HIPS in the upcoming CPF

In light of this new forum regarding security questions and HIPS, the following are quotes from a thread in the firewall forum that seem pertinent… (the originals are here: https://forums.comodo.com/index.php/topic,4883.0.html )

#1

Well what is this HIPS all about?

It's all about the fight for CPU time!

Malware is useless unless it gets executed (eg: gets some CPU time). So what gets executed?
It's the instructions that get executed. OK, great, what are those instructions? They are what a software is made of. They tell the CPU what to do: eg: draw a line etc (of course these instructions are slightly different than just saying draw a line etc.). Anyway, malware has these instructions as well, so it tries to get the CPU to give it time so that it can also execute its own instructions. Of course those instructions are usually the kind of instructions that cause damage eg: wipe the hard disk, or some other nasty stuff like send keystrokes to the malware author etc.

So, who controls the execution of these instructions? Can any executable simply go ahead and execute? The answer is there is no control, and anyone can execute those instructions. There is no system saying: Hey I don’t like you, so I won’t let your instructions get to the CPU. There is no protection for the CPU. The CPU does not know who is good or who is bad. It simply executes any instruction it gets.

So, that’s where the HIPS comes into the picture (at least the HIPS that we are developing). Our HIPS is a layer of protection around the CPU (kind of) whereby all the instructions (at least the important ones) are checked before they get executed. So no instruction can be executed without CPF HIPS’s approval. What this means is CPF HIPS controls the execution of all instructions. It checks to see where this instruction is coming from: if good software, that has already been verified by Comodo, is trying to execute some instruction/command then CPF HIPS allows that; if an unknown application/malware is trying to get some instructions executed, then CPF HIPS will say, NO! The bottom line is: If your name is not in the list you ain’t coming in!

This is a different approach than other security techniques utilised today eg: AV, where it lets things in, then tries to find if that was bad or not.

Your first line of defense against any known or unknown threat will be CPF HIPS. The biggest advantage is, it only executes known apps, so any unknown or new threat will be caught and won’t be executed with CPF HIPS.

Melih

#2

I know someone's going to ask, so I'll go ahead and pony up...

Does that mean it’s going to stop my applications, just because it doesn’t know them?

If it’s a safelist-based HIPS, how/when does my system get updated on the safelist?

What if an application is masquerading as a “safe” app (say, Firefox); in other words, it either hijacks it (and somehow leaves the hash value the same), or names itself firefox.exe. Even if the hash is different, and HIPS alerts me, won’t I just allow it, if it says it’s firefox? (ie, how will I know the difference?)

That’s all the questions I can think to anticipate at this point… Grin

LM

and #3

Ok let me answer them:

1) Your applications are most likely to be in our safelist. If not, you can submit them for us to put them in. Currently we have over 130,000 verified applications in our safelist. This number is growing by 2000 a day and we are increasing this number further.

It is easier to find good applications and create signatures for them than trying to find viruses and create signatures for them! This way, you can make sure you will never have any Day Zero viruses in your machine because your AV provider is yet to get the signature.

2) If there is an application that is new to your CPF HIPS, then it makes a web lookup to Comodo to see if we have it in our system or not. If we do have it in our system you get the signatures straight away thru that lookup; if not you get the choice of submitting it to us. We are working on ways whereby we can create a quick turnaround of these submittals. However please note that we will be very aggressive when it comes to creating a huge safelist db! This is the key to the success of any HIPS!

3) We use cryptographic signatures. You simply cannot fake them with the computing power available.

Melih
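As an added illustration of the safelist model described in posts #1 and #3 (example code written for this page, not Comodo's own), this toy check treats the content hash, not the filename, as a program's identity, which is also why the masquerading firefox.exe asked about in #2 gets flagged rather than waved through. The byte strings, product names and the vendor lookup callback are constructed assumptions standing in for real binaries and the web lookup the thread mentions.

```python
import hashlib

# Constructed stand-ins for executable contents (not real binaries).
TRUSTED_FIREFOX_BYTES = b"MZ\x90\x00 constructed: genuine firefox build"
LOOKALIKE_BYTES = b"MZ\x90\x00 constructed: unknown program calling itself firefox.exe"
NEW_GAME_BYTES = b"MZ\x90\x00 constructed: freshly released game, not yet listed"


def content_hash(data: bytes) -> str:
    """A program's identity is the hash of its bytes, never its filename."""
    return hashlib.sha256(data).hexdigest()


# Local safelist: content hash -> (vendor-verified product, expected filename).
LOCAL_SAFELIST = {
    content_hash(TRUSTED_FIREFOX_BYTES): ("Mozilla Firefox", "firefox.exe"),
}


def decide(filename, data, safelist=LOCAL_SAFELIST, vendor_lookup=None):
    """Default-deny execution check. Returns (verdict, reason) with verdict
    one of "allow", "deny" or "ask".

    vendor_lookup is a hypothetical callable(hash) -> entry or None that
    models the online lookup from post #3; pass None to model being offline.
    """
    h = content_hash(data)
    entry = safelist.get(h)
    if entry is None and vendor_lookup is not None:
        entry = vendor_lookup(h)
        if entry is not None:
            safelist[h] = entry  # cache it so the next launch needs no lookup
    if entry is not None:
        return "allow", f"{filename}: hash {h[:12]} is safelisted as {entry[0]}"
    # Unknown hash. If the filename imitates a safelisted product, say so, so the
    # user can tell a masquerade from a program that is merely not listed yet.
    imitated = [prod for prod, exe in safelist.values() if exe.lower() == filename.lower()]
    if imitated:
        return "deny", f"{filename}: claims to be {imitated[0]} but hash {h[:12]} does not match"
    return "ask", f"{filename}: hash {h[:12]} is unknown; submit to vendor or allow manually"


if __name__ == "__main__":
    for name, data in [("firefox.exe", TRUSTED_FIREFOX_BYTES),
                       ("firefox.exe", LOOKALIKE_BYTES),
                       ("Crysis.exe", NEW_GAME_BYTES)]:
        print(decide(name, data))
```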

Melih,

I was looking at ProcessGuard recently, and the full version looks pretty impressive as far as capabilities. Very much a behavior-based approach, relying largely on user interaction. I’ve attached a screenshot from their manual, concerning different types of threats that it (the full version) stops (the free version only protects against Termination, Modification, and Reading). It has no scanning, no definitions, no lists. The user defines the type of protection desired for each application/process and PG does the rest (these settings can be changed by the user if needed).

Is the future CFP’s HIPS planned to incorporate any of these types of approaches, or is it strictly a whitelist of applications?

LM

[attachment deleted by admin]

These are fairly basic protections that any HIPS should have…
we, naturally, aim to have LOADS more… :wink:

Melih

Cool, now I know what HIPS is and it is really cool :BNC . Just one question, I am an addicted computer game player, will the HIPS system implement signature hashes for almost all computer games that need internet connectivity? What happens when a new game is released, say Crysis, until and unless I get the HIPS # for Crysis.exe I cannot play Crysis whatsoever, is that right, or will CFP pop up a message asking me whether to add the # of Crysis.exe to its HIPS list and let me continue with the game? Also what will be the approach when say due to some reasons your servers will be down and I can’t get an updated HIPS list from your server, will CPF let me play a game that is not included in the HIPS list?

Attached are some screenshots from the free version of ProcessGuard, to show some functionality about it that I like (why should I pay for the full version when I know Comodo’s is on the way for free…?). I don’t know how you plan these sorts of things, Melih, but I like some aspects of this.

The first shows what alerts/events have occurred; when you click on an item, it has more details about that item at the bottom, which can help identify what the item is. You can also access the detailed text logfiles from that screen as well.

The second shows the level of protection for each item, which can be modified by the user at any point. I cut off the screenshot, but there are options for the full version as well.

The third (and last) shows the actions taken/assigned to each item; this can be changed as well thru the context menu.

To me these aspects give a high degree of control to the user; it’s not operating in its own little world with which we have no interaction or control. To me this is very desirable; I want to know exactly what my security software (especially a HIPS) is doing/has done, and if necessary change it (since there is no doubt it will at some point automatically stop something that I want/need to run). This is better than just a deny/allow popup (which it also gives), because based on the settings, some things will occur automatically (just like an AV quarantining a suspect file).

I’m sure you guys have a great product planned for this HIPS; this is just some user pre-feedback regarding functionality/interaction… ;D

LM

[attachment deleted by admin]

Just some comments. Have not tried ProcessGuard, but it seems similar to System Safety Monitor. I have used several versions of SSM (several of both free and pay) and the pay version is more advanced as one would assume, but both could be extremely daunting for even an intermediate computer user; it would seem to be like Comodo Firewall application behavior pop ups and then some, you can fine tune every behavior concerning every application in minute detail. I have not tried the beta 2.x of CAV although forum comments discuss a HIPS so I cannot comment on that, but I like SSM a lot and personally would like something similar. I also realize this would be very overwhelming for a lot of users, and for a less experienced user something like version 2.x of Prevx is pretty nice, although I find it hard to categorize that program (but most HIPS programs seem to be unique). I merely wish to point out, more so than the firewall or antivirus market, HIPS could aim toward the expert or novice, possibly in the same product by way of some choices during installation. Prevx would be easy for an inexperienced user to install and use, requiring very little in the way of user interaction, but SSM can absolutely floor even moderately experienced users as it can give pop ups for absolutely everything. I can appreciate both approaches. As a user I like to fine tune a lot of things, but as someone who sets up and troubleshoots systems for other users a simpler approach can be much easier to manage and implement for others.

Well, it’s a difficult balance to get usability and security all in one easily. The magic for HIPS is the “safelist”. The bigger the safelist, the less noisy the HIPS is. OK great, but then how do you create this safelist, securely? Some companies have chosen to create safelists based on what users have classified as good, some have chosen not to have any. However, the industry wide acceptance for such a critical component as “what is a safe application” deserves more attention and a more secure approach.

That’s where Comodo comes in… Not only will we give one of the most feature rich and secure HIPS in the market place, it will also come with a huge Safelist. However, our safelist is created differently… hence we expect a huge market adoption of our technology.

Comodo is a Certification Authority. What that means is we validate companies that apply to us for Certification (SSL certificates, Code signing certs etc). So as “The only HIPS (Security) Provider who is also a Certification Authority” Comodo is in a unique position to provide a “Trusted Safelist” that will be acceptable in the industry for widespread adoption.

Our aim is to provide a seamless, quiet security experience using HIPS.

I believe we will be able to provide that very soon with v3 :slight_smile:

Melih

Being a Certification Authority does put Comodo in a very unique position, one that end users will only benefit from. I will shortly have CPF on all of my PCs, and have been recommending it to everyone I know. I am very impressed with both its power and usability, please keep up the excellent work. I do not mind a noisy HIPS, at least while it gets accommodated to each of my systems, as you learn some things that are going on that you weren’t aware of, and also learn how to fine tune certain things. I agree though having a large, and accurate safelist is a major part of effective security. :slight_smile:

As a new user to CPF I have been very satisfied and now that interest is growing with HIPS in CPF this sounds to be very promising. I’m sure that out there on the WWW there is going to be a lot of competition and so far from what I have been reading in this SHORT period of time it looks like McAfee Host Intrusion Prevention is developing software which seems to be “similar” to what CPF/HIPS will be but I am just speculating at this point. Any insight into ‘the competition’ and how CPF/HIPS will come out on top?

Best Regards,

Razorback

In true Comodo tradition… Competition will be enjoying the view from behind :wink:

we will innovate and bring products that are unmatched!

wait and see!

Melih

That is an interesting comment. I’m doubtful though. As you know better than me, the fact that you can be reliably certain that the person is who he claims to be is a completely different question from whether he is trustworthy or not. And there will be a lot of reliable and safe code from people who do not bother to get a digital cert from you.

Still it will be interesting to see what you come up with.

Littlemac seems to have fallen in love with the ProcessGuard style of HIPS (currently carried to almost absurd extremes by SSM and ProSecurity, where you almost need a masters in computer science to use it!) but I think anything more complicated than that is likely to be too difficult to use for most people.

I would much prefer the Prevx1, CyberHawk etc style which lifts the load from the shoulders of users by embedding some blackbox intelligence/heuristics + whitelists.

Ideally of course, both modes should be available.

I tried Prevx1, but was unable to use it; apparently it didn’t play well with my system, and/or vice versa. At any rate, after installing and until uninstalling in Safe Mode, it created a complete freeze, which was not desirable. Sad, I wanted to see how it worked.

I used CyberHawk for a while, and liked it. Then after an update it started saying that everything was a keylogger, and wouldn’t quit, so I moved on…

That’s part of the reason I like the way ProcessGuard works; there are no definitions, there are no whitelists, no blacklists, and no heuristic analysis of behavior. The definitions of allowed behavior are very clear-cut (and can be changed for any application). However, that does require a high degree of user interaction, which is probably not desirable to the majority of users. If you say that SSM and Prosecurity are even more so than that, whew!

I am very interested to see what Melih & Comodo bring to the table with version 3…

LM

Your assumption that only Comodo customers will be in the safelist is NOT correct!
Our safelist is independent of the Comodo Digital Cert buyers. Hence I maintain my position.

thanks
Melih

Actually with respect that is not my assumption. I’m not sure where you got that idea.

Sorry if I misunderstood what you said:

This line led me to this assumption: “And there will be a lot of reliable and safe code from people who do not bother to get a digital cert from you.”

That made me think that you think that the only people who we qualify as safe are the people who buy from us, which is not how our system works.

Melih

Hi, LM.
Have you tried SpywareTerminator with HIPS? Many users have said that it works very smoothly and that it is a great, small piece of software with no apparent conflicts. Best Regards.
PS: On one of my computers I am now trying the Online Armor 2.0 preview with firewall together with System Safety Monitor and Sandboxie while CPF3 with HIPS is not started up yet.

(V)

carioca, yes I have used ST w/HIPS. First time I didn’t like it because of the “noise,” so I uninstalled it. Tried it later, and I guess my perspective had changed, as it didn’t bother me so much any more. As far as conflicts, I have not noticed any with CFP. Of course, ST is not the most highly-rated antispyware application for the spyware it finds; the HIPS is probably the selling point on that. Kind of like CAVS 2.x… :wink:

LM