Ok, let's argue this some more.

Discussion in 'other anti-malware software' started by trjam, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    My aim is about 95-98% protection against earnest ITW malware.

    Sorry, but 100% is impossible. Let's be realistic. 95-98% of a total protection is a very high rate compared to anti-viruses.
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Right now, I find it quite inconvenient.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A bit of user education. If you're going to be fooled by any existing trick, there's no security software which can help you.
    Do you mean vulnerabilities in the HIPS driver or vulnerabilities in the OS?
    Firefox + NoScript and some common sense.
    Solcroft says that HIPS used as anti-execs (Process Guard, SSM with UI disconnected, Anti-Executable, etc) are 100% effective against malicious executables. Do you mean that there are other ways to execute code which aren't covered by those apps?
     
  4. monkeysmagic

    monkeysmagic Registered Member

    Joined:
    Jan 15, 2008
    Posts:
    6
    The problem with classic HIPS is that there is no defined definition of bad behavior. Both "good" programs and "bad" programs can create the same kind of pop-ups. The only advantage that classic HIPS have over behaviour blockers is you know what kind of permissions a certain kind of program should have.

    Black list scanners don't usually have this problem as they are checked by experts. So I think the best solution is a combination between blacklist scanners and behaviour based HIPS. No solution is going to be perfect but as home users the chance of being affected is rather small.

    I think that using either or both solutions will be acceptable, but a combination of behavior and signatures is better, and sandboxing will also be a part of security features in the future when it becomes easier to use and has fewer problems. No solution is perfect, but if they can combine all their advantages and still be lightweight, any of those products will be hard to beat in terms of security.
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Doesn't work, I know that.

    Doesn't matter. Your sound card driver may be a good source of ring0 jumping too :)

    Some sites (social network ones, for instance) require scripting to work. And they are not 100% bulletproof against hacking :)
     
    Last edited: Jan 15, 2008
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, sure. I may remind you of MS Office document vulnerabilities. Also, there is one very interesting app here: rundll32.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    We can try a little harder to educate, I think.
    All software has bugs; we have to live with that or become paranoid. We can only hope that developers start to write higher quality code and test it with the right tools.
    True, web 2.0 is proving to be a nightmare in security. However, NoScript does much more than simple whitelisting of sites. It has protection against XSS and it can be used to control content (really useful in the light of Flash, Quick Time, Real, Java and Acrobat Reader vulnerabilities).
    Rundll32 runs DLLs, which are executables and banned by Anti-Executable. SSM has an option to check for the parameters and target of rundll32.
    Office exploits are used to place malicious executables, again banned by a default-deny policy enforced by Anti-Executable or a classical HIPS. They don't detect/prevent the exploiting of Word, but they detect the outcome of such an exploit (the landing of a downloader/dropper).
    I'm aware of the possibility of exploits in data filetypes which may be used to disable the security software first and then deliver the malicious payload. So far, nobody is doing this.
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    With a gun pointed to a user's head? :D
     
  9. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    So you are saying that there is absolutely no software currently available that will give me complete control over all possible threat vectors? :eek:
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    100% Period?

    Means you are absolutely sure 'Solcroft' knows the 100% base line. Please share your test results (and enlighten us on the malware you may have written to complete the magic 100% test set).

    Regards Kees
     
  11. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    If a soft gives me COMPLETE control over EVERYTHING that executes on my system, isn't it safe to say that this soft can provide 100% protection?
    Sure I may make a mistake in operating the software, but that just means that now I am the weak link; my lack of skill does not reduce the theoretical protection capability of the software.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    HI PS,

    Who says the execs will wait until your HIPS is up and running at log-on time or start execution after your HIPS is closed down at log-off?

    HIPS only have protection against the current attack vectors. If you do not believe this, have a look at the release notes of Pro Security or SSM versions over the years.

    Regards Kees
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    LOL :D
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Control doesn't mean security. Yes, it is possible to make a monster software that will bombard you with information and confirmations to achieve 100% control over the system. Are you ready to use it every day?
     
  15. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    All I am saying is that the security potential of HIPS is greater than that of AVs.
    A patient, diligent and well-informed user can achieve a level of security with HIPS that can never be achieved with AVs regardless of who is actually using the AV.
     
  16. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Then show me how and with what, please.

    Your foundation is Firefox and Sandboxie.
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Indeed. I add NoScript for the browser, and would add Wormguard or something similar, and maybe BO protection (and coffee). Oh well, can't have everything.
    Driver vulnerabilities: doesn't this imply an executable first? Is there a past example?
    I understand; I realize what you aim for in DW. I stop now with my obsession (executables + proper script control) :p
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Macro viruses are another possibility, since they're essentially Visual Basic code that contains commands you could ostensibly find in an executable file (including trojans, possibly). However, Office provides its own execution control for them, so it makes no sense for HIPS to unnecessarily duplicate this function.

    And cmd.exe. And wscript.exe. And some others I may have missed. Though I think lucas already covered this part nicely.

    Ilya, how do you propose executable malware is going to bypass a well-enforced default-deny policy? I don't think 100% is any exaggeration, it's just a logical statement of what simply has to happen. 100%, period, end of story. This is why ProcessGuard is still a viable solution, even though it hasn't been updated for ages - because it does execution control right.

    My dear sir, rest assured that your question is as absurd as asking me to prove that fire is hot.
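The two posts above touch the same practical point from different sides: lucas notes that SSM can check the parameters and target of rundll32, and solcroft adds cmd.exe and wscript.exe to the list of programs that run whatever they are handed. The toy policy below is an added illustration of why a default-deny execution control has to look at the hosted payload and not only at the host binary. It is not code from DefenseWall, SSM, Anti-Executable or any other product named in this thread; the host table, the allowlists and the sample launch events are all constructed for the example (a real product would key its allowlist on file hashes rather than paths). In-process DLL/ActiveX loading into an already-running program, which Ilya raises later, is outside what this model sees.

```python
"""Toy default-deny execution-control policy that is aware of host programs.

Added illustration for this thread; not code from any product discussed here.
The host table, allowlists and sample launch events are constructed.
"""
from dataclasses import dataclass
import ntpath

# Host programs that execute code handed to them as an argument. Allowing the
# host binary alone would let an arbitrary DLL or script run under its name,
# so the policy also has to check what the host is being asked to run.
HOST_PROGRAMS = {
    "rundll32.exe": "dll",
    "wscript.exe": "script",
    "cscript.exe": "script",
    "cmd.exe": "script",
}

# Constructed allowlists, compared case-insensitively by full path.
ALLOWED_EXECUTABLES = {
    r"c:\windows\system32\notepad.exe",
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\wscript.exe",
    r"c:\windows\system32\cmd.exe",
}
ALLOWED_PAYLOADS = {
    r"c:\windows\system32\shell32.dll",
    r"c:\scripts\backup.cmd",
}


@dataclass
class LaunchEvent:
    image: str   # full path of the process image being started
    args: list   # command-line arguments following the image


def hosted_payload(host, args):
    """Return the file a host program would execute, or None if none is given."""
    if host == "rundll32.exe":
        # rundll32 takes "<dll>,<EntryPoint>" as its first argument
        return args[0].split(",", 1)[0] if args else None
    if host in ("wscript.exe", "cscript.exe"):
        # skip engine switches such as //B or //Nologo; the first other arg is the script
        for a in args:
            if not a.startswith("/"):
                return a
        return None
    if host == "cmd.exe":
        # "/c <cmd>" and "/k <cmd>" run the given command line or batch file
        for i, a in enumerate(args):
            if a.lower() in ("/c", "/k") and i + 1 < len(args):
                return args[i + 1]
        return None
    return None


def decide(event):
    """Return (verdict, reason) for one launch under default-deny."""
    image = event.image.lower()
    if image not in ALLOWED_EXECUTABLES:
        return "deny", f"image not allowlisted: {event.image}"
    host = ntpath.basename(image)
    kind = HOST_PROGRAMS.get(host)
    if kind is None:
        return "allow", "allowlisted executable"
    payload = hosted_payload(host, event.args)
    if payload is None:
        # fail closed: we cannot tell what the host would run
        return "deny", f"{host} started without a recognisable payload"
    if payload.lower() not in ALLOWED_PAYLOADS:
        return "deny", f"{host} would run non-allowlisted {kind}: {payload}"
    return "allow", f"allowlisted {kind} via {host}"


# Constructed sample launches, as an execution-control driver might report them.
SAMPLE_EVENTS = [
    LaunchEvent(r"C:\Windows\System32\notepad.exe", []),
    LaunchEvent(r"C:\Users\alice\Downloads\invoice.exe", []),
    LaunchEvent(r"C:\Windows\System32\rundll32.exe",
                [r"C:\Windows\System32\shell32.dll,Control_RunDLL"]),
    LaunchEvent(r"C:\Windows\System32\rundll32.exe",
                [r"C:\Users\alice\AppData\Local\Temp\update.dll,Start"]),
    LaunchEvent(r"C:\Windows\System32\wscript.exe",
                ["//B", r"C:\Users\alice\Downloads\invoice.vbs"]),
    LaunchEvent(r"C:\Windows\System32\cmd.exe", ["/c", r"C:\Scripts\backup.cmd"]),
]


def evaluate_all(events=SAMPLE_EVENTS):
    """Verdicts for a list of launches, in order."""
    return [decide(e)[0] for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, reason = decide(e)
        print(f"{verdict:5}  {ntpath.basename(e.image)}  {reason}")
```

Run as a script it prints one verdict per sample launch. The third and fourth events are the point of the model: both start the same allowlisted rundll32.exe, and only the payload check separates the system DLL from the one dropped in a temp folder; the same holds for wscript.exe and cmd.exe /c.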
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, new dll/ActiveX loading is more than enough in this case.
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Executable malware - can't. Interpreted malware may.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I don't believe this!

    Says common sense and everyday logic, that's who.

    Kees, I know you're at least somewhat experienced with traditional "dumb" HIPS programs. Please take a moment to consider what you're saying.

    Please realize that these "extra" attack vectors only come into play when the malware is allowed to run. If it is denied from even executing, as it rightly should as an unauthorized program that has no business doing so, then those "extra" attack vectors don't matter one single iota.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I know it will be argued EQSecure has not been updated in quite some time, so it no doubt suffers from the newest limitations that the other HIPS have already addressed, but does that really make for serious concern if you are also using a layered approach?

    Let's please not forget, EQSecure, while it may have taken a back seat temporarily in comparison, is still very formidable and reliable. And they are at least hinting, from what I could make out from their enhanced logic of replies :blink: that another improved version is shortly to arrive, maybe not on our time schedule, but I expect it will equal if not surpass in areas the others have missed. It's not an exact science and requires quite a detail of mapping just the right areas of potential abuse by intruders.

    And while we're on this point of trying to single out every potential vector of possible interruption or displacement by forced intruder malware, let's be practical as well. HIPS alone still holds a very high percentage of safety prevention compared to other methods. I think this thread is on the right course and I further subscribe that at some point a HIPS will attain as close to 100% shielding as any app could reach for. The issue is that Microsoft's lazy, or rather deliberate and intentional, flooding of leaving all these open entry points makes for quite a task for the security vendors to try to address as they are discovered.
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Over time (e.g. NicM and Dmenace) it has been proven that execution does not always mean a direct execution. Also execution with Web 2.0 and other distributed/in-line code execution has become a grey area. So 'wait' in the above context could mean a staged attack, with the real kill coming at shut down or at the next start up. In both cases the Anti Executable would not be 'on air'.

    Because Ilya takes into account these options he says DW will protect for 95 to 98 percent at best. The 100% you are talking about is at best the 100% any HIPS vendor now is aware of. You would be a hell of a hacker/programmer if your 100% matched that of any of the HIPS vendors (like GMER, DefenseWall, PrevX, SSM, etc). My 100% is 70% of that of Nicm; my 100% is 90% of Stem's or Easter's or yours, for argument's sake. That is why I am challenging your 100%: show some!
     
    Last edited: Jan 16, 2008
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I have a different opinion.

    The reason Ilya is saying that is because DefenseWall does not have execution control. Once the attacker's code is running on your machine, then there's no such guarantee of a 100% defense anymore. That's why Ilya is being conservative of his own product's success rate.

    Tell me a method by which you will be suitably convinced, and I will.
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That was the whole point of this thread :) Now I can rest in peace :D
    Scripts are indeed a danger to the default-deny approach, since a malicious document may carry a script designed to disable/wipe the security applications instead of placing a downloader/dropper. But this is mostly a theoretical discussion, because nobody is doing this and it would be very unlikely for me to run an untrusted/suspicious document.
    The main vectors of infection are executables (drive-bys, social engineering, exploits in document/media files).
     