HIPS Bug

[itman 937]

Eset in its online HIPS documentation states it can monitor registry key additions. Problem is I have tried repeated to create a rule to do so and it does work.

For example, a HIPS rule monitoring all registry changes for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\* doesn't stop a new registry key from being created there.

[Marcos 3,591]

Creation of a registry key does not pose any risk. Monitoring and preventing it would cause performance overhead which is not the cost users would like to pay for no additional protection.

[itman 937]

2 hours ago, Marcos said:

Creation of a registry key does not pose any risk.

You're kidding here I hope.

Here's a nasty one - Snatch ransomware:

Quote

The ransomware installs itself as a Windows service called SuperBackupMan. The service description text, “This service make backup copy every day,” might help camouflage this entry in the Services list, but there’s no time to look. This registry key is set immediately before the machine starts rebooting itself.

The SuperBackupMan service has properties that prevent it from being stopped or paused by the user while it’s running.

The malware then adds this key to the Windows registry so it will start up during a Safe Mode boot.

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service

 

https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/

Edited Tuesday at 01:53 PM by itman

[Marcos 3,591]

It's not a problem, you can block writing there by creating a block rule for

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\*

[itman 937]

20 minutes ago, Marcos said:

It's not a problem, you can block writing there by creating a block rule for

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\*

I believe what you are stating is Eset HIPS has preset internal rules/whitelist/etc. that allow for monitoring write activity in select registry keys only.  That is not acceptable. I should be able to monitor write activity in any registry area I desire.

[Marcos 3,591]

1 minute ago, itman said:

I believe what you are stating is Eset HIPS has preset internal rules/whitelist/etc. that allow for monitoring write activity in select registry keys only.  That is not acceptable. I should be able to monitor write activity in any registry area I desire.

No, quite the contrary. I created a custom HIPS rule in the registry path that you referred to by the linked article.

[itman 937]

2 minutes ago, Marcos said:

No, quite the contrary. I created a custom HIPS rule in the registry path that you were referring to by the linked article.

Then why doesn't write activity detection in this registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\* , work?

Edited Tuesday at 02:46 PM by itman

[Marcos 3,591]

I was unable to create / import values to that key:

[itman 937]

35 minutes ago, Marcos said:

I was unable to create / import values to that key:

Correct and I do apologize. It works for example using import; i.e. regedit.exe, via opening a .reg file

Where I screwed up and can see others doing the same is I added a key named "Test" via regedit interactively,  Eset HIPS  allowed it. Of course if you try to rename the key, Eset will detect that. Since I allowed the rename, any other subsequent activity that uses regedit, such as opening a .reg file against that key, will be allowed for current session.

Edited Tuesday at 03:31 PM by itman

[itman 937]

@Marcoswhat I would like to see added to HIPS rule options is an add/write registry option. As it now stands, the only way this activity can be monitoring is to select "All registry operations." There are instances where I want to just monitor registry add/write activity.