View Full Version : What makes you choose a HIPS?


sukarof
November 10th, 2006, 08:01 AM
I am a bit curious about what makes people decide on what HIPS or CIPS to use.

WSFuser
November 10th, 2006, 10:03 AM
In choosing Prevx1, I tested the application myself and I grew fond of it.

The fact that it's a CIPS rather than a HIPS also played a factor.

Mrkvonic
November 10th, 2006, 11:21 AM
Hello,
If I have to choose, it's the level of annoyance. I don't want to see any popups reading "ntkernel.exe is trying to eat itself" or such. And then, the simplicity of the solution.
Mrk

ErikAlbert
November 10th, 2006, 11:22 AM
Any security software that prevents installation of malware has priority #1, because if malware succeeds in installing itself, I get two more serious problems:
1. I have to stop the execution of this malware.
2. I have to remove this malware completely.

Up to now, I have only solved one of these three problems: complete removal.
Finding the right (combination of) software to solve the other two problems is my actual project.

Prevx1 is one of the pieces of software that prevents installation of malware:
- It's one of the first programs that makes HIPS user-friendly. I respect that.
- I like its general character, kind of an all-in-one anti-malware.
- I like the community spirit.

My preference still goes to Anti-Executable, because it works with a local whitelist.

Pieter_Arntz
November 10th, 2006, 01:37 PM
HIPS are just an outline.

cthorpe
November 10th, 2006, 04:43 PM
[[sorry for the double post]]

cthorpe
November 10th, 2006, 04:43 PM
A couple of months ago, I had a friend who teaches at a major university in the US send me an executable that she had received from one of her students. The executable was attached to an email that was clearly written by the student and sent with the attachment rather than being generated by a worm or other type of malware. This was obvious from the text of the email, which referred to something that had been said in class the previous day as well as to the executable. The student said in the email that it was a video that she would be interested in. Clearly this was a red flag, as it was in fact an exe file.

I got the file and checked it with NOD, which said it was clean. I sent it to VirusTotal, and one of the checkers there said that it was suspicious. I imaged my computer with Acronis, exported a known-good ISR snapshot, turned up all of the levels on my security apps, and ran the file. That sucker attempted multiple changes to the registry, tried to terminate multiple processes, attempted to modify services, and made repeated attempts to make outbound connections. System Safety Monitor caught it all except for the outbound connection attempts, since I'm not running the beta with network controls (Jetico caught the attempts, however).

After denying everything it tried to do, I did some investigating, comparing snapshots, images, etc., and it appeared that SSM prevented any "infection." I knew at that moment that I had made a sound purchase. Of course, I did restore images, etc., to be 100% sure, but I'm fairly confident that I would be perfectly fine if I hadn't.

C

Minimax2000
November 10th, 2006, 06:33 PM
Same here. After evaluating and testing SSM I am really satisfied.:thumb:

Frank

herbalist
November 10th, 2006, 08:18 PM
I had to vote "other" as both 3 and 4 fit equally. I've been using/testing SSM since Max was the developer, version 1.8 or 1.9? My testing is limited to Win98, which the "experts" consider unsecurable. The majority of my testing would qualify as "combat" condition testing: visiting malicious and drive-by sites, opening infected e-mail, and trying to contact as much malicious code as I could find. I'm completely convinced that SSM can protect my old box from malicious code, well enough that I don't run a resident AV anymore. IMO, when used with a good tight ruleset and a firewall, SSM can protect a PC from anything except bad decisions by the user. I'm also convinced that a user can safely run a Win98 unit on the internet, protected by SSM and a good firewall, as long as they exercise good judgement when responding to SSM's alerts.
As for why I would choose HIPS over CIPS, not including OS compatibility problems, I'm not comfortable with letting someone else, whether it's a company, individual or community, decide what is and isn't acceptable or allowable on my PC. I'm not willing to give that amount of system access to someone I don't personally know. I'm not convinced that the server that a CIPS depends on is completely immune to being compromised and possibly being used to compromise the users, or that the CIPS would continue to reliably protect my system should the server be subjected to an extended DDoS attack.
Rick

bellgamin
November 10th, 2006, 08:48 PM
+I like a HIPS that can be tested, & wants to be tested, and makes improvements instead of excuses when test results are a bit unfavorable.

+I like a HIPS that calls itself a HIPS & doesn't make up advertising fluff to make it sound like its program is some new sort of amazing invention that no one has ever thought about before.

+I prefer a HIPS that has its own ACTIVE support forum.

+I prefer a HIPS where the hands-on staff is more than one person.

+I prefer a HIPS that first seeks to iron out bugs and customer problems concerning its CURRENT version before turning its major attention to the addition of more & more & more bells & whistles.

+I like a HIPS that does a really REALLY good job of uninstalling itself for those users who change their minds.

+I like a HIPS that shows ingenuity and subtlety in protecting its software from piracy, so that the burden of such protection is NOT placed upon users (via such crapola as "activation").

Pedro
November 10th, 2006, 08:52 PM
I test it for myself. That's my vote, but I first read about it. I go for concepts and check if they work.

cprtech
November 10th, 2006, 09:07 PM
I also chose "other". Think about it... a HIPS can stop a malicious process from even getting its wheels spinning. I love how SSM works. Attempting to even launch a leaktest, for example, results in a prompt: "Parent process abc is attempting to launch child process xyz". Like herbalist says, only a poor decision by the user can get you in trouble. As for the pop-ups so many complain about, once you create the necessary rules to allow/disallow, they will practically come to a complete standstill. Just run in "Learning Mode" for a day or two to expedite the process and reduce the pop-ups. That is all it takes.

I was using Kerio 2.1.5 firewall (terrific little firewall) with SSM beta, but Agnitum's latest 4.0 version of Outpost Pro is excellent. I'm a paid subscriber so I'm running it with the latest beta (596) of SSM with NOD32, 2.7 RC1. The three security applications run beautifully together, even on my P4 1.7 GHz, 512 MB RAM machine, and likely afford me Fort Knox-like protection. Crackers...go to Hel1 ;D

Devil's Advocate
November 11th, 2006, 07:00 AM
-{ Quote: "Like herbalist says, only a poor decision by the user can get you in trouble." }-

That's a pretty big "only"....

-{ Quote: "As for the pop-ups so many complain about, once you create the necessary rules to allow/disallow, they will practically come to a complete standstill. Just run in "Learning Mode" for a day or two to expedite the process and reduce the pop-ups. That is all it takes." }-

Depends on how static your system is and the range of activities and software you use and do. For me there are some activities I do only once a month, or even once a year. Lots of popups for me. Just the other day, I was firing up this accounting package and .........

Also one wonders how many popups you really get after 1-2 days of training.
Human memory is extremely subjective and what may feel like little popups to you might actually objectively be quite a large number, particularly if you don't mind answering popups.

It would be nice if the HIPS implemented some tracking of the number of prompts produced. Some software already display "X number of attacks blocked", and when I look at them, I see a *huge* number.... Assuming that this is proportional to the number of prompts generated.....

cprtech
November 11th, 2006, 11:26 AM
-{ Quote: "That's a pretty big "only"...." }-

Depends on who's making the decisions. I have confidence in my decision making ability regarding the alerts.

herbalist
November 11th, 2006, 12:28 PM
-{ Quote: "That's a pretty big "only"...." }-
That depends on the user. I trust my judgement as well. I know what executables are on my system and what they do. Anything I don't recognize gets denied. Apps like SSM are more suited for those who know their systems. It's also much better suited for systems that are finished, as in configured and equipped the way the user wants it. For these, it's the ideal tool to lock it down and make sure your system doesn't get modified or compromised. HIPS is a much less ideal choice for users who aren't familiar with the processes on their systems and the functions they perform. It's also not a good choice for those who are always installing something new or changing what software they use. For those, the prompts don't go away because their system is always being changed. SSM is designed to prevent changes, whether they're desirable or not. It makes it very inconvenient for those who are always adding or removing something. HIPS, especially SSM is a bad choice for the casual user and for anyone who either doesn't want to or doesn't know how to properly respond to what the alerts tell them. Users who just click thru the alerts to get rid of them can cause all kinds of problems from allowing malicious code to blocking critical system processes.
Rick

cprtech
November 11th, 2006, 07:40 PM
-{ Quote: "That depends on the user. I trust my judgement as well. I know what executables are on my system and what they do. Anything I don't recognize gets denied. Apps like SSM are more suited for those who know their systems. It's also much better suited for systems that are finished, as in configured and equipped the way the user wants it. For these, it's the ideal tool to lock it down and make sure your system doesn't get modified or compromised. HIPS is a much less ideal choice for users who aren't familiar with the processes on their systems and the functions they perform. It's also not a good choice for those who are always installing something new or changing what software they use. For those, the prompts don't go away because their system is always being changed. SSM is designed to prevent changes, whether they're desirable or not. It makes it very inconvenient for those who are always adding or removing something. HIPS, especially SSM is a bad choice for the casual user and for anyone who either doesn't want to or doesn't know how to properly respond to what the alerts tell them. Users who just click thru the alerts to get rid of them can cause all kinds of problems from allowing malicious code to blocking critical system processes.
Rick" }-

herbalist, you always seem to say it best :)

ejr
November 11th, 2006, 08:06 PM
-{ Quote: "I am a bit curious about what makes people decide on what HIPS or CIPS to use." }-

I look for 2 things in a HIPS program:

1. It must work well, stopping most malware
2. It needs to make most decisions without my input. I don't want constant popups and alerts that I won't know how to handle anyway.

cprtech
November 11th, 2006, 08:26 PM
-{ Quote: "2. It needs to make most decisions without my input. I don't want constant popups and alerts that I won't know how to handle anyway" }-

Personally, I love the pop-ups. They provide me a way of learning how many of the system's processes influence and interact with others within the Windows environment. For example, it's quite an eye-opener just to see how much of an active role explorer.exe has on so many other processes and applications.

EASTER.2010
November 11th, 2006, 08:35 PM
-{ Quote: "SSM is designed to prevent changes, whether they're desirable or not. It makes it very inconvenient for those who are always adding or removing something. HIPS, especially SSM is a bad choice for the casual user and for anyone who either doesn't want to or doesn't know how to properly respond to what the alerts tell them. Users who just click thru the alerts to get rid of them can cause all kinds of problems from allowing malicious code to blocking critical system processes.
Rick" }-

Absolutely, plus in addition.............

A solid HIPS program (such as SSM, to name one) :thumb: is more important now than ever. It goes without saying that the malware population has increased greatly and continues to grow even more stealthy recently; with the introduction of adventurous rootkit coding going on, that makes HIPS a MUST! for at least staving off most if not all threats of forced intrusions.

I do a lot of local research and continue to experiment with different scenarios to ensure that the HIPS i turn to, can in fact meet those type challenges and if discovered lacking in some area, pass on that concern to those developers for their review & opinions.

On XP Pro I'm testing a modified rootkit, as recently as today, that only RKunhooker was able to find, under the [CODE HOOKS DETECTOR]; it offered a dll location, then struck the code back to default. BOTH process and dll were completely hidden from other rootkit detectors (including IceSword 1.20, Gmer, RKdetector etc. :blink: ), and since the cmd shell was compromised, command-line scanners were helpless to even load. RKunhooker's action released the rootkit files from their cloaking and they surfaced safely. Oddly enough, of all things, an old freeware I used a lot on my 98SE box [FileMapbyBB] did in fact identify the dropped files in WINDOWS as having been there at all, but of course they rapidly went ghost. :lurking:

Point is, HIPS is VERY IMPORTANT for PC security today, even for the average user, although as herbalist points out, many users can make just one fatal mistake and, to coin an old phrase, then they're hooked ??? or rooted :-X .

System Safety Monitor is still my personal choice, plus, if you're so inclined, it is a wonderful program also for learning a lot of your Windows code instructions, along with plenty of areas of interest that can be compromised in a moment of time.

Devil's Advocate
November 12th, 2006, 02:47 AM
-{ Quote: "herbalist, you always seem to say it best :)" }-

Well if by best you mean long wordy sentences with no paragraphing.... ;D

As far as I can tell SSM seems to be great for windows 98, all you people here singing the praise of SSM and helping with the development are mostly win98 users right?

I hope they got enough testers for XP people, now that win98 support is dropped.

Also I wish I had your confidence that I would never make a mistake when replying to prompts. I guess that is why you guys using SSM have never been hacked or infected before....

Paranoid2000
November 12th, 2006, 08:21 AM
-{ Quote: "...all you people here singing the praise of SSM and helping with the development are mostly win98 users right?" }-

Nope, Win2K. ;)

-{ Quote: "Also I wish I had your confidence that I would never make a mistake when replying to prompts. I guess that is why you guys using SSM have never been hacked or infected before...." }-

SSM can certainly be prompt-heavy to start with (unless you use Learning Mode), but this is a very good way to find out how your system "normally" operates (which programs need to set hooks, which try to send network traffic, what programs and parameters are used for common functions).

It is this knowledge that is probably the most important in determining when things are amiss but at the same time it does mean that SSM is not well suited to the casual user who isn't interested in what goes on "under the hood". For those that are, SSM is one of the most fully-featured system firewalls out there (the term "HIPS" seems inappropriate here - "host-based" means everything including anti-virus/trojan scanners).

Devil's Advocate
November 12th, 2006, 10:37 AM
-{ Quote: "Nope, Win2K. ;)" }-

Must not forget that.

-{ Quote: "For those that are, SSM is one of the most fully-featured system firewalls out there (the term "HIPS" seems inappropriate here - "host-based" means everything including anti-virus/trojan scanners)." }-

A point made several times, but it's too late now.

WSFuser
November 12th, 2006, 10:53 AM
-{ Quote: "Point is, HIPS is VERY IMPORTANT for PC Security today, even for the average user although as herbalist points out, many users can make just one fatal mistake and to coin an old phrase, then their hooked ??? or rooted :-X ." }-
Do you have any advice or suggestions for users who don't want to learn HIPS or just click allow to everything?

Paranoid2000
November 12th, 2006, 12:34 PM
-{ Quote: "do u have any advice or suggestions for users who dont want to learn HIPS or just click allow to everything?" }-

Don't use one - simple as that. They require judgement and if a user does not wish to exercise this they will be useless. Stick with a malware scanner and use safe hex to reduce your chances of being hit with a zero-day exploit.

WSFuser
November 12th, 2006, 12:42 PM
Yes, that is the obvious answer. But here's what I'm saying: HIPS are supposedly "VERY IMPORTANT", yet people would have to learn and configure the program.

Anyone not wishing to do so can excuse themselves from using the "VERY IMPORTANT" HIPS.

herbalist
November 12th, 2006, 01:10 PM
-{ Quote: "do u have any advice or suggestions for users who dont want to learn HIPS or just click allow to everything?" }-
Download a copy of Knoppix (http://www.knopper.net/knoppix/index-en.html), burn it to CD and use it in place of windows. You can't get much more secure than that.
Rick

herbalist
November 12th, 2006, 01:40 PM
-{ Quote: "Don't use one - simple as that. They require judgement and if a user does not wish to exercise this they will be useless. Stick with a malware scanner and use safe hex to reduce your chances of being hit with a zero-day exploit." }-
Agreed. It's unfortunate, but malware has evolved to the point that the average user will not be able to adequately secure their system unless they take the time to understand how it works. Rootkit technology is getting to the point that it takes a very skilled user to remove them, and even that is getting questionable.
(new paragraph for D.A.):P
Windows is an open system. Windows design basically permits everything to run and allows anything to start and/or access anything else. Its files are accessible and modifiable. That's why it's so vulnerable and gets compromised in so many ways. At the other end of the spectrum is Knoppix on CD. It's burnt to CD, unchangeable, making it immune to attack.
(new paragraph for D.A.):P
HIPS is an attempt to undo that basic Windows design flaw by limiting what behaviors each executable is allowed to perform and what other executables they're allowed to access. It effectively begins to convert Windows to a semi-closed system, governed by the rules made by the user or the learning mode.
The user has these choices:

1. Secure Windows with conventional security-ware, practice safe hex, and keep backups of your system made when it was clean.
2. Use a closed system like Knoppix on CD, which is immune to attack but has problems of its own.
3. Learn how your system works, what belongs there, and secure it with HIPS, a good firewall, and content filtering.

HIPS requires knowledgeable input from the user. No way around it. I doubt any learning mode will ever be good enough to really secure all the different apps and software available to the user. Until the time comes that someone releases a truly functional operating system that can't be modified or installed to that still satisfies most users, those are the choices. Don't hold your breath waiting for that operating system.
Rick
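A worked illustration of the model herbalist describes above (rules keyed on which executable may perform which action on which object, filled in either by the user at a prompt or by a learning mode), of the parent/child launch prompt cprtech quotes, and of the per-prompt tally Devil's Advocate asked for. This is an added example written for this thread, not System Safety Monitor's code or ruleset format; the event vocabulary, the `Hips` class, the rule table layout and the replayed trace are all assumptions made for illustration, and the trace is constructed to mirror the behaviour cthorpe reports (registry writes, process kills, service changes, repeated outbound attempts) under a fictional `video.exe`.

```python
"""Toy behaviour-rule engine in the spirit of a classic HIPS.

Added example, not SSM code. Event names, rule format and the sample
trace are assumptions chosen to illustrate the thread's discussion.
"""
from collections import Counter
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Event:
    """One intercepted action: which executable tried to do what to which object."""
    parent: str   # initiating executable, e.g. "explorer.exe"
    action: str   # "launch", "reg_write", "terminate", "service_modify", "connect_out"
    target: str   # child exe, registry key, victim process, service name, or host:port


class Hips:
    """Rule table keyed by (parent, action, target); a target of "*" matches anything."""

    def __init__(self, learning=False, answer=None):
        self.rules = {}             # (parent, action, target) -> ALLOW or DENY
        self.learning = learning    # learning mode: everything seen is recorded as allowed
        self.answer = answer        # callable(Event) -> verdict, standing in for the user
        self.prompts = Counter()    # prompts raised, per parent executable
        self.blocked = []           # every event that ended in DENY

    def add_rule(self, parent, action, target, verdict):
        self.rules[(parent, action, target)] = verdict

    def decide(self, ev):
        exact = (ev.parent, ev.action, ev.target)
        wildcard = (ev.parent, ev.action, "*")
        verdict = self.rules.get(exact, self.rules.get(wildcard))
        if verdict is None:
            if self.learning:
                verdict = ALLOW                 # learning mode never prompts
            else:
                self.prompts[ev.parent] += 1    # unknown behaviour: ask the user
                # with nobody at the prompt, unrecognised behaviour is denied
                verdict = self.answer(ev) if self.answer else DENY
            self.rules[exact] = verdict         # remember, so the same event is asked once
        if verdict == DENY:
            self.blocked.append(ev)
        return verdict


def demo():
    """Learn a day of normal use, then replay the suspect attachment (constructed trace)."""
    normal = [
        Event("explorer.exe", "launch", "firefox.exe"),
        Event("firefox.exe", "connect_out", "example.org:443"),
        Event("explorer.exe", "launch", "winword.exe"),
    ]
    later = [Event("firefox.exe", "connect_out", "example.net:443")]  # new host, same program
    suspect = [  # constructed, modelled on the behaviour described in the thread
        Event("explorer.exe", "launch", "video.exe"),
        Event("video.exe", "reg_write", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
        Event("video.exe", "terminate", "av.exe"),
        Event("video.exe", "service_modify", "wscsvc"),
        Event("video.exe", "connect_out", "198.51.100.7:6667"),
        Event("video.exe", "connect_out", "198.51.100.7:6667"),   # retry: no second prompt
    ]

    def tester(ev):
        # the tester deliberately launches the file, then denies everything it attempts
        return ALLOW if ev.action == "launch" else DENY

    hips = Hips(learning=True)
    for ev in normal:
        hips.decide(ev)
    hips.learning = False
    hips.answer = tester
    hips.add_rule("firefox.exe", "connect_out", "*", ALLOW)   # hand-written wildcard rule

    verdicts = [hips.decide(ev) for ev in normal + later + suspect]
    return {
        "normal_verdicts": verdicts[:4],
        "suspect_verdicts": verdicts[4:],
        "prompts": dict(hips.prompts),
        "blocked": len(hips.blocked),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the replay makes visible. The tally shows one prompt for the launch and four for `video.exe`; the sixth event, the retried connection, hits the remembered answer and produces no prompt, which is the "popups come to a standstill" effect, and a counter like `prompts` is exactly the number Devil's Advocate wanted the product to report. The caveat is the learning phase: it records whatever it sees as allowed, so it is only safe on a system known to be clean at that moment, which is why herbalist pairs this approach with backups taken when the system was clean.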

cprtech
November 12th, 2006, 02:20 PM
-{ Quote: "all you people here singing the praise of SSM and helping with the development are mostly win98 users right?" }-

Win XP here.

-{ Quote: "Also I wish I had your confidence that I would never make a mistake when replying to prompts. I guess that is why you guys using SSM have never being hacked or infected before...." }-

Confident but it doesn’t mean I will never screw up. After all, I’m only human :) So far, so good…no screwups yet. Besides, it is a constant learning process. We can’t know everything, but if you are interested in this stuff and enjoy learning about it, then it isn’t that difficult. If you don’t want the hassle dealing with pop-ups and trying to figure out what they mean, then it is best not to use a HIPS or any kind of security app that requires considerable user input. A set-‘n-forget type app is probably the best if you fall into the latter category.

EASTER.2010
November 12th, 2006, 03:02 PM
-{ Quote: "Originally Posted by Devil's Advocate
all you people here singing the praise of SSM and helping with the development are mostly win98 users right?" }-

Singing SSM praises here with BOTH! Win XP Pro (AND) Win98SE!

VERY IMPORTANT! As already explained, Windows in raw form is an open system that allows most anything & everything to access, run, or remove files, settings, etc.

A good solid HIPS in fact TIGHTENS your property lines as an end-user by filling in like a middleman and intercepting live signals that carry those types of instructions. It also complements anti-virus and firewalls nicely, even though some like myself have long since abandoned "resident" AVs for online ones.

Like herbalist already hinted at, until an operating system is constructed which already includes such secure safeguards, or one is made which severely limits malware interactions with its core base code, you're better off using Knoppix or something on that order.

Otherwise take the learning initiative and discover what many of those Windows machine instructions (and files) actually do and where they go and why they transfer where they do and all that. ;D

Devil's Advocate
November 13th, 2006, 09:01 AM
-{ Quote: "(new paragraph for D.A.):P" }-

Now if we can teach Herb to leave a line between paragraphs ...... :)

herbalist
November 13th, 2006, 05:10 PM
-{ Quote: "Now if we can teach Herb to leave a line between paragraphs ...... " }-
I did. Just put the note in the empty line for your benefit. :P

-{ Quote: "Originally Posted by Devil's Advocate
Also I wish I had your confidence that I would never make a mistake when replying to prompts. I guess that is why you guys using SSM have never being hacked or infected before...." }-
There's no way I'd ever begin to claim that I won't make a mistake. If I ever make one that severely compromises my system, that's what system backups are for. So far, it hasn't happened but that doesn't mean it couldn't. That said, when the user configures SSM to the point of specifying parent-child dependencies, drivers, etc, most of the time it will take more than one mistake to get you in real trouble. Considering that a very large percentage of the malware a user is likely to run into will be some form of an installer, it's likely there would be several prompts.
-{ Quote: "Originally Posted by Devil's Advocate
all you people here singing the praise of SSM and helping with the development are mostly win98 users right?" }-
I've installed SSM on quite a few systems from 98 thru XP. It works great on all of them. I just prefer Win98 over XP and intend to continue using it, at least until I sufficiently understand Linux or BSD.
Rick

bellgamin
November 13th, 2006, 11:41 PM
-{ Quote: "As far as I can tell SSM seems to be great for windows 98, all you people here singing the praise of SSM and helping with the development are mostly win98 users right?" }-

It's rather a snooty remark, wot? ;)

My net uses SSM & all are on XP.
~~~~~~~~~~~~~~~~~~~~~
If some folks find SSM a bit complex, Cyberhawk & Prevx & Online Armor are jolly good HIPS that are much less demanding. So also is DefenseWall (a different flavor of HIPS, with a sandbox)

Devil's Advocate
November 14th, 2006, 01:33 AM
What I find surprising is that so far no one voted for pass leak tests.

I mean if you look at threads here, what is the first thing people do when they try a new HIPS...?

"I tried HIPS X and it passed all the leak tests, I'm impressed!" :)

I guess this means that people expect them to pass so it's a minimum requirement and not a deciding one?

WSFuser
November 14th, 2006, 01:48 AM
If it makes a difference, I personally don't care for leaktests.

King FN Kong
November 14th, 2006, 01:50 AM
hi devil.

so what do you suggest/use?

thanks

herbalist
November 14th, 2006, 06:39 AM
-{ Quote: "I guess this means that people expect them to pass so it's a minimum requirement and not a deciding one?" }-
Definitely a minimum requirement. Any HIPS that can't intercept the leaktest's process and hook is defective. I also think that most of the people here know the difference between the legitimate uses of leaktests and using them for advertising purposes.
Rick

Rasheed187
November 15th, 2006, 12:16 PM
My criteria when choosing a HIPS (or any other tool that I will be using a lot):

- GUI (look and feel)
- resource usage
- features
- ease of use

In no particular order, but if the GUI sucks it's game over. :)

And of course I always test the apps myself first; if it claims it can intercept stuff but it doesn't, this tells me that the app sucks! :-X

cthorpe
November 16th, 2006, 12:05 AM
I also run SSM on XP.

Rasheed187
November 16th, 2006, 09:34 AM
-{ Quote: "And of course I always test the apps myself first, if it claims it can intercept stuff but it doesn't, this tells me that the app sucks! :-X " }-

Btw, a little correction: if an app cannot intercept a couple of things, it does not have to mean that the app is garbage, no app is perfect, but it must not miss a lot and it must be quickly fixed/improved, of course. ;)

GS2
November 16th, 2006, 06:45 PM
Installed SSM on my VPC (XP installed), and went visiting the 'dark' places of the web - worked a treat - but really only suitable for users who are aware of what is legitimate and what isn't. So now it is running happily on my main XP box.

Nick Rhodes
November 17th, 2006, 10:24 AM
-{ Quote: "Don't use one - simple as that. They require judgement and if a user does not wish to exercise this they will be useless." }-

That's what limited user accounts and security policies are for :D - don't allow a user the option in the first place. If only MS didn't ship Windows with admin access as default, we probably wouldn't even need HIPS.

sukarof
November 18th, 2006, 10:52 AM
Thanks everybody for your views. I too found it interesting that no one has voted for "passes leaktests", since a security software that, for whatever reason (and there are some valid reasons IMO), doesn't pass the leaktest tends to get a lot of heat here and elsewhere :)

I think RL malware experience is more valuable than leaktests (i.e. a security app doesn't/does protect as promised in live conditions). But I do think they are great tools for us geeks to help us understand how Windows works, but that's about it.
But maybe herbalist is right that communities like this have passing of leaktests as a minimum requirement.

peace

Paranoid2000
November 18th, 2006, 06:13 PM
-{ Quote: "...if only ms did'nt ship windows with admin access as default, we probably wouldn't even need hips." }-That plus the all-too-easily exploited background services and applications (*cough* Internet Explorer *cough*) which either have, or can easily gain admin access.

Longboard
November 18th, 2006, 11:44 PM
-{ Quote: "+I like a HIPS that can be tested, & wants to be tested, and makes improvements instead of excuses when test results are a bit unfavorable.
+I like a HIPS that calls itself a HIPS & doesn't make up advertising fluff to make it sound like its program is some new sort of amazing invention that no one has ever thought about before.
+I prefer a HIPS that has its own ACTIVE support forum.
+I prefer a HIPS where the hands-on staff is more than one person.
+I prefer a HIPS that first seeks to iron out bugs and customer problems concerning its CURRENT version before turning its major attention to the addition of more & more & more bells & whistles.
+I like a HIPS that does a really REALLY good job of uninstalling itself for those users who change their minds.
+I like a HIPS that shows ingenuity and subtlety in protecting its software from piracy, so that the burden of such protection is NOT placed upon users (via such crapola as "activation")." }-
Good criteria.
The envelope please:
And the lucky winner is ...

Devil's Advocate
November 20th, 2006, 08:07 AM
-{ Quote: "Thanks everybody for your views. I too found it interesting that no one has voted for "passes leaktests" since if a security software, for what ever reason, (and there are some valid reasons imo) doesn't pass the leaktest tends to get a lot of heat here and elsewhere :)" }-

Actually, if you find that there is a difference between what people say and what they do, always take what they do as a more reliable indicator of what they really believe.

Aside from the cynical view, I suppose that while ideally you would like to see how well HIPS do against real malware ("proven in combat"), most people don't have access to such malware to test, don't have the time, or don't dare to do so. So they just do leak tests, which are faster and safer (though almost impossible to interpret!!!). Also the option "evaluate, actually use..." was a bad option to throw in IMHO, because obviously that was the number 1 thing unless you were really, really short of time.

People make their decisions on information they have, rather than what they want to have. So I believe when it comes down to it, leak tests (which is information they have) have a much greater determination on people's choice of HIPS than this poll seems to show.

I suspect the poll was answered based on an "ideal view point", ...

I.e

Given that I have access to the following information..... what criteria would I use to choose a HIPS....

PS I prefer leak tests (or more accurately technical test) to malware tests. :)

Devil's Advocate
November 20th, 2006, 08:14 AM
-{ Quote: "hi devil. so what do you suggest/use? thanks" }-

Based on current Wilders trends and fads:

Classic HIPS: ProSecurity or SSM, with the former being hotter because it is the newer kid on the board.

Sandbox: DefenseWall.

Behavior blocker: Cyberhawk or Prevx1, with Prevx1 losing some support because of one poor performance in the AV-Comparatives test.

The answer might change next month and certainly will change in 6 months, but that is currently how it stands if you want to keep up with Wilders trends.

herbalist
November 21st, 2006, 07:15 PM
-{ Quote: "Actually, if you find that there is a difference between what people say and what they do, always take what they do as a more reliable indicator of what they really believe.......I suspect the poll was answered based on an "ideal view point", ..." }-
Really? I'm interested to know on what facts this is based. I've been using SSM since 2004, before the term HIPS was thought of. SSM was called an application-firewalling tool then. I also know for a fact that others have tested it with live malware, drive-by sites, etc as well.
-{ Quote: "based on current wilder's trends and fads.......The answer might change next month and certainly will change in 6 months, but that is currently how it stands if you want to keep up with wilder's trends." }-
IMO, you're badly underestimating many of the members here, if you believe that most choose their defenses based on what's popular here. Except for using newer versions of some software, my core security package is the same as it was when I first started posting here. Quite a few members here have been using the same core security apps for some time.

For anyone who's interested. Web Archive of Max's SSM page. (http://web.archive.org/web/20040806225625/http://maxcomputing.narod.ru/ssme.html?lang=en) Interestingly enough, the page's alternate download link still works. It'll bring in version 1.96b2+ for those who want to see what SSM used to be like before Syssafety took it over. This version expired in Dec 2005. It functions but won't save a ruleset unless you change the date on your system to one before the expiration date. It won't import a ruleset from a current version either. Interesting to check out on a test unit though.
Rick

Devil's Advocate
November 22nd, 2006, 08:01 AM
-{ Quote: "Really? I'm interested to know on what facts this is based.
" }-

Facts? I said I "suspect", so it's just a hunch....

-{ Quote: "
I've been using SSM since 2004, before the term HIPS was thought of. SSM was called an application-firewalling tool then. I also know for a fact that others have tested it with live malware, drive-by sites, etc as well.
" }-

Not sure what the relevance here is with you citing your own experience. Unless a sample of 1 is considered sufficient. After all you are hardly typical; few of us use win98 machines. So even if you were tempted you were stuck with SSM. So no temptations.... :)

In any case yes, SSM was one of the first ones. I started using it in late 2002 or 2003; for a while its only competition was ProcessGuard, released in 03. The paranoid among us used both. :) Another one that we used to kick around was Abtrusion Protector.


It was simpler days then, lol...

-{ Quote: "
IMO, you're badly underestimating many of the members here, if you believe that most choose their defenses based on what's popular here.
" }-

IMO I think you are taking this too personally; particularly I find it interesting the way you feel compelled to defend yourself using yourself as an example of someone who doesn't follow fads. Nobody is saying *you* follow fads (not that you could if you wanted to given your choice is Windows 98, but that's beside the point).

I'm not even saying every member follows fads of course, but some do obviously. If you put your ego aside, I'm sure you will agree.

Hint: look at threads where people post their security setups.

IMHO fads *do* determine to some extent what people choose here.
Certainly, interest generated by a product that garners long threads, comments by perceived 'experts', all contribute to someone deciding to give it a test drive....

And that's the first big step....

Throw in some vendor made test that only the new security tool passes, some good comments by members perceived to be competent, add a dash of some vendor techno-babble or sexy technical talk about how good his product is compared to rivals, and who can resist?

:)


Anyhow someone asked me what I recommended; since I have no special insight into the matter that I feel is worth sharing, using the 'wisdom of crowds', crudely proxied by interest displayed by posts, seemed to be worth a shot.


-{ Quote: "
Except for using newer versions of some software, my core security package is the same as it was when I first started posting here.
" }-

Did anyone say *you* followed fads?

BTW my post was definitely not aimed at you, so I don't know why you seem to be taking offense. I'm just reflecting the realities of this forum, in another 6 months, we will be talking excitedly about yet another new product that currently doesn't exist. And many (not all or even most) will be testing it, some will be won over etc... New tests will lead to rise of new favorites and fall of old favourites etc...

I've seen it since I started reading this forum in 2002/2003. In recent years, this trend has accelerated because the barrier to entry for HIPS seems to be very low compared to AVs and ATs, which tend to be the same ones.



-{ Quote: "
Quite a few members here have been using the same core security apps for some time.
" }-

Never said otherwise. Though we are both guessing at what "Quite a few" means.


But "quite a few people are using the same core security" would imply that quite a few aren't either. It would be foolish to deny that.

And some who follow the fad are perfectly aware of what they are doing and are doing it for fun, as a hobby etc... This is pretty old ground rehashed dozens of times already....

-{ Quote: "
Web Archive of Max's SSM page. (http://web.archive.org/web/20040806225625/http://maxcomputing.narod.ru/ssme.html?lang=en) Interestingly enough, the page's alternate download link still works.
Rick" }-

Here's an interesting post if you are interested in SSM history

http://www.wilderssecurity.com/showthread.php?p=8092&highlight=SSM#post8092

The very first post drawing attention to SSM version 1.0 back when the forum was but a babe (look at the date!!!!). Seems like ancient history... I wasn't reading yet of course.

Pedro
November 22nd, 2006, 06:21 PM
LOL. You make it look like fashion! :D Of course it does look like that sometimes. But that's not necessarily true. I give my own example, but I think it applies to others.
I registered to this forum to check out what I could add in security to my pc. I found a lot could be added, and learned a lot. Still after some point I didn't change much, at least the core. I just like to test/check out what's new. Like I did with SSM free. Uninstalled already because of stability issues (1 HIPS too many).
I'm using GeSWall now, but I know that in future I'll install Sandboxie because I think it's a lot safer. Or CPF3 which will have a sandbox module. I use GeSWall now for practical purposes.
I'm in this testing period, lol, which I know will fade out. I just want an external HD to back up what I want, reinstall Windows again with my chosen set-up, to set and forget.
Your perception of trends could be true, but maybe it's just the news arriving (tests) and people wanting to test them. For the fun. If they are like me they'll reach some kind of conclusion and settle (sort of). Not following trends, but opinions from others and themselves. :thumb:
Others yes, they'll do what is on "MTV" ;D

herbalist
November 22nd, 2006, 06:38 PM
I didn't take your posts as being aimed at me. They struck me as derogatory to the membership in general. The first appears to imply that the responses are more imagined than real. The statements about fads here when the question was "so what do you suggest/use" implies that people use what's popular here instead of forming their own conclusions. After these and statements like
-{ Quote: "all you people here singing the praise of SSM and helping with the development are mostly win98 users right?" }-
what kind of response were you expecting? If I've mistaken the meaning of your statements, I apologize, but that's how they looked to me.

rdsu
November 25th, 2006, 05:16 AM
-{ Quote: "What makes you choose a HIPS?" }-
Nothing.

Devil's Advocate
November 25th, 2006, 06:58 PM
-{ Quote: "I didn't take your posts as being aimed at me. They struck me as derogatory to the membership in general.
" }-

And membership in general includes yourself right? that is why you took offense? lol.

And if my comments struck you as being derogatory, that is because they were meant to be in part. As I said, if you put aside your ego for the moment, and see what is going on, you would agree that this is indeed going on to at least some extent.

You can even find threads or posts where people express discomfort about the product they are using, because they see a lot of people are trying some other newer product. (Don't ask me to link to the posts/threads, they will just get deleted because that would single out people)

Besides I'm including myself in the condemnation. :)


-{ Quote: "
The first appears to imply that the responses are more imagined than real.
" }-

Are you referring to the leak tests comment?

-{ Quote: "
The statements about fads here when the question was "so what do you suggest/use" implies that people use what's popular here instead of forming their own conclusions.
" }-

Right. I also explained why I described what is popular.


-{ Quote: "
what kind of response were you expecting? If I've mistaken the meaning of your statements, I apologize, but that's how they looked to me." }-

No need to apologize, you have not mistaken the meaning of my statements. I have never shied away from saying unpopular things.

Except maybe the SSM and win98 comment, which was a crack about how many SSM users use win98. Because obviously SSM supports win98 and the rest don't. Should have just come out and said that.

Devil's Advocate
November 25th, 2006, 07:22 PM
What makes you choose a HIPS. In relative importance (in terms of availability of information)

1) Leak tests and other tests by vendors
2) Recommendation/ adoption by experts/gurus
3) Lot of people posting, talking about the product
4) Lots of posts by vendor providing support and/or boasting about their product
5) User friendliness and stability
6) Real world performance against malware.


1) Leak tests and other tests

The problem as I see it is that 99% of posters here are not really qualified to tell if a product is superior to another in providing protection. That includes myself and probably you too herbalist.

So we rely on tests created by other people. This also explains why leak tests or any other tech produced by vendors to hawk their products are such a big deal on these forums (even though people pretend that they don't matter much when asked straight out). The problems with relying on leak tests alone to assess technical merit is the difficulty with interpretation of results.

Also relying on tests created by security vendors has obvious drawbacks in that their product will definitely pass, while others won't.

So most new products already give you one reason to switch.

2) Recommendation/ adoption by experts/gurus

Then there is the "follow the leader" strategy. Some guys are perceived as being technically competent, and if they throw their support behind some product, suddenly it looks a lot better. A point that is not lost on many vendors (see trend of getting long time posters here to join the team).

3) Lot of people posting, talking about the product

There's the "wisdom of the crowds" method. If a lot of people are talking about it, it probably is worth looking into.

Lots of 'hobbyists' in this forum, so any new product that is halfway decent will definitely get some buzz. So any new product that is talked about a lot gives you another reason to switch.

4) Lots of posts by vendor providing support and/or boasting about their product

Then there is the "nice developer taking time to post here" reason. I have noticed that if the developer takes time to establish a presence to post here, the product immediately gains fans. Never mind if the developer's comment is "you are right, our product stinks, we will work on it". :)

I have seen cases where literally within a few days, posters change from condemning the product as being useless and nearly a rogue product to considering it as a top notch product and demanding that tests conducted months ago include it!

What is the difference? Simply the developer coming here and posting. Never mind if the product hasn't changed at all.

Typically any new product will have favourable views on 1-4. That alone is sufficient in many cases to cause one to start playing with it seriously.

In theory 5-6 should be deciding the factor on whether one rejects or accepts it, but in most cases, anything that gets past 1-4 has a high chance of winning through.


5) User friendliness and stability


There is look and feel, user friendliness, stability etc.

Assuming that the above two factors are favorable, "look and feel" probably isn't such a big factor as befits a "techie" product. Also unless the developer fouls up in a huge way, most people won't care since all their competitors aren't really models for usability anyway. :)

And in any case, it is fairly easy for the GUI to be changed ............

Stability is of course important. And if a thread starts off with people posting problems, it is a bad sign and the vendor has to do a lot of damage control....
If the problem is bad enough, no one will even bother to try, but these days where we all have VMs and spare machines this isn't such a big factor.

Stability is probably the biggest stumbling block to acceptance, particularly when people run a lot of overlapping security software. But I have found that this isn't that big a problem as I thought, because the conflicts can sometimes be pretty subtle; I seldom get a case of a total BSOD (though not unheard of).


6) Real world performance against malware/ personal experience.

This one looks great and in theory should be the ultimate factor (assuming stability). But who in the world actually manages to get this data??

Let's face it, most people here have computers guarded more tightly than Fort Knox and are paranoid when surfing to boot, so what real world threats testing are we talking about??

Certainly if you just go about surfing (even into 'dangerous sites') fully patched (browser fully locked down), armed to the gills with every security program on the planet while testing your new addition, nothing is getting through obviously.

The rare threat that gets past all your defenses and is blocked by your new addition will probably not occur unless you test for 1-3 years maybe. And that's assuming your new addition is superior (you might replace with a weaker option!).

By then you will already be invested emotionally ....

lucas1985
November 25th, 2006, 10:42 PM
Very interesting point of view Devil's Advocate ;)
You address the point of testing methodology and the repeatability of results. For the end user it is almost impossible to test new apps, especially HIPS.

Most of the people posting here look for holes or gaps in their security setups or ask for more features. My position is to keep the smallest possible amount of running applications. For example:
-A powerful AV preferably with web scanner
-A good firewall/packet filter with some amount of component monitor
-A sandbox/policy management/virtualization app like Sandboxie, GreenBorder, BufferZone, DefenseWall, GeSWall, etc. Alternatively, but not preferably, use some antispyware (covers registry, browser settings, etc)
This is very easy to maintain and covers almost all areas with very few gaps and overlaps. Throw any malware at this setup and see the results.
Don't forget the basics: backup strategy, NAT/SPI router, system and application hardening and common sense.
If you like, add a backup malware scanner and/or a classical HIPS. Both provide little security gains.
I don't believe in smart AI, in community databases, in redundancy apps.

BlueZannetti
November 25th, 2006, 11:27 PM
-{ Quote: "What makes you choose a HIPS. In relative importance (in terms of availability of information)" }-.... this is actually a rather interesting discussion. Although fads were mentioned, I tend to view the rise and fall of discussion more a consequence of "lead adopters" discussing the latest offerings than simple following of fads, though I'm sure there are components of both.

As for myself....
-{ Quote: "1) Leak tests and other tests by vendors" }-I really can't say that I follow these. I'd say that most attempts at tests of this type of product yield some convoluted combination of the intrinsic capability of the product and presumed or assumed user knowledge. Even if I try to get beyond this, they say very little to me.
-{ Quote: "2) Recommendation/ adoption by experts/gurus" }-It's a factor if I can understand or make sense of what they're saying.
-{ Quote: "3) Lot of people posting, talking about the product" }-This will get me to look, take a test drive, and maybe comment on my experience.
-{ Quote: "4) Lots of posts by vendor providing support and/or boasting about their product" }-Personally, I have mixed feelings here. Support is good, boasting can be a downer. I also have mixed feelings in that a lot of the support is with regard to beta testing. While beta testing is fine, it really shouldn't run in parallel with product development, which does seem to be the norm in many cases these days.
-{ Quote: "5) User friendliness and stability" }-On a personal scale, this is (1) with me. If they don't pass muster here, it's a deal breaker. As noted, stability problems can be subtle and difficult to diagnose.
-{ Quote: "6) Real world performance against malware." }-More typically, it is real world performance against perfectly valid applications. Any user of a HIPS type product will have oodles of experience on this count. That seems to be an unfortunate fact of life.

Overall, I've been rather disappointed with the evolution of the HIPS type of products to date. They're simply still not ready for the market en mass. Ultimately, they fail with respect to user friendliness in my estimation simply because their alarms are too indiscriminate and too obscure for a typical user to adequately address. Some products seem to be getting close to suitable, but there is still some distance to go.

I realize many users employ these applications for purposes of control, not unlike a firewall. With a firewall, I can get my head around the concept of talking to the outside world - allow or block. I really have a hard time getting around many of the alerts provided by HIPS applications. At the level of allow/block execution, I'm fine and I think most users would be as well. If it is more esoteric than that, then it can be hit or miss; sure - I know what many alerts do mean, however and unfortunately, many elude me as well.

If it is control a typical user wants, I can see the merit of that, it is not unlike the control I desire when using a software firewall. However, I do believe that realistically that means pure execution control only. Applications that go beyond that result in a pure guessing game for most.

Blue

lucas1985
November 25th, 2006, 11:55 PM
-{ Quote: "Overall, I've been rather disappointed with the evolution of the HIPS type of products to date. They're simply still not ready for the market en mass. Ultimately, they fail with respect to user friendliness in my estimation simply because their alarms are too indiscriminate and too obscure for a typical user to adequately address. Some products seem to be getting close to suitable, but there is still some distance to go." }-
What about sandbox-like HIPS such as DefenseWall, GeSWall, Sandboxie, etc?? IMHO, they are very close to user friendliness.
In general, security alerts are beyond the understanding of most computer users. This includes AV alerts.

EASTER.2010
November 26th, 2006, 12:14 AM
-{ Quote: "Nobody is saying *you* follow fads (not that you could if you wanted to given your choice is windows 98 bit that's besides the point)." }-

For clarity's sake on this end my choice is BOTH, and in retrospect to the imposed dangers fashioned on XP by malware writers as well as Microsoft's limitations in the performance arena, have found 98SE far superior in many aspects to this very day. (Will run circles around XP) Velocity tests and my own eyes and reflexes bear that statement out. :thumb:

Back to Topic. somewhat...
In reality HIPS as such has slammed the door tighter on common (malware) interruptions than anything Microsoft has produced to date and that is by design in case anyone has been sleeping. After all, how else could soft creators, both freelance & commercial ones, draw onto this platform to display their art and us end-users enjoy the vast variety of programs to share with in those efforts.

-{ Quote: "Overall, I've been rather disappointed with the evolution of the HIPS type of products to date. They're simply still not ready for the market en mass. Ultimately, they fail with respect to user friendliness in my estimation simply because their alarms are too indiscriminate and too obscure for a typical user to adequately address. Some products seem to be getting close to suitable, but there is still some distance to go." }-

Disappointment goes with the territory when it comes to HIPS or any other security type programs for Windows PC systems, but one should focus on the core reason for that, and it's not the security vendors who are trying (and performing!) to fill the gap "deliberately" left wide-open by Micro's engineers. It certainly doesn't make their efforts any simpler to have to sift thru thousands of hours of reports, in-house research, and code modifications to accommodate as many configurations and platforms as possible in order to keep errors at a bare minimum in the face of so much that's required from them.

-{ Quote: "I really have a hard time getting around many of the alerts provided by HIPS applications. At the level of allow/block execution, I'm fine and I think most users would be as well. If it is more esoteric than that, then it can be hit or miss; sure - I know what many alerts do mean, however and unfortunately, many elude me as well." }-

Looking at this from the point of needing/wanting the most simplistic and least user-action as concerns HIPS, once you've gone thru an initial series of prompts of course, (akin to firewalls naturally), then there you have it. Your choices are written in stone or in this case in a ruleset that becomes a "new default" for your system and keeps things safe for both your machine & conscience IMO. ;)

Personally speaking, and from working feverishly over the years on various HijackThis Logs in security forums from end-users battered & confused by un-announced forced internet intrusions in the form of malware & their bad programs lodged in their good machines, HIPS IMHO is the ABSOLUTE best approach ever to come into play here with these computers since sliced-bread.

BlueZannetti
November 26th, 2006, 07:41 AM
-{ Quote: "What about sandbox-like HIPS such as DefenseWall, GeSWall, Sandboxie, etc?? IMHO, they are very close to user friendliness.
In general, security alerts are beyond the understanding of most computer users. This includes AV alerts" }-I haven't gone down that road as yet, I've been occupied with some other things over the past year. At some point I'll probably give them a whirl.

Blue

TonyW
November 26th, 2006, 08:05 AM
-{ Quote: "The executable was attached to an email that was clearly written by the student and sent with the attachment rather than being generated by a worm or other type of malware. ... The student said in the email that it was a video that she would be interested in. Clearly this was a red flag as it was in fact an exe file." }-I personally would have deleted the attachment straight off on the basis of being told it was a video when it was not that kind of file. That would have been, for me at least, the best prevention against the executable trying to do anything.

BlueZannetti
November 26th, 2006, 10:19 AM
-{ Quote: "In reality HIPS as such has slammed the door tighter on common (malware) interruptions than anything Microsoft has produced to date and that is by design in case anyone has been sleeping." }-I'm not saying these products don't work. As far as I've been able to discern, they all work as advertised with some variance in the net impact on overall system stability, which typically gets wrung out with sufficient testing. I've tested many of these products, sometimes for extended periods of time, they do work.
-{ Quote: "Disappointment goes with the territory when it comes to HIPS or any other security type programs for Windows PC systems, but one should focus on the core reason for that, and it's not the security vendors who are trying (and performing!) to fill the gap "deliberately" left wide-open by Micro's engineers. It certainly doesn't make their efforts any simpler to have to sift thru thousands of hours of reports, in-house research, and code modifications to accommodate as many configurations and platforms as possible in order to keep errors at a bare minimum in the face of so much that's required from them." }-Well, if you accept the lead adopter scenario I mentioned, that always has associated disappointment. Realistically, part of that gap arises from the desire to impart dynamic functionality to the OS. That can be used for good, but many have used that as a route to bad.
-{ Quote: "Looking at this from the point of needing/wanting the most simplistic and least user-action as concerns HIPS, once you've gone thru an initial series of prompts of course, (akin to firewalls naturally), then there you have it. Your choices are written in stone or in this case in a ruleset that becomes a "new default" for your system and keeps things safe for both your machine & conscience IMO. ;)" }-I'm trying not to focus on what the capable hands of many here are able to do since we are a very small niche market that is now completely saturated with offerings. I'm trying to articulate why none of these options has seemingly penetrated the mainstream user population - and that's not only as discrete products, but also as modular components in mainstream suites. Again, it does depend on the specific product to some extent. I'm sure many users can make it through that initial series of prompts and provide answers to alerts. However, have those answers risen above the level of pure guess? I take it as a given that many users here will provide an informed answer, but the majority of users won't be able to.
-{ Quote: "Personally speaking, and from working feverishly over the years on various HijackThis Logs in security forums from end-users battered & confused by un-announced forced internet intrusions in the form of malware & their bad programs lodged in their good machines, HIPS IMHO is the ABSOLUTE best approach ever to come into play here with these computers since sliced-bread." }-Again, I am not saying the approach is wrong, but that the current implementations may not be quite there yet for the masses. It really comes down to the operating costs and inconveniences a user is willing to bear. I realize that a consideration of inconvenience does have to include at least a passing thought to a rebuild in the event of real problems. If a nonexpert coworker or family member were to ask me what to do, and my usual suggestion of a router/"strong" AV or suite/firewall was not adequate, I would not be pointing them to HIPS type solutions at present aside from the embedded HIPS starting to emerge in some suites. Rather, I'd probably mention approaches like AntiExecutable (static machines only), Prevx (dynamic or static machines), and ones along these avenues. In some respects, they are not that different from HIPS in that they can be used to control execution at some level, but they stop there.

If you decide to run an application, it is handled without second guessing the programmer as to what functionality is allowed or needed. If that application is new to the system (AE) or unknown/known bad/known caution to the "community" (Prevx), it will either be denied by default (AE) or you will be given an opportunity to block execution (Prevx). I don't think these offerings are quite there yet either, they just seem a whole lot closer IMHO...

...but I could be wrong....

Blue

EP_X0FF
December 8th, 2006, 10:53 PM
-{ Quote: "What makes you choose a HIPS?" }-

Nothing. Use your brains.

marcromero
December 9th, 2006, 10:25 AM
Nothing.

SystemJunkie
December 9th, 2006, 11:54 AM
Proven in combat and leaktest should be survived.

Ice_Czar
December 21st, 2006, 09:08 PM
was an early adopter of ProcessGuard and never had any reason to stray
but now I'm considering the next gen so what is written here, with additional research and then trials :p

Pinga
December 22nd, 2006, 04:07 AM
-{ Quote: "+I like a HIPS that can be tested, & wants to be tested, and makes improvements instead of excuses when test results are a bit unfavorable.

+I like a HIPS that calls itself a HIPS & doesn't make up advertising fluff to make it sound like its program is some new sort of amazing invention that no one has ever thought about before.

+I prefer a HIPS that has its own ACTIVE support forum.

+I prefer a HIPS where the hands-on staff is more than one person.

+I prefer a HIPS that first seeks to iron out bugs and customer problems concerning its CURRENT version before turning its major attention to the addition of more & more & more bells & whistles.

+I like a HIPS that does a really REALLY good job of uninstalling itself for those users who change their minds.

+I like a HIPS that shows ingenuity and subtlety in protecting its software from piracy, so that the burden of such protection is NOT placed upon users (via such crapola as "activation")." }-

I'm holding my breath while waiting to hear your recommendation...

C.S.J
December 29th, 2006, 04:33 PM
nothing

HIPS is too over-rated, a gimmick.

pipester
January 2nd, 2007, 09:50 AM
I think HIPS type programs are highly overrated and not needed, although I do find the community based concept behind Prevx very interesting.

progress
October 10th, 2009, 05:47 PM
Passes leaktests :)

acr1965
October 10th, 2009, 07:55 PM
Other- how smooth it runs on my computer and gets along with other programs.

SammyJack
October 17th, 2009, 01:37 AM
Other.
I hate HIPS. I downloaded ProcessGuard only because when I left Returnil for ShadowDefender, there was no equivalent of the Anti-Execute module in Returnil 2008.
I have few programs installed, so I was able to open them all, allow them, and quieten the beast down to a tolerable level.

Noob
November 22nd, 2009, 12:14 AM
Actually I like it more when

"Proven in "combat" - ie catches the bad stuff in "real life""

But most of the time I base my opinions first on forums, then I try it 8)

subhrobhandari
November 24th, 2009, 08:45 AM
Using it in real life, I became fond of Prevx when it stopped Kizar's iStealer 5.0 while others didn't even after reporting for over 3 days.

PoetWarrior
November 24th, 2009, 09:05 AM
HIPS programs seem too sticky, kind of like walking across a floor spread with industrial glue. Would much rather use standard account in Win 7.

;D

Ibrad
December 11th, 2009, 02:33 PM
I am new to HIPS but I will share my opinion.

1. It must be used by lots of people on any forum I use. That way if I have a problem I know someone will most likely know the answer.

2. It must be user friendly, I dislike answering a ton of pop-ups.

3. It must be FREE. I dislike paying for security software, because I never have extra money to spend.