HIPS POLL!

Hello,

I would vote no. I believe this because HIPS cannot detect any viruses that are already on your PC, which is fine because in theory it should be able to detect their activity and give you the option to disable them. But what happens when you get a virus that passes itself off as another program? Sure, HIPS will ask you about it, but if the virus looks like a trustworthy app (i.e. Microsoft Office) and you have that specific app installed, then HIPS really doesn’t help. That is where detection comes in. And of course the firewall can help prevent all of this from happening. So in the end I believe HIPS is equal in protection to antivirus and firewall applications, and I think it is a great thing to have. That is why I am so happy Comodo Antivirus will have HIPS built in :)

A HIPS application like “SSM” can tell you straight away that an app executable, if it has changed, is not the same as the one you allowed to run in the first place. SSM examines files’ MD5 signatures constantly (that’s for the free version; the commercial one can implement new SHA-512 signatures for files, which, according to specialists in cryptography, is obviously still more secure). Now if the file has changed, you’ll be advised and prompted to allow or not allow it to run… That might not be ultimate proof of security, but that’s one step further than many other security software go…

Hello,

I understand that; however, if this is a less educated user, then all they would see is outlook.exe (for example) and allow it.

I agree that a full and sophisticated HIPS program is not meant for casual users, or average users who just want to surf the web securely without being aware of anything. That’s a normal issue, and not just in the field of Windows and internet security software. But what’s the solution then? More automated HIPS for average users? Such a program (I mean an efficient one) has not been developed yet, but I’m sure it will come in the coming 2 or 3 years. Programs like Spyware Terminator or Cyberhawk seem to have chosen that way, but I don’t trust them yet.

I agree, and that is why I think HIPS does not give better protection than antivirus and firewall software; I believe it gives equal protection. But that is simply my opinion. Programs change all the time (updates), and if you get infected between an update and using the program, then HIPS would prove to not be as effective. However, HIPS is a great protection method and I recommend it to the more advanced computer users :).

Also http://wiki.castlecops.com/HIPS_FAQ

http://wiki.castlecops.com/Different_classes_of_security_software

Interesting. Lots of firewalls are adding HIPS like features, not to mention antiviruses/antispyware like Counterspy and Spyware terminator. I’m preparing to add such products to my table of HIPS comparison on the wiki soon but I’m currently concentrating on specialist products.

The more it does, the more resources it uses. The more resources used, the more user complaints about the product. Users don't like software that consumes resources! But at the same time, they demand security. Sometimes there is no compromise, and we (the users) need to understand exactly what our software is supposed to do in the first place. We should not place expectations on it that it is not supposed to fulfill in the first place.

True but you guys at Comodo want to make your firewall beat all leak tests, that’s the price you pay. You guys are half-way to HIPS anyway.

Me, I prefer to keep my personal software firewall simple, so I don’t use Comodo. I supplement it with the currently best HIPS on the market, Prosecurity (SSM is a close 2nd). Of course, maybe 1 in 100 users will be able to use Prosecurity properly.

For such users I recommend a sandboxing type of software. Something like Sandboxie, Defensewall, GESwall, Bufferzone.

That's something else I didn't mention in my diatribe on HIPS & security; a lot of HIPS use a safelist and/or definitions; those that have any kind of automatic settings usually seem to. CH doesn't run on Auto - it asks,

You seem to contradict yourself. Popups are what make HIPS intrusive. If the HIPS has a safelist/whitelist of safe programs, it is to the advantage of the user that the HIPS silently passes them without prompting. Otherwise it is just plain intrusive.

Of course, if you are the control freak type and want to be informed that’s another question.

Prevx1, for example, is probably the leader in implementing application whitelists with HIPS. They allow different modes that prompt you to approve even safe apps at the highest paranoid modes; in ABC mode it’s almost silent.

Personally I think an application whitelist helps a lot. I estimate that for most HIPS programs supporting typical functions, prompting on executable starting is by far the majority of prompts.

I checked out CyberHawk, and have found it to be pretty decent. Not too invasive, but it seems to be pretty effective. It works off definitions/safelist, along with (I believe) application behavior. It was engineered to have low resource consumption; it puts a little load on the system, but not too much. So far, it's been pretty quiet.

From the point of view of a user who wants control, I’m rather freaked out by Cyberhawk because it is pretty much a black box. You don’t know exactly what it will block; it’s pretty much standard HIPS monitoring the same functions plus some expert rule-based system/heuristic trying to make decisions on whether the change is okay.

I played with Cyberhawk for a while to see what triggered a prompt. Certain actions like trying to do a DLL injection seemed to trigger a prompt every single time, while others might or might not.

KAV6’s PDM works in a similar vein, I believe. SafenSec has something similar (an intelligent decision maker module) on top of the normal rule-based module; you can tinker with it just like SSM.

I agree on Cyberhawk. I’ve installed it once and uninstalled it almost straight away because the interface looks so poor. From what I’ve seen of it, and I admit that I did not spend more than 3 minutes on it, you don’t know at all what it does. I have to give PrevX a try. I think I did more than a year ago; correct me if I’m wrong, but I think it was only an anti-spyware then, no HIPS yet. The UI looked really good, loads of features. I don’t remember what went wrong; I had to uninstall it. I’ll try the new version anyway…

You might have tried Prevx Home the earlier product.

The current Prevx1 is a completely different product.

Prevx Home was in fact more HIPS than Prevx1. Lots more popups and whatnot. Kind of like System Safety Monitor.

Supposedly, they analysed the responses of people using Prevxhome and they found like over 50% of people were responding wrongly to prompts, allowing nasties to run, to change critical registry keys etc.

That is why they switched to Prevx1 which was based on the idea of removing the burden from the user from 2 directions.

  1. Whitelists of safe applications, so safe known legit apps could do things without triggering prompts. It had this huge list of constantly updated file names. It even included baddie file names, so it had a blacklist or signatures too, kind of like an AV according to one guy.

  2. Heavy use of heuristic analyzers that made decisions for the user.

The way it worked was very cool.

It had different sections which it monitored; for example, there was a section on registry autostart entries, another on BHOs, yet another on LSPs, etc.

Say we take the section on registry monitoring.

If that section was set to “heuristics”, the system would make all the decisions for you whether to block or not, whenever something triggered a change in that section. This would be best for beginners.

If that section was set to “query unknown”, the system would ignore it if the action was done by a known legitimate whitelisted app. If not, it would query. I personally like this setting the best.

If that section was set to “query unknown/known”, the system would always query when the change occurred, regardless of which application (even a known legitimate one) did the change. This would be the ultra control freak mode. Some people want to know a change occurs even if it is by a supposedly safe application. And who knows if the application is really safe? I might not agree with your definition of legitimate.

If the section was set to “prevent”, the system would always prevent the change.

A pity Prevx1 individual didn’t allow you full customization; you could only choose between 3 modes.
The “ABC” mode set most sections to “heuristics” and a rare few to “query unknown”.

The “expert” mode set more to query unknown/known but many are still set to “heuristics”

The family edition allows you total customization, so you could set everything to query unknown/known if you wanted to.

I think prevx1 is great in that it caters to everyone. The control freaks would put pretty much everything to query known/unknown , the beginners would put everything to heuristics, and the intermediates would probably put a few settings to query unknown.

If you understand what the registry change is warning about, you can go ahead and set it to query known/unknown and get prompted about it, but if you don’t understand what the hell "access to physical memory" is, you just set it to heuristics and let the system decide.
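The per-section modes described in the post above (heuristics, query unknown, query unknown/known, prevent) and the ABC / expert / family presets amount to a small policy engine. The following is an added example written for this thread, not Prevx code: the section names, the whitelist of "known legitimate" image names, the rule set standing in for the product's heuristics, the preset contents and the sample events are all constructed assumptions, chosen only to show how each mode turns an intercepted change into an allow, block or prompt.

```python
"""Added example (not Prevx1's code): a per-section HIPS decision engine."""
from enum import Enum


class Mode(Enum):
    HEURISTICS = "heuristics"           # engine decides silently
    QUERY_UNKNOWN = "query unknown"     # whitelisted apps pass silently, others prompt
    QUERY_ALL = "query unknown/known"   # always prompt, even for whitelisted apps
    PREVENT = "prevent"                 # always block


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"


# Monitored sections (assumed names; the product has more).
SECTIONS = ("registry autostart", "bho", "lsp", "physical memory")

# Constructed whitelist of "known legitimate" image names (hypothetical).
WHITELIST = frozenset({"outlook.exe", "winword.exe", "explorer.exe"})

# Constructed stand-in for the heuristics module: substrings in the change
# detail that an unknown process should not be producing.  An empty tuple
# means any change in that section by an unknown process is suspicious.
SUSPICIOUS = {
    "registry autostart": ("\\appdata\\local\\temp\\", "\\temp\\", ".scr"),
    "bho": ("\\temp\\",),
    "lsp": (),
    "physical memory": (),
}


def heuristic_suspicious(section, process, detail):
    """Hypothetical rule set deciding a change on the user's behalf."""
    if process.lower() in WHITELIST:
        return False
    patterns = SUSPICIOUS[section]
    if not patterns:
        return True
    lowered = detail.lower()
    return any(p in lowered for p in patterns)


def decide(mode, section, process, detail):
    """Apply one section's mode to a single intercepted change."""
    if mode is Mode.PREVENT:
        return Verdict.BLOCK
    if mode is Mode.QUERY_ALL:
        return Verdict.PROMPT
    known = process.lower() in WHITELIST
    if mode is Mode.QUERY_UNKNOWN:
        return Verdict.ALLOW if known else Verdict.PROMPT
    # Mode.HEURISTICS: the engine decides; the user is never asked.
    if heuristic_suspicious(section, process, detail):
        return Verdict.BLOCK
    return Verdict.ALLOW


def preset(name):
    """The three presets as the post describes them (section assignments assumed)."""
    if name == "ABC":                      # mostly heuristics, a rare few query unknown
        policy = {s: Mode.HEURISTICS for s in SECTIONS}
        policy["registry autostart"] = Mode.QUERY_UNKNOWN
        return policy
    if name == "expert":                   # more query unknown/known, heuristics elsewhere
        return {"registry autostart": Mode.QUERY_ALL, "bho": Mode.QUERY_ALL,
                "lsp": Mode.HEURISTICS, "physical memory": Mode.HEURISTICS}
    if name == "family":                   # fully customisable; start at maximum control
        return {s: Mode.QUERY_ALL for s in SECTIONS}
    raise ValueError(f"unknown preset {name!r}")


def evaluate(events, policy):
    """Run (section, process, detail) events through a policy; returns verdict names."""
    return [(event, decide(policy[event[0]], *event).value) for event in events]


# Constructed sample events: an Office autostart, a dropper writing a screensaver
# into Temp, an unknown LSP install, and a whitelisted app touching physical memory.
EVENTS = [
    ("registry autostart", "winword.exe",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Office = C:\\Program Files\\Office\\winword.exe"),
    ("registry autostart", "setup.exe",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd = C:\\Users\\x\\AppData\\Local\\Temp\\upd.scr"),
    ("lsp", "unknown.exe", "install LSP C:\\Windows\\ncool.dll"),
    ("physical memory", "outlook.exe", "open \\Device\\PhysicalMemory"),
]

if __name__ == "__main__":
    for name in ("ABC", "expert", "family"):
        print(name)
        for (section, process, _), verdict in evaluate(EVENTS, preset(name)):
            print(f"  {section:<20} {process:<12} -> {verdict}")
```

Note what the modes buy you: in ABC the dropper's autostart entry is only prompted, because that section is "query unknown" and the heuristics are never consulted; switch the section to "heuristics" and the same event would be blocked silently on the Temp path, while the LSP install by an unknown process is blocked in every preset that leaves that section on heuristics.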

Very detailed and interesting comments. Which version of Prevx are you running now? Have you tried SSM? I’m using the free edition, but they mailed me about a new commercial version, and a new beta as well; I’m gonna try them both. I mean, SSM really amazes me… There will be a HIPS feature in the 3.0 version of Comodo Firewall. They say it’s gonna be really good and Vista compatible. But that’s not before next March…

SSM is the only program I know that offers the feature to keep processes in memory…I’ll tell you more about it later, or you can read my previous posts here in this topic…must leave the computer now.

I don’t run Prevx1 at all. Though i have a license.

You can save your words on SSM; I’m very familiar with it.

The “keep process in memory” is a very old, outdated feature from the early days of SSM (pre-1.95 version, I think). It was necessary back in the days when SSM had minimal process termination protection, so being able to auto-restart a critical process was semi-useful.

These days SSM can resist pretty much every termination attack known to man, so you don’t need this feature…

I would highly recommend you get the paid version of SSM.

There are vast improvements in anti-termination attacks, registry control, anti-keylogging, as well as protection against low-level disk access techniques used by killdisk variants that can nuke your hard disk, and a few other things I’m forgetting.

I was not talking AT ALL about SSM’s own process protection; if you were that familiar with SSM you would know that, if you decide to, it can prevent any OTHER process than itself from being terminated, like a firewall, or your favorite AV, or anything else… well, you probably know that too. Just gonna save my words… (:WIN)

Yes of course (though it’s limited in the free version) but that’s not what the option of “keep processes in memory” which you mentioned does!

From the menu.

“If process was terminated or not started, then SSM will again start this program.”

This is not the same as anti-termination protection!

OK, now I know that you’re really familiar with SSM. Indeed it does not prevent a program’s termination, but it restarts it when it’s stopped, by you or anyone else, or anything else. I find that already important. Once I was trying to download a program (Messenger Plus). The program was known, from software like MS AntiSpyware at the time (now Defender), to be a big source of spam and spyware. I tried to download it anyway. And as the download just began, my MS AntiSpyware was suddenly automatically neutralized, stopped! And SSM would have restarted it again, which would have prevented my desktop from being suddenly crowded with ads about gambling and all that sh**… well, that’s just an example.
The only thing to be careful with concerning that feature of SSM is that you MUST disable it for each program set to be protected before you reboot. Otherwise SSM would keep restarting them, well, you know what I mean… What kind of stuff do you use to check MD5 on files?

This merely shows you the failure of SSM! It should have been able to protect MS AntiSpyware from being shut down in the first place!! The current version of SSM is much better against termination attacks, handling WM_QUIT, WM_CLOSE and other advanced kill methods. There is no way in which any process can get shut down without your permission, man.

The only thing to be careful with concerning that feature of SSM is that you MUST disable it for each program set to be protected before you reboot. Otherwise SSM would keep restarting them, well, you know what I mean...

That is why this is a lousy feature. Also, in the couple of seconds that it takes SSM to poll (which is memory intensive) and realise that the process is shut down, the malicious process could have taken out half your system.

What kind of stuff do you use to check MD5 on files?

I know what an MD5 hash is, but I’m not quite sure what you are asking. I have a small program (a script, actually) that modifies the context menu of Explorer, so I can right-click a file and choose between CRC, MD5 and SHA1 functions, and it will calculate the hash value. Is that what you mean?

Also, SSM free records the MD5 hash of all executables, no? BTW, the MD5 hash (and to some extent SHA1) is a bit outdated, and in some crypto contexts it is broken already, though I think the chances of someone exploiting the flaw to force a hash collision of 2 specially prepared files are rather small.

Still, in theory it is possible for someone to prepare 2 files with the exact same MD5 hash, one safe, one malicious. You use the safe one and SSM adds it to the safe list, and the bad guy then runs the unsafe one, which SSM allows because it has the same hash and SSM thinks it’s the same file… :)

That’s why most modern HIPS are slowly moving towards SHA-256 or some completely different hash function like Tiger or Whirlpool.
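The two things under discussion here, SSM recording a hash per executable so that a changed binary is re-prompted (the earlier SSM post) and the collision problem with an MD5-keyed safe list (the last few posts), come together in one small allowlist. The following is an added example written for this thread, not SSM's or Prevx's code: it records a SHA-256 digest at the moment the user allows a program, classifies later execution attempts as unknown / allowed / modified, refuses to be created with a collision-prone algorithm, and shows how entries inherited from an MD5-only version can be flagged and re-recorded after a verified run. The file names and contents in `demo()` are constructed; nothing here touches real binaries.

```python
"""Added example (not SSM's code): a hash-keyed executable allowlist."""
import hashlib
import os
import tempfile

ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}
WEAK_ALGORITHMS = {"md5", "sha1"}   # collision-prone, as the thread discusses


def digest_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string."""
    return ALGORITHMS[algorithm](data).hexdigest()


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large binaries are not slurped into memory."""
    h = ALGORITHMS[algorithm]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecAllowList:
    """Records the digest of each executable at the moment the user allowed it."""

    def __init__(self, algorithm="sha256"):
        if algorithm in WEAK_ALGORITHMS:
            raise ValueError(f"{algorithm} is collision-prone; use sha256 or stronger")
        self.algorithm = algorithm
        self.entries = {}   # absolute path -> (algorithm, digest)

    def allow(self, path):
        """The user said yes: remember exactly which bytes they approved."""
        key = os.path.abspath(path)
        self.entries[key] = (self.algorithm, file_digest(path, self.algorithm))

    def check(self, path):
        """Classify an execution attempt as 'unknown', 'allowed' or 'modified'."""
        key = os.path.abspath(path)
        if key not in self.entries:
            return "unknown"
        algorithm, recorded = self.entries[key]
        return "allowed" if file_digest(path, algorithm) == recorded else "modified"

    def import_legacy(self, path, algorithm, digest):
        """Take over an entry recorded by an older, e.g. MD5-only, version."""
        self.entries[os.path.abspath(path)] = (algorithm, digest)

    def weak_entries(self):
        """Paths still keyed by a collision-prone digest; re-record them after a verified run."""
        return [p for p, (alg, _) in self.entries.items() if alg in WEAK_ALGORITHMS]

    def rehash(self, path):
        """Replace a weak entry with a strong one, but only if the bytes still match."""
        if self.check(path) == "allowed":
            self.allow(path)
            return True
        return False


def demo():
    """Constructed scenario: allow a binary, then an update replaces it, then migrate an MD5 entry."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "outlook.exe")      # hypothetical name, not the real binary
        with open(exe, "wb") as f:
            f.write(b"MZ original build")          # constructed stand-in for an executable
        al = ExecAllowList()
        results.append(al.check(exe))              # 'unknown': never allowed before
        al.allow(exe)
        results.append(al.check(exe))              # 'allowed': digest matches
        with open(exe, "wb") as f:
            f.write(b"MZ updated build")           # reinstall, update or trojanised copy
        results.append(al.check(exe))              # 'modified': prompt the user again
        # Migration of an entry inherited from an MD5-keyed version of the product:
        al.import_legacy(exe, "md5", file_digest(exe, "md5"))
        results.append(len(al.weak_entries()))     # 1 weak entry flagged
        results.append(al.rehash(exe))             # bytes verified, re-recorded with sha256
        results.append(len(al.weak_entries()))     # 0
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the list is keyed by path and the digest is bound to the bytes the user saw; with a collision-resistant digest an attacker who wants a "same hash" twin of an allowed program has no practical way to produce one, whereas an MD5-only list can only be trusted after every weak entry has been re-recorded against a binary the user has re-verified.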

I think you misunderstood me. I was not using SSM at all at the time; otherwise it would have worked. I just wanted to underline the value of the feature.

Oh, sorry. Yeah, I get overly excited sometimes. Anyway, this will be my last post on this forum.

Good Luck.

The commercial version of SSM uses SHA-512. Does that mean that HIPS implement new signatures on files? Well, I’m not a specialist in crypto at all. It probably works like PGP, when you sign a file yourself. I just found it rather convenient that SSM free records MD5 hashes of files, just to tell you, in case, that an executable has been modified. I get an alert, for example, if I uninstall a program and reinstall a new version of it. I’ve read that stuff about SHA1 being partially broken. The guy who wrote TrueCrypt published a new version of his program last year, just a few days after another new version had been released, just because some users worried about the use of SHA1, and that was just in the password generation process, not in the volume creation process. Jesus, I know bloody nothing about cryptography, so I should stop talking about it…

OK, bye!

Maybe I’ll stick around anyway.