CFP - Poor pop up alerts compared with other HIPS?
aigle
August 18th, 2009, 03:23 PM
The thread by underdog (http://www.wilderssecurity.com/showthread.php?t=250833) inspired me and I tested a special scenario with multiple HIPS. I wanted to see how clear, simple and user friendly the pop up alerts given by multiple HIPS on a driver/service install are.
I tried three HIPS:
- CFP
- EQS
- OA
I am summarizing my findings here. I may be wrong anywhere as I am just an ordinary user with very limited knowledge.
I installed the trial version of virtual cd 9
http://www.virtualcd-online.com/vcd/apps/download/vcddownload.cfm?lg=0
and looked for the pop up alerts generated by HIPS on driver/service install. This software installs the following drivers/services:
1- VDRV9000.SYS( driver)
2- HH9Help.sys( driver)
3- VC9SecS.exe( service)
My observations are as follows:
1- Out of the three HIPS I tried, IMO the best alerts are given by EQS. It clearly warned that a driver/service was being installed. Pop ups were not few, but they were also not so numerous that one gets lost in them. Look at the pop up alerts by EQS. Not all pop ups are shown, I am showing the relevant alerts only.
aigle
August 18th, 2009, 03:24 PM
2- The worst type of alerts are given by CFP (of course in my opinion only). CFP alerts are too numerous. It never tells you directly that a service/driver is being installed. Rather it gives alerts about registry modification that many users will not understand are in fact driver/service install alerts. Moreover, registry modification alerts in this case are so numerous that one might just get lost in these alerts and overlook the registry modification alerts that actually indicate that a service/driver is being installed.
Look at the alerts by CFP. Not all alerts are shown, I am showing the relevant alerts only. CFP gave countless alerts about registry modifications.
aigle
August 18th, 2009, 03:25 PM
3- OA was in between (maybe on top for some). It gave very few alerts. It clearly gave red alerts on driver/service install, but IMO the alerts were not so clear as they did not mention that a driver is being installed, although the red alarming colour compensated for it to some extent. OA however did not give any alert about the service install (VC9SecS).
Look at the relevant pop up alerts by OA.
aigle
August 18th, 2009, 03:25 PM
I could not try MD as I have no licence for that. If anyone can try and post the relevant alerts I will be thankful.
Conclusion: CFP needs to make its alerts clear that a service/driver is being installed, and it also needs to decrease the huge number of registry modification alerts (IMO).
I am posting the very same thread on their forums in case they listen. Let's hope. Let me know of your opinions.
firzen771
August 18th, 2009, 03:27 PM
Any chance you'd be willing to try Outpost Firewall?
StevieO
August 18th, 2009, 03:34 PM
Hi aigle
Thanx for the tests.
When a driver is about to be installed, I think a much clearer warning should be given on all such apps, as most people wouldn't even know what it was, or .SYS.
Something like,
A potentially harmful piece of software is about to be installed. If this came from a reputable source, then it's probably OK. If in doubt, do NOT proceed; make a note of its name, and then use a search engine for more information.
aigle
August 18th, 2009, 04:12 PM
I agree. OA gave red alerts at least.
aigle
August 18th, 2009, 04:14 PM
-{ Quote: "Any chance you'd be willing to try Outpost Firewall?" }-
Never used it, and it takes a lot of time to try and understand a new HIPS. I spent almost a day already.
firzen771
August 18th, 2009, 04:17 PM
-{ Quote: "Never used it, and it takes a lot of time to try and understand a new HIPS. I spent almost a day already." }-
I'm not really interested in an in-depth understanding of the HIPS. I just won't be home for 4 days and am curious what Outpost HIPS alerts look like for this situation at the default level and, if that doesn't alert, then at max (preferably the alert at max or whatever it is between middle and max), since I'm considering installing Outpost on my main machine.
Creer
August 18th, 2009, 05:01 PM
-{ Quote: "I could not try MD as I have no licence for that. If anyone can try and post the relevant alerts I will be thankful.
Conclusion: CFP needs to make its alerts clear that a service/driver is being installed, and it also needs to decrease the huge number of registry modification alerts (IMO).
I am posting the very same thread on their forums in case they listen. Let's hope. Let me know of your opinions." }-
Aigle, don't forget about Conficker test:
http://www.wilderssecurity.com/showpost.php?p=1444190&postcount=115
Good job! :thumb:
firzen771
August 18th, 2009, 05:03 PM
-{ Quote: "Aigle, don't forget about Conficker test:
http://www.wilderssecurity.com/showpost.php?p=1444190&postcount=115
Good job! :thumb:" }-
lol so whatever happened to the infamous Conficker? Wasn't it supposed to, like, cripple the world ;D
raven211
August 18th, 2009, 05:17 PM
Was all the software run with its respective default settings?
raven211
August 18th, 2009, 05:17 PM
-{ Quote: "Aigle, don't forget about Conficker test:
http://www.wilderssecurity.com/showpost.php?p=1444190&postcount=115
Good job! :thumb:" }-
I'll always remember that topic in the back of my head - don't worry. ;D
Joeythedude
August 18th, 2009, 05:38 PM
Good test. Thanks.
They all did mention services or blah.sys which is good.
Personally I'd only want to know how many *.sys files were being loaded, so more alerts than that would be a nuisance.
dw426
August 18th, 2009, 05:48 PM
I agree completely with your findings, I too saw mostly "registry modifications" in CFP alerts, which, well, to put it rather bluntly, are useless. Allow me to hop up on my soapbox again real quick, I won't be up there long: Imho, none of these apps you tested have acceptable alerts. Okay, so they say "if you trust this program", well, okay, so what IS that program? Just about every legit program I've ever run has done "suspicious" things, it's simply the way programs work. If that's the case, how in the world are the "average" among us supposed to know when to answer allow and when to answer deny?
A lot of people here (and elsewhere too of course) are quick to praise these HIPS apps and recommend they be added whenever someone comes along and asks if their setup looks ok or they are brand new and wonder what they really need to be secure. That's fine, but right after we all suggest this stuff, how about we point them in the direction of a good "OS basics" manual, whether that be a post set up here, a website, whatever?
If people are going to answer these prompts right and have the apps work for them and not against them, and if HIPS is ever going to be more than just a "specialty", then these people are going to need to know WHY "injections" are occurring, and WHY files and registries are being modified. We seem perfectly willing to make pages and pages of posts on the intricacies of Sandboxie, even explaining why the configurations that we post in detail are suggested. We do that for Sandboxie, SRP, firewalls, anti-virus, but no one ever bothers to explain much about HIPS (unless I'm missing posts here).
Yet, with so little explanation, we cheerily sing HIPS praises daily, suggesting them to people that just want to make a secure environment for their small office, right down to people that admit they don't even understand the concept of things like Sandboxie...and then we want them to answer prompts about .sys files being modified and other cryptic jargon being spewed forth from these apps. *takes deep breath* All I'm saying is apply the same amount of knowledge and willingness to help towards HIPS as we do other security measures. HIPS might be the strongest security out there, but it isn't going to secure a bucket of chicken if one prompt is answered wrong.
IceCube1010
August 18th, 2009, 06:34 PM
-{ Quote: "I agree completely with your findings, I too saw mostly "registry modifications" in CFP alerts, which, well, to put it rather bluntly, are useless. Allow me to hop up on my soapbox again real quick, I won't be up there long: Imho, none of these apps you tested have acceptable alerts. Okay, so they say "if you trust this program", well, okay, so what IS that program? Just about every legit program I've ever run has done "suspicious" things, it's simply the way programs work. If that's the case, how in the world are the "average" among us supposed to know when to answer allow and when to answer deny?
A lot of people here (and elsewhere too of course) are quick to praise these HIPS apps and recommend they be added whenever someone comes along and asks if their setup looks ok or they are brand new and wonder what they really need to be secure. That's fine, but right after we all suggest this stuff, how about we point them in the direction of a good "OS basics" manual, whether that be a post set up here, a website, whatever?
If people are going to answer these prompts right and have the apps work for them and not against them, and if HIPS is ever going to be more than just a "specialty", then these people are going to need to know WHY "injections" are occurring, and WHY files and registries are being modified. We seem perfectly willing to make pages and pages of posts on the intricacies of Sandboxie, even explaining why the configurations that we post in detail are suggested. We do that for Sandboxie, SRP, firewalls, anti-virus, but no one ever bothers to explain much about HIPS (unless I'm missing posts here).
Yet, with so little explanation, we cheerily sing HIPS praises daily, suggesting them to people that just want to make a secure environment for their small office, right down to people that admit they don't even understand the concept of things like Sandboxie...and then we want them to answer prompts about .sys files being modified and other cryptic jargon being spewed forth from these apps. *takes deep breath* All I'm saying is apply the same amount of knowledge and willingness to help towards HIPS as we do other security measures. HIPS might be the strongest security out there, but it isn't going to secure a bucket of chicken if one prompt is answered wrong." }-
Agree unfortunately. The hips component can be the strongest part of your security arsenal but it could also be the weakest.
Ice
subset
August 18th, 2009, 06:36 PM
-{ Quote: "It clearly gave red alerts on driver/ service install but IMO alerts were not so clear as they did not mention that a driver is being installed athough the red alarming color compensated it to some extent." }-
There is simply no extra prompt for drivers/services; everything comes as an Autostart warning. This may be OK for standard mode, but in expert mode there should be accurate information.
-{ Quote: "OA however did not give any alert about the service install (VC9SecS)." }-
Some parts of Virtual CD may be excluded because of signatures or OASIS, so I think you have to disable the OA whitelist for this prompt.
-{ Quote: "any chance ud be willing to try Outpost Firewall?" }-
Outpost is very accurate, apart from 'driver or service'.
It's pretty much the same with PS/RTD, but here everything is a service.
Cheers
aigle
August 18th, 2009, 07:29 PM
Thanks for the nice screenshots.
jp10558
August 18th, 2009, 08:11 PM
-{ Quote: "3- It clearly gave red alerts on driver/service install, but IMO the alerts were not so clear as they did not mention that a driver is being installed, although the red alarming colour compensated for it to some extent." }-
One thing to notice for CIS is that it DID give red colour alerts vs orange or yellow (see the top bar colour), so this ought to be a mitigation as with OA. That said, the content of these alerts was meaningless for me.
I do think that Outpost probably has the best alerts for this, but is it the pay or the free Outpost shown?
subset
August 18th, 2009, 08:44 PM
-{ Quote: "I do think that Outpost probably has the best alerts for this, but is it the pay or the free Outpost shown?" }-
These are from Outpost Pro, but as far as I know there will be no difference with OP Free because the Host Protection is the same.
-{ Quote: "I could not try MD as I have no licence for that. If anyone can try and post the relevant alerts I will be thankful." }-
These are the MD prompts.
IMHO also very accurate prompts with useful information.
There are also all these prompts about the registry stuff, like with CIS.
Cheers
Joeythedude
August 18th, 2009, 10:57 PM
Malware Defender & Outpost look the best to me. This was a great idea for a thread. Funny the way the different apps compare.
Dregg Heda
August 19th, 2009, 12:00 AM
-{ Quote: "I agree completely with your findings, I too saw mostly "registry modifications" in CFP alerts, which, well, to put it rather bluntly, are useless. Allow me to hop up on my soapbox again real quick, I won't be up there long: Imho, none of these apps you tested have acceptable alerts. Okay, so they say "if you trust this program", well, okay, so what IS that program? Just about every legit program I've ever run has done "suspicious" things, it's simply the way programs work. If that's the case, how in the world are the "average" among us supposed to know when to answer allow and when to answer deny?
A lot of people here (and elsewhere too of course) are quick to praise these HIPS apps and recommend they be added whenever someone comes along and asks if their setup looks ok or they are brand new and wonder what they really need to be secure. That's fine, but right after we all suggest this stuff, how about we point them in the direction of a good "OS basics" manual, whether that be a post set up here, a website, whatever?
If people are going to answer these prompts right and have the apps work for them and not against them, and if HIPS is ever going to be more than just a "specialty", then these people are going to need to know WHY "injections" are occurring, and WHY files and registries are being modified. We seem perfectly willing to make pages and pages of posts on the intricacies of Sandboxie, even explaining why the configurations that we post in detail are suggested. We do that for Sandboxie, SRP, firewalls, anti-virus, but no one ever bothers to explain much about HIPS (unless I'm missing posts here).
Yet, with so little explanation, we cheerily sing HIPS praises daily, suggesting them to people that just want to make a secure environment for their small office, right down to people that admit they don't even understand the concept of things like Sandboxie...and then we want them to answer prompts about .sys files being modified and other cryptic jargon being spewed forth from these apps. *takes deep breath* All I'm saying is apply the same amount of knowledge and willingness to help towards HIPS as we do other security measures. HIPS might be the strongest security out there, but it isn't going to secure a bucket of chicken if one prompt is answered wrong." }-
This is an EXCELLENT post dw426! It would be great if there was some resource which could explain to newbies such as myself how to answer HIPS prompts correctly.
dw426
August 19th, 2009, 03:05 AM
Hi there, SSJ. I have to say I agree with what you say also, HIPS apps ARE like an AV with an awesome detection rate and horrible FP rate. I've never heard it put that way, but I don't think it could have been defined any better :) Now, on to your example of surfing the internet and having that ".exe wants to run" prompt...you're darned right that's a HUGE red flag....unfortunately that scenario is rarely played out, it's 99% of the time a GOOD program bringing up these alerts, and lots of times when you aren't surfing but just running/installing a program.
I wish I knew of a better way to make HIPS "smarter", and have these alerts not appear so cryptic yet still give enough information to evaluate the prompt. However, I have no such knowledge to do so. To me, HIPS products scare people more than help them. They run a simple game or something, and all of a sudden these red-bordered warnings with the words "malicious" and "execute" pop up, they're likely to freak out, even if they already scanned said game for malware/viruses beforehand (I use that example because it happened to me once before I knew a bit more about how things work).
firzen771
August 19th, 2009, 04:27 AM
-{ Quote: "There is simply no extra prompt for drivers/services, everything comes as Autostart warning. This may be ok for standard mode, but in expert mode there should be an accurate information.
Some parts of Virtual CD may be excluded because of signatures or OASIS, so I think you have to disable the OA whitelist for this prompt.
Outpost is very accurate, apart from 'driver or service'.
Cheers" }-
I've got a kind of dumb question about Outpost. It has the Allow and Deny buttons, but then there's the OK button. What does OK do exactly if you don't pick Allow or Deny?
And second: if you just press Allow and don't use any of its drop-down options, does it just allow once or remember it?
Thanks
aigle
August 19th, 2009, 06:13 AM
wj32, developer of Process Hacker, has explained it very well.
-{ Quote: "There are two main ways a program can load a driver. One is by writing to the registry in HKLM\System\CurrentControlSet\Services and then calling NtLoadDriver. The other is by contacting the services controller (services.exe) and telling it to create a service to load the driver. In the first case, D+ correctly reports that a program is attempting to load a driver, and tells you the filename of the driver. The prompt is also in red (I think). In the second case however, D+ only prompts you about registry access (which most people will allow since it comes from services.exe) and then the driver is loaded. This is a HUGE problem with D+ and I hope the developers will fix it." }-
-{ Quote: "Attached is a small test program demonstrating the two methods. You will be able to see how CIS responds to the two methods with different alerts..." }-
https://forums.comodo.com/empty-t44186.0.html
thathagat
August 19th, 2009, 01:21 PM
-{ Quote: "I've got a kind of dumb question about Outpost. It has the Allow and Deny buttons, but then there's the OK button. What does OK do exactly if you don't pick Allow or Deny?
And second: if you just press Allow and don't use any of its drop-down options, does it just allow once or remember it?
Thanks" }-
The pop up opens with OP's default recommendation (allow/block), so if it's allow and you press OK, you would not be asked again for that particular action. Then there is Smart Advisor, which when pressed connects to the OP server and provides additional info. Based on that you can use the Allow or Deny buttons to either allow the action once or block the action once, and see if, say, blocking it has any effect on the execution, running or functioning of the said programme.
firzen771
August 19th, 2009, 03:55 PM
-{ Quote: "The pop up opens with OP's default recommendation (allow/block), so if it's allow and you press OK, you would not be asked again for that particular action. Then there is Smart Advisor, which when pressed connects to the OP server and provides additional info. Based on that you can use the Allow or Deny buttons to either allow the action once or block the action once, and see if, say, blocking it has any effect on the execution, running or functioning of the said programme." }-
and what about my second question?
subset
August 19th, 2009, 05:15 PM
-{ Quote: "and what about my second question?" }-
If you click just Allow, OP uses the default, which is 'allow once' and no rules will be created for this action.
Cheers
firzen771
August 19th, 2009, 05:16 PM
-{ Quote: "If you click just Allow, OP uses the default, which is 'allow once' and no rules will be created for this action.
Cheers" }-
OK, thanks.
Joeythedude
August 23rd, 2009, 06:52 PM
Tried the install with Free SSM.
No alerts during the install specified that drivers were being installed.
You could see them in the modules log (attached), but this was only updated after the drivers were already in there.
Very disappointing...
Will try with the new Threatfire soon.
Joeythedude
August 24th, 2009, 10:10 PM
OK, so I tried the install with Sandboxie.
-{ Quote: "I installed the trial version of virtual cd 9
http://www.virtualcd-online.com/vcd/...nload.cfm?lg=0
and looked for the pop up alerts generated by HIPS on driver/service install. This software installs the following drivers/services:
1- VDRV9000.SYS( driver)
2- HH9Help.sys( driver)
3- VC9SecS.exe( service)" }-
Did very nicely.
If you switch to the Files & Folders view you can find the drivers.
You get a pop-up saying that the service has been started under Sandboxie's control.
So nicely done.
8)
I think this is a very good way to check for drivers in an install file, and hence for rootkits.
The caveats are:
a) Some POC malware can check if it's running in a virtual environment, and so alter its installation.
b) It might be possible for this file and folder view to be tricked some other way than b).
c) It might be possible for a driver file to be named something other than *.SYS, and be located in another location than the drivers folder.
b) & c) are just my personal theories, make of them what you will.
I would use Sandboxie to check if a program/file I intended to install/use and trusted, say, 90% had a driver file I did not expect.
Personally I think in this role it would cover me against, say, 80% of these cases, given a), b) and c).
(Please note I am not saying Sandboxie is only 80% effective in general!)
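As an added example (not code from any of the products in this thread, and not wj32's test program): a small Python triage routine that reads the kind of Services registry entry wj32 describes (the data a HIPS sees when either load path touches HKLM\System\CurrentControlSet\Services) and emits the plain alert the thread asks for, saying whether a kernel driver or a user-mode service is being registered, and flagging driver images that sit outside the usual drivers folder or do not carry a .sys name (Joeythedude's caveat c). The service names come from the thread; the Type, Start and ImagePath values, the VirtualCD folder and the C:\Windows system root are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Low bits of the REG_DWORD "Type" value stored under
# HKLM\System\CurrentControlSet\Services\<name> (the documented SERVICE_* constants).
SERVICE_KERNEL_DRIVER = 0x01
SERVICE_FILE_SYSTEM_DRIVER = 0x02
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20

# REG_DWORD "Start" values (SERVICE_BOOT_START .. SERVICE_DISABLED).
START_MODES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

WINDOWS_DIR = r"c:\windows"  # assumption: default system root
DRIVERS_DIR = WINDOWS_DIR + r"\system32\drivers" + "\\"

# Constructed sample: names from the thread, all values assumed for illustration.
SAMPLE_SERVICES = {
    "VDRV9000": {"Type": 0x01, "Start": 1, "ImagePath": r"\SystemRoot\system32\DRIVERS\VDRV9000.SYS"},
    "HH9Help":  {"Type": 0x01, "Start": 3, "ImagePath": r"system32\drivers\HH9Help.sys"},
    "VC9SecS":  {"Type": 0x10, "Start": 2, "ImagePath": r'"C:\Program Files\VirtualCD\VC9SecS.exe"'},
    # A hypothetical entry shaped like caveat c): a driver with a non-.sys name outside drivers\.
    "Unexpected": {"Type": 0x01, "Start": 2, "ImagePath": r"C:\Users\Public\update.dat"},
}


@dataclass
class Verdict:
    name: str
    kind: str        # "kernel driver", "file-system driver", "user-mode service" or "unknown"
    start: str       # human-readable start mode
    image: str       # normalised, lower-cased absolute image path
    warnings: list = field(default_factory=list)


def normalize_image_path(raw: str) -> str:
    """Reduce the registry spellings of ImagePath to one comparable form.

    Handles quoted paths with arguments, the \\??\\ prefix, %SystemRoot% and
    \\SystemRoot, and paths relative to the Windows directory ("system32\\...").
    """
    raw = raw.strip()
    # Keep only the executable/driver file, dropping any service arguments.
    m = re.match(r'"?(.*?\.(?:exe|sys|dll))"?', raw, re.IGNORECASE)
    path = (m.group(1) if m else raw.strip('"')).lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    path = path.replace("%systemroot%", WINDOWS_DIR).replace(r"\systemroot", WINDOWS_DIR)
    if not re.match(r"^[a-z]:\\", path):
        path = WINDOWS_DIR + "\\" + path.lstrip("\\")
    return path


def classify(name: str, entry: dict) -> Verdict:
    """Decide what the Services entry registers and note anything odd about it."""
    svc_type = entry.get("Type", 0)
    if svc_type & SERVICE_KERNEL_DRIVER:
        kind = "kernel driver"
    elif svc_type & SERVICE_FILE_SYSTEM_DRIVER:
        kind = "file-system driver"
    elif svc_type & (SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS):
        kind = "user-mode service"
    else:
        kind = "unknown"
    start = START_MODES.get(entry.get("Start"), "unknown")
    image = normalize_image_path(entry.get("ImagePath", ""))
    v = Verdict(name, kind, start, image)
    is_driver = kind.endswith("driver")
    if not entry.get("ImagePath"):
        v.warnings.append("no ImagePath")
    if is_driver and not image.endswith(".sys"):
        v.warnings.append("driver image does not use the .sys extension")
    if is_driver and not image.startswith(DRIVERS_DIR):
        v.warnings.append("driver image is outside system32\\drivers")
    if start in ("boot", "system", "auto"):
        v.warnings.append("starts automatically at boot")
    return v


def alert_text(v: Verdict) -> str:
    """The one-line alert the thread asks for: say plainly what is being installed."""
    line = f"A {v.kind} named '{v.name}' is being installed ({v.image}), start mode: {v.start}."
    if v.warnings:
        line += " Warnings: " + "; ".join(v.warnings) + "."
    return line


def triage_all(services: dict) -> list:
    """Classify every entry of a Services snapshot (dict of name -> values)."""
    return [classify(n, e) for n, e in services.items()]


if __name__ == "__main__":
    for verdict in triage_all(SAMPLE_SERVICES):
        print(alert_text(verdict))
```

Because the service controller records what it creates under the same Services key, an alert built from that key's contents describes both of wj32's load paths in the same words; on a live machine the same three values can be read with the standard winreg module instead of the constructed dictionary.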
Copyright ©2002 - 2012, Wilders Security Forums