Some unique HIPS features

Discussion in 'other anti-malware software' started by aigle, Jul 5, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    NeoavaGuard HIPS has some unique features as compraed to other classical HIPS. I tried three malware samples.

    1- Aliz worm
    2- Sober worm

    Both these worm spread themselves by sending their copies by e-mail. They get the e-mail addresses from windows address book and Sober worm als scans many files like text file on the PC and finds e-mail addresses.

    3- GPcode trojan- A malware that encrpts many files on infected PC( like text files) causing data loss.

    NG gave pop ups for all these actions though it was not fully successful to stop the damage( like it did not stopped the encrption of text files by malware) but it,s interesting to see such a functionality. I have not seen such filters in any other HIPS( atleast upto best of my knowledge). Am i right?

    I have made thread on Comdod forums to add such filters in CFP. What are your thoughts?

    Thanks

    adress book.jpg read text files.jpg
    read text files2.jpg adress book 2.jpg
     
    Last edited: Jul 5, 2008
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Some more screenshots here!

    encrypt1.jpg encrypt2.jpg
    encrypt 3.jpg NG filters.jpg
    ng filters 2.jpg
     
    Last edited: Jul 5, 2008
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No other thoughts, than that NeoavaGuard didn't do a very good job and that these three threats are executables, which are easy to kill with better security softwares. Thanks for the tests, but NeoavaGuard was never on my list, BUT I need a Script Blocker with artificial intelligence. :)
     
    Last edited: Jul 5, 2008
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I knew that already Eric! :)

    This thread is for people with a taste different from urs. :D We don,t want to kill them, that,s so easy. Why want to remove their venom.

    But thanks for the comments. :)
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    It just goes to show what a real tragedy it was when the developer of NG ceased maintaining it. In my opinion, he should resume working on it --- the *competition* is getting thinner every day, in both the number & the competency of classical HIPS.

    I think that a re-vitalized NG would quickly become a big winner -- and a major prospect for buy-out by one of the AV outfits.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Do you admire the bad guys so much, that you investigate their droppings ? ;)
     
  7. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    aigle, have you tested how effective the partition protection of neova guard is? ever hear of "bypassdisk.exe"? i wonder if neova guard or any other hips would catch the program before it attempted to destroy the disk (if it was allowed to execute of course).
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I wholeheartily agree. It completely escapes me why on earth these makers don't just continue to build on apps (HIPS) like these and make them even better then before. This is i hope a temporary trend and not something we're going to be seeing happen on a regular basis.

    I admit i haven't even got around to trying this one but it's no less still useful and any one could easily overtake the field at some point in time.

    And bellgamin, you're very sadly right, it's indeed a tragedy when very promising security applications without warning cease to proceed and gives serious rise to concerns. We need MORE innovations of this nature no matter how useful sandboxes & virtual systems, AS/AV's etc. are in keeping our PC's protected.

    Allow me to compliment also on the screenshots, thanks a ton for taking the time to show them.

    Regards EASTER
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    They can,t dare that on my system. That,s why no reboot to restore. :D
     
  10. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    EASTER,

    I don't want to sound flip, but I believe it has something to do with rent/food/living expenses. The market is saturated with offerings, which severely dilutes their economic potential.

    Blue
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Unfortunately I have no VM and no spare test PC.

    As far as I know some body in the past tested NG against KillDisk and NG was able to protect against it. That,s partition table protection.

    However I can,t say about bypassdisk. Can you PM me the sample by the way, if u have? Any more tests with this utility/ POC?

    Thanks
     
    Last edited: Jul 5, 2008
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Unfortunately, but then they also reserve the option of selling the source or sitting on it which these days can gather rust very fast.

    So in retrospect, the end user or potential customer must take a seat and wait out for either something similar or entirely new.
     
  13. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    131
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Last edited: Jul 6, 2008
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Erik,

    Are you referring to web-embedded Browser scripts, or attacks that use script files (vbs, etc)?
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I have configured EQS to prevent all access to Windows Address Book and e-mail files. Only OE is permitted access to these. A simple check box in EQS, similar to NeovaGuard, enables or disables this feature. Scanning of text files for e-mail addresses is something I didn't consider though.
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Last year I wanted to try NG and I only got BSOD's as soon as starting my computer.
    It's a shame they don't develop it anymore, it seems it would have been a great HIPS
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Any screenshots?

    Thanks
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It does gives occasional BSODs I know.
     
  20. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Shots of E-mail file protection rules and pop-up when anything tries to access these files.
     

    Attached Files:

  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    How they get to my system isn't really important to me, I just don't want them to run on my system, except the scripts that were installed from the beginning of course, I don't want to cripple my system either.
    Removing these scripts is not a problem, stop them from running is a problem.
    I need something like AE, but for scripts. Authorized scripts are allowed to run, any other script is killed immediately.
     
    Last edited: Jul 6, 2008
  22. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    HIPS mainly look at categories of actions/behaviors, without any significant consideration of the TYPES of apps that undertake such actions/behaviors. Such being the case, a HIPS will tend to alert to any suspect actions by ANY app (including but not limited to scripts, exe's, etc).

    Accordingly, I do hope this thread stays primarily on its topic of discussing generic/unique HIPS capabilities instead of getting diverted to yet another discussion of "let's all find what Erik wants."
     
    Last edited: Jul 6, 2008
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Just answering member's questions or do I have to become impolite too. NG is abandonware, why discussing it ?
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    But there is a big difference in the two types, and you prevent in different ways.

    Since scripts is a different topic than that of this thread, go here and see my comments about AE and scripts, Post #84, and post your discussion there:

    https://www.wilderssecurity.com/showthread.php?t=210179&page=4

    --
     
  25. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The topic was started by Aigle. who asked certain questions based on NG capabilities. It is his topic and he based it on NG.

    If you want to endlessly discuss "what Erik wants" I suggest you start your own thread and stop hi-jacking others.
     
Loading...
Thread Status:
Not open for further replies.