The Perfect HIPS ?


Vikorr
July 31st, 2005, 07:18 AM
Just thought I'd start a thread asking what you think the perfect HIPS should consist of <irrespective of how hard it would be to program it all into one HIPS> :

I personally think it should sit at the kernel level, and should do/have :

-Whitelist the computer drivers/exe's etc upon install

-A firewall

-Registry Protection <incl Autostart & DLL injection>
-Global Hook protection

-Internet Browser Protection (for home pages, toolbars etc)
-Decent cookie manager
-Hosts file protection
-Prevent service/driver installation whilst surfing net (or ask user)
-Ask user if exe runs whilst surfing the net

-Script Analyser (for scripts from all sources)

-if an unwhitelisted exe makes changes outside of its Windows folder/registry region, have popup warning stating such, and ask if they are installing a program (I think this idea would work properly - haven't seen it anywhere)

-Prevent modification to any computer whitelisted executable by any nonwhitelisted script/program, unless added to the whitelist

-Prevent the reading of address lists (in email, IM etc) by outside programs (anything not the email, IM client etc)

-Have a trusted install feature, so that you don't have to disable the HIPS to install, but still get warnings about certain things (like a new autorun program, dangerous scripts etc)

Lastly, although I know this steps on AV's areas, I believe it should keep a signature database of the month's top 10,000 Malware (this would take some of the decision making out of our hands, but make the HIPS much quieter, and much more intelligent. 10,000 would make any realtime scan quick, and if it didn't have the signature, it would revert back to normal HIPS function). Only problem with this idea - to keep track of what the top 10k were, you'd have to have a reporting function in the HIPS, and I know not everyone would like that (so option to turn it on or off).

Can't think of any more ideas for now. Have fun making some more suggestions :)

StevieO
July 31st, 2005, 09:55 AM
Hi Vikorr,

A welcome idea for a topic. I would like to suggest the following.


First of all the importance of starting with a clean PC from day one when the HIPS is installed. If this means doing a reformat and a fresh install of the OS etc, then so be it.

Whitelist the computer's dll's also.

Folder write protection Allow/Deny popup.

I think the AV idea might work better if the HIPS worked in tandem with the AV/AT etc, and just called on them to verify things etc when required to do so.

Boot sector tampering prevention/warning Allow/Deny popup, with possible Google etc lookup beforehand.

Motherboard tampering Bios/Video card etc prevention/warning Allow/Deny popup with possible Google etc lookup beforehand.

Encrypted HOSTS file, along with protection.


I don't believe in a one for all App though, as this could lead to Big problems if the App should go down for any reason. For example, a firewall should be a firewall and Nothing else.

Also all Apps should be written in as Highly efficient code as possible, and bloat free. I am a firm believer in having both a simple interface for non techies, and a much more comprehensive one for those that wish to explore further and understand things better.

If I think of anything else I'll post it.


StevieO

MikeNash
July 31st, 2005, 09:59 AM
Hi Guys,

A couple of comments seem appropriate as I've already disclosed some of the upcoming OA facilities and this seems like a good place. I won't comment on stuff OA already does as that's fairly well documented here, and on the site - and as we have around 40 pages of concepts and ideas, I won't list it here.

In the 1.2 release of OA, we're planning to implement powerful registry protection as I have said before. Part of this will be centrally updated rules with plain English descriptions and guidance. For example, a program trying to add itself as a Winlogon notification as some malware has done (stripping rights off the logging on user) would receive a detailed (and red) warning.

Services and device drivers - I've already got code that will protect device drivers and services - but also centralised whitelist as well which includes signature verification (ie MS or other signed code). In this way (like the OA program blocker) the user is not bothered with making decisions if we already know what the answer should be based on the whitelist. The last thing we want is people to make bad decisions based on "popup fatigue".

There are also plans for more extensive protection options for folders and files. For example, as a programmer I want to be able to do repeated builds of my exes and not have OA stick its nose in each time... so my "build" directory would be excluded from monitoring. In a similar vein, I don't want *any* program accessing my "personal finances" folder without my explicit consent (read, write, delete).

The other thing that has become clear - we have focused OA on ease of use, but it seems that it's also highly desirable for the experts around here to have full control and visibility of what's going on. So, we'll likely have a couple of levels of operation... ranging from "Expert, show me *everything* control freak" down to "make decisions for me."

We do have plans for an integrated firewall in OA - but this will likely be in a release 1.4 of the product. As people have already pointed out, there are existing personal firewall solutions that already work well - so this is a nice to have for OA, rather than a critical hole. But, it is coming.

More than anything I am interested in listening on this thread to see what people want to see - and if it fits in with what OA is supposed to do, then it will surely be added to our list. We want to make OA the "no brainer" decision for protecting computers.

@Vikorr - I would not be concerned about HIPS programs stepping on the toes of AV companies. Programs like OA already step on those toes to some extent (mail filter could easily check attachments for viruses) and personally, I think that AV will need to adapt or die.

Mike

MikeNash
July 31st, 2005, 10:03 AM
-{ Quote: "First of all the importance of starting with a clean PC from day one when the HIPS is installed. If this means doing a reformat and a fresh install of the OS etc, then so be it.

StevieO" }-

@StevieO... man, you beat me by seconds!

It's obviously best to start with a clean PC and keep it clean.. but it should still give some protection/recovery capability even if not. Speaking from a purely commercial perspective, if OA required a reformat and rebuild to install I don't think we'd sell many.

Some neat ideas in there... but it's late here, so I'll have to leave it 'till tomorrow to copy and paste them into the OA to-do list.


Mike

richrf
July 31st, 2005, 10:40 AM
Hi,

I think an HIPS product has to do one thing really well - that is, to stop the "bad guys" as early as possible so that they cannot perform any malicious work. Stopping the bad guys from updating a registry or any other system file/database may already be too late.

To this end, the HIPS should be comprehensive in its knowledge of "executable portals". Any vulnerabilities in this area: e.g. scripts, dll injections, inadvertent executable permission, could be fatal to the user. So all "entry points" must be covered. In addition, the user should be given as much information as possible concerning the executable event. Security Task Manager, for example, has a database of "user reviews" of executables to assist users in making their decision.

Refining the "upfront" user decision making process is critical to mass-market acceptance. While all of the other features (e.g. monitor registry/system file access and updates) are interesting, I think the more decisions that a user has to make, the more likely they are going to make the wrong decisions. So the key is to 1) minimize the number of decisions that have to be made by concentrating on the key "choke points" and 2) provide as clear direction and information as possible so as to ensure correct decisions are made, where necessary. Automation, of course, is desirable where plausible.

Rich

Vikorr
July 31st, 2005, 04:56 PM
Although I didn't exactly list it, my thoughts on what HIPS should protect from (not how they should protect from) are :

Internet
-Browser
  -user downloaded files
  -driveby downloads
-IM
  -server
  -attached files
  -address list
-P2P
  -server
  -downloaded files
-Email
  -attached files
  -address list
-VOIP
  -don't know how secure it is, but even if so <once more if it accesses a place it shouldn't>
-Other
  -any other internet vehicle I missed
-General
  -scripts/exe's etc not accessing areas they shouldn't whilst Browser etc open

Installations
-vital changes (autostarts etc)
-exe's etc accessing areas they shouldn't

Exe etc monitoring
-same as installations

Mike, thanks for the info on the direction of OA. StevieO and Rich, I like those thoughts. Quite agree that even with all those features, that it should be as light on system resources as possible.

More ideas/criticisms ? :)

---
July 31st, 2005, 05:49 PM
-{ Quote: "Hi,

To this end, the HIPS should be comprehensive in its knowledge of "executable portals". Any vulnerabilities in this area: e.g. scripts, dll injections, inadvertent executable permission, could be fatal to the user.
Rich" }-

The whole "I want to catch them as early as possible" motto is a nice one, but that's covered by execution protection only. HIPS covers far more than that.

Scripts? Fair enough, though unless you have an exploit in the application, most of the scripts will be executed by you double clicking on them.

Dll injection could only happen if you had already run a rogue process, so that isn't one of your "executable portals" (did you coin this funny phrase?).

Also, I'm not sure how the system could figure out if an execution was "inadvertent". Could be cool though if it was possible. Maybe mind reading powers?

I'm afraid like it or not, you have to let them run a bit, before the system can even begin to determine if it's a possible baddie.

richrf
July 31st, 2005, 05:58 PM
-{ Quote: "I'm afraid like it or not, you have to let them run a bit, before the system can even begin to determine if it's a possible baddie." }-

Maybe, maybe not. The company that solves the "tough problems", will be the one that wins in this marketspace. "Me too" products will be numerous and undifferentiated - and unlikely to return on the investment in any substantial way (e.g. AntiHook). The "me too" vendors will end up like the AT vendors, scrambling for some small differentiator that will keep them afloat. Hopefully, some vendors will take the time to analyze the problem and come up with unobvious and unique solutions. I believe it is possible. It just takes one person with one special insight that possibly no one else has had.

Rich

Vikorr
July 31st, 2005, 07:12 PM
-{ Quote: "I'm afraid like it or not, you have to let them run a bit, before the system can even begin to determine if it's a possible baddie." }-

This is why I like the idea of having white/black lists (with central database) and/or an AV type integration (or maybe calling on the AV to scan as suggested previously) - can tell upfront in 'most' cases, and if not, then revert to 'traditional' HIPS method.

-{ Quote: "Maybe, maybe not. The company that solves the "tough problems", will be the one that wins in this marketspace." }-

The above hopefully solving that problem.... and the problem, as Mike put it, of 'popup fatigue' (and/or lack of knowledge of what the popup means)

toadbee
July 31st, 2005, 07:13 PM
A-squared ? ;D
Version 1.7 beta personal - is really pretty nuts, as well as unique :D

Tower of Power play a tune called "What is Hip?". :P

As another side note I'm thinking the real answer might be Charlize Theron?

Sorry for the Humor... really - how about a-squared? You say IDS I say tomato.

Notok
July 31st, 2005, 07:21 PM
Worms and trojan droppers are among the most prevalent threats out there, and many do not require any user interaction to run, often achieved with mobile code (ie, scripts).

-{ Quote: "and unlikely to return on the investment in any substantial way" }-

Wtf? Investment generally means you get money back. If you buy a winter coat, and it's durable and works well, that's still an expense.. an expense of living in a climate that gets cold in the winter, not an investment. It may be high quality, but that's not the same thing. If your investments require you to give them additional money every year without any payout, it's time to find a better investment.

I also wouldn't judge a product by its uniqueness to the market. There were plenty of registry monitors around when RegDefend came about, and file system filter drivers were nothing new when Prevx came to be. It's all stuff that's already been done, just given a new face with some new features. It's just going to take some time and feedback before they start figuring out how to make these generic protection programs suitable for the masses. It will probably be the company with the largest R&D and marketing budgets that really "win", then there will be plenty of smaller companies to come along and do it better. Personally I judge products by their features, reliability, stability, and ease of use. I'd rather base my decision of a product on its own merits, rather than its place in the market or any other such abstractions.

There have been plenty of groundbreaking ideas in this world, most just go by the wayside unless they come at the right time and in the right place. Until it happens, I doubt any of us will be able to see what the right 'formula' really is.

On the topic at hand, to me the ideal IPS would be something that thoroughly covers all entry points (internet, email, program installations), fortifies existing common security applications (ie, blocks termination, hooking, etc.), then covers the most crucial infection points (ie, stops keyloggers, rootkits, etc., from installing, and generically blocks exploit behavior). To top that off it needs to be light on resources, unintrusive, easy enough to use that I can put it on my mom's machine, and customizable enough for people like myself to configure around other software, security or otherwise.

MikeNash
July 31st, 2005, 07:46 PM
-{ Quote: "Also, I'm not sure how the system could figure out if an execution was "inadvertent". Could be cool though if it was possible. Maybe mind reading powers?
" }-

Maybe it's not entirely possible to figure out inadvertent - but let me give you a real example...

Without OA:
I received a zipfile which contained a nice little "screensaver" - double clicking on it and it failed... it opened up a notepad window saying "unpack failed". Ah well, the free screensaver was no good.

But, of course I knew it was nasty so I ensured I had OA running to test it and see what *really* happened - the sucker dropped a few files in windows\system32, set them to auto run, dropped a couple of batch files - one of which was to give the exes it had just dropped access thru the windows firewall! (don't get me started about API's on firewalls )

Now, obviously I did this as a test to see what OA did... but, if you double clicked on a "screensaver" and you got:

0 - A warning - the EXE is trying to start
1 - A warning telling you that batch files were being executed
2 - A warning saying that the EXE was being set to auto run
3 - A warning saying "this 'lil sucker is trying to write to windows/system"
EDIT: OA doesn't do point(3) just yet...

Finally, followed by the notepad window. Of course, by this stage you'd be wondering what was going on (and, using OA as I did, I was then able to block the exe and rollback the file and reg changes it made).

The point is this - I "intended" to open a screensaver to see what it looked like.. and all that nasty stuff started to happen. The screensaver was my intent, the rest was not.

Mike

Vikorr
July 31st, 2005, 07:46 PM
Oh yeah,

Add to my list, a HIPS that

Handles
-svchost.exe properly
-rundll32.exe properly
- and maybe services.exe (though not exactly sure about this exe)

MikeNash
July 31st, 2005, 07:47 PM
-{ Quote: "Oh yeah,

Add to my list, a HIPS that

Handles
-svchost.exe properly
-rundll32.exe properly
- and maybe services.exe (though not sure about this one)" }-

Rundll32 we already handle correctly, and I believe svchost as well :-)

(Assuming by correctly, you mean "don't trust RunDLL, trust what runDLL runs")

Mike
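Mike's rule above, "don't trust RunDLL, trust what RunDLL runs", as an added example that is not Online Armor's code: it resolves the DLL a rundll32 command line will actually load and makes the whitelist decision on that path instead of on rundll32.exe. The whitelist contents and the System32 location are assumptions; svchost is left out because mapping a service group to its DLLs needs the registry.

```python
import ntpath
import re

# Added example, not Online Armor's code: implements "don't trust rundll32, trust what
# rundll32 runs" by resolving the DLL a rundll32 command line will load and applying the
# whitelist to that path. SYSTEM32 and TRUSTED_DLLS are constructed assumptions.

SYSTEM32 = r"C:\Windows\System32"

TRUSTED_DLLS = {  # constructed whitelist, keyed by normalised lower-case full path
    r"c:\windows\system32\shell32.dll",
    r"c:\windows\system32\user32.dll",
}


def _take_arg(s, stop=""):
    """Pop one argument off the front of s, honouring double quotes; return (arg, rest).
    Unquoted arguments end at whitespace or at any character listed in `stop`."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end < 0:                       # unterminated quote: the rest is the argument
            return s[1:], ""
        return s[1:end], s[end + 1:]
    m = re.match(r"[^\s%s]*" % re.escape(stop), s)
    return m.group(0), s[m.end():]


def _resolve(path, default_ext=None):
    """Normalise a path for whitelist lookup: default extension, System32 for bare names."""
    if default_ext and not ntpath.splitext(path)[1]:
        path += default_ext
    if not ntpath.splitdrive(path)[0] and not path.startswith(("\\", "/")):
        path = ntpath.join(SYSTEM32, path)  # simplification of the real loader search order
    return ntpath.normpath(path).lower()


def rundll32_target(cmdline):
    """Return (dll_path, entry_point) a rundll32 launch will load, or None if not rundll32.

    Mirrors rundll32's syntax, rundll32 <dll>,<entry> [args]: the DLL may be quoted, the
    unquoted form ends at the comma, the extension may be omitted (LoadLibrary appends
    .dll) and a bare name is looked for in System32.
    """
    host, rest = _take_arg(cmdline)
    if ntpath.basename(host).lower() not in ("rundll32.exe", "rundll32"):
        return None
    dll, rest = _take_arg(rest, stop=",")
    rest = rest.lstrip()
    if not dll or not rest.startswith(","):
        return None                       # rundll32 does nothing without the comma
    entry = re.match(r"\S*", rest[1:].lstrip()).group(0)
    return _resolve(dll, ".dll"), entry


def trust_decision(cmdline, trusted=TRUSTED_DLLS):
    """Pick the subject of the trust decision and judge it against the whitelist.

    For rundll32 the subject is the DLL, never rundll32.exe itself; anything else is judged
    on its own image. Returns (verdict, subject) with verdict "allow" or "ask".
    """
    target = rundll32_target(cmdline)
    if target is None:
        subject = _resolve(_take_arg(cmdline)[0])
    else:
        subject = target[0]
    return ("allow" if subject in trusted else "ask", subject)
```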

Vikorr
July 31st, 2005, 07:51 PM
Yup, that's what I meant.

richrf
July 31st, 2005, 10:37 PM
-{ Quote: "The above hopefully solving that problem.... and the problem, as Mike put it, of 'popup fatigue' (and/or lack of knowledge of what the popup means)" }-


Yes, ... or another way to put it, minimizing the number of decisions a user must make, and at the same time maximizing the chances that the user will make the right decision, while all the while maintaining the highest level of system integrity.

Rich

richrf
July 31st, 2005, 10:42 PM
-{ Quote: "
The point is this - I "intended" to open a screensaver to see what it looked like.. and all that nasty stuff started to happen. The screensaver was my intent, the rest was not.Mike" }-

Yes, I agree. And a HIPS product that could follow the action and provide feedback to the user, that something ain't kosher is far more valuable than simple pop-ups. I think these type of capabilities will differentiate HIPS products in the future, as opposed to how many "system objects" are being tracked and being alerted on.

Rich

richrf
July 31st, 2005, 10:43 PM
-{ Quote: "Rundll32 we already handle correctly, and I believe svchost as well :-)

(Assuming by correctly, you mean "don't trust RunDLL, trust what runDLL runs")

Mike" }-

Good job Mike.

Rich

richrf
July 31st, 2005, 10:50 PM
-{ Quote: " Investment generally means you get money back. " }-

I wouldn't look at it like this. Investment means putting resources into something while expecting some value returned at some future date. I think a good ROI is very important to a company, and good value important to customers. Everyone should theoretically feel that it was a "good investment" with a good return.

-{ Quote: "I also wouldn't judge a product by it's uniquness to the market." }-

Unique features tend to drive the market. For example NOD32's heuristics vs. KAV's signature database. When a potential customer comes along and asks why should I purchase A instead of B, companies better have a good story or else their product is very short-lived. Notice how lack of differentiation is driving AT vendors out of the market.

In the case of HIPS, I believe it will be the "ease-of-use" that drives the market - as opposed to "number of objects that are protected". There is lots of potential in creating friendly interfaces, as Online Armor is beginning to demonstrate, though I believe lots more can be done. I am sure Mike would agree.

Rich

MikeNash
July 31st, 2005, 11:20 PM
-{ Quote: "In the case of HIPS, I believe it will be the "ease-of-use" that drives the market - as opposed to "number of objects that are protected". There is lots of potential in creating friendly interfaces, as Online Armor is beginning to demonstrate, though I believe lots more can be done. I am sure Mike would agree.

Rich" }-

Sure... we've already had good feedback and suggestions for improvements and enhancements to the product, so watch this space :-)

Personally, I think another major factor will be support - the accessibility and availability of the sort of support that people want, in a way that is appropriate for the user.

richrf
July 31st, 2005, 11:32 PM
-{ Quote: "Sure... we've already had good feedback and suggestions for improvements and enhancements to the product, so watch this space :-)

Personally, I think another major factor will be support - the accessibility and availability of the sort of support that people want, in a way that is appropriate for the user." }-

Totally agree. If a user has their questions answered - that's 99% of it. It is all about "building a comfort level".

Rich

Vikorr
July 31st, 2005, 11:41 PM
;D Of course, you don't want to have to call/email that support too often. That could lead to some well chosen swear words I would think.

But in the event that you do need to contact support, a prompt response can increase a person's good impressions of a company/product.

Notok
July 31st, 2005, 11:54 PM
-{ Quote: "I wouldn't look at it like this. Investment, means putting resources into something while expecting some value returned at some future date. I think I good ROI is very important to a company, and good value important to customers. Everyone, should theoretical feel that it was a "good investment" with a good return.
" }-

This just sounds more like pompous marketing speak to me, and I think it would probably drive away anyone with real money, the ones that are fully aware of what investments are all about. Quality would probably be a better focus, IMO. Insubstantial, really, I just don't see why you keep bringing it up.

-{ Quote: "Unique features tend to drive the market. For example NOD32's heuristics vs. KAV's signature database." }-

Versus Norton and McAfee's market share?

-{ Quote: "Totally agree. If a user has their questions answered - that's 99% of it. It is all about "building a comfort level". " }-

This I very much agree with :) I'd add customer respect/appreciation to this too, as we all here know *cough*, although I think that plays more than a 1% part. This all seems to be already present with OA, however :)

One thing I can add to my above list is intelligent decision making. This is something that you don't see very often, except by a few like Principal, LOM Heuristic, and possibly Panda's TruPrevent (haven't really used it, but it's the impression I get). I wouldn't want to substitute that for the standard alerts, just add it to them.. "this process is behaving very suspiciously and warrants further investigation. It has been shut down in the meantime. Would you like to submit it to us for further analysis? [yes/no]"

MikeNash
August 1st, 2005, 12:09 AM
-{ Quote: ";D Of course, you don't want to have to call/email that support too often. That could lead to some well chosen swear words I would think.

But in the event that you do need to contact support, a prompt response can increase a persons good impressions of a company/product." }-

Well, here's the current plan for OA support:

1) - Free support in the OA forums; It's going to be manned by Tall Emu guys including myself, Ben, Chris, Scott, Darryl and Justin (the new guy). We're all based in .au. I have also agreed with a guy in the USA (subject to us actually selling one or two copies of OA ;D ) that he's going to work for us as well, which extends the amount of time someone is available to respond to queries.

2) - Premium Phone support, using Wombat, our remote desktop support tool. The idea here is that the user with problems can sit there on the phone and ask "How do I do this...?" and listen/watch as we help solve the problem in real time. Because our phone system is VOIP-based, we can seamlessly (in theory at least) transfer calls between the US and AU locations depending on time of day and operator availability.

By providing this mixture of support - some free, plus an additional paid option, it means that we can keep people who are happy with electronic support supported, but also - those who need extra assistance can get it on a user-pays basis. (We've done some discreet field-testing with this - without the voice part - Sydney to Seattle, Geneva and London - no problems)

While we haven't finalised pricing or timing on the premium support, it will be priced high enough that we can recover the costs of providing it, but not so expensively as to make it unfairly expensive.


Mike

richrf
August 1st, 2005, 12:44 AM
-{ Quote: "This just sounds more like pompous marketing speak to me, and I think it would probably drive away anyone with real money, the ones that are fully aware of what investments are all about. " }-

Hmmm ... I really need to bone up on that part of the computer industry. ;)

Rich

Notok
August 1st, 2005, 01:05 AM
-{ Quote: "
2) - Premium Phone support, using Wombat, our remote desktop support tool. The idea here is that the user with problems can sit there on the phone and ask "How do I do this...?" and listen/watch as we help solve the problem in real time." }-

That sounds worth paying for :)

---
August 1st, 2005, 03:20 AM
-{ Quote: "This is why I like the idea of having white/black lists (with central database) and/or an AV type integration (or maybe calling on the AV to scan as suggested previously) - can tell upfront in 'most' cases, and if not, then revert to 'traditional' HIPS method.
" }-

I don't think calling the AV to scan and letting it pass if the AV says it's okay is a good idea.

After all, the whole idea of HIPS if I remember the hype is to get past traditional signature based approaches. If HIPS is going to use AVs to decide whether to run something or not, I might as well just stick to AVs.


-{ Quote: "
Now, obviously I did this as a test to see what OA did... but, if you double clicked on a "screensaver" and you got:

0 - A warning - the EXE is trying to start
1 - A warning telling you that batch files were being executed
2 - A warning saying that the EXE was being set to auto run
3 - A warning saying "this 'lil sucker is trying to write to windows/system"
EDIT: OA doesn't do point(3) just yet...

Finally, followed by the notepad window. Of course, by this stage you'd be wondering what was going on (and, using OA as I did, I was then able to block the exe and rollback the file and reg changes it made)." }-

Mike, let me check my understanding. Wouldn't OA react with (1),(2) or (3) even if it was an action that was "advertent".

Say I choose to run a batch file.

MikeNash
August 1st, 2005, 03:35 AM
-{ Quote: "I don't think calling the AV to scan and letting it pass if the AV says it's okay is a good idea.
Mike, let me check my understanding. Wouldn't OA react with (1),(2) or (3) even if it was an action that was "advertent".

Say I choose to run a batch file." }-

Hi -

I think the AV function will get eaten by products like OA. Here's why - OA is doing behavioral type stuff, monitoring stuff - and it already contains a whitelist. BUT included is also a signature file of "bad" programs, primarily so that if we say sskbho.dll is trying to install, the user can know "Its Surfsidekick, and here's what it does".

With that in mind, as OA's base of legitimate *and* illegitimate signatures increases, what is the purpose of the AV? It can already do realtime monitoring, it can already see what apps are doing - and it can already check signatures. The "only" thing lacking in a product like OA against an AV is the size of the sig database. As we start to implement more checks and analysis of programs and what they are doing, the AV component becomes redundant.

Of course, a big AV player could turn the tables on that. Let's see what happens :-)

Yes, you are right, OA would alert on each of those events. The reason for my edit is that OA does not (yet) alert on writes to Windows\System directory and I didn't want to have something that wasn't correct up there. However, it will in the next version so my slip I hope can be excused.



Mike

JRCATES
August 1st, 2005, 04:05 AM
Personally, I would prefer to run BOTH a product like Online Armor AND an Anti-Virus. I don't really see one replacing the other, but rather complementing it. What one doesn't have in its current database, the other very well may...and that added protection could prove invaluable.

Besides, I don't believe that products like OA "scan" like an AV, per se, so if you received or downloaded something and wanted to run it past an AV before execution, that could always prove useful as well.

Having said this, I would HATE to see OA or any other HIPS program incorporate any kind of "AV" into their software (i.e. - Prevx). The firewall idea for OA sounds like a winner, but IMO AVs should remain as a stand alone specialty type product....and focus on their job at hand.

Vikorr
August 1st, 2005, 06:05 AM
Hi Mike/JR.

I suppose I haven't explained what I've been thinking clearly, when I say incorporating an AV into a HIPS...only realised that when I read what Mike said...

Pretty much that a decent whitelist, combined with either AV signatures, or a decent blacklist would work for the HIPS.

The only possible problem I see with a blacklist, is that Malware could evolve into producing randomly generated names, to bypass this feature (but it would still presumably be caught by other features of the HIPS).

MikeNash
August 1st, 2005, 06:41 AM
-{ Quote: "Hi Mike/JR.

I suppose I haven't explained what I've been thinking clearly, when I say incorporating an AV into a HIPS...only realised that when I read what Mike said...

Pretty much that a decent whitelist, combined with either AV signatures, or a decent blacklist would work for the HIPS.

The only possible problem I see with a blacklist, is that Malware could evolve into producing randomly generated names, to bypass this feature (but it would still presumably be caught by other features of the HIPS)." }-

Hi Vikorr,

Unless I'm confused, I think I understand you well. I still think OA has the potential to "eat" AV if you look at the features that will be added.

As far as I can see, the role of such a product is "Keep stuff off the computer that does not belong there." Whether it does it with a firewall, signatures, heuristics, behavioral analysis, whitelists, blacklists - or a combination of all of the above.

Your previous comments on this thread indicate - at least to me - that this is the sort of product that you are looking for.

I can foresee OA, noting that a site you are visiting is considered "Dangerous" and not downloading executable content at all; If that is overridden the next step would be to compare the downloaded content using one or more types of signature scheme prior to execution; Finally, if that gate is passed and execution of the process is requested, monitoring to see what it actually does.


Mike

Mrkvonic
August 1st, 2005, 07:38 AM
Hi,
I think a really good HIPS should prevent the USER from doing bad things. 99% of malware comes down to user interaction, either by downloading cracks in p2p, clicking links in sites, not protecting the machine properly etc.
When it comes to a popup alert by a program, an average user does not know what to answer. What's hooking, api, kernel or dll to an average computer user? To make you understand what I mean, what are eigenvalue, trace, determinant and Gram-Schmidt process? Someone with good mathematics will know this, but for 99% of users it's gibberish.
If you KNOW what to answer to a security popup, most likely you KNOW what to do in the first place and what to avoid, and vice versa.
Good HIPS should under-privilege the machine, that is password and encrypt all processes and access to them. But, Windows is not configured well enough to work smoothly as limited user, so good HIPS, aside from watching the registry, hosts file and everything you mentioned, should also allow easy accessibility to system tokens (like Run As ..., only more smartly). In simpler words, HIPS should be a good negotiator between admin and non-admin.

On a funny note, good HIPS = Linux!

Mrk

Vikorr
August 1st, 2005, 06:39 PM
I would disagree completely with that. Parental Control programs are for preventing people from doing the 'wrong things'. HIPS are for letting people do the 'wrong things' <as you put them> safely.

richrf
August 1st, 2005, 06:55 PM
The way I would describe it would be like this:

1) HIPS alerts when an "exception" to normal processing occurs (e.g. a new script or process has started on a machine).
2) A user can then decide whether or not to allow this "exception" process to continue with whatever work it chooses to perform.
3) HIPS can also track and alert users as to whether the process is attempting actions that may be considered "dangerous" or abnormal (e.g. install a driver/service/rootkit).
4) The user then has an opportunity, at these points, to prevent the process from continuing.

This stuff is really great, and for users who want to put a little time into understanding what is going on in their machine and regaining control of their machine, nothing can beat this paradigm.

Rich

---
August 2nd, 2005, 07:55 PM
I would hope that the perfect HIPS provide comparable protection for alternative browsers such as Firefox, Opera, rather than assume everyone uses MSIE.

The anti-DNS spoofing in online should extend to firefox too.

Maybe some other monitoring of minor firefox/opera functions.

MikeNash
August 2nd, 2005, 07:59 PM
-{ Quote: "I would hope that the perfect HIPS provide comparable protection for alternative browsers such as Firefox, Opera, rather than assume everyone uses MSIE.

The anti-DNS spoofing in online should extend to firefox too.

Maybe some other monitoring of minor firefox/opera functions." }-

Hi

Anti DNS spoofing works on all browsers for protected sites. Definitely agree that monitoring of more FF and Opera functions is needed - right now we only worry about FF and IE homepage, but we'll be changing that in a subsequent release once we rework the registry protection to be more powerful.


Mike

---
August 3rd, 2005, 07:55 PM
The perfect HIPS to me would not alert the user merely because a certain event occurred, but rather if a sequence of events occurred that is likely to be unusual.

It would for example keep a record of the past few event alerts, and make decisions based on a logic engine.

Certain sequences of events would be considered normal, others wouldn't.

This would lead to fewer alerts, and the user is alerted only when something truly unusual occurs.

Users could also help give hints by giving certain processes special rights, which is actually a package of behaviors allowed.

Update rights
- To Connect outbound through firewall
- To Start or stop files/processes within same directory
- Maybe certain rights to change registry, install drivers.

Uninstaller rights

Install rights

I'm not sure but I suspect Prevx1 and Safe N sec are already evolving towards that.

It would also have a flexible rule based system that allowed advanced users to tinker with the rule set and share them with others.

For those of you familiar with email rule filtering, you could process an email via several nested rules to decide if it was spam. E.g. if it lacked a 'from' header go to rule 2.

Similarly, the event in question could be processed by user defined rules before finally deciding on an action, whether to allow, deny, or ask for instructions.

I doubt it would ever occur though, since it could be very complicated to do and might be computationally expensive.
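The sequence-and-rights design described in this post, as an added example (not Prevx1's or Safe'n'Sec's code): a small engine that keeps the last few events per process, silences behaviours the user granted as a rights package, and asks or denies only when a rule's whole event set has been seen. The event names, packages and rules are constructed, and the replayed dropper follows the "screensaver" sequence Mike described earlier in the thread.

```python
from collections import defaultdict, deque

# Added example, not from any product in the thread: a HIPS that judges the *sequence* of
# events a process produces rather than each event alone, with user-granted "rights"
# packages that silence expected behaviour. Event names, packages and rules are all
# constructed for this example.

SEVERITY = {"allow": 0, "ask": 1, "deny": 2}

# Rights packages: named bundles of behaviours a user can grant a process up front.
RIGHTS = {
    "update": {"net_outbound", "exec_same_dir", "reg_write"},
    "install": {"write_program_dir", "reg_autorun", "reg_write", "exec_child"},
    "uninstall": {"write_program_dir", "reg_autorun", "reg_write"},
}

# Sequence rules: (name, event types that must all have been seen from one process within
# the window, action). Every matching rule is considered and the most severe action wins.
RULES = [
    ("dropper-with-persistence", {"write_system_dir", "reg_autorun"}, "ask"),
    ("address-book-exfiltration", {"read_address_book", "net_outbound"}, "ask"),
    ("firewall-tampering", {"exec_child", "firewall_rule"}, "deny"),
]


class SequenceHips:
    """Remembers the last `window` non-granted events per process and judges them as a set."""

    def __init__(self, rules=RULES, rights=RIGHTS, window=8):
        self.rules = rules
        self.rights = rights
        self.history = defaultdict(lambda: deque(maxlen=window))  # pid -> recent event types
        self.grants = defaultdict(set)                             # pid -> silently allowed types
        self.blocked = set()                                       # pids shut down by a deny
        self.log = []                                              # (pid, event, target, verdict, rule)

    def grant(self, pid, package):
        """Grant a rights package; its behaviours no longer count towards any sequence."""
        self.grants[pid] |= self.rights[package]

    def observe(self, pid, event, target):
        """Feed one event; return (verdict, rule). rule is None for a quiet allow."""
        if pid in self.blocked:
            verdict = ("deny", "blocked")
        elif event in self.grants[pid]:
            verdict = ("allow", "granted-right")
        else:
            history = self.history[pid]
            history.append(event)          # the deque drops the oldest event past the window
            seen = set(history)
            verdict = ("allow", None)
            for name, trigger, action in self.rules:
                if trigger <= seen and SEVERITY[action] > SEVERITY[verdict[0]]:
                    verdict = (action, name)
            if verdict[0] == "deny":
                self.blocked.add(pid)      # "shut down in the meantime"
        self.log.append((pid, event, target) + verdict)
        return verdict


def run_sample():
    """Replay the 'screensaver' dropper from earlier in the thread next to a granted
    updater; returns the two lists of verdicts, in order."""
    hips = SequenceHips()
    dropper = [  # constructed from Mike's description of the fake screensaver
        ("exec", "screensaver.exe"),
        ("write_system_dir", r"C:\Windows\system32\dropped.exe"),
        ("reg_autorun", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dropped"),
        ("exec_child", "allowfw.bat"),
        ("firewall_rule", "dropped.exe"),
        ("exec", "notepad.exe"),
    ]
    updater = [  # legitimate updater the user granted the "update" package
        ("net_outbound", "updates.example:443"),
        ("exec_same_dir", "helper.exe"),
        ("write_program_dir", r"C:\Program Files\App\app.exe"),
    ]
    hips.grant(2, "update")
    return ([hips.observe(1, e, t) for e, t in dropper],
            [hips.observe(2, e, t) for e, t in updater])
```

Single events from the dropper pass quietly; the alert only fires once the system-directory write and the autorun entry have both been seen, and the firewall rule after the batch file escalates to a deny that also blocks everything the process does afterwards.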