Is the exclude list hashed to guarantee the actual target file is identified?

For background, I had trialed the Avast anti-virus product (in a VM using VMware). While the freebie version doesn’t include auto-exclusion of PUPs (probably unwanted programs), like Nirsoft’s utilities, it does provide an exclude list. However, I found out that the files listed in the exclude list are not recorded in AntiVir using a hash. That means the user excludes a file but malware could slide in its own file in the same path under the same filename so it would get excluded (I did not check to see if their exclude list was itself hashed to prevent malware from seeing where it could hide from that AV program). They promise that in some future version that hashing will be incorporated in the exclude list so the specified file is the actual one that gets excluded. Right now, the exclude list is nothing but a simpler pointer list and does not actually record the file (by retaining a hash of its content).

I believe the whitelist, or safe list, in CAVS is hashed. From the report done after the reboot after installing CAVS, the lines appeared to contain a hash value so the files were known to be specific files by their content and not just by their name. When I was looking at the settings for HIPS in CAVS 2.0 beta, I noticed the Allow/Block list and an Exclude list.

  • For the exclude list, is a hash generated based on the contents of the file which also gets saved along with the pointer information? That would ensure that malware doesn’t slide in under the same path and overwrite or replace the file that is getting excluded from the scans.

  • When selecting the High level for HIPS protection, it says the Allow/Block list is not honored (i.e., safelisted programs aren’t seen as safe anymore). The list of filetypes for Medium is too small, plus I don’t trust anything based just on filetypes. Any file, regardless of filetype, that gets loaded into memory and contains a header that makes the file executable can be executed. I’d like to use the High settings for HIPS, but then it appears that I would repeatedly have to answer the same prompts over and over again for the same processes/programs. What was the reason for ignoring the safelist at the High settings for HIPS?

  • Is the exclude list also ignored at the High setting for HIPS protection?
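To make the difference between the two kinds of exclude list concrete, here is an added example (my own code, not Comodo’s or Avast’s) that puts a path-only exclusion beside one pinned to the file’s SHA-256; the filesystem, paths and file bytes are constructed stand-ins:

```python
import hashlib
import hmac

# Added example (not Comodo's or Avast's code): a path-only exclusion list beside
# one that pins each entry to the SHA-256 of the excluded file. The "filesystem"
# below is a constructed dict of path -> file bytes.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ExclusionList:
    """Scanner exclusions: path -> pinned digest, or None for path-only."""

    def __init__(self):
        self._entries = {}

    def exclude(self, path, content=None):
        # With content given, the entry records which file the user excluded.
        self._entries[path] = None if content is None else sha256_hex(content)

    def is_excluded(self, path, content):
        if path not in self._entries:
            return False
        pinned = self._entries[path]
        if pinned is None:
            return True  # path-only: whatever now sits at this path is skipped
        return hmac.compare_digest(pinned, sha256_hex(content))

    def drifted(self, fs):
        """Pinned entries whose on-disk content changed: a signal worth alerting on."""
        return sorted(p for p, h in self._entries.items()
                      if h and p in fs and not hmac.compare_digest(h, sha256_hex(fs[p])))

def files_to_scan(fs, exclusions):
    return sorted(p for p, data in fs.items() if not exclusions.is_excluded(p, data))

def demo():
    path, other = r"C:\Tools\tool.exe", r"C:\Windows\notepad.exe"
    original = b"constructed: bytes of the file the user excluded"
    replaced = b"constructed: different bytes later dropped at the same path"
    fs_before = {path: original, other: b"constructed: unrelated file"}
    fs_after = {**fs_before, path: replaced}
    path_only, hashed = ExclusionList(), ExclusionList()
    path_only.exclude(path)            # path-only entry (no content recorded)
    hashed.exclude(path, original)     # content-pinned entry
    return {
        "path_only_after": files_to_scan(fs_after, path_only),  # replacement still skipped
        "hashed_before": files_to_scan(fs_before, hashed),
        "hashed_after": files_to_scan(fs_after, hashed),        # replacement gets scanned
        "drifted": hashed.drifted(fs_after),
    }
```

The `drifted` check is the defender’s bonus: when a pinned exclusion stops matching, the scanner not only resumes scanning that path but can also raise an alert that an excluded file was replaced.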

Hi Vanguard_LH,

  1. The CAV exclusion list is not hash based currently. We will add this feature in our next version.

  2. HIPS will not ignore the safelist and exclusion list at any level of its settings.

If you want to disable repeated alerts for the same process/program, please check the “Remember this action” checkbox. Checking “Remember this action” will create either a block or an allow rule in the HIPS Allow/Block list in HIPS Manager, depending on the action you chose.

Regards,
-Gopal

While allowing or blocking programs regulates what can load, does the HIPS included in CAVS also include:

  • The ability to block some processes from being terminated. For example, it would be handy to use the HIPS feature to prevent some unauthorized process from killing the anti-virus, firewall, anti-spam, task manager, and other processes (since malware will want to target these).

  • The ability to track which caller process (parent) tried to load a program (child). Without parent-child relationship tracking, it would be unknown what tries to use what. Malware may use services.exe or rundll32.exe, and unless the caller is known, the user has no way to know whether they should permit a particular instance of the program to load. Malware can use these other programs and the browser, too, so a user that permits these processes because they are generally needed is also allowing malware to use them.

  • The ability to track the command-line parameters used to start a program. This would be required, for example, to check what method and DLL were being run when rundll32.exe was loaded. ProcessGuard omitted this checking, which is why I discontinued using it. If the user allowed rundll32.exe to run, then malware that used it would also be allowed to run.

I didn’t see anything like the above mentioned features which means the HIPS in CAVS is far too lightweight a solution to be called a HIPS feature. With such limited capabilities, claiming HIPS to be included in CAVS is misleading. Users will think they have a real HIPS solution when, in fact, it is like using an anti-virus program that hasn’t been updated in years: they think they have the protection of HIPS but they really don’t.

Since I see no real HIPS functionality in the misnamed HIPS feature of CAVS (it seems to be nothing more than a white- and blacklist of programs), I’ll have to go back to System Safety Monitor which even in its freebie version provides far better HIPS protection.