"services.exe tries to load driver" alert is missing

[Guest]

[i4u1]

Sandbox has nothing to do with HIPS. HIPS has to protect in any way. Drivers even when registered have to loaded some time. If CIS HIPS can't prevent some unsigned driver from autoloading, it surely must have some protection from manual loading the drivers over several different ways. then i don't know why CIS needs drivers and hooks if drivers gets loaded w/o troubles and checks.

[Luc[y]]

. then i don't know why CIS needs drivers and hooks if drivers gets loaded w/o troubles and checks.

No, when you allow 1 & second alert, you allowed driver to be installed.

[evil_religion]

People who think applications can install drivers with HIPS at proactive config and sandbox off maybe should show up with a proper malware sample which demonstrates this.

This thread is really just hot air about a cosmetic thing.

[tcarrbrion]

But if you only block what has been found in real malware and not proof of concepts then it is like signature based defence and not default deny. When the unknown arrives you are caught out.

[evil_religion]

If the registry access is blocked the driver shouldn't become active. I could demonstrate you dozens of examples with malware which show this.
Do you have any proof that the opposite is the case?

[i4u1]

Are you "profi" pretending that you don't understand the point?

Once again - installing the CIS on some machine can't prevent the machine from loading unauthorized/usigned or malware drivers from loading even if these drivers are childish toys with "start on demand" then when this "demand" happens then guess what happen with CIS...

Once again your/CIS' hooks and drivers in R0 are useless if only registry's \Services\ protected somehow and only post factum after/since installation.
XP and some allow loading unsigned drivers and this another headache CIS D+ can't solve in this case of weakly protected registry tree.
Why some assumptions on clean and signed drivers in \Services\ on default? At least signing should be checked on pre x64.

[evil_religion]

Are you "profi" pretending that you don't understand the point?

I'm not a profi, just have thrown ~1000 malware samples against several HIPSes and never a driver became loaded into the kernel when the registry keys couldn't have been created.
So, your point is just wrong.

Once again - installing the CIS on some machine can't prevent the machine from loading unauthorized/usigned or malware drivers from loading even if these drivers are childish toys with "start on demand" then when this "demand" happens then guess what happen with CIS...

Where is the proof?
Prove it that a driver is loaded into the kernel if no registry keys are created.
This doesn't seem to be possible via this driver loading method.
And this is the point.

[SS26]

This thread is really just hot air about a cosmetic thing.

Then walk away, noone holds.

[evil_religion]

Then walk away, noone holds.

No, I'll stay and tell you if you're wrong.
No need to be touchy.  

Edit:
Btw: Who wants more additional pop ups without any gain?
You would get pop ups even if safe applications install drivers.

[Tags:]