As per title. If yes, please mention what anti-executable or HIPS was bypassed, and under what circumstances.
Anti-executable is easy. We only need to exploit or hijack the whitelisted process. For CHIPS, as long as it's put into quiet/safe mode then it's not really all that useful IMO. Otherwise, a chatty CHIPS should warn you if your trusted programs are being manipulated or changed... plus other notifications.
You know you can do it yourself actually. Just enable the whitelisting features and you will see lots of new trusted processes added without you knowing it. There, bypassed. Now before anyone starts to blast their guns, the OP never said if it's a malicious bypass or not. So I'm safe. IIRC aigle-sensei had tested various HIPS programs in the past, here on WSF. I can't be sure but there were bypasses, although it might not be relevant now due to updates.
Sorry, legit programs being allowed via preconfigured rules does not qualify as a bypass. If a completely unknown program were allowed via a rule intended for a legit one, that would be a bypass. I'm not a great fan of AE/HIPS programs on Windows, but let's at least be fair here. Anyway we all know that you can do nasty stuff in the address space of a compromised process. The question is whether anyone has actually seen it happen, outside of controlled environments such as hacking competitions.
IMHO good (i.e. controlling all threat directions) HIPS can hardly be bypassed without a user interaction. I guess Cruelsister has vast experience here.
Why? If Firefox.exe is whitelisted and I run my malicious commands through it, why does it not qualify as a bypass? No, never seen it in wild. These programs are rarely used, so rarely targeted.
So it's a somewhat arbitrary distinction... Perhaps I should rephrase my question: Have any of you ever seen actual malicious code executed by ITW malware or ITW client-side exploits, without any user interaction, on a Windows system running an AE/HIPS?
For that limited scope, no. Any bypasses I've ever seen are only on tests done by the experts. But I believe it's just a matter of time and popularity until we see it in real-life situations.
Why do people keep asking hard questions to me these last few days? Well, for one, if the anti-exe doesn't protect you from a certain executable, then it's possible to make use of the whitelisted process in order to do its malicious purposes, like DLLs or Macro scripts for example. Some info: hxxp://www.insanitybit.com/2012/06/04/why-i-dont-like-antiexecutables/ P.S. : I'm not sure if I understand everything I've read correctly since I'm not an expert on this one. Pardon if my conclusion is such a big mistake.
It depends if your AE is just an AE or has some extended features. Here's a thread about NVT Exe Radar and DLLs: https://www.wilderssecurity.com/showthread.php?t=350072
I've yet to have one bypassed by Test, POC or live Malware. (purposely trying of course) This is only from my own personal experience.
Here's an example of one bypassed in a test performed by Pedro: https://www.wilderssecurity.com/showthread.php?t=306496&highlight=xyvos
Is that not more of an AV with some whitelisting capabilities (and a poor one at that) than a dedicated HIPS or Anti-Executable?
Yes - HIPS. HIPS systems don't observe every action; if files use such unobserved actions, they can easily be bypassed. Happened in the past and will happen in the future.
May I ask which HIPS you are referring to and under what circumstances in which the bypass took place?
Yes, all of the time, with Faronics Anti-Executable (AE) installed. PDF exploits are a good example. Here is a file, analyzed as "malicious." It was included in an Exploit Pack and the exploit triggered as I went to the booby-trapped web site. This code embedded in the web page calls the PDF plug-in: Then, the code inside the PDF file uses Windows APIs to download a malicious executable file: At this point, even though malicious code has executed, the exploit fails because the malicious executable to be downloaded is not on my computer's Whitelist, and is flagged by AE: ---- rich
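The coverage question that runs through this thread (a plain anti-executable judges only new processes, while DLL and script coverage are extended features, and rich's case where code already running inside a trusted reader still gets its downloaded executable blocked) can be modelled in a few lines. The following is an added example, not code from any poster or from any product named here; the file paths, file contents, trust list and event trace are all constructed placeholders, and the whitelist is a simple content-hash check rather than any vendor's actual mechanism.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in file contents keyed by path (no real binaries are read).
FILES = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe": b"firefox-binary-v1",
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe": b"reader-binary-v1",
    r"C:\Windows\System32\wscript.exe": b"wscript-binary-v1",
    r"C:\Users\rich\AppData\Local\Temp\update.exe": b"dropped-payload",
    r"C:\Users\rich\AppData\Local\Temp\evil.dll": b"dropped-library",
    r"C:\Users\rich\Downloads\invoice.vbs": b"dropped-script",
}

# Hypothetical trust list: the three legitimate programs above.
TRUSTED = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
    r"C:\Windows\System32\wscript.exe",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Event:
    kind: str    # "exec": new process; "dll": library load; "script": interpreter reads a script
    path: str    # file being executed or loaded
    parent: str  # process performing the action


class AntiExecutable:
    """Content-hash whitelist. `covers` lists the event kinds the product inspects:
    a classic AE inspects only "exec"; an extended one also "dll" and "script"."""

    def __init__(self, trusted_paths, covers=("exec",)):
        self.allowed = {sha256_hex(FILES[p]) for p in trusted_paths}
        self.covers = set(covers)

    def decide(self, ev: Event) -> str:
        if ev.kind not in self.covers:
            return "allow (not inspected)"   # the coverage gap: never even looked at
        data = FILES.get(ev.path)
        if data is not None and sha256_hex(data) in self.allowed:
            return "allow"
        return "block"                       # unknown content, regardless of who asked


# Constructed event trace: a whitelisted browser and reader run, then three unknown
# artifacts arrive by way of those whitelisted (trusted) processes.
TRACE = [
    Event("exec", TRUSTED[0], r"C:\Windows\explorer.exe"),                      # browser starts
    Event("exec", TRUSTED[1], TRUSTED[0]),                                      # PDF plug-in launched
    Event("exec", r"C:\Users\rich\AppData\Local\Temp\update.exe", TRUSTED[1]),  # downloaded payload
    Event("dll", r"C:\Users\rich\AppData\Local\Temp\evil.dll", TRUSTED[0]),     # library pulled into browser
    Event("script", r"C:\Users\rich\Downloads\invoice.vbs", TRUSTED[2]),        # script run by trusted host
]


def evaluate(ae: AntiExecutable, trace=TRACE):
    """Return the AE's decision for each event, in trace order."""
    return [ae.decide(ev) for ev in trace]


if __name__ == "__main__":
    for label, covers in (("exe-only AE", ("exec",)),
                          ("extended AE", ("exec", "dll", "script"))):
        ae = AntiExecutable(TRUSTED, covers)
        print(label)
        for ev, verdict in zip(TRACE, evaluate(ae)):
            name = ev.path.rsplit("\\", 1)[-1]
            print(f"  {ev.kind:6} {name:12} -> {verdict}")
```

Under the exe-only policy the third event (the payload the reader tries to launch) is blocked, which is exactly the outcome rich describes, while the DLL and script events pass because they are never inspected; the extended policy blocks all three. Trusting by content hash rather than by path also means a tampered copy of a trusted program no longer matches the list.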