Differences between Comodo's HIPS & Other Products' Intrusion Detection Systems

Other vendor products claim they have IDS which kinda works like HIPS. What is the difference between the two? For example Kaspersky Proactive Defense & A-Squared Anti-Malware Intrusion Detection Systems compared to Comodo’s Host Intrusion Prevention System & behavioral analysis? :THNK (B)

Very simple.

They all work with

Default Allow… then try to catch the baddies… and they only catch the baddies they know (even the so-called heuristic is a glorified signature-based default-allow system)

we work with

Default Deny… if your name is not on the list, you are not coming in…

Melih

Thanks for the clarification. (B) (J) (R)

I like the explanation, simple & to the point. :BNC

It’s similar to the way Prevx2 works and its CIPS. All files are categorized as known malware, known safe, or unknown (exercise caution). It’s a highly effective method when implemented properly.

By the way, I heard you have already released the release candidate of version 3. Should I change to it, or stick to version 2.4 for now? I’m kind of afraid of beta versions, even release candidates… :THNK

Wait till next week so that you can use the final…

Melih

Great news indeed. I think version 3 will rule over the competition, Online Armor and Agnitum Outpost Pro included. :BNC (B) (L) (R) (S) (V). PS. I think you guys are great & I will do my best to promote Comodo here in my country, telling everyone it is an excellent product (B)

Great to hear about the FINAL release.

But, Melih, it seems, you got a new son?

(:TNG)

:slight_smile:

Guess that answers your thread on whether or not version 3 will be released next week. (:WIN)

Are Firefox and Thunderbird allowed by default?

I’ll tell you the truth, even the professionals themselves don’t have a standard definition for the term IDS.

When you read the literature, often when they say IDS, they mean NIDS.

NIDS = network-based intrusion detection systems: there are rules that observe network traffic and protocols and warn (“email/IM/whatever”) the system admin that something is going on.

Kind of like your personal firewall alerting on an outbound connection, but with more subtle and complex matching rules (also, it runs not on the host machine, the PC itself, but on the routers, network gateways, etc.). This is only deployed on large corporate networks and is irrelevant to home users.

There are other terms like IPS (intrusion prevention systems), but it’s semantics really.

For the home user, what you need to understand is this.

The newer approaches move away from analyzing code before execution, to analyzing and blocking behavior on the fly.

There are generally two approaches to this, which I call “dumb” and “smart” (this is not saying that “smart” is better, it’s just descriptive of the intelligence built in).

The “dumb” approach is the main focus of Defense+ and many other products. The system basically “goes off” when any single individual event (or detected behavior) occurs and gives the user the choice to allow it or not.

So for example, the HIPS might warn the user a certain registry key is being set, a certain process is starting, a driver is being installed etc. The user then decides whether to allow it or not.

The system itself just reports what happens, it does not give a recommendation on whether the change is dangerous or not. Of course, what is monitored is indeed sometimes dangerous (why else would it be monitored?), but often it is not as well.

The problem here is that the user has to decide, and most users don’t know enough to allow or not. Some approaches like whitelisting of known safe processes help reduce the number of decisions faced by the users but this is still too difficult for many.

Another approach is what I call a “smart” behavior blocker. Here the system doesn’t just alert on any one event or behavior, but builds some kind of intelligence into the system so it tries to determine whether the process is indeed malicious or not based on many factors, including the sequence of behavior.

So a process setting an autostart registry key alone might not be flagged, but one that does that followed by opening up a port, an outbound connection and replacement of explorer.exe would indeed be flagged as highly dangerous, because these behaviors in combination are characteristic of malware.

Here’s a description of one of them:

“To scrutinize the behavior of all processes, ***** uses kernel level monitors which watch every file operation (creation, copy, deletion, etc.), every process creation, modification and termination, every network communication (inbound and outbound) and every interaction with critical components of the operating system (registry, etc.). At the core of ***** is a process behavior analysis engine coupled with a set of specific pre-defined security rules which describe what is unacceptable from a process behavior analysis. The rules cover a wide range of events related to file operations, network operations, and interactions with the operating system. Every event from every process is efficiently analyzed by ****. When a rule is triggered, **** can terminate the detected malicious process.”

Unlike antiviruses that rely on code-based detection, such behavior blockers (which may also use code-based scanning as one criterion) can detect unknown malware, because what they are flagging is generic behavior and not code sections.

They are also less noisy than their dumb cousins that alert on pretty much everything.

The negative point of course is that such behavior blockers can indeed be fooled. E.g. if I knew the software looked for a process to do X, then Y, then Z, I would not do Z and do Z2 instead. It’s not so crude, but you get the idea.

Dumb HIPS can never be fooled because they play safe and alert on everything.

This is theory only of course; in practice the line is a bit grey. For example, some events are considered so dangerous that any process causing this event will always trigger an alert for both “smart” and “dumb”.

Kaspersky Proactive Defense by default is closer to the “smart” end of the spectrum, but can be tweaked to the dumb end (alert on everything).

A-Squared Anti-Malware Intrusion Detection System is marketed to be closer to the smart end as well. Also see Mamutu by the same company.

ThreatFire is definitely on the smart end, but has options to make it function like a “dumb” HIPS.

Comodo 3 has this new heuristic with a claimed 60% detection of unknown malware; this is possibly an aspect of the “smart” HIPS. One wonders though what the FP rate of this new heuristic is; one can easily get high detection hit rates if one doesn’t care about FP rates.

-edited by mod to remove empty spaces-
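As an added illustration of the “dumb” versus “smart” distinction described in the post above (example code written for this thread, not from Comodo or any product named here): a toy event-stream monitor that in dumb mode prompts on every monitored event, and in smart mode only reaches a verdict when one process performs the autostart-key, port, outbound-connection and explorer.exe-replacement sequence, or an always-alert event. The event names, the constructed sample stream and the choice of driver installation as the always-alert event are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs): (pid, event, detail).
# pid 100 performs the full sequence from the post; pid 200 is a benign
# updater that only sets an autostart key and talks to the network.
EVENTS = [
    (100, "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    (100, "port_open", "tcp/4444"),
    (100, "net_out", "203.0.113.5:4444"),          # TEST-NET address, constructed
    (100, "file_replace", r"C:\Windows\explorer.exe"),
    (200, "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sync"),
    (200, "net_out", "203.0.113.9:443"),
    (300, "driver_install", "audio.sys"),
]

MONITORED = {"registry_set", "port_open", "net_out", "file_replace", "driver_install"}

def dumb_hips(events):
    """'Dumb' mode: surface every monitored event as a user prompt, no verdict."""
    return [(pid, ev, detail) for pid, ev, detail in events if ev in MONITORED]

# Sequence rule from the post: autostart key, then a listening port, then an
# outbound connection, then replacement of explorer.exe, all by one process.
SEQUENCE_RULE = [
    ("registry_set", lambda d: "\\Run\\" in d),
    ("port_open", lambda d: True),
    ("net_out", lambda d: True),
    ("file_replace", lambda d: d.lower().endswith("explorer.exe")),
]
ALWAYS_ALERT = {"driver_install"}  # assumed always-alert class; the post names none

def matches_in_order(observed, rule):
    """True if the rule's steps appear in order (not necessarily adjacent)."""
    step = 0
    for ev, detail in observed:
        if step < len(rule) and ev == rule[step][0] and rule[step][1](detail):
            step += 1
    return step == len(rule)

def smart_hips(events):
    # 'Smart' mode: per-process verdicts based on event combinations.
    history = defaultdict(list)
    verdicts = {}
    for pid, ev, detail in events:
        history[pid].append((ev, detail))
        if ev in ALWAYS_ALERT:
            verdicts.setdefault(pid, "alert")
        elif pid not in verdicts and matches_in_order(history[pid], SEQUENCE_RULE):
            verdicts[pid] = "terminate"   # the quoted rule engine's response
    return verdicts
```

Dumb mode produces seven prompts for the same stream on which smart mode returns two verdicts and stays silent for the benign updater.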

False. Prevx does a lot more behaviorial analysis. CPF 3 is mainly similar to SSM type software, with whitelisting via digitally signed files.

The new “heuristic” is perhaps the closest thing it has compared to Prevx.

I think you will find that we do one of the most sophisticated analyses in the marketplace compared to other HIPS!

thanks
Melih

Big claim. Considering that your heuristic was just added suddenly without any testing in any public test version…

How exactly is that false? The use of an extended whitelist/blacklist in order to determine what’s allowed to run, rather than a bombardment of pop-ups asking permission for everything, is SIMILAR to the PrevX approach. I didn’t state that the 2 products were the same; in fact I’m using both with no issues.

Who says I am referring to that heuristic module :wink:

You are missing the point about the kernel level analysis defense+ does. That Heuristic module is a very powerful malware analysis module, however I wasn’t referring to that :slight_smile:

Melih

That’s the only really analytical part of yours.

You are missing the point about the kernel level analysis defense+ does. That Heuristic module is a very powerful malware analysis module, however I wasn't referring to that :)

So what are you referring to exactly? The rest of defense+ is as “smart” as processguard (which is to say it isn’t).

Are you able to discuss the methodology of the kernel level analysis that Defence+ does, without giving away any trade secrets, Melih?

The Prevx approach is much more than just the use of extensive whitelists. I guess you haven’t been reading the Prevx forums? Too bad the report they released a while back on the inner workings of Prevx is no longer available.

According to the report, and just about every claim made by their reps, the main strength of Prevx, is their behavior analysis heuristics loaded on the servers. Of course, this is what THEY claim, I have no way to verify that.

Panda’s “From Traditional Antivirus to Collective Intelligence” report makes a similar claim.

But then again I see in this thread Melih is making a claim about “sophisticated analysis”, though I see very little sign of that… :slight_smile: