Is there a standalone highly effective HIPS product?

W

Wave

Thread author
Jeff_T - Testing Group said:
It is not a bug, it is the way HIPS functions. For example,

execute Parent_Malicious_Process.exe > attempts to execute Child_Malicious_Process.exe > user Allows > Child_Malicious_Process.exe attempts to execute Windows process > user Terminates Child_Malicious_Process.exe > dependent upon settings either the Child_Malicous_Process.exe only or both it and its child will be terminated

The Parent_Malicious_Process.exe can still be loaded in active memory since the user only terminated the child process (Child_Malicious_Process.exe). If the user had terminated the parent, then it would not be loaded into active memory - and the entire run sequence would have been terminated right there and then.

However, there are some malicious processes that resist termination using HIPS, antivirus, behavior blockers, and various other utilities. As long as an autorun has not been created by the process, a system reboot will clear active memory and it will not reload.
Click to expand...
Yes, I thought that it was meant that when the user terminated the parent process it stayed in memory instead - basically I misunderstood what was said.

I'm not a user of SpS so when I misunderstood I assumed there was a bug, now I understand what's going on here, thank you :)

As for the resist termination, on x64 you can terminate any process from kernel mode, since malware cannot hook the kernel and therefore you can just bypass access checks incase of a kernelmode callback being used via ObOpenObjectByPointer :) and then on x86 you can just repair SSDT if it's hooked etc
 
  • Like
Reactions: Deleted member 2913, AtlBo, Svoll and 3 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Wave said:
Yes, I thought that it was meant that when the user terminated the parent process it stayed in memory instead - basically I misunderstood what was said.

I'm not a user of SpS so when I misunderstood I assumed there was a bug, now I understand what's going on here, thank you :)

As for the resist termination, on x64 you can terminate any process from kernel mode, since malware cannot hook the kernel and therefore you can just bypass access checks incase of a kernelmode callback being used via ObOpenObjectByPointer :) and then on x86 you can just repair SSDT if it's hooked etc
Click to expand...
SpS has known limitations on x64 systems, that's the problem here.
 
  • Like
Reactions: Deleted member 2913, AtlBo and Svoll
W

Wave

Thread author
shmu26 said:
SpS has known limitations on x64 systems, that's the problem here.
Click to expand...
If it's attempting to terminate the target process from user-mode then it can be prevented easily, whereas if they are using kernelmode for the termination then they can do more than the standard call to NtOpenProcess to obtain the handle.

In fact, even if they do it from user-mode they could try a direct system call to make it more effective.

However, on x86 systems where you can freely patch the kernel, rootkits can do a lot to prevent termination... Then it becomes a game of reverting the effects, cleaning out system drivers responsible for the patch modifications at reboot (e.g. removing a system file which set active kernelmode hooks prior to unhooking would cause a BSoD), etc.

Therefore, even though SpyShelter may have some limitations on x64 (due to not being able to patch the kernel), it is actually easier for them to make better termination for the x64 version, since malware will also have these restrictions (therefore ObOpenObjectByPointer cannot be hooked to be blocked but it is capable of bypassing kernelmode callbacks used for process protection). ;)
 
  • Like
Reactions: Deleted member 2913, AtlBo, Svoll and 3 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Wave said:
If it's attempting to terminate the target process from user-mode then it can be prevented easily, whereas if they are using kernelmode for the termination then they can do more than the standard call to NtOpenProcess to obtain the handle.

In fact, even if they do it from user-mode they could try a direct system call to make it more effective.

However, on x86 systems where you can freely patch the kernel, rootkits can do a lot to prevent termination... Then it becomes a game of reverting the effects, cleaning out system drivers responsible for the patch modifications at reboot (e.g. removing a system file which set active kernelmode hooks prior to unhooking would cause a BSoD), etc.

Therefore, even though SpyShelter may have some limitations on x64 (due to not being able to patch the kernel), it is actually easier for them to make better termination for the x64 version, since malware will also have these restrictions (therefore ObOpenObjectByPointer cannot be hooked to be blocked but it is capable of bypassing kernelmode callbacks used for process protection). ;)
Click to expand...
Wave, I will just have to believe you, because this is getting over my head...
 
  • Like
Reactions: Deleted member 2913, AtlBo and Svoll
You must log in or register to reply here.

Similar threads

Smoke
Question Firewalls with Block-Ask functionality
Replies
3
Views
602
General Security Discussions
LoneWolf.
LoneWolf.
Jonny Quest
    • Wow
    • Like
    • +Reputation
New Update EOL of the standalone F-Secure Freedome VPN and ID Protection apps.
Replies
3
Views
1,020
F-Secure
Jonny Quest
Jonny Quest
Gandalf_The_Grey
    • Like
Technology Panos Panay Details Amazon’s New Consumer Product Strategy
Replies
3
Views
338
Technology News
Zero Knowledge
Z

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top