Fake AV alert....Hips

Discussion in 'ESET NOD32 Antivirus/Smart Security Beta' started by Slappy, Sep 7, 2011.

Thread Status:
Not open for further replies.
  1. Slappy

    Slappy Registered Member

    Joined:
    Sep 7, 2011
    Posts:
    11
    Hello everyone. I was testing some malware tonight (sandboxed of course) and ran across a nasty fake AV alert. Eset hips popped up upon the install and said it had been allowed. So I went into the settings and switched hips to interactive and was bombarded with a ton of hips alerts (pop ups). After denying about 10-12 alerts from hips and having pop ups from the fake AV, I just terminated the sandbox.

    My questions are, how or why did hips allow this? Is there settings I should use for the hips to deny these kind of actions (fake AV's or suspect files). If I would have keep clicking deny would it have eventually killed the fake av? I suspect once it was allowed to get past hips the first time it was to late. If hips would have been set to interactive from the start would it have killed the process on the first deny? I submitted the file to eset. Thank you for your time and thank you in advance.

    Edit: This was done with stock settings with the exception of trying hips in interactive mode as stated above.
     
    Last edited: Sep 7, 2011
  2. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    In Interactive Mode, HIPS behaves interactively and prompts you to make decisions about actions. If you select Policy Mode, HIPS will deny operations for which you have expressly created a rule.

    It might be helpful to think of HIPS as a version of ESET Personal Firewall, except that instead of filtering network traffic, it filters applications' behavior. It is not a perfect analogy, but the premises are similar.

    Regards,

    Aryeh Goretsky
     
  3. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    @ slappy

    I feel your pain and I also tested Eset. My results were the same; in its default settings the Eset's HIPS will allow evrything, you name it and it will be allowed. However, the interactive mode will drown you in pop-ups. Eset HIPS gave me one time 122 pop-ups, consequently do you imagine the nightmare when you have to click on so many pop-ups.

    I've always said that Eset's HIPS could be considered as a huge bug and by what you said I can conclude it still is, unfortunately. I would like to beseech ESET not to release Eset 5 as is. If you do, Eset 5 would lead to your downfall. Take the HIPS out of the whole product and continue to rely on your fantastic heuristic.

    Once you can utterly master HIPS and reputation tech then and only then you could try to incorporate an intelligent HIPS. Please Eset listen to my plea do not release Eset 5 with that kind of HIPS, please... it is a HUGE bug.

    Thanks.
     
    Last edited: Sep 8, 2011
  4. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    First of all, just because the HIPS is allowing all by default doesnt mean the files are not scanned with heuristics. The real-time scanner and HIPS are two different layers. If you disable the HIPS you will loose the Self-Defense protection.

    I think ESET should release some interactive rules, disabled by default and pointing to sensitive areas of the system.
    This way the users can enable such rules, rather than manually creating them.

    PD: I will post some rules soon.
     
    Last edited: Sep 8, 2011
  5. Coccinelle

    Coccinelle Registered Member

    Joined:
    Jan 17, 2011
    Posts:
    211
    Location:
    France
    Are you creasy?
    Eset look to make money,do you saw the new droide Pub?
    For the Pub spend the money but to do good hips who cares?
    Forget about version 5.
    Look around there have another AV.
     
  6. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    @ Coccinelle

    I have now seen the pub, thanks. :D.
     
  7. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    If what you said is true then the situation is worst than I thought. Think of it for a moment you have a rogue file that 1) is not signed or probably has a stolen certificate; 2) tries to write itself to autorun; 3) tries to disable taskmanager; 4) probably attempted to disable eset services and processes (unsuccessfully I hope); 5) Injects its malicious processes into legitimate processes such as IE; 6) and after installation tries to automatically restart the user computer without any prompt or any request to do so; 7) uses svchost to execute non-windows processes; 8 ) alters users rights policies; 9) hijacks executables; 10) etc...

    And still Eset did not even have a clue that something fishy was going on. Oh my gosh... I would like to thank you for bringing that fact to my attention.

    Thanks.
     
    Last edited: Sep 8, 2011
  8. Slappy

    Slappy Registered Member

    Joined:
    Sep 7, 2011
    Posts:
    11
    So if Hips had been set to interactive from the start would it have stopped the threat (assuming the user denied it)? How or why did Hips automatically allow this through even though something triggered the Hips in auto mode? Those are my main questions/concerns.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Basically HIPS provides protection against modifications of crucial system areas whilst advanced heuristics coupled with generic signatures is aimed at malware detection.
     
  10. Slappy

    Slappy Registered Member

    Joined:
    Sep 7, 2011
    Posts:
    11

    Thanks for the response Marcos. Could you please address the questions in my previous post. Thanks.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    It actually answers your question, at least partially. It depends on the malware and your responses to prompts for actions while in interactive mode of HIPS. Do you have malware that was able to kill ESET for instance with HIPS in automatic mode?
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yes the hips needs some TLC no doubt and it should have self protection unrelated to the hips. I am curious though if the PUA { Potentially Unwanted Application) was Selected,its off by default.

    Also keep in mind Fake AV - Rogue does not always mean it contains malware - virus.it essentially tricks the user to purchase it,So I ask if the heuristics scan it as clean files it would be essentially allowed no.
     
  13. Slappy

    Slappy Registered Member

    Joined:
    Sep 7, 2011
    Posts:
    11

    The file was placing so many pop ups on the screen that when I tried to open the ESET GUI it was buried behind the pop ups. I had to move the GUI around the screen to see what I was doing. I only had a very small space to see any of the GUI. Did it kill ESET? ESET was doing nothing to stop it. So I guess in a sense since I was infected it, in a way, did kill ESET. I know nothing is perfect, but I expected the Hips to at least through up a flag or warning instead of a pop up saying it was allowed. I not here to bad mouth ESET, I like the product, I am just trying to get an understanding of why the Hips allowed it through with without a fight and is this going to be normal for the ESET hips.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Please follow the instructions for submitting suspicious files and submit the file to ESET for perusal. If it turns out to be actual malware, detection will be added. Remember that there's no 100% perfect security solution that detects every single malware in the world.
     
  15. Slappy

    Slappy Registered Member

    Joined:
    Sep 7, 2011
    Posts:
    11

    I submitted the file last night. Since the official release date is so close, what are the chances of the Hips improving/changing in the official release version? Thanks.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    So is the malware detected now? If not, what email subject did you use when you submitted it?
     
  17. Slappy

    Slappy Registered Member

    Joined:
    Sep 7, 2011
    Posts:
    11

    I will have to wait until tonight when I get home to retest the file to see if it is detected. I submitted the file through the right click->submit file for analysis.
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This is not recommended as > 99% of submitted files is junk and your file might get lost easily. Samples submitted per the instructions above receive a reasonably high priority.
     
  19. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    If possible post the MD5 of the file in question.
     
  20. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    I dont know why ESET has left the option for disabling the HIPS visible, instead of an option for disabling the filtering unrelated to SelfDefense.
    I think the current option can expose curious users unticking that option.
     
  21. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    I think they make products for some regular noob Users too. And so, they make Version 5 like that. If you go under HIPS tab, you will have 4 option. and see the description below the filtering mode tab

    Automatic mode with rules - order of evaluation:rules, allow
    Means if you configure any rules for particular application, Eset will decide according it, otherwise it will allow.
    Now why is it allow? I think this option is behave like no-HIPS, for regular user who do not want to bother with any popups etc.
    If you know about vipre premium, they disable hips by default

    Interactive Mode- - order of eveluation: rules, ask, allow on failure
    If you have configure rules Eset will decide automatic or ask user.

    Policy-based Mode-order of evaluation:rules, block
    Same as Automatic rules but by default block everything, if no rules find.

    Learning Mode- Is simple learning mode, and what I did for now. It allow everything and make a rules for allow.

    So, after install Eset 5 on CLEAN machine, switch HIPS to learning mode, open all your regular programs, their updates etc. switch back to interactive mode.
    It makes Eset little quite and give you popup for any new program or installer.

    This is not so secure way to configure the rules, but something is better then nothing.

    P.S: I am not Pro of configure HIPS, but for now it serves me well, till some expert wilders' look at the rules configuration.

    Thanks,
    PP
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Good point, I think before long someone will have a optimal file to import for those who want some solid settings but are not sure how.
     
  23. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    thank you
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.