What do you think is the best HIPS?

Most of us are fairly familiar with Host Intrusion Protection Systems.

OTHER than CFP’s HIPS (Defence+), what would be the best alternative??

EQSecure, Netchina S3 HIPS - free…

You can find it here - http://wiki.castlecops.com/Lists_of_freeware_behavior_blockers
and here - http://wiki.castlecops.com/HIPS/IDP_programs/services

Are you referring to HIPS in general, or so called ‘classical’ HIPS, like PG and SSM?

Any kind of HIPS/Behavior Blockers.


If freeware only, then:

Sandboxes - SandboxIE, GesWall

‘classical’ : (they’re behavior blockers, but they warn you of everything monitored, like a tripwire)
-SSM free (logical, highly configurable, almost unique feature - disconnect ui),

Behavior blockers - ThreatFire, DriveSentry (?) .

Execution control only - Abtrusion Protector (good ideas behind it, in a LUA the user can do squat, it’s good for that, lock down). No longer developed, few bugs, nothing major afaik.

Script Blockers :
-Script Defender (basic but extensions are configurable),
-Script Sentry (some flaws, but it provides a basic analysis of the script, and can block embedded scripts in .doc’s etc.)
Either one uses no resources, but they’re also not being developed.
WormGuard is also good, like SS; it’s payware but I don’t know if the trial expires :slight_smile:
NOTE: don’t buy WormGuard, DiamondCS (the company behind it) seems either dead or non-responsive. You will lose your money and win no license. Avoid it.

Rollback - Returnil

Hope I didn’t miss any.


Paid: same as above (some have paid versions which are much better), and include DefenseWall, Anti-Executable, Prevx (not freakin CSI), ProSecurity.
Maybe Antihook, if it didn’t depend on the .NET framework. If you HAVE to use the .NET framework anyway, you might give it a try, combined with AnalogX ScriptDefender. If not, stay away from it.



There is also spyware terminator hips, but I don’t think it is a good one.

Never tried, so I can’t tell, Darth Vader (:WIN)

Host Intrusion Prevention as in Network security?
Snort, PortSentry, some other misc.

For local protection such as Defense+, there’s also good ol’ TeaTimer that comes with Spybot S&D. :slight_smile:

I think the HIPS of the Comodo Firewall is one of the best in the paid and free market!!! Has anyone compared the speed and the reaction time of Defense+ and a paid HIPS app??? I think Defense+ beats them all! It is incredibly fast! Also its protectiveness is worth an A+ and the impact on the system is almost 0%! (ok, maybe I am exaggerating a little bit…) Anyway, its combination of protectiveness and speed is lethal for paid competitors I guess… This is just what I think, I have not done a real test, but I hope I am right… (:WIN)

I use:
-D+, for me the best HIPS I’ve ever used, and I’ve used a lot. No resource impact, easy to configure and FREE!!
-Returnil free, when I want to test a program (I only test safe programs)
-GesWall free edition if I need to execute an application in isolation.

D+ all the way.

I talked with a Kaspersky team member, and I talked about Defense+, which is actually the best solution to protect your system.
The man said Kaspersky 8.0 had this kind of protection, like it was so great; he thought it was as good as D+ in his mind. OK, he’s here to make business and will not tell you that D+ is far better and can be called a real HIPS.
So the KAV HIPS is what? You start some app, and the great AV tells you to wait as it’s analyzing the new app you launched.
Wow, what a great protection: you don’t know anything about the file, then Kasper says it’s OK and you’ve got to trust it, and this kind of analysis is enough compared to D+?
I told him I was safer with Comodo FW 3.0 than KAV, as I find undetected malware every week;
he told me hey, there’s KIS. Wow, KIS? Who saw the FW they released in this new product?
It’s crap; the 7.0 KIS FW was far better: just choose to create rules (all the rest with no rule got no access), or answer alerts to get what system services are needed.
svchost.exe is still in the trusted zone so anything can use it with no alert; OK, delete it, but now the FW chooses where to put the app: 4 levels: safe, less safe, be careful, and blocked apps.
Then you’ve got some symbols that look like nothing, some other window with services allowed or blocked, then connected processes; the FW look is crap, you understand nothing, you choose nothing, and the HIPS is nothing, you just wait for a little window to allow the app. That’s what they call the HIPS.

I wonder if competitors look at other security tools and test them.
A freeware was able to save my system like 4 or 5 times, as KAV’s perfect scanner detected nothing.

Actually, with the situation of the internet and the explosion of malware with packers joking with AVs,
what will I do without Defense+?
Even if I’m not 100% safe, D+ is the solution you cannot not use, and I’ve used it for months, but I found new D+ settings with the help of posters in here, so the potential of this software is terrible.
People who say it’s a bad app don’t see the reality of security today; they’re marks.
Your AV is up to date? Oh cool, you’re dead, man, but you don’t know it, like most people; he trusts a good up-to-date AV detecting no problem, who can blame him? I used to trust my AV.
Now I wonder why I bought a new licence; it’s useless.
When will they understand that Comodo’s security approach with this FW and this D+ is so logical? How can you protect a system using an AV?
With just KAV 8.0, I can say both my machines would be contaminated.
No AV can see the future. Reading articles on packers to bypass AVs, as I told friends to get Kaspersky because I was using it for a long time and it was the best AV… now I can tell AVs are crap; they explain to you how to make an undetectable file in 10 min…
But on virustotal.com, when I find some file undetected by KAV, there are always like 6 scanners detecting something when it’s some new package;
once I sent a file to VirusTotal and I got like 20 scanners that detected malware except Kasper. I sent them the file, they said no malware… today I sent one that is known as an unsafe file but they replied no malware…
I think on 5 files they replied 3 times no problem,
so what do you propose to replace D+, actually?
I don’t care about things I read that we’re fanatics and blind and deaf;
what I see is that the logic is this solution, so why does being logical mean being a fanatic…
What do I win by saying this is the actual solution?
Fan, fan of what? Even when I was young I was never a fan of anything.
So for a piece of code… maybe they think all people are young and react this way.

They don’t understand; I was for OA at the beginning, I bought it, I fought with Melih about OA and Comodo as I thought I was right, then when you join the testing group and you test OA then Comodo,
oulaaaa, OK, OA is not at the same level, so at this moment a fanatic would stay with OA and continue to say OA is the best, as all the tests I made are totally logical, and I understood why Melih was talking this way about Comodo:
it’s the best security product at the moment, and people saying it’s crap just don’t live in reality.
The problem is maybe what we think about other products;
I can say yes, there are other FWs as good as Comodo, but it’s a lie;
some are not bad but Comodo is THE leader by far.
Is it my fault if the people who got the idea to code this FW had the exact vision of the situation and released the best answer to face all those security problems? Nope, I don’t think this code is due to chance.
You need to know so much and follow the malware evolution for years and think about the project that will be the solution, especially when you see what users got as alternatives, so you release that, and giving that for free is crazy.
When you see the work done, the security level, the quality for a freeware, seriously, all sharewares are a joke because of the price; what can you do when a freeware is better than all the rest?
1 : drop the price
2 : contact the Comodo FW coders and dream about the fact that they will join some competitor’s team
3 : pray for Comodo to stop developing the FW
4 : accept the situation
5 : become a Comodo member
6 : put a link on their site to Comodo
7 : no need to say we’re the best, it’s old news
8 : they should pay the matousec site to test the latest Comodo
9 : and accept again that we take the lead

For me OA is the best HIPS!!!


Please, ailef, see screenshots for KIS 2009 HIPS: (:NRD)

Also, it should be said that the inherit option is great; the logic of it is simple: if an “untrusted” process starts a trusted process, the originally trusted process then becomes untrusted (you will be prompted for the actions it makes).
CFP is better at the COM interface (addable/editable) and the firewall is better in CFP3 (KIS will not prompt you if an app tries to send an ICMP code/request).

Logs and application analysis in KIS 2009 are simply the best (see sample).
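The inheritance rule described in the post above, written as an added Python model; this is not KIS, Comodo or any vendor's code. Every process carries a trust label, a child launched by an untrusted process is marked untrusted even when its own image is on the trusted list, and only untrusted processes trigger a prompt when they act. The model goes one step beyond the post: because the label is checked against the parent at every launch, the untrusted mark propagates down the whole subtree (grandchildren too). The image list and process names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRUSTED = "trusted"
UNTRUSTED = "untrusted"

# Constructed sample of per-image verdicts, standing in for a vendor's trusted-application list.
IMAGE_TRUST = {
    "explorer.exe": TRUSTED,
    "cmd.exe": TRUSTED,
    "svchost.exe": TRUSTED,
    "dropper.exe": UNTRUSTED,
}


@dataclass
class Process:
    pid: int
    image: str
    trust: str
    parent: Optional[int]


@dataclass
class ProcessTable:
    procs: Dict[int, Process] = field(default_factory=dict)
    prompts: List[str] = field(default_factory=list)   # prompts the user would see
    next_pid: int = 100

    def start(self, image: str, parent_pid: Optional[int] = None) -> Process:
        """Launch `image` under `parent_pid` and assign its effective trust label."""
        trust = IMAGE_TRUST.get(image, UNTRUSTED)       # unknown images default to untrusted
        if parent_pid is not None and self.procs[parent_pid].trust == UNTRUSTED:
            # Inheritance rule: an untrusted parent taints the child, whatever its image.
            trust = UNTRUSTED
        proc = Process(self.next_pid, image, trust, parent_pid)
        self.procs[proc.pid] = proc
        self.next_pid += 1
        return proc

    def action(self, pid: int, what: str) -> str:
        """Trusted processes act silently; untrusted ones raise a prompt for each action."""
        proc = self.procs[pid]
        if proc.trust == TRUSTED:
            return "allow"
        self.prompts.append(f"pid {pid} ({proc.image}) wants to: {what}")
        return "prompt"


def demo() -> ProcessTable:
    """Constructed scenario: a trusted shell runs an untrusted dropper that spawns cmd.exe."""
    table = ProcessTable()
    shell = table.start("explorer.exe")
    dropper = table.start("dropper.exe", shell.pid)
    cmd = table.start("cmd.exe", dropper.pid)           # trusted image, untrusted parent
    table.action(cmd.pid, "write a Run key (constructed action)")
    table.action(shell.pid, "open a document (constructed action)")
    return table


if __name__ == "__main__":
    t = demo()
    for p in t.procs.values():
        print(p.pid, p.image, p.trust)
    print(t.prompts)
```

Running the script shows cmd.exe labelled untrusted despite its image being on the list, and a single prompt, raised for the cmd.exe action rather than for the shell's.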

