Topic: Defence Plus gives no warning about process hiding (Read 1143 times)

aigle
« on: July 18, 2008, 09:19:39 PM »

http://www.iterati.org/Developers/HideProc/Default.aspx

I tried this tool to hide a process and got no detection by CFP. TF detects it. Can detection for this behaviour be added in the future?

Thanks
aigle
« Reply #1 on: July 20, 2008, 04:19:50 PM »

Did anyone try this so far?

Thanks
Ragwing (Global Moderator)
« Reply #2 on: July 21, 2008, 03:41:09 PM »

I suppose it uses a driver to hide itself? So you don't get any alert that HideProc.exe tries to install a driver?
Were you trying it in Paranoid Mode for Defense+?

Cheers,
Ragwing
"The closer you get to the light, the greater your shadow becomes"
XP SP3 2 GHz 768 MB RAM
5 services / 12 processes

aigle
« Reply #3 on: July 21, 2008, 05:29:23 PM »

I use paranoid settings with all custom rules, even for most system applications.

There are two problems:

1- No detection of driver/service install/loading.
2- No detection of the behaviour of hiding a process.

See here as well.

http://forums.comodo.com/leak_testingattacksvulnerability_research/driver_service_install_not_detected-t25349.0.html
Ragwing (Global Moderator)
« Reply #4 on: July 22, 2008, 08:21:41 AM »

From reading the other topic, it seems like the problem is that the program uses a trusted process to install a driver.
I think this could be fixed by allowing only the drivers that come with XP/Vista by default, and ask for the rest.
There wouldn't be any problems, I guess, as drivers for graphics, sound, network or whatever are installed before you reboot, so you would be able to view the alert.

Cheers,
Ragwing
ruiky
« Reply #5 on: July 22, 2008, 06:45:29 PM »

> From reading the other topic, it seems like the problem is that the program uses a trusted process to install a driver.
> I think this could be fixed by allowing only the drivers that come with XP/Vista by default, and ask for the rest.
> There wouldn't be any problems I guess, as drivers for graphic, sound, network or whatever is installed before you reboot, so you would be able to view the alert.
>
> Cheers,
> Ragwing

There isn't any alert when a virus uses service.exe to install a driver, even if set to ask.
So this is a big problem that needs to be fixed as soon as possible. This is a security bug.
Vettetech (Computer Security Testing Group)
« Reply #6 on: July 22, 2008, 10:08:17 PM »

Is this the result you want to see? Seems to work for me. I actually got 3 warnings: one for explorer.exe trying to run HideProc, which is normal; then another one about the program starting up; then, after I tried to hide Set Point, I got the D+ alert you see. Firewall and D+ in Safe Mode.
aigle
« Reply #7 on: July 23, 2008, 12:03:29 PM »

> Is this the result you want to see. Seems to work for me. I actually got 3 warnings. One for explorer.exe trying to run HideProc which is normal. Then another one about the program starting up. Then after I tried to hide Set Point I got the D+ you see. Firewall and D+ in safe mode.

What does it mean?

There is no indication that HideProc is trying to hide a process from Task Manager at all. The pop-up about service control manager access is vague, as it is not even specific like a driver/service install alert.
Vettetech (Computer Security Testing Group)
« Reply #8 on: July 23, 2008, 12:16:34 PM »

It's an alert, something you said you didn't get, and yes, this is XP. I guess you never heard of Stardock.
« Last Edit: July 23, 2008, 12:24:42 PM by Vettetech »

Rafel
I use only the best, I use Comodo firewall
« Reply #9 on: July 23, 2008, 12:48:46 PM »

I need to allow the program, but it's true, the advice can be a bit vague: no alert about drivers/service.

Matty_R (Global Moderator)
Nice to see you, to see you nice!
« Reply #10 on: July 24, 2008, 06:45:12 AM »

Let's be fair, the alert does say "The service control manager can be used to perform privileged operations including installing high privilege applications or even device drivers".

I think in some cases the wording could be different/better, but deciding what is tricky.
KYLE`S ALLRIGHT Smiley I love Aussies
CCleaner - Freeware Windows Optimization

Vettetech (Computer Security Testing Group)
« Reply #11 on: July 24, 2008, 07:07:08 AM »

> Lets be fair the alert does say "The service control manager can be used to perform priveleged operations including installing high privelege applications or even device drivers"
>
> I think in some cases the wording could be differant/better but deciding what is tricky.

Exactly Matty. It is an alert.
aigle
« Reply #12 on: July 25, 2008, 03:15:57 AM »

Ok, now it's a totally different discussion whether we like the SCM alert or not.

But my thread is about something else. I would like CFP to give a bit better alert, just like TF.
Vettetech (Computer Security Testing Group)
« Reply #13 on: July 25, 2008, 06:02:53 AM »

Well, you made a post stating it doesn't give a warning, and looking at my screenshot it does. A warning is a warning in my eyes. Maybe it could be more descriptive, but either way D+ did its job.
aigle
« Reply #14 on: July 25, 2008, 09:48:23 AM »

You are not getting my point. It's OK that CFP gives an SCM access warning, but I want it to be better than this. It should clearly tell that a service/driver is being installed (instead of just a privilege alert), like other classical HIPS, like EQS, SSM etc.

Now not only this, but I want CFP to go one step ahead and give another alert about process hiding, just like TF. It will be part of behavioral detection by CFP.

CFP already has at least some behavioral detection, like:

Detection of files being hidden by ADS

I want this behavioral detection to expand; that will make CFP exceptional among other classical HIPS. NeoavaGuard HIPS has such features, but its development is stopped.
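As an added example (not from this thread, from Comodo, or from the HideProc tool): the behaviour aigle wants alerted on, a process hidden from the task list, is something a defender can also check for after the fact with a cross-view comparison. The script below is written for Linux, where the "task manager" view is a directory listing of /proc and the second view is a kill(pid, 0) existence probe that asks the kernel about each PID directly; the same idea on Windows would compare a Toolhelp snapshot against OpenProcess on every PID, which is not shown here. It assumes /proc is mounted and handles the two usual false positives: thread IDs, which the probe sees but the listing does not, and processes that start or exit while the scan is running.

```python
"""Cross-view hidden-process check for Linux (added example, not product code).

View A (listing): what ps/top or a task manager shows, i.e. readdir of /proc.
View B (probe):   kill(pid, 0) for every possible PID; this asks the kernel
                  whether the PID exists without going through readdir.
A PID the kernel confirms but that never appears in the listing is the
discrepancy a process-hiding tool leaves behind.
"""
import os


def self_pid():
    """PID of this script; used by callers to sanity-check both views."""
    return os.getpid()


def pid_max():
    """Largest PID the kernel will allocate (falls back to the classic 32768)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return 32768


def listed_pids():
    """View A: PIDs visible as numeric entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def is_alive(pid):
    """True if the kernel says PID exists (EPERM still means it exists)."""
    try:
        os.kill(pid, 0)  # signal 0 performs only the existence/permission check
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids(upper):
    """View B: every PID in 1..upper that the kernel confirms exists."""
    return {pid for pid in range(1, upper + 1) if is_alive(pid)}


def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if the kernel will not show it.

    kill(tid, 0) succeeds for a thread ID, but readdir of /proc only lists
    thread-group leaders, so a TID with Tgid != pid is a thread, not a
    hidden process.
    """
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def find_hidden(upper=None):
    """Return both views plus the set of PIDs that look hidden from the listing."""
    upper = upper or pid_max()
    before = listed_pids()
    probed = probed_pids(upper)
    after = listed_pids()  # second listing absorbs processes that appeared mid-scan
    hidden = set()
    for pid in sorted(probed - before - after):
        tgid = thread_group_id(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread of a listed process, not a hidden process
        if not is_alive(pid):
            continue  # exited between the probe and now: a race, not hiding
        if pid in listed_pids():
            continue  # started after the second listing: a race, not hiding
        hidden.add(pid)  # alive, a group leader (or unreadable), never listed
    return {"listed": before, "probed": probed, "hidden": hidden}


if __name__ == "__main__":
    report = find_hidden()
    print(f"listed: {len(report['listed'])}  probed: {len(report['probed'])}")
    print("hidden PIDs:", sorted(report["hidden"]) or "none")
```

Scanning the whole PID range takes a few seconds on kernels with a large pid_max; pass a smaller `upper` for a quick spot check. A PID reported as hidden whose /proc/<pid>/status is also unreadable (thread_group_id returns None) is the stronger signal, since the kernel confirms the process yet its /proc entry is gone; a readable status with no listing entry points at a hooked directory enumeration. Systems mounted with hidepid legitimately produce the same discrepancy for other users' processes, so interpret hits with that in mind.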