HIPS etc. learning mode caution!

Discussion in 'other security issues & news' started by CloneRanger, Feb 26, 2013.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I installed something today, & ProcessGuard alerted me to several MS .exe's that were required to run for the install to proceed. One of these was cmd.exe, which under normal circumstances, as in this case, was OK to allow via a per-basis prompt, as set by me in PG.

    If I, or anyone else, had just installed a HIPS-type app, & allowed it to be put in learning mode for some period of time, cmd.exe & whatever else was considered OK would have been permanently allowed as a safe .exe, never to be prompted again.

    As malware can make use of things like cmd.exe etc., I believe it's better not to permanently allow them, but rather receive prompts as & when required. This shouldn't be very often, so it's no inconvenience to adopt the precautionary method.

    Of course malware would throw up a number of other alerts & blocks on my comp & get no further, but other people's comps "might" not!
     
  2. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    This is kind of a good point. To better protect against exploits rundll and regsvr should also not get an automatic pass.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Modern HIPS can deal with this issue as they generate pop-up alerts on a parent-child basis.

    But a weak point for even the modern HIPS may be executables like .cmd, .bat, .vbs etc. However, even these executables can be contained by treating every such executable as an independent exe rather than an instance of cmd.exe, or scripting host etc. Comodo developers were implementing this but I don't know how far they have completed this feature.
     
  4. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Nice thread with some very good points/suggestions on what not to give full permissions to with a HIPS. Thanks for that, any other suggestions would also be appreciated. :thumb:
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ nosirrah

    Nice includes :thumb:

    @ aigle

    Good points :thumb:

    @ LoneWolf

    Thanks ;)

    So far we have,

    cmd.exe - rundll32.exe - regsvr32.exe

    I'll add - regedit.exe - regedt32.exe - regedit.dll - & mstsc.exe = Microsoft Remote Desktop Connection :eek:

    All contributions gratefully accepted :thumb:
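Added example, not from this thread or from any HIPS product: a toy model of the two allow-rule designs discussed above (a flat learning mode that remembers image names, versus parent-child rules in which a script run through an interpreter is keyed as its own executable and a bare interpreter launch is never learned). The process names, the learning-phase events and the later launches are constructed sample data; the binaries in INTERPRETERS are the ones the thread lists.

```python
# Added example (not from the thread or any HIPS product): a toy model of two
# allow-rule designs so the learning-mode problem in the thread can be seen
# concretely. Process names below are constructed sample data.
from dataclasses import dataclass

# Binaries the thread says should keep prompting rather than be learned as safe.
INTERPRETERS = {
    "cmd.exe", "rundll32.exe", "regsvr32.exe",
    "regedit.exe", "regedt32.exe", "mstsc.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    parent: str       # image name of the process asking to start the child
    image: str        # image name of the child being started
    target: str = ""  # script/DLL the interpreter is asked to run, if any


class FlatLearningHips:
    """Learning mode that remembers image names: once cmd.exe was seen during
    learning, every later cmd.exe launch is silently allowed (the thread's concern)."""

    def __init__(self):
        self.allowed = set()

    def learn(self, ev):
        self.allowed.add(ev.image.lower())

    def decide(self, ev):
        return "allow" if ev.image.lower() in self.allowed else "prompt"


def rule_key(ev):
    """Identity used by the parent-child model. An interpreter running a script
    is keyed as interpreter:target, i.e. the script is treated as its own
    executable (aigle's point), so learning cmd.exe+install.bat does not cover
    cmd.exe in general."""
    image = ev.image.lower()
    if image in INTERPRETERS and ev.target:
        return (ev.parent.lower(), f"{image}:{ev.target.lower()}")
    return (ev.parent.lower(), image)


class ParentChildHips:
    """Rules are (parent, child) pairs, and bare interpreter launches are never
    learned: those keep prompting on a per-use basis, as CloneRanger configured PG."""

    def __init__(self):
        self.rules = set()

    def learn(self, ev):
        if ev.image.lower() in INTERPRETERS and not ev.target:
            return  # never permanently allow an interpreter with no fixed target
        self.rules.add(rule_key(ev))

    def decide(self, ev):
        if ev.image.lower() in INTERPRETERS and not ev.target:
            return "prompt"
        return "allow" if rule_key(ev) in self.rules else "prompt"


def run_scenario():
    """Replay a constructed learning phase, then later launches, through both
    models; returns {scenario: (flat decision, parent-child decision)}."""
    learning = [
        ProcessEvent("setup.exe", "cmd.exe", "install.bat"),
        ProcessEvent("setup.exe", "regsvr32.exe", "component.dll"),
        ProcessEvent("setup.exe", "cmd.exe"),  # bare shell spawned by the installer
    ]
    later = {
        "installer_rerun": ProcessEvent("setup.exe", "cmd.exe", "install.bat"),
        "unknown_bare_cmd": ProcessEvent("unknown.exe", "cmd.exe"),
        "unknown_other_script": ProcessEvent("unknown.exe", "cmd.exe", "other.bat"),
        "unknown_regsvr": ProcessEvent("unknown.exe", "regsvr32.exe", "other.dll"),
    }
    flat, pc = FlatLearningHips(), ParentChildHips()
    for ev in learning:
        flat.learn(ev)
        pc.learn(ev)
    return {name: (flat.decide(ev), pc.decide(ev)) for name, ev in later.items()}


if __name__ == "__main__":
    for name, (flat, pc) in run_scenario().items():
        print(f"{name:22s} flat-learning={flat:6s} parent-child={pc}")
```

Running it shows the difference the thread is about: after the learning phase the flat model allows every later cmd.exe and regsvr32.exe launch, whatever the parent, while the parent-child model only allows the exact installer-plus-script pair it learned and prompts for everything else.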
     