HIPS on x64 - Question

Discussion in 'other firewalls' started by Bigabe, Mar 24, 2011.

Thread Status:
Not open for further replies.
  1. Bigabe

    Bigabe Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    58
    When I was looking for the reason why Outpost fails PCFlank leak test, I found the answer in the link below.
    Agnitum says that due to MS restrictions (patchguard) on x64 their HIPS will not recognize this kind of injections.

    My question is: why does Online Armor pass test? And I read of other security software that has no problem with patch guard, too.
    So do you believe that Agnitum hasn't figured out a way to do implement such ways of protection in their software or are those programs which pass the test just lying and use some kind of blacklist to recognize the test?

    I don't want to say something bad about those products, I like both of them very much, but I wonder why the one is stating that this kind of protection isn't possible on x64 while other security software devs seem to have found a way to circumvent patchguard.


    https://www.wilderssecurity.com/showpost.php?p=1757610&postcount=13
     
  2. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    1- that programs (OA in primis) are able to really detect that type of attack.
    2- that is what i'm wondering, but some software house does not answer to these questions.

    They say that they offer same protection level on 64bit and on 32bit. But when you test their software, and show clear vulnerabilities on x64, they don't answer..
     
  3. Bigabe

    Bigabe Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    58
    Hello. :)

    It seems that you are the only one out of 404 users that viewed this topic who is also wondering about that strange behavior of some security companys.
    I investigated a little bit more:

    On 64x systems, thanks to MS, security programs cannot rely on kernel mode hook, because patchguard is preventing the kernel from being patched.

    In Comodo forum someone stated that Online Armor seems to use some kind of user mode hook on 64x to circumvent this restriction by microsoft.
    The bad side of the coin is that software relying on this methode are easier to attack directly.

    So, a security software that is using this mode can be attacked by malware and this part of the security program that is using this mode can be disabled if that happens.
    This doesn't happen to the usual AV if it doesn't use this kind of protection through some integrated HIPS.

    So while some companys seem to use this way, others prefer to keep away from that mode.

    As I stated above I don't think bad about any of those companys, I like their products and in my opinion you are more protected with them than with just Windows FW+AV.

    But what I don't like is them being silent, just giving strange and short answers, and advertising better or full 64x protection in their products which seems to be complete bulls....;

    An EMSI employee wrote in their support forum about x64 protection:
    hxxp://support.emsisoft.com/topic/3820-oa-64-bit-more-vulnerable-than-32bit/page__view__findpost__p__22301

    A very straight and clear answer.

    I wonder why other companies try to keep this like a secret.

    The most of my knowledge above I got from reading forums so if there is anyone who knows better or best please enlighten me and correct me.
     
  4. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    mmm.. i don't think so.
    there are some excellent hips softwares based on user mode hooks, Malware Defender for example.
    You can implement the same protection in both ways (obv there are pros and cons), with the same results, it is only a discussion about know-how..

    Honestly, they prefear to implement av features instead of implement D+ hips.
    If you want to use only D+ you can easily use version 3.5, no D+ improvement since then.
     
  5. Bigabe

    Bigabe Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    58
    Thank you for the hint. I'll give Malware Defender a try.

    Yea, I read that it is just theory that user mode hooking is some kind of unsecure because you have to target the software running on a system directly.
    And since security devs are constantly improving their softwares self protection the malware has to handle that, too.

    Per example if a malware writer wants to infect as most PCs as possible he wont write malware that disables Malware Defender. This would be unlogic as the number of PCs running just on Windows FW and Antivir or AVG is much higher.
     
    Last edited: Apr 2, 2011
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    AFAIK DefenseWall isn't currently 64-bit compatible. Did you mean Comodo Defense+?
     
  7. Bigabe

    Bigabe Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    58
    Sorry I read an article about defensewall and so I put the wrong name into the answer. ;-)
    I meant Ill give malware defender a try.
     
  8. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Malware Defender is 32bit only, I used it as an example of hips using user mode hooks :D
     
  9. Bigabe

    Bigabe Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    58
    Yea thanks, I just read that. So there is OA for x64 that works flawless and I'll stay with it.
     
Loading...
Similar Threads
  1. ttomm1946
    Replies:
    0
    Views:
    520
Thread Status:
Not open for further replies.