HIPS Vs Behavior Blockers

Here’s an interesting discussion :slight_smile:

My understanding is that -
HIPS alerts to every action that a file performs, good or bad. (This could be multiple actions requiring multiple alerts)
BB monitors the file as a whole and not by a single action (Unless significant), rather by a series of “behaviors” that relates to a suspicious behavior that malware performs.

Kyle :slight_smile: I know this isn’t strictly relevant to your topic (at least from what I gathered in your post), but I’d like to share some quick information of HIPS and BB’s, if that’s ok with you :slight_smile:

Classical HIPS (eg Defense+, Malware Defender) - more secure than BB, but suited more to the advanced user. Some, like D+, incorporate a whitelist to help identify safe programs, therefore reducing alerts, which can be very intimidating otherwise.

Behaviour Blocker (eg ThreatFire, Mamutu) - not as secure as Classical HIPS, but does a good job, and is more suitable to the novice user.

But there is more than one type of HIPS…

Policy Restriction HIPS (eg DefenseWall, GesWall) - as secure as Classical HIPS, yet (most of the time) as easy to use as a BB.

I know I’ve probably missed a HIPS type or two, so please feel free to add to this.

If Comodo still plan on integrating a BB into Defense+ - I saw a post mentioning this I think - I believe they will have created a bridge between the two - a Classical HIPS designed for use by a computer novice.

Beanie :slight_smile:

That’s no problem Beanie :slight_smile: this thread is to get a discussion\argument between the two .

Isn’t a BB basically a HIPS that only alerts you on behavior that the usually malware performs?
So I doubt that Comodo/anyone will be able to make a Bridge between the two.

Here’s the thread that I was referring to.

I’m honestly not sure how it will be integrated either, if at all. But if it is, and it works well, it will be awesome :slight_smile:

After I use Bitdefender with B-Have and Comodo Internet Security.
I’ve found that HIPS generate a fewer FP.

Petit, I find that hard to believe :smiley:

My understanding after using D+ is that it alerts about security related actions with different color coded severity levels whereas actions not relevant from a security standpoint don’t trigger alerts.

Whenever a security critical action is seemingly used in malware Red alerts specifically mention this in security considerations.

http://i44.tinypic.com/azdncz.png

Though it appear there are also security critical (red) actions that could be used by legitimate apps it is not unlikely that some less security critical alternatives could have been used in some cases.

Very good peice of infomation you’ve mentioned :-TU

I guess to some extent the maliciousness of an action could be susceptible to personal interpretations according to the enduser expectations about an application functionalities.

eg: automatically downloading an executable from the Internet could be considered a security critical behavior also abused by trojan downloaders.

Though updaters download executable in an automated fashion as well:

In some cases the application that download the executable is visible, in some other it is not (eg chrome googleupdate.exe).

From a behavioral standpoint the additional action of hiding the application GUI (window or tray icon) that carry that download task could be either considered malicious or unnecessary.

In the previous post the Appinit_DLL registry alert provide another example of actions that could be abused by malware though it could be also used by legitimate security applications.

Another security critical registry key would be HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options which is ATM used also by a legitimate app to bypass windows file protection for notepad though is not intended for that use.