HIPS and some problems.

[itman 1,659]

47 minutes ago, persian-boy said:

There is no dig sign list

In regards to this subject, you need to read this: https://thehackernews.com/2017/11/malware-digital-certificate.html

From the ReHIPS web site:

47 minutes ago, persian-boy said:

From what I know Rehips didn't Approve by homeland?!!

Correction - DoD requirements per GP/SRP use:

Quote

Windows meets the requirements of C2-level security of the U.S. Department of Defense, it already has all the necessary mechanisms to provide access control. ReHIPS takes advantage of these built-in mechanisms and operates in a restrictive manner (if it is not explicitly allowed, block it). It executes every restricted application in the isolated environment (ReHIPS mode) with its own set of rights

And futher proof it is built on GP/SRP:

Quote

ReHIPS doesn't detect malware. Instead it uses Windows built-in access control mechanisms to ensure system safety and data security.

All the above "marketing speak" for GP/SRP.

Since there have been numerous GP/SRP and permission bypasses, anything using "Windows built-in access control mechanisms" is definitely something I wouldn't be relying on.

Edited November 7, 2017 by itman

[persian-boy 22]

It's just saying how strong Rehips is!but there is no anything about the homeland award!or smth that show approved by homeland.

10 hours ago, itman said:

All the above "marketing speak" for GP/SRP.

no this is not true! you can ask others such as umbra ...! Rehips don't rely on SRP and Gr!using own mechanic(program list and sandbox)the SRP bypasses are not related to Rehips..
https://forum.rehips.com/index.php?topic=2032.690
Just for your information Cowboy!also that malware your mentioned(Dis sign)will not hit me. also, I  always have my safe dig signed list! so having dig sign is necessary for every Hips.

Edited November 7, 2017 by persian-boy

[itman 1,659]

4 hours ago, persian-boy said:

so having dig sign is necessary for every Hips.

Did I not discuss this with you in a PM? Eset HIPS is not "user friendly" by design. As such, adding features like allowing Trusted Publishers and the like are never going to happen.

[Marcos 5,074]

15 minutes ago, itman said:

Did I not discuss this with you in a PM? Eset HIPS is not "user friendly" by design. As such, adding features like allowing Trusted Publishers and the like are never going to happen.

This would be rather a feature of Application control which we don't have yet. PS: I would never say never

[itman 1,659]

17 minutes ago, Marcos said:

This would be rather a feature of Application control which we don't have yet. PS: I would never say never

Hum ....... How about my request for HIPS file wildcard capability?

[persian-boy 22]

3 hours ago, Marcos said:

Application control which we don't have yet

I'm waiting to see such feature in Esset!xd I just like these stuff!

[itman 1,659]

Suspect the Application Control feature will be the anti-exec capability many have requested.

[peteyt 393]

5 hours ago, Marcos said:

This would be rather a feature of Application control which we don't have yet. PS: I would never say never

Looks like this is probably going to happen then ha

[persian-boy 22]

Eset don't you want to release a changelog for these micro updates?I can see the hips module got some updates! no idea what are these changes? same for other modules.

[persian-boy 22]

On 10/29/2017 at 2:46 PM, Marcos said:

Do you have automatic activation of gamer mode for applications running in fullscreen mode enabled or disabled?

Updated to the last build and this issue doesn't exist anymore!keep up the good work Marcos.would be good if you fix other bugs(Hips problems) as well<3

[persian-boy 22]

 Hi,
There is a tooL call Pc Hunter!it can remove every file, folder, driver and...  with one click! I tested it against comodo Hips and Comodo failed to protect my protected files form change!!

Just tested it against Eset and the same story! I asked hips to protect some files! then run my tool and force remove those files!
Not even one alert from HIPS!the files gone :-( my next generation protection failed.

An expert told me how it works(all from that guy):
 

It probably bypasses API hooks for file removal with a system call to NtDeleteFile, or it uses a kernel-mode device driver to remove files without triggering NtDeleteFile hook on SSDT/FltRegisterFilter callback.
I'm betting on the latter being the reason why it bypasses your HIPS.
If it  installed a driver without consent according to your HIPS configuration then it probably used a work-around for that too. There are many ways to work-around HIPS, you just need to know how the monitoring is applied. I mean I've never used the software you're referring to but I know it is genuine security software and appears to be aimed at cleaning rootkits infections, so you'd expect them to have great knowledge on Windows Internals which is more or less the entry point to bypassing features like HIPS.

There are many ways to install a device driver. The first method would be relying on the normal service manager to create and start a Windows Service for a device driver. The second method would be applying registry modifications to setup the device driver installation (basically replicating what the service manager will do for initialisation before the start operation) and then using Native API functions like NtLoadDriver to start the service. The third method would be using an undocumented Native API function called NtSetSystemInformation, which is something that Microsoft used in the past for this same thing (which is how the technique was discovered). Another method could be injecting code into another process and have it load the driver for you. Another method could be patching an existent driver which isn't active but can be accessed on disk for read/write and then have that utilised automatically at boot, etc.

The NtLoadDriver and NtSetSystemInformation techniques are commonly only ever used in malicious software, but their use is not prevalent. Especially not nowadays at-least. Genuine software usually uses the documented service manager APIs, but when it comes down to security software, it would be reasonable to expect a sense of undocumented things going on because sometimes it is the only way to achieve the desired result. This is also why some security software causes crashes on new updates to Windows (e.g. new OS version won't be supported for X amount of time because the vendor needs to start reverse engineering and maintain support for "undocumented" things it may have been previously doing for specific features).

We also would need to look at how the HIPS product you are using actually works. It may be the case of both kernel-mode and user-mode components, and reverse engineering the software would reveal the technique the vendor is using to have implemented the specific feature of discussion - of course I am not going to reverse engineer genuine security software since this is unnecessary and illegal, but you should get the understanding of what I am trying to say. If a security product is injecting code into running processes to control execution flow for when specific APIs are used, but the author of the software decides to make a "custom" wrapper for the targeted controlled function (or in the case of NTAPI invocation, relying on a direct system call), then that would be bypassed. Whereas, if a specific feature is implemented from kernel-mode, then the user-mode program would not be making progress by using undocumented tricks like a system call because it'd still pass through the security software's interception once it reaches kernel-mode level. In a situation like that, it would require a zero-day exploit or a work-around overlooked by the vendor which implemented the feature (e.g. a vendor may block X action but may have forgotten there was another way to do the same action which isn't under the scope of their monitoring yet).

Malware can do these things and it could have done them for years. If we take a step back to the times around 2006 - 2012 there was some really deadly threats from those times surrounding rootkit infections which could do complex and sophisticated things, applying techniques to surpass behavioural prevention. However, without a bypass for PatchGuard (Driver Signature Enforcement feature specifically), you must have a signed device driver on 64-bit systems. Due to this, and due to many people moving to 64-bit over the many years since such a feature was introduced back on Windows Vista, the malware in the wild has significantly changed. It isn't normally about virus infections or rootkits to subvert even security software to hide other malicious software nowadays, but about generating income through ransomware and adware - those are the prevalent threats nowadays as far as I am aware. In fact, even banking malware has plummeted down a lot recently in my opinion - still popular though. It would have been common to find samples for Carberp, Zeus, SpyEye a few years ago, not as common nowadays. You have more chances of finding BadRabbit nowadays or a similar ransomware outbreak.

As for removing system files, you can delete files which are even in use as long as you have the correct privileges. For example, you cannot delete a file in a protected directory without having the rights to access those files with delete requests (e.g. acquire administrator rights); files in use can be deleted via a Native API function called NtDeleteFile. You can do this from user-mode thanks to NTDLL which sends requests up to a kernel routine which eventually leads to the real function within ntoskrnl.exe (kernel-mode image -> the Windows Kernel to be precise). Explorer.exe and most other software relies on the normal Win32 API which will lead down to the Native API calls in NTDLL (-> Kernel), but when you use Native API functions from NTDLL to pass to kernel-mode directly in this way, you bypass the checks performed by the documented and Microsoft supported-for-use functions which are supposed to be used by developers. Alternatively, just use a kernel-mode device driver and then you can invoke kernel-mode only functions (instead of the original Zw routines) to make a wrapper for the Nt* functions using the kernel-mode only functions instead (which they would have originally called anyway), whilst bypassing kernel-mode callbacks registered by other device drivers (e.g. maybe by a security product) or potential kernel-mode patches which may be present (32-bit systems).

The documented APIs will perform checks and put up restrictions for removing files in-use by other processes. The undocumented APIs won't necessarily have those checks, unless they are enforced from kernel-mode level under the original Windows Kernel routine which ends up being executed for the desired functionality which would be the end-result. This explains why you may not be able to delete GenuinePhotoshop.dll which is executing under GenuinePhotoshop.exe from the normal Windows File Explorer, whilst an external security tool like you have referred to will be capable of doing so. it
 uses a kernel-mode device driver to remove files without triggering NtDeleteFile hook on SSDT/FltRegisterFilter callback.
 It is because of x64 limitations for kernel-mode interception and ethical requirements. If an AV vendor patches the kernel and it all goes pear shaped, that is on them - they lose customers because of crashes and maybe even have to spend trouble dealing with law-suits if the data-loss was really bad.

Btw Eset idc! what can you do for such thing?! I didn't know an allowed driver can bypass the whole Hips! where is my protection? you left me unprotected - _ - same for comodo hips! still didn't test the spyshelter! but probably the same result:D

Edited November 28, 2017 by persian-boy

[persian-boy 22]

I could even remove the Eset files and folders with this tool! that's sound bad! I gtg! but will back for an answer!
P.s This tool made by Chinese! keep up the bad work Eset:P

Edited November 28, 2017 by persian-boy

[persian-boy 22]

Sorry, but I lost my mind:D When the user locks His files with Hips then he wants Eset to protect them!right? not everyone is malware analysis Lol ! not everyone knows an allowed driver can bypass the whole protection?!btw with or without an infected driver Hips should protect the files because the user relied on it!just imagine if it was a zero-day, not Pchunter! then what? 

[itman 1,659]

8 hours ago, persian-boy said:

Btw Eset idc! what can you do for such thing?! I didn't know an allowed driver can bypass the whole Hips! where is my protection? you left me unprotected - _ - same for comodo hips! still didn't test the spyshelter! but probably the same result:D

It has been this way since "the beginning of PC time." Use of Eset's ELAM driver allows it to load prior to other app drivers; a big improvement by MS in the design of Win 10. However, what about kernel mode device drivers? They all load prior to any app kernel mode drivers. So malware creates a device driver to do its hacking activities.

You prevent stuff like this for example by enabling Win 8/10 Secure Boot that only allows Microsoft code signed drivers to load.

Also starting with Win 10 AU i.e. ver. 1607, only Microsoft code signed drivers are allowed to be installed. Do note that this only applies to a fresh OS installation. If you upgraded from Win 7, it does not.

Edited November 28, 2017 by itman

[persian-boy 22]

I know about Signed Driver Enforcement but I'm not talking about this!the problem is more than that.
Hips is there to protect my files:D idc!
Whats the point with Hips?its suppose to protect me :-)?
Also, ESET hips don't alert you when smth wants to load a driver! while comodo ask!
What if it's signed?I know it's not common but what if?PChunter can dmg every protected file by Eset! ppl paid for protection!xd while the hips not gonna work in this situation!
Look at comodo: it's smarter that Eset in this situation.

Edited November 29, 2017 by persian-boy

[persian-boy 22]

Eset windows 7 users are in danger because there is no Signed Driver Enforcement.pls, find a solution to this problem! I'm wondering why no one answer!isn't important?Lol, this tool bypass the whole protection!and Eset is silent!

[Daedalus 16]

I suggest you follow the steps indicated on the following webpage: https://www.eset.com/int/security-vulnerability-reporting/

 

Edited December 1, 2017 by Daedalus
I don't need to insult someone

[persian-boy 22]

What? The moderators already saw my comments! no need to submit anything to Eset!they are not blind.

[peteyt 393]

3 minutes ago, persian-boy said:

What? The moderators already saw my comments! no need to submit anything to Eset!they are not blind.

As I have mentioned before while the forum is a good place for discussions and even reporting, it is not the main area and so some may not get replied to. It is always best to email them directly if you think you have found a flaw.

[persian-boy 22]

I think macros will report it if he considers it as a bug! it's not a bug but like a bug!this is a weakness in windows!but  Eset can fix it!

[Daedalus 16]

2 minutes ago, persian-boy said:

I think macros will report it if he considers it as a bug! it's not a bug but like a bug!this is a weakness in windows!but  Eset can fix it!

Well since you are counting on one persons "good will" instead of following the official procedure. You should not expect it to be fixed within an short time.

[peteyt 393]

10 minutes ago, persian-boy said:

I think macros will report it if he considers it as a bug! it's not a bug but like a bug!this is a weakness in windows!but  Eset can fix it!

The thing is things can get missed in the forum especially in a long post like this with multiple pages. That is why it is always recommended to open a support ticket

[persian-boy 22]

Hi, whats up?
if I set the Hips in learning mode and at the same time my browser wants to write to a folder/file then Hips will assign a rule like This:
Source: browser//operation: write to file//Traget: All files
Why all files? seems the hips don't understand it should only set the allow rule for a specific file(user:\broswer\browser folder), not my whole hard drive!The same story for registry and ...

I Want  Hips to set  Rules based on the what is happening and in real time! it won't limit the actions it just allows for everything(like that auto allow rule for ask mode lol)! whats the point of learning more?! what if smth want to exploit that application?(in my case browser)
Eset I consider this as a bug! pls, consider a fix for this issue!

[Daedalus 16]

19 minutes ago, persian-boy said:

Hi, whats up?
if I set the Hips in learning mode and at the same time my browser wants to write to a folder/file then Hips will assign a rule like This:
Source: browser//operation: write to file//Traget: All files
Why all files? seems the hips don't understand it should only set the allow rule for a specific file(user:\broswer\browser folder), not my whole hard drive!The same story for registry and ...

I Want  Hips to set  Rules based on the what is happening and in real time! it won't limit the actions it just allows for everything(like that auto allow rule for ask mode lol)! whats the point of learning more?! what if smth want to exploit that application?(in my case browser)
Eset I consider this as a bug! pls, consider a fix for this issue!

[persian-boy 22]

What is it mate?am i joking?!lol