Phide.exe rootkit versus HIPS

Discussion in 'other anti-malware software' started by aigle, Jul 27, 2008.

Thread Status:
Not open for further replies.
  1. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    @Doodler,Good for you and your discovery of sanboxie. It indeed is a nice and quiet state of the art security product.:thumb:
     
    Last edited: Jul 29, 2008
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Mike,

    What is helpfull to assess the way two programs theoretically work together is using a rootkit detector (e.g. avz) to see what the hooks each individual program is setting. So run AVZ with only program A and only program B. The more overlap the bigger the chance of conflicts (and lacking protection).

    So what you are saying is true in general.

    Regards Kees
     
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    LOL, interesting definition. May I quote you somewhere? :D As a side note, Gentoo Linux is using a sandbox where all the compilation and pre-install stuff takes place, and only then the files are installed/upgraded on the real OS. Makes it really easy to spot botched makefiles, ebuilds etc. It also makes it easy to spot design bugs, such as trying to read/write configuration to stupid places etc. But definitely, sandbox != HIPS.

    Amen to that... ;) :thumb:
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Both Bellgamin's comment and the reply might fit here, but are flawed to the general population.

    I am interested in security, so I kind of understand the HIPS language. But the average user who wants to be secure, doesn't understand and probably doesn't want to have to spend hours learning.

    Would you guys want to have to be certified mechanic's just to drive your car(to continue that analogy). Probably not.

    If I had to teach a novice any program that would be totally protective without fear of a mistake, it would be Sandboxie, and not any of the other programs we love to talk about here.

    Pete
     
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    I can personally confirm that DefenseWall successfully blocks the Phide rootkit.


    Peace & Gratitude,

    CogitoErgoSum
     
  6. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,976
    Location:
    Canada
    Thanks for that CogitoErgoSum.:)
     
  7. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello Antarctica,

    You are very welcome.


    Peace & Gratitude,

    CogitoErgoSum
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I agree, because you added "teach a novice". ThreatFire, PRSC, Mamutu. GeSwall and DefenseWall can do without the teaching. ;)
     
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    We'll see about that. I was at a friends house last week and I saw he had ThreatFire installed. I was really susprized, since TF is absolutely unknown in my country. I asked him why he had that and he said "I went to download.com looking for an antivirus and I found that". (Needless to say, he is 100% non-geek). He didn't even know that sometimes TF could prompt and ask for an action.

    To make the long story short, and stop with this off topic rant, I decided to do a little experiment. I didn't tought him anything about TF or security. In a few weeks I'll visit him and see how well a newbie can handle TF.
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,353
    Location:
    Hawaii
    First of all, my 9-year-old granddaughter is quite proficient at using HIPS & making good decisions based on alerts.

    The analogy of needing a mechanic is imperfect. A better analogy to "effectively using HIPS" is "safely driving a car."

    To safely drive a car, one must learn the rules of the road, and what is required by the various traffic control signs found alongside the road. One must understand what to do when hearing/seeing an emergency vehicle's approach. What to do when certain red lights appear on the instrument panel -- keep going, or stop & call for roadside assist?

    Those who complain that safe use of the internet requires a bit of thinking & learning are like a person who wants to drive a car but refuses to learn how to drive and how to pass the license test. I call these sort of folks "aggressively ignorant". If those folks viewed learning to drive a car in the same way they view learning to use HIPS, here is the sort of conversation that might ensue...

    :D :) :D ;)
     
  11. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    224
    I think your analogy is flawed, but such debates seldom lead to a meeting of the minds. We'll have to respect one another's positions and agree to disagree, agreeably.;)
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,353
    Location:
    Hawaii
    I agree (to disagree).

    All analogies aside, my granddaughter & all the other kids in her elementary school computer class use HIPS with aplomb. Not only are HIPS readily learnable, the HIPS are, themselves, grrreat little teacher's aides. To be hip, use HIPS. :thumb:

    In some future age, we will have computer's like unto Star Trek's. For now, it behooves us to learn a bit.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    That may be true of OA. But in case of TF it becomes blind of SOME behaviors( not ALL of course).
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Yes, same. :thumb:
     

    Attached Files:

  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Ok, I tried it with CFP( safe mode) without ShadowSurfer. No other security software as well. I don,t get physical memory access alert at all. Acc to Vettetech on Comodo forums, he gets the alert. I am confused. o_O

    Can anyone test it with CFP? Thanks
     
  16. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    is it a virus aigle? if not send it to me and i'll test it.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    It,s POC rootkit i think. Anyway i will not suggest to run it on a working machine without reliable recovery in hand. BTW just a reminder, ur sample was well contained by GW.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Please do not make these requests for these programs. It is against forum policy. Period.

    Pete
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @aigle

    ok

    @Peter2150

    i'm aware of the rule that we aren't supposed to ask for malware on the boards or even trade malware through PMs. that's why i stated "if it's not a virus". it's now against board policy to ask for non-destructive/non-virus proof of concepts?
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Even POC's can be destructive, so the answer is yes.
     
  21. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    i'm aware of that, i don't have a test pc so any tests i run have to be non-destructive. :shifty:

    but i realize i should have made that more clear in my first post to aigle.
     
    Last edited: Jul 30, 2008
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Without wishing to split hairs but what would be the difference between say Eicar test,leaktest.exe(or someother HIBS testing POC) and in this topic test.exe(Phide).

    Just curious where the cut off point is to stay within forum TOS:cool:
     
  23. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    aigle, much thanks for your time & effort, even if just to educate me.

    I see now that it was the lack of "physical memory access alert" (to be confirmed) in ur initial test, and not the lack of clarity in alerting to "malicious behavior", that prompted the initial fail. Thanks.

    P.S. Wonder if D+ whitelists the hashes of common safe apps. If yes then renaming or re-locating calc.exe would not have made any difference, and I'd probably wasted ur valuable time (so sorry!).
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I always set TF to create a restore point before quarantaining and set the default actions of RED (malware) and GREY PUA(Potenial Unwanted Application or spy/adware) to quarantaine. Tell them to hit learn more about this threat when TF po-ups before deciding. That is all and works with non-geeks well.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    :thumb:
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.