Advice Request Why CruelSisters disable the HIPS?

Please provide comments and solutions that are helpful to the author of this topic.

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
Many AVs may have a problem with detecting never-seen & signed malware. But usually, the signed malware which can hit home users will be detected by signatures. That is why the AV alongside CF is welcome. The user can also throw out most entries from CF Trusted Vendor LIst and keep only those entries which are required for system/software updates.
You're right here. Nevertheless, my comment pointed to legit signed malware, meaning a legit file, issued by a Trusted Vendor, corrupted by malware (a.k.a CCleaner case). If such case occurs, and no programming errors are found (like the infinite callbacks home from CCleaner malware), the chances of signatures detecting it are minimum, tending to zero. Here's where the importance of backups gain popularity. :)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
You're right here. Nevertheless, my comment pointed to legit signed malware, meaning a legit file, issued by a Trusted Vendor, corrupted by malware (a.k.a CCleaner case). If such case occurs, and no programming errors are found (like the infinite callbacks home from CCleaner malware), the chances of signatures detecting it are minimum, tending to zero. Here's where the importance of backups gain popularity. :)
CCleaner was a case of update poisoning. Furthermore, on most systems, the "malware" never performed any malicious actions at all. It lay dormant. These rare cases can go undetected for a long time. But as soon as malicious actions start taking place on a significant number of computers, it will be detected.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
You're right here. Nevertheless, my comment pointed to legit signed malware, meaning a legit file, issued by a Trusted Vendor, corrupted by malware (a.k.a CCleaner case). If such case occurs, and no programming errors are found (like the infinite callbacks home from CCleaner malware), the chances of signatures detecting it are minimum, tending to zero. Here's where the importance of backups gain popularity. :)
Such malware will be also detected by signatures after some time. This usually depends on how aggressive it is. If it is ransomware, then AVs will produce fingerprints in the cloud very quickly. The CCleaner case is special, because the malware was similar to aggressive adware.
The good AVs detection is also based on analyzing telemetry from millions of computers. They use AI for it (big data & deep learning).
So, the stolen digital signature can fool most AVs when the malware is never seen, but this is usually quickly corrected by big data & deep learning methods.
 

ichito

Level 11
Verified
Top Poster
Content Creator
Well-known
Dec 12, 2013
541
Friend @ichito, yes, but the HIPS system, if you want to install a good program, will give you 10 alerts, which with the configuration of CS only if it is not recognized, the Sanbox will act.
"Good program"?...so what about "installation mode"?...or similar...that is a common and useful option/feature designed for such cases (we can find it in most of HIPS developed in history). HIPS should react giving us an alert...it's designed for such behaviour although mostly they have useful features called "white/black list" or some others technologies that could make easier porper decision by user. User should choose what in protection is more important and convinient for them but should remember also that HIPS demands our reaction/decision.
Answering question in the title - "Why CruelSisters disable the HIPS?" - perhaps it's easier for the user...why we shouldn't do this?...maybe because of such arguments?
 
Last edited:

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
"Good program"?...so what about "installation mode"?...or similar...that is a common and useful option/feature designed for such cases (we can find it in most of HIPS developed in history). HIPS should react giving us an alert...it's designed for such behaviour although mostly they have useful features called "white/black list" or some others technologies that could make easier porper decision by user. User should choose what in protection is more important and convinient for them but should remember also that HIPS demands our reaction/decision.
Answering question in the title - "Why CruelSisters disable the HIPS?" - perhaps it's easier for the user...why we shouldn't do this?...maybe because of such arguments?
I'm not saying that HIPS is bad, it's a very strong system that I've used, in Paranoid mode.
But with the configuration of @cruelsister it stops him and with that you do not stop being sure.:giggle:
 

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
CCleaner was a case of update poisoning. Furthermore, on most systems, the "malware" never performed any malicious actions at all. It lay dormant. These rare cases can go undetected for a long time. But as soon as malicious actions start taking place on a significant number of computers, it will be detected.
Such malware will be also detected by signatures after some time. This usually depends on how aggressive it is. If it is ransomware, then AVs will produce fingerprints in the cloud very quickly. The CCleaner case is special, because the malware was similar to aggressive adware.
The good AVs detection is also based on analyzing telemetry from millions of computers. They use AI for it (big data & deep learning).
So, the stolen digital signature can fool most AVs when the malware is never seen, but this is usually quickly corrected by big data & deep learning methods.
Yes. You both are right. I am talking about antivirus detecting these kind of malware at the very first sight. Literally no AV, if I'm not mistaken, caught CCleaner on the moment. It wasn't after some time that some companies detected the anomaly and found out about what happened. That's my point. To this rare case of malware, probably nothing will be helpful instantly.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
So this suggest that HIPS is better then Sandobx suggested by @cruelsister
Yes, HIPS is stronger than sandbox, but HIPS+a properly configured sandbox is even stronger than either one on its own. CruelSis recommends disabling HIPS because of the headaches it causes to most users. But for advanced users who enjoy the challenge, HIPS adds protection.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
HIPS alongside highly restricted Comodo sandbox can be useful only for advanced users or those who want to learn how the system works when executing files. For most users, HIPS will be just annoying alerts.
In the case of malware with a stolen digital certificate, the user will be simply infected, unless HIPS is set to Paranoid Mode. Even then, most users will treat the alerts as false positives if they think that the signed file is legal (like in the case of CCleaner).
I am not sure If HIPS is triggered earlier in the boot timeline as compared to autosandbox feature. Both are triggered by Comodo services.
 

ichito

Level 11
Verified
Top Poster
Content Creator
Well-known
Dec 12, 2013
541
But with the configuration of @cruelsister it stops him and with that you do not stop being sure.:giggle:
Yes...it's only smart technology what can means also that something trustworthy can be blocked...and something lethal can be allowed :)

I am not sure If HIPS is triggered earlier in the boot timeline as compared to autosandbox feature. Both are triggered by Comodo services.
You mean start as the service? Nowadays SpyShelter can run in that way...earlier (as I remember) it was System Safety Monitor and Online Armor...and perhaps many others.
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
Yes...it's only smart technology what can means also that something trustworthy can be blocked...and something lethal can be allowed :)
You must understand that it acts as an anti-exe is configured to not allow what is not recognized, even if the application is clean, it will be placed in the Sanbox. It is the responsibility of the user to know if it gives reliability or not.
It is also not easy for users who do not understand how this configuration works, although some say it is for beginners.:LOL:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040

ichito

Level 11
Verified
Top Poster
Content Creator
Well-known
Dec 12, 2013
541
You must understand that it acts as an anti-exe is configured to not allow what is not recognized, even if the application is clean, it will be placed in the Sanbox. It is the responsibility of the user to know if it gives reliability or not.
It is also not easy for users who do not understand how this configuration works, although some say it is for beginners.:LOL:
For me...it means :ROFLMAO: Comodo have ended for me at 3.5 version :sneaky:
No offence...your mentions about CIS are very useful and informative but I'm rather used to others "classical mode" HIPS. Thanks for clarification :emoji_beer:
 
L

Local Host

Yes. You both are right. I am talking about antivirus detecting these kind of malware at the very first sight. Literally no AV, if I'm not mistaken, caught CCleaner on the moment. It wasn't after some time that some companies detected the anomaly and found out about what happened. That's my point. To this rare case of malware, probably nothing will be helpful instantly.
You all talking signatures like we're in the 90s, this is 2019 and AVs have behaviour blockers, cloud, etc to deal with that sort of malware.

Sure it won't protect against all threats, but the CCleaner Incident was targetted which is something Home Users don't need to worry about generally.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
You all talking signatures like we're in the 90s, this is 2019
Valid digital signatures still play a big part in whitelisting files.
1 Comodo and many other advanced security programs will "trust" files signed by vendors that are on the approved list, unless there is an explicit block rule for that file
2 Windows 10 Smartscreen and many antiviruses will give more trust to a file with a valid digital sig.
3 A careful user who downloaded a file from the official site, and sees that it is signed by the official vendor, will tend to trust it.
 

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
625
So just to clarify, CFW once configured properly with CS settings will BLOCK any malicious file from executing, while if one chose to activate HIPS, would receive an alert or a multitude of alerts requiring action by the user?

When I mean block, I mean that one receives a Windows error message that the file cannot be executed or found.

I bring this up because I have found files in cfw Blocked Applications that were blocked by Containment but I received no alert by cfw other than a Windows error message upon opening the file. Test I used was the basic EICAR file.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top