Phide.exe rootkit versus HIPS

Discussion in 'other anti-malware software' started by aigle, Jul 27, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It,s a real interesting POC.

    CFP Defence Plus- Failed :mad:
    EQS-- Pass
    GesWall- Pass
    SBIE- Pass

    I don,t get direct memory access pop up on my system from CFP. o_O Others do get. I need more users to test pls.

    OA free- Same as CFP, no direct memory access pop up. o_O Any one pls?
     

    Attached Files:

    Last edited: Jul 28, 2008
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    aigle- You said CFP D+ failed. However your screenshot for D+ shows...
    It looks to me like D+ DID alert to the nasty. Am I mis-interpreting?
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Good ole Sandboxie.
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    As Bellegamin said, It looks like comodo heuristic of a possiable malware. It looks to have passed and as with hips leaving the final decision to the user.:doubt:From the screenies it looks like EQsecure show no warning of a possiable virus/malware.One other thing just Noticed EQsecure says allow after 28 seconds in the bottom of screen shot does this mean if the user does not respond in the time frame it will be allow auto to run?.
     
    Last edited: Jul 27, 2008
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, sorry if I sound harsh - but damn get a clue before making claims about "failed". CPF D+ alerts you about possible malware and asks what to do. Fail?! EQS gives some fuzzy blurb about admin privs and will autoallow (WTF?!) it in ~30 seconds. Success?!

    :thumbd: :rolleyes:
     
  6. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I think aigle just mixed up his words for his claims and meant EQSecure failed and FYI aigle does have a clue.Aigle has been doing some extensive testing with real malware with numerous products. you may want to search his threads, you will see for your self which products he has tested that passed and failed.
     
  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    You can configure it to block prompts after 30 secs instead of allow.

    ~~~~

    Once again, SBIE kicking some butts! :D
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  9. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    IMO, aigle is right : D+ notified about an executable (any) launched through command line so it's potentially a threat but D+ did not warn about any step of the process cloaking itself (Direct Memory Access ) like EQS did

    regards,

    MaB
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Wrong. May I suggest reading my previous post right above? Failure to use a tool properly is certainly a "fail", but not one in software. ;)
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Exactly, but I would consider that a failure. This is the problem with all classical HIPS. It warns of behavior, but leaves it to the user to make a choice. As Prevx discovered a few years back given that choice over 50% of the time, users make a wrong choice.

    To me, the good software would protect you even if you allow something to run. Like for example Sandboxie does.

    Pete
     
  12. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    What's good software for someone is bad one for someone else... IMO, good software respects that the user is the finally the one who should decide what action to take. There may be legitimate reasons why users wants to allow the (alleged) malware to run. Be it false positives, or research and testing purposes, or whatever else.

    See, making it impossible for the user to decide would make actual testing of the HIPS behavior very difficult. As you see here, even if you decide to allow the rootkit run in the first place, you still get additional warning in the next phase - so you can see that multiple types of behavior trigger the warning and can change your decision later... If you still allow this in the second step, it makes it possible to check whether another layer of your protection will pick that up (like, AV rootkit detection or whatever). I personally strongly dislike applications that make it impossible for the users to have full control over their computer.

    Finally, software is no replacement for using ones brain. People that routinely make wrong decisions about malware warnings should switch from Windows to a different OS which won't require any such decisions and will protect them much more.

    (Sandboxes are completely different type of thing here.)
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When accusing somebody of clueless claims be sure to check your own claim

    About EQS
    You can choose wthin EQS how to handle an intrusion: ASK + Allow, ASK + Dent, Deny and Allow. Aigle has chosen ASK + Allow as respond.

    About the fuzzy blurb
    Acquiring admin privileges is asking for the keys of your house, please Google on Limited User and LUA to understand this concept (or google on improvements of Vista compared to XP) and Google on for instance rootkits to get an idea of the consequences of acquiring highest privileges.

    Comodo's D+
    Comodo's heuristics is problably triggered because 60% of the leaktest uses cmd.exe to bypass firewall protection. So it could have bypassed the com protection available withing D+ (D+ also warns you for sme privelidge elevation of pseudo com commands). When this is the case, it is a disappointing respond of D+. I would have called this a conditional or partial pass

    @Aigle two questions
    What I would like to know whether you enabled this (pseudo com protection) on D+?

    What are the series of (intrusion) events of this malware, to understand your evaluating this D+ respond a complete failure?


    Regards Kees
     
  14. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    The blurb provided by EQS actually gives rather poor information to users, compared to the warnings provided by D+. And if you want highest privileges on Windows, you actually want the thing to run as SYSTEM, not as Administrator.

    May I suggest reading the thread @ Comodo forums, referred to here? It included screenshots that shows lack of proper testing of the application on OP side, resulting in this completely unsubstantiated claims about "fail".
     
  15. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Hello peter,I think I see your point know.What I think your saying because Comodo warns clearly of a possiable malware But will still allow the user to run It If the user ignores the warnings it Failed.If it had the warning of malware and blocked the user from any possiable choices it would have passed.please correct me If My thinking is Incorrect.Thanks
     
  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    What I see from the screen shots With warning such as comodo just seeing the words malware my answer would always be deny even the chance of a FP.EQSecure gives No Information So The chances are greater the user may make a wrong choice.
     
  17. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Thanks, exactly my point. When majority of users use an account that belongs to Administrators group for everyday normal work, warning users that "application will obtain some administrator privileges" is just plain useless (a.k.a. fuzzy blurb), bound to be ignored by most people who'll quickly allow it to get rid of the popup window.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    First I am not pointing fingers at comodo, but let me give you an example, using the latest Online Armor beta and a Killdisk which we've played with a lot.

    If I run OA as a standard HIPS, and try to run it I get two warnings, first is that it wants to run, so how do I know. Second now is low level disk access, but again how do I know, so If I allow then it destroy's the disk. Problem is I may not know it's legitimate, and also legitimate programs need low level disk access. So if the program is good I may screw it up, or if it's bad I may let it run. So I call this a failure.

    But what I can now do with OA, is once I have my system setup, I can set OA to a mode where it won't even ask, but will run any unknown program at lower rights, thus prevening Killdisk from doing anything. That to me is a success.

    When I test my setup against stuff i do either allow everything or turn hips off. I consider the Pop up's informational and as was pointed out can be useful to see what malware actually is doing, but I assume under normal use I am likely to answer wrong.

    Pete
     
  19. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Absolutely agree.
     
  20. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    I call this success :p

    What is HIPS really? Is it sth that will point you to the right direction by using heuristics, signatures and behavior analysis or sth that will just inform you of ANY action and wait for accept/deny?

    I thought it was the latter, but maybe it is sth in between. I don't know really if there is an objective point of view about HIPS.
     
  21. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Hey peter, Thanks for the clear answer I understand some what better know.:thumb:
     
  22. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    This is the only thing that really bothered me with EQS when I used it. Some popups are totally blank, no info at all.
     
  23. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree hurst and IMO is like playing russian rulett with 5 bullets in a six shooter.:eek:
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Please make up your mind: is it EQS compared to D+ (first quote) or the text of EQS itself (second quote). Also, EQS advised to block, so what "exactly is your point"?

    In this sentence
    Rootkits try to acquire this (ring-0/system) highest privelige. I do not disagree on that, so again what is your point?


    You may, please provide a link, I asked Aigle with what settings he had tested D+ and what the supposed the flow of events of this intrusion would be (to assess on which points D+ might fail). WHen Aigle's testing was correct I would have labelled it a conditional pass. So again what is your point?
     
    Last edited: Jul 28, 2008
  25. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    .

    I've already commented on this, please read this thread a bit more carefully.

    Ditto, I've already done this.
     
Loading...
Thread Status:
Not open for further replies.