Ok, lets argue this some more.

Discussion in 'other anti-malware software' started by trjam, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Even with application based execution control code is running on your machine:
    a) Code is running in the network layer before it reaces the process layer.
    b) Code is running as parts of data files or incoming data streams
    c) Code could be running before the driver or execution control service/program is started
    d) same applies at system shut down
    e) IT innovation itself makes the border between data and code diffuse.
    - Due to thin client and distributed processing developments the architecture of the OS allows for code to run dynamically
    - Object based programming has left the old data and functionality seperation. This means that C++ or C# programs have a different way of adressing code and data than old fashioned C programs.

    Regards Kees

    Example

    http://membres.lycos.fr/nicmtests/

    The fuzz about Preuba.exe

    http://gladiator-antivirus.com/forum/index.php?showtopic=64264

    Recently I read something about ShadowDefender running together with AE coul dnot prevent writing to disk directly
     
    Last edited: Jan 16, 2008
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes that is safe to assume, but there is no soft that will provide this 100% coverage. And even when there would be such a perfect software designer with this 100% knowledge. His soft would have bugs of its own and therefore would not be able to provide 100% security. And even when there would be a perfect software developer which would be able to program 100% reliable soft, than the 100% would only reflect the knowledge of the moment the software designer put the specs on the table. In the time lapse it would take to program the specs (the problem of the rabit and the turtle) a new exploit or new way of executiong code could be engineered and the perfect software designer and perfect software developer could still not guarantee this 100%.

    Taking all these imperfections into account, it is a near miracle when Solcroft would be able to provide this 100% in his test to proof.
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's why I replace my complete system partition with a new one during each reboot. The softwares in my system partition are not 100% protected and full of bugs, but they will always be the SAME not compromised softwares.

    There is nothing better than using a clean and unused system partition after each reboot and that's what I do in practice. :)
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Kees1958,
    Please provide a link to this discussion so we can investigate.

    Thanks
    Mike
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  6. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    The main problem with theoretical discussions is that there is no definable limit.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    These are not executables. (A) belongs to the control domain of a firewall. (B) falls within the jurisdiction of both firewalls and HIPS, and easily stopped as well.

    Only if some other code instructed those code to do so. And that other code is easily blocked.

    Technical mumbo jumbo. Something more substantial please.

    I can easily block those with the greatest of ease even with the woefully-outdated SSM Free. Would you like to see evidence of that?
     
  8. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Hmm if you already pick your software carefully and run only safe programs, why do you need the likes of SSM to tell you that the executable you just clicked on is trying to run?

    You might as well cut out the middle man and run the software without the prompt!

    Not to say that warning you when an exe starts is not useful (it can be useful against say some exploit causing something unexpected to run), but i find it quite useless against threats that result from programs you choose to run yourself...
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Bingo.
     
  10. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    But why not just sandbox?

    It seems the scenario with exploits almost always comes through the same few applications, so why not just sandbox those?

    Why suffer thorough the vast majority of useless prompts generated by you choosing to run something? By doing a system wide whitelist of processes, you need to do at least 3+ clicks (1 to start, 1 to answer the resulting prompt, at least 1 more to set the rule) when in the past you only had to do it once.
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Because sandboxing allows execution nonetheless. And once execution is carried out, your guarantee of 100% defense is lost. Prueba aka Bifrose is one of the more prominent examples of this that I can recall - both Sandboxie and DefenseWall were defeated by SSDT unhooking, and the trojan escaped from the sandboxed environment to the host computer. On the other hand, even though SSM Free and ProcessGuard fail to defend themselves from SSDT unhooking, or any of the dozens of techniques with which they can be bypassed, they can block execution - and make everything else moot. 100% defense against executable malware.

    We've had exploits from word processors to media players to image viewers to pdf readers, and now Excel, as the latest and newest example. Same few applications? I think not. Fact: anything more complex than "Hello World!" can potentially be exploited. Possibly even Notepad.

    Learning Mode.

    This is the reason why I eschew classical HIPS as well. But I think the answer to this question is already beyond the scope of this thread. HIPS may not be suitable for everyone, but antivirus software will NEVER be on equal footing with them in terms of protection power, not by a fricking long shot, at least not for the foreseeable future.
     
    Last edited: Jan 17, 2008
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Just to add my experiences relevent to this topic.

    In a year and a half of browsing through hacked sites,known offending sites and generally mass linking through pr0n land i have yet to have an infection install pass the execution control of ProcessGuard when deny rule is applied to any intercepted exe file:thumb:

    Even with attack surfaces maximised via unpatched sp2+IE6 with lowered security settings+ vulnerable versions of QT,Adobe,Realplayer and Java installed.The 'puter is now a malware magnet for driveby action and sure the exploit(s) fire and code imports but nothing sticks unless:D

    FWIW Often i don't have the window of opportunity to harvest full blown infections so the *deny* routine comes in handy to save the dropper inorder to fire up later for the full infection harvest:p

    So PG free execution control <deny> feature has been 100% effective todate in my high risk ITW travels at preventing solicited infections going native:D
     
    Last edited: Jan 17, 2008
  13. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I believe Comodo's Defense+ and ThreatFire also offer something similar to Process Guard's execution Control right?
     
  14. pojispear

    pojispear Registered Member

    Joined:
    Jan 12, 2006
    Posts:
    90
    the problem i had with HIPS is i don't know what every svchost.exe is for and i have 6 running in processes right now. i have a bunch of devices on USB so that's probably it, i need a HIPS that has some explanation of what the process is.
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,976
    In SSM Pro > Process Monitor> Click relevant wheel under 'Service Column'> Tool Tip showing what is running under one of my 6 svchost.exe that is running - see screenshot. I am no expert when it comes to HIPS, but I made sure that I installed SSM in a clean operating environment, and ran in Learning Mode for 2-3 days, whilst not installing any new software. Now I hardly get any popups, and when I do, I am not surprised most times.

    I like to get popups as it helps to learn about my system and how software interacts.
     

    Attached Files:

  16. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    I've had the full version of PG (3.410) since it first came out and couldn't agree more with your sentiments and I have always had a lot of confidence in it. However, times move on and although I still use my six year old XP Home desktop I now have a new laptop with Vista Home Premium on it. PG obviously won't cut the mustard any more (with Vista). Having perused and searched these forums for an alternative I am at a loss to make a decision. I do use Returnil on the laptop but would like something along the lines of PG as well. May I ask your opinion? .. although all opinions would be welcome.
     
    Last edited: Jan 18, 2008
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Well then, may I opine in saying that users of apps espoused in this Wilders forum are far and above wiser than those that frequent the AV sections.:cool: :D

    We are all different and if I ever get stuffed using my favourites, being Sandboxie and Returnil, I'll never let ya'll know anyways!:D
     
  18. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I agree with solcroft on this one. I think that typically HIPS easily will catch 100 % of what all antivirus miss... Only that you may not "recognize" the fact and allow something in... Still this makes it more powerful than any AV in my opinion.
     
  19. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    If they kept the explanations in the pop ups simple enough that the average user could understand then they would be the cat's meow. However, the average user doesn't speak tech talk so just would click "Allow" just to get rid of the pop up. I can remember when Zone Alarm first came out the deluge of "What does this mean" posts in various security forums. I think in later versions (I haven't used it in years) they lessened the tech speak and that helped a lot.
     
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    My take on this is that the database they use to document either the behavior or the known hostile should be the priority with a huge emphasis on clear communication. This still where the big focus needs to be for developers. There is a tech talk and and average Joe version required in all cases. Even more important considering the nature of hips... It is an imperative as users need to be able to get it or it render the product ineffective.
     
    Last edited: Jan 18, 2008
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,770
    Location:
    U.S.A. (South)
    I completely concur.

    And with the results to prove it, been over a year now i think, no AV.

    HIPS are indeed very well mapped out and formidable, they sense system/file activity signalling whereas AV's seem to have to run thru each file separately including identifying packers etc. A huge drawback in comparison IMO when it comes to taxing your system's performance. Takes a healthy lot of CPU cycles/resources/memory to power an AV in comparison to HIPS. Plus they seem to hit snags all the time, meaning unexpected conflicts.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    TF = NO by design, because it is a behaviour blocker

    D+ = YES, called image execution control
     
  23. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    Hope is not lost! :D
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    HI,

    The code execution discussion is somewhat clouded by the fact that running code is defined as running an executable only.

    XML, HTML, J2EE, (D)COM, ActiveX, scripts and dynamic code in for instance media files all are examples of dynamic (or interpreted) code or mixing data with code. So it is possible to fool the anti executable part of your HIPS.

    This obscured code could also use weaknesses in for instance your graphics card driver to get access to your OS at kernel level, without your HIPS having a defense in place.

    That is why I said in a post, look at the release notes of you favourite HIPS over the last two years and you will get the picture. Have a look at the exploit patches of XP and you will find some correlation.

    So in my opinion it makes sense to use some sort of AV, simply because it takes out a fair part of the known threats. At the home PC I have installed AVAST. But only the Network, Web, P2P and Internet MAil shields. This means (in line) code is checked only ONCE (before reaching the PC, f.i. embedded code in web pages).

    So I am using a mixed approach of HIPS/AV. Yes I use an AV, but only for incoming data streams (with as early as possible intervention). Most AV's also check at reads, writes and execution. This steals a lot of CPU cycles, which I rather give to a HIPS. Even wiser would be running as a limited user, which in itself is an elegant and efficient way of reducing the attack surface.

    Regards Kees
     
    Last edited: Jan 19, 2008
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Actually ThreatFire includes some form of execution control by design. Attempting to launch a program via IE iframe/javascript exploits, and silently via cmd.exe batch files (I'm not too sure about the specifics of this, need more testing + samples) causes a popup. ThreatFire tries to limit execution control only to the scope where it is useful, unlike classical HIPS that whack everything that tries to start up.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.