Which HIPS or "alert" software can meet my criteria?

I am very new to HIPS & behaviour alert software. I have spent some hours reading old topics in this forum. But I feel overwhelmed in attempting to narrow down which software meets my criteria. So I will just ask you wise folks for recommendations.

Here is what I would like:

1) I would like thorough interception of *any* action (no limited coverage, no "making decisions for me", no crippled functionality).

2) I would like to know *what* the action is attempting to accomplish (don't just tell me an app is executing...tell me what it's trying to do).

3) I would like the ability to *allow or deny* that action.

4) I would like the ability to *whitelist* an application (so I am not alerted about its future actions).

5) After the above criteria are met, I would like the software that takes the *lightest* possible toll on my computer.

Thank you for any suggestions.

I should mention that I am operating "Windows 7 32bit". I understand that this affects the variety of software available.

--------------------

LATEST UPDATES to this topic

Malware Defender
- Succeeds at criteria #1-3 & #5
- Poor implementation of criteria #4 (no way to conveniently whitelist app from pop-up alert, must navigate multiple steps through GUI)

Emsisoft Online Armor (free edition)
- Succeeds at criteria #1-2
- Fails at criteria #3 (see problem & configuration used)

Comodo Defense+
- Succeeds at criteria #1-4
- Fails at criteria #5 (No standalone available. Though, with extra modules disabled, 'Comodo Firewall' more efficient than 'Comodo Anti-Virus')

SpyShelter (free edition)
- Fails at criteria #1 (even with settings configured, missed many actions Comodo detected)
- Succeeds at criteria #2-5

AppGuard
- Pending review

 

Everything you point out that you expect from a respectful classical HIPS exactly (and so much more) was found in EQSysecure (Freeware BTW). Problem is that it's been sadly abandoned. If you could still find it and add configurable Alcyon's great rulesets you can have all that in a super lite framework for XP (maybe 7 32bit?) There are also others similar like MalwareDefender etc.

I'll step back out from this now and leave the answer for CURRENT available HIPS suggestions since I'm waiting for the same, if any. Guarantee some recommendations will point to Comodo for one and perhaps AppGuard for another.

Sorry i couldn't offer you any choices because I'm windows 8 x64 now and the closest to HIPS i found is Outpost Pro 8.1

 

Easter,

I installed "Malware Defender" recently. I had trouble making it conform to criteria #4 (ability to whitelist an application and not be alerted to its actions again). Until a solution is provided in that regard, I am rejecting it.

Thank you for the other suggestions.

 

Have you tried putting said application into Malware Defender's - Trusted Application List - should be the same as whitelisting if I remember correctly.

 

Online Armor or Comodo.

 

LoneWolf,

I will re-install the software and look for such an option within the Malware Defender GUI.

Though, I am fairly certain that the MD alert pop-up had no such app-whitelisting option. To me, that is also grounds for rejection because that means I would have to deal with the "action" in the pop-up...then navigate to the GUI to whitelist the actual app. Very inconvenient.

Of course, that is all speculation on my part. I will have to get hands-on to be sure.

 

To all,

I am testing Online Armor (free edition)...and I have come across a rejection-worthy problem.

I went into the options and set OA to alert me for as much as possible (hopefully disabling automatic decision-making).

Yet, when I was installing the software "Hide Folders 2012"...the installer produced an error message saying it could not register an important component. It offered me the option to "retry"...but I kept pressing it to no avail.

When I checked the OA "history", I discovered that OA was automatically blocking this action:

So even though I have set OA to be as interactive as possible...it is making blocking decisions on my behalf without alerting me and seeking permission.

Until a solution is discovered, I will consider "Online Armor" rejected.

 

I think you could test ThreatFire...I know it's already abandoned but after ticking 5 level of protection, after enabling advanced settings and some additional rules like registry protection, internet connection, port listening, protection of some folders chosen by user, after disabling option of trusted publisher...you can will waiting for a tone of pop-ups
Or...you can install SpyShelter Free (or Premium if you pay) an chose level "ask user".

 

Try Comodo in Paranoid (you can install CAV, CFW or full CIS - all have D+). And maybe it's better to disable the autosandbox.

 

Solarlynx,

Thank you for your help configuring Comodo. I used the free "anti-virus" edition.

It met criteria 1-4. It seemingly nabbed everything, and gave me the opportunity to decide what to do. Slick GUI, detailed alerts & decision options...10/10.

Unfortunately, as it is bundled with the Comodo Anti-Virus package...there is obviously alot of overhead. Hence, it fails at criteria #5.

If I find no other comparable product, I will settle on this. But I hope I can find something that matches it...without the bloat.

Thanks for your input!

 

If you want to use Comodo without AV then the only choice I see is to try Comodo Firewall - it goes with the "Defence+" which you actually need. Unfortunately there's no separate edition with the Defence+ only. If you install CF then you had to use its firewall and switch off the FW you had before CF.

Another decent choice is AppGuard. I guess it can be configured to maximum granularity and verbose alerts, though I've never tweaked it so much.

 

On minimalist setups I sometimes ran PE Guard 2 instead of a realtime AV or HIPS, but it may be a dead project. It was super light though and alerted you about all executables. You could block or allow, and of course a whitelist was available too. I don't think criteria 2 was met though. If PE Guard is still being developed then it's worth a look. Even if dead, the old version may be worth using on old XP machines in place of a realtime AV or firewall HIPS, or on modern machines as an extra security backup measure only to be turned on if you suspect an infection. I haven't used it for a over a year though because I now run Comodo Internet Security on my main systems, which includes D+.

 

Thank you for this excellent suggestion! (re: Comodo FireWall)
AV installations (even if components disabled in options) can be very invasive, and cause competition between software. Less chance of that with a firewall installation.

 

Solarlynx,

In case you are still around, I was wondering if you could help me with the following in Comodo...

Even though I disabled the Comodo Firewall module...I see in the Comodo GUI that it is tracking and monitoring my internet activity.
In the advanced GUI, it is displayed as "outbound" & "inbound" activity. Clicking this brings up the "View Connections" window which displays a live feed.

I looked in the options and could not find an option to disable this behaviour. Am I missing something obvious? Or is this best dealt with by Comodo staff?

 

I'm not so knowledgeable in Comodo to help you with this. I would advise to use it completely with enabled FW (having disabled your other FW if you have it). Unfortunately there's no install of pure D+ so you have to use it with AV or FW or with both. IMHO if you somehow manage to disable its FW you would have it in your RAM anyway. BTW you can ask at Comodo forums - they know it much better than me.

 

I don't think you can make the firewall part totally disappear like you can do with the AV. Why don't you want to use the firewall?
Anyway I don't think either that having the firewall installed but deactivated will impact in your computer performance.

Are you using Comodo in paranoid mode?

 

SolarlynX,

I am content with my current firewall solution, which is why I disabled the Comodo firewall module.

As for the persistent "live monitoring" of internet activity (even with the firewall module disabled), Comodo staff have informed me that no option exists to disable this monitoring.

...

guest,

I have a firewall solution already. I would rather keep it, working alongside an efficient Comodo HIPS.

As for the toll of having Comodo's live monitoring persisting - even though the firewall is disabled...I figure it's a bit like having "WireShark" running 24/7. I'm sure that has some impact.

All that said, I'll still settle for it...as it excels at the most important criteria.

EDIT: Yes, guest, I am using Comodo Defense+ in "paranoid mode". I have configured the HIPS to my satisfaction, and have no complaints in that regard.

 

Are you sure you configured OA properly?
You have to disable cloud features and other things such as block unknown programs, block suspicious file names etc.

 

You can see the settings I used in the attachments (images 1-5).

 

...and if you would like to re-produce the problem, try installing:

Code:

http://fspro.net/hide-folders/

During installation, OA asks user permission for various actions. But near the end, you will receive this error message:
http://i41.tinypic.com/2nrcydz.png

And when you check OA history, you will see it has taken it upon itself to block the action...without alert or consent:
http://i43.tinypic.com/68hdzl.png

 

WOW, two questions
a) What happened to you living happily in the digital wordl without a HIPS wanting to know EVERYTHING all of a sudden (what incident changed your mind)?

b) Popups without contextual knowledge is just data, where did you find the knowledge to turn this pop-ups into information (please post a link when you found one).

Interesting to know, thanks in advance

 

Windows_Security,

I am not sure if you are being sarcastic. But I am sure that you are making incorrect assumptions about *how* I will use this functionality.

Yes, I want thorough detection & detail. But more importantly...yes, I will use such functionality in certain instances & contexts.

a) Like most, I have had infections sneak up on me...on top of that, I have discovered odd behaviour from supposedly reputable or innocuous software. As a result, I am curious about what software is doing on my computer...in certain instances & contexts. An action-alert software that meets my criteria gives me a *complete* & *real-time* understanding (when I see fit to enable it).

b) If I am told what the action consists of (like X will affect Y), I can judge for myself or seek support elsewhere. I have long created & reviewed logs of software I install. Hell, I even infect my virtual machine to get a sense of what malware does. Over time, you get a sense of what is standard & what is questionable.

I hope this satisfies your curiosity. Though I hope this does not turn into a debate that distracts from the purpose of this topic.

 

Another suggestion - if you can configure DefenseWall (not DW Personal Firewall, but only DW) to be chatty then you can definitely get what you want - pure HIPS in talkative mode. DW is a very decent HIPS. Though I don't know if it is possible to configure it to be chatty.

 

I dont think DW fits the bill. He is looking for a Classical HIPS.
Keep in mind that when you install OA it whitelists most of the apps on your PC. That could be the reason why there were no pop ups for some programs.

Although it is indeed weird that it didnt ask you.

 

Agreed. Nor does AppGuard which is a policy restriction application, similar to DW. Neither of these appear to meet the OP's requirements, as stated above.