Advice Request Why CruelSisters disable the HIPS?

Please provide comments and solutions that are helpful to the author of this topic.

camo7782

Level 4
Thread author
Verified
Apr 29, 2019
168
9181230e.jpg
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
it seems she run unknow apps into sandbox, what if a safe app is infected?
She tested the malware in a virtual machine. Furthermore, she is an IT professional. She also created her own malware samples (not published) to show that most AVs have very weak protection against scriptors.

If a legit signed app is infected, not anti-executable, HIPS or antivirus will save your ass.
Many AVs may have a problem with detecting never-seen & signed malware. But usually, the signed malware which can hit home users will be detected by signatures. That is why the AV alongside CF is welcome. The user can also throw out most entries from CF Trusted Vendor LIst and keep only those entries which are required for system/software updates.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
So her amlware was able to bypass CF with her settings too?
Some samples with EV certificate could. But, this kind of malware is used in targetted attacks on organizations, not home users.
How do I do that?
It was possible some time ago:

So, it is probably possible now.:unsure:
 

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
Maybe this program is too complex for you at this time. You could just run it and leave Windows' Firewall active (it won't hurt your system). Then watch and observe and search for answers (here and w/Google) before adding 50 questions to this thread. I say this in peace.

Re: HIPS... it is fine to leave it on... some here do. It is chatty. Try it if you like. Again... no harm is done by running it.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Found! So new vendors not in the list will end up in Untrusted category? What if an app has no vendr or is not signed? Same result?
You have a lot of information about CF on the CIS website. The Firewall Configuration, HIPS Configuration, Containment Configuration, File Rating Configuration, and Advanced Protection Configuration are valid for CF too.
Here is an answer to your question:
As you can see the application must be signed and the vendor must be on the TVL list, and then the application will be Trusted. There are some other possibilities too (citation):

"There are three ways that a file can be treated as safe in CIS:
  • The file is on the Comodo safe list (a global white-list of trusted software)
  • The user has assigned 'Trusted' rating to the file in the CIS file list (‘Settings’ > ‘File Rating’ > ‘File List’)
  • The file is published and signed by a trusted vendor. The 'vendor' is the software company that created the file."
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top