HIPS or BB

Which is the most secure setting, HIPS or the BB? I currently have HIPS turned on and BB turned off; the HIPS is on safe mode. Is it okay to turn off the behavior blocker when HIPS is enabled?

Yes, if you are an advanced user and know how to answer HIPS alerts. But having just HIPS is not secure in my opinion. So I have HIPS on (safe mode) and BB on (untrusted). If something goes wrong, the other security layer can back it up.

That’s a good IDEA! Can you run them together, with no clashes etc.?

Depends on what you mean. They don’t clash in the sense of creating conflicts; however, if you sandbox something, that won’t give you HIPS alerts. HIPS is still active in the sandbox, but the alerts aren’t. (It’s something I hate about the sandbox.)

Correct me if I’m wrong, but isn’t HIPS still active (CIS 5 style) when BB is enabled and HIPS is disabled?

It’s enabled but doesn’t generate alerts, so CIS decides what is allowed and what isn’t.

And that is the beauty of it. No more alerts for safe actions by safe things. I, personally, will never enable HIPS when it is actually already active as the hidden backbone of the Behavior Blocker. I’m happy with putting my trust in my security software. If you don’t trust it, why use it?

Another thing is this. If you have the BB set to untrusted, which will block anything unknown from performing any harmful actions, why would you need HIPS on at all? Especially in safe mode, which, just like the BB, only kicks in for unknown things. It seems to me that you’d just be getting needless alerts for things that are being prevented anyway.

What if you run an unknown app that you KNOW is safe? Then you will have to go into the GUI to take it out of the sandbox. This is why I prefer HIPS: I can just allow the app as an installer.

No, you don’t. You just tell CIS in the BB alert not to restrict the app again, and it automatically gets added to the trusted list. There is no need to go into the GUI unless you have set the BB to blocked, which does not give the alert and, in my opinion, is an unusable setting because of that.

I guess this is why CIS is so great: it can be configured in so many different ways. It can please most people.

+1

Yes, you can. Many do. HIPS would just be double-checking the files.

I don’t trust Comodo to decide which applications are allowed and which aren’t, hence why I run HIPS in Paranoid and Firewall in Custom, so I’m not using it in the way you describe. I can trust them in some ways, as in I trust them not to track me, but I can also decide not to trust what they let into my computer and what they don’t. I want to be the one who decides that.

If you have BB set to untrusted, many applications won’t even work, so then why even run it in Untrusted and not in “Blocked” mode? Why would you want malware to run at all? And if you know the file is safe, then you’d allow it to run outside the sandbox, no? So then please tell me why to use Untrusted instead of Blocked?

And as you say, it only kicks in for unknown things. I personally don’t want it to only kick in for unknown things; I want to use CIS the way I want to use it, which is to block everything until I decide it’s a safe application.

However, we have been over this in how many threads? And how many times have I said that not everyone wants just one and the same thing? A few times at least. Yet this topic always seems to come back up with the same things being said.

CIS doesn’t just have one way to operate; there isn’t one setting to rule them all. There isn’t just one correct way to set it up. You may have a config that is perfect for you, and I’m happy that you have been able to find that, however that doesn’t mean that it’s the perfect setting for everyone else.

CIS can be what you want it to be: a tool for scanning files, a tool for sandboxing unknown files, a tool for blocking incoming connections, a tool for blocking everything unless you say to allow it, and then there are so many more configurations.

Yes, I agree that CIS should have the current options, and I agree that it should have the current way of dealing with things, like for example a silent HIPS in the sandbox. But I do not agree that it should be the only option available; in my opinion, I should be able to turn on HIPS alerts in the sandbox. Why can I do it for safe applications outside the sandbox but not for unknown applications inside the sandbox?

Now please tell me, even though we have gone through this so many times in so many threads, why does it seem like the whole conversation resets as soon as it skips into another thread, and suddenly it goes back to only being one god-given setting to rule them all?

Many different opinions. I use ‘untrusted’ and not ‘blocked’ because I can see the Comodo alert, not just the ‘error message’. Also, with keyloggers on a 64-bit system, if I just run the BB on ‘untrusted’ and it gets sandboxed, it can still sometimes work (no idea why), while if I run HIPS (safe mode) I see the alert from HIPS first and select the action to block the keylogger, so it fails to even start.

This is because the HIPS in the BB automatically allows some ways of logging keys; the power of automation! Whereas if you could get alerts from HIPS, you would be able to block it easily.

That makes sense. Yeah, that’s why I use HIPS and BB. Thanks. :-TU

Question: Do you get alerts from HIPS when you run things within the sandbox? I don’t. Hence, while a keylogger running outside the sandbox would be stopped by the HIPS, that isn’t the case in the sandbox, and I can’t find a way to make HIPS give alerts for things inside the sandbox.

Optional HIPS alerts for sandboxed items would be a huge plus in my opinion; you don’t need to put them on by default, but at least give us the option.
The reason is that I want to be able to control and limit safe applications but not have them enter the sandbox, while unknown applications should be sandboxed as Fully Virtualized but with HIPS enabled and giving alerts (currently not possible).

First off, the blocked setting of the BB just blindly blocks things, with no alert given and no option not to restrict the app again. This makes it necessary to manually remove the file from the unrecognized list and then manually add it to the trusted list. You really have no idea what has happened other than the file not running at all. In the untrusted mode, you get the alert and the option not to restrict again. When you choose this, the item automatically gets added to the trusted list, and all you need to do is restart it. That is a pretty big difference between the two modes.

As far as the rest goes, I have never presented anything as being the only way to go, but simply as the easiest way to maintain a high level of security. Maybe I’m not completely right, but it seems to me that enabling HIPS alerts for actions that are already being restricted by the BB in the untrusted mode is redundant.

The title of the thread is “HIPS or BB”, not “HIPS and BB”.

So then, if the Blocked setting had alerts that allowed you to trust files, would you switch to that instead of using BB in Untrusted?

Personally, I believe in an option that lets you choose this as soon as an unknown program starts, so instead of automatically sandboxing, you get an alert from which you can decide whether to sandbox it, let it run outside of the sandbox, or block it. That’s probably not going to happen though, since not many others seem to like that idea.

Not everything is blocked in BB; for example, some ways of key logging are allowed, while this would be blocked with HIPS using alerts (if you choose to block it).
You really can’t see the HIPS in BB as the same as the HIPS outside the BB. That’s because the HIPS inside the BB seems to be using a rather dumbed-down light version of HIPS, hence the allowed key logging using some techniques. All the malware creators have to do is test which techniques are allowed.

However, if you’re using HIPS in Safe mode and have BB enabled, I really don’t see the point of that. I haven’t really tried it that much myself, but it seems like it doesn’t really do anything, since if you sandbox something then it’s the silent version of HIPS running; hence the HIPS set to safe mode really doesn’t do anything if you are sandboxing things.

[quote]However, if you’re using HIPS in Safe mode and have BB enabled, I really don’t see the point of that. I haven’t really tried it that much myself, but it seems like it doesn’t really do anything, since if you sandbox something then it’s the silent version of HIPS running; hence the HIPS set to safe mode really doesn’t do anything if you are sandboxing things.[/quote]
That was exactly my point. The HIPS in safe mode only kicks in for unknown things, where the BB is already doing its thing. This would make the HIPS redundant, if it even worked at all.

Just one last thing: when something is restricted by your chosen level of the BB, it is not sandboxed in any way unless you have enabled and chosen the fully virtualized setting. In all of the other settings, it is merely having some or all of its possible actions blocked by the underlying HIPS functions, depending on the level of restriction the user has selected. This is not sandboxing.