Rootkit Defense with HIPS?

Discussion in 'other firewalls' started by underdog, Aug 12, 2009.

Thread Status:
Not open for further replies.
  1. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    is it possible for a rootkit to be installed if its driver is blocked from installing, or are there other methods for rootkits to install themselves? i am using windows xp professional sp3.

    with this in mind, i am looking for a free hips right now to protect against rootkits. i do not care about anything else except this one feature (and keylogging protection i suppose, but most of the top hips seem to have keylogger protection built in already). i know plenty of experts frequent this forum, so does anybody have any suggestions? i tried most of the top programs at matousec here: http://www.matousec.com/projects/proactive-security-challenge/results.php

    here are my thoughts on the free ones or trial versions of the paid ones, with the limited knowledge i have -

    kaspersky: has a secret whitelist that you cannot disable according to a moderator on kaspersky's forums. zemana's keylogger test is on this whitelist. i do not want to use a program that has a whitelist i cannot control.

    online armor free: does it stop driver loading? i couldn't find the option anywhere. if this feature does exist, you would have to enable or disable it for every program. you cannot simply enable or disable the detection of driver loading for all programs by having certain boxes checked like in eqsecure and comodo.

    comodo: comodo allowed drivers through! see this thread: https://www.wilderssecurity.com/showthread.php?t=250833 otherwise it would be perfect.

    outpost free: outpost greatly increases my fan speed. a quick analysis using the open source program process hacker ( http://sourceforge.net/projects/processhacker/ ) shows that the i/o is close to 300 kb/sec! this creates a lot of fan noise and slows down my computer. otherwise it would be fine, but i haven't been able to test its other features because of this problem. i imagine the paid version probably has the same problem.

    pc tools: this firewall fails all the keylogger tests. this is unacceptable.

    eset smart security: great virus scanner, but the firewall part provides no protection at all against rootkits. it just filters internet traffic and does nothing against driver installation.

    zonealarm pro: failed to stop a number of drivers that eqsecure caught.

    i am extremely tired from all this testing and i am sorely disappointed that there is not a single hips product i have found that is able to catch all the drivers that eqsecure 3.41 has been able to catch. please help! i want to use a product that is currently being developed and has at least some keylogger protection. i am at my wit's end! :'(
     
    Last edited: Aug 12, 2009
  2. prairie dog

    prairie dog Registered Member

    Joined:
    Jun 9, 2009
    Posts:
    129
  3. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    nope, i haven't tried drive sentry. i'm totally ok with not having a firewall though, since i can just use a separate firewall. i did for a long time. i looked at the features of drive sentry on its homepage, and i'm a bit curious. one of the features it lists is "antirootkit". how does drive sentry counter rootkits? does it block them from installing or is it a scanner?
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Yes, it does it by default. The idea of OA is "you should be equally safe with ANY settings", so you would hardly see an option there that could compromise security. Until, of course, you switch into learning mode and forget to switch out :)
     
  5. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Why not grab the offer of an OA Premium here for free. It's extended until tomorrow.

    EDIT: btw, in OA free I'm pretty sure anything newly installed gets Unknown status, prompting for the actions you are worried about, and the user is given an excellent advisory - and a default "terminate process" ticked box.
     
    Last edited: Aug 13, 2009
  6. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I don't know for sure. I think part of the "definition" of a rootkit is that it has a driver component.

    Have you considered blocking all exe's (this would include the driver install)?
    I block all unknown exe's from running using a default-deny security solution ( AE 2.2 in sig ).
    LUA and SRP are also good ways of doing this.

    This leaves installing programs you think are ok.
    If you run the installer in Sandboxie, you can then spot if it included a driver file. (Most applications don't need them; security and hardware software do.)

    It's a bit restrictive but I've gotten used to it.
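    One way to do the sandboxed-install check described above (spot whether an installer registered a driver) is to snapshot the driver service list before and after the install and diff the two. This is an added example, not code from this thread or from any product named in it; it parses the text format of `sc query type= driver`, and the two snapshots are constructed sample output with `ExampleFilt` a made-up service name.

```python
"""Diff two `sc query type= driver` snapshots (before/after an installer runs)
and list driver services that appeared. Added example; snapshots are
constructed sample text, not real system output."""
import re

# Constructed sample: snapshot taken BEFORE running the installer.
BEFORE = """
SERVICE_NAME: ACPI
DISPLAY_NAME: Microsoft ACPI Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING

SERVICE_NAME: Ntfs
DISPLAY_NAME: Ntfs
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
"""

# Constructed sample: snapshot taken AFTER the installer finished.
# "ExampleFilt" is a made-up service name standing in for a dropped driver.
AFTER = BEFORE + """
SERVICE_NAME: ExampleFilt
DISPLAY_NAME: Example Vendor Filter Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
"""

# sc.exe prints TYPE as a hex code; 1 = kernel driver, 2 = file system driver.
DRIVER_TYPES = {1: "KERNEL_DRIVER", 2: "FILE_SYSTEM_DRIVER"}


def parse_sc_query(text):
    """Return {service_name: type_code} for every service block in the output."""
    services, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"TYPE\s*:\s*([0-9A-Fa-f]+)", line)
        if m and name:
            services[name] = int(m.group(1), 16)
    return services


def new_drivers(before_text, after_text):
    """Driver services present after the install but absent before, sorted by name."""
    before, after = parse_sc_query(before_text), parse_sc_query(after_text)
    return sorted((n, t) for n, t in after.items()
                  if n not in before and t in DRIVER_TYPES)


if __name__ == "__main__":
    for name, code in new_drivers(BEFORE, AFTER):
        print(f"new driver service: {name} ({DRIVER_TYPES[code]})")
```

    A snapshot diff only sees registrations that are still listed afterwards, so it complements the HIPS driver-load prompt rather than replacing it.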
     
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    @underdog - due to lack of knowledge you mixed up some things

    >> eset smart security: great virus scanner, but the firewall part provides no protection at all against rootkits.

    a firewall is not there to prevent system-internal actions - only inbound/outbound to lan/web.

    the av-engine from eset has no HIPS to control deeper internal actions.

    And yes - OA can prevent rootkit actions.
    There is a German test from subset present which compares several HIPS systems.
    OA and ThreatFire had 8/10 blocked - best of 5 programs.
    But meanwhile both were upgraded so the test may now be 9/10 or 10/10.

    ESET AV (EAV) and OA is a great combination - a² and OA is great (not OA++ these times)

    But remember - OA is only as good as the decisions you click (deny/allow).
     
  8. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    yes, i have considered blocking all .exe files. i think this would be hugely inconvenient though because i do install stuff (not recklessly though) on a regular basis, and it would be a bit inconvenient to have to allow everything each time i run it. besides, when doing leak tests, i would rather allow the .exe file to run, then pass the test based upon the behavior of the .exe file (aside from the mere fact that it's running).

    thanks for the clarification. sorry about not being clear enough. i do know that eset's firewall component is not a hips and was only meant to filter internet traffic. i'm not saying this is bad or good; all i'm saying is that if i do want a hips, i will need something else to supplement its protection.

    about Online Armor, is there a way to turn off blocking for specific behavior like in comodo? for example, let's say i want to allow all dll hooking for all programs, both known and unknown. can i do this by unchecking a box like in comodo?
     
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Read the manual of Online Armor! (or online help)
    http://www.tallemu.com/webhelp3/UsingOA.html

    In particular:
    http://www.tallemu.com/webhelp3/Programs.html

    you have 30 days trial time before you pay - or quit.
     
  10. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    thanks for your suggestion. i tried out online armor free. according to matousec, it is a solid hips, but i cannot use it, and here's why: online armor does not allow you to filter only specific behavior for all programs in general.

    let me be more specific. first, on the main menu of online armor, go to "Programs" on the left side. then click the "Options" tab. this tab, according to online armor's manual, allows you to "change how Online Armor handles programs in general, rather than individual programs". this is exactly the tab under which i was hoping to see more options. this tab should allow you to, for example, disable monitoring for dll injection, or driver loading, or other types of suspicious behavior on a system, but it doesn't. in order to turn off filtering for specific types of behavior, you have to go to the other tab ("Programs") and configure the behavior for EVERY specific program. this is a lot of work, especially if you only want a hips to perform certain functions. i think if online armor added the settings they allow you to use in the "Programs" tab to the "Options" tab, i would be using the free version, if not one of the paid versions. i do not want a hips alerting me to every possible behavior on my system if i already have other forms of protection that make certain filters in the hips redundant. i'm sure there are also many other good reasons why more specific settings are desirable or even necessary in certain circumstances.

    now, at first, i thought the inability to disable filtering for certain types of behavior might be a limitation only in the free version of online armor, but the manual does not distinguish. it appears to be for all versions of online armor. this means that even the paid version of online armor, unfortunately, does not provide this functionality.

    certainly i understand this. however, there might be certain situations in which it would be desirable to turn off the feature to filter drivers too. suppose you were installing a lot of hardware for which you had already installed the drivers many times yourself, so that you knew the drivers were safe. wouldn't it be convenient to have the ability to turn off the feature in online armor for a few minutes? if it was truly dangerous, a warning could be popped up when the user tries to disable this feature, giving the user the ability to either proceed with caution or to cancel. besides, having the ability to disable this feature shows that the feature indeed exists in this hips after all. otherwise, there is no way to verify that it does except by doing some tests yourself.

    i hope an online armor representative reads these concerns and replies. until then, i am still in search of a hips. :)

    i forgot to reply to the part of your post mentioning threatfire. i tested out threatfire today, but it also doesn't seem to let me turn off filtering for specific types of behavior. furthermore, it turns off automatic updating unless i agree to share my settings with everyone else.
     
  11. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    You could have a look at SSM.
    See Options-Logging , Modules-StartMenu , and Modules-Services
    for some customization options.
    It's not under development, but that could be a trade-off worth making. HIPS will get a lot, even if not being developed.

    just a minor thing about TF: I left the updates off, they are not really needed IMO, as it's not signature based.
     
    Last edited: Aug 14, 2009
  12. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    http://drop.io/eqsecure

    has a good rep here too, although I have no idea if it's as customizable as you want.

    sorry, realised you already looked at this. this is a later version i think.
     
    Last edited: Aug 14, 2009
  13. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    you are definitely right about HIPS catching a lot, even if not being developed, but there are still some problems. for example, you cannot install these hips on newer versions of windows. furthermore, this unhooking test here shows that even on current operating systems, a lot more needs to be done to stop rootkits:

    http://membres.lycos.fr/nicmtests/Unhookers/unhookers_results.htm

    yes, this is a newer version. unfortunately, matousec hasn't tested it yet, and it is not free anymore. a pity.. i considered eq secure 3.41 the single most important line of defense on my computer. i think if eq secure 4.2 is proven effective, i would buy it, but for now, i have to look elsewhere :(

    by the way, does anybody happen to know why nod32 doesn't seem to like eq secure 4.2? (it detects it as Win32/Packed.Themida).
     
    Last edited: Aug 16, 2009
  14. nessy90

    nessy90 Registered Member

    Joined:
    May 4, 2009
    Posts:
    103

    underdog, the screenshot provided shows what you can do with programs in the premium version of OA. don't know if that helps or not
     

  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    OAprem and OAfree offer the same.
     
  16. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    thanks, but i have already seen this. all you can do in that screen is turn off filtering for specific types of behavior for ONE application, not all applications :) also, you cannot turn off filtering for driver loading at all, which makes that menu less useful.
     
  17. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    How about KIS 2010?

    It has a lot of configuration options.
     