I need a good, free HIPS


jetfighter
November 5th, 2007, 08:42 AM
Hi, I am new to this forum. It's good to know that there are so many experienced people here that I can learn from. Does anybody know of a good free HIPS that I can use? I am using Windows XP on a system that is capable of running most things. The most important features to me are the blocking of rootkits and keyloggers. Aside from that, all I ask is the ability to disable specific parts of the program to make it less noisy. For example, suppose I wanted to allow the execution of any program. If I uncheck a box somewhere, then all programs will execute without asking. If I'm missing something important like access to physical memory or preventing the reading of other processes etc. etc., I'm taking suggestions, but please know that I am still inexperienced and learning, so excuse my ignorance because you may know a lot more than me :D. I've actually tried a few HIPS myself, but my experiences are out of date and limited. Here are some of the ones I've tried:

AntiHook 2.6: very noisy and caused lots of problems with Windows.

ProcessGuard Free: this free version did not protect from driver loading, which I think is one way rootkits can get onto a system. Besides, I think DiamondCS has ceased development of their products now?

SSM Free (latest version): this one does not block driver installation. I tested this by installing hardware drivers and they were not blocked. Besides, the free version is always based on obsolete versions of the commercial product. This might prove to be its Achilles' heel against some new attack.

Prevx: I don't even think this is a behavioral-blocking-based HIPS. It just seems to detect what the community knows to be malware. True, more settings are available in advanced modes, but I'm not particularly fond of this one, at least as a primary HIPS.

EQSecure: it is very hard to get support with this one because the site is in Chinese, though its features do seem promising. If only more English documentation was available.

Winpooch: this one does not seem to stop drivers.

I may have tried more, but I can't seem to recall any at the moment. So there you have it... any completely free HIPS, or even a commercial one that has a free version, would work for me, as long as it's got the right features. Any suggestions?

baerzake
November 5th, 2007, 10:03 AM
COMODO V3:-*

WSFuser
November 5th, 2007, 10:13 AM
ProSecurity

RedZero
November 5th, 2007, 11:52 AM
When testing, what method did you use to install these drivers?

Just remember that most of the time a rogue application will need to execute in order to install drivers.

Also, Winpooch can be configured to monitor almost anything, even driver installs. It may not protect itself very well, but it adds an excellent layer of security when configured correctly.

Did you take a look at: http://wiki.castlecops.com/Lists_of_freeware_behavior_blockers

zhanwest
November 5th, 2007, 12:52 PM
Neoava Guard
a different HIPS with its own features

Kees1958
November 5th, 2007, 02:37 PM
HI,

Give ThreatFire a try, combine this with Returnil or SafeSpace Personal for dodgy browsing and you have adequate protection.

Regards

bellgamin
November 5th, 2007, 02:53 PM
Dynamic Security Agent (http://www.privacyware.com/dynamic_security_agent.html). Free, easy to understand & use. Test info HERE (http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm) and HERE (http://www.wilderssecurity.com/showthread.php?p=925697#post925697).

the Tester
November 5th, 2007, 04:01 PM
Another recommendation of DSA here.
It's just as Bellgamin says it is.

LoneWolf
November 5th, 2007, 04:11 PM
If you want a quiet HIPS you might consider a policy-based HIPS.
GeSWall and DefenseWall are both excellent, IMO.
DefenseWall is paid only, but GeSWall has a paid and a free version.

EASTER
November 5th, 2007, 11:08 PM
-{ Quote: "EQSecure: it is very hard to get support with this one because the site is in Chinese, though its features do seem promising. If only more English documentation was available." }-

Welcome to Wilder's jetfighter :)

I think your views are pretty much on target. I recently migrated ALL of my systems to "free" EQSecure 3.41 for a single HIPS shield. It's full-featured, very light-weight and surprisingly strong w/ file protections/registry(drivers)/program. It's as tight a HIPS as I've seen since SSM first came out, IMO.

What surprises me most is that it doesn't hook 200+ entries in the SSDT table like SSM but protects very well in most respects & even better in my experience since changing over to it.

I agree it's lacking in ENGLISH support docs and would benefit users with a help file, even if brief, but with that limitation (temporarily?) it's one well worth accepting in exchange for EQS's protection, as I see it.

Best of Luck in your Decision.

dja2k
November 6th, 2007, 12:40 AM
How about Online Armor Free!

dja2k

EASTER
November 6th, 2007, 12:49 AM
I'll tell you another preventive feature that EQSecure offers that SSM always wasted keystrokes and effort for a user to correct.

I'm often multi-tasking like most of you; if you accidentally click on a wrong program which you didn't intend to open and you selected NO in SSM, a lotta times you had to open up the program settings (application rules) and reset the rule for that program back to open, or at the very least on the next program you always had to tick the radio button back.

In EQS, it's Very Forgiving and even helps a user in mistakes like that. When you click a program unintentionally you simply press "Block" on its alert box and click OK to the ensuing Windows box, and go right on to what you wanted to do in the first place. The other program mistakenly opened remains available without a user either having to reset its permissions again or re-tick the radio button in the alert rule settings, unlike SSM.

I can't count the times I've done this before and still do, but for EQS it's no problem at all.

19monty64
November 6th, 2007, 03:09 AM
-{ Quote: "Did you take a look at: http://wiki.castlecops.com/Lists_of_freeware_behavior_blockers" }-
Of that list, WinSonar is one I haven't heard of before. Seems like a small app. that would go good with TinyWatcher...

Arup
November 6th, 2007, 03:13 AM
Pro Security, one of the best rounded HIPS.

faenil
November 9th, 2007, 09:53 AM
Online armor all the way ^^

dja2k
November 9th, 2007, 01:02 PM
-{ Quote: "Online armor all the way ^^" }-

Couldn't put it better myself! ;)

dja2k

Wordward
November 9th, 2007, 02:27 PM
Just curious if Online Armor Free has the same HIPS protection as the Full Version does? I thought I read that Mike Nash said it did.

MaB69
November 9th, 2007, 02:41 PM
-{ Quote: "Just curious if Online Armor Free has the same HIPS protection as the Full Version does? I thought I read that Mike Nash said it did." }-

Hi,

OA Free has the same HIPS protection level as OA paid.

MaB

Wordward
November 9th, 2007, 02:42 PM
Thanks.

Jeleal
November 9th, 2007, 08:03 PM
I have been trialing the Webroot Firewall, and it has the HIPS program Dynamic Security Agent in it, and I had previously been using Online Armor Free. I liked the simple and easy use of OA Free, and although Webroot isn't that difficult to use, it does seem to be more advanced. Since I don't really need anything like that, I was thinking of going back to OA Free, and was wondering how good of a HIPS protection it provides.

AaLF
November 12th, 2007, 03:10 AM
-{ Quote: "
OS: XP MCE 2005 Sp2 Ru2
SECURITY: Online Armor AV+, ProSecurity
VIRTUAL: SandboxIE, Returnil
BROWSER: Firefox (KeyScrambler, RoboForm, Adblock Plus)
OTHER: OpenDNS, HostsXpert (MVPS), Blacklists (B.I.S.S.)
BACKUP: Acronis (TI, DD-Suite, & OSS)

Member of Online Armor Beta Test Team!

dja2k" }-

Hey dja2k

I see although you're an Online Armor team member you've listed ProSecurity alongside OLA AV+.

What benefit do you see in supplementing OLA with ProSec?

19monty64
November 12th, 2007, 03:39 AM
-{ Quote: "I have been trialing the Webroot Firewall, and it has the HIPS program Dynamic Security Agent in it, and I had previously been using Online Armor Free. I liked the simple and easy use of OA Free, and although Webroot isn't that difficult to use, it does seem to be more advanced. Since I don't really need anything like that, I was thinking of going back to OA Free, and was wondering how good of a HIPS protection it provides." }-
In my opinion, from using both OA and WDF, they both let you use them as advanced or as simple as you want. WDF's HIPS protection is off by default, but it does have a learning mode. OA's HIPS is on by default but may inquire as to the unknown apps. Both are very user-friendly. Both developers post here. Both would be rated as very secure. So really, it boils down to which works better on your PC, and which you feel more comfortable with. You can't fail with either one, IMHO. I've tested both and it's a tough decision. They are both "tops" in the FW/HIPS market, free and pay. The difference may be what their "pay versions" offer, if you're so inclined...

tlu
November 14th, 2007, 11:05 AM
One of the best and completely free HIPS is using a limited user account :-*

sunking
November 16th, 2007, 08:54 AM
-{ Quote: "Just curious if Online Armor Free has the same HIPS protection as the Full Version does? I thought I read that Mike Nash said it did." }-
-{ Quote: "OA Free has the same HIPS protection level as OA paid." }-

I wouldn't say it has the same protection, since according to their own comparison it doesn't support detection of certain keylogging mechanisms (kernel, other?), while the full version does.
http://tallemu.com/comparisons.html

EASTER
November 17th, 2007, 01:44 AM
EQSecurity 3.4 is as tight a HIPS as you want. It covers file protections/registry associations/program rights etc. It's very light but M I G H T Y ! in its capability to prevent intrusions of most any sort. A good, free HIPS and then some.

sunking
November 17th, 2007, 06:27 AM
-{ Quote: "EQSecurity 3.4 is as tight a HIPS as you want. It covers file protections/registry associations/program rights etc. It's very light but M I G H T Y ! in its capability to prevent intrusions of most any sort. A good, free HIPS and then some." }-
I tried EQSecurity, but if I understood that correctly it doesn't do hash comparison of files by default; you have to enable that on a per-program basis (that is, for every program one by one), and then the only choice is MD5, which is as unsafe as it gets because it has been broken. Furthermore, I had some system freezes when it initially blocked some behaviour.
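To make the per-program hash comparison sunking describes concrete, here is an added illustration (not code from the thread or from any product named in it) of how a HIPS identifies an allowed program by its file digest and why the algorithm matters: the baseline defaults to SHA-256, MD5 is selectable only to show the weaker option, and the two fake executables and the "trojanised" replacement are constructed sample input.

```python
import hashlib
import os
import tempfile

def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks; 'algorithm' is any name hashlib accepts (md5, sha256, ...).
    A HIPS that lets the user pick MD5 here is trusting a collision-broken identity."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, algorithm="sha256"):
    """Record the digest of every program the user has explicitly allowed to run."""
    return {os.path.abspath(p): file_digest(p, algorithm) for p in paths}

def check_program(path, baseline, algorithm="sha256"):
    """Decide what the HIPS would do before letting 'path' execute:
    'allow'   - file bytes match the recorded digest,
    'changed' - path is known but the on-disk bytes differ (replaced/patched binary),
    'unknown' - never recorded, so the user must be prompted."""
    key = os.path.abspath(path)
    if key not in baseline:
        return "unknown"
    return "allow" if file_digest(path, algorithm) == baseline[key] else "changed"

def demo():
    """Constructed scenario: two fake executables are baselined, then one is
    overwritten in place, as a dropper replacing a trusted program would do."""
    d = tempfile.mkdtemp()
    editor = os.path.join(d, "editor.exe")
    viewer = os.path.join(d, "viewer.exe")
    with open(editor, "wb") as f:
        f.write(b"MZ original editor bytes")
    with open(viewer, "wb") as f:
        f.write(b"MZ viewer bytes")
    baseline = build_baseline([editor, viewer])
    before = check_program(editor, baseline)
    with open(editor, "wb") as f:
        f.write(b"MZ trojanised editor bytes")
    after = check_program(editor, baseline)
    never_seen = check_program(os.path.join(d, "dropper.exe"), baseline)
    return before, after, never_seen

if __name__ == "__main__":
    print(demo())  # → ('allow', 'changed', 'unknown')
```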

EASTER
November 17th, 2007, 06:51 AM
-{ Quote: "I tried EQSecurity, but if I understood that correctly it doesn't do hash comparison of files by default; you have to enable that on a per-program basis (that is, for every program one by one), and then the only choice is MD5, which is as unsafe as it gets because it has been broken. Furthermore, I had some system freezes when it initially blocked some behaviour." }-

Hello sunking

As with any program for a Windows PC, what works just fine with one doesn't always work like expected for another, so sorry EQS doesn't fit the bill for your setup, but have you looked at OnlineArmor yet? There's much abuzz over it, plus you get prompt answers and help from one of its chief characters, who is always at the ready to take any concerns seriously enough to work anything out to users' satisfaction.

EASTER

subset
November 21st, 2007, 09:34 AM
Hi,

I tested OA Free, good app, but I had a few problems with it, therefore I'm in a waiting position right now.
So Sygate PF is back (with KAV) and I'm looking out too for a freeware HIPS/behavior blocker.

Suddenly DefenseWall came as a gift, but I had to recognize that it couldn't even defend itself.
Both processes can be ended within Windows Task Manager, the worst behavior for a security app in my opinion; I had to give it away immediately.

So I’m looking out again.
It’s a little bit irritating, because everything seems to be HIPS today and many offer (limited) Free Editions as well:
ProcessGuard, ProSecurity, System Safety Monitor, ThreatFire, WinPatrol and so on.

On Matousec.com are some Leak Tests:
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
CastleCopsWiki offers this: Lists of freeware behavior blockers
http://wiki.castlecops.com/Lists_of_freeware_behavior_blockers
On another site I found this: unhooking tests
http://membres.lycos.fr/nicmtests/Unhookers/unhookers_results.htm

Does anyone know links, where these kinds of (free) apps have been tested?

So what would I require in general?
Low on resources (memory, CPU usage)
Cannot easily be terminated within Task Manager (or by script kiddies)
No point-and-click adventure (set it and forget it)
Good protection against unwanted/unknown apps, drivers, autorun entries, rootkits etc.

That’s all. Which one to choose?

Cheers!

Pedro
November 21st, 2007, 09:55 AM
-{ Quote: "
Suddenly DefenseWall came as a gift, but I had to recognize that it couldn't even defend itself.
Both processes can be ended within Windows Task Manager, the worst behavior for a security app in my opinion; I had to give it away immediately.
" }-
I'm afraid you missed DW's purpose completely. It's not supposed to protect you/itself from trusted processes, only untrusted (sandboxed).

Perman
November 21st, 2007, 10:01 AM
Hi, Subset.

Still searching for your love (free, but good to your heart, HIPS)? No need to look further. They are just all around you.

I would do a thorough search of this forum; there are tons and tons of reports/remarks/suggestions for you to digest. Independent tests serve as good guidance, but it is you, I mean yourself, who uses the app to protect your own...
You just need to feel it yourself. And another thing, any free offer of any good quality program, I would be thrilled to know of it, let alone to criticize it. Enjoy it, when you can get your hands on it free.

Take care.

Pedro
November 21st, 2007, 01:54 PM
There are sandboxes (SandboxIE and GeSWall have useful free versions, SandboxIE is almost the same as paid).

Then if "classical HIPS" is what you're looking for, stand-alone, I prefer SSM Free. It's stable, does the most important thing, which is block executables, and other features make it VERY flexible: disconnect UI, parent-child control, registry monitoring (take it as just that, monitoring) etc.
Disconnect UI is one cool feature; it will allow you to block all unknown executables + optionally block all previously not allowed actions. AND you can, for example, allow IE7 in normal mode, but block it in disconnected UI mode.

SSM rocks in this regard: someone asks to use my PC, I just disconnect the UI and "go ahead". They can't tamper with it even if they try; it's password protected, and silent!

Now there's CFP3, firewall and HIPS. I need time to get used to it and form an opinion (the HIPS part, not the firewall).

SteveBlanchard
November 21st, 2007, 04:25 PM
Threatfire over BoClean.

However.............


If you need a firewall with inbuilt HIPS, then Comodo v3.0 is your saviour.

Kees1958
November 22nd, 2007, 12:17 PM
-{ Quote: "I have been trialing the Webroot Firewall, and it has the HIPS program Dynamic Security Agent in it, and I had previously been using Online Armor Free. I liked the simple and easy use of OA Free, and although Webroot isn't that difficult to use, it does seem to be more advanced. Since I don't really need anything like that, I was thinking of going back to OA Free, and was wondering how good of a HIPS protection it provides." }-

When you run external-facing communications apps like your web browser, p2p (e.g. Limewire/Kazaa), e-mail, messenger etc. as safer (with limited rights), it is a strong (de)bugger.