HIPS or AV
trjam
January 7th, 2008, 11:06 AM
Without comparing specific products, if you had to choose between a solid HIPS or a solid AV, which would you choose and why. I am hoping this thread may help to clarify some of the issues and/or myths of both for folks like me.
solcroft
January 7th, 2008, 11:09 AM
A solid HIPS, of course.
Sensible application of execution control alone can stop 99.999% of all malware out there. Using an AV, on the other hand, is always a gamble.
WSFuser
January 7th, 2008, 11:42 AM
A solid AV for me. I don't feel protected with HIPS as they don't identify malware.
Fuzzfas
January 7th, 2008, 11:46 AM
A solid HIPS. As a matter of fact, I've been thinking of a setup without resident scanner and using only on demand. The bad thing is that nowadays, most antivirus programs need background services running even when used on demand and I don't like that. I do have Dr. Web CureIt, but I would like more...
Anyway, HIPS. You can always scan something before installing it (even use online scanners like jotti's). And HIPS can always make you suspicious. While if you rely on your AV and it fails, then you have no warning about the malware you just installed.
Perman
January 7th, 2008, 12:03 PM
Hi, folks:
Your solid HIPS is comprised of ......... ?
I am still in search of such a creature.
solcroft
January 7th, 2008, 12:06 PM
-{ Quote: "Hi, folks:
Your Solid HIPS is comprised of ......... ?
I am still in search of such a creature ." }-
ProcessGuard would be more than enough for a default-deny policy.
Bio-Hazard
January 7th, 2008, 12:07 PM
I haven't decided yet. I would use both, but if I have to choose I would go with HIPS! HIPS would make me feel safer.
Perman
January 7th, 2008, 12:25 PM
-{ Quote: "ProcessGuard would be more than enough for a default-deny policy." }-
Hi, thanks.
I just wish someone could take over where PG left off and continue.
Fuzzfas
January 7th, 2008, 12:33 PM
-{ Quote: "Hi, folks:
Your Solid HIPS is comprised of ......... ?
I am still in search of such a creature ." }-
Personally I like SSM free. For the simple fact that if you uninstall programs, you can momentarily go on and off learning mode and it will ask you to delete the "unused rules". This way you don't clutter your rule list with applications that no longer exist on your PC.
MikeNAS
January 7th, 2008, 12:38 PM
HIPS... Of course I like to add some other programs but not AV.
dja2k
January 7th, 2008, 02:35 PM
Well I can't resist, but Online Armor AV+ is HIPS plus on-demand AV (Kaspersky Engine), best of both IMO, but most of you already know that.
dja2k
Cerxes
January 7th, 2008, 05:15 PM
It depends on which type of environment I'm running in:
If I'm running in a restricted account, I would choose an AV for some protection against keylogger-classified malware.
If I'm running in admin mode I would choose HIPS for kernel-level protection before malware can activate a process.
/C.
Long View
January 7th, 2008, 05:34 PM
If I had to choose it would be HIPS but as I don't have to choose I choose to use neither.
wat0114
January 7th, 2008, 05:35 PM
For me to choose one over the other, the HIPS gets the edge and it would be SSM Pro, but the free version is nice, too.
Tarq57
January 7th, 2008, 07:22 PM
Interesting question.
For me the answer is (by a slim margin) "a solid AV".
Reason? I don't know enough about how to accurately interpret the information displayed in a HIPS alert to know I'm going to be safe every time. And I think a lot of folk are in this situation, though maybe not so many members of this forum. (How often do you read about users wanting a security solution that doesn't give them pop-ups?)
Of course, since I have the option of running both, that's what I use. And have, as a result, learned a bit about the mysterious, shrouded, occult workings of the computer as a result.
It's been so long since I encountered any real malware that I think I'd get quite a shock if the HIPS popped an alert for something genuinely harmful.
C.S.J
January 7th, 2008, 08:35 PM
-{ Quote: "Well I can't resist, but Online Armor AV+ is HIPS plus on-demand AV (Kaspersky Engine), best of both IMO, but most of you already know that.
dja2k" }-
yep,
also Safe N Sec + AV includes Drweb.
personally, I use Prevx with the original Dr.Web program and modules :)
Kerodo
January 7th, 2008, 08:47 PM
If I had to pick only one, then I think a HIPS would be it nowadays.... seems more likely that it would catch and stop anything bad....
subset
January 7th, 2008, 09:12 PM
Hi,
I try to answer it this way:
My everyday setup is KAV and OA.
Currently I am testing KIS 7.0.1.321 Beta without any other security software.
And I must admit that I feel kind of naked :-[
If I should decide, I would take a HIPS.
Cheers
Diver
January 7th, 2008, 11:10 PM
In principle LUA/SRP will protect you from drive by downloads, so the only reason to have anything else is you are not sure of what you are putting on your machine intentionally. If all your software came from the sites of reputable publishers, that should cover everything.
I suppose a HIPS will tell you all sorts of stuff when installing software, but not everyone will know the difference between malware and ordinary software from those warnings, if indeed the program will install without turning off HIPS or going into the install mode.
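Diver's "LUA/SRP" point (and solcroft's "default-deny" execution control earlier in the thread) rests on a concrete mechanism: under a limited user account a drive-by download can only write to user-writable locations, and a Software Restriction Policy whose default level is Disallowed refuses to run anything outside the explicitly allowed program directories. The following Python is an added illustration of that rule logic; it is not code from the thread, from Microsoft or from any product named here. The rule paths, the "longest matching prefix wins" resolution and the admin-exemption flag are simplifying assumptions.

```python
"""
Toy model of default-deny execution control with SRP-style path rules.

Added illustration only. Real SRP resolves hash, certificate, path and zone
rules in a fixed order; this model keeps just the part the thread is about:
path prefixes, most-specific match wins, unmatched files get the default.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class PathRule:
    """Directory-prefix rule. Paths are written already expanded (no %SystemRoot%)."""
    path: str
    level: str
    note: str = ""


def _norm_dir(p: str) -> str:
    # Lower-case, normalise separators and force a trailing backslash so that a rule
    # for C:\Windows cannot accidentally cover C:\WindowsUpdate\*.
    p = ntpath.normpath(p).lower()
    return p if p.endswith("\\") else p + "\\"


def _norm_file(p: str) -> str:
    return ntpath.normpath(p).lower()


class ExecutionPolicy:
    """Default-deny execution control driven by path rules (simplified SRP semantics)."""

    def __init__(self, rules: Iterable[PathRule], default: str = DISALLOWED,
                 enforce_for_admins: bool = True) -> None:
        self.rules = list(rules)
        self.default = default
        self.enforce_for_admins = enforce_for_admins  # SRP "PolicyScope"-like switch (assumption)

    def decide(self, exe_path: str, is_admin: bool = False) -> Tuple[str, Optional[PathRule]]:
        """Return (level, matching rule). A rule of None means the default level applied."""
        if is_admin and not self.enforce_for_admins:
            return UNRESTRICTED, None  # the "everyone except administrators" scope
        target = _norm_file(exe_path)
        best: Optional[PathRule] = None
        for rule in self.rules:
            prefix = _norm_dir(rule.path)
            if target.startswith(prefix) and (best is None or len(prefix) > len(_norm_dir(best.path))):
                best = rule  # more specific (longer) prefix wins
        return (best.level, best) if best else (self.default, None)


# Constructed policy for an XP-era machine; every path here is an assumption.
LUA_SRP_POLICY = ExecutionPolicy([
    PathRule(r"C:\Program Files", UNRESTRICTED, "installed by an administrator"),
    PathRule(r"C:\Windows", UNRESTRICTED, "OS binaries"),
    # A user-writable folder inside an otherwise allowed tree needs its own deny
    # rule; without it the broader allow rule above would cover it.
    PathRule(r"C:\Windows\Temp", DISALLOWED, "user-writable subfolder of an allowed tree"),
])


def drive_by_outcome(policy: ExecutionPolicy, dropped_path: str) -> str:
    """Level applied to a file a web page managed to write while running as a limited user."""
    level, _ = policy.decide(dropped_path, is_admin=False)
    return level


if __name__ == "__main__":
    samples = [  # constructed sample paths
        r"C:\Program Files\Opera\opera.exe",
        r"C:\Windows\system32\notepad.exe",
        r"C:\Documents and Settings\alice\Local Settings\Temp\update.exe",
        r"C:\Windows\Temp\dropper.exe",
        r"C:\WindowsUpdate\setup.exe",
    ]
    for s in samples:
        level, rule = LUA_SRP_POLICY.decide(s)
        why = rule.note if rule else "no rule matched, default level applies"
        print(f"{level:12s} {s}  ({why})")
```

The two things worth noticing in the output are the ones the thread argues about: the dropped file in the user's Temp folder is refused without anyone needing a signature for it, and a user-writable directory under C:\Windows only stays closed because a more specific deny rule was added for it.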
baerzake
January 8th, 2008, 01:43 AM
why not HIPS+AV? more than security.
Osaban
January 8th, 2008, 04:43 AM
I think if one is running a sandbox/virtualization program, HIPS is preferable mainly to stop executables. If you are running 'normally' (no sandbox) I would definitely use HIPS and AV.
dja2k
January 8th, 2008, 05:22 AM
-{ Quote: "yep,
also Safe N Sec + AV includes Drweb.
personally, i use prevx with the original drweb program and modules :)" }-
Yep but who still uses Safe'N'Sec these days?
dja2k
Hermescomputers
January 8th, 2008, 10:20 AM
Hi all,
I have recently updated the Cyber Self defense (http://www.hermes-computers.ca/index.php?pid=35) part of my web site...
No hamster was harmed in the making of this article...
dawgg
January 8th, 2008, 03:10 PM
I'd choose AV which includes HIPS :)
If I could only choose an AV scanning engine or HIPS, I'd choose HIPS personally... far better against 0-day malware.
If I shared a computer with someone less techy than me, I'd choose AV though... (more user-friendly).. non-techy users tend to allow all popups from HIPS
C.S.J
January 8th, 2008, 07:01 PM
-{ Quote: "Yep but who still uses Safe'N'Sec these days?
dja2k" }-
lots of people, why?
GES/POR
January 8th, 2008, 07:21 PM
AVs have been in use much longer and more widely, and HIPS haven't. AVs have gone through serious testing against many millions of malware samples and done pretty well for the majority. I still haven't seen one serious test where a high number of malware samples is tested against HIPS, and the ones (AV-C, NICM) that I know of didn't come out flawless. I need to see more facts before I can believe HIPS stops 99% of malware. For me a combo of AV and the likes of ThreatFire, Prevx, AntiBot would be best. Firewall with outbound protection included, so 3 security tools would be about it. Oh yeah, AVs and HIPS are getting better every day, especially the heuristics. If you're a safe, low-risk surfer, one anti-malware tool plus firewall would be good enough. You can always add other stuff such as a sandbox, etc.
To answer your question instead of rambling my simple Joe's thoughts: if I had to pick only 1 out of those 2 it would be a hella strong AV.
trjam
January 8th, 2008, 09:17 PM
A strong AV and something as simple but effective as Sandboxie would suffice for about 95 percent of PC users. The reality is, Chris is right about our fear of infection. We lock up protection for our computers better than we do for our families.
I agree with Long View that it would be nice to see some type of criteria based on user/habits/protection=results.
Matching the product to the individuals needs is the key.
Ilya Rabinovich
January 9th, 2008, 09:58 AM
I use my own HIPS only.
solcroft
January 9th, 2008, 10:03 AM
-{ Quote: "Av's are much longer and wider in use and hips aren't. Av's haven gone trough serious tetsting against many millions of malware and done pretty good for the majority.
<snip>
I need to see more facts before i can believe hips stops 99% of malware." }-
All I can say is: dear lord.
Blacklist scanners miss at least 60% of zero-day malware, and I already think that's a very conservative estimate. AV-C's retrospective tests have stopped reflecting reality since a very long time ago.
As for asking to see proof of HIPS stopping 99% of malware, that's like asking to see proof that the air you breathe really contains oxygen.
Escalader
January 9th, 2008, 10:49 AM
-{ Quote: "Without comparing specific products, if you had to choose between a solid HIPS or a solid AV, which would you choose and why. I am hoping this thread may help to clarify some of the issues and/or myths of both for folks like me." }-
Hi trjam:
Good question, should make members think.:thumb:
Your question is like this one, "which would you choose breathing or water?" Either way you are dead, one in 70 days, the other in 70 seconds.
So, clearly we need both and the same is true of HIPS and AV's.
Another thought is it depends on the user's risk profile and definition of "solid" for HIPS and for AVs. I doubt there is a 100% HIPS or AV out there, so again both are best. This is from a believer in layered defense, of course.
For me I want/need? a solid AV that does defense work heuristically as well as scanning against a current signature database. I want it to scan I/O email, attachments and memory and files as they are opened.
If a parasite exe slips through, my HIPS should catch it and prevent it from running.
Of course the main tool is missing from your question, a "solid" FW.8)
That's it;D
trjam
January 9th, 2008, 10:52 AM
some offer both.;)
Long View
January 9th, 2008, 11:18 AM
-{ Quote: "
Your question is like this one, "which would you choose breathing or water?" Either way you are dead, one in 70 days, the other in 70 seconds.
So, clearly we need both and the same is true of HIPS and AV's.
" }-
LOL - "clearly we need both" - ok "and the same is true of HIPS and AV's"
You may or may not be correct but could you please explain the logical link between the first part and the second? Otherwise you might just as well have written "as far as I'm concerned we need both"
(which would you choose - being burned at the stake or hanged, drawn and quartered? Clearly you would prefer neither and the same is true for HIPS and AV's)
Escalader
January 9th, 2008, 01:47 PM
-{ Quote: "LOL - "clearly we need both" - ok "and the same is true of HIPS and AV's"
You may or may not be correct but could you please explain the logical link between the first part and the second? Otherwise you might just as well have written "as far as I'm concerned we need both"
(which would you choose - being burned at the stake or hanged, drawn and quartered? Clearly you would prefer neither and the same is true for HIPS and AV's)" }-
Hi Long View:
I was replying with my opinion for the OP and will continue to phrase things my own way;D
I would prefer hanging over the fire method as it is faster! You may want to do me in some other way!
Happy 2008!
Kees1958
January 9th, 2008, 03:01 PM
Have a look at the process list below. What do you see?
That I have surfed the intranet for nearly three hours and that it took (Opera) 1 minute and 29 seconds to process.
DefenseWall
That the core service of DefenseWall (HIPS core = defensewall_serv.exe) actually used the lowest amount of CPU time. On the other hand, the user interface of DefenseWall (where you arrange the settings, and the program that displays "DefenseWall Status: Untrusted" in the windows of Opera) used the highest amount of CPU cycles = 16 seconds CPU for only reminding you DefenseWall is running (mind you, the core is so efficient it uses very little CPU cycles). (HIPS)
Comodo
Comodo V3 with D+ enabled but cut down (less file protection, more registry protection; D+ does not look at memory violations, setting hooks, process terminations, Windows messages, direct screen and keyboard read). All existing applications are set to be trusted (clean PC = D+ looks only at new arrivals) with Image Execution Control off. In this way DW and D+ overlap on low-level disk access, driver installation, registry items, and file system protection at admin level also overlaps. But what the heck, it only cost 6 seconds on 2.51 hours of surfing, downloading, reading mail etc. (FW + IDS)
Avast
I have enabled all relevant in-stream data checks. Avast now checks in-stream data of web pages before they are executed (WebShield), Network Shield (known worms), Internet Post Shield (mail attachments when they are downloaded with POP3) and P2P Shield (checks the LimeWire in-stream data). All Avast services together use 2 seconds of CPU time.
Next, all Avast modules only take about 2 seconds. WebServ can spike up to a little more than DefenseWall (so it would have been a maximum of 18 seconds altogether, worst scenario opening a lot of web pages with active content). Avast is my AV with trimmed-back checking.
Conclusion
My security cost me about 30 seconds CPU time on nearly three hours surfing, downloading files and checking mail. That is 0.3 percent of my working time. It is an Athlon64 3900+. So who cares?
Rasheed187
January 13th, 2008, 12:03 PM
If I had to choose, I'd go for HIPS. I really don't know why the AV section is one of the most popular sections, I mean don't we all know that there are perhaps about 5 scanners with the best detection rate/heuristics, and that they probably still miss quite a lot? What's so exciting about that? ::)
Call me crazy but I believe I have a better chance to identify malware based on their behavior than to trust blindly some scanner which can't spot all malware. For example, let's say I download some Notepad replacement called Notepad2000.exe, my scanner tells me it's clean, but my HIPS tells me it wants to inject code and terminate my firewall. Who do you trust? :)
jrmhng
January 13th, 2008, 03:57 PM
-{ Quote: "Call me crazy but I believe I have a better chance to identify malware based on their behavior than to trust blindly some scanner which can't spot all malware. For example, let's say I download some Notepad replacement called Notepad2000.exe, my scanner tells me it's clean, but my HIPS tells me it wants to inject code and terminate my firewall. Who do you trust? :)" }-
Good point. You know what to look for in these situations. But what about everyone else who is not cautious/aware?
My vote would be, HIPS for an educated user, AV for a less educated user.
Hermescomputers
January 13th, 2008, 04:44 PM
-{ Quote: "Good point. You know what to look for in these situations. But what about everyone else who is not cautious/aware?
My vote would be, HIPS for an educated user, AV for a less educated user." }-
This is why I am so enamored with PREVX since it is the embodiment of the best features of most great ideas in security. Signature based scanning but with a dynamic live online database coupled with powerful client side reporting and a full blown H.I.P.S. driven half by AI and half by user intelligence.
What could be better than improving on this concept? I can't think of anything besides what Comodo is doing with its firewall and the new Defense+ integration. In fact we need more intelligence built into these products but always with the users in full control to bolster understanding and confidence in the technology...
What fascinates me is how well Comodo Firewall 3.0 and Prevx complete each other... It's beautiful to watch in action.
I think it will be exciting to see where these products will be 5 years from now. I think I should count threatfire in this as well as they are all very similar conceptually...
EASTER
January 13th, 2008, 05:33 PM
-{ Quote: "If I had to choose, I'd go for HIPS. I really don't know why the AV section is one of the most popular sections, I mean don't we all know that there are perhaps about 5 scanners with the best detection rate/heuristics, and that they probably still miss quite a lot? What's so exciting about that? ::)
Call me crazy but I believe I have a better chance to identify malware based on their behavior than to trust blindly some scanner which can't spot all malware. For example, let's say I download some Notepad replacement called Notepad2000.exe, my scanner tells me it's clean, but my HIPS tells me it wants to inject code and terminate my firewall. Who do you trust? :)" }-
As a well-seasoned veteran of sorts in this I have to agree with Rasheed187, what is all the crow about in the AV forums? At least I guess it does very well in the post numbers count and there have been some really challenging engagements plus statistics between competing products, but really, what's so terribly exciting about them IMO compared to HIPS. For pity's sake, since I turned to HIPS I don't even use them anymore except for research purposes and then only on-demand or online.
My theory and results have proven that it's safer for the end users when groups that develop HIPS make better use of time & resources studying Windows code and then implementing methods to intercept signals/code that translate into identifiable paths/files which show up on the screen as prompts while at the same time ABORTING commands, until YOU the user have had a chance to make your determination. Some HIPS are even better equipped at running automatically than some AVs I've used in the past where I would have been hammered if not for my firewall alerting to an "outgoing connection attempt".
My choice obviously, for these few reasons and many more, is HIPS, and I wouldn't hesitate to recommend the same for anyone else unless of course they are totally new to using the internet, which IMO is what drives these AVs to be as popular as they are.
ProSecurity
January 13th, 2008, 06:09 PM
Given my current skill level and work habits, I would feel safer with HIPS if forced to choose only one.
AVs are just dumb database clients.
Hairy Coo
January 13th, 2008, 11:31 PM
Am just using Threatfire on one computer-no AV-nothing except the Windows Wall-goes much faster than a speeding bullet-no problems !
djohn
January 14th, 2008, 12:09 AM
I wonder how Comodo Antivirus will be. It also has HIPS; still in beta 2.
richo
January 14th, 2008, 11:22 PM
Recently, there have been a number of viruses sent to me by people on MSN Messenger... I was disappointed at how long it took many of the good AV programs to detect these. It highlights how an AV may struggle to keep up with malware, & that having an AV does not substitute for common sense & safe computing. Of interest, my HIPS did pick these up (although I readily recognised them as malware). I'm beginning to think that if a HIPS is good for zero-day malware... why not for all malware... & keeping an on-demand AV like Avira Free to check occasional files, & to run a hard disk scan from time to time.
TVH
January 15th, 2008, 04:02 PM
I would vote for using HIPS. Only drawback for me atm is that I can't find a free HIPS that provides full functionality - both SSM and ProSecurity have disabled features in the free version which is off-putting. Are there any very good HIPS apart from Comodo Defense+ and Online Armor that are completely free?
trjam
January 15th, 2008, 04:08 PM
OK Easter, this one's for you. On my laptop it "had" ThreatFire and Sandboxie. My 16-year-old son was on it last night and I see where twice TF alerted to something and of course he just clicked allow and kept right on rolling. That is my issue with TF. I love it, but it is the "other user" factor. That is why I also like AntiBot because it allows you to set it to react instead of hesitate for action. My issue with it, though, is that I don't feel it is up to the level of other HIPS. Suggestions?
Pedro
January 15th, 2008, 04:38 PM
-{ Quote: "I would vote for using HIPS. Only drawback for me atm is that I can't find a free HIPS that provides full functionality - both SSM and ProSecurity have disabled features in the free version which is off-putting. Are there any very good HIPS apart from Comodo Defense+ and Online Armor that are completely free?" }-
SSM free works fine for me. You can control what executes, and who can (disconnect UI).
For full-featured free, other than CFP, I think there's only EQSecure (never tried it).
Then there are sandboxes, limited but as safe as the paid versions (GeSWall and Sandboxie).
Copyright ©2002 - 2012, Wilders Security Forums