HIPS and Behavior Monitoring

Discussion in 'other anti-malware software' started by Rasheed187, Jan 13, 2008.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Hi,

    We´ve been talking about the ultimate HIPS and stuff, but I just wonder about which behaviors they all should be monitoring. We all know that if it´s only missing one thing (programming errors aside) you can already get infected. Most HIPS nowadays are monitoring stuff that is used by malware in real life, but now and then they seem to completely miss some things. So let´s make a list of areas/behaviors HIPS should be monitoring.

     
    Last edited: Jan 15, 2008
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    So, have I covered just about everything? Feel free to come up with more areas and to comment about this subject. Keep in mind that it´s not only about classical HIPS who can guard these areas, sandboxes will automaticly protect/restrict certain vulnerable apps against most, if not all, of this, of course without asking any questions.
     
  3. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I think, HIPS fail in one regard,
    Specifically where it concerns web browsers and server cross scripting as they are not monitoring web browser based injections. I believe most do pickup executables at the activation point however if not activated by commands invoked by the browser. That is why in the case of Firefox an Adon such as NoScript is necessary.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I´m a bit surprised about the lack of comments, I would like to see the developers of the various HIPS to comment, I wonder, does your HIPS protect against this stuff, have I missed something, are their perhaps any new attack vectors?

    Perhaps also an idea to make a list of the most important registry keys, I´ve seen quite a few lists but I still don´t know what are the most essential ones.

    Of course the Windows system files should be protected against modification. And what about NTFS permissions? According to Solcroft they can be used to lock a user out of his/her system.

    I´ve noticed that both TF and NG fail to protect against this, so perhaps an idea to virtualize these actions, like SBIE does. Also, can HIPS protect against other types of (none destructive) file infectors?

    Let´s say you´re infected with a rootkit, is killing invisible processes enough to prevent the rootkit from doing any damage (stealing data etc.)?

    Well, the question is if HIPS should monitor this, perhaps an idea to add this feature in the future, but perhaps it´s better if protection is build into the browser itself?
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Trojan.Srizbi runs completely in kernel mode (no user mode payload/injection) so it doesn't have a process.
     
  6. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Yes indeed.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Very interesting! So this rootkit can do whatever the hell it wants without a process? You know what I was thinking, I wonder if HIPS will ever be able to stop already installed malware, so basically the HIPS must be some kind of "see it all" super rootkit, that can still spot malicious behavior from other stealthy malware. :D

    Care to explain this LUSHER, what do you mean?
     
  8. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    this one should be included?

    Anti directly I/O port access: With directly I/O, one APP can read/write the disk in sector or send data to internet via netcard.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Can you give a bit more details, and are there any HIPS which are already monitoring this? I do recall seeing something like this in VirusKeeper, but never really understood it. Also, NG offers protection against "remote shell execution", is this different from cmd.exe?
     
    Last edited: Jan 26, 2008
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, the kernel driver does all the work, even spamming. Most rootkits only use the kernel driver to hide their files/processes/services/registry keys, but the "real work" (spamming, DDoSing, displaying ads, etc) is done at the user level injecting code into a system process.
    Impressive stuff indeed.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    He (probably) means low-level disk access (talking to disk.sys or even lower level stuff) and talking directly to the NIC driver (bypassing NDIS).
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    To answer my own question:

    But if cmd.exe can´t execute, a remote shell can´t be launched I assume.

    This one isn´t on my list, can someone give a bit more info about it? Is this related to process memory modification?

    I was looking at some old tests from nicM, and this caught my attention, DSA was still able to spot certain behavior after its kernel hooks were wiped, I wonder if other HIPS can do this too?
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    LUSHER, I´m still waiting for your answer? Did I miss something? And where are the HIPS developers at? Can someone perhaps answer my questions? What other areas need to be guarded? :doubt:

    Interesting qoute from Peter2150 (at the PS forum), can you give a bit more info perhaps? I guess it´s too noisy?
     
  14. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Yes, All the time... All the time Rasheed... :D

    As it occured to you that maybe your questions show you don't understand a thing, and hence anyone who knows anything isn't borthering to answer because it would be a waste of time?

    Don't feel bad, I don't know enough to phrase a proper question either.
     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    LUSHER, you are advized to either provide some useful answers or refrain from answering/posting like quoted above. Such contributions are useless.

    Apart from that, withold from comment(s) going ever further: putting a member with solid questions at hand down. That's not the way it works over here - period. In the meanwhile, some sortalike irrelevant posts have been removed.

    regards,

    paul
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    another post removed and suggest that if this thread is to continue, it does so by discussing HIPS and Behavior Monitoring only. It's not open for comment concerning post removals, whether in jest or seriousness.

    Thanks,
    Bubba
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Rasheed187,

    Post removed. You as well are advized to stay on topic and refrain from personal remarks.

    regards,

    paul
     
  18. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Meanwhile, back at the ranch...

    A) For a good comparison of behaviorists/HIPS check it out HITHER & THITHER.

    B) As to non-replies by HIPS proponents: most of the stand-alone HIPS are 1-man operations -- e.g. SysSafetyMonitor (Vitali), Prosecurity (Jie) -- so they rarely have time to visit Wilders.

    C) Threatfire mainly replies to posts on their support forum although they do visit Wilders from time to time.

    D) Winpooch, Neoava, Coreforce, & 3 or 4 other HIPS are "abandonware" at the moment, mainly because their proponents are busy with other affairs & have zero time for their respective HIPS program.

    E) Comodo's HIPs is quite good, but also is mainly responsive to posts on their own forum. Those who DO comment here at Wilders are mainly to be found in the Firewall forum because Comodo3 is mainly regarded as a firewall with a HIPS glued onto it.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Although it was a very rough decision for me to change, in EQS i saw a chance to make a break from System Safety Monitor which is been iron-clad and reliable as ever.

    But the HIPS EQSecurity seems to offer me more options to set rules on nearly everything they,ve compiled it to cover, including file and extension coverage. Malware is been notorious in changing extensions to their own designated programs to run and EQS affords the user to keep watch for such a change and block it entirely.

    Even to this day, i still not completely addressed every potential entry point they could manipulate. The freeware app RegTick is a good starter to hunt down the resgistry entries that all malware needs to do is change a 0 to 1 to disable many common settings. I wish MS had not offered in XP the option to disable so many settings, so a HIPS is the only way to monitor all these registry entries as well as file extensions.

    Behavior Monitoring & HIPS are closely related in some ways and yet distant in others. The whitelists of HIPS are fantastic and even the suspending mechanisms Behavioral Monitors & HIPS rely on are the best innovations i have ever seen for any behavioral app. I suppose they took a page from the AV's book on that, but it sure is nice to have an unknown and potential malware file stopped dead in it's track for a user to research first then just simply notifying as well as allowing it to continue.
     
Loading...
Thread Status:
Not open for further replies.