HIPS HIPS Hooray for proactive detection

This morning, while looking through the customer submissions to Sophos (how to submit samples), I saw a sample with the ‘Rule or identity name triggered by this file (if applicable)’ form field filled in as HIPS/RegMon-009.

SophosLabs' automated scans of this sample showed it to be a malicious AutoIT file. When run through the automated replication rigs here in SophosLabs, it also triggered the following HIPS rules:

  • HIPS/RegMod-001
  • HIPS/RegMod-002
  • HIPS/RegMod-009
  • HIPS/RegMod-012
  • HIPS/FileMod-004

For a description of HIPS rules, click here.

I have written exact detection and disinfection for this malicious AutoIT file as Troj/Tiotua-U. Enabling HIPS detection on your network could have prevented an infection by this Trojan.