Author Topic: HIPS with centralised monitoring  (Read 6267 times)
Melih (Administrator, Posts: 8374)
« Reply #15 on: August 04, 2006, 11:36:51 AM »

> Melih. You kill me with all this good stuff. My goodness. I think I might just pull up a cot and never leave this forum. Best forum I have seen.

Well it's a fun forum, filled with lots of fun people who love helping and building to protect others!

It certainly is great fun for me ;-)

Melih

AJohn (Computer Security Testing Group, Posts: 170)
« Reply #16 on: August 10, 2006, 12:28:11 AM »

> Melih. You kill me with all this good stuff. My goodness. I think I might just pull up a cot and never leave this forum. Best forum I have seen.

Well said :D

This is what happens when honestly good-hearted people get power...
sr386 (Newbie, Posts: 16)
« Reply #17 on: August 25, 2006, 05:53:25 PM »

I tried PREVX (bought and paid for, have about 8 months left),
but I removed it as it slows things down to a CRAWL...
Just trying to copy a few animated GIFs to a CD would take
3 times as long as without PREVX...

It's a strange program to me anyway; although the concept seems to be good,
I just wasn't happy with the serious slowdown it brought to my machine.

Stephen/SR386
SR386/Stephen
andyman35 (Global Moderator, Posts: 1096)
« Reply #18 on: August 26, 2006, 01:35:57 AM »

> G'day,
>
> What about a HIPS style program, but beyond just monitoring system vectors?
>
> I'm looking at another one of these types of programs at the moment called PREVX1 (www.prevx1.com). Very nicely done but very noticeable impact on system performance. One interesting thing they do is that unknown or potentially dangerous objects are automatically reported back to a central database for investigation.
>
> Once investigated they are either classified as safe or unsafe. These classifications are then distributed back to other users of PREVX1. Sort of distributed collation, centralised distribution. This would have an advantage in that every application each user ran would be reported, logged, investigated, classified and reincorporated. Nice way of picking up zero day defects. Huge load initially but long term benefits, if only in timeliness.
>
> Thinking further, if this method was adopted and the HIPS-style application reported back each object for classification, updating within each application would be unnecessary, as the HIPS could send objects and receive and install incremental updates for the firewall, anti virus and the anti spyware.
>
> This method could be leveraged into the anti virus and the future anti spyware.
>
> What do you think?
> ewen :-)


I've been using this for some time, both Prevx1 and its former incarnation Prevx Home. The reason they switched to the community database model was that Prevx Home suffered the same problem as many other HIPS products: pop-up fatigue. Even the most security conscious user would tend to just click yes after the 15th warning message (or shut the thing down altogether).

I find there are very few warning messages now since they operate a large whitelist, plus any unknown files are verified with the central database, and I have to say this works extremely well. I gather CAVS will operate on a similar principle; if so it'll be a very useful tool for the armoury. ;)
Mr Bips (Newbie, Posts: 6)
« Reply #19 on: August 26, 2006, 02:45:42 PM »

Hello all.

Odd this, in so far as I've just registered to pose a Catch-22 type situation that has arisen recently whilst trying out such a HIPS program. I started using Sandboxie a while back and was impressed with it (despite it being a little, well, 'clunky' in the interface department) but migrated to GreenBorder Pro recently to try it out. I have to say that of the HIPS style progs I've tried recently (not to be confused with the whole Sandbox/Virtualisation type apps which one can use to run/monitor apps without messing with yer box, and which clearly don't really warrant consideration given the subject at hand) this is the best I've found.

Essentially what most people need, and I suppose to a lesser degree want, is a protective bubble when running Internet Explorer with 'all the doors open', i.e. ActiveX, JavaScript, etc. (for the kids or whatever) and also at a push Outlook/Express, so that if anything (inevitably) creeps in, the controlled environment will prevent any contamination of your Windows system. GreenBorder excels in this area but unfortunately is (now) shareware.

The reason I registered was because I then figured I'd try out GesWall, as I wished to try and stick with the 'good stuff', i.e. free, if I could find something that would do the same thing. This performs the same task as GreenBorder Pro, but also provides 'templates' for all manner of additional applications such as P2P, Messenger apps, etc. etc. to also be protected in this fashion.

The issue I've noticed with using this particular app, which wasn't apparent when using GreenBorder Pro, was that upon every subsequent reboot/connect to the t'interweb, Comodo's App Protection would signify that IE had changed and ask me whether I wished to allow it. This I attribute to GesWall somehow affecting IE whilst it runs from within its environment.

Anyone know on this note whether there is any resolution for this, short of disabling the Application Behaviour settings within Comodo? It has for now forced me to migrate (once more) to running CyberHawk as an alternative, as I'm not prepared to lower my defences from within Comodo in this respect.

Ta.
andyman35 (Global Moderator, Posts: 1096)
« Reply #20 on: September 07, 2006, 09:14:32 AM »

> Thanks for the suggestion Falkor.
>
> I have some interesting ideas that will help us have the biggest safelist in the world ;-) I just gave the go ahead to recruit another 25 people to our safelisting dept :-)
>
> I think the idea we have will help us build the most comprehensive safelist in the world!
>
> Give me a month or two.. you will see what I mean and why Comodo can do it while others can't.
> Don't want to give too much away to our competitors at this stage. I want our competitors to "follow" our leadership after we launched the products, not before ;-)
>
> Melih


An approach you may consider taking is one similar to that used by Dynamic Security Agent. It uses behavioural monitoring based on normal resource usage of applications, which is averaged over the learning period. It then looks for unusual deviations from the norm, unusually high CPU usage etc.
andyman35 (Global Moderator, Posts: 1096)
« Reply #21 on: September 07, 2006, 09:16:52 AM »

I should explain, I'm meaning that in conjunction with the whitelist of approved applications.
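The monitoring approach andyman35 describes in Replies #20 and #21 (a per-application resource baseline learned over a learning period, deviations flagged, combined with a whitelist of approved applications), as an added example that is not code from this thread or from Dynamic Security Agent. The application names, CPU readings and the 3-sigma threshold are constructed assumptions.

```python
# Added example: learn per-application CPU baselines, then flag deviations,
# but only for applications on the approved whitelist; anything else alerts.
from statistics import mean, pstdev


class BehaviourMonitor:
    def __init__(self, whitelist, learning_samples=5, sigma=3.0, min_stdev=1.0):
        self.whitelist = set(whitelist)          # approved applications (assumed list)
        self.learning_samples = learning_samples  # readings before a baseline is trusted
        self.sigma = sigma                        # deviation tolerance in standard deviations
        self.min_stdev = min_stdev                # floor so a flat baseline still has a band
        self.history = {}                         # app -> CPU samples seen during learning

    def observe(self, app, cpu_percent):
        """Return None when the reading is normal, otherwise an alert string."""
        if app not in self.whitelist:
            return f"unknown application: {app}"
        samples = self.history.setdefault(app, [])
        if len(samples) < self.learning_samples:
            samples.append(cpu_percent)           # still learning: record, never alert
            return None
        baseline = mean(samples)
        band = max(pstdev(samples), self.min_stdev) * self.sigma
        if abs(cpu_percent - baseline) > band:
            return (f"{app}: cpu {cpu_percent:.0f}% deviates from baseline "
                    f"{baseline:.0f}% (+/-{band:.0f})")
        return None


# Constructed sample telemetry (app, cpu%), not real measurements.
SAMPLES = [
    ("iexplore.exe", 4), ("iexplore.exe", 6), ("iexplore.exe", 5),
    ("iexplore.exe", 7), ("iexplore.exe", 5),   # learning period for IE
    ("iexplore.exe", 6),                        # normal reading after learning
    ("iexplore.exe", 92),                       # unusually high CPU usage
    ("dropper.exe", 3),                         # not on the whitelist at all
]


def run(samples=SAMPLES):
    monitor = BehaviourMonitor(whitelist=["iexplore.exe", "outlook.exe"])
    return [(app, monitor.observe(app, cpu)) for app, cpu in samples]


if __name__ == "__main__":
    for app, alert in run():
        print(app, "->", alert or "ok")
```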
solo (Comodo Loves me, Posts: 153)
« Reply #22 on: September 29, 2006, 01:27:24 PM »

HIPS programs aren't simply for computer geeks!  I am proof.

I don't know a lot about computers. Because I don't, I try to put the best security software on my computer and get good, sound advice from people that know more than me.

And let me tell you, HIPS doesn't have to be HARD. I am presently using a program called On-line Armor (by Tall Emu). This program is SO easy to use. It doesn't alert me with a ton of pop ups. It just does its job quietly in the background.

On-line Armor is an ideal HIPS program in my opinion, designed with the computer novice like me in mind. If Comodo were to develop a HIPS program, I hope they would follow the same philosophy that Tall Emu did.

By the way, I mentioned that I try to use "best in class" products. Right now I use:

NOD32
On-line Armor
Comodo Firewall
panic (Global Moderator, Posts: 7691)
« Reply #23 on: September 30, 2006, 03:23:10 AM »

> The issue I've noticed with using this particular app, which wasn't apparent when using GreenBorder Pro, was that upon every subsequent reboot/connect to the t'interweb, Comodo's App Protection would signify that IE had changed and asked me whether I wished to allow it, this I attribute to GesWall somehow affecting IE whilst it runs from within its environment.


Hey Mr. Bips,

This is EXACTLY why CPF is alerting you.

When an executable is run within a sandbox environment, its internal signature appears differently to the firewall. CPF is one of the few firewalls that is smart enough to spot that something has changed in an executable that you had previously OK'd.

As a consequence, it prompts you to alert you to the fact that IE has changed in some way. You'll find that any app you configure to run inside a sandbox-type environment will result in alerts from the smarter firewalls.

Hope this helps,
Ewen :-)

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
andyman35 (Global Moderator, Posts: 1096)
« Reply #24 on: October 04, 2006, 03:59:23 PM »

> Hey Mr. Bips,
>
> This is EXACTLY why CPF is alerting you.
>
> When an executable is run within a sandbox environment, its internal signature appears differently to the firewall. CPF is one of the few firewalls that is smart enough to spot that something has changed in an executable that you had previously OK'd.
>
> As a consequence, it prompts you to alert you to the fact that IE has changed in some way. You'll find that any app you configure to run inside a sandbox-type environment will result in alerts from the smarter firewalls.
>
> Hope this helps,
> Ewen :-)


You gotta just love how smart CPF is!