CFP Defence Plus - a bit weird HIPS?

I have recently switched from EQS to CFP D+ as the classical HIPS on my system. I have tried almost all classical HIPS in the past, mainly for fun. I have especially used EQS, NG and SSM Free for a significant period of time as classical HIPS protection on my system. While playing with malware, I have even run more than one classical HIPS at a time in real time, just to compare their popups and thus know what they are monitoring.

I get more or less similar popups with all these classical HIPS; I never found a major difference in popup alerts between them.

HOWEVER, it is not the case with D+. I have been trying it since alpha, and every time I tried it I felt that its popup alerts are a bit different from other HIPS. Not sure why! Also I can't be sure whether it is monitoring more compared to other HIPS, or less.

I will present a few examples.

1- I really hate the privilege popups from Defence+. For almost every application I get popups about the System Time privilege. Another such popup that appears with almost all applications is “accessing service control manager”. Others are system shutdown, debug and backup privilege popups, etc.

I wonder why CFP can't just keep quiet and only warn when some application tries to use this privilege, like many other HIPS do. What is the use of a behavior popup that comes with each and every legit application? It's too annoying. I have removed all these filters (mentioned above) from "My Protected COM Interfaces" to get rid of these popups.

Two other very common alerts I get on my system are:

  • Accessing memory of ThreatFire service (almost every application does it on my system on shutdown)
  • Accessing memory of CTFmon.exe

NEVER saw such alerts with any other HIPS.

2- Strangely, while D+ gives very frequent memory access alerts about TFservice and CTFmon.exe on my system, I hardly get any other memory access alerts from D+, while such alerts are common with other HIPS like EQS, SSM and AD. Very strange for me.

3- Another alert I never got from D+ is about remote thread creation. It's fairly common with other HIPS.

I am not sure, but my impression is that on remote thread creation, D+ gives an alert about memory access. (Any POC to check this? Anyone?)

4- Another popup: pokapoka.exe modifying memory of SYSTEM. Not sure what is meant by it. I haven't seen it with other HIPS except AD.

5- One more alert is "One application modifying the user interface of another application". Not sure what it means. I don't remember such an alert from other HIPS. I would have considered it memory modification, but memory modification has its own alert in D+.

[attachment deleted by admin]

First of all, if for all applications you get a SystemTime privilege alert, you have a faulty application on your system which sets up a hook DLL that is causing every process to obtain this privilege. It is not the fault of CFP; it is one of your other security applications. This privilege IS a PRIVILEGE and is not granted to every application.

CFP, AFAIK, is the only HIPS which detects privilege escalations. That's why you see these popups.

Two other very common alerts I get on my system are:
  • Accessing memory of ThreatFire service (almost every application does it on my system on shutdown)
  • Accessing memory of CTFmon.exe

NEVER saw such alerts with any other HIPS.

Then be certainly sure that they don't protect you, or your configuration is different with other HIPS products. They simply skip ctfmon.exe without asking. You can do the same with CFP. For example, if CFP is installed as firewall + leak protection, All Applications are configured to be allowed to open its process.

2- Strangely, while D+ gives very frequent memory access alerts about TFservice and CTFmon.exe on my system, I hardly get any other memory access alerts from D+, while such alerts are common with other HIPS like EQS, SSM and AD. Very strange for me.

As I said, they either skip ctfmon.exe or add a default rule for it. Most of them just skip and don't protect.

3- Another alert I never got from D+ is about remote thread creation. It's fairly common with other HIPS.

I am not sure, but my impression is that on remote thread creation, D+ gives an alert about memory access. (Any POC to check this? Anyone?)

Trying to access another process in memory is what CFP will show you.

5- One more alert is "One application modifying the user interface of another application". Not sure what it means. I don't remember such an alert from other HIPS. I would have considered it memory modification, but memory modification has its own alert in D+.

It is a user interface modification alert. For example, changing a window's text or something similar in another application.

All in all, you have successfully seen for yourself through your experiments that CFP is not a classical HIPS and protects you from more threats. Of course you can easily make it the same by simple configuration changes. I am sure the others will follow CFP in the future…

Egemen

Hi Egemen! Thanks for your detailed reply.

Let me say, if not ALL, then most or almost all applications give such a popup. Anyway, I have simply removed these privileges. Too annoying.

I agree that ctfmon.exe might be skipped, but it might not be the case with TFservice. In fact I would not be surprised if I got a reverse popup like TFservice accessing other applications in memory. That would be quite expected from the very nature of ThreatFire. Can you please ask the developers to have a look at this issue?

That's just a claim that needs proof. I wonder why there are no memory modification alerts with other applications, while I commonly get such alerts from SSM, EQS and AD.

Egemen is the lead developer for CFP V3. I suppose he’d know. :wink:

Sorry, I did not know that.

Hi Egemen! I have done some testing with CFP D+, AppDefend and EQSecure. My observations are interesting.

I guess that when Defence Plus gives a popup that "Application A is trying to access memory of application B", it means one of three (or more?) things:

1- Application A is trying to modify the memory of application B, or
2- Application A is trying to create a remote thread in application B, or
3- Application A is trying to terminate/suspend a thread in application B

Now see the alerts given by CFP Defence Plus, AppDefend and EQSecure about behaviours no. 1 and 2 (modify memory and create remote thread). They are exactly the same.

In the case of memory modification, the current (active) application is Explorer.exe while the target application is Iexplore.exe. See pic.

In the case of create remote thread, the current (active) application is PokapokaC.exe while the target application is Services.exe. See pic.

[attachment deleted by admin]

Now until this point everything is as expected, at least for me. Confusion arises when we see the popup alerts about terminate/suspend thread - behaviour no. 2.

EQSecure and AppDefend show that the current (active) application is TFservice and the target applications are Explorer.exe and Iexplore.exe.

CFP, on the other hand, shows that the current (active) applications are Explorer.exe and Iexplore.exe and the target application is TFservice.exe. See pics.

It's a thing I can't understand. I guess CFP may be wrong here. I seem to remember the alerts from System Safety Monitor also being the same as those of EQS and AD.

[attachment deleted by admin]

Ok this may be something. Let us see what this is all about then.

Thx,
Egemen

I am afraid CFP is right in this case too. There are 2 interprocess memory access operations in this case. It seems CFP catches and shows the important one; the others show the insignificant one.

Let me explain:

1 - TFService.exe is run under the SYSTEM account. CFP does not show “TFService.exe is trying to access iexplore.exe in memory” because this is allowed for SYSTEM accounts in CFP. I.e. a HIGH privilege application can access a LOW privilege application in memory. The alert you see in the others is this action. CFP simply skips this.

2 - iexplore.exe tries to duplicate a handle from TFService.exe, and hence CFP shows you an “iexplore.exe is trying to access TFService.exe in memory” alert. However, please note that it is possibly the hook DLL TFWAH.DLL trying to do something with its own application TFService.exe. Here a LOW privilege process is trying to access a HIGH privilege one, and CFP is doing what it is supposed to do and showing you the alert.

This is just one example of why CFP is not a classical HIPS and is quite powerful in design. You can see a lot more “Interprocess Memory Access” alerts in CFP than in others.

For example: try PCFlank Leak Test. Normally, CFP catches a protected COM Interface access for this test. Just ALLOW it and see the other type of alert about IPC. I don't think other HIPSes will show you this.

Egemen
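The two-operation explanation above, turned into a small runnable model (an added example, not CFP's code or anything posted in this thread). Assumptions: a process is described only by image name and account, SYSTEM counts as HIGH privilege and every other account as LOW, and the "actor" of an access is the process that makes the cross-process call (the one that would call OpenProcess or DuplicateHandle), not the process whose memory is touched.

```python
"""Toy model of how a D+-style HIPS and a classical HIPS report the same
pair of interprocess accesses.  Names, accounts and events are constructed
for illustration; the HIGH/LOW rule is the simplification Egemen gives."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HIGH_ACCOUNT = "SYSTEM"  # assumption: SYSTEM is the only HIGH privilege account


@dataclass(frozen=True)
class Proc:
    name: str
    account: str

    @property
    def high(self) -> bool:
        return self.account == HIGH_ACCOUNT


@dataclass(frozen=True)
class Access:
    actor: Proc     # process that initiates the cross-process call
    target: Proc    # process whose memory or handles are touched
    operation: str  # e.g. DuplicateHandle, TerminateThread, WriteProcessMemory


def dplus_style_alert(ev: Access) -> Optional[str]:
    """HIGH -> LOW access is skipped silently; LOW -> HIGH and LOW -> LOW
    are reported with the single generic 'access in memory' wording."""
    if ev.actor.high and not ev.target.high:
        return None
    return f"{ev.actor.name} is trying to access {ev.target.name} in memory"


def classical_style_alert(ev: Access) -> str:
    """Classical HIPS (EQS/AD in the thread): every cross-process access is
    reported with its operation name and no privilege comparison."""
    return f"{ev.actor.name} -> {ev.target.name}: {ev.operation}"


def triage(events: List[Access]) -> Tuple[List[str], List[str]]:
    """Return (D+-style alerts, classical-style alerts) for the same events."""
    dplus = [a for a in (dplus_style_alert(e) for e in events) if a]
    return dplus, [classical_style_alert(e) for e in events]


# Constructed events mirroring the ThreatFire case: one access per direction.
TFSERVICE = Proc("TFService.exe", "SYSTEM")
IEXPLORE = Proc("iexplore.exe", "user")
EVENTS = [
    Access(TFSERVICE, IEXPLORE, "TerminateThread"),  # what EQS/AD surfaced
    Access(IEXPLORE, TFSERVICE, "DuplicateHandle"),  # what D+ surfaced
]

if __name__ == "__main__":
    for label, alerts in zip(("D+", "classical"), triage(EVENTS)):
        print(label, alerts)
```

Running it shows one D+ alert (iexplore.exe touching TFService.exe) against two classical alerts, which is exactly the actor/target "reversal" the thread puzzled over: both accesses happen, and each product shows a different one.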

This is likely because of ThreatFire.

Hi, Egemen, thanks for the reply. It's a bit understandable to me now.

Just two questions:

1- So in that case, if I DENY the popup alert of Iexplore.exe accessing TFService in memory, it should not affect the proper functioning/protection offered by ThreatFire?

2- CFP skips the alert if a HIGH privilege application tries to access a LOW privilege application in memory. Does it decrease the protection/security in any way against sophisticated malware and rootkits, etc.?

Thanks

They are probably closing a remote handle in TFService this way. I am not sure. It is always better to check with the vendor.

The best way is to use only one of them.

2- CFP skips the alert if a HIGH privilege application tries to access a LOW privilege application in memory. Does it decrease the protection/security in any way against sophisticated malware and rootkits, etc.?

Thanks

Nope. CFP does this in a complex way. I used the HIGH/LOW privilege concepts for simplicity. CFP checks other things and makes decisions according to the types of alerts. This was just an example valid for memory access.

Egemen

Thanks for the help, Egemen. I really appreciate your response. Many things have become much clearer now.

I can now confirm that if I deny this alert, ThreatFire can't do its job.

See my thread here: