HIPS with centralised monitoring


What about a HIPS style program, but beyond just monitoring system vectors?

I’m looking at another one of these types of programs at the moment called PREVX1 (www.prevx1.com). Very nicely done but very noticeable impact on system performance. One interesting thing they do is that unknown or potentially dangerous objects are automatically reported back to a central database for investigation.

Once investigated they are either classified as safe or unsafe. These classifications are then distributed back to other users of PREVX1. Sort of distributed collation - centralised distribution. This would have an advantage in that every application each user ran would be reported, logged, investigated, classified and reincorporated. Nice way of picking up zero day defects. Huge load initially but long term benefits, if only in timeliness.

Thinking further, if this method was adopted and the HIPS-style application reported back each object for classification, updating within each application would be unnecessary, as the HIPS could send objects and receive and install incremental updates for the firewall, anti virus and the anti spyware.

This method could be leveraged into the anti virus and the future anti spyware.

What do you think?
ewen :slight_smile:

HIPS is something on the roadmap and even perhaps for the next version of the CPF, plus some other innovative ways of providing better security and trust.

I am not sure about the idea of automatically reporting the “malware”/“suspicious” files. What if it’s a false positive and some file that you don’t want gets reported? How would you feel about it? What are the legal issues with that?

I would love to hear everyone’s opinion on this auto-reporting. I can see the advantages but would everyone want it? Please tell us…


I think that it would be too much of a hassle to implement.

We already have :slight_smile:

Just tidying up some loose ends :slight_smile:

(HIPS, no centralised monitoring yet…)

If it was proven to be a false positive, then it could be classified as such and redistributed back to the users as a flagged, or known, false positive. The apps using this would then no longer flag the object as a false positive. The fact that it was reported doesn’t mean it would automatically be flagged as bad, just that it requires investigating.

Re. legal issues - this could be mitigated by having the autofile upload as a user set preference, with the default set to OFF. A user opting in would signify acceptance. Alternatively, pop an alert for unknown objects with an option to send or not to send.

What are the benefits? 10,000 users equals 10,000 potential more points of infection equals 10,000 more potential reports on potential infections. Zero day reporting and logging delivered by the established user base.

Downside? Obviously larger infrastructure at the back end, larger support staff workload. Far higher workload on analysis and updating of signature and definitions databases.

A simplified example of how this could work is currently in use at www.x-raypc.com. Scroll down and have a look under the heading BENEFITS - subsection ONLINE.

If this approach is adopted the alert popup could have a text field where the user could provide any known details on the object to aid classification, along with the option to send or not send. This might help in the classification process.

ewen :slight_smile:
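The report / investigate / classify / redistribute loop described in the two posts above, as an added example in Python that is not from the original thread, nor from Prevx or Comodo; the class names, the sequence-numbered update log, the opt-in flag defaulting to OFF and the sample bytes are all assumptions made for illustration.

```python
import hashlib
# Classification states; FALSE_POSITIVE stays distinct from SAFE so a client
# knows the object was reported and cleared, not merely never seen.
SAFE, UNSAFE, UNKNOWN, FALSE_POSITIVE = "safe", "unsafe", "unknown", "false_positive"

def fingerprint(content):
    # Objects are identified by SHA-256, so lookups never need the file content
    return hashlib.sha256(content).hexdigest()

class CentralDatabase:
    """Back-end: receives reports, records analyst verdicts, publishes deltas."""
    def __init__(self):
        self.pending = {}   # digest -> user notes awaiting investigation
        self.verdicts = {}  # digest -> latest verdict
        self.log = []       # append-only (seq, digest, verdict), for incremental updates
    def report(self, digest, note=""):
        # Client submits an unknown object; answered at once if already classified
        if digest in self.verdicts:
            return self.verdicts[digest]
        self.pending.setdefault(digest, []).append(note)
        return UNKNOWN
    def classify(self, digest, verdict):
        # Analyst decision (safe / unsafe / false_positive) enters the update log
        self.verdicts[digest] = verdict
        self.pending.pop(digest, None)
        self.log.append((len(self.log) + 1, digest, verdict))
    def updates_since(self, seq):
        return [entry for entry in self.log if entry[0] > seq]

class HipsClient:
    """Endpoint side: local verdict cache plus opt-in reporting (default OFF)."""
    def __init__(self, db, auto_report=False):
        self.db, self.auto_report = db, auto_report
        self.local, self.last_seq = {}, 0
    def sync(self):
        # Pull only the verdicts added since the last sync
        for seq, digest, verdict in self.db.updates_since(self.last_seq):
            self.local[digest] = verdict
            self.last_seq = seq
    def check(self, content, note="", send=False):
        # Returns (verdict, reported). An unknown object leaves the machine only
        # if the user opted in globally or chose 'send' on this alert.
        digest = fingerprint(content)
        verdict = self.local.get(digest, UNKNOWN)
        if verdict != UNKNOWN:
            return verdict, False
        if self.auto_report or send:
            return self.db.report(digest, note), True
        return UNKNOWN, False
```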

I believe the idea has merit, although as pointed out by Ewen PREVX1 has already shown a noticeable system performance downside which would want to be avoided, especially with something called VISTA on the horizon. If and when people adopt Vista, the OS itself is going to create a drag on resources and, as we all see, many users opt for bare minimum resources or slightly better, so any application that draws too heavily is going to be uninstalled pretty quickly.


Something like Online Armor… is simple, user friendly but powerful, even if System Safety Monitor is even more so.

I would like to have a HIPS module separated from CPF or integrated with CAV (like the PDM of Kaspersky).

If totally separated, it would be very handy to have the possibility to pass files processed by the “Comodo HIPS Module” ( :stuck_out_tongue: ) to an antivirus, chosen/launched by command line.



Hi, there are so many HIPS on the market, both free and paid. Almost all have one thing in common: they are only for geeks, not even for mediocre users.
My idea of HIPS is that of an intelligent one that will not pop up every now and then (even on moving the mouse); rather it should only pop up when there is some suspicious activity or highly dangerous activity, so that the user will not get too many pop ups. It will be a good balance.
If only a simple HIPS is needed, there are so many out there already that a new HIPS will not make any difference in my opinion.
To me the only intelligent HIPS so far on the market is ZoneAlarm’s OS firewall (and it has an option to connect to the central database as well if the user wants). I like this approach much better than Prevx and it causes much less system slow down.
Another such product is CyberHawk, but it still seems to be buggy; it is under development.
A bit of minimal HIPS feature is present in SpyCatcher as well.


You hit the nail on the head!!!
People writing HIPS and showing every single action to the user for their confirmation is not our idea of HIPS :wink:

wait and see what we will do :wink:


Thanks Melih. Regarding HIPS, I think you are exactly on the same track as I wished.

Panic.
Prevx is much better today than what it was. Oh dear. It slowed startup to a crawl at one point and actually kept things slow while running. Today, this is not the case for most. It starts up fast and runs fairly quiet in the background. I was a tester and can assure you that this is MUCH better today than what it used to be.
By the way Melih. Very simple answer is this. During install, have a section that asks if the person installing wishes to help by submitting things back in automatically.

Thanks for the suggestion Falkor.

I have some interesting ideas that will help us have the biggest safelist in the world :wink: I just gave the go ahead to recruit another 25 people to our safelisting dept :slight_smile:

I think the idea we have will help us build the most comprehensive safelist in the world!

Give me a month or two… you will see what I mean and why Comodo can do it while others can’t.
I don’t want to give too much away to our competitors at this stage. I want our competitors to “follow” our leadership after we have launched the products, not before :wink:


This is just what I was thinking.

Melih. You kill me with all this good stuff. My goodness. I think I might just pull up a cot and never leave this forum. Best forum I have seen.

Well it’s a fun forum, filled with lots of fun people who love helping and building to protect others!

It certainly is great fun for me :wink:


Well said ;D

This is what happens when honestly good-hearted people get power…

I tried PREVX, bought and paid for, have about 8 months left, but I removed it as it slows things down to a CRAWL… Just trying to copy a few animated GIFs to a CD would take 3 times as long as w/out PREVX…

It’s a strange program to me anyway, although the concept seems to be good. I just wasn’t happy w/the serious slow down it brought to my machine.


I’ve been using this for some time, both Prevx1 and its former incarnation Prevx Home. The reason they switched to the community database model was that Prevx Home suffered the same problem as many other HIPS products, pop up fatigue. Even the most security conscious user would tend to just click yes after the 15th warning message (or shut the thing down altogether).

I find there are very few warning messages now since they operate a large whitelist, plus any unknown files are verified with the central database, and I have to say this works extremely well. I gather CAVS will operate on a similar principle; if so it’ll be a very useful tool for the armoury. (:WIN)

Hello all.

Odd this, in so far as I’ve just registered to pose a Catch22 type situation that has arisen recently whilst trying out such a HIPS program. I started using Sandboxie a while back and was impressed with it (despite it being a little, well, ‘clunky’ in the interface department) but migrated to GreenBorder Pro recently to try it out. I have to say that of the HIPS style progs I’ve tried recently (not to be confused with the whole Sandbox/Virtualisation type apps which one can use to run/monitor apps without messing with yer box, and which clearly don’t really warrant consideration given the subject at hand), this is the best I’ve found.

Essentially what most people need, and I suppose to a lesser degree want, is a protective bubble when running Internet Explorer with ‘all the doors open’, i.e. ActiveX, JavaScript, etc. (for the kids or whatever) and also at a push Outlook/Express, so that if anything (inevitably) creeps in, the controlled environment will prevent any contamination of your Windows system. GreenBorder excels in this area but unfortunately is (now) Shareware.

The reason I registered was because I then figured I’d try out GesWall, as I wished to try and stick with the ‘good stuff’, i.e. free, if I could find something that would do the same thing. This performs the same task as GreenBorder Pro, but also provides ‘templates’ for all manner of additional applications such as P2P, Messenger apps, etc. etc. to also be protected in this fashion.

The issue I’ve noticed with using this particular app, which wasn’t apparent when using GreenBorder Pro, was that upon every subsequent reboot/connect to the t’interweb, Comodo’s App Protection would signify that IE had changed and ask me whether I wished to allow it; this I attribute to GesWall somehow affecting IE whilst it runs from within its environment.

Anyone know on this note whether there is any resolution for this short of disabling the Application Behaviour settings within Comodo, as it has for now forced me to migrate (once more) to running CyberHawk as an alternative as I’m not prepared to lower my defences from within Comodo in this respect.