How does HIPS in CAVS 2.0 beta compare with other HIPS products?

I’ve used the following HIPS products:

  • DiamondCS ProcessGuard
  • SysSafety System Safety Monitor
  • InfoProcess AntiHook

ProcessGuard was the gold standard for IPS products for a while but has gotten long in the tooth and other products have surpassed it. It didn’t take much for resources (CPU, memory) and the host remained responsive. One problem with ProcessGuard is that it would not watch the command-line parameters passed to, say, rundll32.exe, so there was no way to know you really wanted to allow the DLL to run. That meant you had to set rundll32.exe to prompt you every time so you could check what DLL was being called and which method was specified in it. Same for services.exe.

System Safety Monitor (SSM) is better, not much different for resource consumption, my host still seemed responsive, and it checks the command line (so rundll32.exe trying to run method A from DLL #1 was a different rule than for method B from the same DLL, or if a different DLL were used).

AntiHook seems more robust but definitely impacts the responsiveness of my host, in part because it modifies the processes when they are loaded into memory (which CPF will alert is similar to a trojan’s behavior). While perhaps better, AntiHook slowed my host too much, so I went back to SSM.

So I’m wondering how potent the HIPS included in CAVS 2.0 beta is when compared against these other products. Is CAVS attempting to compete with, say, System Safety Monitor as a HIPS solution? I’d like to reduce how many security products I have to manage. Both CAVS and CPF with HIPS could be a usable solution in just 2 products rather than adding a separate HIPS product into the mix. Right now I could end up with 3 IPS products popping up windows asking about the same process (which raises the question of how well integrated the HIPS in CAVS is with the HIPS in CPF).

Also, while it might provide some protection as to which programs are allowed to load into memory (since nothing runs unless it is in memory), I don’t see anything for restricting which processes can be terminated. For example, using ProcessGuard or SSM, I can specify which processes cannot be terminated, like the anti-virus program, Task Manager, or other security programs. Regulating which processes can run is only half of the protection for an IPS product. It should also regulate who can terminate what.
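
The two points made above (rules keyed on the command line rather than just the image path, and a separate policy for process termination) can be shown with a small model. The following is an added illustration, not code from the original post and not the rule engine of Comodo, ProcessGuard, SSM or AntiHook. The policy classes, the `rundll32.exe` command lines, and the process names `antivirus.exe`, `avupdate.exe` and `malware.exe` are all constructed for the example.

```python
"""Toy model of HIPS rule granularity (added example; not any product's code).

Two things a HIPS has to get right, per the discussion above:
  1. key execution rules on the command line, not only the image path, so
     rundll32.exe loading DLL A is a different rule from loading DLL B;
  2. keep a separate policy for who may terminate which process.
"""
from dataclasses import dataclass
from typing import Iterable

ALLOW, BLOCK, PROMPT = "allow", "block", "prompt"


@dataclass(frozen=True)
class ExecEvent:
    image: str     # path of the image being started
    cmdline: str   # full command line handed to the new process


@dataclass(frozen=True)
class TerminateEvent:
    actor: str     # image of the process asking to kill another process
    target: str    # image of the process it wants to kill


def norm_image(path: str) -> str:
    # Windows paths are case-insensitive; compare them lowercased.
    return path.strip().lower()


def norm_cmdline(cmdline: str) -> str:
    # Lowercase and collapse whitespace. shlex is deliberately not used:
    # Windows paths contain backslashes that shlex would treat as escapes.
    return " ".join(cmdline.split()).lower()


class ImageOnlyPolicy:
    """ProcessGuard-style rules: one decision per image path.

    Every launch of rundll32.exe hits the same rule, whatever DLL and entry
    point are on its command line, so allowing it once allows all of them.
    """

    def __init__(self) -> None:
        self.rules: dict[str, str] = {}

    def set_rule(self, image: str, decision: str) -> None:
        self.rules[norm_image(image)] = decision

    def decide(self, ev: ExecEvent) -> str:
        return self.rules.get(norm_image(ev.image), PROMPT)


class CommandLinePolicy:
    """SSM-style rules: one decision per (image, normalized command line).

    A launch with a command line not seen before falls through to PROMPT
    even when the same image was allowed with different arguments.
    """

    def __init__(self) -> None:
        self.rules: dict[tuple[str, str], str] = {}

    def set_rule(self, image: str, cmdline: str, decision: str) -> None:
        self.rules[(norm_image(image), norm_cmdline(cmdline))] = decision

    def decide(self, ev: ExecEvent) -> str:
        return self.rules.get((norm_image(ev.image), norm_cmdline(ev.cmdline)), PROMPT)


class TerminationPolicy:
    """Who may kill what. Unprotected targets: ALLOW. Protected targets may
    only be terminated by actors on their allow-list; everyone else: BLOCK."""

    def __init__(self) -> None:
        self.protected: dict[str, set[str]] = {}

    def protect(self, target: str, allowed_actors: Iterable[str] = ()) -> None:
        self.protected[norm_image(target)] = {norm_image(a) for a in allowed_actors}

    def decide(self, ev: TerminateEvent) -> str:
        target = norm_image(ev.target)
        if target not in self.protected:
            return ALLOW
        return ALLOW if norm_image(ev.actor) in self.protected[target] else BLOCK


def demo() -> dict[str, str]:
    """Scenario from the post; every path and process name here is constructed."""
    rundll = r"C:\Windows\system32\rundll32.exe"
    cpl = rundll + " shell32.dll,Control_RunDLL"             # a legitimate Control Panel call
    dropped = rundll + r" C:\Users\Public\drop.dll,Start"    # same image, attacker-chosen DLL
    other_entry = rundll + " shell32.dll,ShellExec_RunDLL"   # same DLL, different entry point

    by_image = ImageOnlyPolicy()
    by_image.set_rule(rundll, ALLOW)          # the only choice an image-only product offers
    by_cmdline = CommandLinePolicy()
    by_cmdline.set_rule(rundll, cpl, ALLOW)   # allow exactly this invocation, nothing else

    term = TerminationPolicy()
    term.protect("taskmgr.exe")                                       # nobody may kill it
    term.protect("antivirus.exe", {"antivirus.exe", "avupdate.exe"})  # only its own components

    return {
        "image_only/cpl": by_image.decide(ExecEvent(rundll, cpl)),
        "image_only/dropped": by_image.decide(ExecEvent(rundll, dropped)),  # the blind spot
        "cmdline/cpl": by_cmdline.decide(ExecEvent(rundll, cpl)),
        "cmdline/dropped": by_cmdline.decide(ExecEvent(rundll, dropped)),
        "cmdline/other_entry": by_cmdline.decide(ExecEvent(rundll, other_entry)),
        "kill/taskmgr_by_malware": term.decide(TerminateEvent("malware.exe", "taskmgr.exe")),
        "kill/av_by_updater": term.decide(TerminateEvent("avupdate.exe", "antivirus.exe")),
        "kill/av_by_malware": term.decide(TerminateEvent("malware.exe", "antivirus.exe")),
        "kill/notepad_by_malware": term.decide(TerminateEvent("malware.exe", "notepad.exe")),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26} {decision}")
```

With image-only keying, the allow rule for `rundll32.exe` also waves through the dropped DLL; with command-line keying, both the unknown DLL and the other entry point in the same DLL come back as `prompt`, which is exactly the behaviour described for SSM. The termination policy is independent of the execution policy: a process that was allowed to run can still be refused permission to kill a protected one.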

Actually I find the HIPS in CPF3 beta a much better match for the 3 products you mention.

The HIPS in CAV seems to be just whitelisting of processes.