EASTER
January 6th, 2008, 05:12 AM
A lot has been made over our newest introduction to computer security known as HIPS, classical if you will. But very little is ever discussed as to EXACTLY why they are very effective in spite of some necessary user interaction just to get them fine-tuned enough that many have left AVs for this type of protection.
From my standpoint, HIPS is a highly specialized field on the same order as anti-virus software, with the exception that, from real-world results, HIPS, properly configured, often does surpass the protections we have come to trust in with anti-virus apps for the security that's paramount to keeping intruders at bay and in check from wreaking total havoc on Windows systems.
I feel it's high time now that we don't just draw comparisons between them but rather concentrate solely on exactly how & why HIPS is better, in many ways, than conventional anti-virus programs at warding off potential disruptions to our productive favored investment, the PC.
This leads us into the depths of the Windows operating system files and undocumented areas of interest which many if not all AVs lack in keeping these types of risks from interrupting the very internet service that we pay a common fee for, where we can experience lost time and effort and of course be denied the very service we finance for internet access, or even the functional operation of the machine that we expect to be available for us.
I would dearly like to read into this seriously so as to draw out the absolute FACTS which make a quality HIPS security program such a useful complement to, and in some cases a reliable replacement for, anti-virus apps.
A lot is made about ring0 & the low-level driver actions which are designed to take up residence in what's called the SSDT table. From what I gather, HIPS distributes its .sys drivers into areas of this $M internal base of operation, together with all the other supporting instructional positions, in order to set itself in place of Windows' own default code.
The question is, just how much mapping of these areas is of importance with HIPS in order for them to not only identify but, more importantly, intercept AND then effectively abort any hostile takeover by some rootkit malware which by design is made to target this table of system instructional code?
Once a RK displaces or joins, so to speak, Windows' own default code at this level, a system can be said to have become compromised.
And since this deals mostly with drivers, exactly what & where is the window of opportunity most available for them (malware) that makes them such a threat to the overall normal functioning of a Windows system?
Just exactly how many points of normal instructional code in this table are afforded for them to replace the default file with their own? Whatever intention that may be?
I think these are very crucial questions that demand absolute answers if we, the end users, are to get a better understanding of how much space is sitting ready for them to occupy and overtake the control they are designed to replace.
We all welcome concrete answers to this concerning chiefly XP; Vista not included, of course, for obvious reasons.
Just how many so-called potential "hooks" can be of an immediate threat to our Windows XP machine?
Is this one area of concern simply some freak blunder overlooked or even ignored by Microsoft in order to expand discovery by coders talented enough to solve this challenge with their own solution to satisfy or fail some preconceived quiz?
That's a subject area for another topic for open discussion.
System Safety Monitor, by virtue of their first solid introduction into addressing SSDT table compromise by implementation of their own "hooks", on the surface and in reality replaced MANY of these positions with their own system drivers, by concept to detect and alert to possible displacements where otherwise malware might easily take up those same positions, which would overtake by force/stealth important instructional commands the SSDT table appears to support.
I've noticed in both Online Armor & EQSecure that their drivers by contrast position much less than SSM. Is it by design that they only occupy a fraction of this SSDT table in comparison to SSM, and does it make a difference? Do some HIPS (hooks) that displace fewer positions than SSM does do so to protect only the most targeted instructions and feel the others are really of no risk or threat?
I really want to bring this rarely understood aspect of HIPS functions to the forefront in an effort for HIPS users to fully understand just what the real truth is of whether this is important or not.
Thanks, and I eagerly & with concern look forward to realizing the absolute truth as concerns these methods employed by the HIPS many of us take a great deal of confidence in. Is more coverage actually better for all of us, or are there in reality particular positions which are all that's required for our HIPS to have the handle and upper hand on this protection technique?
THANK YOU
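As an added illustration, not code from the post or from any of the products it names, here is a user-mode C model of the situation the questions above turn on: a service dispatch table of function pointers (the shape of the SSDT), a HIPS that hooks only some of the slots, and an audit that compares the live table against a boot-time snapshot, which is the check SSDT viewers and anti-rootkit tools perform. Every name, service number and handler here is constructed for the example and touches no real kernel. It shows two things: a hook only observes calls through the slots it occupies, so fewer hooked positions means fewer intercepted services; and the table itself cannot tell a HIPS hook from a rootkit's, so a redirected entry is classified by whether the code it now points at belongs to a known module.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a system service dispatch table: an array of function
 * pointers indexed by service number. Nothing here touches a real kernel; the
 * table, the "kernel" handlers, the HIPS hooks and the unregistered handler
 * are all stand-ins written for this illustration. */
typedef long (*service_fn)(long arg);

/* Service numbers in the model (chosen for the example, not real NT indices). */
enum { SVC_OPEN_FILE = 0, SVC_WRITE_VM, SVC_LOAD_DRIVER,
       SVC_CREATE_THREAD, SVC_SET_VALUE_KEY, NUM_SERVICES };

/* The "kernel's" own handlers: what each slot points to at boot. */
static long k_open_file(long a)     { return a * 10 + 0; }
static long k_write_vm(long a)      { return a * 10 + 1; }
static long k_load_driver(long a)   { return a * 10 + 2; }
static long k_create_thread(long a) { return a * 10 + 3; }
static long k_set_value_key(long a) { return a * 10 + 4; }

/* Live dispatch table and a known-good copy taken at "boot". */
static service_fn ssdt[NUM_SERVICES];
static service_fn ssdt_baseline[NUM_SERVICES];

/* Which code owns which handler, so an auditor can name where an entry points. */
struct module { const char *name; service_fn fns[NUM_SERVICES]; size_t count; };
static struct module kernel_mod = { "ntoskrnl (model)", {0}, 0 };
static struct module hips_mod   = { "hips.sys (model)", {0}, 0 };

static int hips_observed;  /* system calls the HIPS hooks actually saw */

/* HIPS-style hooks: note the call, then pass it to the original handler saved
 * at boot. A hook only ever sees the service whose slot it occupies. */
static long hips_hook_write_vm(long a)    { hips_observed++; return ssdt_baseline[SVC_WRITE_VM](a); }
static long hips_hook_load_driver(long a) { hips_observed++; return ssdt_baseline[SVC_LOAD_DRIVER](a); }

/* A handler belonging to no known module: the model for a displaced entry
 * whose new target is code the system cannot account for. */
static long unregistered_open_file(long a) { (void)a; return -1; }

static void register_fn(struct module *m, service_fn f) { m->fns[m->count++] = f; }

/* Return the owning module's name, or NULL if no known module claims the code. */
static const char *owner_of(service_fn f) {
    const struct module *mods[] = { &kernel_mod, &hips_mod };
    for (size_t m = 0; m < sizeof mods / sizeof mods[0]; m++)
        for (size_t i = 0; i < mods[m]->count; i++)
            if (mods[m]->fns[i] == f) return mods[m]->name;
    return NULL;
}

/* Fill the table with the kernel handlers, snapshot it, register known owners. */
void ssdt_boot(void) {
    ssdt[SVC_OPEN_FILE]     = k_open_file;
    ssdt[SVC_WRITE_VM]      = k_write_vm;
    ssdt[SVC_LOAD_DRIVER]   = k_load_driver;
    ssdt[SVC_CREATE_THREAD] = k_create_thread;
    ssdt[SVC_SET_VALUE_KEY] = k_set_value_key;
    memcpy(ssdt_baseline, ssdt, sizeof ssdt);
    kernel_mod.count = hips_mod.count = 0;
    for (int i = 0; i < NUM_SERVICES; i++) register_fn(&kernel_mod, ssdt[i]);
    register_fn(&hips_mod, hips_hook_write_vm);
    register_fn(&hips_mod, hips_hook_load_driver);
    hips_observed = 0;
}

/* Replacing a slot is the same operation whoever does it; the table itself
 * cannot tell a HIPS hook from a rootkit hook. */
void ssdt_set(int idx, service_fn f) { ssdt[idx] = f; }

/* Dispatch a system call through whatever the live table points to now. */
long syscall_dispatch(int idx, long arg) { return ssdt[idx](arg); }

int hips_observed_count(void) { return hips_observed; }

/* Audit: count slots that no longer match the boot snapshot, and how many of
 * those point at code no known module owns. */
int ssdt_audit(int *unknown_out, int verbose) {
    int changed = 0, unknown = 0;
    for (int i = 0; i < NUM_SERVICES; i++) {
        if (ssdt[i] == ssdt_baseline[i]) continue;
        changed++;
        const char *owner = owner_of(ssdt[i]);
        if (!owner) unknown++;
        if (verbose) printf("slot %d redirected -> %s\n", i,
                            owner ? owner : "UNKNOWN (no module claims this code)");
    }
    if (unknown_out) *unknown_out = unknown;
    return changed;
}

int main(void) {
    ssdt_boot();
    /* A HIPS hooking only two slots: the fewer-positions style the post notes. */
    ssdt_set(SVC_WRITE_VM, hips_hook_write_vm);
    ssdt_set(SVC_LOAD_DRIVER, hips_hook_load_driver);
    syscall_dispatch(SVC_OPEN_FILE, 7);   /* unhooked slot: HIPS never sees it */
    syscall_dispatch(SVC_WRITE_VM, 7);    /* hooked slot: HIPS sees it */
    printf("HIPS observed %d of 2 calls\n", hips_observed_count());
    /* Later, an unhooked slot is displaced by code no module owns. */
    ssdt_set(SVC_OPEN_FILE, unregistered_open_file);
    int unknown, changed = ssdt_audit(&unknown, 1);
    printf("%d slots differ from boot snapshot, %d point at unknown code\n", changed, unknown);
    return 0;
}
```

The audit counts the HIPS's own hooks as changed entries too; what separates them from the displaced slot is only the owner lookup, which is why real tools whitelist known security drivers rather than treating every redirected entry as hostile.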