combining HIPS

as much as this sounds a little over the top, I want to combine two HIPS programs. One a sandbox type (currently leaning towards defensewall) and the other a more pure behavior type, currently pondering between SSM, Prosecurity and PG.

Advise anyone ? is this sane to do ? what would be the best combination ?

 

If you are concerned that you need more than one why restrict to only two? If you think two HIPS can give you better security than one, think of how much more security you get if you use three or five

One good HIPS is enough. The chance of you getting anything that can get passed a (one) properly configured HIPS is so small that it is not worth the trouble. Unless you got a thing with popups.

Combining DF with SSM, GSS, PG or their likes, what will you gain? If defensewall has something sandboxed, isn't all the popups from the other HIPS useless since nothing can do any harm anyway?
It doesn't seem sane to me (remember, you asked )

 

Hi Guys,

I like the idea of a sandbox for internet surfing & process protection from PG or SSM. Seems like a good idea to me. I posed the question to SSM support when I was considering purchase. They replied no problem SSM + DW. For me if its automatically flushed away in the sandbox, then I don't have to reply to SSM's question. Then again perhaps nobody uses both together?

Or are you saying SSM or PG, become useless as they don't have anything to do, because DW flushed away the threat? If this is correct then isn't DW the better HiPs?

GSS - what do u mean AppDefend or RegDefend.

Does SSM have registry protection, superior to RD? Or would SSM RD combo be just redundant? I know the combo of RD + PG is supposed to be great.

Thans
rico

 

They are both good. But what is the point of answering questions from SSM when when eventual problem is already taken care of by DW? If it is sandboxed there is little use (other than educational) of the alerts from SSM.
SSM alone, well the educated user actually, can do as good as DW.
I know some are arguing that one HIPS takes care of what the other HIPS might miss, but then you might as well have five HIPS coz you´ll never know what new threats are out there
In my opinion it is more wise to learn how to use one HIPS well. If you know how to configure your HIPS then you´ll know that you don't need more than one.
But hey, everyone does as they see fit, just giving my two cents after been traveling that (rather paranoid) road for a while

Appdefend is Appdefend and Regdefend is Regdefend. GSS (Ghost Security Suite) is Appdefend and Regdefend together, maybe I´m wrong but thats how I see it.


Thans
rico[/QUOTE]

 

Hi Sukarof,

I agree about the one hip as opposed to multiple hips. DW + SSM lazy mans way, plus waste of $ on process protection.

You can purchase GSS separately I have RegDefend & was curious if it is does something if i install SSM. I don't see the need for RD & SSM to protect the same keys.

Take Care
Rico

 

Good and TIMELY topic. Thanks

Recently just like some others i been off again on again experimenting with various combinations of SHIELDING.
Theres a lot of INSTRUCTION.CODE ground to cover and the SSDT table is one of the more popular at the present.
Seems CyberHawk & SSM perform & compliment each other on my XP Pro SP1 system rather nicely with no ill effects to speak of. So in conjunction with my over-eagerness to push the envelope akin to erecting an additional OBSTACLE to forced/stealth intrusion, am also on-going with running WinPooch which makes my HIPS 3 for now.
That is somewhat overkill IMO but it's a configuration/setup i'm watching with interest as i turn loose some samples to test this trio and watch to see which is FIRST! to intercept malware signals/files, trying to message the system.
The layered approach is neither fantasy nor unwise when it comes to covering ALL areas of possibility, and as many as possible without internal conflict.
Mind you this is only a local experiment and not suggested to be taken as neccesary precaution. It's mostly a way to review interactions between the HIPS and their reactions when acted on by forms of rootkits/malware that might try to subvert their SHIELDING methods.

 

Wouldn't you get different results on your tests on which HIPS reacts first depending on their install order? I mean if you install HIPS A first it will be the first to react. Then if you install HIPS B first then it will be HIPS B to react first?
Just a bit curious since I reckon most of the HIPS hook them selves to the same things (API´s?) in windows.

 

I have found SSM & Cyberhawk to be a good combination.

However, you don't necessarily have to run two programs in order to get a two-pronged security protection. There are some HIPS-type programs that incorporate two or more modes into one program. Examples...

1 Prevx- If you put Prevx into A-B-C mode then it functions mainly as a community-based whitelist/blacklist. HOWEVER, if you ramp-up Prevx into Expert mode, it becomes a full-on, kick-ass HIPS-plus-blacklist/whitelist. In other words, Prevx in Expert mode can be viewed as being a bit like a TWO-headed hydra.

2 Safe'N'Sec + AV- Yet another double-banger is Safe'N'Sec in the version which includes BitDefender antivirus. BD is on-demand only. The SnS module uses a real-time monitor that combines blacklist (signatures) with behavior blocking. The SnS + BD version scored VERY high in a test by AV-Comparatives this past March. To read about that test...

+Goto http://www.av-comparatives.org/
+Click "Comparatives"
+Scroll down 3/4 of the page to the line titled: "StarForce Safe'n'Sec 2.0 with Antivirus March 2006" - on that line, click "Press Release (PDF)"

 

Hello,
If you must use HIPS - then DefenseWall is probably the best choice.
Mrk

 

I think we need a new acronym - CIPS + HIPS = CHIPS

 

Thanks for asking that question sukarof.

One would assume based on order of install that the First Responder so to speak would be the first installed. Not always so with SSM installed first then CyberHawk in my experience with them.

I found CyberHawk many times "first" to ALERT to possible attempts before SSM although i don't recall now just what those were at the time. I do know that CyberHawk was ALERTING to things that SSM either had not been ruled to cover yet or that CyberHawk was quicker on the draw due to it's SSDT Table Hook on certain windows instruction (ie NtSetValueKey

 

It, mostly, depends on load order of drivers. If you are loaded first- you will be the last in the SSDT hooking chain. Last driver will alert first. Also, CyberHawk is a very weak HIPS- most of its hooks that are critical for correct defense work are ring3 (application level) and could be easily bypassed.

 

Well the problem is you can't run *everything* sandboxed. Anyway I don't seem to get popups from the likes of SSM, GSS, PG when running in a sandbox an app that would normally cause popups.

Kinda of makes sense I guess