Phide.exe rootkit versus HIPS

Discussion in 'other anti-malware software' started by aigle, Jul 27, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are welcome.
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Thanks aigle for testing that malware I sent you. I was told it was really bad, but obviously not too bad for GeSWall. What was interesting were the VirusTotal hits on both parts, or lack thereof. Seems Microsoft and F-Secure were the only 2 that caught both parts. Microsoft is getting really interesting in detection.
     
  3. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    I agree. SafeSpace is a hooking machine. I have already used AVZ and GMER, IceSword, K-Xray to see all of the hooks. What I do not have the skill/patience to analyze is which hooks are duplicated (?). Thanks for the tip, I had not considered the potential for conflict as the reason A2 was not seeing sandboxed infections.


    Mike
     
  4. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Aigle

    Tested phide.exe against OA build 131.

    When Run Safer is selected at the execution warning, the hidden process is NOT created.
    If Run Safer is not selected, there are no more pop-ups from OA and the hidden process gets created.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, I have the same findings. So OA fails in spite of the fact that it has a filter to intercept physical memory access.
     
  6. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Will try test again with OA as the only security app just in case. I can confirm your findings that EQS gives physical memory access message but OA doesn't.

    Will post this at OA forum.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I've tested it and SSM Pro and NG both pass the test, both successfully block direct access to memory. About the discussion, if CFP only gives a warning about "possible malware behavior" (which may be a false positive) and no other alert if you allow it to load, it is indeed a failure, so I can understand Aigle.
     
    Last edited: Aug 5, 2008
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would retest OA with the latest Public Beta. Build 131 although the last official release, is totally out of date.
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Wow, that is just pathetic, all 36 scanners and only 2. :eek:
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    The bug is confirmed by Comodo people on some XP machines and they will fix it.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    A "PURE" and accurate HIPS just doesn't get any better than EQSecure, provided you were able to install/overwrite 3.41 with the 4.0 Beta.

    This is the KING of them all, IMO. A solid lock-down HIPS that super-guards every single vector courtesy of Alcyon's RuleSets.

    It will take a WHOLE brand new group to compete with this HIPS.

    EASTER.
     
  12. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Retested with latest OA beta 3.0.0.162. Still a fail.
     

  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Does it allow the hidden process to do something unauthorized?
     
  14. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Seems your thread on Comodo forum generated a lot of interest and a conclusion reached. Cannot say the same for OA. As yet, no confirmation of my test results.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Maybe because they are very busy due to the latest beta release. I am sure they will notice it. You can PM Mike as well.
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I have been informed on OA forum that protection against phide.exe bypassing OA has been included in latest private beta version.

    Have since discovered that physmem.exe from SysInternals can also access physical memory with no pop-up from OA (build 131). DW and EQS block the physical memory access. Does anybody know how to set OA rules to stop physmem.exe from accessing physical memory?
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Seems the OA filter is not working OK, so you can't do it until they release the fixed version.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Any links for physmem.exe? Thanks.
    What is this tool exactly?

    Edit: I got it but don't know its use!
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    CFP intercepts it.
     

  20. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    See below for description of physmem.exe

    http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx

    Glad to see CFP detects it. This is what I was expecting from OA.

    I can't believe that OA physical memory access protection simply does not work. I am expecting somebody to put me right on this (Mike, anybody ....)
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks

    I believe it, after these tests. The same is true of CFP. It has the same bug but to a much lesser extent.

    Try SDTrestore with CFP. It's a POC.
     
  22. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm not sure, on my Vista this tool just doesn't work. But maybe OA only alerts on write access, while physmem requests read access? After all, OA was designed to minimize user interaction, so it would be natural not to bother with harmless actions.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That may be one reason. But phide.exe does try for write access.
     
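The two posts above turn on one question: does a physical-memory filter fire on any open of the section, or only on a write? As an added example that is not code from this thread nor from OA, EQS, CFP or any other product named here, the C below models the decision such a filter has to make when a program opens the `\Device\PhysicalMemory` section object. That section is the usual route to RAM for XP-era rootkit PoCs and for Sysinternals physmem; the thread does not say how phide.exe itself opens it, so that mechanism, and every access mask in the sample requests, is an assumption. The example contrasts a naive rule that alerts only on an explicitly set SECTION_MAP_WRITE bit with a hardened write-only rule that first maps generic rights and MAXIMUM_ALLOWED the way the object manager will, and with an any-access rule that also fires on the read-only request a physmem.exe run would make.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* Access-mask bits as defined in the Windows SDK (winnt.h). */
#define SECTION_QUERY        0x00000001u
#define SECTION_MAP_WRITE    0x00000002u
#define SECTION_MAP_READ     0x00000004u
#define SECTION_MAP_EXECUTE  0x00000008u
#define SECTION_EXTEND_SIZE  0x00000010u
#define GENERIC_READ         0x80000000u
#define GENERIC_WRITE        0x40000000u
#define GENERIC_EXECUTE      0x20000000u
#define GENERIC_ALL          0x10000000u
#define MAXIMUM_ALLOWED      0x02000000u

#define PHYSMEM_OBJECT "\\Device\\PhysicalMemory"

/* The NT object namespace is case-insensitive, so a filter that compares
   the name byte-for-byte can be sidestepped just by changing the case. */
static int is_physical_memory(const char *name)
{
    size_t i;
    for (i = 0; PHYSMEM_OBJECT[i] != '\0' && name[i] != '\0'; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)PHYSMEM_OBJECT[i]))
            return 0;
    return PHYSMEM_OBJECT[i] == '\0' && name[i] == '\0';
}

/* Translate generic rights into section-specific rights, as the object
   manager does before the access check. MAXIMUM_ALLOWED means "everything
   my token permits"; an XP administrator's token is assumed here to permit
   write, so a write-only filter must treat that request as a write. */
uint32_t effective_section_access(uint32_t desired)
{
    uint32_t eff = desired & 0x0000FFFFu;           /* object-specific bits */
    if (desired & GENERIC_READ)    eff |= SECTION_QUERY | SECTION_MAP_READ;
    if (desired & GENERIC_WRITE)   eff |= SECTION_MAP_WRITE;
    if (desired & GENERIC_EXECUTE) eff |= SECTION_MAP_EXECUTE;
    if (desired & GENERIC_ALL)     eff |= SECTION_QUERY | SECTION_MAP_WRITE |
                                          SECTION_MAP_READ | SECTION_MAP_EXECUTE |
                                          SECTION_EXTEND_SIZE;
    if (desired & MAXIMUM_ALLOWED) eff |= SECTION_MAP_READ | SECTION_MAP_WRITE;
    return eff;
}

/* Naive write-only rule: exact name match plus an explicit SECTION_MAP_WRITE bit. */
int naive_write_filter(const char *name, uint32_t desired)
{
    return strcmp(name, PHYSMEM_OBJECT) == 0 && (desired & SECTION_MAP_WRITE) != 0;
}

/* Hardened write-only rule: case-insensitive name, generic rights mapped first. */
int write_filter(const char *name, uint32_t desired)
{
    return is_physical_memory(name) &&
           (effective_section_access(desired) & SECTION_MAP_WRITE) != 0;
}

/* Any-access rule: alert on every open of the section, read-only included. */
int any_access_filter(const char *name, uint32_t desired)
{
    (void)desired;
    return is_physical_memory(name);
}

int main(void)
{
    /* Constructed requests; the masks are illustrative, not captured from any tool. */
    struct { const char *label; const char *name; uint32_t access; } reqs[] = {
        { "write via explicit bits (phide-style)", PHYSMEM_OBJECT, SECTION_MAP_READ | SECTION_MAP_WRITE },
        { "read-only (physmem-style)",             PHYSMEM_OBJECT, SECTION_MAP_READ },
        { "write via GENERIC_ALL",                 PHYSMEM_OBJECT, GENERIC_ALL },
        { "write via MAXIMUM_ALLOWED",             PHYSMEM_OBJECT, MAXIMUM_ALLOWED },
        { "write, lower-case object name",         "\\device\\physicalmemory", SECTION_MAP_WRITE },
        { "unrelated section",                     "\\BaseNamedObjects\\ExampleSection", SECTION_MAP_WRITE },
    };
    size_t i;
    printf("%-40s %5s %12s %10s\n", "request", "naive", "write-policy", "any-access");
    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-40s %5d %12d %10d\n", reqs[i].label,
               naive_write_filter(reqs[i].name, reqs[i].access),
               write_filter(reqs[i].name, reqs[i].access),
               any_access_filter(reqs[i].name, reqs[i].access));
    return 0;
}
```

The table the program prints makes the thread's two observations concrete: a read-only open passes both write-only rules, which is the explanation offered for physmem.exe getting no pop-up, while a write open (what phide.exe attempts) is caught by the hardened rule even when requested through GENERIC_ALL, MAXIMUM_ALLOWED or a differently cased name, all of which slip past the naive bit check.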
  24. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    But phide was reported as fixed already :)

    But generally speaking, I think Vista will turn most of those tricky tests into a set of useless toys. At least 50% of famous POCs (and also malware) do not work on Vista even without any special software. So I think it's time to move to Vista for those who really care about true security.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No, it's time to prepare for Windows 7. A better version of Vista. :D
     