
What is behavior blocker ?


alex_s
November 30th, 2008, 05:56 PM
Can anybody explain (technically, with examples) what "behavior blocker" means? What is the difference between a behavior blocker and a HIPS? (with examples).

CubonesCastle
November 30th, 2008, 06:07 PM
My educated guess would be that a HIPS alerts you to all activity, and behavior blockers would only alert you to suspicious activity that is similar to that of malware, but I don't deal with either of these so it's only my best educated guess ^^

BlueZannetti
November 30th, 2008, 06:47 PM
-{ Quote: "What is the difference between a behavior blocker and a HIPS? (with examples)." }-See the CastleCops HIPS FAQ (http://wiki.castlecops.com/HIPS_FAQ) for a decent discussion of the topic.

Blue

alex_s
November 30th, 2008, 08:01 PM
-{ Quote: "My educated guess would be that a HIPS alerts you to all activity, and behavior blockers would only alert you to suspicious activity that is similar to that of malware, but I don't deal with either of these so it's only my best educated guess ^^" }-
Hm .. interesting. I never knew OA was a behavior blocker. I always thought it was a classical HIPS :)

alex_s
November 30th, 2008, 08:04 PM
-{ Quote: "See the CastleCops HIPS FAQ (http://wiki.castlecops.com/HIPS_FAQ) for a decent discussion of the topic.

Blue" }-

Ahh. Thanks. If I got it right, BB is some subset of the more common name "HIPS".

cite:
"The most common type of HIPS for home users are behavior blockers."

Then there can hardly be strict criteria. Sigh.

Pedro
November 30th, 2008, 08:24 PM
I think you can differentiate them as, ThreatFire is a behavior blocker and OA is a tripwire.
The tripwire part is easy, the BB is ambiguous. :/

alex_s
November 30th, 2008, 08:52 PM
-{ Quote: "I think you can differentiate them as, ThreatFire is a behavior blocker and OA is a tripwire.
The tripwire part is easy, the BB is ambiguous. :/" }-

As an experienced OA tester I can say it pays very much attention to reducing user interaction, and yes, it is a very tricky part to reduce interaction and preserve security. But there is visible progress. For example the latest beta has been running here for two days now after a fresh install without ANY interaction :)

Though, I'd like to hear stricter criteria for BB, because a HIPS provided with "intellect" seems to do the same.

Edit. Nope, I was wrong, there was a single popup (FW-specific) about "new network discovered" and whether I trust it or not.

Pedro
November 30th, 2008, 08:57 PM
I may have complicated that post. When I say "The tripwire part is easy, the BB is ambiguous." I mean only the terms. :P

pandlouk
November 30th, 2008, 09:04 PM
Hi alex_s,

both H.I.P.S. and Behavior Blockers intercept Program and Procedure Call APIs.

The main difference is that H.I.P.S. need to build a whitelist database of the files on the host machine and then treat any application/file newly introduced to the host as hostile. This means that until the user adds this application to their whitelist they will warn the user about any action that the file/program tries to perform.

On the other hand Behavior Blockers are "H.I.P.S. with Artificial Intelligence". They do not need a whitelist database (although it could help) and treat every application as equal; neither friendly nor hostile. They are configured to alert the user only on certain actions or sequences of actions that seem suspicious (for example creation, modification or elimination of multiple files on the system) or that try to access critical areas of the system.

hope it helps,
Panagiotis

alex_s
November 30th, 2008, 09:23 PM
-{ Quote: "I may have complicated that post. :P" }-

Just a bit :)

alex_s
November 30th, 2008, 09:28 PM
-{ Quote: "Hi alex_s,

both H.I.P.S. and Behavior Blockers intercept Program and Procedure Call APIs.

The main difference is that H.I.P.S. need to build a whitelist database of the files on the host machine and then treat any application/file newly introduced to the host as hostile. This means that until the user adds this application to their whitelist they will warn the user about any action that the file/program tries to perform.

On the other hand Behavior Blockers are "H.I.P.S. with Artificial Intelligence". They do not need a whitelist database (although it could help) and treat every application as equal; neither friendly nor hostile. They are configured to alert the user only on certain actions or sequences of actions that seem suspicious (for example creation, modification or elimination of multiple files on the system) or that try to access critical areas of the system.

hope it helps,
Panagiotis" }-

OK. Let us take direct disk access for example. On what basis can a BB block/allow/ask the user about it if it treats every program equally? Many system programs (for example svchost) use DDA (I dunno what for). Then how can a BB decide "this is svchost, it can be allowed" or "this is malware, this should be blocked" without some kind of whitelist?

Pedro
November 30th, 2008, 09:31 PM
I think it has to know something about Windows no? :)

pandlouk
November 30th, 2008, 09:55 PM
-{ Quote: "OK. Let us take direct disk access for example. On what basis can a BB block/allow/ask the user about it if it treats every program equally? Many system programs (for example svchost) use DDA (I dunno what for). Then how can a BB decide "this is svchost, it can be allowed" or "this is malware, this should be blocked" without some kind of whitelist?" }-
svchost uses DDA? What for? This is new to me since I have never seen svchost try to access the disk directly. :blink:

Some blockers use the certificate and vendor information of the app to identify it as legitimate. Others use whitelists. Others use in-the-cloud technology with statistics about the actions of an app. Others could have another approach that I do not know of (you must ask the developers of the various BBs for that). But all have a user whitelist, needed when a user accepts an application as legitimate after an alert.

Panagiotis

alex_s
November 30th, 2008, 09:58 PM
-{ Quote: "I think it has to know something about Windows no? :)" }-

Sure, but then we come back to the very beginning. Knowing something about Windows, it knows that svchost is a "good" process, which is conceptually nothing but whitelisting :)

bellgamin
December 1st, 2008, 03:36 AM
VERY generally speaking...

1- Classical HIPS (C-HIPS) & Behavior Blockers (BB) both monitor to detect behavior that is *typical* of the behavior of malware.

2- A C-HIPS will also monitor for *significant changes* to your computer, over & beyond behaviors commonly typical of malware. Although those changes may not be *typical* of malware, they are nevertheless deemed to be sufficiently *significant* to be brought to the user's attention.

3- Some BB *reportedly* monitor for a SERIES of behaviors, no single one of which is necessarily typical of malware, but the SERIES of behaviors IS typical of malware. C-HIPS, however, do not monitor series.

4- BB usually have a goodly degree of artificial intelligence such that they will automatically take action against certain types of threats. C-HIPS, on the other hand, are dumber, and tend to ask the user about every little action they perceive to be significant.

5- C-HIPS are highly configurable. Some of them have fairly large sets of default rules, whereas others have barely any. In any event, tweaking of rules is very much in the hands of the user. On the other hand, BB are less user-configurable, & tend to have LOTS of built-in/default rules, many of which are invisible to, & un-tweakable by, the user.

6- BB are primarily *expert systems* such that the developers of the program exercise almost SOLE control over the basic operations of their application. On the other hand, C-HIPS are primarily a team effort -- the user and the program developers (in effect) work together as a team by jointly developing and applying a rule set to provide high protection -- see "7" below.

7- C-HIPS usually have "learning" modes, so that the user can (in effect) *train* the C-HIPS to recognize the apps the user is using, and learn the ways in which s/he typically uses those apps. During this learning period, the C-HIPS builds a rule set on its own, based upon the apps the user uses & what s/he does with them. BB, on the other hand, often do not use learning modes inasmuch as they are more on the order of apps *designed by geniuses for execution by doofuses*.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THERE-- I have written well beyond my own depth of knowledge, so that those who know more than I do will have something to pick apart or add onto. And awaaaay we go...
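The two models described in the posts above (pandlouk's "sequences of actions" and bellgamin's points 1 to 4) can be contrasted in a few dozen lines. The block below is an added example written for this page; it is not code from Online Armor, ThreatFire, MalwareDefender or any other product named in the thread. The event stream, process paths, action names, the five-file threshold and the two series patterns are all constructed for illustration; a real product hooks the kernel rather than reading a Python list.

```python
"""Tripwire (classical HIPS) versus series-based behavior blocker, in miniature.

Added example; not code from any product discussed in the thread. All events,
paths, thresholds and patterns below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    image: str   # acting process, as a hook would report it
    action: str  # file_write | reg_set | proc_create | raw_disk_open
    target: str  # file, registry value, child image or device opened


# Single actions a classical HIPS treats as significant and asks about one by
# one, unless the acting image has already been whitelisted by the user.
TRIPWIRE_ACTIONS = {"reg_set", "proc_create", "raw_disk_open"}

AUTORUN_PREFIXES = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)
MASS_WRITE_THRESHOLD = 5  # distinct files written before it counts as "mass write"

# Ordered series a behavior blocker treats as malware-like. Every step must
# appear, in order, in the process's behaviour history; unrelated behaviours
# may sit in between. A single step on its own never raises an alert.
SERIES_PATTERNS = {
    "drop_then_persist": ["mass_write", "autorun_persist"],
    "drop_then_spawn": ["mass_write", "spawn"],
}


def classical_hips(events, whitelist=frozenset()):
    """Alert on every sensitive single event from a non-whitelisted image."""
    wl = {w.lower() for w in whitelist}
    return [(e.pid, e.image, e.action, e.target) for e in events
            if e.action in TRIPWIRE_ACTIONS and e.image.lower() not in wl]


def _behaviour(e, written):
    """Map one raw event to a behaviour token, or None if it is not one."""
    if e.action == "file_write":
        written.add(e.target.lower())
        # emit the token exactly once, when the threshold is first reached
        return "mass_write" if len(written) == MASS_WRITE_THRESHOLD else None
    if e.action == "reg_set":
        return "autorun_persist" if e.target.lower().startswith(AUTORUN_PREFIXES) else None
    if e.action == "proc_create":
        return "spawn"
    if e.action == "raw_disk_open":
        return "raw_disk"
    return None


def _is_subsequence(pattern, history):
    """True if every step of pattern occurs in history, in that order."""
    it = iter(history)
    return all(any(tok == step for tok in it) for step in pattern)


def behavior_blocker(events):
    """Alert once per process, only when an ordered series pattern is matched."""
    history = defaultdict(list)
    written = defaultdict(set)
    flagged = set()
    alerts = []
    for e in events:
        tok = _behaviour(e, written[e.pid])
        if tok is None:
            continue
        history[e.pid].append(tok)
        if e.pid in flagged:
            continue
        for name, pattern in SERIES_PATTERNS.items():
            if _is_subsequence(pattern, history[e.pid]):
                flagged.add(e.pid)
                alerts.append((e.pid, e.image, name, list(history[e.pid])))
                break
    return alerts


# Constructed event stream: a system service opening the raw disk (as in the
# thread's log), an editor saving six documents, and a downloaded executable
# that drops six files, registers an autorun entry, then launches what it dropped.
SVCHOST = r"C:\Windows\System32\svchost.exe"
EDITOR = r"C:\Program Files\Editor\editor.exe"
DROPPER = r"C:\Users\alex\Downloads\invoice.exe"
EVENTS = [
    Event(100, SVCHOST, "raw_disk_open", r"\??\PhysicalDrive0"),
    Event(100, SVCHOST, "reg_set", r"HKLM\System\CurrentControlSet\Services\BITS\Start"),
    *[Event(300, EDITOR, "file_write", rf"C:\Users\alex\Documents\chapter{i}.txt") for i in range(6)],
    *[Event(200, DROPPER, "file_write", rf"C:\Users\alex\AppData\Roaming\upd\part{i}.dll") for i in range(6)],
    Event(200, DROPPER, "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(200, DROPPER, "proc_create", r"C:\Users\alex\AppData\Roaming\upd\svc.exe"),
]

if __name__ == "__main__":
    print("classical HIPS, empty whitelist:", classical_hips(EVENTS))
    print("classical HIPS, svchost trusted:", classical_hips(EVENTS, {SVCHOST}))
    print("behavior blocker:", behavior_blocker(EVENTS))
```

Run against the constructed stream, the tripwire raises four prompts with an empty whitelist (two of them for svchost) and two once svchost is trusted, while the series matcher raises exactly one, for the dropper, and stays silent for both svchost's raw-disk open and the editor's six saves. That is the whole distinction in bellgamin's points 2 and 3: the tripwire needs a whitelist to stop asking about svchost, the series matcher never consulted one.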

alex_s
December 1st, 2008, 09:21 AM
-{ Quote: "svchost uses DDA? What for? This is new to me since I have never seen svchost try to access the disk directly. :blink:

Some blockers use the certificate and vendor information of the app to identify it as legitimate. Others use whitelists. Others use in-the-cloud technology with statistics about the actions of an app. Others could have another approach that I do not know of (you must ask the developers of the various BBs for that). But all have a user whitelist, needed when a user accepts an application as legitimate after an alert.

Panagiotis" }-

Do not ask me why and what for svchost uses DDA, I dunno :) But I see in my log:

[15:56:28.978] D00 ---- --- AppName: C:\Windows\system32\wbem\wmiprvse.exe
[15:56:28.978] D00 ---- --- FileName: \??\PHYSICALDRIVE0
[15:56:28.978] D00 ---- --- Access: C0100080

[15:57:02.040] EA0 ---- --- AppName: C:\Windows\System32\svchost.exe
[15:57:02.040] EA0 ---- --- FileName: \??\PhysicalDrive0
[15:57:02.040] EA0 ---- --- Access: 100180

This is under Vista.

Well, what I see there is no clear difference between the so-called "classical HIPS" and BB. In the end they use the same techniques (more or less the same, I mean).
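The two records posted above carry more information than the AppName alone, which bears directly on the earlier question of how a blocker could treat svchost and a dropper differently without an image whitelist. The block below is an added example written for this page, not code from Online Armor or any other product. It assumes that the Access field is the NT ACCESS_MASK requested at open time (hexadecimal, no 0x prefix) and that the log layout is exactly the one shown; the allow/alert policy at the end is this editor's illustration, not a rule taken from any product.

```python
"""Decode the Access masks from the posted raw-disk log and apply a toy policy.

Added example, not code from any product in the thread. Assumes "Access" is the
NT ACCESS_MASK requested at open time; the verdict policy is illustrative only.
"""
import re

# The records exactly as posted in the thread; they are the only input reused.
SAMPLE_LOG = r"""
[15:56:28.978] D00 ---- --- AppName: C:\Windows\system32\wbem\wmiprvse.exe
[15:56:28.978] D00 ---- --- FileName: \??\PHYSICALDRIVE0
[15:56:28.978] D00 ---- --- Access: C0100080

[15:57:02.040] EA0 ---- --- AppName: C:\Windows\System32\svchost.exe
[15:57:02.040] EA0 ---- --- FileName: \??\PhysicalDrive0
[15:57:02.040] EA0 ---- --- Access: 100180
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<rec>\S+)\s+\S+\s+\S+\s+(?P<key>\w+):\s*(?P<val>.*)$"
)
# The log spells the device two ways, so match case-insensitively.
PHYSDRIVE_RE = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.IGNORECASE)

# Documented Windows ACCESS_MASK bits: generic and standard rights plus the
# file/device specific rights, highest bit first.
RIGHTS = [
    (0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
    (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL"),
    (0x02000000, "MAXIMUM_ALLOWED"), (0x01000000, "ACCESS_SYSTEM_SECURITY"),
    (0x00100000, "SYNCHRONIZE"), (0x00080000, "WRITE_OWNER"),
    (0x00040000, "WRITE_DAC"), (0x00020000, "READ_CONTROL"), (0x00010000, "DELETE"),
    (0x0100, "FILE_WRITE_ATTRIBUTES"), (0x0080, "FILE_READ_ATTRIBUTES"),
    (0x0040, "FILE_DELETE_CHILD"), (0x0020, "FILE_EXECUTE"), (0x0010, "FILE_WRITE_EA"),
    (0x0008, "FILE_READ_EA"), (0x0004, "FILE_APPEND_DATA"), (0x0002, "FILE_WRITE_DATA"),
    (0x0001, "FILE_READ_DATA"),
]
KNOWN_BITS = sum(bit for bit, _ in RIGHTS)
# Rights that let the handle holder read or change sector data via Read/WriteFile.
DATA_READ = 0x80000000 | 0x10000000 | 0x0001            # GENERIC_READ, GENERIC_ALL, FILE_READ_DATA
DATA_WRITE = 0x40000000 | 0x10000000 | 0x0002 | 0x0004  # GENERIC_WRITE, GENERIC_ALL, FILE_WRITE_DATA, FILE_APPEND_DATA


def parse_log(text):
    """Group the three-line records by (timestamp, record id), preserving order."""
    records, order = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["ts"], m["rec"])
        if key not in records:
            records[key] = {}
            order.append(key)
        records[key][m["key"]] = m["val"].strip()
    return [records[k] for k in order]


def decode_access(mask):
    """Return the names of the rights set in mask; unknown bits are kept as hex."""
    names = [name for bit, name in RIGHTS if mask & bit]
    leftover = mask & ~KNOWN_BITS & 0xFFFFFFFF
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


def raw_disk_verdict(rec):
    """Toy policy: a physical-drive open earns an alert only if it asks for sector
    data. A metadata-only open (attributes, SYNCHRONIZE) passes whichever image
    asked, so no image whitelist is consulted at all."""
    if not PHYSDRIVE_RE.match(rec.get("FileName", "")):
        return "not-a-raw-disk-open"
    mask = int(rec["Access"], 16)
    if mask & DATA_WRITE:
        return "alert-raw-write"
    if mask & DATA_READ:
        return "alert-raw-read"
    return "allow-metadata-only"


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        mask = int(rec["Access"], 16)
        print(rec["AppName"], rec["FileName"], f"0x{mask:08X}")
        print("   ", " | ".join(decode_access(mask)), "->", raw_disk_verdict(rec))
```

Decoded, the two opens are not the same kind of event: wmiprvse asked for GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE | FILE_READ_ATTRIBUTES, i.e. a handle that can read and write sectors, while svchost asked only for SYNCHRONIZE | FILE_WRITE_ATTRIBUTES | FILE_READ_ATTRIBUTES, which cannot. A blocker that reads the mask can therefore wave the svchost open through on the request itself, without knowing anything about svchost. One caveat a practitioner should keep in mind: the open-time mask bounds ReadFile and WriteFile, not every DeviceIoControl, because each control code carries its own required-access bits and FILE_ANY_ACCESS codes (disk geometry queries, for instance) go through on a handle like svchost's. A product that hooks only the create, as this log suggests, cannot tell what the handle is later used for without also hooking device control.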

Pedro
December 1st, 2008, 10:44 AM
I think the very thought that something just might be more sophisticated than OA makes you ignore what the others are (trying to) telling you.
You might need beer and a shot of tequila. ;D

kwismer
December 1st, 2008, 11:23 AM
the difference between HIPS and behaviour blocker is that behaviour blocker is an actual descriptive term that indicates what it specifically does, while HIPS is an entirely ambiguous term that many people (and organizations) have used to mean many things...

i seem to recall gartner had a HIPS grid that showed virus scanners in one of its quadrants... that's how ambiguous and unspecific the term host intrusion prevention system (HIPS) is... virtually anything that prevents malware can be labeled as such...

alex_s
December 1st, 2008, 01:24 PM
-{ Quote: "I think the very thought that something just might be more sophisticated than OA makes you ignore what the others are (trying to) telling you.
You might need beer and a shot of tequila. ;D" }-

Oh, no. I just want to understand it clearly. To compare what is sophisticated and to what extent, you should run some set of tests and compare the outcome. It is not enough just to say "this is sophisticated because it is called BB" and "this is less sophisticated because it is called HIPS". After all it is the vendor who calls the product one way or another, and different vendors can just have different points of view. This is something like the "SPI" question. Everybody knows the word and everybody uses it, but very few actually understand what it means, what it is for and what practical value it has. My personal position is not to use a term if I can't explain very clearly what it means (at least for me). You see, we have here some different opinions and no clear statement. Ehhh .. as an analyst I hate this kind of thing, it brings a lot of confusion ..

PS. and "holy wars" :)

Pedro
December 2nd, 2008, 10:29 AM
-{ Quote: " You see, we have here some different opinions and no clear statement. Ehhh .. as an analyst I hate this kind of thing, it brings a lot of confusion .. " }-
That's why I try to avoid getting into technical details and showing how dumb I am ;D

I think you can look at it this way. What we've been calling BB, or what Pandlouk calls "H.I.P.S. with Artificial Intelligence", try to detect / should detect only real malware, and state something like "this is behavior typical of malware, quarantine?". The rest are FPs.
Some will be more "intelligent" than others, all have flaws and so on. But this is their purpose.

What bellgamin calls fries, pardon, C-HIPS, are tripwires, alerting on single events regardless of context /application.

The distinction can and will blur on this or that program, but you can look at this as the main difference or starting point.

blacknight
December 2nd, 2008, 10:52 AM
-{ Quote: "Oh, no. I just want to understand it clearly. To compare what is sophisticated and to what extent, you should run some set of tests and compare the outcome. It is not enough just to say "this is sophisticated because it is called BB" and "this is less sophisticated because it is called HIPS". " }-

I agree, the focus, I believe, is not "if" or "how" sophisticated a piece of software is, but how effective it is at ensuring the system's protection. And imho a HIPS well set up and well used is far more efficient than a BB.

alex_s
December 2nd, 2008, 01:07 PM
-{ Quote: "I agree, the focus, I believe, is not "if" or "how" sophisticated a piece of software is, but how effective it is at ensuring the system's protection. And imho a HIPS well set up and well used is far more efficient than a BB." }-

But BB is also HIPS :)

Actually, "better" here is a complex function of security/reliability/usability (I mean these have the main value; there are many other less essential parameters). The first two parameters can be "more or less" estimated by tests, though the last one is very difficult to formalize, and there is a problem.

jmonge
December 2nd, 2008, 01:31 PM
-{ Quote: "But BB is also HIPS :)

Actually, "better" here is a complex function of security/reliability/usability (I mean these have the main value; there are many other less essential parameters). The first two parameters can be "more or less" estimated by tests, though the last one is very difficult to formalize, and there is a problem." }- a behaviour blocker can be considered a light HIPS

blacknight
December 2nd, 2008, 02:39 PM
-{ Quote: "a behaviour blocker can be considered a light HIPS" }-

Not a real HIPS: it does not have complete control of the system, nor does it allow creating rules, limits and blocks on all applications, processes, services...

jmonge
December 2nd, 2008, 02:50 PM
-{ Quote: "
Not a real HIPS: it does not have complete control of the system, nor does it allow creating rules, limits and blocks on all applications, processes, services..." }-I know I read an article where they call BB a HIPS, but I think you are correct 150% :thumb: plus you can get more protection with a pure HIPS app 8)

bellgamin
December 2nd, 2008, 09:53 PM
-{ Quote: "i know i read an article where they call bb as hips" }-You are correct (not the other fellow). That is -- Behavior Blockers are a subset of HIPS.

A- HIPS = Host-based Intrusion Prevention System. Thus, a HIPS is an application delineated primarily by 2 factors as follows...

1- WHAT it is designed to do -- a HIPS is designed to be an Intrusion Prevention System. That is, it is designed to protect information systems from unauthorized access, damage or disruption. It does this by monitoring system activities for malicious or suspicious or unwanted behavior, and by reacting, in real-time, to block or prevent those activities. In essence, a HIPS acts as a firewall between (a) applications and (b) the operating system kernel.

2- WHERE it is designed to function -- a HIPS is designed to function "Host-based." That is, a host-based IPS is designed to be operated on one specific IP address, usually on a single computer.

Conversely, a network based IPS is a NIPS. HIPS & NIPS -- when it comes to security, they really are pips. (cha-cha-cha)

B- Thus, an application which is designed to be "host-based", & which is designed to function as an "intrusion prevention system" is a HIPS.

C- For example, Threatfire (TF) is a Behavior Blocker (BB) whereas MalwareDefender (MD) is a "Classical" HIPS (C-HIPS). Although TF & MD have somewhat different structures/concepts, they are BOTH host-based, and they are BOTH intrusion prevention systems, so they are BOTH HIPS.

D- The ability or inability to set custom rules is NOT a discriminator between HIPS & non-HIPS. Threatfire (our BB example) has quite a powerful *advanced* option to set custom rules.

EASTER
December 2nd, 2008, 11:14 PM
-{ Quote: "THERE-- I have written well beyond my own depth of knowledge, so that those who know more than I do will have something to pick apart or add onto. And awaaaay we go..." }-

Really? It was good enough for this ole researcher to do a copy/paste to my category notes :) So thanks for pointing out those certain distinctions and others, and I really like the term you used, "Artificial Intelligence", since I dabbled a long time with those AI speaking/moving bots for a time and still get a rise from any form of PC AI when they really start to gel and make sense, if only for a while.

EASTER

jmonge
December 3rd, 2008, 12:31 AM
-{ Quote: "You are correct (not the other fellow). That is -- Behavior Blockers are a subset of HIPS.

A- HIPS = Host-based Intrusion Prevention System. Thus, a HIPS is an application delineated primarily by 2 factors as follows...

1- WHAT it is designed to do -- a HIPS is designed to be an Intrusion Prevention System. That is, it is designed to protect information systems from unauthorized access, damage or disruption. It does this by monitoring system activities for malicious or suspicious or unwanted behavior, and by reacting, in real-time, to block or prevent those activities. In essence, a HIPS acts as a firewall between (a) applications and (b) the operating system kernel.

2- WHERE it is designed to function -- a HIPS is designed to function "Host-based." That is, a host-based IPS is designed to be operated on one specific IP address, usually on a single computer.

Conversely, a network based IPS is a NIPS. HIPS & NIPS -- when it comes to security, they really are pips. (cha-cha-cha)

B- Thus, an application which is designed to be "host-based", & which is designed to function as an "intrusion prevention system" is a HIPS.

C- For example, Threatfire (TF) is a Behavior Blocker (BB) whereas MalwareDefender (MD) is a "Classical" HIPS (C-HIPS). Although TF & MD have somewhat different structures/concepts, they are BOTH host-based, and they are BOTH intrusion prevention systems, so they are BOTH HIPS.

D- The ability or inability to set custom rules is NOT a discriminator between HIPS & non-HIPS. Threatfire (our BB example) has quite a powerful *advanced* option to set custom rules." }-I knew I was correct ;D
Thanks for the long explanation, it is very clear.

alex_s
December 3rd, 2008, 08:55 AM
-{ Quote: "I really like the term you used, "Artificial Intelligence"" }-

Indeed, the words are pretty nice. When you say "beautiful girl", for example, the words are also very nice, but everybody has his own picture in his mind :)

Let me explain what I mean. "Intelligence" is a term from the same line as "beauty". Easy to imagine, hard to explain. But in tech we need to use only the words that can be clearly stated.