persian-boy

HIPS and some problems.


20 minutes ago, persian-boy said:

Why all files? It seems the HIPS doesn't understand it should only set the allow rule for a specific file (user:\browser\browser folder), not my whole hard drive! The same story for the registry and ...

For the very same reason the firewall doesn't create a separate rule for each visited website. If learning mode were to generate very specific rules, the user could end up with hundreds of thousands of rules.


Hi Marcos, I never used the firewall in learning mode.
No problem! Let the user end up with billions of rules (2 weeks is enough for creating all rules).
The HIPS will not protect me in this situation! Yes, maybe it will just block something unknown from starting, but it will not protect my PC! Interactive mode plus some custom rules is the only way to make sure everything is okay.


Action: ask; file operation: Load driver; files: all files
This rule doesn't work! I never got any alert from the HIPS :-) Any idea?!

6 minutes ago, persian-boy said:

Action: ask; file operation: Load driver; files: all files
This rule doesn't work! I never got any alert from the HIPS :-) Any idea?!

My tests in regard to HIPS driver loading show that it pretty much loads all drivers in Windows\System32\Drivers regardless of what you do. In other words, it doesn't monitor driver loading. I have noted this in previous postings. This was verified when I noticed drivers loaded that were not in the list of drivers shown for the HIPS rule.


What's the point of this rule?! It doesn't work! Marcos, don't you consider this a bug?
Itman, do you mean that if something wants to load a driver outside C:\Windows\System32\drivers then the HIPS will alert?
Eset, even Comodo garbage, which is free, can monitor the loading of drivers! I already mentioned this issue when I was talking about PChunter! Remove the load driver rule from the HIPS or fix the problem!

12 hours ago, persian-boy said:

Itman, do you mean that if something wants to load a driver outside C:\Windows\System32\drivers then the HIPS will alert?

No - based on the previous testing I have done.


In over 3 years and 3 PCs, I never got any HIPS-related alert from NOD32.

Seeing all these threads, I start to believe that HIPS is a purely cosmetic item, with zero functionality.

6 minutes ago, John Alex said:

In over 3 years and 3 PCs, I never got any HIPS-related alert from NOD32.

Seeing all these threads, I start to believe that HIPS is a purely cosmetic item, with zero functionality.

You don't always get a message.
One time (July 2017) I was unable to install a program. It was hanging... even while I was running it as admin.

Turned out it was HIPS. I disabled that, restarted my PC, and then the installation went fine.

Just pointing out that it does not always give a notification.

39 minutes ago, John Alex said:

In over 3 years and 3 pc's , I never got any HIPS related alert  from NOD32.

I doubt that you run malware on your machine, which is why you don't see any pop-ups from HIPS. In such a case it's expected that HIPS doesn't alert you.

Here are 2 examples of HIPS-AMS alerts on files, shown upon execution, that I've found among new malware. I had to turn off real-time protection since it's extremely difficult, if not impossible, to find new malware that wouldn't be detected by real-time protection:

[image: AMS-alert1.png]

[image: AMS-alert2.png]

53 minutes ago, Marcos said:

Here are 2 examples of HIPS-AMS alerts

I do not get it; if it is a HIPS-related alert, how come it says "a threat Win32/Spy.Tewgol.P was found"????

HIPS should alert based on a rule, and at best the alert should say what rule was involved.

As long as you already have a name (Spy.Tewgol.P), how do you know it was not a definition-based alert????

A detection from HIPS I would expect to be something like:

[image: HIPS.jpg]

7 hours ago, persian-boy said:

I installed SpyShelter Free Anti-Keylogger because Eset can't protect me :-) The free version also alerts for loading drivers. Itman, if you want, download it from FileHippo as fast as possible because they will remove the download link soon.
https://filehippo.com/download_spyshelter_free/

I installed this and am surprised that it exists, since the free ver. of Anti-Keylogger is no longer offered on the SpyShelter web site. My gut is telling me it's a "promo-trial" ver. of paid SpyShelter which in time will display messages that you have to purchase the paid version.

Anyway, this does not block "on-the-fly" loading of kernel mode drivers. To verify this, use Process Explorer, which indeed loads a kernel driver this way. First, ensure you delete any ref. to its existing driver in C:\Windows\System32\Drivers. -EDIT- You need to reboot if the driver was previously deleted, since it would have loaded at boot time. Start up Process Explorer. SpyShelter Free Anti-Keylogger will create default rules for it since it is a trusted process. Examine the rules created for it. The one for monitoring of driver loading is set to default. This means it never recognized that a kernel mode driver was loaded by the process.

Also, this free ver. of SSAKL doesn't actually block a kernel mode global keylogger hook from being set but instead encrypts all keystrokes, similar to what is done by Eset's Online Banking Protection.

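The manual test described above (delete the driver, reboot, start Process Explorer, see whether the HIPS notices) can be made repeatable. The script below is an added example and is not code from the thread or from ESET, SpyShelter or Sysinternals: it snapshots the running kernel-driver services before and after launching the process under test and diffs them, then cross-checks the System event log for Service Control Manager event 7045 (written when a new service, including a kernel driver service, is installed). The executable path, the settle time and the requirement to run elevated are assumptions; any driver the process previously registered must still be removed and the machine rebooted first, as itman describes, or the diff will be empty.

```powershell
# Added example (not from the thread): observe on-the-fly kernel driver loading by a process.
# Assumptions: elevated PowerShell; $ProcessPath is a placeholder for the executable under test.
param(
    [string]$ProcessPath  = 'C:\Tools\procexp64.exe',
    [int]   $SettleSeconds = 10
)

function Get-LoadedKernelDrivers {
    # Win32_SystemDriver enumerates kernel driver services; keep only those currently running
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        Select-Object Name, PathName
}

$before = Get-LoadedKernelDrivers
$start  = Get-Date

# Launch the process under test and give it time to register and load its driver.
# If a HIPS "Load driver" rule is set to ask, its prompt should appear during this window.
$null = Start-Process -FilePath $ProcessPath -PassThru
Start-Sleep -Seconds $SettleSeconds

$after = Get-LoadedKernelDrivers

# '=>' marks entries present only in the "after" snapshot, i.e. drivers that started since launch
$new = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Name |
       Where-Object SideIndicator -eq '=>' |
       ForEach-Object { $n = $_.Name; $after | Where-Object Name -eq $n }

if ($new) {
    "Kernel drivers that started after launching $ProcessPath :"
    $new | Format-Table -AutoSize
} else {
    "No new running kernel driver observed within $SettleSeconds s."
}

# Cross-check: SCM event 7045 in the System log records a newly installed service,
# which is how a driver dropped at runtime is normally registered before being loaded.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $start } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

If the diff shows a new driver and a 7045 event but the HIPS never prompted, the "Load driver" rule is not intercepting the load; if the process hangs at launch instead, the prompt (or a block) did fire and the diff will stay empty until it is answered.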

Had it been a definition-based alert, HIPS wouldn't have triggered an AMS scan based on internal rules and the alert wouldn't have read "The threat was detected in memory". This indicates it's a HIPS-AMS detection, which also utilizes DNA detections, which are in fact a sort of description of malicious behavior. Again, the detection was purely HIPS-AMS based and I had real-time protection completely disabled.

For more information about DNA detections and Advanced Memory Scanner, please refer to https://cdn1-prodint.esetstatic.com/ESET/INT/Docs/Others/Technology/ESET-Technology.pdf.

2 hours ago, Marcos said:

which are in fact a sort of descriptions of malicious behavior

Still I do not get how HIPS can attach a name (Spy.Tewgol.P) to a detection based on a rule.

The maximum you should get is info about the malicious behavior being detected.


Itman, you can use it forever; it's free. Datpol updates the free version silently. This is the free version of SpyShelter, so it can't block your hacks! The paid version will block all your hacks haha (as you know, the free version doesn't support kernel mode drivers)! Also you need to run it in ask mode and without trusting the digitally signed ones for maximum protection. I'm wondering when Eset will put such features in the HIPS!
Anyway, I'm here to tell Marcos the HIPS in interactive mode has a conflict with OSArmor! I also found some conflicts between the HIPS and an SUA account with UAC at max! The alerts come with a delay (like 1 min for every alert) and Windows freezes! Windows 10 build 1709.
Try this: put a password on your admin account, then create an SUA account with UAC at max! Run the HIPS in interactive mode and....!

27 minutes ago, persian-boy said:

Anyway, I'm here to tell Marcos the HIPS in interactive mode has a conflict with OSArmor! I also found some conflicts between the HIPS and an SUA account with UAC at max! The alerts come with a delay (like 1 min for every alert) and Windows freezes! Windows 10 build 1709.
Try this: put a password on your admin account, then create an SUA account with UAC at max! Run the HIPS in interactive mode and....!

Yes, I tried OSArmor a while back and immediately noticed Eset HIPS issues. I immediately uninstalled OSArmor and haven't thought about it since.


Does Eset's anti-exploit module work with Windows Defender's built-in anti-exploit? Or do I have to disable one of them?!
I noticed that you improved the interactive mode! Keep up the good work. I had some problems with interactive mode but they don't exist anymore.

3 hours ago, persian-boy said:

Does Eset's anti-exploit module work with Windows Defender's built-in anti-exploit?

Yes.

3 hours ago, persian-boy said:

Do I have to disable one of them?!

No.

What you have to be aware of, if you start "playing with" WDEG app exploit mitigations for the browser, etc., is that the mitigation to only allow Microsoft-signed .dlls cannot be enabled, since Eset injects its own .dlls into selected apps it is monitoring.

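The conflict itman describes can be checked before the mitigation is switched on. The script below is an added example, not code from the thread or from ESET or Microsoft: it enumerates the modules currently loaded into a running process and flags every one whose Authenticode signature is missing, invalid, or not issued to Microsoft Corporation, which is the set that the WDEG "Code integrity guard" (the MicrosoftSignedOnly mitigation) would refuse to load. The process name is a placeholder; iexplore is used because its own modules are Microsoft-signed, so only injected third-party DLLs show up. For a non-Microsoft browser the browser's own DLLs will be listed too, which is itself the reason that mitigation is rarely usable on such applications. Reading another process's module list requires running at the same bitness and with sufficient privilege; that requirement is assumed here.

```powershell
# Added example (not from the thread): list modules in a process that Code Integrity Guard
# (WDEG "MicrosoftSignedOnly") would block. Assumption: $ProcessName is a placeholder.
param([string]$ProcessName = 'iexplore')

function Get-NonMicrosoftModules {
    param([string]$Name)
    $procs = Get-Process -Name $Name -ErrorAction Stop
    # Unique on-disk paths of every module mapped into any instance of the process
    $paths = $procs | ForEach-Object { $_.Modules } |
             ForEach-Object { $_.FileName } | Sort-Object -Unique
    foreach ($p in $paths) {
        # Get-AuthenticodeSignature also resolves catalog-signed Windows binaries
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        # Anything not validly signed by Microsoft Corporation is what the mitigation rejects
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{ Module = $p; Status = $sig.Status; Signer = $signer }
        }
    }
}

$flagged = Get-NonMicrosoftModules -Name $ProcessName
if ($flagged) {
    "Modules in $ProcessName that Code Integrity Guard would reject:"
    $flagged | Format-Table -AutoSize
} else {
    "Every module loaded in $ProcessName is Microsoft-signed."
}

# Safer rollout: audit first (would-be blocks are logged to the
# Microsoft-Windows-Security-Mitigations/UserMode event log instead of enforced),
# and only enforce once the audit log stays clean. Uncomment to apply:
# Set-ProcessMitigation -Name "$ProcessName.exe" -Enable AuditMicrosoftSigned
# Set-ProcessMitigation -Name "$ProcessName.exe" -Enable MicrosoftSignedOnly
# Get-ProcessMitigation -Name "$ProcessName.exe"
```

An antivirus or HIPS module injected into the browser will appear in the flagged list under its vendor's signer name; that is the entry that would make the browser fail to start (or lose protection, depending on which side gives up) once MicrosoftSignedOnly is enforced.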
18 hours ago, persian-boy said:

Itman, you can use it forever; it's free. Datpol updates the free version silently. This is the free version of SpyShelter

As far as free Spyshelter Anti-Keylogger, I have uninstalled it.

For starters, it makes over 20 system setting changes, as noted in Eset's System Cleaner. Far worse, if you're using Win 10 1709, open Win Event Viewer. Then open the folder that contains the Win event logs. Scroll down to the one named Security-Mitigations. Take note of the multitude of entries related to attempted svchost.exe modifications. Pay further close attention to the multitude of warning entries related to attempts to modify services.exe and dllhost.exe performing "nefarious" type activities.

Bottom line - stay away from non-mainline established security solutions. More so now that Win kernel and app patches have been and will continue to be issued due to the Meltdown and Spectre exploits.


Eset System Cleaner doesn't show 20 changes for me! It only shows 3 changes. Itman, SpyShelter is a safe application! IDC about those changes. It's solid protection :/ Why would I stay away from it? BTW, I removed it because I can't handle 2 HIPS (a lot of pain lol).

2 hours ago, persian-boy said:

Eset System Cleaner doesn't show 20 changes for me! It only shows 3 changes.

Why did I anticipate you would question this ...........;)

I ran System Cleaner prior to uninstalling SSAK. It showed over 20 system changes. I then uninstalled SSAK using Revo Uninstaller Pro. After SSAK was fully uninstalled, I ran System Cleaner again and it only showed one system change remaining.

BTW - when I installed SSAK, I used Revo Uninstaller Pro in logging mode to create a log of all changes made. I also still have the log, which I can export in HTML format if you wish to view it.


Action: block; source application: all applications; file operation: all operations; specific files: C:\desktop\Example..RTF
I can easily delete the file and the HIPS won't bother me! Why is that?! The HIPS blocked me from writing to that RTF file, but didn't bother when I removed it!

19 hours ago, persian-boy said:

Action: block; source application: all applications; file operation: all operations; specific files: C:\desktop\Example..RTF
I can easily delete the file and the HIPS won't bother me! Why is that?! The HIPS blocked me from writing to that RTF file, but didn't bother when I removed it!

Works fine for me. What was strange is that I received a UAC alert for elevated privileges with the HIPS rule in place, whereas none is ever triggered by normal desktop item deletion running as a limited admin:

[image: Eset_Blocked.png]

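Two people got different results from the same "block all operations on this file" rule in the two posts above, and the disagreement is hard to settle by hand because a delete is not one operation on Windows: Explorer's delete moves the file into the Recycle Bin (a rename across directories), while a shell `del` or Remove-Item sets the delete disposition on an open handle, and a rule that hooks writes but not those paths lets the file disappear. The script below is an added example, not code from the thread or from ESET: it probes overwrite, append, rename, move, direct delete and Recycle-Bin delete against the protected file one at a time and reports which were allowed. The target path is a placeholder and the script assumes it runs under the account the rule is supposed to stop; the file is recreated after the probes that remove it so each probe starts from the same state.

```powershell
# Added example (not from the thread): probe which file operations a "block all operations
# on file X" HIPS rule actually intercepts. Assumption: $Target is a placeholder path.
param([string]$Target = 'C:\Users\Public\Example.rtf')

Add-Type -AssemblyName Microsoft.VisualBasic   # for the Recycle-Bin delete API

function Invoke-Probe {
    param([string]$Name, [scriptblock]$Action)
    try {
        & $Action
        [pscustomobject]@{ Operation = $Name; Result = 'ALLOWED' }
    } catch {
        # A HIPS block surfaces as an access-denied style exception from the cmdlet/API
        [pscustomobject]@{ Operation = $Name; Result = "blocked ($($_.Exception.GetType().Name))" }
    }
}

function Reset-Target {
    if (-not (Test-Path -LiteralPath $Target)) { Set-Content -Path $Target -Value 'original content' }
}

$leaf    = Split-Path $Target -Leaf
$renamed = "$leaf.renamed"
$moved   = Join-Path ([System.IO.Path]::GetTempPath()) $leaf

Reset-Target
$results = @(
    Invoke-Probe 'overwrite'   { Set-Content -Path $Target -Value 'modified' -ErrorAction Stop }
    Invoke-Probe 'append'      { Add-Content -Path $Target -Value 'appended' -ErrorAction Stop }
    Invoke-Probe 'rename'      { Rename-Item -Path $Target -NewName $renamed -ErrorAction Stop
                                 Rename-Item -Path (Join-Path (Split-Path $Target) $renamed) -NewName $leaf -ErrorAction Stop }
    Invoke-Probe 'move'        { Move-Item -Path $Target -Destination $moved -ErrorAction Stop
                                 Move-Item -Path $moved -Destination $Target -ErrorAction Stop }
    Invoke-Probe 'delete'      { Remove-Item -Path $Target -ErrorAction Stop; Reset-Target }
    Invoke-Probe 'recycle-bin' { [Microsoft.VisualBasic.FileIO.FileSystem]::DeleteFile(
                                     $Target, 'OnlyErrorDialogs', 'SendToRecycleBin'); Reset-Target }
)
$results | Format-Table -AutoSize
```

With a correct "all operations" rule every row reads blocked. A table where overwrite and append are blocked but delete or recycle-bin are ALLOWED reproduces what persian-boy reports and pins it to the specific operation the rule misses, which is more useful to a vendor than "it doesn't work".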

Doesn't work for me! Anyway, I'm using Easy File Locker, which does the job better than Eset!

