
View Full Version : Silent HIPS of the future!


dmenace
January 4th, 2008, 05:25 AM
I'm just thinking about the idea that HIPS will be silent like an AV app in the near future...

Classic HIPS that ask questions about every action an application makes are no longer for this world. Their era is coming to an end from an innovation point of view. These HIPS induce "lazy clicking OK", and even so, if you want to make a correct decision you can't without knowing the inner workings of every program. Say Firefox requests low-level keyboard access. You know this is OK, but what if Firefox was tampered with? A change in the hosts file redirects the auto-update to a malicious IP address, which downloads a malicious update of Firefox...

These days we have intelligent behaviour blockers using intelligent algorithms, a point-based system, or whitelists to reduce alerts and false alarms. But these are still flawed: they still require the user to make the decision and are more and more like AVs relying on known behaviours. All it takes is one truly unknown behaviour to bypass such programs. What if the System Shutdown Simulator's Shutdown Call was executed as a scheduled task (run windows\system32\shutdown.exe -s)? This is just a simple example to show that these programs have limitations in the behaviours they monitor.

So what would the HIPS of the future be? And here is my answer: silent, eliminating the user altogether. How? Well, it's already here... Stop focusing on detecting new behaviours, leak test methods etc., but rather combine the following features:

Encrypt keystrokes completely using a technique like KeyScrambler... no user input required. Defeats all keyloggers without prompts.

Generic buffer overflow protection to prevent unpatched software exploits. Such protection is found in WehnTrust, Comodo Memory Firewall, DefensePlus etc... Once again no user input required.

Sandboxing / System Freezing - Rather than asking for each behaviour e.g. Load a service / driver, sandbox the action and allow it to run without it affecting the actual system. Once again no prompts. Examples Sandboxie, Returnil etc.

So the HIPS of the future is already here. Just combine all these features of separate software into one HIPS and you've got one heck of a security program: a powerful HIPS with no prompts!

:thumb:

Edit spelling

Ilya Rabinovich
January 4th, 2008, 07:22 AM
Keystroke encryption is "snake oil", unfortunately; just remember the "TranslateMessage" keylogging technique. If any app can get key input, there is always a chance malware can intercept it.

Kees1958
January 4th, 2008, 07:53 AM
DMenace,

My list of truly silent HIPS:
1. DefenseWall
2. GeSWall
3. Primary Response Safe Connect on Vista64 with UAC in quiet mode

baerzake
January 4th, 2008, 08:26 AM
DefenseWall is a silent HIPS; you will never feel it is running on your system.

ErikAlbert
January 4th, 2008, 08:38 AM
-{ Quote: "DefenseWall is a silent HIPS; you will never feel it is running on your system." }-
I second that; if the DW icon wasn't there, I would forget I have it on board. :)

ErikAlbert
January 4th, 2008, 08:44 AM
-{ Quote: "Classic HIPS that ask questions about every action an application makes are no longer for this world. Their era is coming to an end from an innovation point of view." }-
I agree with you. I never liked security software with multiple-choice questions, like "Yes" or "No".
I have a 50% chance to answer right; that's not security, that's gambling.

ErikAlbert
January 4th, 2008, 09:04 AM
Faronics Anti-Executable is also very quiet, unless you try something new.
Also very simple to understand and acts immediately without questions, because the answer is always NO.

GES/POR
January 4th, 2008, 09:28 AM
Silent HIPS is just right for me but not for many others here who wish to have full control over their system.

Silent HIPS: ThreatFire, Norton AntiBot, Prevx.

Ilya Rabinovich
January 4th, 2008, 09:46 AM
-{ Quote: "Silent HIPS is just right for me but not for many others here who wish to have full control over their system." }-
1. The problem is that full control doesn't mean full defense.
2. Most of the people just need to do their everyday work, they don't need to have a full control.

solcroft
January 4th, 2008, 09:55 AM
-{ Quote: "1. The problem is that full control doesn't mean full defense." }-
There is also no such thing as full control. There are plenty of programs that offer full annoyance, yes, and too many people are mistaking this for full control.

ErikAlbert
January 4th, 2008, 10:03 AM
-{ Quote: "1. The problem is that full control doesn't mean full defense." }-
I agree that it doesn't mean the same thing, but I like to have my pure system partition (Windows + Applications) back as it was when I created it. That is full control.

The only thing I have to do is to stop any possible execution of malware immediately to protect the contents of my system partition and data partition completely. That is full defense, easier said than done.

The last difficult problem is NEW stuff, which is more based on trust than anything else, unless you have enough knowledge to check it out.

Perman
January 4th, 2008, 10:11 AM
Hi, folks:

If I need a program to perform a particular task, I would give it a chance to fulfil it. And trust it, not control it fully.

If I want to be its boss and treat it as a slave, why do I need it in the first place? I could have written an application myself!

Silence is golden ! I respect those apps which work tirelessly in the background, not those which make a lot of noises and deliver nothing but headaches.

ErikAlbert
January 4th, 2008, 10:18 AM
-{ Quote: "Silence is golden ! I respect those apps which work tirelessly in the background, not those which make a lot of noises and deliver nothing but headaches." }-
I agree with that principle; unfortunately too many security programs don't know how to be quiet.
That's why I created an off-line snapshot on my computer to do my work and hobbies without any disturbance from malware and anti-malware, and it also works faster.

Old Monk
January 4th, 2008, 10:25 AM
-{ Quote: "Hi, folks:

If I need a program to perform a particular task, I would give it a chance to fulfil. And trust it, not to control it fully.

If I want to be its boss and treat it as a slave, why do I need it in the first place, I could have written a application myself !

Silence is golden ! I respect those apps which work tirelessly in the background, not those which make a lot of noises and deliver nothing but headaches." }-

Good points Perman. But on the converse side, when you've gone from something like SSM to ThreatFire (at the time Cyberhawk) it's actually quite difficult to convince yourself that it is in fact doing anything at all, such is its quietness ;D

I'm sure it was, but SSM was in a way quite reassuring, in that it made sure you darn well knew it was doing its thing! ... and it was most certainly the boss and me the slave to its most exacting demands :ouch:

Perman
January 4th, 2008, 10:52 AM
Hi, OldMonk:

I 100% know what you are saying.

There is always a clear distinction between a highly visible one (such as SSM) and a low-profile one (such as TF, PRSC). But, at the end of the day, they all achieve one and the same thing, that is protecting our a--. Should we call it time and money (if any) well spent? Take care.

Old Monk
January 4th, 2008, 11:05 AM
-{ Quote: "But, at the end of the day, they all achieve one and the same thing, that is protecting our a--." }-
Agreed. That is their goal.
-{ Quote: "Should we call it, time and money(if any) well spent ?" }-
Also agreed ;D (in the case of SSM - a lot of time)

-{ Quote: "Take care" }-

You also

solcroft
January 4th, 2008, 11:45 AM
-{ Quote: "Also agreed ;D (in the case of SSM - a lot of time)" }-
SSM is still much better in this regard than some overbloated HIPS out there; in fact, it's one of the best. If I ever had to give up ThreatFire, I'd go right back to SSM Free.

Old Monk
January 4th, 2008, 12:03 PM
-{ Quote: "SSM is still much better in this regard than some overbloated HIPS out there; in fact, it's one of the best. If I ever had to give up ThreatFire, I'd go right back to SSM Free." }-

No argument from me there Solcroft :)

In terms of fine-tuning, it certainly packed a punch. Disengaging the GUI was a nice touch, too.

Bit like pulling up your drawbridge and having a moat the size of the Pacific for your enemies to cross ;D

Rasheed187
January 4th, 2008, 04:20 PM
I don't think that we will ever see quiet HIPS, and that's because they would then have to be able to recognize 100% of all malware; this will never be possible. And besides, if you don't ever want to see an alert, and fall prey to "lazy clicking", then classical HIPS is clearly not for you. It's for the people who want more control, and want the ability to "analyze" an app after execution. As you might know, scanners can't spot all malware, so a "clean" file may in fact not be so clean. This is where the HIPS can play an important role. Of course, some knowledge is required, but like I said before, it's not exactly rocket science.

-{ Quote: "Encrypt keystrokes completely using a technique like KeyScrambler... no user input required. Defeats all keyloggers without prompts." }-
Sounds like a good protection method, but according to Ilya it's not bulletproof. But I agree, HIPS must be able to stop most keylogging methods.

-{ Quote: "Generic buffer overflow protection to prevent unpatched software exploits." }-
Yes, another nice feature that could stop a lot of exploits. But I wonder if process execution control would stop these attacks also.

-{ Quote: "These days we have intelligent behaviour blockers using intelligent algorithms, a point-based system, or whitelists to reduce alerts and false alarms. But these are still flawed: they still require the user to make the decision and are more and more like AVs relying on known behaviours. All it takes is one truly unknown behaviour to bypass such programs." }-
Yes, even if TF is a so-called smart HIPS (designed for dumb people? Just kidding guys! ;D) it will still ask you questions, but it's a lot less noisy so it's becoming more popular. Still, it can be bypassed when it's not monitoring a certain behavior or if there is some kind of programming error, just like all other HIPS.

-{ Quote: "Sandboxing / System Freezing - Rather than asking for each behaviour e.g. Load a service / driver, sandbox the action and allow it to run without it affecting the actual system. Once again no prompts. " }-
Well yes, but sandboxes are different from classical HIPS. HIPS can alert you about stuff when you're installing tools on your real machine (not in the sandbox) and that's what you will be doing most of the time. And besides, you can't sandbox everything, you can't sandbox "driver loading", and if you allow "code injection" in the sandbox, then malware may still be able to take control of your sandboxed apps/system, and that's no security.

-{ Quote: "SSM is still much better in this regard than some overbloated HIPS out there; in fact, it's one of the best. If I ever had to give up ThreatFire, I'd go right back to SSM Free." }-
What's wrong with SSM Pro? And such a statement is quite surprising to me since SSM can be one of the most noisy HIPS, especially with process and registry control enabled. And we all know how much you hate "false positive" alerts. :blink:

dmenace
January 4th, 2008, 06:17 PM
Wow, very interesting to read everyone's replies!

Clearly there is already some relatively quiet HIPS software out there like DefenseWall.

Just to make my initial argument a little clearer, I wanted to discuss the idea whether or not it is possible to create a truly silent HIPS (even more silent than ThreatFire) that does not monitor individual behaviours but rather uses some of the ideas I mentioned above.

By the way, Ilya, when will DefenseWall 2.10 come out? I've read at Gladiators that the help file is complete?

jp10558
January 4th, 2008, 10:15 PM
Personally, I just don't trust the vendors to make the right choice. Or, let me rephrase - they can't know what the right choice is, because it's different for everyone.

For instance, all the quiet HIPS let IE6 execute on XP. For me, if IE is starting, it's likely I didn't start it, as I use Opera pretty much exclusively. The 15 times a year I start it to prove to my ISP the problem is THEIRS, I'm happy to click "OK".

Just like my firewall should not auto allow IE out, and I'd prefer to lock it down to my ISP page, speedtest and WU only.

Similarly, Adobe quicklaunch/version cue whatever - sometimes it's easier to just kill it with the HIPS than to try and figure out how to disable it from the prefs...

I could go on, but just because a program is "safe" doesn't mean *I* want it executing, or talking to the internet.

Then again, I don't like stupid HIPS like Vista UAC - I *do* want it to give me a chance to have it remember a setting.

I'm very interested in Comodo v3 with D+ - a very noisy HIPS, but very finely tuned and remembers your settings. Plus you can go to whitelist mode if you want. I really think the slider is a great idea - set it to "Don't bother me mode + use my already set rules" most of the time, but if you're trying a new app, set it to paranoid.

Plus it helps you learn about apps. I found out at work that Firefox wants to access the screen directly (which enables screenshotting), wants access to the service control system, wants to make relayed DNS queries, plus lots of stuff to load Google that I can't see why it needs. Especially when I denied them all, it still worked fine! Mozillazine was strangely silent about my queries too.

Maybe all apps do this (I haven't started using Comodo at home yet), but it would be nice to understand why they want certain accesses - and the silent HIPS would just allow it all.

The above said, the average user wants the PC to figure it out for them. This can only work if they basically are not in control, so these silent company remote controlled HIPS are probably the way to go - but I'd like to have the option to limit outgoing info about my PC (to the HIPS vendor) and let ME make the choices. Even modern AV tell you they've found something, and ask you what to do (they just don't find stuff very often anymore).

solcroft
January 4th, 2008, 11:33 PM
-{ Quote: "Yes, another nice feature that could stop a lot of exploits. But I wonder if process execution control would stop these attacks also." }-
Unfortunately, no. Not unless you block the vulnerable programs, like IE, RealPlayer, Yahoo IM etc., from running in the first place (meaning you don't get to use them).

-{ Quote: "And besides, you can't sandbox everything, you can't sandbox "driver loading", and if you allow "code injection" in the sandbox, then malware may still be able to take control of your sandboxed apps/system, and that's no security." }-
You can sandbox driver loading. The driver runs isolated inside the sandbox, as demonstrated by Sandboxie. I'm not certain if other sandboxes do this, though.

Also, allowing code injection inside the sandbox is no problem. The manipulated process will be able to do no harm anyway, since it is sandboxed as well.


-{ Quote: "What's wrong with SSM Pro? And such a statement is quite surprising to me since SSM can be one of the most noisy HIPS, especially with process and registry control enabled. And we all know how much you hate "false positive" alerts. :blink:" }-
Like I've said, SSM is far from the most noisy HIPS. I've used quite a few, and I think I know what I'm talking about. If I had to pick a worst, it'd be Comodo D+, hands down. Meaningless and redundant alerts all over the board. Notepad.exe requesting keyboard + SCM access? Come on. >:(

I do know how to use a dumb HIPS; it's just that I feel TF's product design has superseded them in general.

baerzake
January 5th, 2008, 04:49 AM
-{ Quote: "By the way, Ilya, when will DefenseWall 2.10 come out? I've read at Gladiators that the help file is complete?" }-
I also want to know:(

aigle
January 5th, 2008, 07:49 AM
-{ Quote: "You can sandbox driver loading. The driver runs isolated inside the sandbox, as demonstrated by Sandboxie. I'm not certain if other sandboxes do this, though." }-
Never knew this. Is it a new feature?

baerzake
January 5th, 2008, 08:13 AM
-{ Quote: "Never knew this. Is it a new feature?" }-
This is impossible. Sandboxie is not a VM. 8)

trjam
January 5th, 2008, 08:25 AM
Why is it impossible? Download a program that doesn't require a reboot, install it and choose to sandbox it on install. The drivers installed are then run in the sandbox.

baerzake
January 5th, 2008, 09:39 AM
-{ Quote: "Why is it impossible? Download a program that doesn't require a reboot, install it and choose to sandbox it on install. The drivers installed are then run in the sandbox." }-
Sandboxie blocks all driver loading.
The sandbox would be bypassed or destroyed if driver loading were allowed.

Rasheed187
January 5th, 2008, 10:37 AM
-{ Quote: "You can sandbox driver loading. The driver runs isolated inside the sandbox, as demonstrated by Sandboxie. I'm not certain if other sandboxes do this, though." }-

Really? This is news for me. AFAIK you can configure SBIE to let tools install drivers, but it won't be in the sandbox, it will be outside, meaning that if it's malicious, it's basically game over, and you're infected with a rootkit.

-{ Quote: "Also, allowing code injection inside the sandbox is no problem. The manipulated process will be able to do no harm anyway, since it is sandboxed as well." }-

Now that I think of it, with the latest SBIE versions, sandboxed tools can load global hooks, but what if a malicious process, which isn't supposed to have network access, attacks another sandboxed process? Then it can still bypass the firewall, no? And besides, a lot of tools won't even function correctly if they are allowed to only modify other sandboxed processes; that's what I meant, you can't sandbox every behavior.

-{ Quote: "Unfortunately, no. Not unless you block the vulnerable programs, like IE, RealPlayer, Yahoo IM etc., from running in the first place (meaning you don't get to use them)." }-

Perhaps a silly question, but what I meant was that if a certain tool gets exploited by a BO, in most cases the bad guys are going to want to load an executable, correct? I wonder if this can be stopped by simple process execution monitoring. Or isn't it always necessary to load some other process into memory? This is a bit OT, sorry about that.

-{ Quote: "Like I've said, SSM is far from the most noisy HIPS. I've used quite a few, and I think I know what I'm talking about." }-

OK, then it must be me, but AFAIK you first have to configure it quite precisely to reduce popups even from trusted processes, and when installing tools it's not exactly quiet. But I agree about Comodo, it's totally out of control with the ridiculously nagging/useless alerts.

Rasheed187
January 5th, 2008, 11:00 AM
-{ Quote: "Just to make my initial argument a little clearer, I wanted to discuss the idea whether or not it is possible to create a truly silent HIPS (even more silent than ThreatFire) that does not monitor individual behaviours but rather uses some of the ideas I mentioned above." }-

My answer is: totally silent will never be possible, it's not realistic. Basically you're dreaming of a HIPS that can spot EVERY malicious tool out there; aren't you basically talking about perfect heuristics? And I really doubt that you are ever going to see quieter tools than TF.

Btw, you (and others) also need to see the difference between sandboxes and HIPS. Of course sandboxes are almost totally silent because that's what they are made for, but they won't protect you against things happening outside of the sandbox. And you know what I don't like about sandboxes based on virtualization? It's the fact that they won't do anything to stop an infection inside the sandbox; I'd rather not get infected at all.

-{ Quote: "Say firefox requests low level keyboard access" }-
No browser should have "low level keyboard access", just block it.

-{ Quote: "A change in the hosts file redirects the autoupdate to a malicious IP address?" }-
Block changes to the hostfile?

-{ Quote: "What if the System Shutdown Simulator's Shutdown Call was executed as a scheduled task (run windows\system32\shutdown.exe -s)?. " }-
Block task creation, or just disable the Task Scheduler?

baerzake
January 5th, 2008, 07:45 PM
-{ Quote: "Btw, you (and others) also need to see the difference between sandboxes and HIPS. Of course sandboxes are almost totally silent because that's what they are made for, but they won't protect you against things happening outside of the sandbox. And you know what I don't like about sandboxes based on virtualization? It's the fact that they won't do anything to stop an infection inside the sandbox; I'd rather not get infected at all." }-
DefenseWall is not a sandbox based on virtualization like Sandboxie; it is based on policy restrictions.
Yes, you are right: "they won't protect you against things happening outside of the sandbox." DefenseWall is based on the idea of "threat gateways". "Threat gateways" include "applications and processes which interact with the internet" and removable media. Malicious software has no way to infect your system if the "threat gateways" are protected by DefenseWall. DefenseWall prevents untrusted processes from modifying the executables, inter-process communications, multimedia, documents, phone databases (target for 'dialer' malware), Hosts files, adding or modifying autostart areas (both registry and file system), adding or modifying drivers/services (targeted by 'rootkits'), modifying the desktop and browser settings, plugins and extensions (IE, Firefox, Mozilla, Opera, Flock, etc.), setting global hooks (usually used by 'key loggers'), injecting their code into Trusted Processes, stealing screenshots and many other dangers.

Rasheed187
January 5th, 2008, 08:46 PM
-{ Quote: "DefenseWall is not a sandbox based on virtualization like Sandboxie; it is based on policy restrictions." }-

Yes, I prefer sandboxes based only on policy restrictions; I don't believe that virtualization is necessary, it will only slow things down, at least at the moment. Btw, some classical HIPS (like SSM, NG and CPF) also offer "sandboxing", the only difference is that you will have to make the rules yourself.

-{ Quote: "DefenseWall prevents untrusted processes from modifying the executables, inter-process communications, multimedia, documents, phone databases (target for 'dialer' malware), Hosts files, adding or modifying autostart areas (both registry and file system), adding or modifying drivers/services (targeted by 'rootkits'), modifying the desktop and browser settings....." }-

LOL that was quite a sum-up, wasn't it? ;D

baerzake
January 5th, 2008, 08:59 PM
-{ Quote: "Btw, some classical HIPS (like SSM, NG and CPF) also offer "sandboxing", the only difference is that you will have to make the rules yourself." }-
I agree ;D . The difference between DefenseWall and classical HIPS is that Ilya has already completed the rules setup for you. :shifty:

And I like the 'attribute inheritance' and rollback of DefenseWall. Classical HIPS doesn't have this function.

Rasheed187
January 5th, 2008, 09:14 PM
-{ Quote: "And I like the 'attribute inheritance' and rollback of DefenseWall. Classical HIPS doesn't have this function." }-

Can you tell a bit more about this? Is the rollback function similar to how you can clean the sandbox in, for example, Sandboxie? And yes, classical HIPS don't have this function, but as long as protected processes are not exploited, they don't have to, no? I'm starting to get a bit confused. Of course, ThreatFire does have a rollback feature, but that covers non-sandboxed processes.

baerzake
January 5th, 2008, 09:21 PM
'attribute inheritance' ---all potentially dangerous files which are created by Untrusted Processes will be marked as 'Untrusted'. Any process launched by an untrusted process will be Untrusted as well.

The Rollback function allows you to manually cleanup the debris left behind on your hard drive by malware after an infection attempt. The Rollback List contains executable modules created by Untrusted processes.

EASTER
January 5th, 2008, 11:12 PM
Be as objectively speaking as warrants this subject, but for all to get a better grip on the best possible confidence to be realized, isn't it more favorable to combine, say, SandboxIE with a classical HIPS, or do you feel SandboxIE alone is quite up to the task of preventing intrusion, even though it's contained in a protected state for dismissal/deletion after session reboot or just emptying the contents of the collectables in that sandbox?

Personally, I feel a HIPS can ward off entry ahead of the curve, and then anything else of mischief is not able to fully make use of its designed disruptions on a Windows O/S.

Thank You

solcroft
January 6th, 2008, 06:04 AM
-{ Quote: "Really? This is news for me. AFAIK you can configure SBIE to let tools install drivers, but it won't be in the sandbox, it will be outside, meaning that if it's malicious, it's basically game over, and you're infected with a rootkit." }-
Actually, I stand corrected. Sandboxie can isolate services. The release notes never mentioned drivers IIRC.

-{ Quote: "Now that I think of it, with the latest SBIE versions, sandboxed tools can load global hooks, but what if a malicious process, which isn't supposed to have network access, attacks another sandboxed process? Then it can still bypass the firewall, no?" }-
How on earth is network access going to be detrimental to your system security?

Network access to steal personal info is dangerous, but fretting about network access itself alone is utterly pointless if the requesting application is sandboxed. Different sandboxes provide different ways to deal with the former; for example, here's Sandboxie's take on it: http://www.sandboxie.com/index.php?DetectingKeyLoggers

-{ Quote: "And besides, a lot of tools won't even function correctly if they are allowed to only modify other sandboxed processes; that's what I meant, you can't sandbox every behavior." }-
Nope, that requires a VM. But they do their job well enough, and with far less intrusiveness than a "dumb" HIPS, which makes them superior for everyday use.

-{ Quote: "Perhaps a silly question, but what I meant was that if a certain tool gets exploited by a BO, in most cases the bad guys are going to want to load an executable, correct? I wonder if this can be stopped by simple process execution monitoring. Or isn't it always necessary to load some other process into memory?" }-
Nope, not always necessary. BO exploits can be triggered by data files, such as scripts.

Ilya Rabinovich
January 6th, 2008, 06:33 AM
-{ Quote: "By the way, Ilya, when will DefenseWall 2.10 come out?" }-
Right now :) Unfortunately, I don't know when I'll be able to upload the updater's definitions; I'm having some problems with my hosting provider.

TerryWood
January 6th, 2008, 08:17 AM
Hi All

I was somewhat surprised about Ilya's comment:

"Keystroke encryption is "snake oil", unfortunately; just remember the "TranslateMessage" keylogging technique. If any app can get key input, there is always a chance malware can intercept it."

It seems to imply that KeyScrambler has no value, i.e. the use of the term "Snake Oil". This is a surprising comment from a developer of perhaps a competing product.

I would ask Ilya these questions?

1) Is his own product completely foolproof, and have there ever been flaws identified? Indeed, is there any foolproof security product?

2) Does Ilya really mean "Snake oil", which has connotations of something without value masquerading as something of great value, i.e. KeyScrambler?

I use KeyScrambler because, like many other novices, I try to keep up with security issues as best I can. Indeed I welcome well-founded commentary, particularly so from someone of Ilya's distinction. But I must confess to some uneasiness about his terminology regarding KeyScrambler (in relation to his position as a competitor developer).

On the other hand, if KeyScrambler is worthless "Snake Oil" I really would like to know.

Over to you Ilya ........


Terry

Ilya Rabinovich
January 6th, 2008, 08:58 AM
Hi!

Well, maybe "snake oil" is not a 100% correct term; I just didn't find a proper definition. Yes, this will protect you from some kinds of threats like the methods implemented in AKLT, but... Let's just take a look at the following:
1. Does key encryption protect against TranslateMessage/GetMessage keyloggers?
2. Does it protect against direct form grabbing?
3. Does it protect against direct memory data grabbing?

The answer is "no", as the key encryption method is incomplete in its initial core, its basic ideology. If an application can get your key input, malware infiltrated into this app can do that too.

Yes, maybe I'm a hard maximalist by my own nature and thus think that "some protection" means "no protection at all", and this way, the KS and ZA ForceField keyscrambling protection methods are "snake oil" for me.

P.S. I don't think of KS as a competing product. Anyway, even if it were a competing product, I would never say any bad words about it without evidence. Do you remember my history with BZ? And I never mentioned KS by myself...

TerryWood
January 6th, 2008, 09:29 AM
Ilya

Thanks for your reply I am sure others will find it as interesting as I did.

Given your clarification, could I turn the questions around so that I can use your experience (and willingness to give very direct comment) to advantage as follows:

Rather than state what is not so good about the various types of AntiKeylogger software/techniques:

1) What would be an ideal combination of software that in your professional opinion is better able to deal with defeating keyloggers (including those methods mentioned in your reply)? So in simple terms, if KeyScrambler falls short, what should we novices replace it with? Before you answer this you might just reflect that you did not reply to the question about your own product in my previous post.

2) If your answer to this is simply "DefenseWall" can we really be sure that it is infallible?

Regards

Terry

Ilya Rabinovich
January 6th, 2008, 09:40 AM
Hi!

To be protected from keylogging, it is necessary to:
1. Terminate all the external-methods-based (AKLT-like) keyloggers or encrypt keystrokes.
2. Make sure there are no malicious drivers at all (don't forget about driver-based keylogging).
3. Run a clean instance of the browser (i.e., there should be no malicious add-ons, extensions, BHOs and so on).

We are talking here about the protection methodology, not about the concrete realization of it, so "DefenseWall" is not an answer here :)

qzwang
January 6th, 2008, 11:43 AM
Hi, my name is Qian Wang and I'm from QFX Software, the maker of KeyScrambler. Since KeyScrambler came up in the discussion and Ilya offered a general critique of keystroke encryption technology, I feel that I should respond and clarify some of the issues he raised.

First of all, I freely admit that keystroke encryption is not perfect in its current incarnation. There are definitely attacks that it does not yet protect against. One example that Ilya brought up is form stealing. It affects IE more than Firefox, Opera and Safari, but it is a threat. However, form stealing is an intrusive activity that is fairly easily detected by the majority of virus/malware scanners. Which is why we say KeyScrambler provides an additional layer of protection and we're not telling our users to get rid of their anti-virus programs. I think forcing malware into more easily detected vectors has value in itself, but we are also working on solutions to these kinds of problems, because they are not fundamentally unsolvable. Remember, keystroke encryption is still relatively new, whereas IPS technology, for example, has been around for decades.

The second point I want to make is that keystroke encryption isn't limited to browser forms. KeyScrambler protects more than just information you type into web pages. KeyScrambler Pro, for example, protects master passwords in IE and Firefox. The master passwords are not vulnerable to form stealing, but they are vulnerable to keylogging. KeyScrambler Premium protects MS Office applications, including Outlook. We are already taking KeyScrambler beyond the browser to many more applications and the list will soon increase greatly. We should not confuse browser specific vulnerabilities with shortcomings of keystroke encryption technology.

Finally, not all keystroke encryption programs work the same way. We have put a lot of thought into the design of KeyScrambler and if Ilya had tested it himself, he would see that it does indeed protect against TranslateMessage/GetMessage keyloggers, because our decryption actually happens after that level of message processing.

I think when we look at a new security technology, it's easy to confuse early implementation shortcomings with fundamental technological flaws. It's also hard for those who aren't intimately familiar with the technology to see its full potential. I think that right now, KeyScrambler provides a useful level of protection, but in the coming months, some of the things we're working on will truly show the power of the technology. Stay tuned.

If you've read this far, thank you. Thanks also to Terry for letting me know of this thread. Thanks to Ilya for starting the discussion. And by the way, Ilya, the browser hang that occurred with DefenseWall and KeyScrambler is now fixed in KeyScrambler 1.3.3.

Best,

Qian

EASTER
January 6th, 2008, 02:33 PM
And many thanks to you also qzwang for taking the time to weigh in on this subject yourself.

Some really useful and helpful information in this brief but concise response.

A HEARTY WELCOME TO WILDER'S SECURITY FORUM

Ilya Rabinovich
January 6th, 2008, 03:09 PM
-{ Quote: "And by the way, Ilya, the browser hang that occurred with DefenseWall and KeyScrambler is now fixed in KeyScrambler 1.3.3." }-
Hi Qian!

Yes, I know- I have been notified about it. Thanks! Hope, that my little criticism will help you to bring up more powerful protection for your users.

qzwang
January 6th, 2008, 03:36 PM
-{ Quote: "And many thanks to you also qzwang for taking the time to weigh in on this subject yourself.

Some really useful and helpful information in this brief but concise response.

A HEARTY WELCOME TO WILDER'S SECURITY FORUM" }-

Thank you EASTER. Glad you found the info useful.

lucas1985
January 6th, 2008, 05:28 PM
Obviously, silent non-signature security software is the way to go. In the not too distant future, the scanning engines will be a secondary part in your "average" Norton/McAfee/Trend suite. Behav. blockers and policy-based sandboxes are a sample of what is to come.
A smart, well-behaved HIPS will be the core of NIS 2010/2011, complemented by an enhanced scanning engine (better emulation and sandbox analysis to thwart anti-emulation tricks), big whitelists, sensible integrity checking and a quiet firewall with exploit signatures/engine in its IDS (like Link Scanner).
IMO, the big challenge will be implementing protection against social engineering.

dmenace
January 6th, 2008, 09:39 PM
-{ Quote: "Right now, unfortunately, I don't know when I'll be able to upload updater's definitions- have some problems with my hosting provider." }-

Thanks Ilya, I have updated DefenseWall to version 2.10 today! Thanks for fixing the cpu usage issues I mentioned earlier. Now DefenseWall is better than ever, keep up the good work and merry russian christmas!

-{ Quote: "Finally, not all keystroke encryption programs work the same way. We have put a lot of thought into the design of KeyScrambler and if Ilya had tested it himself, he would see that it does indeed protect against TranslateMessage/GetMessage keyloggers, because our decryption actually happens after that level of message processing." }-

Thanks for your detailed reply! It is very good to see a developer who is so open and interested in questions and discussions relating to their software! Good luck!

Ilya Rabinovich
January 9th, 2008, 08:32 AM
-{ Quote: "merry russian christmas!" }-
Thanks, but I don't celebrate _any_ Christmas as I'm Jewish.

EASTER
January 10th, 2008, 11:48 PM
-{ Quote: "Thanks, but I don't celebrate _any_ Christmas as I'm Jewish." }-

Although the solemn remembrance celebration is now past, we trust your family was joined together for Hanukkah! :)

Festival of Lights,

Rasheed187
January 13th, 2008, 11:52 AM
-{ Quote: "Personally, I just don't trust the vendors to make the right choice. Or, let me rephrase - they can't know what the right choice is, because it's different for everyone.

The above said, the average user wants the PC to figure it out for them. This can only work if they basically are not in control, so these silent company remote controlled HIPS are probably the way to go - but I'd like to have the option to limit outgoing info about my PC (to the HIPS vendor) and let ME make the choices. Even modern AV tell you they've found something, and ask you what to do (they just don't find stuff very often anymore)." }-

@ jp10558, I know exactly what you mean. With classical HIPS you can control all processes (trusted/untrusted) quite precisely, so if you need complete control, TF won't help.

-{ Quote: "Network access to steal personal info is dangerous, but fretting about network access itself alone is utterly pointless if the requesting application is sandboxed." }-

Let's say some app installs a malicious BHO into your browser, then you're still infected. But SBIE's solution is to clean your sandbox when you're about to browse, or just make separate sandboxes.

-{ Quote: "Nope, that requires a VM. But they do their job well enough, and with far less intrusiveness than a "dumb" HIPS, which makes them superior for everyday use." }-

I don't see how they are superior. AFAIK there is a difference between sandboxes and HIPS. Sandboxes will not warn you about stuff going on outside the sandbox. Of course, sandboxes block a lot of stuff automatically (stuff that could compromise the real system) and virtualize or track file/registry modifications, but I can also tell my dumb HIPS to sandbox certain apps, and it won't make a sound.

-{ Quote: "Nope, not always necessary. BO exploits can be triggered by data files, such as scripts." }-

I'm not sure if you understood me correctly. My question is, what happens when a BO occurs? Will a malicious process be loaded, or can they directly modify for example the registry, or do any damage?

Hermescomputers
January 13th, 2008, 05:19 PM
The problem with silent HIPS is that there is no effective way as such to test its effectiveness, as you have no idea what it might have missed altogether.

Besides, more powerful AI in these products is what is required, but as some others have already said, the problem is simply that tracking hostile behavior based solely on lists that the AI uses as entry variables to make decisions is not without its pitfalls either...

Personally I don't think that a fully silent HIPS is actually possible, as for it to be effective a process-by-process assessment is required, and due to the dynamic nature of executables it is actually impossible to be exact as to the nature of said process, and as such user intelligence is required to be effective...