Best HIPS For Windows Startup Protection?
arran
February 16th, 2009, 10:16 PM
What are the HIPS programs which load first on reboots?
I notice that Online Armor starts early and EQSecure starts very early during bootup.
Because you can have malware which can run on startup before your HIPS program starts.
I once had EQSecure and System Safety Monitor installed. I set them both to deny each other from running. I then rebooted, and because EQSecure starts very early during bootup, SSM didn't stand a chance.
So other than EQSecure, what other HIPS starts early during bootup?
Kees1958
February 17th, 2009, 02:55 AM
Rising's HIPS is an early bird
PROROOTECT
February 17th, 2009, 06:20 AM
Arran, I use Startup Monitor from Mike Lin: http://www.mlin.net/StartupMonitor.shtml
Arran, I also use Tiny Watcher from Mr Olivier Lombart: http://www.donationcoders.com/kubicle/watcher/
Arran, patience please ... I also use SystemShield from Ludwig Ertl (leecher): http://www.usec.at/ushields.html
Yes, this is maybe not a HIPS ... but it works faster on boot! All very tiny programs.
Your impressions, please ...
PRO
progress
February 17th, 2009, 07:14 AM
-{ Quote: "
Arran, I use also Tiny Watcher from Mr Olivier Lombart: http://www.donationcoders.com/kubicle/watcher/
" }-
"Detects changes afterward: It will not prevent your system from being modified or corrupted. It will only tell you that something suspicious happened. Think of it as an early CAT scan against system tumors."
The same goes for most other applications: WinPatrol, MJ Registry Watcher, System Protect ...
A free "real-time" startup protection tool is Arovax Shield (http://www.arovaxshield.com/) ;)
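The "detects changes afterward" model quoted above, as an added example in Python (not StartupMonitor's, Tiny Watcher's or Arovax Shield's code, and not part of the original post): a baseline .reg export of the Run/RunOnce keys is diffed against a fresh export, and every added, removed or changed autostart value is reported. The two .reg texts, the "HIPS" and "Updater" entries and the list of watched keys are constructed for the example.

```python
"""Added example: diff the autostart registry keys between a saved baseline
and a fresh snapshot, both as .reg exports (the format regedit and `reg
export` write). Detection after the fact, like the tools quoted above."""

import re

# Autostart keys this example watches; constructed list, matched case-insensitively.
AUTOSTART_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
_CANON = {k.lower(): k for k in AUTOSTART_KEYS}

# "name"=data  or  @=data (default value). Names may contain \" and \\ escapes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {canonical_key: {value_name: data}} for the watched keys only.
    String data is unescaped; other types (dword:, hex:) are kept verbatim."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _CANON.get(line[1:-1].lower())   # None for keys we don't watch
            if current is not None:
                entries.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue                                  # e.g. continuation lines of hex: data
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        entries[current][name] = data
    return entries


def diff_autostart(baseline, snapshot):
    """List (kind, key, value_name, data) for every added, removed or changed value."""
    findings = []
    for key in sorted(set(baseline) | set(snapshot)):
        old, new = baseline.get(key, {}), snapshot.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                findings.append(("added", key, name, new[name]))
            elif name not in new:
                findings.append(("removed", key, name, old[name]))
            elif old[name] != new[name]:
                findings.append(("changed", key, name, new[name]))
    return findings


def audit(baseline_text, snapshot_text):
    return diff_autostart(parse_reg_export(baseline_text), parse_reg_export(snapshot_text))


# Constructed sample exports. "HIPS" stands in for whatever HIPS is installed;
# "Updater" is the entry that appeared since the baseline was taken.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"HIPS"="\"C:\\Program Files\\HIPS\\hips.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

SNAPSHOT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"HIPS"="\"C:\\Program Files\\HIPS\\hips.exe\" /disabled"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Updater"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\updater.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for kind, key, name, data in audit(BASELINE_REG, SNAPSHOT_REG):
        print(f"{kind:8} {key}\\{name} = {data}")
```

The diff only sees the change on the next run, which is the limitation progress points out: the new "Updater" value has already executed once by then. The Explorer key in the sample is deliberately not in the watch list, so its hex value never reaches the diff.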
mike21
February 17th, 2009, 07:21 AM
Real Time Defender (RTD)
alex_s
February 17th, 2009, 07:40 AM
-{ Quote: "what are the HIPS programs which load first on re boots?" }-
It is theoretically impossible to guarantee that a program will be the first to start on reboot, because everything one program does, another program can do as well. The only way to guarantee that a nasty doesn't start on boot is to protect the autorun registry keys, which most HIPS do.
2good
February 17th, 2009, 08:42 AM
You could try AnVir Task Manager; it's very good.
wat0114
February 17th, 2009, 01:58 PM
-{ Quote: "The only way to guarantee that a nasty doesn't start on boot is to protect the autorun registry keys, which most HIPS do." }-
I concur with alex. The malware has to have infiltrated the system in the first place before it's going to wreak havoc on bootup.
Alcyon
February 17th, 2009, 04:41 PM
-{ Quote: "The only way to guarantee that a nasty doesn't start on boot is to protect the autorun registry keys, which most HIPS do." }-
Well, what about explorer.exe... and write or even read permissions? Think about it ;)
alex_s
February 17th, 2009, 06:13 PM
-{ Quote: "Well, what about explorer.exe... and write or even read permissions? Think about it ;)" }-
Let us talk about it? :)
Introduce your scenario. I can accept that protecting the reg records ONLY is not enough, but the main idea is that the only way to prevent startup is to prevent the actions that result in something starting.
Alcyon
February 17th, 2009, 06:38 PM
By locking strategic locations (with file or application protection), following malware patterns, denying specific and obvious application operations, etc...
alex_s
February 17th, 2009, 08:19 PM
-{ Quote: "By locking strategic locations (with file or application protection), following malware patterns, denying specific and obvious application operations, etc..." }-
This sounds great, sure, but I do not understand what you mean, sorry. Could you be more specific?
noone_particular
February 17th, 2009, 10:32 PM
System Safety Monitor loads very early. Taken from my Win 2k unit using LoadOrder:
Start | Group | Tag | Service | Display name
Boot | Boot Bus Extender | 1 | ACPI | Microsoft ACPI Driver
Boot | Boot Bus Extender | 2 | PCI | PCI Bus Driver
Boot | Boot Bus Extender | 3 | isapnp | PnP ISA/EISA Bus Driver
Boot | System Bus Extender | 4 | IntelIde |
Boot | System Bus Extender | 8 | MountMgr |
Boot | System Bus Extender | 9 | Ftdisk | Volume Manager Driver
Boot | System Bus Extender | 10 | Diskperf |
Boot | System Bus Extender | 12 | dmload |
Boot | System Bus Extender | 13 | dmio | Logical Disk Manager Driver
Boot | System Bus Extender | 5 | PartMgr |
Boot | System Bus Extender | 6 | safemon | System Safety Monitor 2.0 Core Engine
Boot | SCSI miniport | 25 | atapi | Standard IDE/ESDI Hard Disk Controller
Boot | SCSI Class | 2 | Disk | Disk Driver
Boot | Base | 1 | KSecDD |
Boot | NDIS Wrapper | n/a* | NDIS | NDIS System Driver
Boot | PnP Filter* | 3* | agp440 | Intel AGP Bus Filter
Boot | Network* | 2* | Mup | Mup
System | System Bus Extender | 14 | lbrtfdc |
System | Primary disk | 4 | Sfloppy |
System | SCSI CDROM Class | 2 | Cdrom | CD-ROM Driver
System | Filter | 5 | Changer |
System | Filter | 6 | Cdaudio |
System | Boot file system | n/a* | Fs_Rec |
System | Base | 1 | Null |
System | Base | 2 | Beep |
System | Keyboard Port | 4 | i8042prt | i8042 Keyboard and PS/2 Mouse Port Driver
System | Pointer Class | 1 | Mouclass | Mouse Class Driver
System | Keyboard Class | 1 | Kbdclass | Keyboard Class Driver
System | Video | n/a* | sglfb |
System | Video | n/a* | tga |
System | Video Save | 1 | VgaSave |
System | Video Save | n/a* | mnmdd |
System | File system | n/a* | fwdrv | Kerio Personal Firewall Driver
System | File system | n/a* | Msfs |
System | File system | n/a* | Npfs |
System | Streams Drivers | 1 | RasAcd | Remote Access Auto Connection Driver
System | PNP_TDI | 4 | Tcpip | TCP/IP Protocol Driver
System | NetBIOSGroup | 1 | NetBIOS | NetBIOS Interface
System | Parallel arbitrator | 1 | Parport | Parallel port driver
System | Extended base | 1 | Serial | Serial port driver
System | PCI Configuration | 1* | PCIDump |
System | Network* | 5* | MRxSmb | MRXSMB
System | Network* | 4* | Rdbss | Rdbss
System | Pnp Filter* | 2* | redbook | Digital CD Audio Playback Filter Driver
Automatic | Base | 18 | ousbehci | OrangeWare USB Enhanced Host Controller Service
Automatic | Event log | n/a* | Eventlog | Event Log
Automatic | PNP_TDI | 5 | NetBT | NetBios over Tcpip
Automatic | TDI | n/a* | AFD | AFD Networking Support Environment
Automatic | PlugPlay | n/a* | PlugPlay | Plug and Play
Automatic | Extended base | 2 | ParVdm |
Automatic | extended base | 5 | hidusb | Microsoft HID Class Driver
Automatic | n/a* | n/a* | dmserver | Logical Disk Manager
Automatic | n/a* | n/a* | Fips | Fips
Automatic | NetworkProvider* | n/a* | lanmanworkstation | Workstation
Automatic | n/a* | n/a* | mdmxsdk |
Automatic | n/a* | n/a* | NtmsSvc | Removable Storage
Automatic | n/a* | n/a* | PersFw | Kerio Personal Firewall
Automatic | n/a* | n/a* | ProtectedStorage | Protected Storage
Automatic | n/a* | n/a* | RpcSs | Remote Procedure Call (RPC)
Automatic | n/a* | n/a* | SamSs | Security Accounts Manager
Automatic | n/a* | n/a* | SchedulingAgent |
Automatic | Network* | n/a* | SENS | System Event Notification
How early a HIPS starts is not that critical. How well it's configured and what the user chooses to allow is what counts. With a decently configured HIPS on board, user error is the only likely scenario that will lead to a compromise. Malware isn't going to be in the autostart unless the user has already allowed it to run or install. If the user allowed the process or installer, they most likely allowed the autostart entries as well. The only other scenario is a horribly insecure configuration of the HIPS which also points to user error.
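Where a listing like the one above comes from, as an added example in Python (not LoadOrder's code and not part of the post): Windows orders boot-start drivers (Start=0, loaded by the boot loader), then system-start drivers (Start=1, loaded by the I/O manager), then auto-start services (Start=2, started by the SCM). Within one Start value the order follows the position of the service's Group in HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List, and within a group the position of its Tag in that group's entry under Control\GroupOrderList, which is why PartMgr (tag 5) appears after dmio (tag 13) above. The trimmed group list, the GroupOrderList entries, the service subset and the "rival" entry are constructed approximations for this example.

```python
"""Added example: recompute LoadOrder's ordering from the registry facts that
drive it, then show that the same facts can be rewritten by any admin process,
which is alex_s's point that boot order cannot be guaranteed."""

from dataclasses import dataclass
from typing import Optional

# Constructed, trimmed approximation of ServiceGroupOrder\List (order matters).
SERVICE_GROUP_ORDER = [
    "System Reserved", "Boot Bus Extender", "System Bus Extender",
    "SCSI miniport", "Port", "Primary disk", "SCSI Class", "SCSI CDROM Class",
    "Filter", "Boot file system", "Base", "Pointer Port", "Keyboard Port",
    "Pointer Class", "Keyboard Class", "Video Init", "Video", "Video Save",
    "File system", "Event log", "Streams Drivers", "NDIS Wrapper", "PNP_TDI",
    "NDIS", "TDI", "NetBIOSGroup", "SpoolerGroup", "NetDDEGroup",
    "Parallel arbitrator", "Extended base", "RemoteValidation",
    "PCI Configuration",
]

# Constructed GroupOrderList entries. The *position* of a tag decides the
# order, not its numeric value: 5 and 6 come after 13 here.
GROUP_ORDER_LIST = {
    "Boot Bus Extender": [1, 2, 3],
    "System Bus Extender": [1, 2, 3, 4, 8, 9, 10, 12, 13, 5, 6, 7, 11, 14],
    "SCSI Class": [1, 2],
    "PNP_TDI": [1, 2, 3, 4, 5],
}


@dataclass(frozen=True)
class Service:
    name: str
    start: int                    # 0 = Boot, 1 = System, 2 = Automatic
    group: Optional[str] = None
    tag: Optional[int] = None


def _group_rank(group, group_order):
    # Groups missing from the list, and services with no group, come last.
    return group_order.index(group) if group in group_order else len(group_order)


def _tag_rank(svc, group_order_list):
    tags = group_order_list.get(svc.group, [])
    if svc.tag is not None and svc.tag in tags:
        return (0, tags.index(svc.tag))
    return (1, 0)                 # untagged/unlisted: after the tagged ones, in input order


def load_order(services, group_order=SERVICE_GROUP_ORDER, group_order_list=GROUP_ORDER_LIST):
    """Return the services sorted in the order Windows starts them."""
    return sorted(services, key=lambda s: (s.start,
                                           _group_rank(s.group, group_order),
                                           _tag_rank(s, group_order_list)))


def loads_before(a, b, services, **kw):
    names = [s.name for s in load_order(services, **kw)]
    return names.index(a) < names.index(b)


def cut_in_front(services, group_order_list, name="rival"):
    """Register a boot-start driver in the first real group and put its tag at
    the head of that group's GroupOrderList. Any admin process can write these
    three values, so the HIPS core driver's early slot is configuration, not a
    guarantee. Returns a new service list and GroupOrderList; inputs untouched."""
    group = "Boot Bus Extender"
    gol = {g: list(t) for g, t in group_order_list.items()}
    new_tag = max(gol.get(group, [0])) + 1
    gol[group] = [new_tag] + gol.get(group, [])
    return [Service(name, 0, group, new_tag)] + list(services), gol


# Subset of the listing above, as constructed data.
SAMPLE = [
    Service("ACPI", 0, "Boot Bus Extender", 1),
    Service("PCI", 0, "Boot Bus Extender", 2),
    Service("IntelIde", 0, "System Bus Extender", 4),
    Service("MountMgr", 0, "System Bus Extender", 8),
    Service("dmio", 0, "System Bus Extender", 13),
    Service("PartMgr", 0, "System Bus Extender", 5),
    Service("safemon", 0, "System Bus Extender", 6),
    Service("atapi", 0, "SCSI miniport", 25),
    Service("Disk", 0, "SCSI Class", 2),
    Service("Fs_Rec", 1, "Boot file system"),
    Service("fwdrv", 1, "File system"),
    Service("Msfs", 1, "File system"),
    Service("Tcpip", 1, "PNP_TDI", 4),
    Service("Eventlog", 2, "Event log"),
    Service("PersFw", 2),
    Service("RpcSs", 2),
]

if __name__ == "__main__":
    for s in load_order(SAMPLE):
        print(f"{s.start} {s.group or 'n/a':22} {s.tag if s.tag is not None else 'n/a':>4} {s.name}")
    rival_services, rival_gol = cut_in_front(SAMPLE, GROUP_ORDER_LIST)
    print("first after rewrite:", load_order(rival_services, group_order_list=rival_gol)[0].name)
```

Running it reproduces the Boot/System/Automatic banding of the listing (safemon before the Kerio driver fwdrv, which is before the Kerio service PersFw), and the second call shows the ordering flipping the moment the registry data is changed, which is why the thread's later posts move the discussion from "who loads first" to protecting the keys that decide it.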
Alcyon
February 18th, 2009, 12:58 AM
-{ Quote: "This sounds great, sure, but I do not understand what do you mean, sorry. Could you be more specific ?" }-
What I mean is that relying on the registry isn't enough. There are two other important layers missing: application and file protection. They can both do a superb job as well!
EASTER
February 18th, 2009, 01:40 AM
I wonder if it WOULD BE SAFE to advance EQS to start up even earlier in the pecking order.
I finally killed the mspaint AKLT keylogger #1 easily with a rule but the #2 evades like it was part of the system, but i found out the API it uses (bitbit) or something on that order would have to be hard coded in EQS to knock it off. NO real biggie, just bugs me because EQS BLASTS! BLOCKS! and otherwise SEALS! off a ton of entry points with either alerts or outright blinds them in the same manner as their own stealth. :thumb:
EASTER
Sully
February 18th, 2009, 05:36 AM
Easy solution would be to lock down the autostart directories and reg keys, and then run as a User. This way only admin can create any autostart features. Of course, you still need to trust what admin is doing. I like apps like StartupMonitor or Arovax because they are small and really only do one thing. But for advanced users this can be enough.
Sul.
alex_s
February 18th, 2009, 08:52 AM
-{ Quote: "What i mean is that relying on the registry isn't enough. There's two other important layers missing: application and file protection. They can both make a superb job aswell!" }-
Agree :)
I talked about reg protection as an alternative to trying to boot "first of all". I didn't mean reg protection is enough; I meant that you should not rely on a boot order which cannot be guaranteed.
Just imagine two programs fighting to be the first to boot. The moment one program makes itself the first, the second jumps up and reconfigures the boot order. But the moment it has reconfigured the boot order, the first program jumps up and does the same. What we have in this situation is a permanent fight :)
wat0114
February 18th, 2009, 09:05 AM
Absolutely, it's a given that registry protection is only part of the solution. Malware Defender, for one, will protect against file writing to any directory, all file types if desired, though this latter option will produce a very "chatty" HIPS. I'm building up my global rule to alert on common high risk executables attempting to write to critical directories such as root and \Windows\*.
PROROOTECT
February 18th, 2009, 11:07 AM
Memory use of my programs from post #3 is only: 1924 Kb + 456 Kb + 228 Kb = 2608 Kb.
They are sufficient for me.
PROROOTECT
demonon
February 18th, 2009, 02:17 PM
Just for references;
LoadOrder from the Sysinternals suite can determine the load order of all your programs and even all your hardware. Give it a go if you want to determine precisely when a HIPS loads.
Graphic Equaliser
March 6th, 2009, 09:03 AM
-{ Quote: ""Detects changes afterward: It will not prevent your system from being modified or corrupted. It will only tell you that something suspicious happened. Think of it as an early CAT scan against system tumors."
The same goes for most other applications: WinPatrol, MJ Registry Watcher, System Protect ...
" }-
Sorry, but that's just not true. MJ Registry Watcher not only hooks registry changes but also files and directories. As soon as an unexpected change occurs to system registry settings, it will undo the change and pop up an alert offering to reject or accept the change. If you accept the change, it then redoes the undone change for you. If files are unexpectedly deposited in windows\system32, MJRW will pop up with an offer to quarantine them, and if it can't move them immediately, move them at next reboot. MJRW has evolved way past a simple registry poller. It's free and available from http://www.jacobsm.com/mjsoft.htm#rgwtchr ! ;) :D
progress
March 6th, 2009, 11:36 AM
-{ Quote: "it will undo the change and pop up an alert offering to reject or accept the change. If you accept the change, it then redoes the undone change for you." }-
That's what I don't like ::)
jmonge
March 6th, 2009, 12:03 PM
-{ Quote: "Sorry, but that's just not true. MJ Registry Watcher not only hooks registry changes but also files and directories. As soon as an unexpected change occurs to system registry settings, it will undo the change and pop up an alert offering to reject or accept the change. If you accept the change, it then redoes the undone change for you. If files are unexpectedly deposited in windows\system32, MJRW will pop up with an offer to quarantine them, and if it can't move them immediately, move them at next reboot. MJRW has evolved way past a simple registry poller. It's free and available from http://www.jacobsm.com/mjsoft.htm#rgwtchr ! ;) :D" }-
Hi, nice little program :thumb: How does it compare to WinPatrol Plus? Not comparing them, but I just met MJRW and already like the idea ;) And where can I find the MJRW quarantine? Thanks. And if I set it to highest when first installed, does it block any existing security apps? Thanks again.
Also, if I set the protection to max and reject, then decide to auto allow, will that release the quarantine to be allowed, or will it remember the previous action (reject)?
Graphic Equaliser
March 6th, 2009, 07:58 PM
Please read the help file which should answer all your questions. Keys can be prefixed with an overriding action symbol. They are detailed :-
PREFIXES
You can prefix keys and filespecs with these mnemonics :-
# - the line is commented out, and is not monitored.
! - automatically reject any changes to this key.
= - automatically accept any changes to this key.
$ - automatically prompt for any changes to this key.
HTH,
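The four prefixes listed above, together with the undo-then-redo behaviour described in the earlier post (and the per-directory write rules wat0114 describes for Malware Defender), as an added example in Python that is not MJRW's code and not part of any post here. The prefix letters and their meanings are as Graphic Equaliser lists them; the rule lines and change events are constructed, and longest-match precedence, subkey inheritance, wildcard filespecs and "prompt" as the action for an unprefixed line are this example's assumptions, not MJRW's documented semantics.

```python
"""Added example: evaluate MJRW-style rule lines (#, !, =, $ prefixes) against
registry-key and file-path changes, and model the "undo, ask, redo" handling
on an in-memory store."""

from fnmatch import fnmatchcase

ACTIONS = {"!": "reject", "=": "accept", "$": "prompt"}
DEFAULT_ACTION = "prompt"     # assumption: an unprefixed line behaves like '$'


def parse_rules(text):
    """Return [(action, pattern)] with patterns casefolded; '#' lines are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in ACTIONS:
            action, pattern = ACTIONS[line[0]], line[1:].strip()
        else:
            action, pattern = DEFAULT_ACTION, line
        rules.append((action, pattern.casefold()))
    return rules


def _matches(pattern, target):
    if any(c in pattern for c in "*?["):
        return fnmatchcase(target, pattern)            # filespec with wildcards
    # Plain key or directory: the path itself and everything beneath it.
    return target == pattern or target.startswith(pattern + "\\")


def decide(rules, target):
    """Action for a change at `target`: the longest matching pattern wins,
    'ignore' when no rule matches."""
    best = None
    t = target.casefold()
    for action, pattern in rules:
        if _matches(pattern, t) and (best is None or len(pattern) > len(best[1])):
            best = (action, pattern)
    return best[0] if best else "ignore"


def handle_change(rules, store, target, name, new_value, user_accepts=None):
    """Apply a write to `store` ({(key, value_name): data}) the way the post
    describes: the write has already happened when the watcher sees it;
    reject and prompt undo it, and prompt redoes it only if the user accepts.
    Returns the rule action that fired."""
    key = (target.casefold(), name.casefold())
    old = store.get(key)
    store[key] = new_value
    action = decide(rules, target)
    if action in ("accept", "ignore"):
        return action
    if old is None:                     # undo: restore the previous state
        store.pop(key, None)
    else:
        store[key] = old
    if action == "prompt" and user_accepts:
        store[key] = new_value          # redo on the user's say-so
    return action


# Constructed rule file in the prefix syntax from the post.
RULES_TXT = r"""
# HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
!HKLM\SYSTEM\CurrentControlSet\Services
=HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
$HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
!C:\WINDOWS\system32\*.dll
"""

if __name__ == "__main__":
    rules = parse_rules(RULES_TXT)
    for target in (r"HKLM\SYSTEM\CurrentControlSet\Services\badsvc",
                   r"HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application",
                   r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                   r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
                   r"C:\WINDOWS\system32\evil.dll"):
        print(f"{decide(rules, target):7} {target}")
```

Two points worth keeping in mind when writing rules like these: a subkey rule (`=...\Services\Eventlog`) must be at least as long as the parent rule it overrides, which longest-match gives you for free, and a commented-out line is not a "prompt" but a blind spot, since nothing matches it at all.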
jmonge
March 7th, 2009, 12:52 AM
-{ Quote: "Please read the help file which should answer all your questions. Keys can be prefixed with an overriding action symbol. They are detailed :-
PREFIXES
You can prefix keys and filespecs with these mnemonics :-
# - the line is commented out, and is not monitored.
! - automatically reject any changes to this key.
= - automatically accept any changes to this key.
$ - automatically prompt for any changes to this key.
HTH," }-
Thanks a lot.
EASTER
March 8th, 2009, 04:31 AM
@GE
It's always a pleasure and a relief that you periodically but timely chime in on your great project MJ Registry Watcher.
I look for your opinion in this matter and appreciate your sincere recommendations.
Compatible as it is, would you think it redundant at all to apply your app alongside and in tandem with the likes of #1 EQSecure (HIPS) as well as #2 MAMUTU (behavioral blocker), as yet another monitor, in order to better double up coverage of the most vulnerable areas that your app covers, including file and especially registry monitoring?
I have yet to find a single app that is capable of covering this vast array of so many areas of possible contention should that arise, and feel confident that MJ Registry Watcher would especially complement either or both of those apps aforementioned.
Thanks and keep up the good work GE, it is greatly appreciated.
EASTER
Graphic Equaliser
March 9th, 2009, 11:16 AM
I am already working on MJRW 1.2.6.5 and I have added a mass of keys to it, all from :-
http://gladiator-antivirus.com/forum/index.php?showtopic=24610
as well as other places. This is quite an exhaustive list and covers virtually any entry point. This would mean that MJRW should stop nearly any trojan attack in its tracks, and provide a log of changes made to your system so you can manually remove them, if MJRW failed to do so when the attack was launched.
How MJRW sits with other types of security app, I'm not entirely sure, but it does little to upset the system. It installs nothing (no drivers or system table hooks) to the PC! It does set up hooks on changes to the registry and various directories, but does so using the standard Windows API functions to achieve this. It will fail gracefully with a relevant message if a hook fails to install and fall back to polling for changes. So, it is pretty robust.
Copyright ©2002 - 2012, Wilders Security Forums