What is the best HIPS out there ?
IcePanther
June 9th, 2006, 06:16 AM
Hello,
I'm still pretty undecidable on what would be the best HIPS. So I'm setting up this poll ;D
When voting, please explain why you think a product is good, and which are its pros/cons. Protection, but also impact on system performance, compatibility, usability, etc...
Don't mind if it's free or not
Thanks for voting !
Ice.
Antarctica
June 9th, 2006, 07:26 AM
I voted for Online Armor but I think it's the same as your AV, the main thing is what works best with your own configuration.
OA also has my preference because of the very good, very friendly, and very fast support.:)
Alphalutra1
June 9th, 2006, 01:54 PM
Ghost Security Suite, it is lightweight, has a great developer who is constantly innovating the application, offers a great deal of protection, and is very customizable. Also, the free version has ghost popups with funny stories, what more could you want :P
Alphalutra1
Devil's Advocate
June 9th, 2006, 02:11 PM
If I'm a super alpha geek I would take Ghost security suite, ProcessGuard or SSM or Antihook.
GSS and SSM indulge the super geek in me, allowing me to tweak my defenses to the uttermost. Last week, I spent a happy few hours checking my regdefend settings versus a comprehensive list of registry places where malware can hide (http://weblog.infoworld.com/securityadviser/archives/2006/05/where_windows_m.html) and testing for usability for example.
While SSM allows me to set parent-child control processes to my heart's content.
Processguard's probably the easiest to use of the bunch but still fairly geeky, be prepared to get messages about hooks and questions about 'physical memory'.....
Otherwise I would go for Prevx1 first (ABC mode or maybe Pro mode, expert mode defeats the purpose of prevx1 I think) then Online Armor.
Prevx1 has a nice big list of white listed programs so you don't get annoyed by pointless prompts whenever you go download or upgrade some standard program like Opera, Java, adobe reader whatever. On the negative side, it seems to slow down a bit whenever it authenticates something new, I'm not sure if it is connecting to the web or something.
Online Armor I haven't tried for a while, but it might have something similar, and it also tracks changes made by install programs, so you can reverse some changes if they prove harmful.
So I guess I'm supporting Prevx1, and unlike Notok, I'm fully independent and have no ties with them.
Your only problem is figuring out if I'm playing devil's advocate in this post. :D
aigle
June 9th, 2006, 03:04 PM
OA but it needs a good black and white list.
sweater
June 10th, 2006, 01:36 PM
hi there,
I am just using the latest free version of ProcessGuard and Ghost Security Suite (AppDefend). And WinPatrol plus. These three I think are good enough for me, coz I don't like to have too many pop-ups appearing unexpectedly on my screen asking like you are on an exam test. I didn't experience any problem w them, they didn't affect my system and internet speed and best of all I am not annoyed with pop-ups.
for AppDefend, there's suggestions on the forum to lessen pop-ups. WinPatrol just pop-ups when it really matters...;D
WSFuser
June 10th, 2006, 02:06 PM
I like Online Armor the best due to its simplicity and start menu scanner. having said that, it does lack a few features compared to other HIPS like PG, AppDefend, or PrevX1.
aigle
June 10th, 2006, 03:09 PM
-{ Quote: "hi there, I am just using the latest free version of ProcessGuard and Ghost Security Suite (AppDefend). And WinPatrol plus. These three I think are good enough for me, coz I don't like to have too many pop-ups appearing unexpectedly on my screen asking like you are on an exam test. " }-
Hi! U are very brave. I wonder u are managing pop ups of three programmes and still considering them not too much.
Vikorr
June 10th, 2006, 04:41 PM
I also think that Prevx1 and OA are the two best HIPS out there (well, I use OA AV+).
Both products are trying to make HIPS more intelligent (meaning you get less popups), and both products deal with the issue of 'installing new programs' adequately (unlike many other HIPS).
There are other HIPS out there that are aimed at intelligent behavioural detection - ViGuard and Safe-n-Sec are the two others that I know of (although I think ViGuard considers itself an IPS...but there's little to no difference in the end)
WilliamP
June 10th, 2006, 04:43 PM
I like PG, OA and DefenseWall. I really like the idea of DW. Keeps the bad boys locked up.
Rasheed187
June 10th, 2006, 08:14 PM
It's hard to say which HIPS is the best, but so far my favorite tools are:
ZoneAlarm Pro
Kaspersky AV 6
System Safety Monitor
Other promising tools:
Neoava Guard
ProSecurity
Brandon
June 11th, 2006, 12:29 AM
For me it's tough to choose between Online Armor (which i picked) and System Safety Monitor. I picked Online Armor because of its simplicity and it gets the job done with less things to configure, but Online Armor doesn't quite yet cover all the areas that SSM covers currently so it wouldn't go wrong running them both together and disabling the things you want so they don't overlap ;)
dawgg
June 18th, 2006, 11:56 AM
i use KIS/KAV's (kaspersky). used to use ZoneAlarmPro as well... but didnt want the firewall anymore, so deleted it all... just got KIS now, does the job!
bellgamin
June 18th, 2006, 02:23 PM
OA-AV+ -- the combination of a powerful HIPS (Online Armor) that incorporates one of the very best antiviruses (Kaspersky), PLUS a spam killer, PLUS (soon) a firewall is simply amazing! Add to that unrivaled support and OA is ichi-ban. Taste it & c
sayo-noodles... bellgamin *puppy*
bigc73542
June 18th, 2006, 02:25 PM
Ghost security suite :thumb:
kvirus
June 21st, 2006, 09:40 PM
gss::)
IcePanther
June 24th, 2006, 06:02 AM
Thanks everyone for your answers and your votes,
I decided to go for Online Armor, mainly because of its excellent rollback feature, that is very useful. Your opinions were much different and, like Antarctica said, the best is what works better on my workstation :)
Again, thanks to all ^^
Minimax2000
June 27th, 2006, 03:33 PM
For me it's SSM. Not only is it feature rich but it has a very responsive support team as well. Plus they are working on its usability for novice users.
Infinity
June 27th, 2006, 03:35 PM
at the moment it is SSM all the way .. waiting for GSS to update but SSM is way better than before lol..those kickass russians again lol .. (I think they are at least!)
Infinity
June 27th, 2006, 03:36 PM
-{ Quote: "gss::)" }-
hmmm a lurker lol ... welcome kvirus!
ErikAlbert
June 27th, 2006, 06:03 PM
I voted for Prevx. Install it on a clean (if possible) system partition.
It's the most userfriendly one IMO.
aigle
June 27th, 2006, 06:13 PM
I agree but the reason is obvious as it has a data base on the net and contacts it.
BTW. it is the only HIPS that might be used by ordinary users.
rdsu
June 27th, 2006, 06:36 PM
Without any doubt, AppDefend!
Eldar
June 27th, 2006, 06:40 PM
GSS for me too. :thumb:
aigle
June 27th, 2006, 06:46 PM
-{ Quote: "I voted for Prevx. Install it on a clean (if possible) system partition.
It's the most userfriendly one IMO." }-
BTW, does it have some heuristics and local data base, I mean these will be useful if u are not on the net.
screamer
July 4th, 2006, 09:35 AM
I've tried a few Hips:
Prevx seems to slow down my machine
OnlineArmor screwed w/ my start up list
ProcessGuard doesn't play nicely w/ FD-ISR
ProSecurity is very nice :)
SSM gets my vote :thumb:
I was in way over my head when I first installed it. After reading the forums and asking questions. I think I've got a handle on it now. I'm not claiming to be any kinda expert... After running it in "Learning Mode" taking it out of learning mode and answering a few popups. (reading the DETAILS in popups) If you feel compelled: configuring all the Parent / Child relationships...
I feel I'm pretty well protected.
...screamer
MikeNash
July 4th, 2006, 09:39 AM
-{ Quote: "OnlineArmor screwed w/ my start up list
" }-
Hi Screamer - if OA caused you a problem, please drop me a PM.. happy to help you with it.
Mike
Peter2150
July 4th, 2006, 10:21 AM
-{ Quote: "I've tried a few Hips:
RegDefend doesn't play nicely w/ FD-ISR
...screamer" }-
What problems did RegDefend cause with FD-ISR? I for sure don't see any issues at all.
You might post questions about this in the leap frog forum.
Pete
screamer
July 5th, 2006, 05:02 PM
Pete, my mistake, it was process guard. I corrected it.
...screamer
wilbertnl
July 5th, 2006, 07:56 PM
I vote for Cyberhawk (version 1.1.0.4), which is non-intrusive, has a decent foot print and I don't notice impact on performance.
Stem
July 5th, 2006, 10:28 PM
I have voted for SSM,..
This I have done, not simply for its excellent protection, but also due to the fact I have found that the SSM team listen to its customers,.. they listen and implement good ideas brought forward,.. and fix any bugs reported very quickly.
sosaiso
July 6th, 2006, 10:06 AM
Online Armor with AV+ was amazing since the first stages of beta. Along with all the other features, it is amazing. And the support!
Prevx1 comes closely behind it with lesser feature offerings.
dylanfan
July 6th, 2006, 01:18 PM
SSM... Simply perfect.
egghead
July 6th, 2006, 03:56 PM
System Safety Monitor: :thumb: :thumb: :thumb:
1. EVERY malware test I have thrown at it I've been able to block
2. great support and committed company
3. REAL ;) zero-second protection (does not work with a signature/data base)
4. monitors all running processes and operating system activity in real time
5. extremely fine-grained control over apps
Ptah
July 6th, 2006, 09:48 PM
Prevx1 here:thumb:
rpsgc
July 7th, 2006, 05:37 PM
Hi guys,
Sorry for the off-topic but I have a question regarding HIPS... I'm currently using Winpatrol PLUS, which I don't know whether it qualifies as a HIPS or not. Do you think that's enough? Besides the standard protection of course (avast home, Kerio PF, Windows Defender)...
Anyways I tried PrevX and although it seems pretty good it was really heavy on my system (PXAgent ~25MB, PXConsole ~6MB).
Now I'm trying SSM. Should I set it to learning mode?
WSFuser
July 7th, 2006, 07:36 PM
i personally do consider winpatrol an HIPS but to each their own.
as for learning mode, its up to you. some people dont like it and prefer to validate each app themselves. i havent tried SSM but id use learning mode as i dont like having lots of alerts.
as for the poll, i already voted for online armor but i have just recently switched to prevx. its memory usage is heavy but its being worked on, and its quite powerful and thorough on its policies. plus running in ABC mode, i havent seen any alert yet except for two small notifications when it is authenticating a program or scanning it.
dylanfan
July 8th, 2006, 01:44 AM
-{ Quote: "Hi guys,
Now I'm trying SSM. Should I set it to learning mode?" }-
Hi
The way I use SSM is this:
After installing SSM on a clean system I trust (for instance, a newly installed and patched OS), I set SSM in learning mode ("connect the user interface" - SSM icon is green in the systray), and I open every app I currently use in turn, one after another.
Each time, of course, SSM would intercept it and ask me what I wanna do with it. Since they're all apps I just decided to open myself, I answer "allow to run each time" for those.
Once this is done, I right-click on SSM and "disconnect the user interface" (SSM icon is grey in the systray), which means that now, SSM won't ask me anymore when a new app will try and start: it will then simply block it. Only the apps I previously launched and instructed SSM to allow will be able to run in this new "disconnected-user" mode I just set.
It stays that way from then on. In the options of SSM, I check the option "start automatically at OS startup" and uncheck "connect user interface automatically". I also instruct SSM to monitor apps, processes, services, regkeys and so on, also by right-clicking in the systray.
That's it. Your system is now bulletproof against any leaktest or whatever bad app which would even try and install on your system.
This way, you don't have to always play questions and answers with SSM: it now knows what to do and what not to allow (which is anything it doesn't know or trust already).
Try it: it succeeds against any leaktest or whatever I ever throw at it. That's not a surprise once you set SSM up the proper way.
Cheers
aigle
July 8th, 2006, 02:41 AM
-{ Quote: "Hi guys,
Sorry for the off-topic but I have a question regarding HIPS... I'm currently using Winpatrol PLUS, which I don't know whether it qualifies as a HIPS or not. Do you think that's enough? Besides the standard protection of course (avast home, Kerio PF, Windows Defender)...
Anyways I tried PrevX and although it seems pretty good it was really heavy on my system (PXAgent ~25MB, PXConsole ~6MB).
Now I'm trying SSM. Should I set it to learning mode?" }-
Hi, I think learning mode is must with SSM otherwise u will waste ur time with pop ups.
Put it in learning mode and do watever u are doing normally every day. When u think it is over then go to normal mode.
About WinPatrol, if u use windows defender then I think it covers a lot of things covered by WinPatrol (new start up entries, new services etc). I will personally remove it if I am using Ws Defender.
rpsgc
July 8th, 2006, 04:38 AM
Thanks for the help guys! :)
aigle
July 8th, 2006, 02:49 PM
-{ Quote: "Hi
The way I use SSM is this:
After installing SSM on a clean system I trust (for instance, a newly installed and patched OS), I set SSM in learning mode ("connect the user interface" - SSM icon is green in the systray), and I open every app I currently use in turn, one after another.
Each time, of course, SSM would intercept it and ask me what I wanna do with it. Since they're all apps I just decided to open myself, I answer "allow to run each time" for those.
Once this is done, I right-click on SSM and "disconnect the user interface" (SSM icon is grey in the systray), which means that now, SSM won't ask me anymore when a new app will try and start: it will then simply block it. Only the apps I previously launched and instructed SSM to allow will be able to run in this new "disconnected-user" mode I just set.
It stays that way from then on. In the options of SSM, I check the option "start automatically at OS startup" and uncheck "connect user interface automatically". I also instruct SSM to monitor apps, processes, services, regkeys and so on, also by right-clicking in the systray.
That's it. Your system is now bulletproof against any leaktest or whatever bad app which would even try and install on your system.
This way, you don't have to always play questions and answers with SSM: it now knows what to do and what not to allow (which is anything it doesn't know or trust already).
Try it: it succeeds against any leaktest or whatever I ever throw at it. That's not a surprise once you set SSM up the proper way.
Cheers" }-
I like to do like this but I want to ask, this way is it not going to cause any trouble with auto-updates of windows and Av etc? I put it in learning mode for many days but still it pops up sometimes (after AV and probably after windows auto-updates).
dah145
July 8th, 2006, 11:54 PM
Also which of the HIPS is the least resource consuming? ??? (but still a good one?)
WSFuser
July 9th, 2006, 12:08 AM
of the various HIPS ive tried, ProcessGuard is the lightest. Its no slouch either, it can block drivers, hooks, process modification/termination, etc...
dah145
July 9th, 2006, 01:03 AM
-{ Quote: "of the various HIPS ive tried, ProcessGuard is the lightest. Its no slouch either, it can block drivers, hooks, process modification/termination, etc..." }-
Thanks and
How is SSM in resources usage?
MGhell
July 9th, 2006, 03:55 AM
SSM is quite light on resources, it uses about 8MB on my system (XP PRO SP2).
Max
dah145
July 9th, 2006, 04:10 AM
-{ Quote: "SSM is quite light on resources, it uses about 8MB on my system (XP PRO SP2).
Max" }-
Thanks, I will try SSM. 8)
squibbon
July 9th, 2006, 08:32 PM
Online Armor - without a doubt.
Heco
July 10th, 2006, 06:55 PM
-{ Quote: "Online Armor - without a doubt." }-
+1:)
Cheers,
Hervé
Rasheed187
July 11th, 2006, 09:26 AM
@ dylanfan
I use SSM in the same way, however I've noticed that if I choose to use the "block everything paranoid mode" setting, some browsers will not work correctly. So that's why I've installed Neoava Guard as a backup HIPS because SSM will not block everything when in "block process creation" mode.
ErikAlbert
July 11th, 2006, 03:36 PM
DefenseWall deserved a place in this poll :(
tristantzara
July 11th, 2006, 08:01 PM
-{ Quote: "Without any doubt, AppDefend!" }-
yes, ghostsecurity suite is my winner too
dylanfan
July 13th, 2006, 03:27 PM
-{ Quote: "I like to do like this but I want to ask, this way is it not going to cause any trouble with auto-updates of windows and Av etc? I put it in learning mode for many days but still it pops up sometimes (after AV and probably after windows auto-updates)." }-
Hi...
First of all, I'd like to correct something I stated previously. I do not use the learning mode in SSM. I had in mind that the way I use it can be called some kind of learning mode, but I just realize that there is a built-in function in SSM which is precisely called that way! Sorry.
Anyway. I've just been PMed a question about the concept of interference between SSM and some AV. The question is: "is there any?" My answer: nope.
How do you do that? I'll try and redescribe my way of doing things if I may. First of all, I install SSM on a clean system, i.e. one that I just installed and patched. Best way to do this, of course, is to use some imaging software to restore a valid backup of your choice.
I also make sure that I'm physically disconnected from the net.
Then I install SSM. Once that is done, and after I have restarted the system as demanded by the installation routine, I have the green SSM icon activated in the systray.
I then rightclick on this icon. I "enable application rules" and "all the modules". Then I click on "preferences". I choose "options". I check "start automatically" and I also check "connect user interface at startup". Then I restart the system again.
Right after startup, now SSM alerts me that some pilot is executing some action, and asks me if I would allow it. Since I know for sure that my system is clean (because I checked it with AV's and Spybot and so on BEFORE I installed ssm) I answer "always allow running of this application". Then it asks me if I want to allow this or that process or this or that AV to run, and this or that firewall, and each time I answer the same as above. It may be some 20 questions, depending on how many legitimate processes are running after startup on your pc. No big deal.
Once it calms down with the questions, I restart the pc again. Some new question may arise again, but much less than previously. I again answer ok each time.
Once that is done, I manually launch my Openoffice, and ssm asks if I want to allow it, and I say yes. I do the same with Opera. Then the same with FireFox, same with 7Zip, same with whatever application I like and currently use day in and day out. I could do this with windows update if I wanted to use it.
This way, I know that ssm will allow these apps to function anytime they want to.
Then I go back to ssm/preferences/options. And now I UNCHECK "connect user interface at startup". I restart a last time (or I could just rightclick on the icon in the systray and "disconnect user interface".) Now the icon is blue.
That's it. All the apps I authorized can run as many times as they want to. Any other app or process or whatever that would wanna start or install or exec on my pc is stopped by SSM, without SSM even asking any question (since now the user interface is disconnected).
If some day I want to allow a new app, I then rightclick on SSM again, "connect user interface", launch my new legitimate app, answer to the SSM question(s) regarding this new app and its components (it may be two or three questions for a single app, for instance), and then disconnect the user interface again.
Hope this helps.
dylanfan
July 13th, 2006, 08:08 PM
One can also locate the antivirus scanner executable file by "preferences/options/antivirus", this way teaching SSM where it is.
Cheers
marcromero
July 13th, 2006, 08:19 PM
The one I'm not using... see no need for a HIPS on my computer.
f3x
July 13th, 2006, 10:12 PM
I have a question for all those that pointed to online armor.
I am really but not really a big fan of creating a white list of trusted application.
So I wouldn't use the feature to allow / deny program execution.
Even with that feature disabled is there anything that makes OA stand out of the crowd (not considering av) ?
____________________________________________________________________________________________
On another topic the best hipss ( what's the plural of hips ? ) all miss one useful feature.
The one i'd like to see is something like track-and-reverse of Tiny firewall:
EG have all the power to accept/ block program action but always be able to rollback our errors for this particular program only
WSFuser
July 13th, 2006, 10:56 PM
well it does have a content filter for removing activex and advertising content.
and OA does have a feature like track-and-reverse. when it prompts u to run a program, there is a checkbox "track this program". in the program section u can then delete the program and undo any changes it made.
btw the plural of HIPS would stay HIPS because its an acronym not a word.
herbalist
July 13th, 2006, 11:46 PM
-{ Quote: "Now I'm trying SSM. Should I set it to learning mode?" }-
Learning mode is pretty much a necessity unless you thoroughly know your system and the parent/child dependencies of each executable on your PC. The early versions of SSM didn't have the learning mode, which made going to paranoid mode quite a project. Dylanfan mentioned it but it bears repeating. Make certain that you're starting with a clean system, especially in learning mode. The learning mode tells SSM to trust everything that's running or gets started by another process. If your system is infected with adware/malware or a virus, their activities will also be trusted.
You can use learning mode and the paranoid setting together. When SSM rules are made in this fashion, the allowed parent processes are also being set. Using your media player for example, if you launch it using windows explorer, it becomes an allowed parent process. If you then disabled the learning mode and your browser wanted to launch your media player, SSM would block it. It takes longer to get everything set this way, but you get a much stronger ruleset. You just have to remember to start the processes you use with each expected parent process. I realize this sounds like a real pain, but the strength of SSM is its ability to control what each process can and can't do and what each is and isn't allowed to start. It's not just the making of a listing of allowed processes. I've run into a few instances where a process is a parent or child of another instance of itself. While you may want to use the registry editor or the system configuration utility (via windows explorer), you definitely don't want your e-mail program to be able to do so.
-{ Quote: "Hi, I think learning mode is must with SSM otherwise u will waste ur time with pop ups.
Put it in learning mode and do watever u are doing normally every day. When u think it is over then go to normal mode." }-
When you do decide to stop using learning mode, I suggest you leave the UI connected for a while. You'll also want to reboot your system at least once after leaving learning mode but with the UI connected. This will help make certain that all the processes involved in bootup are covered, along with any "RunOnce" items used during startup. This also applies to shutdown. You'll find that you probably don't have rules made for all the executables, and you will need to be prompted about some of them. Office programs, CD burners, AVs, IM programs, etc are instances where you can run into this. Your CD burner may use different executables for burning data and music CDs. Run thru all the update processes for your AV/AS programs as well while the UI is connected. Some of them use several executables during the update process that will need rules made for them. Launch any scheduled tasks you have set up with the scheduler before disconnecting the UI, especially if you use a different scheduling agent. Run thru everything in the "Send To" folder. On my system, "Send To" is treated as a separate parent. If you use software that integrates with your AV like a download manager, IM program, or WinZip, use them to start the AV scanner so they're shown as allowed parent processes. If you use the file transfer or webcam components of an IM program, start them as well.
It takes a while to make a tight ruleset. One more thing you might consider doing is to save copies of the ruleset as you go, in case you make a mistake and need to back up a little. Since the default ruleset is named "global", use names like "global1" "global2" etc. Just take your time and ask if you have any questions.
Rick
Infinity
July 14th, 2006, 06:38 PM
exactly :thumb: !
aigle
July 15th, 2006, 05:21 AM
-{ Quote: "You can use learning mode and the paranoid setting together. When SSM rules are made in this fashion, the allowed parent processes are also being set. Using your media player for example, if you launch it using windows explorer, it becomes an allowed parent process. If you then disabled the learning mode and your browser wanted to launch your media player, SSM would block it. It takes longer to get everything set this way, but you get a much stronger ruleset. You just have to remember to start the processes you use with each expected parent process." }-
Hi! I am using free version and there is no paranoid mode. However as I see it makes rules specific to parent and child, not general rules.
Badcompany
July 15th, 2006, 05:48 AM
Hello Forum,
I have been using SSM for the last 3 days with very few problems. Now I have my Three Musketeers working perfectly together, Kis6, SSM, and Spysweeper. This is all you need.
Badcompany.:thumb:
herbalist
July 15th, 2006, 06:30 AM
-{ Quote: "
Hi! I am using free version and there is no paranoid mode. However as I see it makes rules specific to parent and child, not general rules." }-
That's the version I'm using as well. Look under Options>applications, under "program behavior". It's listed as "block everything (paranoiac setting)"
Rick
aigle
July 15th, 2006, 07:57 AM
hi! It is for disconnected GUI only.
PierreF
July 15th, 2006, 09:48 AM
I don't have it (yet). But saying what's best HIPS or Mediaplayer every time will only make it easy for major players to snap up small software makers with a good product.
Mele20
July 15th, 2006, 09:50 AM
I didn't vote for any of them. I have been using PG for a couple of years but I no longer like it much and I can't stand any of the others. They are a million times more irritating than PG and have way too many problems. PG has too many problems also but it is not nearly as bad as the others. I only want PG to stop IE from going to WU without authorization or any other Microsoft crap trying to call home. I could do with a software firewall what I use PG for but I hate software firewalls even more than I do applications like PG.
SpikeyB
July 15th, 2006, 10:37 AM
-{ Quote: "I only want PG to stop IE from going to WU without authorization or any other Microsoft crap trying to call home." }-
Can't you do that by renaming iexplore.exe?
If you have XP Pro, you could try the software restriction policy. A pain in the butt to set up but it works without a problem. Then again, PG worked without problems for me.
herbalist
July 15th, 2006, 06:15 PM
-{ Quote: "hi! It is for disconnected GUI only." }-
When in paranoid mode, UI disconnected, any activity or parent-child dependency not specifically allowed by the rules is blocked. When the UI is connected, you're prompted about anything not specifically permitted. The "block process creation" mode doesn't block other activities performed by processes that are permitted whereas the paranoid mode does. Nothing is blocked when the UI is connected unless it's specifically blocked in the ruleset. You're prompted for all unknowns and anything unspecified.
When the UI is disconnected, "ask" means "blocked".
Rick
aigle
July 15th, 2006, 10:39 PM
-{ Quote: "The "block process creation" mode doesn't block other activities performed by processes that are permitted" }-
u mean even if there are no rules before for these activities?
dylanfan
July 16th, 2006, 01:52 AM
Man, the latest 2.1.5.580 SSM version sends cpu loads over 50% !! I think it's coming from the low level keyboard access control.
I'll stick to the free 2.0.8.577 version for now...
Cheers
Peter2150
July 16th, 2006, 08:42 AM
-{ Quote: "Man, the latest 2.1.5.580 SSM version sends cpu loads over 50% !! I think it's coming from the low level keyboard access control.
I'll stick to the free 2.0.8.577 version for now...
Cheers" }-
Not seeing that here with 580.
Pete
RipVanTinkle
July 16th, 2006, 09:14 AM
DefenseWall - first
Set it and forget it plus it has great support
Process Guard - second
an old faithful which deals with other concerns not covered by the former
IcePanther
July 16th, 2006, 10:03 AM
Hi again everyone,
I settled with SSM after some testing, i got rid of OnlineArmor because it slowed down my download/email speed much and messed with my start menu (duplicate entries, no entries...)
Now I'm using for resident protection, as you can see in my signature, Nod32+Outpost Pro+SSM.
I've got two questions now (I know I'm annoying and undecidable but given I've to renew all my licences in very few days... ::) ;D )
1. Is there a way to configure SSM to control DLL's loaded by an application ?
2. Is it more secure to use KIS (with all options enabled including application integrity control) or this current setup ?
Thanks again for your opinions, votes, they were very useful to me :)
herbalist
July 16th, 2006, 11:48 AM
-{ Quote: "-{ Quote: "The "block process creation" mode doesn't block other activities performed by processes that are permitted" }-u mean even if there are no rules before for these activities?" }-
What I mean is that in process creation mode, a permitted process is allowed to perform any activity it normally does, like system hooks and starting any other permitted process. That doesn't allow it to launch processes that haven't been permitted by rule or anything else specifically blocked. In Paranoid mode, only what you specify is allowed.
I use an older version of Yahoo IM. When started, Yahoo tries to set hooks for the keyboard and mouse. In the process creation mode, UI connected (used to be called administrator mode), they're allowed. In paranoid mode, you're asked first. With the UI disconnected (used to be user mode), they're allowed in process creation mode and blocked in paranoid mode. To carry the example farther, Yahoo IM also wants to start Regedit when launched. If Regedit is already a permitted process, this will be allowed in process creation mode, whether the UI is connected or not. In paranoid mode, UI connected, you'll be asked if Ypager (the main Yahoo IM executable) is allowed to start Regedit. It will be blocked with the UI disconnected if you didn't already permit it earlier.
If I've missed what you're asking, let me know.
Rick
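The mode and UI behaviour Rick describes in his posts above (the Yahoo IM hook and Regedit cases), modelled as a small decision function. This is an added example, not part of the original thread and not SSM's own code; the `Ruleset` structure, the function names and the process names are assumptions made for illustration.

```python
"""Toy model of the SSM behaviour described in the posts above.
Not SSM code: every name and data structure here is an illustrative assumption."""
from dataclasses import dataclass, field

ALLOW, ASK, BLOCK = "allow", "ask", "block"


@dataclass
class Ruleset:
    permitted: set = field(default_factory=set)  # processes allowed to run at all
    allowed: set = field(default_factory=set)    # explicit (actor, action, target) allows
    denied: set = field(default_factory=set)     # explicit (actor, action, target) blocks


def decide(rules, actor, action, target, *, paranoid, ui_connected):
    """Return the verdict for one event under the given mode and UI state."""
    key = (actor, action, target)
    if key in rules.denied:       # an explicit block always wins
        return BLOCK
    if key in rules.allowed:      # an explicit parent/child or activity rule
        return ALLOW
    if not paranoid and actor in rules.permitted:
        # "block process creation" mode: a permitted process may do what it
        # normally does (hooks etc.) and start any other permitted process.
        if action != "start" or target in rules.permitted:
            return ALLOW
    # Anything unspecified: prompt when the UI is connected; with the UI
    # disconnected, "ask" means "blocked".
    return ASK if ui_connected else BLOCK


def answer_prompt(rules, actor, action, target, allow=True):
    """What answering a prompt with 'always' does while the UI is connected."""
    (rules.allowed if allow else rules.denied).add((actor, action, target))


def yahoo_im_table():
    """Verdicts for the constructed Yahoo IM scenario in every mode/UI combination."""
    rules = Ruleset(permitted={"ypager", "regedit", "explorer"},
                    allowed={("explorer", "start", "regedit")})
    events = [
        ("ypager", "hook", "keyboard"),      # IM client sets a keyboard hook
        ("ypager", "start", "regedit"),      # IM client launches a permitted process
        ("ypager", "start", "dropped.exe"),  # IM client launches an unknown process
        ("explorer", "start", "regedit"),    # user launches Regedit from Explorer
    ]
    table = {}
    for paranoid in (False, True):
        for ui_connected in (True, False):
            for ev in events:
                table[(ev, paranoid, ui_connected)] = decide(
                    rules, *ev, paranoid=paranoid, ui_connected=ui_connected)
    return table


if __name__ == "__main__":
    for (ev, paranoid, ui), verdict in yahoo_im_table().items():
        mode = "paranoid" if paranoid else "process-creation"
        state = "UI connected" if ui else "UI disconnected"
        print(f"{mode:17} {state:16} {ev[0]} {ev[1]} {ev[2]:12} -> {verdict}")
```

The table shows why a ruleset built per parent in paranoid mode is stricter: with the UI disconnected, the IM client starting Regedit is blocked even though Regedit itself is a permitted process, while the Explorer launch still works.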
aigle
July 16th, 2006, 12:29 PM
-{ Quote: "-----process is allowed to perform any activity it normally does, like system hooks and starting any other permitted process. That doesn't allow it to launch processes that haven't been permitted by rule or anything else specifically blocked. In Paranoid mode, only what you specify is allowed.
I use an older version of Yahoo IM. When started, Yahoo tries to set hooks for the keyboard and mouse. In the process creation mode, UI connected (used to be called administrator mode), they're allowed. In paranoid mode, you're asked first. With the UI disconnected (used to be user mode), they're allowed in process creation mode and blocked in paranoid mode. To carry the example farther, Yahoo IM also wants to start Regedit when launched. If Regedit is already a permitted process, this will be allowed in process creation mode, whether the UI is connected or not. In paranoid mode, UI connected, you'll be asked if Ypager (the main Yahoo IM executable) is allowed to start Regedit. It will be blocked with the UI disconnected if you didn't already permit it earlier.
If I've missed what you're asking, let me know.
Rick" }-
Thanks, a bit clear now. But still I am confused that when the user interface is connected there is only one mode. The Paranoid mode option is shown only in user interface disconnected mode (see OPTIONS> APPLICATIONS> Programme behaviour).
herbalist
July 16th, 2006, 01:22 PM
When the UI is connected, only what is specifically denied in the ruleset is blocked. It's more of an administrator setting that's used during setup or rule modification and when accessing system components that you don't want accessed in a normal user setting. Treat it like you would the administrator and user accounts on your system. When fully configured, SSM normally runs with the UI disconnected, which ends all prompts.
I'd have to reload a test ruleset to be sure, but I believe that the default action for parent or child (not sure which) on the advanced rule screen gets changed from allow to ask when the rules are made in paranoid mode. Hopefully I'll have time tonight to check on this for you. Right now, the temperature is going into the 90s with nasty humidity, and I have a friend's PC to service, who happens to live on the lake. ;D
Rick
CogitoErgoSum
July 18th, 2006, 02:52 PM
DefenseWall
Peace & Love,
CogitoErgoSum
dylanfan
July 20th, 2006, 02:13 PM
-{ Quote: "Not seeing that here with 580.
Pete" }-
I'm on XP SP2.
I have a laptop, which I use as if it was a screen, i.e. I have mouse and keyboard usb-connected to the laptop. Might be related to the cpu hyper-high usage I have since two latest SSM versions have this low level keyboard access control ?!
herbalist
July 20th, 2006, 07:06 PM
Aigle,
Sorry about the delay getting back to you.
I just finished creating a couple of test rulesets in learning mode, with the UI connected throughout both runs. I used Win98 for this, but I doubt the results would be any different on a newer OS.
I left SSM in "block process creation" (default setting) for the first run. On the 2nd run, I used learning mode and Paranoiac setting together.
On both settings, the rules that were made for processes that started before SSM loaded were "allowed" rules. On the "advanced properties" screen of the individual rules for these processes, the default action for both parent and child is "allow". This includes any process launched from HKLM....RunServices. On Win98, SSM is started from the HKLM.....Run, and doesn't load until the user logs in. On the DOS based systems, you can manually add an entry for SSM to RunServices and uncheck its own autostart entry if you want it to start earlier. This works on 98/ME units with one user profile. It will work on multiple user 98/ME PCs, but all profiles will be on the same ruleset if you do this. If you need separate rulesets or filters for different user profiles, leave its "start automatically" option as is.
The difference is in the rules made for processes started after SSM starts. When the block process creation setting is used with learning mode, the rules made for most (not all) new processes are of the "allow" type with "allow" as the default action for parent and child.
When the paranoiac setting is used with learning mode, nearly all the rules for newly started processes were the "advanced" type, with the default action for "parent" set to ask. The default action for "child" remained as "allow".
The rules created in learning mode using the paranoiac setting permit the new processes to be started only by the parent process(es) that was used, while the "Block process creation" setting makes rules that allow all parent processes. This assumes that the parent process is already permitted. You won't see any difference in behavior until you disconnect the UI. As long as the UI is connected, nothing is blocked unless you specifically make a blocking rule.
Learning mode doesn't stop all prompts. On mine, if I used "Send To" to send a file or folder to a process that there were no rules for, I was prompted. If a rule existed for the process that "Send To" directs the file/folder to, then I wasn't prompted.
Paranoiac setting and learning mode work together well, at least they did for me. The main difference in how you treat the learning process is that you need to launch the processes you will be using from all the locations they would be started from. If your browser starts your media player, you'll need to launch it with it as well as using explorer to do it. You can also manually add (or remove) processes from the parent listing on the advanced rule menu. Make sure you're thorough with your AV software, launching it from everything it's integrated into and run the full update process for it. Rules for CD burning software can also be complicated. At times, a process is a parent and child to another instance of itself. If you're up to it, get to know what process each process on your system starts (the parent) and is started by (the child) and gradually edit the existing rules to match. Be very careful with system processes used during bootup. I used Process Explorer to get the parent+child settings accurate. On the DOS based systems, you can manually add an entry for it to RunServices, which gives you the opportunity to see any "run once" processes that aren't normally visible. Take your time and save copies of the ruleset as you go.
One more thing. SSM can make separate rulesets for each user. If you're set up with multiple user accounts (or profiles on the older systems) wait until you finish the global configuration (for all users). You can edit it to account for any differences you may want to add for different users and save the result as a user configuration. This is where SSM is extremely useful on 98/ME. You can block any individual user from accessing any program or executable (like regedit) and allow it for yourself. The filters are also user specific and work on system files and folders as well as web pages. On a family PC, want to keep the kids and their friends out of the control panel or the Internet Explorer options screen? SSM made this easy.
Rick
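Added example (not part of Rick's post and not SSM's own code): a small Python model of the behaviour the posts above describe, showing how rules learned under the two settings differ and how a prompt turns into a block once the UI is disconnected. The Rule structure, the function names and the process names "browser", "mediaplayer" and "newtool" are assumptions made for illustration, and the model does not check that the parent itself is a permitted process.

```python
from dataclasses import dataclass, field

ALLOW, ASK, BLOCK = "allow", "ask", "block"
PROCESS_CREATION, PARANOIAC = "block process creation", "paranoiac"


@dataclass
class Rule:
    """One permitted process, as on the 'advanced' rule screen (modelled)."""
    parents: set = field(default_factory=set)   # parents recorded while learning
    default_parent_action: str = ALLOW          # applied to any other parent


def learn(launches, setting):
    """Build a ruleset from (parent, child) launches seen in learning mode.

    Paranoiac setting: remember each parent, default action for others = ask.
    Block process creation setting: any parent is allowed by default.
    """
    default = ASK if setting == PARANOIAC else ALLOW
    rules = {}
    for parent, child in launches:
        rule = rules.setdefault(child, Rule(default_parent_action=default))
        if setting == PARANOIAC:
            rule.parents.add(parent)
    return rules


def decide(rules, parent, child, ui_connected, blocked=frozenset()):
    """Return allow / ask / block for 'parent wants to start child'."""
    if child in blocked:                 # explicit blocking rule always wins
        return BLOCK
    rule = rules.get(child)
    if rule is None:                     # no rule for this process at all
        verdict = ASK
    elif parent in rule.parents or rule.default_parent_action == ALLOW:
        verdict = ALLOW
    else:                                # known process, unlisted parent
        verdict = ASK
    # With the UI disconnected there are no prompts: "ask" becomes "block".
    if verdict == ASK and not ui_connected:
        return BLOCK
    return verdict


# Constructed learning session (sample data, not taken from a real ruleset).
LAUNCHES = [
    ("Explorer", "Ypager"),
    ("Ypager", "Regedit"),
    ("Explorer", "mediaplayer"),
]


def compare(parent, child):
    """Verdicts for one launch under both rulesets, UI connected and not."""
    out = {}
    for setting in (PROCESS_CREATION, PARANOIAC):
        rules = learn(LAUNCHES, setting)
        for ui in (True, False):
            out[(setting, ui)] = decide(rules, parent, child, ui)
    return out


if __name__ == "__main__":
    for pair in [("Ypager", "Regedit"), ("browser", "mediaplayer"),
                 ("Explorer", "newtool")]:
        print(pair)
        for (setting, ui), verdict in compare(*pair).items():
            print(f"  {setting:24} UI connected={ui!s:5} -> {verdict}")
```

The browser-to-mediaplayer case is the one the post warns about: under the paranoiac ruleset it is blocked with the UI disconnected because the player was only ever launched from Explorer during learning.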
aigle
July 20th, 2006, 09:26 PM
-{ Quote: "Man, the latest 2.1.5.580 SSM version sends cpu loads over 50% !! I think it's coming from the low level keyboard access control.
I'll stick to the free 2.0.8.577 version for now...
Cheers" }-
Just noticed this today with the free version, 2.0.8.577, services exe is giving these spikes. Anybody noticed it?
If I exit from SSM, services exe spikes stop.
aigle
July 20th, 2006, 09:33 PM
-{ Quote: "
The rules created in learning mode using the paranoiac setting permit the new processes to be started only by the parent process(es) that was used, while the "Block process creation" setting makes rules that allow all parent processes. This assumes that the parent process is already permitted. " }-
Thanks for the detailed reply. But from the screen shot I posted before it appears that the rules are made with specific parent child relationship always. There is no option for two modes while in learning mode. But they are applied differently when you are in disconnected GUI (paranoid mode-- allowing only already existing rules with specific parent child relationships and process creation mode--{ where parent child relationship is ignored-- not sure about this though}). Am I correct? I will try to ask in their forum when I get some time to post there.
Peter2150
July 20th, 2006, 10:16 PM
Hi Aigle
Go to Preferences>Modules>Services and change the polling to a higher number.
That will cut down the cpu spikes.
Pete
aigle
July 20th, 2006, 10:55 PM
-{ Quote: "Hi Aigle
Go to Preferences>Modules>Services and change the polling to a higher number.
That will cut down the cpu spikes.
Pete" }-
Thanks. This way I can decrease the no of spikes. But the spikes are normal in any case u mean?
Peter2150
July 21st, 2006, 12:33 AM
-{ Quote: "Thanks. This way I can decrease the no of spikes. But the spikes are normal in any case u mean?" }-
Yes, until they change the services stuff from polling.
herbalist
July 21st, 2006, 01:11 AM
Aigle,
The easiest way to see this would be to duplicate it on your system. In the SSM folder you'll find 2 files named global.cfg and global.dat. Shut SSM down and rename these 2 files. On mine, I just altered the file extensions to .cff and .das so SSM wouldn't recognize them. Then restart SSM. It'll launch with only a couple of rules listed. Leave the UI connected and select paranoiac setting and apply the changes before you enable the learning mode. Start a short list of processes, including a few that launch processes of their own. Save the ruleset under a temporary name, like test1 or take a couple screenshots.
Shut SSM down again and delete the new global.cfg and global.dat files, then launch SSM again. Run thru the process again, UI connected but in Block process creation setting. Apply, then enable learning mode. Launch the same processes as before. You'll see the differences in the rules.
When you're done, shut SSM down again and delete the same 2 files as before. Change the 2 files you renamed back to global.cfg and global.dat. You'll be back to your original ruleset and settings.
I took a screenshot of the 2 different rulesets I made in the above manner.
Learning mode + block process creation setting. (http://www.freewebs.com/herbalist1001/SSM/procreat.gif)
Learning mode + paranoiac setting. (http://www.freewebs.com/herbalist1001/SSM/paranoid.gif)
The processes used aren't identical in both, but there are enough that are listed in both to show the difference.
Rick
f3x
July 21st, 2006, 08:27 AM
does SSM still use polling ?
I thought it moved to kernel...
Or it's only in the paid version.
Peter2150
July 21st, 2006, 08:41 AM
-{ Quote: "does SSM still use polling ?
I thought it moved to kernel...
Or it's only in the paid version." }-
It has for registry stuff, but still uses polling to monitor services.
aigle
July 21st, 2006, 10:51 AM
-{ Quote: "Aigle,
The easiest way to see this would be to duplicate it on your system. In the SSM folder you'll find 2 files named global.cfg and global.dat. Shut SSM down and rename these 2 files. On mine, I just altered the file extensions to .cff and .das so SSM wouldn't recognize them. Then restart SSM. It'll launch with only a couple of rules listed. Leave the UI connected and select paranoiac setting and apply the changes before you enable the learning mode. Start a short list of processes, including a few that launch processes of their own. Save the ruleset under a temporary name, like test1 or take a couple screenshots.
Shut SSM down again and delete the new global.cfg and global.dat files, then launch SSM again. Run thru the process again, UI connected but in Block process creation setting. Apply, then enable learning mode. Launch the same processes as before. You'll see the differences in the rules.
When you're done, shut SSM down again and delete the same 2 files as before. Change the 2 files you renamed back to global.cfg and global.dat. You'll be back to your original ruleset and settings.
I took a screenshot of the 2 different rulesets I made in the above manner.
Learning mode + block process creation setting. (http://www.freewebs.com/herbalist1001/SSM/procreat.gif)
Learning mode + paranoiac setting. (http://www.freewebs.com/herbalist1001/SSM/paranoid.gif)
The processes used aren't identical in both, but there are enough that are listed in both to show the difference.
Rick" }-
Thanks, I will do it later. My ISP blocks your uploaded snapshots by the way, so I can't see them.
dylanfan
July 22nd, 2006, 05:38 AM
Here are two snapshots I took from my 580, while no particular program is running, no AV and so on...
Any advice?
dylanfan
July 22nd, 2006, 05:39 AM
and...
aigle
July 22nd, 2006, 08:31 AM
It's just too much and highly abnormal to me. I will suggest to post in their forum, you will surely get a reply there. In fact I have no idea. Is it constantly like this or some spikes only?
dylanfan
July 22nd, 2006, 01:34 PM
-{ Quote: "In fact I have no idea. Is it constantly like this or some spikes only?" }-
Constantly like this, as soon as 580 detects the keyboard and I instruct it to allow always.
No such thing on the free version.
EASTER.2010
July 23rd, 2006, 10:33 PM
SYSTEM SAFETY MONITOR continues to get my vote without question or second thought.
It covers all that's ever needed watching over on my 98SE/XP Pro dual drive units and has effectively ended unwanted and unneeded forced intrusions entirely. Case Closed.
Osaban
July 23rd, 2006, 11:52 PM
I don't know about "the best", but I've had now for a year ProcessGuard full + RegDefend. I don't see why I should even try others as the main reason for HIPS, for me is to have security applications protection against termination and registry protection.
I can happily declare that the latest version 3.405 is as stable as 3.150 on my system.
Rui
August 20th, 2006, 07:59 PM
SSM without any doubt
Rui
ESQ_ERRANT
August 20th, 2006, 08:57 PM
-{ Quote: "I don't know about "the best", but I've had now for a year ProcessGuard full + RegDefend. I don't see why I should even try others as the main reason for HIPS, for me is to have security applications protection against termination and registry protection.
I can happily declare that the latest version 3.405 is as stable as 3.150 on my system." }-
I agree with Osaban to a "T". I have used ProcessGuard (namely, the purchased/complete version) plus RegDefend as my primary HIPS defense for several months now. Admittedly, I have not tried SSM, that others have mentioned in this thread to be their favorite, and I do not know if I would find SSM superior to the combination, ProcessGuard plus RegDefend, were I to trial SSM. Nonetheless, I have found ProcessGuard 3.150 plus RegDefend to have been both very effective and very stable on my system.
As I draft this reply, I have just uninstalled PG 3.150 and installed PG 3.405 as its replacement. I trust that the newest version of PG will be as effective and as stable a program as the version I just removed.
Note: I have tried the Ghost Security Suite, RegDefend and AppDefend, which at the time -- and I haven't checked since -- was in beta, and may still be in development, but I had stability problems when using the Suite on my system. Hence, I use the RegDefend component of the Ghost Security Suite, alone, with PG as my primary HIPS. The two programs appear to get along well.
cprtech
August 28th, 2006, 09:11 PM
SSM. Even as an unregistered user of the free version, I had my query answered within 24 hrs after sending it.
Dina
August 30th, 2006, 12:48 PM
-{ Quote: "SSM. Even as an unregistered user of the free version, I had my query answered within 24 hrs after sending it." }-
Wow, that's nice. I don't have any installed, maybe I should start with SSM.
TonyDownUnder
August 31st, 2006, 04:29 AM
It's Ghost Security for me. RegDefend and AppDefend work flawlessly and the Security Suite uses very little system resources. It plays nicely with firewalls, AV and antispyware apps. It has similar features to ProcessGuard but I find the Ghost interface easier - though it doesn't look the best.;)
Kees1958
September 3rd, 2006, 02:17 PM
I use
- PrevX home (free) for Memory violation and shielding of vulnerable XP areas
- ProcessGuard (free) to control program startup and process modification
- ANTIVIR free
- DefenseWall (30 dollars life time license) as extra sandbox layer for LimeWire, Internet (IE7) and Outlook Express
- Key Scrambler (IE plug in for free) to fool any key logger (works on https sites)
I do not use an outbound firewall. Use my NAT router's inbound firewall. I first tried to set up sandboxing with GeSwall (free). Could not get it working completely hassle free (delayed write errors, printing via HP spooler, etc.), so I opted for DefenseWall (which worked hassle free out of the box).
Did some security testing (by Googling the test programs used by Kareldjag) and was safe with all the tests I could find and execute on my PC. Only some leak tests fall through, but stealing of data is prevented.
xuesisi
May 19th, 2007, 11:52 AM
tiny i like
farmerlee
May 20th, 2007, 11:13 PM
I find Ghost Security Suite to be the best for me. It's lightweight, stable and easy to use.
ErikAlbert
May 21st, 2007, 11:50 AM
I use DefenseWall HIPS, because it has no annoying quiz questions, like yes, no, allow, block, query, execute, abort, ... I'm tired of these questions. Anti-Executable is almost the same like DW, it always says NO, period.
If the software needs my help, it means that it can't do its job by itself. Only retard softwares act like that.
EASTER.2010
May 27th, 2007, 02:06 AM
System Safety Monitor
Also EQSecure is showing promise as it continues thru developments.
ErikAlbert
May 27th, 2007, 06:36 AM
-{ Quote: "System Safety Monitor
Also EQSecure is showing promise as it continues thru developments." }-
Which one is the most not userfriendly one ?
Bio-Hazard
May 27th, 2007, 07:21 AM
Hello!
My vote goes to Online Armor. It is easy to use and works nicely on my machine! It supports KIS 7 nicely!
Kristian
Antarctica
May 27th, 2007, 03:14 PM
-{ Quote: "
If the software needs my help, it means that it can't do its job by itself" }-
Hey Erik, do you have a list of Software that doesn't require any help, my wife would be interested.;D :P
EASTER.2010
May 30th, 2007, 11:28 PM
-{ Quote: "Which one is the most not userfriendly one ?" }-
Neither.
If you station yourself in front of your PC long enough to overview and read the manual, BOTH are very user-friendly and also quite a SHIELD!!!
cspot
June 30th, 2007, 09:34 PM
just wanted to mention winpooch.
it's free, open-source, lightweight and "portable" (i.e. runs w/o installation).
I'm not a HIPS expert but this little program looks promising to me.
Kerodo
July 13th, 2007, 07:02 AM
I happen to like ProSecurity. It can be set to scan a clean system and then not bother you hardly at all after that. The others are much more annoying and difficult to deal with.
MaB69
July 13th, 2007, 07:53 AM
-{ Quote: "I happen to like ProSecurity. It can be set to scan a clean system and then not bother you hardly at all after that. The others are much more annoying and difficult to deal with." }-
Hi all,
What you like is called learning mode in most HIPS
Regards,
MaB
Kerodo
July 15th, 2007, 05:10 PM
PS has its "learning mode" as well, which I turn off after the first reboot. What I'm saying is that I can have PS scan my HD and since I tell it my system is "clean" (just reformatted), then it flags everything in the Win and Program Files directories as "trusted", which is fine. So after that, PS doesn't bother me at all, or if it does, extremely rarely. Learning mode is off also. Now the good thing is, anything new that comes up or tries to execute or whatever, I'll get an alert, which is exactly what I want. In other HIPS's, if you leave learning mode on for a few days or a week, then you're vulnerable to anything that may happen during that period. PS I can turn that off right after the initial HD scan that marks everything trusted. That's what I like about it.
MaB69
July 15th, 2007, 05:57 PM
-{ Quote: "PS has its "learning mode" as well, which I turn off after the first reboot. What I'm saying is that I can have PS scan my HD and since I tell it my system is "clean" (just reformatted), then it flags everything in the Win and Program Files directories as "trusted", which is fine. So after that, PS doesn't bother me at all, or if it does, extremely rarely. Learning mode is off also. Now the good thing is, anything new that comes up or tries to execute or whatever, I'll get an alert, which is exactly what I want. In other HIPS's, if you leave learning mode on for a few days or a week, then you're vulnerable to anything that may happen during that period. PS I can turn that off right after the initial HD scan that marks everything trusted. That's what I like about it." }-
Hi all,
Sorry Kerodo, I did not understand what you were meaning and I can tell you that Neoava Guard works in the same way (Scan + learning mode) and Online Armor scans too but without a learning mode
Kerodo
July 15th, 2007, 06:58 PM
No problem at all... :)
The others sound interesting too..
dja2k
July 16th, 2007, 04:02 AM
Online Armor was going to get a learning mode, but Mike knows more about that and if it will get added.
dja2k
Seer
July 16th, 2007, 05:29 AM
If criteria for "the best" are the features/scope of protection, then I'd say ProSecurity is #1. But what the heck is going on with that GUI? They can't be serious about it, it's one of the ugliest I've ever seen. Really. I often thought about replacing my SSM with ProSecurity, but in the end I always say "no, I can't put that abomination on my system".
Seriously - it is an excellent piece of software, and in active development also. I'll most probably buy a license for PS very soon. I will also buy a pair of sunglasses, just to ease the pain that GUI is giving me.
My sincere apologies to developers.
LoneWolf
July 17th, 2007, 12:02 AM
Well, can't say which is best since I have not used them all.
Using SSM now and liking it very much.
WindBlade
July 17th, 2007, 08:51 AM
-{ Quote: "If criteria for "the best" are the features/scope of protection, then I'd say ProSecurity is #1. But what the heck is going on with that GUI? They can't be serious about it, it's one of the ugliest I've ever seen. Really. I often thought about replacing my SSM with ProSecurity, but in the end I always say "no, I can't put that abomination on my system".
Seriously - it is an excellent piece of software, and in active development also. I'll most probably buy a license for PS very soon. I will also buy a pair of sunglasses, just to ease the pain that GUI is giving me.
My sincere apologies to developers." }-
Hmmm.. But it seems as if ProSecurity's leaktests according to matousec are not as strong as SSM?
LoneWolf
July 17th, 2007, 09:01 AM
-{ Quote: "Hmmm.. But it seems as if ProSecurity's leaktests according to matousec are not as strong as SSM?" }-
Apparently so.
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
Seer
July 17th, 2007, 02:50 PM
WindBlade & LoneWolf,
Hi.:)
Matousec, you say? Ah yes, the eternal judge. But the link provided by LoneWolf shows results of leaktests. AFAIK, they test protection against techniques used to send the data out. A HIPS app does more than that. Please correct me if I'm wrong here. I was actually looking at this HIPS comparison table (http://wiki.castlecops.com/HIPS/IDP_programs/services).
Nevertheless, I stand corrected, it was rather stupid of me to pronounce anything as "#1". The thread title is wrong.
Cheers.
LUSHER
July 23rd, 2007, 04:59 PM
-{ Quote: "WindBlade & LoneWolf,
Matousec, you say? Ah yes, the eternal judge. But the link provided by LoneWolf shows results of leaktests. AFAIK, they test protection against techniques used to send the data out. A HIPS app does more than that. Please correct me if I'm wrong here. I was actually looking at this HIPS comparison table (http://wiki.castlecops.com/HIPS/IDP_programs/services).
" }-
Yes about that table....
-{ Quote: "
* Do not use this solely or even primarily as a guide to choose HIPS! Particularly if you have never used HIPS before you should just pick one of the well known HIPS (SSM, ProSecurity or Prevx) and forget about this table.
Do not use this table to pick combination of products to try to cover every area!
* Table only lists existent or claimed features not quality of implementation. Some information is incomplete or inexact because of the need to pigeon hole products into standardised features.
* Products (or combination of products) that cover the most areas or have the most features, are not necessarily the best products.
" }-
jmonge
January 1st, 2009, 09:43 PM
I will say again DefenseWall HIPS ;D and ProcessGuard :thumb:
TechOutsider
January 2nd, 2009, 09:47 PM
ThreatFire slowed down my PC boot and load time wayyyyyyyy too much.
Saint Satin Stain
January 3rd, 2009, 11:52 AM
After you find the best 5 or 6 HIPS it becomes a matter of taste, compatibility with other software, and compatibility with and complement to other security programs. I found that in Online Armor. It works with Sandboxie (has paid and free), NOD2, and SpywareBlaster without any problems. My main machine is an ancient AMD Athlon 1.2 GHz and 768 MB RAM XP Pro SP3. The only other software with global influence on performance I have are PGP Desktop and MozyHome. I do not get a visible hit on performance. It can be measured with diagnostics but it is small.
rOadToIS
January 4th, 2009, 12:36 PM
Drive Sentry and Defense+
noone_particular
January 4th, 2009, 01:36 PM
The best HIPS is the one that is the best match to your security policy. On my PCs, that policy is default-deny and SSM is a perfect fit.
EASTER
January 4th, 2009, 01:52 PM
EQSecure w/ Alcyon's Rulesets and I might add, consistently updated for many months and still being released!
I couple EQS with ProcessGuard for that one-two punch complemented with Mamutu Behavioral Blocker that seals the deal full circle.
Use Firefox Portable or another good browser and you're safe as a bug in the rug. LOL
LoneWolf
January 4th, 2009, 03:47 PM
The best, that's debatable. :gack:
The best for myself, at least right now............
That would be DefenseWall alongside Malware Defender. ;D
Tarnak
January 4th, 2009, 08:42 PM
For me still, it is SSM!.....It keeps on keeping on! :)
AaLF
January 27th, 2009, 03:25 AM
I think it's time HIPS be upgraded in the polls starting with the next poll, covering all of 2009 or June-Dec 2009 like AVs & firewalls. Date-stamping the poll-threads gives us a better vision of changes.
EASTER
January 27th, 2009, 04:09 AM
I have to lean heavily in favor of EQSecure 4.0 Beta 3 and thanks to Alcyon's generous contributions to the rulesets for v3.41 which also work for 4 beta for me, this HIPS is (1) "Lite" (2) Extremely Configurable (3) Flexible, you can export/import rules or entire system rules as a whole (4) Is a million-volt electronic curtain with its monitoring abilities (5) Can double better than Windows own SRP (6) A very FUTURISTIC modernized alert details window you set the show for, or none at all. (7) A great script blocker ...........................THE LIST IS ENDLESS
ParadigmShift
January 31st, 2009, 02:51 PM
-{ Quote: "
What is the best HIPS out there?
" }-
Other...
1. LUA + SRP + DFTs + ARs
2. Properly configured Norwegian web browser
3. Properly configured web filter
4. Properly configured virtual container
5. Properly configured external router/firewall
6. Prudent web surfing and downloading
While I may now think I can dance merrily in the Internet carefree, I still exercise caution and always perform my dance....while on egg shells. ;)
Copyright ©2002 - 2012, Wilders Security Forums