Some unique HIPS features

Discussion in 'other anti-malware software' started by aigle, Jul 5, 2008.

Thread Status:
Not open for further replies.
  1. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Kav denied Access no word from Norton AntiBot.All detection logs gone after reboot.Kudos to shadow Defender as well.
     
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Does GPcode scan all partitions for files?
    What files besizes txt does it attack?
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Viruslist
    Who's Behind GPcode
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Yes, it does so.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    TF does not detect GPcode trojan.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan

    Attached Files:

  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    How long takes GPCode to do it's job?
    Are there any signs of activity?

    I mean, if somebody unprotected gets hit by this, is there any chance to tell something wrong is happening and stop it from task manager before it destroys all files?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, so it's not protecting based on policy as much as protected files. The question about say GW, is you have to specify protected files, which means it nails all the ones you don't specify. When I tested it, it got everything, including stuff on the desktop. Having to specify files to protect is a weakness. Sandboxie didn't let do anything, and of course ShadowDefender undid all the damage.
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,379
    Location:
    Hawaii
    Sob. :oops: :p

    Clapping!!!:) :D :D

    @ aigle, Pete, etc --- Thanks to all for the testing & info! A special thanks to aigle for starting this very helpful & educational thread.
     
  10. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Takes about 10 minutes on my PC.
    Interesting watchng it do it's work with FileChangeAlarm on.
    Lot's of hard disk activity is only indication.
    Yes, it can be stopped by task manager.

    Seems I was wrong about behavioural blockers.
    Attempts to encrypt files in my view should be detected by the likes of TF & Mamutu.

    If it is the case that you have to specify which files to protect with GW, then it doesn't really pass the test for me.

    CogitoErgoSum
    Did you have to specify which files to protect with Defensewall? I thought that an untrusted process could not modify any files with possible exceptions to be confirmed by Ilya (see post #41)
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Not exactly. DW has built-in list of the file's extensions untrusted can't modify. Other types files can be. So, some files can be encrypted with GPcode untrusted, but DW do cover the most important ones with built-in ruleset and resource protection function. Also, the files you think important can be protected with "Secured files" function.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Peter, you are nmistaken. GW protects against it with default settings out of the box. You don,t need to tell him which files to protect. It protects ALL files.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    It,s a mis-understnading. See my post above.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Aigle

    Thanks for the correction. It is confusing indeed.

    Pete
     
  15. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello hammerman,

    FYI, the "only" other thing that I have done regarding the protection of specific files/folders with DefenseWall is put my "Documents" folder which contains private/sensitive information under the care of "Secured Files".


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jul 8, 2008
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Thanks Ilya - I understand now.

    Do you think it is feasible to detect the encrypting behaviour of malware like GPcode? DW, GW and Sandboxie seem to do a good job of isolating the effects but there doesn't seem to be a program that detects the actual behaviour. NeoavaGuard HIPS seems to have made an effort to detect this but doesn't go far enough. Is it possible to detect when a file is read and re-written in an encrypted form?
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, it is possible, but this will cause significant system's slowdown as requires calculate an entropy of the new file realtime. False positives are here too. Also, such the system hardly can be generic- malware may re-write file in one byte buffer, for instance, this will cause impossibility to recover an original file when an entropy engine will flags encryption. Not really clever solution, it _can_be_bypassed_.
     
  18. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,379
    Location:
    Hawaii
    Has anyone tested DriveSentry versus this threat? After all, DS claims to specialize in protecting files -- shouldn't it do the job in this case?
     
  19. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I think you may be right. It is referred to here.

    http://blog.drivesentry.com/
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    It,s not job of a sandbox. It,s job of a behav blocker I think.
     
  21. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    It would be nice to see How DriveSentry handle this threat.I would like to test it my self but I was very unlucky with DS after 3 BSOD I removed it.:(
     
  22. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Totally agree. The only programs effective against GPcode so far are GW, DW and Sandboxie. They have proved their worth. Nothing as far as I know detects the actual encrypting behaviour.

    When a program is busy making all your data files unreadable, I would have said that was suspicious behaviour worthy of a response! When needed, Mamutu was wondering what to do next.

    I need to think about a new setup after this. Paranoia is setting in again.
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Aigle,

    Could you please re-test when not using a confidential folder? I got simular results as Peter, but I used an old configuration of GeSWall Pro (to let my printer working properly, I had given the named pipe Lsass more access rights = which is a weakening of the protection level)

    Regards Kees
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    If I´m correct this GPcode trojan basically works about the same as a file invector, and like I said a while back, current HIPS won´t protect you against this method, you need a sandbox for this. NG does try to protect, but fails, so would be cool if it could virtualize this action (like SBIE) and then give you the alert, you would then immediately know that you´re dealing with malware, without suffering any damage.
     
    Last edited: Jul 9, 2008
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Kees

    My comment wasn't based on a test, but on the assumption that gw was just changing rights/policy, and that doesn't work. The problem to me was not just worrying about special folders, but even text files on the desktop got nailed.

    Pete
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.