Phide.exe rootkit versus HIPS

Discussion in 'other anti-malware software' started by aigle, Jul 27, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Doktornotor

    I found the link and the other claim of Vettetech that Aigle's tests are worthless because he uses several (overlapping) apps.

    The proof of Vettetech (on Vista) shows a pop-up of D+ advising

    "If HideProc is one of your everyday applications, you can allow this request"

    Question of an innocent user: What to do when it is not my everyday application, because I have more than two options:
    a) Allow this request
    b) Block this request
    c) Treat this application as (several choices in drop-down list)

    So should I block it or treat it as an installer (which is the shown prompt)? Remember, don't mind me preferring the EQS advice "Block is advised unless you trust it", with only two options (Allow or Block).

    Bottom line
    Since you do not defend your statement and the above sample does not prove your point, I rest my case. :thumbd:
     
    Last edited: Jul 28, 2008
  2. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Huh?! Where did you invent the above?! Actual screenshot here.

    Now may I suggest that you compare the above detailed, plain language description of the possible malware behavior with the "Oh, %foo wants to get some administrative privileges" in a somewhat more objective manner? o_O :mad:

    Please, don't misquote application warnings we are debating here, that'd be a good start at least. Until then, no point in debating this further indeed.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Last edited: Jul 28, 2008
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    This clearly doesn't go anywhere on-topic. See this message on Comodo forums and please answer there. Unless you are able to reproduce your "failure" issue on a sane setup without using a bunch of clearly conflicting on-access applications, I consider this debate over.

    Have a nice day.
     
  5. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Sorry to cut in, I'm not familiar with D+. Does D+ give the same or a different alert if cmd.exe wants to execute a harmless app like notepad or calc, but with their respective .exe renamed or at a different location?
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Here is some background for this phide sample used by Aigle :thumb:

    Just to clarify, it is not to be confused with the phide_ex POC released by PE386 on 24 October 2006.

     
  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    You gotta hate those fanboys...:rolleyes: :isay:
    Thanks aigle for another test.:thumb:
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is an easy answer, I am not using a bunch of clearly conflicting on-access applications. You and Vettetech claimed that Aigle did (hence all his tests are worthless).

    It is about the claimed clear language of D+ (your claim), while one screen prompt proves that at least in one situation the D+ advice is not clear. This does not make me a Comodo basher or Comodo a bad application (to quote one of my statements: "I think on Vista64 Comodo is still the best/free power user HIPS+FW combo available").

    Have a nice day too :cool:
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    By "you" I apparently meant either the OP, or anyone here who actually tested this piece of malware. The OP here uses CFP with Defence Plus, GesWall and ThreatFire all at the same time, so yeah, the tests are really not useful. No response so far to that request.

    And please avoid dragging this debate into off-topic stuff like your "unclear advice" screenshot. (That information is still a whole lot more useful than the "some administrative privileges" popup. I actually doubt most users would even see that one, simply since they already are logged on under an administrators group account, so there are no privs that the malware would try to "obtain". It'd already have those privs.)
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay, it is clear now: o_O "you" is not me but Aigle or anyone else testing this piece of malware.

    You added this in post 5 yourself (clueless pop up), now it is off topic? :doubt:

    Come on, make up your mind, a sentence ago this was off topic, now you are starting on it again. :D

    :thumb:
    :thumb:
    :thumb:
    :thumb:
    :thumb: :thumb: :thumb:
     
    Last edited: Jul 28, 2008
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmmmmmmm... lot of discussion. I just came back after a very busy day. I will take time to read all stuff. Pls be patient.

    Seems CFP is behaving strangely on my system. I need to investigate. Users on CFP forums get an alert about memory access, I don't. Pls see my reply there also. Post no. 25.

    http://forums.comodo.com/leak_testi...e_rootkit_bypassed_defence_plus-t25537.0.html

    About the discussion of what is a failure and what is a pass -- I just tested the ability of the CFP HIPS to detect malware behaviour if it is allowed to execute! One can disagree for sure. I have no problem at all. :)

    I have replied to the PMs. Also edited my first post.
     
    Last edited: Jul 28, 2008
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    2 2 true. Sandboxes are padded cells for computer illiterates, old ladies with tennis shoes, couch potatoes too lazy to do a bit of thinking, etc. I'm not quite sure which category I fit into, but I use Sandboxie for browsing.

    Even that is not total protection, however -- for instance, Sony's spyware that was built in to "reputable software" until a public furor made them cease & desist. Plus, a fellow was caught shoplifting at OfficeDepot the other day. In reviewing the store's video from its "eye in the sky" it turned out that the shoplifter replaced a certain antivirus (boxed & shrink-wrapped) with an identical box -- BUT the replacement box contained a poisoned copy of the antivirus.

    Moral #1: Not everyone will run their new programs (shrink-wrapped or otherwise) inside a Sandbox.

    Moral #2: Sandboxes are not the be-all and end-all of security. (The closest thing to "perfect security" is an imaging program, assiduously employed.)

    It is utter nonsense to fault a HIPS on behalf of "innocent users"/doofuses who are not able to discriminate between safe and dangerous actions, &/or too lazy to do a bit of research.

    The HIPS job is to alert the user about potentially dangerous situations. It is the user's job to decide what action to take in response to that alert.

    As yet, there is NO HIPS with a broadbased AI that can totally take such decisions out of the user's hands. Those that try get FPs.

    So the amateur reviewers of HIPS will squawk if a user decision is required because of weak AI. Then they will squawk if an FP ensues because of aggressive AI. They should stay home & read a book, watch TV, or whatever -- & stop erroneously faulting the work of programmers who are light-years more proficient than they are.

    Those who can do, DO. Those who cannot do, CRITICIZE.
     
    Last edited: Jul 28, 2008
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Off topic post removed and a reminder: We do not condone attaching or sharing of malware on this site, publicly or privately.
     
  14. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Having read both threads at Wilders and Comodo, I did not know security is such a big thing.

    Seems Kees enjoys teasing the Comodo fans; reading his initial post he did not disagree with the posters, suppose their tone of voice got him triggered.

    I agree with Someone (Pedro) on the Comodo forum, tone of voice really makes a difference.

    CognitoErgoSum should have joined in to add some love and peace ;)
     
  15. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I strongly hope there isn't any public ARK that still doesn't detect this old phide PoC ;)

    phide_ex is far more advanced, though easily detectable.
     
    Last edited: Jul 28, 2008
  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    IMO a good HIPS program should give as much information as possible of what's about to execute, as Comodo did with the possible heuristic detection of a malware. This helps a user make a more informed decision to allow or not, good or bad. In the case here, EQS with a blank of information, there is no informed decision to make, it's a total gamble. So yes, a HIPS is in the hands of the user to make that right choice, but with no information it's almost useless.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No it does not. CFP is not dumb. :D :thumb:
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No I think, it's not the case. These seem to be file heuristics (heuristics for static files) of the newer CAVS engine version that is yet to be released. They are aggressive but good. :thumb: These are not heuristics of behaviour I think. It's just my guess but I am very much confident about this guess.
    1- Yes
    2- Execution alert and that's all.

    But as u noted, Vettetech at Comodo forums is getting a physical memory alert, so I need to investigate it.
     
  19. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Well after reading this thread, I can't wait to try Comodo with Defense+, it's really what I was looking for. I hope it'll play right with my Vista system.
     
  20. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    i originally agreed with myself to stay out of this discussion, but here i go. i will preface my comment with, yes i know SafeSpace is not Geswall and vice versa.

    i have been evaluating security software set-up on different snapshots on my pc for the last couple of days. one of the set-ups has Returnil, SafeSpace, Threatfire, Avira Free & Comodo with D+. the other is Returnil, SafeSpace, A2 Antimalware, EQS 3.41 (with Alycon Ruleset). part of that evaluation was to see how the BB apps would respond to real malicious code. i would test one set-up, then boot to another snapshot and run the malware on that set-up.

    i noticed Threatfire would alert on actions taken by the malware and A2 would not. i was very close to uninstalling A2 when i decided to run the malware outside of SafeSpace protection and rely on Returnil to shield my system only. i reran the malware after rebooting and using AVZ and Process Explorer to ensure the malware was flushed, and A2 then 'saw' the code and in fact alerted on 4-5 behaviours of the code as opposed to Threatfire's single alert or 2 at the most.

    my point? it seems some software is able to better interact with isolated files than others. Threatfire alerted in the same fashion to malicious code whether it was sandboxed or not. A2 seemed not to see the same code when it was sandboxed, that it alerted on without the sandbox. perhaps the lack of D+ giving Aigle the same detections that whoever did get was influenced by Aigle running the code through Geswall. btw EQS & D+ both did an admirable job in alerting to the malware; were they the same alerts, i don't know as that was not really my focus.

    the how's and why's of this, i can't say. but my personal observation was that A2 went from being a disappointing nearly dumped security app with sandboxed malware running, to an absolute hero, and a keeper, at the very least on that snapshot, with the malware unsandboxed.


    Mike
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    When u run malware in a sandbox, ur behav blocker might not work.

    In case of TF, the malware file usually accesses the TF service in memory and then u get a TF prompt. When u run malware inside GW or another sandbox, this memory access is stopped and TF seems blind, though it is not.

    Wait and I will make a thread about this with screenshots. :D
     
  22. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    I'm not sure if the above quote was tongue-in-cheek or seriously intended or perhaps a bit of both. I can tell you (with great risk of being slammed I'm sure) that some months ago I tried a popular firewall with HIPS mentioned in this thread and found it an awful experience.

    I'm neither computer illiterate, nor an old lady with tennis shoes (wrong gender and age factor) or couch potato too lazy to think. What I am is someone who is very busy trying to successfully manage and care for my family and personal life. Those are the things most important to me. And, during those initial weeks using HIPS and finding myself being confounded by all the pop-up HIPS alerts and spending hours trying to investigate what this message meant and that message meant, I had a Eureka moment and realized "this is a stupid waste of time for me". "Why should I be hassled with all this? Computers shouldn't be this troublesome for me to use."

    So I dumped that firewall and HIPS program and a little while thereafter discovered Sandboxie. I couldn't be happier.

    I have a car. I get into my car. I drive it. I make sure it has routine maintenance done on it so it operates reasonably well. But other than that, I know nothing about its workings and I'm not interested in learning. That doesn't make me lazy; it just means my priorities right now lie elsewhere. I don't fault those who prefer to tinker under the hood themselves. Nor do I want to be criticized for not wanting to get my hands greasy. Likewise with my computer. I have one. I want to turn it on and use it. I have a few anti-malware programs to try to protect it. I defrag it regularly and use CCleaner to get rid of most junk. But that's the extent of it. That's all I have time for.

    I find nothing wrong with those who have the time or inclination or curiosity to want to be alerted every time something unexpected happens with their computers so they can explore the issue in great depth. HIPS is a good fit for them. Likewise, the simplicity and effectiveness of Sandboxie is a good fit for me. It keeps my pc clean and I don't care how it does it.
     
    Last edited: Jul 28, 2008
  23. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321


    nice!


    Mike
     
  24. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Thanks for the screenshot :). Just to clarify, the alert will be the same if calc.exe was renamed & at a different location? I only ask so I can understand better why u initially said D+ failed altho it mentioned "malware behavior" in ur test.

    THANKS so much.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It's not that they might not work, but they might not give an indication.

    For example OA's Run Safer puts a green border around stuff you use it on. Run it in the sandbox and the green border is not there, but the program is still running at lower rights. Just that Sandboxie blocks the indication back from the system.
     