System shut down protection and HIPS

Discussion in 'other anti-malware software' started by aigle, Oct 9, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried two programs mentioned in this thread.

    http://forums.comodo.com/cfp_beta_corner/proofs_of_concepts_vs_cfp3-t12141.15.html

    f**k.exe and restart.exe. I tried them against GW, EQS and Sandboxie. Both are able to shut down the system if allowed to execute.

    EQS failed although it has protection against system shutdown. NG has no such feature at all ATM (I have suggested it though).
    GW failed too.
    Sandboxie passed.

    I think ProSecurity protects against these (not tried). I hope users can try their HIPS against these and share the results.
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Welcome back aigle :) and nice tests as usual. I'm amazed that GeSWall failed to stop the system from being shut down (was this test against GeSWall v2.6 or GeSWall 2.7 beta?). Did you notify GentleSecurity of GeSWall's failure to prevent the shutdowns?
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks zopzop. Nice to see you around. Just got my internet back today (though it's costly and I am still trying for a cheaper one; what do you think of a dial-up at 0.75 dollars per hour? :) ).

    Tested with 2.7 beta and sent a mail to Brian just today.
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I just don't understand - why forbid system shutdown?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Nothing much. It's just a feature of many HIPS. Malware might try to install itself during reboot. If you talk of malware, I have seen the Brontok worm trying to shut down the system every few minutes. Surely there must be other malware that uses this technique.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Thanks for testing this. It reminds me of the old 98 days when various holes in IE were exploited such that as soon as you entered the laced site, the PC would either shut down or reboot.

    In this case it's very relevant if some malware requires a reboot to load a driver or attach a DLL to keep itself merrily running around a system, driving the user nuts.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan

    Attached Files:

    Last edited: Oct 15, 2007
  8. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Online Armor too

    MaB
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That's nice. Any snapshots would be nicer!
     
    Last edited: Oct 17, 2007
  10. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi aigle,

    OA.JPG

    Regards,

    MaB
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks, but it's just the permissions of explorer.exe.
     
  12. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Yes, but by default all listed processes are set to "ask" for system shutdown.

    MaB
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I understand that, but did you try these two executables specifically? What was the reaction of OA to them?
     
  14. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Sorry aigle,

    I was a little dumb. o_O
    Will make the test later and give the result

    Regards,

    MaB
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No problem. You got my point. Having system shutdown protection as a feature is one thing, and the effectiveness of this protection is a different thing.
     
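A constructed, reversible probe for the point above, added here as an example; it is not part of the thread and is not the f**k.exe or restart.exe binaries, whose internals the thread does not describe. It enables SeShutdownPrivilege in the caller's token, requests a reboot 60 seconds out through advapi32's InitiateSystemShutdownEx, and then aborts the request, so a HIPS "system shutdown" rule can be watched prompting, or not, without the machine actually going down. The class name ShutdownProbe and the message text are assumptions. Run it from an elevated PowerShell.

```powershell
# Added example: reversible shutdown-request probe for testing HIPS "system shutdown" rules.
# Not the thread's f**k.exe / restart.exe. Requires an elevated PowerShell session.
$signature = @'
using System;
using System.Runtime.InteropServices;

public static class ShutdownProbe   // class name is an assumption for this example
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufLen, IntPtr prevState, IntPtr retLen);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool InitiateSystemShutdownEx(string machine, string message,
        uint timeoutSeconds, bool forceAppsClosed, bool reboot, uint reason);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool AbortSystemShutdown(string machine);

    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020, TOKEN_QUERY = 0x0008, SE_PRIVILEGE_ENABLED = 0x0002;

    // InitiateSystemShutdownEx needs SeShutdownPrivilege enabled in the caller's token;
    // an elevated token holds it but leaves it disabled until AdjustTokenPrivileges is called.
    public static bool EnableShutdownPrivilege()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            return false;
        try
        {
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
            if (!LookupPrivilegeValue(null, "SeShutdownPrivilege", out tp.Luid)) return false;
            // AdjustTokenPrivileges returns TRUE even if not every privilege was assigned,
            // so GetLastError must be ERROR_SUCCESS as well.
            return AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
                && Marshal.GetLastWin32Error() == 0;
        }
        finally { CloseHandle(token); }
    }

    // Asks for a reboot timeoutSeconds from now, then cancels it.
    // Returns 0 if the request was accepted (nothing intercepted it), else the Win32 error code.
    public static int ProbeAndAbort(uint timeoutSeconds, string message)
    {
        // reason 0 = SHTDN_REASON_MAJOR_OTHER | SHTDN_REASON_MINOR_OTHER
        if (!InitiateSystemShutdownEx(null, message, timeoutSeconds, false, true, 0))
            return Marshal.GetLastWin32Error();
        System.Threading.Thread.Sleep(2000);   // long enough to see the HIPS reaction, if any
        if (!AbortSystemShutdown(null))
            throw new InvalidOperationException("Abort failed; cancel manually with: shutdown.exe /a");
        return 0;
    }
}
'@
Add-Type -TypeDefinition $signature

if (-not [ShutdownProbe]::EnableShutdownPrivilege()) {
    throw "Could not enable SeShutdownPrivilege; run this from an elevated prompt."
}

$err = [ShutdownProbe]::ProbeAndAbort(60, "HIPS shutdown probe - will be aborted")
if ($err -eq 0) {
    Write-Host "Shutdown request was ACCEPTED and then aborted: nothing intercepted the call."
} else {
    Write-Host ("Shutdown request was REFUSED (Win32 error {0}); check whether the HIPS prompted or logged it." -f $err)
}
```

This exercises only the InitiateSystemShutdownEx path. ExitWindowsEx and the native NtShutdownSystem / NtSetSystemPowerState calls are separate entry points, and a HIPS that prompts on one of them can still let a test binary through on another, which is exactly the gap between having the feature and the feature being effective.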
  16. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Aigle, OA personal (latest beta) fails both tests :oops:

    Regards,

    MaB
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I really expected so. These two executables defeated many HIPS.
     
  18. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Aigle,

    Kinda surprised GW failed. Have you contacted them, and if so, have you received a response?
     
    Last edited: Oct 17, 2007
  19. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    As long as the malware cannot write to the actual registry, the shutdown is not very important.
     
  20. Stephen2_Aus

    Stephen2_Aus Registered Member

    Joined:
    Feb 17, 2007
    Posts:
    37
    The shutdown is important for the number 1 reason I use a HIPS:
    The computer is doing something I didn't tell it to do.
    I don't want it randomly rebooting.

    I'm at work now and can't test these programs against ProSecurity 1.4 Public Beta 2, but would appreciate if someone could.

    I have found PS to be the best HIPS and would like to know if it detects these two threats.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Somebody mentioned in the Comodo thread that PS intercepts these two tests successfully, if I remember well.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I was surprised too. It has been a long time since I saw GW failing somewhere.

    I have reported it to Brian along with many other observations/suggestions. He will reply, but not very soon, as I know they are busy with the upcoming v2.7 release. He replies late when they are busy and instantly when not.
     
  23. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    sdown.jpg

    :thumb:
     
  24. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    I tested both executables against one of the latest DefenseWall driver builds and DriveSentry v3.0 build 89 beta. Unfortunately, both of them failed.


    Peace & Love,

    CogitoErgoSum
     
    Last edited: Oct 21, 2007
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    (Un)Fortunately, neither of them were designed to prevent this kind of attack in the first place. :D
     