HIPS and Direct Disk Access by MBAM

Discussion in 'other anti-malware software' started by subset, Aug 22, 2008.

Thread Status:
Not open for further replies.
  1. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Hi,

    'Direct Disk Access' is mentioned a few times in Malwarebytes' Anti-Malware change log, like:
    - Direct Disk Access for enumerating folder contents.
    - Direct Disk Access for breaking file headers.
    http://www.malwarebytes.org/forums/index.php?showtopic=3283

    These 'Direct Disk' operations can be recognized immediately after starting a scan with MBAM, but only with some HIPS.

    After testing with XP and Vista and with six different HIPS, only three warned me about 'Direct Disk Access'.

    Comodo Firewall Pro v3
    'Access the disk directly' - first success.

    CPF3.png

    EQSecure v4 beta2
    'Load driver' - the last prompt before MBAM scanned the disk, no prompt about 'Low level disk operation'.

    EQS4b2.png

    Malware Defender v1
    'Load kernel driver' - again the last prompt, no 'Access physical disk' prompt.

    MD1.png

    Online Armor v3 beta
    '... access hard disk directly...' - second success.

    OA3b.png

    Real-time Defender v1
    'open disk for low level operation' - third success.

    RTD1.png
     
  2. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    System Safety Monitor v2.4
    'Driver Loading' - but again no 'Low level disk access' prompt.

    SSM2.4.png

    I have tested MD and SSM with XP and Vista, EQS only with XP, and none of them warned with a prompt about MBAM's 'Direct Disk' operations.
    On the other hand, I could easily reproduce the prompts with CPF, OA or RTD every time a scan with MBAM was started.
    Which HIPS are accurate, which not?
    Or are all somehow accurate?

    Another two things.

    First a question from Kees1958 in Emsisoft forum about Mamutu:
    "Does it also check low level disk access intrusions? I know other behavior based IDS programs do not."
    Answer from Fabian Wosar, Technical Support
    "Yes and no. To do a low level disk access you have to be in kernel mode. By restricting access to kernel mode you are protected from this kind of attack. Once the particular driver is in kernel mode there is no way to reliably detect or block it."
    http://forum.emsisoft.com/Default.aspx?g=posts&t=3401

    Second from Neoava Guard blog, March 2007
    "Hidden files/process detection
    It is something which will be done by root-kits after they load into kernel, although it is possible to detect hidden files/process in some cases but it is not possible to control a kernel-mode driver as it already had the highest possible access to system."
    http://neoava.blogspot.com/2007_03_01_archive.html

    What does this mean related to the prompts from the HIPS above?
    Would it be best to block loading of a kernel driver, like Malware Defender advises?
    Or are CPF, OA or RTD really able to block 'Direct Disk Access' of a kernel mode driver?

    Cheers
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Very good question. The only answer can come from testing these HIPS against malware. I don't remember any malware/PoC/utility that tries to access the disk directly after loading a kernel driver.

    Anyone?
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    I can speak directly to OA and it might be the same for SSM. OA only detects Direct Access write attempts. So if a scan is read only OA will ignore it.

    When I've tested with real malware that does direct access, which by design are writes, both detect it immediately.

    Pete
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, let me make some guesses.

    1- Some software probably relies upon a kernel driver for low level disk access. So you will not get any prompt for Low Level/Direct Disk Access from your HIPS. If you block the driver, low level disk access will be blocked (mostly even the application itself will fail to load when you block driver loading).

    2- Some applications access the disk directly without any kernel driver. Your HIPS here will give you a prompt for Low Level/Direct Disk Access. You can block it here.

    3- Some applications install a driver but still access the disk directly, independent of the driver loading. So your HIPS will prompt you both for driver install/loading and for Low Level/Direct Disk Access. If you allow the driver install but block disk access, the application will fail to access the disk in spite of the driver loading.

    It's just my guess. Only an expert can tell us. I played with various utilities and HIPS to reach these conclusions. I used Systeminfo for Windows, Mobometer, RKU, RootRepeal etc. They try to load drivers, access the disk, etc.

    Now as far as the lack of disk access pop-ups by some HIPS is concerned, there are two possibilities.

    1- Some HIPS will only intercept disk writes but will not intercept disk reads, while others will intercept both.

    2- Some might simply fail to intercept such disk access in some cases.
     
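    Added example (not code from this thread, from MBAM, or from any of the HIPS vendors named above): what user-mode 'direct disk access' of the kind described in aigle's case 2 looks like in C. It opens the raw physical disk through the ordinary file API, read-only, reads sector 0 and parses the MBR partition table; no kernel driver is involved and no write is ever issued. The assumption here is that prompts like 'Access the disk directly' or 'open disk for low level operation' fire on exactly this kind of open of \\.\PhysicalDriveN, and that whether a HIPS prompts on reads too, or only on write attempts as Peter2150 says OA does, comes down to the desired-access flag passed in that open call (GENERIC_READ here). The device names, the parsing routine, the fallback behaviour and the constructed sample sector are part of the example, not from the thread; on a non-Windows system it opens /dev/sda instead, and when the raw open fails (no admin/root) it falls back to the constructed sample so the parser can still be seen working.

```c
/*
 * Added example, not from the thread or any product discussed in it.
 * Reads sector 0 of the physical disk with plain user-mode file I/O
 * (CreateFile on \\.\PhysicalDrive0 on Windows, open(2) on /dev/sda
 * elsewhere) and parses the MBR partition table. Read-only by design:
 * nothing is ever written to the disk. Assumption: this open() is the
 * call HIPS "direct disk access" rules key on, and GENERIC_READ vs.
 * GENERIC_WRITE is what separates a read-only scan from a write attempt.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

#define SECTOR_SIZE 512

struct mbr_part {
    uint8_t  status;     /* 0x80 = bootable flag */
    uint8_t  type;       /* partition type id, e.g. 0x07 NTFS */
    uint32_t lba_start;  /* first sector (little-endian in the MBR) */
    uint32_t sectors;    /* size in sectors */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the four primary MBR entries at offset 446. Returns the number of
 * used entries, or -1 if the 0x55AA boot signature is missing (GPT/blank). */
int mbr_parse(const uint8_t sector[SECTOR_SIZE], struct mbr_part out[4])
{
    if (sector[510] != 0x55 || sector[511] != 0xAA)
        return -1;
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + 446 + 16 * i;
        if (e[4] == 0x00)            /* type 0 = unused slot */
            continue;
        out[n].status    = e[0];
        out[n].type      = e[4];
        out[n].lba_start = le32(e + 8);
        out[n].sectors   = le32(e + 12);
        n++;
    }
    return n;
}

/* Open the raw device read-only and read sector 0. Returns 0 on success,
 * -1 on failure (typically: not running as administrator/root). */
int read_mbr_raw(const char *device, uint8_t sector[SECTOR_SIZE])
{
#ifdef _WIN32
    /* GENERIC_READ only: a HIPS that watches write opens would stay quiet. */
    HANDLE h = CreateFileA(device, GENERIC_READ,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return -1;
    DWORD got = 0;
    BOOL ok = ReadFile(h, sector, SECTOR_SIZE, &got, NULL);
    CloseHandle(h);
    return (ok && got == SECTOR_SIZE) ? 0 : -1;
#else
    int fd = open(device, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, sector, SECTOR_SIZE);
    close(fd);
    return (got == SECTOR_SIZE) ? 0 : -1;
#endif
}

/* Constructed sample sector (not captured from a real disk): one bootable
 * NTFS partition starting at LBA 2048, 204800 sectors long. */
void build_sample_mbr(uint8_t sector[SECTOR_SIZE])
{
    memset(sector, 0, SECTOR_SIZE);
    uint8_t *e = sector + 446;
    uint32_t start = 2048, size = 204800;
    e[0] = 0x80;                     /* bootable */
    e[4] = 0x07;                     /* NTFS */
    for (int i = 0; i < 4; i++) {
        e[8 + i]  = (uint8_t)(start >> (8 * i));
        e[12 + i] = (uint8_t)(size >> (8 * i));
    }
    sector[510] = 0x55;
    sector[511] = 0xAA;
}

int main(int argc, char **argv)
{
#ifdef _WIN32
    const char *dev = argc > 1 ? argv[1] : "\\\\.\\PhysicalDrive0";
#else
    const char *dev = argc > 1 ? argv[1] : "/dev/sda";
#endif
    uint8_t sector[SECTOR_SIZE];
    struct mbr_part parts[4];
    if (read_mbr_raw(dev, sector) != 0) {
        fprintf(stderr, "cannot read %s (needs admin/root); using sample\n", dev);
        build_sample_mbr(sector);
    }
    int n = mbr_parse(sector, parts);
    if (n < 0) {
        puts("no MBR signature (GPT or blank disk?)");
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("part %d: type 0x%02x%s start %u size %u\n", i, parts[i].type,
               parts[i].status == 0x80 ? " (boot)" : "",
               parts[i].lba_start, parts[i].sectors);
    return 0;
}
```

    Run it as administrator with a HIPS active to see which product prompts on the read-only open; changing GENERIC_READ to GENERIC_READ | GENERIC_WRITE in read_mbr_raw (without adding any WriteFile) is enough to test whether a HIPS keys on the requested access rather than on actual writes.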
  6. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Yes, maybe. I've tried to find out more about read/write operations and came across this Raw Disk Sample tool from EldoS Corporation.
    http://www.eldos.com/rawdisk/

    "RawDisk library provides direct access to the disks and partitions of the disks (hard drives, flash disks etc.) for user-mode applications, bypassing limitations of Windows® XP and Vista operating systems." o_O

    "The sample lets you check that the application reads and writes the data to the disk with help of the RawDisk driver."

    RawDiskSample.png

    There is only one problem, no prompt about a read or write operation from CFP, OA or RTD. :argh:

    Testing with malware seems to be easier.

    Cheers
     
  7. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    That's the only alert I get with Mamutu.
     

    Last edited: Aug 23, 2008
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No pop-up, as I think this access is driver-based, just like RKU's hidden file scan.
     