What's Your Viewpoint On This

Discussion in 'other anti-malware software' started by EASTER.2010, Mar 16, 2007.

Thread Status:
Not open for further replies.
  1. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Easter,

    It seems that you have no answer to my points hence you decide to play the victim.

    I have no personal axe to grind with you, beyond the fact that while the regulars here are experienced enough not to fall for your misinformation this forum gets a lot of newcomers so your disinformation has to be challenged vigorously (not that I'm the first to do so).

    If someone had done so at the outset, you wouldn't have sprouted your silly whole SSDT no overlap theory half a dozen times. I must bear some of the responsibility because for some reason, I missed or misinterpreted your posts on that. In fact I overestimated your knowledge, I thought you tested each one separately, noted down what was hooked and checked for overlap, but it turns out you just installed them all together and noted only one entry for each!

    Despite being proven wrong on this you persist on your whole HIPS have no overlap theory including confidently making bold claims without any evidence about how HIPS makers are ensuring that their products don't overlap.
     
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Easter.2010,

    I'll take it at face value that you haven't experienced any obvious negative outcomes thus far. However, cascaded HIPS coverage is certainly not a recommended course of action for anyone. You do increasingly court instability in the system with very little even potential payback.

    In very crude terms, you've spliced in a chain of successive filters, many of them manual in nature. You replaced...
    • System call made
    • Jump to appropriate routine identified in SSDT made and return
    with
    • System call made
    • Jump to HIPS1 filtering routine - allow or block, if allowed, jump to next in chain, otherwise return
    • Jump to HIPS2 filtering routine - allow or block, if allowed, jump to next in chain, otherwise return
    • and so on until the real function is executed.
    Answering the same question with the same answer n times is not fundamentally more protective than answering it one time only with the same answer. I realize that every HIPS on the market does not have precisely the same SSDT entries hooked, although many have a very common subset, with variations on that basis set.

    More granular direct interaction with the underlying OS is not necessarily better.

    Blue
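    The filter chain Blue describes, as an added model that is not code from this thread or from any HIPS product: a tiny "SSDT" of function pointers, two assumed products (HIPS1 hooking services 0 and 1, HIPS2 hooking 1 and 2) with the same assumed allow rule, so the doubly hooked entry costs two filter traversals for exactly the verdict one filter would give.

```c
#include <stdbool.h>
/* Constructed model, not real kernel code: a tiny "SSDT" of function
 * pointers, and HIPS layers that each replace an entry with a filter that
 * saves the previous pointer and passes the call on only if its rule allows. */
#define NUM_SERVICES 3
typedef int (*svc_fn)(int arg);
static int filters_visited;  /* filters the latest call passed through */
static int real_executed;    /* 1 when the real routine actually ran   */
static int real_service(int arg) { real_executed = 1; return arg * 2; }
static svc_fn ssdt[NUM_SERVICES] = { real_service, real_service, real_service };
typedef struct { svc_fn saved; bool (*allow)(int); } hook_t;

/* Assumed rule, the same in both products: odd arguments are refused. */
static bool policy(int arg) { return arg % 2 == 0; }

/* Each hooked entry needs its own filter carrying its own saved pointer. */
#define DEFINE_FILTER(name)                                               \
    static hook_t name##_hook;                                            \
    static int name##_filter(int arg) {                                   \
        filters_visited++;                                                \
        if (!name##_hook.allow(arg)) return -1; /* block: return early  */ \
        return name##_hook.saved(arg);          /* allow: next in chain */ \
    }
DEFINE_FILTER(hips1_s0)
DEFINE_FILTER(hips1_s1)
DEFINE_FILTER(hips2_s1)
DEFINE_FILTER(hips2_s2)

/* Hook one entry: remember what is there now and put the filter in front. */
static void install(int svc, hook_t *h, svc_fn filter, bool (*allow)(int)) {
    h->saved = ssdt[svc]; h->allow = allow; ssdt[svc] = filter;
}

/* HIPS1 hooks services 0 and 1, HIPS2 hooks 1 and 2: entry 1 is hooked twice. */
static void setup_cascade(void) {
    static bool done; if (done) return; done = true;
    install(0, &hips1_s0_hook, hips1_s0_filter, policy);
    install(1, &hips1_s1_hook, hips1_s1_filter, policy);
    install(1, &hips2_s1_hook, hips2_s1_filter, policy);
    install(2, &hips2_s2_hook, hips2_s2_filter, policy);
}

/* Dispatch through the table; report how many filters the call crossed and
 * whether the real routine ran. Returns its result, or -1 if blocked. */
static int syscall_via_ssdt(int svc, int arg, int *visited, int *ran) {
    filters_visited = 0; real_executed = 0;
    int r = ssdt[svc](arg);
    *visited = filters_visited; *ran = real_executed;
    return r;
}
```

    Calling service 1 with an even argument crosses both filters before the real routine runs, while an odd argument is refused by the first filter met; service 0 or 2 gives the same verdicts after a single filter.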
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    One visible effect, that I now recall, seems that Gmer doesn't run on your system.
    You have to take this into consideration imo, and simply turning the HIPS off won't isolate the issue.

    I'm only trying to help in clarifying with an example.
     