Possible HIPS Problem With Driver Installation And Loading Protection

[itman 1,659]

Build WIn 7, SP1 x64, Eset Smart Security 8

 

Eset has an option in the HIPS for target files to prevent the Installation and loading of drivers per Eset documentation. The option is "Load Drivers." As a test of this capability, I used SysInternals Process Explorer that does all kinds of potentially nasty stuff such as loading a device driver on the fly from a spawned 64 bit process.

 

The procedure I used is:

 

1. Disable my existing HIPS allow rule for Process Explorer.

2. Create a HIPS rule to monitor the writing of any file to C:\Windows\System32\drivers\*

3. Create a HIPS rule to monitor the loading of drivers to target file C:\*.*

4. Start Process Monitor.

5. Allow Process Monitor startup and process modification activity to explorer.exe

6. Allow Process Monitor to write to C:\Windows\System32\drivers\*

 

Process Monitor starts up with no further alerts. I verified that Process Monitor's driver was loaded under System process. In other words, the Load Drivers HIPS monitoring rule did not prevent the loading of the driver. 

 

Note: I initially tested omitting creating the write rule in above step no. 2 and it made no difference; Eset allowed the creation of Process Monitor's in the C:\Windows\System32\drivers\ directory and the loading of the driver.

 

I

 

 

[Marcos 5,074]

The purpose of the feature is not to block all but the drivers in the list. As the help says, drivers in the list will be always loaded regardless of the HIPS mode used, ie. it's a kind of exception list. I'll ask HIPS developers for more information on this.

[itman 1,659]

Thanks for the reply.

 

My gut is telling me that the HIPS is checking driver loading at boot time against the default allow rule. But ignoring the fact that drivers can be dynamically loaded anytime. And unfortunately from places other than from places other than C:\Windows\System32\drivers\* .

 

BTW - I am still awaiting the use of wildcards feature for filenames.