I have recently switched from EQS to CFP D+ as the classical HIPS on my system. I have tried almost all classical HIPS in the past, mainly for fun. I have especially used EQS, NG and SSM free for a significant period of time as classical HIPS protection on my system. While playing with malware, I have even run more than one classical HIPS at a time in real time, just to compare their popups and thus know what they are monitoring.
I get more or less similar popups with all these classical HIPS; I never found a major difference in popup alerts between them.
HOWEVER, it is not the case with D+. I have been trying it since alpha, and every time I tried it I felt that its popup alerts are a bit different from other HIPS. Not sure why! Also, I can't be sure whether it is monitoring more compared to other HIPS, or less.
I will present a few examples.
1- I really hate the privilege popups from Defence+. For almost every application I get popups about the System time privilege. Another such popup that appears with almost all applications is "accessing service control manager". Others are system shutdown, debug and backup privilege popups, etc.
I wonder why CFP can't just keep quiet and only warn when some application tries to use this privilege, like many other HIPS do. What is the use of a behavior popup that comes with each and every legit application? It's too annoying. I have removed all these filters (mentioned above) from "My protected COM interfaces" to get rid of these popups.
Two other very common alerts I get on my system are:
- Accessing memory of ThreatFire service (almost every application does it on my system on shutdown)
- Accessing memory of CTFmon.exe
NEVER saw such alerts with any other HIPS.
2- Strangely, while D+ gives very frequent memory access alerts about TFservice and CTFmon.exe on my system, I hardly get any other memory access alerts from D+, while such alerts are common with other HIPS like EQS, SSM and AD. Very strange for me.
3- Another alert I never got from D+ is about remote thread creation. It's a bit common with other HIPS.
I am not sure, but my impression is that on remote thread creation D+ gives an alert about memory access. (Any POC to check this? Anyone?)
4- Another popup: pokapoka.exe modifying the memory of SYSTEM. Not sure what is meant by it. I haven't seen it with other HIPS except AD.
5- One more alert is "One application modifying the user interface of another application". Not sure what it means. I don't remember such an alert from other HIPS. I would have considered it memory modification, but memory modification has its own alert in D+.