Hips & Sandbox

In anticipation of version 4, aside from a brief explanation on Webopedia, I as a user of limited knowledge would like to ask what I need to know about HIPS and sandbox in the new version. Are they interactive or something that’s just there and does its thing? Is there a tutorial, or can someone guide me to an easily understood explanation? Thanks in advance. :slight_smile:

Unfortunately there are no concrete details available on the HIPS component of future CPF versions. The latest beta of CAVS incorporates an application-centric HIPS component that will co-operate and interact with the full HIPS when it appears in CPF.

That’s all I know.

Hope this helps,
Ewen :slight_smile:

Soyabeaner - Sorry, I meant to say version #3. :stuck_out_tongue:

we are well down the coding stage with the V3…

wait and see the beta…
you know what they say: One GUI is worth a thousand word!


Someone in Wilders Security forum sent me this site from Castle Cops: http://wiki.castlecops.com/hips_paq which might shed some light about HIPS. :slight_smile:

It took me nowhere, too… :wink:


It will take you nowhere indeed, just like the reality that governments have close contact with Microsoft about the undocumented “features” no single firewall in existence will block.

Now, still, have a happy and “secure” New Year (:WIN)

OK, I accessed the web page again, and the url is http://wiki.castlecops.com/hips/idp_programs/services

I don’t know what happened with the url in my original post. Sorry for the wild goose chase.

Nope. Deja Vu :stuck_out_tongue:

In the meantime I found it

Soyabeaner - Great! I figured out what happened myself. You had to navigate to it. Arghh! I hope it helps.

Yeah, I think LUSHOR (I think that’s the user name) posted that link a couple places here in the forums. It seemed to place a lot of responsibility on a HIPS that I wouldn’t think to be part of its responsibility. However, Matousec placed a lot on a firewall that I would think belong to HIPS, AV, etc.

We all want our software to do everything for us, that’s for sure. It’d be nice if it could… :wink:


Soyabeaner & Little Mac - I am just trying to figure out what HIPS does so when CPF updates offering it I’ll know if I need it or not. When someone sent me the article I posted it knowing there must be other people like myself. I’m glad you pointed out that it’s overwhelming and not all features are essential, so when I study it I’ll just use the info as a referance. Thanks for your responses. ;D

twl845, as far as what HIPS is, I think that in its current stages (as a type/mode of security software) it’s what the individual user defines it as. Not meaning that is what it’s supposed to be, but what the reality is. Let me explain…

At this point in time, all “HIPS” products are pretty new; it’s a relatively new concept, as compared to antivirus, antispyware, firewalls, popupblockers, etc. These things have been around a while, and are well-established. There are different types of HIPS, approaching this new security from different standpoints - behavior analysis, definitions files, blacklists, whitelists, user-built/community safelists, heuristics (similar to behavior analysis, but seemingly somewhat different), and probably others as well (or combinations of the above).

As you’ve no doubt seen or heard about from the Matousec tests, they seem to require/want a firewall to do things like monitor processes, etc, which would typically be WAY outside the purvue of a firewall. Then you’ve got AV programs like Avast! with its Webshield, which kind of acts like a firewall-in-training (my terms, not theirs). The security softwares have morphed over time (and I think we can thank the giant’s - McAfee, Norton - for a lot of that, with their “suites” programs encompassing AV, AS, FW, and “internet security” with popupblockers, “safe” browsing, etc); the threats have changed (ahead of the software, no doubt) and security’s trying to keep up. Any time they take a step forward, BAM! the threat is there all over again.

HIPS is the next step in this, moving towards prevention, rather than detection (which may not stop the threat, just alert you to it) and removal. If you can stop the threat in its tracks to start with, then you move away from a dependency on detection/removal. The idea is that this gives you a “safer” experience. Just how this is going to come to pass is still (I think) up in the air.

I know that Comodo is being pretty close-mouthed about the HIPS to be included with CFP in the upcoming version(s). All they will say is that it’s full-blown, and will eliminate the need for the HIPS-product in CAVS. I think they may have gone so far as to say that you won’t need any other HIPS (however, that could always just be the confidence in their product!). :wink:

As to whether or not you will need anything else, that’s going to be up to you, and the level of security you’re comfortable with. A lot of times, HIPS apps don’t play well together, because they’re all trying to get their “hooks” in the system to monitor and protect everything. They are thus trying to protect each other as well, allow each other, deny each other, etc, and the user will either go brain-dead from popups, or the system will end up blocking itself if it’s on full auto… :’( You’ll just have to see…

I’ve said before, I personally think a layered approach is best. Don’t rely on any one application to resolve all your problems. Part of it lies in what you are expecting from your security programs. I’ll give a brief rundown of my expectations:

Hardware Firewall - keep the bad guys out (won’t stop things I download, as those are seen as “allowed”)

Software Firewall - keep the bad things in (such as trojans, hijackers, etc that are already on and trying to get back out; perhaps with personal information, etc)

Antivirus (resident) - detect, and perhaps remove viruses, worms, trojans; hopefully will prevent infection; uses active scanning (on-access), user scanning (on-demand; either by right-click, or scheduled)

Antispyware - detect, prevent, and remove miscellaneous nasties that are not specifically viral; things like keyloggers, backdoors, hijackers, etc

HIPS - monitor processes, applications, for things that don’t seem right (may be masquerading as something else, trying to use other apps, etc), and alert or stop (depending on user settings)

Add to this regular online scanning by a site like Housecall, Panda, VirusTotal, etc, and rootkit detection/removal like RootkitRevealer, IceSword, etc.

I DO NOT expect that ANY solution is 100%. I DO expect to take an active role in the security of my computer, and be aware (as aware as I can) of what’s going on. That means, being aware of email scams and viruses (how they work), watching where/how I browse, what I download, keeping applications up to date, etc. I can be completely paranoid to the point of not getting anything done if I want to, so it’s a balance game, IMO. You have to decide when you are comfortable with your level of security, and just live with it. Otherwise, just turn your computer off and don’t ever use it - that’s the only safe computer! ;D

I will say that I have only gotten a major infection once, and that was before I had any security software, or any knowledge of such things. That was many years ago. All this ONLY applies to MY computer; if it’s shared with others (such as a workplace) that’s a different story - it’s clean on my profile, but the others, whew! That aspect of it is a battle; it seems most people don’t have safe computer habits… I’m paranoid, but only moderately so. :wink:


Little Mac - I really appreciate your taking the time to send me the explanation. I think I am understanding HIPS now to the point where I’ll feel comfortable when cpf ver.3 comes out.

       Happy New Year!!   :Beer

Well what is this HIPS all about?

Its all about the fight for the CPU time!

A malware is useless unless it gets executed (eg: got some CPU time). So what gets executed?
its the Instructions that gets executed. ok great, what are those instructions? It is what a software is made of. It tells the CPU what to do: eg: draw a line etc (of course these instructions are slightly different than just saying draw a line etc. ). Anyway, malware has these instructions as well, so they try to get the CPU to give them time so that they can also execute their own instructions. Of course those instructions are usually kind of instructions that cause damage eg: wipe hard disk, or some other nasty stuff like send keystrokes to the malware author etc.

So, who controls the execution of these instructions? Can any executable simply go ahead and execute? The answer is there is no control, and anyone can execute those instructions. There is no system saying: Hey I don’t like you, so I won’t let your instructions get to the CPU. There is no protection for the CPU. CPU does not know who is good or who is bad. It simply executes any instruction it gets.

So, that’s where the HIPS come into picture (at least the HIPS that we are developing). Our HIPS is a layer of protection around CPU (kind of) whereby all the instructions (at least the important ones) are checked before it gets executed. So no instruction can be executed without CPF HIPS’s approval. What this means is CPF HIPS controls the execution of all instructions. it checks to see where this instruction is coming from, if a good software, that has already been verified by Comodo, is trying to execute some instruction/command then CPF HIPS allows that, if an unknown application/malware is trying to get some instructions executed, then CPF HIPS will say, NO! The bottom line is: If your name is not in the list you ain’t coming in!

This is a different approach than other security techniques utilised today eg: AV, where it lets things in, then tries to find if that was bad or not.

Your first line of defense against any known or unknown threat will be CPF HIPS. The biggest advantage is, it only executes known apps. so any unknown or a new threat will be caught and won’t be executed with CPF HIPS.


[Quote=Melih]Your first line of defense against any known or unknown threat will be CPF HIPS. The biggest advantage is, it only executes known apps. so any unknown or a new threat will be caught and won’t be executed with CPF HIPS.
I know someone’s going to ask, so I’ll go ahead and pony up…

Does that mean it’s going to stop my applications, just because it doesn’t know them?

If it’s a safelist-based HIPS, how/when does my system get updated on the safelist?

What if an application is masquerading as a “safe” app (say, Firefox); in other words, it either hijacks it (and somehow leaves the hash value the same), or names itself firefox.exe. Even if the hash is different, and HIPS alerts me, won’t I just allow it, if it says it’s firefox? (ie, how will I know the difference?

That’s all the questions I can think to anticipate at this point… ;D


Melih - A thanks for your response as well. This is all a big help.

Happy New Year! (B)

What if you already have a HIPS program like Prevx installed?

Ok let me answer them:

1)Your applications are most likely to be in our safelist. If not, you can submit them for us to put them in. Currently we have over 130,000 verified applications in our safelist. This number is growing by 2000 a day and we are increasing this number further.

It is easier to find good applications and create signatures for them than trying to find viruses and create signatures for them! This way, you can make sure you will never have any Day Zero viruses in your machine because your AV provider is yet to get the signature.

2)If there is an application that is new to your CPF HIPS, then it makes a web lookup to Comodo to see if we have it in our system or not. If we do have in our system you get the signatures straight away thru that lookup, if not you get the choice of submitting that to us. We are working on ways whereby we can create quick turnaround of these submittals. However pls note that we will be very agrresive when it comes to creating a huge safelist db! This is the key to the success of any HIPS!

3)We use Cryptographic signatures. You simply cannot fake them with the computing power available.


Let me explain how we solved this problem.

When you install CPF HIPS, it will create a specific safelist for only the files you have in your machine. After all you don’t need the other signatures for other software as you might never use those applications.

So, when you install a new application, CPF will make a web lookup to see if Comodo has this new application you installed in its safelist, if it does then it will give the signature to the CPF and your CPF will allow that application.

This way, you will never have more signatures in your machine than you need.

Also one important point is: Unlike AV software which requires scanning of a file against all the signatures that exist, the CPF HIPS only requires checking signature against a subset of signatures (not all).

Another important point: How many times a day will you run a “new” application? not many!

Because of these reasons, CPF HIPS will be the first line of defense product, replacing AVs as the main protection software.