Is answering prompts in HIPS really that obvious?

Discussion in 'other anti-malware software' started by LUSHER, Jan 17, 2008.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I know, but I just found it annoying. Fine for the ABC mode, but in Expert you should be able to override it.
     
  2. wat0114

    wat0114 Guest

    I think besides how knowledgeable/experienced the user is about typical processes and applications in a windows environment, it also depends on how much information the HIPS provides in its alerts for the user to determine how to answer them.

    I took a screenshot of a recent alert from SSM, maybe not the best example of a typical, hard-to-answer-correctly alert, but probably a fairly typical one.

    The description it provides of a DLL injection is probably, at least IMO, the least helpful information provided because on one hand it's telling you it could be a key logger, while on the other it tells you it could be a legitimate component. It really does little or nothing to help.

    Now for the Process and library: I would say most users can recognize iexplore.exe but few will recognize mshtml.dll.

    Now for Technical Information: There is some helpful info here as well, because SSM is providing the paths for the process and library, as well as the "Microsoft" vendor information.

    Provided the hash check is enabled and the HIPS was installed on a known clean system, I believe a fairly well informed (about Windows processes, libraries and applications) user can make the correct decision on the majority of alerts, if not all of them. No one is perfect so mistakes can, of course, be made.

    All I would ask is take a look at the screenshot and decide if that is enough information to base an informed decision on for the typical HIPS user.

    HIPS is clearly not for those ill-equipped to use one. A "default deny" policy will quickly lead to frustration for them as applications and the O/S will freeze, leading to reboots and an eventual attitude change of "default allow" policy for all other forthcoming alerts.
     

    Attached Files:

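The alert described in the post above (iexplore.exe loading mshtml.dll, with paths, a "Microsoft" vendor string, and a hash check against a system that was clean when the HIPS was installed) can be reduced to a small triage routine. The following is an added example written for this thread; it is not SSM's logic or any vendor's code. The file contents, paths and alert fields are constructed so it runs offline, and the policy (which cases allow, deny or prompt) is an assumption about how a careful user would read such an alert: a file that matches the clean baseline is allowed, a baselined file whose hash changed is denied, and a file the baseline never saw is denied outright only when it claims a Microsoft vendor string from outside the system directories (the name and vendor string alone prove nothing).

```python
"""Triage a HIPS library-load alert against a baseline taken on a clean system.

Added example for this thread, not SSM's own logic. The paths, file contents
and alert fields are constructed; the verdict policy is an assumption.
"""
import hashlib

# Directories whose contents were baselined (lower-case, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed stand-in for the files on the clean machine (path -> bytes).
# A real tool would read the files; keeping bytes inline lets this run offline.
CLEAN_DISK = {
    r"C:\Windows\System32\mshtml.dll": b"MZ constructed mshtml image v1",
    r"C:\Program Files\Internet Explorer\iexplore.exe": b"MZ constructed iexplore image",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(disk: dict) -> dict:
    """Snapshot taken when the HIPS is installed on a known-clean system:
    normalised path -> SHA-256 of the file at that moment."""
    return {path.lower(): sha256_hex(data) for path, data in disk.items()}


def triage(alert: dict, baseline: dict, disk: dict) -> tuple:
    """Rate one alert dict with keys process, library, vendor.
    Returns (verdict, reason), verdict in {'allow', 'deny', 'prompt'}."""
    files = {path.lower(): data for path, data in disk.items()}
    key = alert["library"].lower()
    data = files.get(key)
    if data is None:
        return "deny", "library vanished from disk between alert and check"

    current = sha256_hex(data)
    recorded = baseline.get(key)
    in_sysdir = any(key.startswith(d) for d in SYSTEM_DIRS)
    claims_ms = alert.get("vendor", "") == "Microsoft"

    if recorded is not None:
        if current == recorded:
            return "allow", "hash matches the clean-system baseline"
        return "deny", "file changed since the clean-system baseline"

    # Never baselined: the file name and vendor string prove nothing by themselves.
    if claims_ms and not in_sysdir:
        return "deny", "claims Microsoft vendor outside the system directories, never baselined"
    if in_sysdir:
        return "prompt", "new file in a system directory since baseline (update, or dropped?)"
    return "prompt", "unknown library outside the system directories"


if __name__ == "__main__":
    base = build_baseline(CLEAN_DISK)
    alert = {
        "process": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "library": r"C:\Windows\System32\mshtml.dll",
        "vendor": "Microsoft",
    }
    print(triage(alert, base, CLEAN_DISK))
    lookalike = dict(CLEAN_DISK)
    lookalike[r"C:\Users\bob\AppData\Local\Temp\mshtml.dll"] = b"MZ lookalike"
    print(triage(dict(alert, library=r"C:\Users\bob\AppData\Local\Temp\mshtml.dll"), base, lookalike))
```

The baseline is only as good as the machine it was taken on, which is the caveat the post itself raises: a HIPS installed on an already compromised system will happily baseline the implant.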
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Wow, talk about redundant statements. "A comb is clearly not for those who are bald."

    A HIPS cannot distinguish between benign and malicious behavior. That's why so many people cry about using them, and that's also why they're so powerful - because they lack intelligence and hence cannot be tricked. There's no point in asking HIPS vendors to "dumb down" their programs, so to speak; you either learn how to use them, or get a watered-down program that's lost its whole point. It's either for you, or it's not, simple as that.

    For those people really wanting to use one, why not take the time to learn, instead of hoping the program will grow to accommodate you?
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    HIPS are IMO S.M.A.R.T programs that border on the same level as Artificial Intelligence, although they're years away from becoming Auto-HIPS, but like solcroft suggests, if a user spends the time to learn and add rules, the HIPS then turns into an Auto-HIPS. It's IMHO a far safer proposition than depending solely on blacklist apps, definition updates, etc., which are not only time consuming but will never be fully accurate, whereas HIPS draws its POWER from its mapping of critical areas of concern from the operating system itself and sets itself to intercept signals, any signals, plus location and targets, and brings that information up to the user in order to establish a Rule for that activity/file.
     
  5. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    yes, though you are pretty much saying a guy with no hair shouldn't have a comb. That's obvious.

    But as others have pointed out, there are different degrees of knowledge. Certain decisions are easier than others.

    Also unlike the condition of being bald, judging whether one is really equipped to answer HIPS prompts is not trivial. I would guess a lot of people here think that they are more than competent to handle HIPS, but is there any possibility they are mistaken?
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I will raise my hand and can't argue the valid point you make Lusher.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It's supposed to be, but as far as I can see, not really. Some people will go out of their way to install a program they have no idea how to use, and then whine about it and call it useless.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I am sure I have been guilty of that too. And that doesn't help anyone. It is fun to come here and see all that is offered in reality. But some of us are like kids playing with a loaded pistol.
     
  9. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    I'm actually more concerned about people who *think* they are competent to use HIPS but really aren't.

    It's very easy to click yes/no whatever and feel good about oneself, but how can one be sure one is making the right decisions?

    The vast majority of decisions will be made where the correct decision is probably to allow (most people here don't come into contact with malware that much), how many times do people click allow? how many times deny?

    Granted clicking deny in most cases won't cause the system to fail, but occasionally it results in some subtle problems that one won't notice until months down the road, by which time it becomes hard to trace the problem.

    On the flip side, if the correct decision is to deny, how often does one do so? The problem is one just doesn't come up against malware that often (except deliberately, and that doesn't count obviously), so how can one be confident that when faced with a critical decision one will respond correctly?

    BTW, making boasts that one has remained malware-free doesn't help.... :)

    I don't know about you guys, how often have you run something, see some prompts, decide to click deny to be safe and the app fails, then you say what the heck, run it again and decide to click allow .....
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This question contains more variables than I can count. Without any definite, concrete examples, one can probably claim anything they like, and that's that.
     
  11. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    I know I am no expert and probably not competent to use HIPS, but on the other hand it is by playing with Process Guard first, OA, SSM and now EQSecure that I learned how Windows works.

    And if I make mistakes I have FD ISR and ShadowProtect to back me up. The only way to learn is by your own mistakes.
     
  12. wat0114

    wat0114 Guest

    There was no intent for my statement to elicit a sarcastic response, but I understand that is just you ;)

    Agreed.

    Absolutely.

    On a side note, this is another benefit (possible) of using a HIPS; it can make for a nice learning tool.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    One of the problems in the DLL injection example above is many people won't understand what the term injection means in that context. It can be made worse by language issues.

    Kaspersky in the above example would have referred to that as an invader in their PDM pop up. That was the case when I was testing, don't know if it has changed.

    Always wondered what a user would do when they got a pop up stating explorer.exe was an invader.

    It is indeed a challenge. Software vendors always test with beta testers. They also should test with their "Aunt Sara". They might learn a lot.

    Pete
     
  14. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Another issue that I have never seen discussed is that even for a regular user of different HIPS, there is an implicit assumption that all the products use the same terminology (DLL injection, access to physical memory, low-level disk access) to mean the same thing.

    I have noticed that even when they use the same terms, they actually are quite different. I'm sure you guys have occasionally seen people like Rasheed etc asking why HIPS X alerts on such and such, while HIPS Y doesn't even though the same actions are done and on the surface both have the same features... There is inevitably no reply of course.

    I myself have found that some HIPS conform closer to my expectation in that I can predict when they will create a prompt, and others that totally confuse me.... and create prompts when I don't expect them, or don't create prompts when I do....

    I wonder how obvious answering prompts in HIPS can be, when HIPS vary among themselves...
     
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I think your answer is there. Not obvious to many.

    The main problem I saw was whether the alerts themselves provided an adequate balance between useful information and paranoid popup that implied your computing world was about to end horribly. Many seemed to choose the latter approach - more exciting but really tended to miss the mark on most alerts. PrevX has the best balance in applications that I've seen in this characteristic.

    Blue
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, first you need to make sure that you understand all the things that HIPS are monitoring, responding to alerts will become a lot easier then. If you're not willing to learn about this stuff, then don't use HIPS, it's that simple. And we all know that HIPS are geared to the (paranoid) security geeks, it's not for everybody, so I don't know why people keep saying "well my mother wouldn't be able to respond to these alerts", no sh*t Sherlock!

    Now about my approach to all of this, I must say that after installing/testing lots of tools, I came to the conclusion that most apps should be able to function just fine without trying to modify the system in a possible malicious way. So this basically means that if your HIPS does alert you about stuff, you need to ask yourself if it makes sense or not. And this comes down to experience/basic software knowledge. Most of the time, when I'm about to run some tool, I can already predict that I will probably get to see a certain kind of alert. And when you're not sure about something, just block it, until you make sure that you really trust a certain app (after doing some research), basically, that's all you can do. :)
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    And here is where HIPS comes in play. You scan a file and it comes up clean, but you never know if your scanner might be wrong, so a HIPS gives you a second chance to think about if you really trust a tool or not. If you see anything suspicious (unexpected behavior) you block it. Of course some knowledge is required, so if you have a 50/50 chance, then better don't use any HIPS. :)
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    One off topic post removed.

    Pete
     
  19. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Actually I'm wondering whether YOU or I are responding correctly, much less your mum... :D

    Interestingly as I remarked, people keep saying this, but the only example of such knowledge cited is the old driver thing... Is that the only piece of knowledge one has?

    Actually on another forum a guy made a similar boast and he promptly got it wrong. Rasheed care to put it to the test? I will insist that you make the prediction BEFORE running it first. It's very easy to retrospectively say.. "okay I can see why it might need X, AFTER seeing the prompt"...

    I would say whether I could predict to any degree depends on the HIPS used, some as I said are totally contrary to my expectations...

    I remember a couple of posts from rasheed asking questions why HIPS X prompts on A, but HIPS Y does not... More recently he asked why the antikeylogger can work without any HIPS alerting on anything...

    So maybe prediction is not so easy?

    PS Can anyone recap why being able to predict prompts in advance is important?
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I know, but I've noticed that a lot of people are complaining about HIPS, while to me it's a no brainer that HIPS is not meant for everybody, I wouldn't recommend any HIPS (not even smart HIPS like TF) to security noobs, so IMO it's not really necessary to discuss about if HIPS are useful or not, or if they will ever become mainstream.

    Well, that example comes up because it happens to be one of the most dangerous behaviors, but of course there are a lot of other dangerous things. It's all about understanding the possible consequences of allowing certain stuff. So, if I allow a certain modification, a certain bad thing might happen.

    You're missing the point, it's not about bragging, what I meant was that if you know that (for example) certain kind of system utilities need a global hook to do their job, you are already expecting to see this behavior. Same with anti-rootkit tools, you know it's likely that they are going to need to load a driver, so this is expected behavior. But can you tell if this hook/driver is malicious? No you can't, a HIPS won't help you when it comes to this. It then becomes a matter of trust.

    But of course you also have unexpected behavior, like I said before, most tools don't really have a good reason to trigger any high risk alerts. And if you're not sure, why not just block it? I'd rather deny a harmless tool from running than take the risk of becoming infected.

    I'm not sure what you mean, this was about NG malfunctioning on my VM, it couldn't spot all of Firelion AK's high risk behavior. Speaking of FAK, this is another example of an app that displays possible malicious behavior (not unexpected to me), so either you trust it or not.
     
    Last edited: Jan 26, 2008
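The decision policy laid out across the posts above (EASTER's "learn and add rules until the HIPS runs itself", Rasheed's "expected behaviour for that class of tool, otherwise block, and trust only after research", and the hash check wat0114 mentions) fits in a very small rule engine. The following is an added example written for this thread, not the code of SSM, OA, EQSecure, TF or any other product named here. The tool-class-to-behaviour mapping, the event dicts and the hashes are constructed and illustrative; a product's own database would be far larger. Rules are keyed on the process hash rather than the path, so a binary replaced in place does not inherit the rule the user made for the old one.

```python
"""Minimal HIPS rule engine: default deny, remembered rules, process identity by hash.

Added example for this thread; not the code of any product mentioned in it.
Tool categories, events and hashes are constructed.
"""
from fnmatch import fnmatchcase

# Assumed, illustrative mapping of tool class -> high-risk behaviours that are
# expected for it (the "I already know an anti-rootkit will load a driver"
# knowledge). Anything not listed is unexpected for that class.
EXPECTED = {
    "anti-rootkit": {"load-driver", "physical-memory"},
    "system-utility": {"global-hook"},
    "browser": {"load-library", "network"},
}


class Hips:
    def __init__(self):
        # remembered answers: (process hash, action, target glob, decision)
        self.rules = []
        # hashes of binaries the user has researched and chosen to trust
        self.trusted = set()

    def decide(self, event, category=None):
        """Return (decision, reason) for an event dict with keys
        process, proc_hash, action, target.  decision is allow/deny/prompt."""
        matches = [
            r for r in self.rules
            if r[0] == event["proc_hash"]
            and r[1] == event["action"]
            and fnmatchcase(event["target"].lower(), r[2].lower())
        ]
        if matches:
            # the most specific remembered rule (longest glob) wins
            best = max(matches, key=lambda r: len(r[2]))
            return best[3], "remembered rule %r" % best[2]
        if event["action"] not in EXPECTED.get(category, set()):
            # behaviour the tool has no good reason for: block, don't ask
            return "deny", "unexpected for %s" % (category or "unknown tool")
        if event["proc_hash"] in self.trusted:
            return "allow", "expected and binary trusted"
        # expected behaviour, but trust not yet established: ask the user
        return "prompt", "expected, but binary not yet trusted"

    def answer(self, event, decision, remember=False, target_glob=None):
        """Record the user's answer to a prompt.  Keyed on the process hash,
        so a replaced binary at the same path is prompted again."""
        if remember:
            self.rules.append(
                (event["proc_hash"], event["action"], target_glob or event["target"], decision)
            )
        return decision


if __name__ == "__main__":
    h = Hips()
    ark = {"process": r"C:\Tools\ark.exe", "proc_hash": "aaa",
           "action": "load-driver", "target": r"C:\Tools\ark.sys"}
    print(h.decide(ark, "anti-rootkit"))                 # prompt: expected, untrusted
    h.answer(ark, "allow", remember=True, target_glob=r"C:\Tools\*.sys")
    print(h.decide(ark, "anti-rootkit"))                 # allow: remembered rule
    print(h.decide(dict(ark, proc_hash="bbb"), "anti-rootkit"))   # prompt again
    print(h.decide(dict(ark, action="global-hook"), "anti-rootkit"))  # deny
```

Note what the engine cannot do, which is the point Rasheed makes: once a driver load is "expected" for an anti-rootkit tool, nothing here tells you whether that particular driver is benign. The engine only separates the prompts worth thinking about from the ones that should never have been allowed in the first place.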
  21. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Exactly my point, talking only in general, no specifics.. "certain bad thing might happen".... :)

    Sigh, actually you wouldn't know what a point is if it came up to you introduced itself to you and bit you in the ass.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    LOL, what do you want me to do? Should I tell you what could be dangerous, something like "a BHO might spy on you", "a global hook can be dangerous because...". Don't most people know about this stuff?

    Did I hit a nerve or something? I think I have explained my approach to all of this, as clearly as I possibly could, you would think that a more knowledgeable person like you at least gets part of my point. Or was I talking BS? If things are still not clear, let me know. :)
     
  23. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?

    I agree fully with you. I think the real winners in the long run will be built as hybrids. Combining powerful AI with some user interactivity where unrecognized variables appear as a fail safe. But the devil is in the database of processes and listed behaviors... The explanations and the ability of the user to comprehend the requests as a result.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    All the points made above regarding HIPS prompts are true, and is why a Layered Approach complementing them with Sandboxes, Virtuals, ISR's and such is simply the most Logical approach. Most assuredly regular back up images at the ready of course = final line of defense, preferably stored OFF MACHINE.

    Alone, or even combined with another app is just not enough given the potential risks involved. There's even more protection coming in HIPS I hope, and that they realize this has been of enormous help in warding off baddies even where AV's/AS's miss.

    Personally I've never been more excited for users and myself since the introduction of HIPS, it's made a very big difference.

    I like to think System Safety Monitor pioneered the first real full featured HIPS, although credit goes back to other apps that took similar approaches like, for one example, ProcessGuard, and I know there must be a few others who stirred up attention for some developers to take on such a radical new approach to Pre-Emptive protection instead of after-the-fact apps, many of which lost the battle.
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    My answer to the topic's question is -- it's EZ if you do your homework.

    My granddaughter uses SSM & readily does the research needed to answer the occasional pop-up for which she has no immediate answer. In result, she is well ahead of her age-group in computer mastery.

    She has been taught NOT to adhere to the platitude "If you can't raise the bridge, lower the water."

    She has also been taught that, to be regarded as "equal to the boys" in her computer class, she must be ~twice as proficient as they are. Fortunately, that is not difficult. :D
     