Wilders Security Forums  

#76 - July 9th, 2008, 09:18 AM
Kees1958 (Massive Poster; Join Date: Jul 2006; Posts: 5,857)
Re: Some unique HIPS features

Quote:
Originally Posted by Peter2150
Hi Kees

My comment wasn't based on a test, but on the assumption that gw was just changing rights/policy, and that doesn't work. The problem to me was not just worrying about special folders, but even text files on the desktop got nailed.

Pete

Okay, I understand

But Aigle tested this in his confidential folder, to which untrusted programs are not allowed to write. That is why I asked Aigle to test again, because
a) Confidential implies extra policy containment
b) You have to explicitly specify such a folder (in both GW and DW)

So your comment was valid when this should be the case
#77 - July 9th, 2008, 09:52 AM
Dark Shadow (Massive Poster; Join Date: Oct 2007; Location: USA; Posts: 4,550)
Re: Some unique HIPS features

Quote:
Originally Posted by hammerman
Totally agree. The only programs effective against GPcode so far are GW, DW and Sandboxie. They have proved their worth. Nothing as far as I know detects the actual encrypting behaviour.

When a program is busy making all your data files unreadable, I would have said that was suspicious behaviour worthy of a response! When needed, Mamutu was wondering what to do next.

I need to think about a new setup after this. Paranoia is setting in again.
Nah, your Avira detects it if I am not mistaken, Sandboxie contains it, correct? And Returnil washes it away anyway. I would think no need for paranoia.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
#78 - July 9th, 2008, 11:54 AM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,416)
Re: Some unique HIPS features

Quote:
Originally Posted by Kees1958
Okay, I understand

But Aigle tested this in his confidential folder, to which untrusted programs are not allowed to write. That is why I asked Aigle to test again, because
a) Confidential implies extra policy containment
b) You have to explicitly specify such a folder (in both GW and DW)

So your comment was valid when this should be the case
No, the confidential folder was just a part of other folders that contained text files. GW stops its damage to ANY file or folder on your HD. It allows read to all files and folders but denies encryption/modification by malware. In the confidential folder it even denies READ also.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#79 - July 9th, 2008, 01:54 PM
hammerman (Frequent Poster; Join Date: Jul 2007; Location: UK; Posts: 283)
Re: Some unique HIPS features

Quote:
Originally Posted by aigle
No, the confidential folder was just a part of other folders that contained text files. GW stops its damage to ANY file or folder on your HD. It allows read to all files and folders but denies encryption/modification by malware. In the confidential folder it even denies READ also.

I believe this is the same as Defensewall. An untrusted application cannot change any file (with a few exceptions as pointed out by Ilya). If files/folders are in the Secured List, they cannot even be read.

Quote:
Originally Posted by djohn
Nah, your Avira detects it if I am not mistaken, Sandboxie contains it, correct? And Returnil washes it away anyway. I would think no need for paranoia.

I only use Sandboxie for browsing. If malware comes through e-mail or other route, I am only protected by Avira. Don't use Returnil much apart from testing.

I really want to include Defensewall as part of my setup so that all internet-facing apps are protected and anything recovered from the sandbox becomes untrusted. The big problem I have is that Sandboxie will not run correctly when I have OA and DW installed together. I'm thinking that changing my firewall is the only option.
__________________
Online-Armor | Defensewall | EQSecure 3.41 | AntiVir | Returnil |Sandboxie | A-squared Anti-Malware
#80 - July 9th, 2008, 02:25 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,416)
Re: Some unique HIPS features

I will not suggest combining SBIE and DW. Use one of them.
#81 - July 9th, 2008, 02:40 PM
hammerman (Frequent Poster; Join Date: Jul 2007; Location: UK; Posts: 283)
Re: Some unique HIPS features

Quote:
Originally Posted by aigle
I will not suggest combining SBIE and DW. Use one of them.

I have used these two together before and I like the setup. Sandboxie for browsing only, with all other internet-facing apps covered by Defensewall. The sandbox folder added as untrusted in Defensewall ensures that anything recovered from the sandbox becomes untrusted in Defensewall.
#82 - July 9th, 2008, 02:40 PM
Ilya Rabinovich (Developer; Join Date: Sep 2005; Posts: 1,516)
Re: Some unique HIPS features

Quote:
Originally Posted by hammerman
An untrusted application cannot change any file (with a few exceptions as pointed out by Ilya).
On the contrary: untrusted may change files, all but the ones included in the built-in extension protection section group (.exe, .jpg, .txt, .doc, .rtf and so on).
__________________
DefenseWall HIPS developer. www.softsphere.com
#83 - July 9th, 2008, 02:45 PM
jmonge (Incredibly Massive Poster; Join Date: Mar 2008; Location: Calgary, Canada; Posts: 11,779)
Re: Some unique HIPS features

Aigle, I use both with no problems and feel extra secure.
__________________
IKARUS anti.virus 2.2.14
#84 - July 9th, 2008, 03:10 PM
hammerman (Frequent Poster; Join Date: Jul 2007; Location: UK; Posts: 283)
Re: Some unique HIPS features

Quote:
Originally Posted by Ilya Rabinovich
On the contrary: untrusted may change files, all but the ones included in the built-in extension protection section group (.exe, .jpg, .txt, .doc, .rtf and so on).

Thanks Ilya, I didn't realise that.

Aigle
Is this the same with Geswall or are ALL files protected from modification by an isolated application?
#85 - July 9th, 2008, 05:00 PM
Dark Shadow (Massive Poster; Join Date: Oct 2007; Location: USA; Posts: 4,550)
Re: Some unique HIPS features

Quote:
Originally Posted by hammerman
I believe this is the same as Defensewall. An untrusted application cannot change any file (with a few exceptions as pointed out by Ilya). If files/folders are in the Secured List, they cannot even be read.


I only use Sandboxie for browsing. If malware comes through e-mail or other route, I am only protected by Avira. Don't use Returnil much apart from testing.

I really want to include Defensewall as part of my setup so that all internet-facing apps are protected and anything recovered from the sandbox becomes untrusted. The big problem I have is that Sandboxie will not run correctly when I have OA and DW installed together. I'm thinking that changing my firewall is the only option.
If I remember correctly, you also can check emails sandboxed to be sure they're safe and save the ones you want or recover, rather than solely relying on AV email scanners. Example: what if Avira detects nothing in an infected email you open? In the meantime you check them outside the box with no Returnil on or session lock. You would be infected without knowledge, without the chance of Sandboxie containing it or Returnil rectifying the changes. Please correct me if I am wrongly thinking here.
#86 - July 9th, 2008, 05:27 PM
hammerman (Frequent Poster; Join Date: Jul 2007; Location: UK; Posts: 283)
Re: Some unique HIPS features

Quote:
Originally Posted by djohn
If I remember correctly, you also can check emails sandboxed to be sure they're safe and save the ones you want or recover, rather than solely relying on AV email scanners. Example: what if Avira detects nothing in an infected email you open? In the meantime you check them outside the box with no Returnil on or session lock. You would be infected without knowledge, without the chance of Sandboxie containing it or Returnil rectifying the changes. Please correct me if I am wrongly thinking here.

I have never used Outlook Express sandboxed. Sandboxie is great for browsing but I think it's inconvenient to keep having to recover mail from a sandbox. 99% of e-mails I want to keep. The setup I use also needs to be wife and teenager-friendly. If I ask them to recover e-mails from the sandbox, I think I may get an old-fashioned look.

Back on-topic, I have now installed DW 2.44 and will check it against GPcode just to satisfy myself that it protects and to see if it misses any particular file types.
#87 - July 9th, 2008, 05:39 PM
Dark Shadow (Massive Poster; Join Date: Oct 2007; Location: USA; Posts: 4,550)
Re: Some unique HIPS features

I see, very understandable, and congrats on DW. Good choice indeed. Best of luck.
#88 - July 9th, 2008, 06:53 PM
hammerman (Frequent Poster; Join Date: Jul 2007; Location: UK; Posts: 283)
Re: Some unique HIPS features

Can confirm that DW protects against GPcode out-of-the-box with no special settings.

GPcode attempted to delete .jpg, .dwg, .txt and .doc files without success. Original files were retained alongside a new encrypted version. The only files not protected by DW were .bak files and these were deleted by GPcode.
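As an added example (not code from DefenseWall, GeSWall or anyone in this thread), the following toy model replays a GPcode-like sequence of file operations against the two policies discussed above: an extension-list policy, which reproduces the .bak gap hammerman observed, and an all-files policy with a confidential folder as aigle described. The extension list, the confidential folder, the file paths and the operation trace are all constructed.

```python
"""Toy model of the two untrusted-process file policies discussed in the thread.
Constructed example, not DefenseWall or GeSWall code: a DW-style extension list
(only listed extensions protected) versus a GW-style all-files policy (no
modification at all, and no READ inside a confidential folder)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed extension list; .bak deliberately absent, matching the thread's test.
PROTECTED_EXTENSIONS = {".exe", ".jpg", ".txt", ".doc", ".rtf", ".dwg"}
# Constructed confidential folder for the all-files policy.
CONFIDENTIAL_FOLDERS = (r"C:\Users\Me\Confidential",)

@dataclass(frozen=True)
class Access:
    trusted: bool   # is the requesting process trusted?
    op: str         # "read", "write" or "delete"
    path: str

def extension_list_policy(a: Access) -> bool:
    """DW-style: untrusted processes may read anything and may modify only
    files whose extension is NOT on the protected list."""
    if a.trusted or a.op == "read":
        return True
    return PureWindowsPath(a.path).suffix.lower() not in PROTECTED_EXTENSIONS

def all_files_policy(a: Access) -> bool:
    """GW-style: untrusted processes may never write or delete; reads are
    denied inside confidential folders and allowed elsewhere."""
    if a.trusted:
        return True
    p = PureWindowsPath(a.path)
    in_confidential = any(PureWindowsPath(c) in p.parents for c in CONFIDENTIAL_FOLDERS)
    return a.op == "read" and not in_confidential

def gpcode_like_events(originals):
    """Constructed untrusted-process trace: for each file, read it, write an
    encrypted copy beside it, then delete the original."""
    for p in originals:
        yield Access(False, "read", p)
        yield Access(False, "write", p + "._CRYPT")
        yield Access(False, "delete", p)

def simulate(originals, policy):
    """Evaluate each operation independently and report what the policy let through."""
    result = {"deleted": [], "written": [], "read_denied": []}
    for ev in gpcode_like_events(originals):
        allowed = policy(ev)
        if ev.op == "delete" and allowed:
            result["deleted"].append(ev.path)
        elif ev.op == "write" and allowed:
            result["written"].append(ev.path)
        elif ev.op == "read" and not allowed:
            result["read_denied"].append(ev.path)
    return result

SAMPLE_FILES = [  # constructed paths
    r"C:\Users\Me\Docs\report.doc", r"C:\Users\Me\Pics\photo.jpg",
    r"C:\Users\Me\Docs\notes.txt", r"C:\Users\Me\Docs\drawing.dwg",
    r"C:\Users\Me\Docs\backup.bak", r"C:\Users\Me\Confidential\secret.txt",
]

if __name__ == "__main__":
    for name, pol in (("extension list", extension_list_policy), ("all files", all_files_policy)):
        print(name, simulate(SAMPLE_FILES, pol))
```

Under the extension-list policy every encrypted copy is written and only backup.bak is deleted; under the all-files policy nothing is written or deleted and the read of the confidential file is refused.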
#89 - July 9th, 2008, 08:18 PM
Peter2150 (Global Moderator; Join Date: Sep 2003; Posts: 11,808)
Re: Some unique HIPS features

Quote:
Originally Posted by hammerman
I have never used Outlook Express sandboxed. Sandboxie is great for browsing but I think it's inconvenient to keep having to recover mail from a sandbox. 99% of e-mails I want to keep. The setup I use also needs to be wife and teenager-friendly. If I ask them to recover e-mails from the sandbox, I think I may get an old-fashioned look.

Back on-topic, I have now installed DW 2.44 and will check it against GPcode just to satisfy myself that it protects and to see if it misses any particular file types.

Hi Hammerman

Don't know about Outlook Express, but the way I have Outlook set up, I don't have to retrieve email out of the sandbox. Outlook stores everything in PST files and I leave them outside the sandbox. So if an email contains something evil it is in the PST and harmless. But if it does something while open, that action is sandboxed.

Pete
#90 - July 9th, 2008, 10:20 PM
MrBrian (Very Frequent Poster; Join Date: Feb 2008; Posts: 2,925)
Re: Some unique HIPS features

Quote:
Originally Posted by aigle
3- GPcode trojan- A malware that encrypts many files on an infected PC (like text files), causing data loss.

...

I have made a thread on Comodo forums to add such filters in CFP. What are your thoughts?

You can already do this (protect against GPcode) with CFP 3. Add those folders that contain your personal data to the protected files/folders list.
#91 - July 10th, 2008, 02:11 AM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,416)
Re: Some unique HIPS features

Quote:
Originally Posted by hammerman
Thanks Ilya, I didn't realise that.

Aigle
Is this the same with Geswall or are ALL files protected from modification by an isolated application?
I am not sure but I think it protects all files by default.
#92 - July 10th, 2008, 02:14 AM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,416)
Re: Some unique HIPS features

Quote:
Originally Posted by MrBrian
You can already do this (protect against GPcode) with CFP 3. Add those folders that contain your personal data to the protected files/folders list.
I have no special folders for that. My data is scattered all over my three non-OS partitions.
#93 - July 13th, 2008, 05:04 PM
hammerman (Frequent Poster; Join Date: Jul 2007; Location: UK; Posts: 283)
Re: Some unique HIPS features

Quote:
Originally Posted by Peter2150
Hi Hammerman

Don't know about Outlook Express, but the way I have Outlook set up, I don't have to retrieve email out of the sandbox. Outlook stores everything in PST files and I leave them outside the sandbox. So if an email contains something evil it is in the PST and harmless. But if it does something while open, that action is sandboxed.

Pete

Thanks for the tip Pete, I have done the same as you by sandboxing Outlook Express. I decided to use registered version to contribute to a fine program and to use the Forced Programs feature to ensure browser and OE start sandboxed.
#94 - July 13th, 2008, 05:06 PM
Kees1958 (Massive Poster; Join Date: Jul 2006; Posts: 5,857)
Re: Some unique HIPS features

Quote:
Originally Posted by aigle
I will not suggest combining SBIE and DW. Use one of them.

AHHH, another valued member opposing this strange idea that double is better, thanks Aigle
#95 - July 13th, 2008, 06:21 PM
EASTER (Massive Poster; Join Date: Jul 2007; Location: U.S.A. (South); Posts: 4,520)
Re: Some unique HIPS features

Keeping on topic, I will suggest some "unique" features that I personally feel "ALL" HIPS should implement without delay or question, and I think I mentioned a few before, but for the subject's sake and for comparison with other users of this type of security protection, it might be worthy of some comments of their own.

It would be, and cannot be denied as, useful if all HIPS made provision for auto-restarting any running processes that might suddenly and/or without notice be forcefully terminated or crash, as can sometimes be the case with Windows. Users shouldn't have to go on a hunt to add this additional prevention to their security programs, IMHO. It should have already been implemented, and in at least one instance I'm aware of, System Safety Monitor was the first (correct me if in error) to offer this useful feature in its first HIPS version.

Sorry, but I don't know about Prevx or Comodo or others, because I tend to concentrate on a chosen few or a couple of HIPS when determining needs.

MD5 checksums are implemented in some HIPS. How dependable are they really? Windows is much too vast for a single researcher to examine this Redwood Forest of so many aspects of the Windows operating system, so I would be all eyes in reading others' opinions on this, but it would appear another useful aspect of verifying the content and integrity of files without relying on connecting to Microsoft's database through an internet connection to assure a perfect match. Although I am not against this practice, it's more favorable in my experience to operate from a local database instead. Just a personal preference, that's all.

There's been much debate over Behavioral Blockers/HIPS that rely on checking an online database automatically. There are probably as many in favor as opposed to this approach because, if I read things right, not even AVs/ASs go to this extreme, but again some may; I could be missing those that actually do.

I must attest with my sincerest testimony, however, that with the introduction of HIPS, I've personally and in research realized a positive net increase in security and much less drive-by hijacking compared to when all that was depended on was an AV. I know they're not perfect, and they are vital in so many ways, as well as having stepped up their own research and improvements with heuristics and the like, and with that they can confidently make a positive case when matched up to a Classical HIPS, so there's no tipping of the scale in either's favor on effort.

Lastly, I would like to see HIPS expand deeper (where possible for stability) and set up UNMOVEABLE hooks in both the SSDT Table and Shadow SSDT as well. SSM fills up that first table when observed via deep explorer tools, but the key, IMO, is to prevent being unseated by any table unhooker (if possible).

Tall order? I think not, but then I don't clock into their labs every day like they do and go over notes and reports.

So, whatta ya think?

EASTER
__________________
★AX 64 Time Machine★
★Shadow Defender★| EQSecure v4.0 |#Sandboxie 4.08 beta# |FirstDefense-ISR|★FileChangeAlarm★ |Registry Backup VSS|
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1

Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶
#96 - July 13th, 2008, 11:16 PM
Hugger (Very Frequent Poster; Join Date: Oct 2007; Location: Hackensack, USA; Posts: 1,003)
Re: Some unique HIPS features

I've been reading this and some of the other threads and am wondering about HIPS with other security software.
For example, if I buy Defensewall or Geswall for my new pc do I still need to run a firewall?
Or a full time AV?
Same question for on demand anti malware/spyware.
HIPS seem to have come a long way over the past few years. But they have a long way to go too.
Am I missing the point with these HIPS?
Just curious.
Thanks.
Hugger
#97 - July 13th, 2008, 11:24 PM
EASTER (Massive Poster; Join Date: Jul 2007; Location: U.S.A. (South); Posts: 4,520)
Re: Some unique HIPS features

Quote:
Originally Posted by Hugger
I've been reading this and some of the other threads and am wondering about HIPS with other security software.
For example, if I buy Defensewall or Geswall for my new pc do I still need to run a firewall?
Or a full time AV?
Same question for on demand anti malware/spyware.
HIPS seem to have come a long way over the past few years. But they have a long way to go too.
Am I missing the point with these HIPS?
Just curious.
Thanks.
Hugger

No, you're right on target. HIPS, as extremely formidable as they are at present, need improvements to cover not just what I suggested, but they have the wherewithal to advance even more in the way of near total security, and they're not quite at that level just yet.
#98 - July 14th, 2008, 03:10 AM
Someone (Very Frequent Poster; Join Date: Jan 2008; Posts: 1,106)
Re: Some unique HIPS features

Quote:
Originally Posted by Kees1958
AHHH, another valued member opposing this strange idea that double is better, thanks Aigle

Hi

I don't really get what's wrong with it if there's no conflicts.

A user can use DW for ALL their internet-facing apps, and Sandboxie just for their browser in addition to DW. In this case, Sandboxie can be used primarily as a clean-up tool, as everything is gone, including any inactive malware.

Thanks
Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums