Pages: 1 2 3 [4] 5
Author Topic: HIPS in the upcoming CPF  (Read 27498 times)
Melih
« Reply #45 on: May 05, 2007, 09:31:51 PM »

will the hips someday end up a lot like whats in ghost security suite by ghost security?

no!

kailasa108
« Reply #46 on: May 14, 2007, 11:21:10 AM »

I've been playing with all of the HIPS style programs for the last few months. 
Here's what I would like to see -
  a totally BEHAVIOR-based (i.e. NON-signature & NON-list-based, NON-scanning) real-time monitor;
  that completely interfaces with a firewall;
  AND ***** that automatically sandboxes new installs AND updates for a selected amount of time (until the software "proves" itself), and then is released to the actual environment or otherwise the installation is "rolled-back" and undone. *****

My ideal HIPS is complete, and automatic.  I really don't think most people are savvy enough to use a HIPS otherwise, so, that HIPS becomes the "boy-who-cried-Wolf" and they just blow through all of the warnings and the advantages are lost.

CyberHawk and SanaSecurity SafeConnect do the behavioral-based best job I've seen so far...but they don't have the installation sandboxing.  Having this would put the COMODO product in a class by itself!!!!!
Little Mac
« Reply #47 on: May 14, 2007, 01:20:10 PM »

Here's what I would like to see -
  a totally BEHAVIOR-based (i.e. NON-signature & NON-list-based, NON-scanning) real-time monitor;
***
My ideal HIPS is complete, and automatic.  I really don't think most people are savvy enough to use a HIPS otherwise, so, that HIPS becomes the "boy-who-cried-Wolf" and they just blow through all of the warnings and the advantages are lost.
kailasa108,

Can you explain how you would like to see a HIPS that is completely behavior-based, and yet automatic?  As a concept, the two seem exclusive of each other... if it's automatic, it's based on a list of some sort; if it's behavioral, it's based on a user-response (because there are safe actions that seem suspicious; thus user reaction is required).

I know CH has both aspects - a blacklist/definitions for automatic protection, and heuristics/behavioral analysis requiring user response.  I'm not familiar with SafeConnect.

LM

date
dcfldd split=2G conv=noerror hashwindow=0 hash=md5 bs=32768 hashlog=/mnt/sda1/images/hash.log if=/dev/hda of=/mnt/sda1/images/LM.dd
date
cat LM.dd.* | md5sum > verify.log
date
kailasa108
« Reply #48 on: May 19, 2007, 01:49:21 PM »

LM,
Well, IMHO, here's what I see.  First of all, this pure HIPS system would be ONLY that - a "host intrusion prevention".  It would NOT try to be an A/V, an A/S, a firewall, a network monitor or anything else.  So, it would NOT concern itself with getting rid of currently present "live" infections.  It WOULD catch inactive infections.
It would do this by a combination of a heuristic artificial intelligence that utilizes an application/process database containing things like version #s, file dates, checksums, dependencies, call routines, file accesses, registry keys, etc.  The HIPS would build this database upon install, by executing each installed program and routine in a virtual environment (sandbox) and "observing" them.  Yeah, it might take a while to run this, but I'm used to doing full scans when installing an A/V or A/S, so this would be no different.
Once the database is built it would be securely resident in RAM (protected from tampering or shutdown by zero-day/rootkit attacks), and the HIPS would watch everything.  If anything changes, the entire suspect program, its processes and dependencies would be sandboxed, automatically.  The user would be informed, not questioned.  The user would be allowed to override the HIPS system if they are certain the changes are safe (as in installed from reliable media).  Otherwise, the new or modified program would be re-"processed" in the sandbox.  The heuristic AI would determine if anything was "bad".  If so, the install/modification would be rolled back and removed.  If not, the install/mod would be "released" into the real environment, its info added into the database and observed for any changes like the rest.
I've seen bits and pieces of this approach in different HIPS-type programs, but not all together at the same time.  SanaSecurity's Safe Connect and the new SafenSec Pro come the closest.  But I think COMODO could "just do it" and be the one that everyone else plays "catch-up" with - like their firewall.
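The build-the-database, watch, sandbox-on-change, then release-or-roll-back flow that kailasa108 sketches above, reduced to a runnable illustration. This is an added example, not Comodo code and not anything CPF implemented. It assumes a SHA-256 digest stands in for the post's unspecified checksum, a scan of a directory tree stands in for a memory-resident kernel watcher, and a snapshot directory supplies the copy needed for rollback. The function names, the watched extensions, and every file name and byte string below are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

WATCHED = (".exe", ".dll")  # constructed: the file types this toy monitor covers


def fingerprint(path: Path) -> dict:
    """The per-file attributes the post lists: size, file date and a checksum."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def watched_files(root: Path):
    """Yield root-relative names of the files the monitor cares about, in a stable order."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED:
            yield str(p.relative_to(root))


def build_baseline(root: Path, snapshot: Path) -> dict:
    """One-time 'build the database on install' step. A copy of each file goes
    into the snapshot directory so a rejected change can be undone later."""
    baseline = {}
    for rel in watched_files(root):
        baseline[rel] = fingerprint(root / rel)
        dst = snapshot / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rel, dst)
    return baseline


def triage(root: Path, baseline: dict) -> dict:
    """Compare the live tree to the baseline. Anything new or altered is the
    set the post would hold in the sandbox; the user is informed, not asked."""
    verdict = {"unchanged": [], "modified": [], "new": [], "missing": []}
    seen = set()
    for rel in watched_files(root):
        seen.add(rel)
        if rel not in baseline:
            verdict["new"].append(rel)
        elif fingerprint(root / rel)["sha256"] != baseline[rel]["sha256"]:
            verdict["modified"].append(rel)
        else:
            verdict["unchanged"].append(rel)
    verdict["missing"] = [rel for rel in baseline if rel not in seen]
    return verdict


def release(rel: str, root: Path, snapshot: Path, baseline: dict) -> None:
    """User override: accept the change, record it in the database, refresh the snapshot."""
    baseline[rel] = fingerprint(root / rel)
    dst = snapshot / rel
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(root / rel, dst)


def rollback(rel: str, root: Path, snapshot: Path, baseline: dict) -> str:
    """Undo a rejected change: restore the baselined copy, or delete a newcomer."""
    if rel in baseline:
        shutil.copy2(snapshot / rel, root / rel)
        return "restored"
    (root / rel).unlink()
    return "deleted"


def demo() -> dict:
    """Constructed scenario: baseline two files, modify one and add one, then
    accept the new install and roll back the unexplained modification."""
    with tempfile.TemporaryDirectory() as tmp:
        root, snap = Path(tmp) / "prog", Path(tmp) / "snap"
        root.mkdir()
        snap.mkdir()
        (root / "app.exe").write_bytes(b"original program image")
        (root / "helper.dll").write_bytes(b"original library")
        baseline = build_baseline(root, snap)

        (root / "app.exe").write_bytes(b"patched program image")  # silent in-place change
        (root / "updater.exe").write_bytes(b"freshly installed")  # new install

        first = triage(root, baseline)
        actions = {"app.exe": rollback("app.exe", root, snap, baseline)}
        release("updater.exe", root, snap, baseline)
        actions["updater.exe"] = "released"
        second = triage(root, baseline)
        return {"first": first, "actions": actions, "second": second,
                "app_bytes": (root / "app.exe").read_bytes()}


if __name__ == "__main__":
    print(demo())
```

The first triage flags app.exe as modified and updater.exe as new while helper.dll passes; after the rollback and the release, a second triage reports all three files as unchanged, which is the "added into the database and observed like the rest" state the post describes. Comparing by digest rather than by mtime is deliberate: a modification time is trivially set by whoever wrote the file, the digest is not.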
Little Mac
« Reply #49 on: May 19, 2007, 05:43:37 PM »

That'd sure be a piece of work!  There has been other mention of having a sandbox aspect to the HIPS, and I mentioned earlier basically the same thing about the installation monitoring.  I think some sort of install mode is a crucial thing, in order to keep users from turning the HIPS off while installing applications.

LM
terbev
« Reply #50 on: May 19, 2007, 06:07:14 PM »

This may be a dumb question, but I am good at them.  With the CPF 3 being so powerful, will we still have a use for BOCleaner?
kailasa108
« Reply #51 on: May 19, 2007, 09:55:40 PM »

This may be a dumb question, but I am good at them.  With the CPF 3 being so powerful, will we still have a use for BOCleaner?

Terbev, I don't think your question is dumb at all!  Again, IMHO, there is STILL a need for BOClean in this scenario.... 
You've probably seen movies where a security perimeter is set up AFTER the "bad guy" is ALREADY inside right?  Which makes the perimeter guard pointless, except to stop another "baddie" from coming in. 

Well, let's say CPF 3 contains my ideal HIPS mentioned above.  The HIPS is the perimeter guard.  First, I would use something like BOC to sweep through and see if anything "bad" ALREADY was present, and remove it. 
So, in the security suite that I have seen users asking COMODO to develop, the suite would initiate BOC to do a "clean sweep" BEFORE initiating the HIPS system.
carioca
« Reply #52 on: May 20, 2007, 09:33:53 AM »

By the way, when will CPF version 3.0 be released? Might you forecast the preview and final launching date? Best Regards.
Melih
« Reply #53 on: May 20, 2007, 09:41:39 AM »

By the way, when will CPF version 3.0 be released? Might you forecast the preview and final launching date? Best Regards.

7th june beta..

end of june for production all being well.

Melih

wilpower
« Reply #54 on: May 20, 2007, 12:24:32 PM »

That'd sure be a piece of work!  There has been other mention of having a sandbox aspect to the HIPS, and I mentioned earlier basically the same thing about the installation monitoring.  I think some sort of install mode is a crucial thing, in order to keep users from turning the HIPS off while installing applications.

LM
Hey all> Can this be done?...if so...Would it then not be absolutely essential to secure the talent and get it done?
I'm only a 'programmer' in my dreams........heehee.

Holy Crap!!...More than one star.

"Use of COMODO Security Programs is not only Advised"  Use is Highly Recommended!!
Paweu
« Reply #55 on: June 04, 2007, 11:09:06 AM »

Hello.
I would rather not see only a whitelist HIPS. Apart from safety - in my opinion, a HIPS may be very useful in making the life of a computer user easier. For example: I use the HIPS features of GMER to block from running some processes which come bundled with a lot of software and which - when there are many of them - slow down the PC very, very much.
A man installs Java - nobody asks him whether he wants the Java update scheduler to be autostarted or not. Same with the printer driver updater and some stupid printer manager, same with some strange "nerocheck", same with a strange process from one of the office suites, same with mobile phone software... And when a man allows those and many others to run - he needs a P4 4GHz to make his PC boot in less than 5 minutes. In most cases it is possible to turn them off, but not always (like some processes or services from the Nokia 6630 software, if I remember correctly). A rule-based HIPS gives information and allows the user to prevent nuisance from "good" software.
Greetings

PS. Sorry for my bad English.
 
Little Mac
« Reply #56 on: June 04, 2007, 12:18:06 PM »

Welcome, Paweu

Melih has stated that in addition to the safelist aspect of the HIPS, there will be a high level of control available through user configuration.  In my mind, based on some things he has said in the past, this will take it to a level far beyond what applications like ProcessGuard have done in the past.  I think there's a very good chance that it will do what you are looking for.

LM
kailasa108
« Reply #57 on: June 04, 2007, 04:26:31 PM »

Hey all> Can this be done?...if so...Would it then not be absolutely essential to secure the talent and get it done?
I'm only a 'programmer' in my dreams........heehee.

Not only can it be done...someone has started doing it!!  Both PREVX2 and SafenSec Pro are doing their versions of what I suggested above.  BUT, neither one of them is a firewall.
PREVX2 has taken the lead as a superHIPS at this time (IMHO)...SEVEN signature engines, and COMMUNITY-based white/black-listing, PLUS the sandboxing!  Wow!
Melih
« Reply #58 on: June 05, 2007, 01:53:58 PM »

what is a seven signature engine?

thanks
Melih
« Last Edit: June 05, 2007, 04:27:10 PM by Melih »

carioca
« Reply #59 on: June 05, 2007, 03:04:44 PM »

Not only can it be done...someone has started doing it!!  Both PREVX2 and SafenSec Pro are doing their versions of what I suggested above.  BUT, neither one of them is a firewall.
PREVX2 has taken the lead as a superHIPS at this time (IMHO)...SEVEN signature engines, and COMMUNITY-based white/black-listing, PLUS the sandboxing!  Wow!

Hi, buddy! When I used Prevx and Safe'n'Sec Pro, FYI, my computer became a mule or a tortoise, and with the second one I had so many splash screens that I almost went bananas! Thus, I wouldn't like CFP to go that way! In my humble opinion it's too aggressive for security software! I have the Ghost Security licenses but I stopped using it because of a lot of popups. It's annoying. Best Regards.
Tags: HIPS 