Some unique HIPS features

Discussion in 'other anti-malware software' started by aigle, Jul 5, 2008.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I will do "what Bellgamin wants". :rolleyes:
     
  2. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Obviously not just text files it attacks.

    http://www.symantec.com/security_response/writeup.jsp?docid=2005-052215-5723-99&tabid=2

    I guess the best I could do with EQS would be to limit access to these files types. Thinking of the number of pop-up's, don't think I'll bother.

    Do any behavioural blockers like Threatfire or Mamutu detect this kind of behaviour? What about Defensewall? Seems to me that protection from ransomware like this is something for a 'smart' behavioural blocker rather than a classical HIP's.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Seems you are right. I have not tried behav blockers with this malware but will try to test with TF.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Thanks hammerman.:)
     
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello hammerman,

    I have personally tested the GPcode trojan in question against both DefenseWall and Primary Response SafeConnect. The former was able to successfully block and contain it while the latter was not.


    Peace & Gratitude,

    CogitoErgoSum
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,381
    Location:
    Hawaii
    I am a CFP user. As such, I strongly support your proposal to add such filters to CFP (Defense+). I want to endorse your comments at Comodo's forums, but couldn't find your post. Link please?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    GW stops it too.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    These kind of features would be useful as an heuristic analyzer module in a classical HIPS. Then, you would have an hybrid between a HIPS and a behav. blocker.
     
  10. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks for test results. Didn't expect DW (or GW) to protect against this. I thought protection from ransomware would be more prominent in their feature list.

    Any chance you could PM me a link to GPcode. I'd like to test against OA's run safer and Mamutu.
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Always expects unexpected. :D
     
  12. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Lesson learnt. Seems like this protection could be quite unique though. Looking forward to seeing if TF and Mamutu are up to the challenge. Response from OA is that this is a feature that may be added in future.

    Does DW protect against GPcode simply by running malware file untrusted or does the resource protection need to be used?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If this threat is the KD.exe, then Sandboxie protects. Also OA actually does now in some ways. If the exe is downloaded from the web thru a drive by, and you are running your browsers with Run Safer, it will indeed not allow this thing to do damage. I've tested that.

    Also OA will have two new features. One is direct disk access, and other is automatically running an unknown program at lower rights. Test both in beta's and both work.

    Pete
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, I'm not sure if DW covers all the file types Gpcode encodes. But most of them are, as I know, the most important for an average user. Will check out later.
     
  15. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Tested sample of GPcodei courtesy CogitoErgoSum.

    Sandboxie completely isolates infection :thumb:
    OA run safer fails to protect :thumbd:
    Mamutu quiet as a mouse in Paranoid Mode (waste of good memory space IMO) :thumbd:
    AntiVir detects infection :thumb:
    EQS 3.41 unable to do anything about it :thumbd:
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks Ilya,

    I haven't used DW for a while since there is a conflict on my system when I run Sandboxie, OA and DW together.

    As I understand it, an untrusted process cannot modify any other files and this is how it protects against GPcode. Are you saying there are some exceptions to this rule for certain file types?
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    No, it,s not.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay. Got a sample and tested. Nasty little critter.

    ShadowDefender did it's job well as did Sandboxie.

    OA's Runsafer didn't and couldn't do anything. I would suspect none of the policy based sandbox will.

    I ran it with both OA and SSM on to see what it was doing. Both just alerted it wanted to run. It did nothing else, so clearly it didn't need system privileges. By the time the next pop up's came about the vbs file, it was too late.

    Pete
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    GW( i think) and DW will protect against it.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, so they are protecting files also?
     
  21. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I would like to test this GPcode do not have sample though:(
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Why not. Registry n files both. No protection if u can,t protect files. Just they don,t rely heavily on virtualization, only as musch as needed.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I PMed u, pls share ur results but take care not to loose ur data.
     
    Last edited: Jul 7, 2008
  24. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    thanks.I will post after test.Here is what I got from KAV.
     

    Attached Files:

    Last edited: Jul 7, 2008
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I tried it with GW to be sure. Excellent job by GW on default settings. :thumb:

    1.jpg 2.jpg
    3.jpg
    4.jpg
     
    Last edited: Jul 7, 2008
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.