HIPS and run dll

Discussion in 'other anti-malware software' started by david banner, Dec 13, 2007.

Thread Status:
Not open for further replies.
  1. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    I hope this is in the right place. I have Spyware Terminator and understand it is a full HIPS. But can anyone tell me if it will block the 'run a dll as an app' as PG did? Thus PG can be annoying as it blocks the properties of my computer, but I understand this is good because malware can use shared dll files to execute. Also, does it work at kernel level? I do not understand HIPS or kernel fully.

    EDIT: I have now seen a suggestion that ST is spyware itself.
     
    Last edited: Dec 13, 2007
  2. Tokar

    Tokar Registered Member

    Joined:
    Jul 22, 2005
    Posts:
    81
    ST is spyware? How?

    ST HIPS will alert on EXE, DLL, COM, BAT, SCR, COM, and some other extensions that I can't recall right now.
     
  3. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    It was considered spyware on Spyware Warrior for a while, but that has now changed.
    But it does not seem to alert on run dll as app. Is that important? I think dlls are shared files. Could malware use one to run?
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Please understand what "run dll as app" is, and how ST's HIPS work.

    ST scans your computer and whitelists every non-blacklisted file. It won't alert you when you run any of those files, and that includes rundll32.exe. There's no point in blocking rundll32.exe itself - it's a safe program and part of Windows. What you DO want to monitor are the helper dlls it loads, some of which can possibly be malware. And ST will do that just fine.
     
  5. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    PG used to, didn't it, and was annoying.
    But I think that was why PG blocked it, so that the user could decide. How then to monitor what helper dll rundll.exe loads? Are you saying ST 'knows' which helper dll to block?
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I can't answer your question as to whether ST can be used to block execution of rundll32.exe, though if it runs a white list it probably does not. However, you are quite right to suggest that rundll32.exe should be blocked from running without permission, since it could be exploited to run malware .dll files. Most HIPS progs such as PG, PS and SSM will enable you to block it for that very reason.

    The same logic applies to any other legitimate progs that can be used to run other progs. If they are exploited, a malware file may be run as a consequence, hence the desirability of execution control. Such progs include: ntvdm.exe, cmd.exe, regsvr32.exe, javaw.exe, net1.exe, net.exe, wscript.exe, cscript.exe and others.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    ST blocks dlls the same way it blocks exes. Any dll not found and whitelisted when it first scans your computer will result in a prompt when a helper prog, such as rundll32.exe, tries to load it. Rundll32.exe itself is safe; realize that what helper dll rundll32.exe tries to load is all that matters. For programs that directly flag rundll32.exe itself, you will most likely want to check the command parameters anyway (which show you which dll rundll32.exe is trying to load) to find out what's going on.

    Correct, but not particularly relevant. Since ST's HIPS is mostly based on simple execution control, it should be used to block suspicious processes from running in the first place. Whether the malware will proceed to exploit any of the helper programs you mentioned is therefore of no consequence. I believe ST monitors a wide variety of data files as well, which is a preferable solution to monitoring the helper program itself (which is harmless, and will likely result in many FPs if so watched).
     
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    So you do not consider it relevant that a scripted exploit, embedded in a website, can cause Rundll32.exe to launch a malware .dll?

    You appear to be confusing the loading or injecting of .dlls into apps with the spawning of legitimate progs by, for example, an exploited IE, which can then be used to run malware.
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    No, I do not, for reasons stated above.

    I don't think so.
     
  10. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    Would I be better with PG then? I quite like ST though
     
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi,

    In order to control rundll32.exe, you would need command-line sensitive application control. I allow rundll32.exe to run, but only under certain command-line conditions. Here are some sample rules created by ProSecurity...

    Nick
     

  12. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    I do not understand command-line sensitive app control. Is that only in PS?
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Command-line sensitive app control, for example, would notice the difference between...

    "RunDll32.exe shell32.dll,Control_RunDLL access.cpl,,3"

    and

    "RunDll32.exe mmhid.dll,StartMmHid"

    ProcessGuard does not "see" anything beyond rundll32.exe. Using PG, of course, you can block rundll32 from executing. However, that will break, among other things, most of your Control Panel applets. You could set PG to alert you every time rundll32 executes, but then you will have to decide whether or not rundll32 is doing something desirable. PG cannot make exceptions for the many known uses of rundll32.

    Since ProSecurity "sees" the entire command line following rundll32, it can make exceptions (rules) for known versus unknown uses. I believe there are other HIPS that can do this as well.

    Nick
     
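    One way to implement the command-line sensitive matching Nick describes, as an added example that is not part of the original thread or of ProSecurity, ProcessGuard or any other product named here (ProSecurity's own rule syntax is not shown). The allow-list, the user-writable-directory check and the sample paths are constructed assumptions; the rule shown mirrors the Control Panel use quoted above, so the two command lines in the post are classified differently.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RunDllCall:
    module: str  # DLL as written on the command line (bare name or path)
    entry: str   # exported function name (or "#<ordinal>")
    args: str    # everything rundll32 passes on to that entry point

# Leading program token: rundll32.exe, optionally quoted and/or with a path.
_PROG = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?(?:\s+|$)', re.IGNORECASE)
# <module>,<entry> [args]; <module> may be a quoted path containing spaces.
_CALL = re.compile(r'^(?:"([^"]+)"|([^\s,"]+)),(\S+)\s*(.*)$')
# Directories an unprivileged user (or a drive-by download) can write to (assumed list).
_USER_WRITABLE = re.compile(r'\\(temp|tmp|appdata|downloads|users\\public)\\', re.IGNORECASE)

# Constructed allow-list: each rule is (module, entry, args) regexes that must all
# match. Only the Control Panel use quoted in the thread is allowed here; a real
# policy would grow as further known-good uses are confirmed.
ALLOW_RULES = [
    (r'shell32\.dll', r'Control_RunDLL', r'[\w.-]+\.cpl(,,\d+)?'),
]

def is_rundll32(cmdline: str) -> bool:
    return _PROG.match(cmdline) is not None

def parse_rundll32(cmdline: str) -> Optional[RunDllCall]:
    """Split a rundll32 command line; None if it is not rundll32 or is malformed."""
    m = _PROG.match(cmdline)
    c = _CALL.match(cmdline[m.end():]) if m else None
    if not c:
        return None
    return RunDllCall(c.group(1) or c.group(2), c.group(3), c.group(4).strip())

def classify(cmdline: str, rules=ALLOW_RULES) -> str:
    """'ignore' for non-rundll32 lines, 'allow' on a rule hit, otherwise 'prompt'."""
    if not is_rundll32(cmdline):
        return "ignore"
    call = parse_rundll32(cmdline)
    if call is None or _USER_WRITABLE.search(call.module):
        return "prompt"  # unparseable, or module loaded from a user-writable directory
    for mod_re, entry_re, args_re in rules:
        if all(re.fullmatch(p, v, re.IGNORECASE)
               for p, v in ((mod_re, call.module), (entry_re, call.entry), (args_re, call.args))):
            return "allow"
    return "prompt"
```

    A module path under a user-writable directory is never auto-allowed even if a rule would otherwise match it, and a rundll32 line without a `module,entry` pair is surfaced rather than silently ignored.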
  14. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    This is only in the paid version. Is there a free HIPS that can do it?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Seems like a nice feature in PS. I have also blocked Rundll32.exe from running automatically when SSM is in "silent mode", because I supposed it might prevent malware from loading.
    Yes, I would like to see "parent-child process control" become smarter; instead of blocking every child process, HIPS should only alert about processes that might be used in attacks.
     
    Last edited: Dec 16, 2007
  16. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    I personally don't trust all this intelligence/smartness nonsense. Give me full control! :D
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    www.threatfire.com :D
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Correction, I would like to see dumb HIPS get smarter when it comes to process execution, but they still need to act dumb when it comes to everything else. So TF is no solution. :D

    Exactly! Btw, Mr LUSHER, can you perhaps clean your mailbox and perhaps also tell me why you're so impressed with TF (in the TF thread of course)? :)
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Why not just specifically configure process execution control for those few programs, then?

    The whole point of a "dumb" HIPS is that the user controls not only how to respond, but what to prompt on.
     
  20. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    I thought I already did, Mr Rasheed. See PM.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    I don't think this is possible with SSM. And I already explained in another thread that I would like to see HIPS get smarter, but not by adding some kind of algorithm; instead HIPS should be fine-tuned so that you won't get all kinds of useless alerts during installing, because that's when you normally get to see the most popups. When you have made all the rules I hardly see any popup during normal computer usage.
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Yes it is. Just config it to prompt on execution for processes you want, turn it off for everything else.

    How do you know they're useless? :rolleyes: You're contradicting yourself at every sentence. You want HIPS to get smarter, yet stay dumb. You want them to prompt you for everything, yet not bother you with useless alerts.
     
  23. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    :D:D:D
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    I don't know if you understood what I meant. If you did, can you please explain yourself? I was talking about when you're about to install a tool; it would be nice if SSM was less noisy, but I figured out that you can achieve this somewhat with "install-mode".

    Is it useful to know about some process trying to execute a child process that's in the same folder as the parent? I don't think so. I'm only interested in suspicious behavior triggered by a parent/child process. Basically, it's what TF already does, I think.
     
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    That wasn't what you originally said. You said you wanted to monitor the execution of only processes which might be used in attacks. And that's easy enough to do with SSM.

    Is it useful to monitor a driver installation, then? Or memory write requests? Your question is absurd: "some process trying to execute a child process that's in the same folder as the parent" can as easily be malware in action as it can be a legitimate request. Obviously you've never seen trojans bound to a harmless program; the exe decompresses the normal program AND the trojan to the temp folder, and the trojan is executed silently as well when the normal program is. A dumb HIPS needs to prompt you on everything because it cannot decide for itself what's good or bad; it does not and cannot know what is suspicious or not. Which brings us back to your self-contradiction again: you want to be notified about everything, yet complain that certain alerts are useless, and want to be alerted only on "suspicious" behavior. Make up your mind.
     