HIPS POLL!

Hi all, (:WAV)

I had this idea of a new poll as I progressively become aware of the evolution of HIPS (Host Intrusion Prevention System) on our desktop systems. Since HIPS interferes at the lowest possible level in Windows, it appears to me as possibly more efficient than other anti-virus or anti-spyware solutions, which are based on databases of signatures and files. I don’t know if the way is to integrate HIPS into actual anti-virus or anti-spyware software, or if it is in stand-alone applications that could possibly replace any other kind of security software (except firewalls) in the near future… :THNK

                                                         apache (:KWL)

admin, feel free to move this poll/topic to another section. I posted it here because it seems that the beta corner is the most visited section in the Forum. If not, it is at least the most interesting one… (:WIN)

If not, it is at least the most interesting one...

I agree with that :). If HIPS can replace AV and AS, that would simplify security software. The question is whether it may be too complicated for general PC users. I trust version 3 will be mostly automated, with most decisions already set (R).

But HIPS is new relative to AV and AS technology, so I voted for “Don’t Know” :-.

I vote Yes, but with the following qualifier: HIPS protects better, when used in conjunction with AV and AS applications.

I do not think that HIPS, by itself, is the answer/solution. A HIPS which would block every malware no matter what, would be so intrusive/obnoxious/overwhelming that you would not be able to function normally on your system. If it did it automatically, I think you’d lose your access to the internet, etc. If it required user interface, you’d have a never-ending stream of popups. Simply because the malware is constantly changing its approach and strategy. No security app can keep up, so to make something strong enough would bog everything down, and probably use all your system resources. Which would solve the problem, :wink: in that you wouldn’t get malware, but you also wouldn’t be able to use your computer anyway. ;D

There are so many different approaches to HIPS; some work off of definitions, similar to an AV; some are more heuristic, looking for types of activities; some monitor every single action and want you to approve it. Some work well on one system but not on another (I tried Prevx1 and it froze my system completely). As Soyabeaner said, it’s a newer, less established technology that is basically still in development. I think that’s the route, or wave, of the future, but you still have to have a balance.

If, with a HIPS, you do get malware that the HIPS didn’t catch/stop (or let you “allow” it), then what do you do? How do you even know you have it? That’s where AV/AS software comes in, to detect, quarantine, and possibly even remove for you.

Having AV/AS/HIPS/FW all integrated together ensures (hopefully) that they play well together, but tends to leave the impression (whether right or wrong) of not being as effective as stand-alone products. On the other hand, if you go for stand-alone products mixed together, you may have conflicts and difficulties between them. Multiple HIPS, multiple AVs, multiple FWs don’t seem to play nicely, in general. Multiple AS’ (I’m gonna leave off that 2nd “s”…) seem to do okay, as long as they don’t combine elements of the others…

LM

Look, although I’m really interested in the subject, I must admit I’m not a specialist at all. I’d like anyway to mention a program that seems to do quite well, even if after a first approach you’d think “WOW!!, this is gonna be really intrusive!!! and pop up thousands of alerts.” I’m talking about “System Safety Monitor”. First you can put the program in “learn mode” for a while. After 2 or 3 reboots, you can switch back to normal mode, and you’ll notice that the program has now integrated any “safe” program that belongs to your system, probably referring to a database of its own; it has also applied rules to these applications, without having prompted you for anything. Now that you’re back in normal mode, any attempt to change these rules, or any change in a file signature, will lead to an alert where you’ll have to decide what to do. And this does not sound too intrusive to me.

On top of that, this program allows you to control writing to the registry (allow or not allow an entry to be written during a new program installation, for instance). You can choose exactly what kind of alert you want and what other kind you do not want to see. You’re free, and that concerns the registry, but also services etc… the program is fully customizable. My favorite feature is, under application rules, the ability to keep (for each app) a process in memory. Which means, for instance, that if anything attempts to stop your firewall or your anti-virus shield, then SSM will restart it 1 second later. I’ve tried this with Comodo Firewall and it works perfectly. Just don’t forget to remove the setting before you reboot (that’s a problem). You can also prevent any application from starting without your consent, by passwording the SSM UI. The program can be active and the UI “disconnected”. In that case any process marked by you “block by disconnected UI” will never be able to start from a hidden script or anything else, or anyone else.

Well I definitely think that the guys who developed this program have some kind of genius. There is absolutely no equivalent to SSM, at least not that I know…tell me what you think

But I agree with you that after all, you’ll always need AV+AS software. I just don’t understand why so many of them are able to detect malware only once it’s too late, I mean after a scan. Why did their resident shields not prevent access in the first place? Database not properly updated, or zero-day exploit? I hate Internet Explorer but my wife uses it on my system. How come I always have either to empty the cache manually or manually scan with Ad-Aware, Spybot S&D etc… to find the spyware stuff by myself? And these anti-spy programs are resident!

Another example: once, just by clicking on the link of a car reseller inside a google search, I got an AVG alert telling me that a virus was being downloaded! Some kind of win32 exploit, related to an activeX. And I blocked the ActiveX!!! The virus was nevertheless downloaded. AVG could see it but could not stop it. I had to give my system a scan with avg, could remove the virus and heal or remove infected files. Anyway that was the day I decided to stop using Internet Explorer forever, as Firefox does not use ActiveX controls. There are hundreds of other reasons why I prefer Firefox but that’s another topic…I did not have any hips installed by the time this happened, so I cannot tell how things would have been if…

I reported the Virus and it’s link to Google, to the French authorities and god knows to what else. And that was useless. I know it cause I checked the link again, knowing that this was a very minor virus. Of course with Firefox nothing happens, but with IE it did happen again. Which means that even though I reported the bloody virus, nobody cares!!!

Here’s a link to a website that has some info on HIPS-type programs.

http://www.av-comparatives.org/

You’ll go to the “Comparatives” link. On that page, scroll down to the bottom half of the page, and follow the link to the “Comparative of various protection tools / October 2006”. They specifically state that no one is allowed to post links other than to their main page, or I would’ve given a direct link.

I thought they discussed SSM, but that was not one of the products tested.

LM

PS: They have some good info on what AV programs are, what they do, and how they do it.

thanks I’ll check that,

here are some where you’ll find stuff about hips:

http://wiki.castlecops.com/HIPS/IDP_programs/services

Part of the thing is understanding the different program types, and what they are designed to do.

Just as in the Matousec FW tests discussed in this forum, there are different concepts…

But it seems that users these days expect each software to take care of all their needs/wants/desires (no offense to anyone intended).

If we have an AV/AS program, we expect it to not only detect the instant that we touch any malware, but to isolate and destroy it. In other words, if there’s a trojan on a website that we visit (even if we haven’t downloaded it yet), we expect our software to say, “Hey! There’s Trojan ABC.a.b.c.Win.slapsyouwithafish.32M on this website. We have created a protection layer so that you cannot accidentally download this Trojan. If you actively download it anyway, we will immediately vaporize the Trojan with our deadly Trojan-Vaporizer Ray Gun.” Then when we do download it anyway, we want it to say, “Hey! You just tried to download Trojan ABC.a.b.c.Win.slapsyouwithafish.32M from this website. We just vaporized this Trojan with our deadly Trojan-Vaporizer Ray Gun.” Then we say, whew! Dodged that one! Hurray for AV/AS!! But that’s really outside the design of such a program. The intent and design of AV/AS software is to detect malware once it is on your machine. Hopefully it will do this before an infection actually occurs. Most are not designed or intended to remove the malware; at best they can quarantine it, so as to neutralize it. Some do claim to remove, as part of the package, but for the most part they do not seem to be very good at it. You need separate individual removal tools, targeting the specific threat/infection.

If we have a FW, we really want it to do the same thing. You look at the Matousec reviews, they tested all sorts of things that really do not fall into the definition of a Firewall; monitoring processes and things like that. And stopping/killing malware is really not what it’s supposed to do either. Not before it’s on our machine. A software FW is only intended to keep things in that are not supposed to get out. A hardware FW is supposed to keep things out, but that only applies to penetration attempts; it will not stop something that you have allowed (ie, a download, etc). I want to take a second to note, however, that there is at least one known, documented instance of Comodo’s Firewall (and not the most current version, even) alerting a user of suspicious activity by something that turned out to be a new variant of a virus. The user’s AV had the definitions to detect it, but failed to do so. The Firewall caught it; not because it was scanning for viruses (NOT the firewall’s job), but because the virus (a mass-mailing worm) was trying to get back out of the computer; thus, it prompted the user to block the connection.

This is where HIPS comes in. It seeks to bridge that gap between detection of an existing problem, and prevention of the problem ever happening in the first place.

Some AV programs (such as Comodo’s) are integrating a HIPS feature to provide better protection, as a first line of defense. Comodo’s FW will soon contain a full-blown HIPS that will protect on a multitude of levels. Just like getting your teeth cleaned on a regular basis so you don’t get tooth decay and gum disease, prevention is the key to keeping your computer safe and secure from malware. Here’s the rub with any of this PC security software: The more it does, the more resources it uses. The more resources used, the more user complaints about the product. The more complaints about the product, the less people use it. The less people use it, the more the product gets reduced, and the less effective it becomes. Look at the complaints towards CPF here in the forums, that it uses more resources than (whatever previous FW was used - Outpost, Kerio, Sygate, LnS, Norton, whatever); users don’t like software that consumes resources! But at the same time, they demand security. Sometimes, there is no compromise, and we (the users) need to understand exactly what our software is supposed to do in the first place. We should not place expectations on it that it is not supposed to fulfill in the first place.

Another aspect of HIPS is the reliance on user decision. Some HIPS don’t; they function on full auto, with a user-adjustable level for the amount of authority the HIPS has. If you set it for high, the HIPS can actually destroy your system if it objects to something that’s happening. If you set for low, you have no protection. Somewhere in the middle is probably okay, but you’re left wondering if good things are actually being stopped (at least I would, as a user). On the other hand, while the user-decision style of HIPS will solve that problem, then the user has to know whether or not to allow the action to take place. Therein lies the big problem there. In the example I gave above, with CPF catching activity of a worm, the user was upset because CPF was causing problems with his internet connection; he had blocked the worm, and CPF wouldn’t let him continue to connect. Why? Because he chose to block the worm! He didn’t even know he was blocking a worm; all he wanted was his internet connection restored. Who can blame that? But the firewall was designed to stop all connections; after all, there is obviously a threat, and it might try a different route. But the user has to be aware of what is actually going on, and what to do about it.

Well, that’s probably enough out of me for now… ;D

LM

Thanks for spending so much time on your reply. I found your answer very useful. And it could probably benefit other users in this forum who read this topic.

Well, I agree on the point that it must be hell for developers to find the right compromise between users’ expectations, program efficiency etc… it must also be hell for them to deal with contradictory users’ expectations, like program efficiency and resource-demanding security software. The worst is when users start to think that the software should think for them when it comes to taking a decision about an alert, when it’s up to the user to fully understand the implications of his decision. That’s where I come to what you said, that one should not expect a program to do something it was not made for in the first place. And actually you’re right, an AV cannot stop a virus from being downloaded, it can only tell when it’s there, in your system. God, how could it know that the link was suspicious… A firewall could stop that, but if you’ve allowed the download in the first place… god knows… then come HIPS, maybe… that’s it for now. Bye!

p.s. the latest 2 or 3 betas of CPF are not resource demanding at all. If you want to experiment with some really really really resource-demanding stuff, give the beta of Norton 360 a try! This is hell!
(between 5 and 10 minutes between Windows logon and being able to use anything in Windows)

Thanks, LM. Interesting indeed :).

I’m a complete newbie with HIPS. Recently installed Spyware Terminator with HIPS enabled. Quite easy to use. I think it mainly relies on a white list (after scanning your system), so there are no problems of conflict, nor does it negatively impact normal system operations. This may be an over-simplified question, but is it true that if, whenever a new/unknown executable is opened, you constantly block it at the HIPS alert, there’s almost no way your system will be infected with malware? What if the malware file is disguised with a known extension like something.html? I suppose that’s where all those extra file integrity checks come in ???

p.s. the latest 2 or 3 betas of cpf are not resource demanding at all.
More features usually equate to more resource consumption, but if that's true then hats off to the development team (:CLP) for amazing work.

I use Spyware Terminator too, together with SSM. The problem with Spyware Terminator is that it only seems to worry about DLLs, for example, at program installation time. It never tells you about a change in signature like SSM does. For instance, if you uninstall a beta of Comodo Firewall and reinstall a new one, SSM will tell you that cpf.exe is not the same cpf.exe as the one from the previous installation, and you get prompted to allow the change. Spyware Terminator does not do that. That’s why I doubt the efficiency of “automatic HIPS”. I’m not even sure that Spyware Terminator deserves the name of HIPS, because it relies too much on a white list, and seems unable to analyse new events; it just ignores them.

To your question: well, Spyware Terminator says it’s taking care of file extensions. Can’t tell if it would recognize a disguised file.

One thing I’m sure of is that SSM would prompt you to prevent a file that has been modified for no known reason from becoming active and harming your system.

Wanted to add, like Little Mac said, you can’t rely just on HIPS, because that would imply that you have to answer thousands of alerts to protect your system and files. So to be effective against malware you still need an anti-virus + anti-spyware based on a database of signatures from suspicious files like viruses etc…
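As an added illustration of what the posts above describe (SSM’s learn mode followed by alerts on a changed cpf.exe, and the question about a file disguised as something.html), here is a small Python sketch of the two checks involved. It is not code from SSM, Spyware Terminator or Comodo, and the file names, the “beta-1”/“beta-2” contents and the magic-byte table are constructed for the demo only; a real HIPS does this from a kernel driver at process-start time rather than by walking a directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: a short magic-byte table is enough to show the idea; a real
# HIPS inspects far more than the first four bytes of a file.
EXECUTABLE_MAGIC = {
    b"MZ": "pe-executable",       # Windows PE/DOS header
    b"\x7fELF": "elf-executable",
    b"#!": "script",
}
# Extensions a user would not expect to carry executable code.
NON_EXECUTABLE_EXT = {".html", ".htm", ".txt", ".jpg", ".png", ".pdf"}


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sniff_type(path):
    """Classify a file by its leading bytes rather than by its name."""
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return "data"


def learn(root):
    """'Learn mode': record a hash for every file under root and trust it."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def check(root, baseline):
    """'Normal mode': compare the tree with the baseline and return alerts.

    Each alert is (reason, relative_path). A file whose hash changed since
    learn mode is 'modified' (the cpf.exe-after-reinstall case); a file not
    in the baseline is 'new'; a file that looks like data by extension but
    starts with executable magic is 'disguised' (the .html-that-is-an-EXE
    case). A real HIPS would prompt before letting such a file run.
    """
    root = Path(root)
    alerts = []
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            alerts.append(("new", rel))
        elif baseline[rel] != sha256_of(p):
            alerts.append(("modified", rel))
        if p.suffix.lower() in NON_EXECUTABLE_EXT and sniff_type(p) != "data":
            alerts.append(("disguised", rel))
    for rel in baseline.keys() - seen:
        alerts.append(("missing", rel))
    return sorted(alerts)


def demo():
    """Constructed scenario in a temp directory; returns the alert list."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-ins, not real binaries: a PE-looking header suffices.
        (root / "cpf.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"beta-1")
        (root / "readme.txt").write_bytes(b"plain text, unchanged later\n")
        baseline = learn(root)                      # learn mode: both trusted

        # "Reinstall" the firewall: same name, different bytes.
        (root / "cpf.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"beta-2")
        # A download named like a web page but carrying an executable header.
        (root / "something.html").write_bytes(b"MZ\x90\x00\x03" + b"\x00" * 60)
        return check(root, baseline)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"ALERT {reason:<10} {path}")
    # Expected:
    # ALERT disguised  something.html
    # ALERT modified   cpf.exe
    # ALERT new        something.html
```

The unchanged readme.txt produces no alert, which is the whole point of learn mode: the baseline is what lets a HIPS stay quiet for software you already had, and only the reinstalled cpf.exe and the mislabelled download draw a prompt.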

Thanks for answering, apache255. Ugh! (:AGY) That’s what I’m trying to avoid: constantly relying on updated signatures and scanning software. I currently have Comodo Firewall (of course), NOD32, and Spyware Terminator. I’m not going to install more security programs because that’s the reverse of the path I’m aiming for (recently uninstalled Spybot because I no longer need it; good program, though).

So you think ST only detects baddies based on filenames and dll’s? If so that would be too basic, but would explain the low resource usage.

No, because SSM, which is more efficient about changes and gives very relevant alerts about them, is not resource intensive at all. It’s just that ST does not do what it pretends it does… too much work for the dev team, I suppose :SMLR

I tried ST with its HIPS, but turned off the HIPS very quickly, and later replaced the program with SpyBot S&D (without TeaTimer running). I didn’t like ST’s HIPS, as it seemed very noisy and intrusive. I felt like I was constantly answering popups, and the alerts were slow in responding to my clicks. :frowning:

I checked out CyberHawk, and have found it to be pretty decent. Not too invasive, but it seems to be pretty effective. It works off definitions/safelist, along with (I believe) application behavior. It was engineered to have low resource consumption; it puts a little load on the system, but not too much. So far, it’s been pretty quiet. Since I’m using the latest CAVS Beta, I have the HIPS there in addition to CH. They seem to function a bit differently, and I have had absolutely no conflicts between them.

That’s something else I didn’t mention in my diatribe on HIPS & security; a lot of HIPS use a safelist and/or definitions; those that have any kind of automatic settings usually seem to. CH doesn’t run on Auto - it asks, but one of the things I like about it is that its popups are very understandable. It really does a good job of explaining what is occurring, and what type of threat it is. I think Comodo would do well to see what CH does for their popups.

The only downside (at present) to CH is that in order to get updates to definitions/application/etc, you have to have the “Community Protection” turned on. This allows Updates to be turned on, but also means it phones home regularly. This helps keep CH developers aware of threats stopped, new threats (based on user action), and aids in the future of the product. However, some users don’t want to participate in that, but still get the updates. In future versions (which you’ll get if only you allow the connection… :wink: ) you will be able to have Updates turned on with Community turned off.

LM

That’s where ST leaves you the choice between sending or not sending info to the dev team. I chose not to; it’s a privacy matter. And ST keeps being fully functional without that (auto-update included).
Well, I personally find ST not intrusive enough (lol), except at program installation time. That’s when I switch it off, because I think it’s only useful when you use your apps, not when you install them. After a scan of your drives ST will know about all installed apps anyway, and then, and only then, you’ll be able to switch on HIPS. So it’s obviously good to scan regularly with it.

After what you told me about CH, I don’t think I want to try it.

Oh yes, don’t forget after an ST scan to check the results closely, and move any app detected as unknown, but known to you, to the safe application list… maybe you had so many alerts because you forgot to do that. I personally complain about not having enough alerts with ST (:SAD)(lol)

CH seems too “involving” then :P. I’ve read various reactions towards CH, as I have towards ST. Different versions, different systems, different opinions.

I haven’t even received malware in a long time. The only recent ones are htm files picked off by NOD, which are easily and immediately removed (if not, even CCleaner will do :D). I’ll just stick to Comodo’s HIPS once it comes out, leaving me with just 2 real-time security programs. Any more will be redundant (for me).

I agree with you!

Similar to CyberHawk, there is Prevx1, a community-based HIPS.

I prefer having AV to secure my computer though.