Termination Protection- How good is ur HIPS

Discussion in 'other anti-malware software' started by aigle, Apr 24, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Just a test of ur HIPS if u think that ur HIPS is giving a good termination protection.

    Take a good backup or use a test PC.
    Download and install sysinternals RegMon, mark it as trusted in ur HIPS rules and give it protection against termination by ur HIPS( if there is such an option).
    Download and install Music Video Downloader 4.0 from here.( change hxxp to http).

    hxxp://www.zheadware.com/products/mvdown.htm

    It will create a shortcut icon Video Link Parser on ur desktop or in Start Menue/ All programs.
    Run Regmon and let it running.
    Now run Video Link Parser and it will immediatelt kill Regmon( See if ur HIPS gives popup about this and blocks this). Also u can run Video Link Parser first and while it is running, try to run Rgmon, Regmon will be killed even before loading.( See if ur HIPS protects it).
    I tested on XP SP2. Interestingly Video Link Parser does not install a driver but still it is very brutal in killing RegMon.

    HIPS failed without any popup:

    SSM free
    ProSecurity Pro( Not sure if ther are some special settings for termination protection) but it seems to fail( anybody can confirm it pls?).
    NeovaGuard Beta 2
    AppDefend- Not tested( any volunteer please).

    Older thread showed that ProcessGuard and AntiHook failed too at that time, not sure now with there latest versions. Thread is here.

    https://www.wilderssecurity.com/showthread.php?t=128594

    SSM Pro blocked it successfully( even when I did not gave any termination protection to RegMon in advanced rules)
    Out of curiosity, I started Video Link Parser isolated in GeSWall and good that it was unable to kill Regmon.

    I found it very interesting so I am posting it here( for those who are HIPS crazy!!) BTW I am not sure if Music Video Downloader is clean or not? Antivir, BOClean and AVG antispyware did not flag it.
     

    Attached Files:

  2. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    Confirmed. Tried also with 'Enforce protection' option set - same result. Will notify PS developer.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thansk a lot Kenjin.
    As I read at that time even ApDefend was probably failed here.
    Its, too weired and interesting as well. Strange that these HIPS did not even detect termination atempt, what to speak of protecting against it.
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    i wonder how eqsecure and DSA would do against this test.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Infact i wanted to try last version of PG, AD and some other HIPS but unfortunately I had no time and no immediate recovery except SS and ATI. So I posted my findings. It will be easier for anyone to test his own HIPS that is already installed. Too much of a work for me to install soo many HIPS and make new images with ATI on a single PC.

    BTW while testing I used SS and instaled SP, SSM, NG all at the same time( though one was active at a time-- luckily no BSOD).:D
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    well aigle, i just tried it with eqsecure 3.3 and DSA and they both failed to stop regmon from being terminated. they didnt' even show a pop-up warning that something was up.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    This test is realy very interesting.
     
  8. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    I tested SSM Free using SPT and APT against mspaint.exe

    It failed for APT:
    User-mode Kill 2 (WM_CLOSE)
    User-mode Kill 3 (WM_QUIT)
    User-mode Kill 4 (SC_CLOSE)

    For SPT -e (-f doesn't work on my system):
    Method 7 (terminate process as part of a job)
    Method 11 (terminate process by sending WM_SYSCOMMAND)
    Method 15 (simulation of normal process exit)
    Method 16 (terminate process by "bruteforce" message posting)
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Will be interesting to check it with DefenceWall, SandBoxie etc.
    Any volunteers?
    Come on guys, test ur HIPS against this.
     
  10. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    By default gss 1.1 doesn't stop the termination. If i adjust the rules i can stop regmon from being terminated however regmon does stop monitoring the registry.
     

    Attached Files:

  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Oh, unfortunately I forgot to check for this thing during testing It,s important as well. Ok, may be some time later or I will wait if someone tests with SSM Pro. I will test with GW now. SSM pro is no more on my system.
     
  12. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    GSS 1.2 detects the termination attempt by default. I blocked it and both programs continue to function.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok tried with GeSWall, RegMon was not terminated and continued moniroring registry.( Anyone for SSM Pro?)

    Well Tried with Sandboxie version 2.86 and DefenceWall version1.74.

    DefenceWall passed( RegMon not terminated and still monitoring registry) but unfortunately SandBoxie failed. A hint that of policy based sandboxing might be more secure than complete file and registry virtualization? I posted on their forums.

    ( In all cases Video link parser was installed outside sandboxed and then it was run isolated via right click menue option).
     
  14. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    SSM pro detects the termination attempt. Blocked it and both programs still function correctly. LOL i'm so bored today i got nothing better to do than test this stuff out.
     

    Attached Files:

  15. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    nice job guys! so far the only "passes" we have are geswall, SSM pro, GSS 1.2, and Defensewall.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Zopzop, In my opinion GSS1.2 partially passed as Regmon stopped working, though not killed. It,s very imp( loss of function is practically equal to termination).

    Edit: Sorry I missed that GSS 1.2 was passed( GSS 1.1 did not).
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    lol, thanks for that BTW.
     
  18. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I tried out cFosWatch which is a piece of freeware that monitors dialers, autostarts, filewrites and process termination and it wasn't able to stop it.
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    anyone down to try bufferzone?
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ya, plz any buferzone user?
     
  21. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Why does music video downloader terminate regmon?
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am looking for BZJet!
     
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Thanks for the info, really cleared things up for me. I would do some testing, but I have recently settled with DefenseWall which we know passes.
     
    Last edited: Apr 25, 2007
  25. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi all,

    Thanks aigle for these interesting tests

    Tested with Online Armor 2 beta 178 and OA succeed in protecting regmon from termination (OA did not notify for this kind of actions)

    One more thing, before beginning to test, regmon was capturing nothing but procmon did. ( Video Link Parser did not target procmon to protect itself )

    MaB

    EDIT : Without Protection from termination, OA detects the WM_CLOSE sended by VLP to Regmon

    http://img87.imageshack.us/img87/1658/oaul1.th.png
     
    Last edited: Apr 25, 2007
Loading...
Thread Status:
Not open for further replies.