Interesting HIPS leak test

Discussion in 'other anti-malware software' started by aigle, Jan 3, 2009.

Thread Status:
Not open for further replies.
  1. BrendanK.

    BrendanK. Guest

    It doesn't terminate. It hides the windows :blink:
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I thought one of the protection options might make a difference. I guess I'll give it a go.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You can try this setting, I think. Let us know the result.
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I tried setting all the protection options in Online Armor for Firefox.exe and set it to "run safer" and the Firefox GUI still disappeared. I also tried to run Project1.exe as "run safer" and the Firefox GUI still disappeared.

    I tried running it in Sandboxie (not in OA run safer mode), but it wouldn't run as it was not one of my permitted programs, but later I hovered over Sandboxie in the system tray and its icon disappeared. Not sure if it was a coincidence or not...

    All my results were without a reboot in between each test.

    Edited for clarity and to add that I'm running OA3 free and I did get a popup warning me that the Project1.exe wanted to run, but nothing about what it did to firefox later. I also want to note that I used Returnil for testing this. I need a VM but I'm not springing for another XP license.
     
    Last edited: Jan 4, 2009
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    No, no coincidence. I only ran this thing from Sandboxie and it works just fine in making GUIs disappear, even if sandboxed. It's like having a Photoshop program making all GUIs "transparent". The most curious thing for me was FastStone Screen Capture. It wouldn't make it disappear at once. At first the symbols were gone. In the second try, the program name, and at the end an empty window remained. It's as if this program overwrites the screen with a "transparent paint", while not affecting the real program at all. No wonder HIPS don't see it.
     
  6. BrendanK.

    BrendanK. Guest

    It's a pretty clever trick. Fun to use. I just turned it on while my dad was on the computer telling him to not close it, it's just one of my programs. Anyway, every time he pressed Space bar something would disappear and he was having a fit! I was laughing so hard :p

    Oh and you don't need to restart your computer to take away the effects. In task manager find the process "Project1.exe" and end it. Then end "explorer.exe". Then File > New Task (Run...) > "explorer".
     
  7. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Defensewall - failed

    Prevx Edge - failed. This surprised me as I've been programming for a couple of weeks and every executable I've produced it warned me about.

    Online-Armor - failed. Apart from a pop-up about a new executable, it produced one pop-up (below) but blocking that didn't have any effect.

    Sandboxie - failed.

    EQS 3.41 with Alcyons rules (old version) - failed.

    A-Squared Anti-Malware - failed. Presumably Mamutu would also fail.

    Apart from detecting a new executable was present and about to run, the action of this program could not be detected by any of the above.
     

  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Ah, it uses csrss.exe, which manages graphical instructions for windows. That's why it is a GUI destroyer...

    The sc_close is apparently not intercepted by the classical HIPS (not dangerous?).

    Hats off to OA though, because at least it can warn the user that something abnormal is going on with this exe.

    P.S: add "Threatfire - failed" to the list.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Malware Defender protects, with only one message in the log: (denied) send message to csrss.exe, so OA is nearly right :)
     
  10. GreenWhite

    GreenWhite Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    110
    What about Faronics AE ?
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    ROFLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I can't drag this "Button1" anywhere.
     
  13. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    You don't actually see it dragged. You only see the mouse pointer. Just left click on "button1", keep the left button pressed, drag the mouse pointer over an application window, release the left mouse button, press "space". The window should disappear.
     
  14. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    I doubt it hides the window; it kills it. There is no hidden window, try to "bring to front" with Process Explorer...
    BTW, KIS2009 failed on Vista32 and on XP32.
     
    Last edited: Jan 4, 2009
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Ah, now I got it. Thanks, Fuzzfas. 2.46 is immune.
     
  16. BrendanK.

    BrendanK. Guest

    It does hide. In task manager find the process "Project1.exe" and end it. Then end "explorer.exe". Then File > New Task (Run...) > "explorer".
     
  17. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    Do you mean DefenseWall is not affected by this exe, or does DefenseWall block/stop/prevent this exe from doing its dirty work?
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It means that DefenseWall allows untrusted processes to manipulate windows of other untrusted processes, but isolated ones. Untrusted can't manipulate windows of the trusted processes. So, this thing just silently blocks in sandboxing style.
     
  19. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    my opinion, leak tests suck, people continue to post them :rolleyes:
     
  20. GreenWhite

    GreenWhite Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    110
    Continuous scare propaganda by security product companies to market their product.

    Everybody else fails, mine passed mindset, self congratulatory practice.
     
  21. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Tried this with Returnil on,
    DW 2.46
    Executable Lockdown (first attempt)
    Returnil 2.0.1.8510 Anti Execute (second attempt)

    Downloaded with Firefox (DW Status: untrusted)
    Tried to open/execute the .exe - Executable Lockdown stopped it dead. Then tried again with EL turned off and allowed it to run. Nothing happened, same result as Ilya.
    Rebooted Returnil and downloaded the .exe again. Returnil Anti Execute stopped it from executing. When allowed to run - nothing.

    Looks like DW untrusted status kills it as it doesn't do anything when it is allowed to run.
     
  22. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    Under Vista 32 SP1 with UAC disabled and hardware DEP(OptOut) enabled and Shadow Defender in "Shadow Mode", I was able to confirm both Ilya's and Dark Star's findings that DefenseWall(DW) pre-v2.46 skinless successfully blocks this test silently. FYI, other than the fact that none of the GUI's or windows disappeared, proof that DW silently blocks this test can be found in the "Events Log" via entries related to "Project1.exe". On the other hand, unfortunately, Primary Response Safeconnect 3.5 beta fails to react to this test.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jan 4, 2009
  23. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    What's the difference between this little program and ALL the others available to hide windows? I mean there's a TON of similar programs!!!
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    No offense, but this is a weak HIPS test. Take some pointers from COMODO and you'll know what I mean.

    EASTER
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    We want to take advantage of all the HIPS potential ;)
     