curious over the technique of "hooking" by HIPS, but I don't seem to find much hard discussion in this area of them, and that is why I keep hammering about it.

    The second question however should be "Does MORE hooking mean MORE coverage?" If not, it demands some real answers/explanations why HIPS like SSM, for one example, fill up many more of those positions in the SSDT table whereas OnlineArmor/EQS/ and you can name others alike, selectively set up in fewer choice sections.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, and when EP_XOFF explicitly mentions/thanks you, "EASTER (for the outstanding support, we will not forget)", his language usage only flavors his personality (his earlier avatars looked like magicians who came straight out of a Tolkien fairy-tale).
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Let's try to stay on topic although the humour is healthy medicine for the season.

    Anyone have any opinions on just how effective flooding the SSDT table with hooking is as opposed to strategic pickings?

    Curious interest, serious responses welcome.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter,

    My 2 cents' worth of thought.

    First Eurocent
    With Vista coming up and PatchGuard protection making it hard to place hooks, security vendors have to think of other ways to provide protection.

    Second Eurocent
    The original idea of attack vector control is to control all vectors. So more hooks would be better in theory. Focusing on a single attack vector with a simple 'stop-pass' policy per vector reduces complexity. Also offering this warning to the user would be a precaution to stop currently unknown threats (simply because no malware uses this violation yet).

    This approach (covering all hooks) also enables the controlling program to build up an intrusion event (sort of criminal) record. NeoavaGuard has a feature to quarantine programs when they have passed a certain threat level (accumulated intrusion track record). This is a way of dealing with complex staged threat elevation.

    So yes, SSM would be better WHEN they would have implemented the same max threat level quarantine feature as NG. Without it SSM will not be any better or worse than programs using strategically selected hooks (simply because we do not know of any malware using this intrusion at the moment).
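    The two policies Kees1958 contrasts in the post above (a per-vector 'stop-pass' rule versus an accumulated intrusion record with a quarantine threshold) can be modelled in a few lines. The following is an added example, not code from SSM, NeoavaGuard or any other product named in this thread; the vector names, severity weights, threshold and the event stream are all constructed for illustration and do not correspond to any product's real hook list.

```python
"""Toy model of two HIPS decision policies (constructed example).

Policy A: per-vector stop/pass, each event judged on its own.
Policy B: per-process accumulated threat record with a quarantine
          threshold, so a staged sequence of individually tolerable
          actions still gets stopped.
"""
from dataclasses import dataclass, field

# Constructed severity weight per monitored vector (illustrative labels,
# not an actual SSDT hook list). A vector absent from this table is one
# the hypothetical HIPS has no hook on: it simply never sees the event.
VECTOR_WEIGHT = {
    "process_create": 1,
    "registry_autorun_write": 3,
    "remote_thread": 4,
    "driver_load": 5,
    "ssdt_modify": 8,
}

# Per-vector stop/pass policy: vectors blocked outright, everything else passes.
BLOCK_OUTRIGHT = {"ssdt_modify"}

QUARANTINE_THRESHOLD = 10  # constructed value


@dataclass
class Verdict:
    """Outcome of running a policy over an event stream."""
    blocked: list = field(default_factory=list)      # (process, vector) pairs stopped
    quarantined: list = field(default_factory=list)  # processes quarantined, in order
    score: dict = field(default_factory=dict)        # accumulated record per process


def stop_pass_only(events):
    """Policy A: judge each event alone; nothing is remembered between events."""
    v = Verdict()
    for proc, vector in events:
        if vector in VECTOR_WEIGHT and vector in BLOCK_OUTRIGHT:
            v.blocked.append((proc, vector))
    return v


def accumulate_and_quarantine(events, threshold=QUARANTINE_THRESHOLD):
    """Policy B: same stop/pass rule, plus a per-process intrusion record.

    Once a process's accumulated score reaches the threshold it is
    quarantined and every later event from it is stopped.
    """
    v = Verdict()
    for proc, vector in events:
        if proc in v.quarantined:
            v.blocked.append((proc, vector))
            continue
        weight = VECTOR_WEIGHT.get(vector)
        if weight is None:
            continue  # unhooked vector: invisible to this HIPS
        if vector in BLOCK_OUTRIGHT:
            v.blocked.append((proc, vector))
        # The event goes on the record whether or not it was blocked.
        v.score[proc] = v.score.get(proc, 0) + weight
        if v.score[proc] >= threshold and proc not in v.quarantined:
            v.quarantined.append(proc)
    return v


# Constructed event stream. 'dropper.exe' performs a staged sequence in
# which no single step trips the stop/pass rule until the very end;
# 'stealth.exe' makes one blocked attempt and nothing else.
SAMPLE_EVENTS = [
    ("installer.exe", "process_create"),
    ("installer.exe", "registry_autorun_write"),
    ("dropper.exe", "process_create"),
    ("dropper.exe", "registry_autorun_write"),
    ("dropper.exe", "remote_thread"),
    ("dropper.exe", "driver_load"),   # record reaches 13 >= 10 here
    ("dropper.exe", "ssdt_modify"),   # stopped either way
    ("stealth.exe", "ssdt_modify"),   # blocked, but record (8) stays under threshold
]


def first_stopped_step(policy_verdict, proc):
    """Index in SAMPLE_EVENTS of the first event of `proc` that was stopped, or None."""
    for i, ev in enumerate(SAMPLE_EVENTS):
        if ev[0] == proc and ev in policy_verdict.blocked:
            return i
    return None


if __name__ == "__main__":
    a = stop_pass_only(SAMPLE_EVENTS)
    b = accumulate_and_quarantine(SAMPLE_EVENTS)
    print("stop/pass only  - first dropper step stopped:", first_stopped_step(a, "dropper.exe"))
    print("with quarantine - first dropper step stopped:", first_stopped_step(b, "dropper.exe"))
    print("quarantined:", b.quarantined, "records:", b.score)
```

    Under the stop/pass rule alone the dropper's driver load (index 5) passes and only the SSDT modification (index 6) is stopped; with the accumulated record the process is quarantined at the driver load, so the later SSDT attempt is refused as a consequence of its history rather than judged on its own. The installer, whose record stays at 4, is untouched by either policy, which is the point of keeping the threshold above what ordinary setup activity accumulates.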
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Just an example of what I'm trying to point out as per HIPS hookings. In this example, EQS 3.41.

    The remaining gaps are many, SSM fills those gaps where other HIPS refuse. And this is just a partial list, perhaps 1/3rd the SSDT Table as reviewed by RKU.

    [Attachment: 1.jpg]
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I won't harp on this too much since it doesn't seem to draw much of an audience but I still think it might be both interesting and helpful if any members or experts would care to elaborate in some detail on this type of hooking on this particular table and offer their comments on WHY in-depth discussion about it seems so elusive. After all, don't all HIPS focus directly on this Table as their underlying means to the end for intercepting malware/rootkit intrusions from chiefly this type of method?
     