Hypersight Rootkit Detector VIPS

Discussion in 'other anti-malware software' started by Meriadoc, Feb 24, 2008.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yesterday I had the chance to test it on an Intel Core laptop.
    After installation and some reboots I could see: nothing.
    The tool had no reaction; I guess it can't prevent rootkits.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    SystemJunkie, can you clarify? How did you test it?

    What do you mean, that it can't stop rootkits from modifying the kernel? Or perhaps that it can not even spot rootkit behavior? o_O

    But it must be able to do at least something? Because it's a bit confusing: if it can't control the OS, then how can they claim to be able to protect Windows?
     
  3. Kaupp

    Kaupp Registered Member

    Joined:
    May 17, 2005
    Posts:
    59
    Hypersight is a rootkit detector; it's up to you to find another way to clean infections.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    This tool, although a good concept in theory and maybe someday in practice, is AFAIK rather impractical. Rootkits are not viruses per se but more or less sneakers/hiders. The real problem lies in wait: if or when destructive virus writers find it to their advantage to use them to deliver their vicious payloads onto users' PCs, IMO.

    This is taking it to the extreme and almost like chasing ghosts when viruses are more AGGRESSIVE and infinitely more DESTRUCTIVE!

    But it remains to be seen if such a concept of this nature takes off or not; besides, the odds are not really (right now) so much in favor of these threats as of viruses, IMO.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well this kind of sucks, I became excited because I thought that it could actually stop rootkits from being installed. This is in fact what I'm looking for. I wonder if it's possible for HIPS to act sort of like Vista's PatchGuard, and that they could simply deny an already loaded driver from modifying the kernel. Now that would be cool. :cool:
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hypersight can detect and block. The protection can be configured in preferences.
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Security Through Virtualization Obscurity

    a post from June at rootkitdotcom. Did anyone else test this from NSL? I too pretty much had no reaction from this detector.
     
    Last edited: Jul 13, 2008
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well this sort of sucks, because you would think that hypervisor based security tools are the future. And if you read their blog, they now even claim to be able to stop Blue Pill rootkits. I would sure like to see this thing getting a professional review. Is it crap or does it have potential?

    http://northsecuritylabs.blogspot.com/
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, it's a bit over-marketed. It's all simple. From the ring -1 level you can trace the following activity: system register modifications, including MSR ones, and memory and system port accesses. Nothing more and nothing less. It is always possible to write a rootkit that won't cause hypervisor-based "security" software to signal. At all.

    Also, such software must be extremely OS-dependent and even hardware-dependent, especially in the case of non-standard RAID controllers that require a driver.

    Its security capabilities are really limited and can't provide more security than, for example, HIPS solutions. Ah, and one more thing: have you ever seen BluePill-based malware ITW?
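Worked example, added here and not part of the original thread, of Hypersight, or of North Security Labs' code: a C model of the trap-and-policy view Ilya describes. The CPU hands a ring -1 monitor only certain events (MSR and control register writes, port I/O, and writes to guest pages the monitor has arranged to watch), and the monitor applies a policy to those. The example shows why such a monitor alerts on a syscall-entry MSR rewrite, on clearing CR0.WP, and on a write to a watched page, and why a rootkit that confines itself to ordinary writable memory produces no signal at all. The MSR indices and the CR0.WP bit are architectural (Intel SDM); the watched page addresses, the values written and both event traces are constructed for illustration.

```c
/* Added example, not Hypersight's or North Security Labs' code: a plain-C model of the
 * policy a ring -1 monitor can apply to the VM exits the CPU hands it, i.e. writes to
 * MSRs and control registers, port I/O, and writes to guest pages it chose to watch.
 * Every address, value and trace below is constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum vm_event_kind { EV_MSR_WRITE, EV_CR_WRITE, EV_PORT_OUT, EV_MEM_WRITE };
struct vm_event {
    enum vm_event_kind kind;
    uint32_t reg;            /* MSR index, control register number, or I/O port */
    uint64_t addr, value;    /* guest-physical address (EV_MEM_WRITE only), value written */
};

/* Architectural MSR indices (Intel SDM): redirecting a syscall/sysenter entry point is
 * the classic kernel hook. With CR0.WP clear, ring 0 may write read-only pages. */
#define IA32_SYSENTER_EIP 0x176u
#define IA32_EFER         0xC0000080u
#define IA32_LSTAR        0xC0000082u
#define CR0_WP            (1ull << 16)
static const uint32_t watched_msrs[] = { IA32_SYSENTER_EIP, IA32_LSTAR, IA32_EFER };
#define N_MSRS (sizeof watched_msrs / sizeof watched_msrs[0])

/* Watched guest pages (hypothetical addresses). A write anywhere else never reaches ring -1. */
static const struct { uint64_t start, end; } watched_pages[] = {
    { 0x00400000ull, 0x00401000ull },   /* hypothetical: system service table */
    { 0x00800000ull, 0x00801000ull },   /* hypothetical: interrupt descriptor table */
};

/* The first value the guest writes to a watched MSR is taken as its boot-time setup. */
struct monitor_state { uint64_t baseline[N_MSRS]; int seen[N_MSRS]; };

static int msr_slot(uint32_t reg) {
    for (size_t i = 0; i < N_MSRS; i++) if (watched_msrs[i] == reg) return (int)i;
    return -1;
}

static int in_watched_page(uint64_t a) {
    for (size_t i = 0; i < sizeof watched_pages / sizeof watched_pages[0]; i++)
        if (a >= watched_pages[i].start && a < watched_pages[i].end) return 1;
    return 0;
}

/* Evaluate one VM exit: 1 = alert, 0 = benign or simply outside the policy's view. */
int classify_event(struct monitor_state *st, const struct vm_event *e) {
    switch (e->kind) {
    case EV_MSR_WRITE: {
        int s = msr_slot(e->reg);
        if (s < 0) return 0;                                   /* not on the watch list */
        if (st->seen[s]) return e->value != st->baseline[s];   /* changed after boot: hooked */
        st->seen[s] = 1; st->baseline[s] = e->value; return 0; /* first write: OS setup */
    }
    case EV_CR_WRITE:                       /* CR3 reloads are normal; clearing WP is not */
        return e->reg == 0 && (e->value & CR0_WP) == 0;
    case EV_PORT_OUT:
        return 0;                           /* trapped and visible, but no policy attached */
    case EV_MEM_WRITE:
        return in_watched_page(e->addr);
    }
    return 0;
}

/* Feed a whole trace to a fresh monitor and return the number of alerts raised. */
int scan_trace(const struct vm_event *trace, size_t n) {
    struct monitor_state st = { {0}, {0} }; int alerts = 0;
    for (size_t i = 0; i < n; i++) alerts += classify_event(&st, &trace[i]);
    return alerts;
}

/* Trace 1: boot, then a rootkit rewrites LSTAR, clears CR0.WP and patches the SSDT: 3 alerts. */
int alerts_hooking_rootkit(void) {
    static const struct vm_event t[] = {
        { EV_MSR_WRITE, IA32_EFER,         0, 0xD01ull },
        { EV_MSR_WRITE, IA32_LSTAR,        0, 0xFFFFF80001234000ull },
        { EV_MSR_WRITE, IA32_SYSENTER_EIP, 0, 0x80541000ull },
        { EV_CR_WRITE,  0, 0, 0x80050033ull },                         /* CR0 with WP set */
        { EV_MSR_WRITE, IA32_LSTAR,        0, 0xFFFFF88001000000ull },  /* alert: entry moved */
        { EV_CR_WRITE,  0, 0, 0x80040033ull },                         /* alert: WP cleared */
        { EV_MEM_WRITE, 0, 0x00400010ull, 0xFFFFF88001000200ull },     /* alert: SSDT page */
    };
    return scan_trace(t, sizeof t / sizeof t[0]);
}

/* Trace 2: Ilya's case. No trapped register is touched, only unwatched writable data: 0 alerts. */
int alerts_silent_rootkit(void) {
    static const struct vm_event t[] = {
        { EV_MSR_WRITE, IA32_EFER,         0, 0xD01ull },
        { EV_MSR_WRITE, IA32_LSTAR,        0, 0xFFFFF80001234000ull },
        { EV_MSR_WRITE, IA32_SYSENTER_EIP, 0, 0x80541000ull },
        { EV_CR_WRITE,  0, 0, 0x80050033ull },
        { EV_MEM_WRITE, 0, 0x00C00200ull, 0xFFFFF88001000300ull },     /* driver dispatch table */
        { EV_PORT_OUT,  0x3F8, 0, 0x41ull },                           /* serial debug byte */
    };
    return scan_trace(t, sizeof t / sizeof t[0]);
}

int main(void) {
    printf("hooking rootkit: %d alerts\n", alerts_hooking_rootkit());
    printf("silent rootkit:  %d alerts\n", alerts_silent_rootkit());
    return 0;
}
```

Build with `cc -std=c11 -Wall monitor.c` and run; the two trace functions return 3 and 0. Two design points worth noting: the policy trusts whatever it sees first as the guest's own setup, so a rootkit that loads before the monitor poisons the baseline, and the watched-page list has to be compiled from knowledge of the guest's layout, which is the OS dependence raised in the post.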
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi,

    I've done some reading, and perhaps you're right. It's perhaps not the silver bullet against rootkits, but it seems to be yet another layer. I still think (and hope) that these hypervisor based HIPS can/will be useful. At Black Hat 2008 someone else came up with a tool based on the same concept, it's called Viton. From what I've read this tool can protect against Type 1 and Type 3 rootkits. It's more difficult to protect against Type 2 rootkits.

    So the question remains, how to protect the OS kernel from Type 2 attacks. Btw, there is also another interesting project which is backed by Intel, it's called HyperArmor, let me know what you think about it. :)

    http://hypervisor.com/our_products.html
     
  11. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I don't understand: it's only a project ? If I wanted to try it, should I contact them ?
     