Wilders Security Forums  

#1 - August 18th, 2009, 03:23 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 9,351)
CFP- Poor Pop up alerts compared with other HIPS?

The thread by underdog inspired me and I tested a special scenario with multiple HIPS. I wanted to see how clear, simple and user friendly the pop up alerts given by multiple HIPS on a driver/ service install are.

I tried three HIPS:

- CFP
- EQS
- OA

I am summarizing my findings here. I may be wrong anywhere as I am just an ordinary user with very limited knowledge.

I installed the trial version of virtual cd 9

http://www.virtualcd-online.com/vcd/...nload.cfm?lg=0

and looked for the pop up alerts generated by the HIPS on driver/ service install. This software installs the following drivers/ services:

1- VDRV9000.SYS( driver)
2- HH9Help.sys( driver)
3- VC9SecS.exe( service)

My observations are as follows:

1- Out of the three HIPS I tried, IMO the best alerts are given by EQS. It clearly warned that a driver/ service was being installed. Pop ups were not few, but they were also not so numerous that they got lost. Look at the pop up alerts by EQS. Not all pop ups are shown, I am showing the relevant alerts only.

[Attached images: EQS 1.png, EQS2.png, EQS3.png]
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine
Transition to Ubuntu with NO SECURITY SOFTWARE however VirtualBox is a great fun.

I am waiting for a pop up HIPS for Ubuntu!

Last edited by aigle : August 18th, 2009 at 05:38 PM.
#2 - August 18th, 2009, 03:24 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 9,351)
Re: CFP- Poor Pop up alerts compared with other HIPS?

2- The worst type of alerts are given by CFP (of course in my opinion only). CFP alerts are too numerous. It never tells you directly that a service/ driver is being installed. Rather it gives alerts about registry modification, and many users will not understand that these are in fact driver/ service install alerts. Moreover, the registry modification alerts in this case are so numerous that one might just get lost in them and overlook the registry modification alerts that actually indicate that a service/ driver is being installed.

Look at the alerts by CFP. Not all alerts are shown, I am showing the relevant alerts only. CFP gave countless alerts about reg modifications.

[Attached images: CFP1.png, CFP2.png, CFP3.png]
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine
Transition to Ubuntu with NO SECURITY SOFTWARE however VirtualBox is a great fun.

I am waiting for a pop up HIPS for Ubuntu!
#3 - August 18th, 2009, 03:25 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 9,351)
Re: CFP- Poor Pop up alerts compared with other HIPS?

3- OA was in between (maybe on top for some). It gave very few alerts. It clearly gave red alerts on driver/ service install but IMO the alerts were not so clear, as they did not mention that a driver is being installed, although the red alarming color compensated for it to some extent. OA however did not give any alert about the service install (VC9SecS).

Look at the relevant pop up alerts by OA.
[Attached images]
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine
Transition to Ubuntu with NO SECURITY SOFTWARE however VirtualBox is a great fun.

I am waiting for a pop up HIPS for Ubuntu!
#4 - August 18th, 2009, 03:25 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 9,351)
Re: CFP- Poor Pop up alerts compared with other HIPS?

I could not try MD as I have no licence for that. If anyone can try and post the relevant alerts I will be thankful.

Conclusion: CFP needs to make their alerts clear that a service/ driver is being installed, and it also needs to decrease the huge number of registry modification alerts (IMO).

I am posting the very same thread on their forums, if they can listen. Let's hope. Let me know of your opinions.
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine
Transition to Ubuntu with NO SECURITY SOFTWARE however VirtualBox is a great fun.

I am waiting for a pop up HIPS for Ubuntu!
#5 - August 18th, 2009, 03:27 PM
firzen771 (Massive Poster; Join Date: Oct 2007; Location: Ontario, Canada; Posts: 3,874)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Any chance you'd be willing to try Outpost Firewall?
__________________
Windows 7 32bit - Windows FW: Enabled - Windows Defender: Disabled - UAC: Disabled - DEP: Enabled

Real-Time: ESET NOD32 Antivirus / Zemana Antilogger / WinPatrol
On-Demand: MBAM / Hitman Pro / Sandboxie
#7 - August 18th, 2009, 03:34 PM
StevieO (Frequent Poster; Join Date: Feb 2006; Posts: 1,069)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Hi aigle

Thanx for the tests.

When a driver is about to be installed, I think a much clearer warning should be given on all such apps, as most people wouldn't even know what it was, or .SYS.

Something like,

A potentially harmful piece of software is about to be installed. If this came from a reputable source, then it's probably ok. If in doubt, do NOT proceed; make a note of its name, and then use a search engine for more information.
#8 - August 18th, 2009, 04:12 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 9,351)
Re: CFP- Poor Pop up alerts compared with other HIPS?

I agree. OA gave red alerts at least.
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine
Transition to Ubuntu with NO SECURITY SOFTWARE however VirtualBox is a great fun.

I am waiting for a pop up HIPS for Ubuntu!
#9 - August 18th, 2009, 04:14 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 9,351)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by firzen771
Any chance you'd be willing to try Outpost Firewall?
Never used it, and it takes a lot of time to try and understand a new HIPS. I spent almost a day already.
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine
Transition to Ubuntu with NO SECURITY SOFTWARE however VirtualBox is a great fun.

I am waiting for a pop up HIPS for Ubuntu!
#10 - August 18th, 2009, 04:17 PM
firzen771 (Massive Poster; Join Date: Oct 2007; Location: Ontario, Canada; Posts: 3,874)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by aigle
Never used it, and it takes a lot of time to try and understand a new HIPS. I spent almost a day already.

I'm not really interested in an in-depth understanding of the HIPS. I just won't be home for 4 days and am curious what Outpost HIPS alerts look like for this situation at the default level and, if that doesn't alert, then at max (preferably the alert at max or whatever it is between middle and max), since I'm considering installing Outpost on my main machine.
__________________
Windows 7 32bit - Windows FW: Enabled - Windows Defender: Disabled - UAC: Disabled - DEP: Enabled

Real-Time: ESET NOD32 Antivirus / Zemana Antilogger / WinPatrol
On-Demand: MBAM / Hitman Pro / Sandboxie
#11 - August 18th, 2009, 05:01 PM
Creer (Frequent Poster; Join Date: Jun 2008; Posts: 865)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by aigle
I could not try MD as I have no licence for that. If anyone can try and post the relevant alerts I will be thankful.

Conclusion: CFP needs to make their alerts clear that a service/ driver is being installed, and it also needs to decrease the huge number of registry modification alerts (IMO).

I am posting the very same thread on their forums, if they can listen. Let's hope. Let me know of your opinions.
Aigle, don't forget about Conficker test:
http://www.wilderssecurity.com/showp...&postcount=115

Good job!
__________________
Windows 7 x32
Look 'n' Stop v2.07 & DefenseWall v3
~
#12 - August 18th, 2009, 05:03 PM
firzen771 (Massive Poster; Join Date: Oct 2007; Location: Ontario, Canada; Posts: 3,874)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by Creer
Aigle, don't forget about Conficker test:
http://www.wilderssecurity.com/showp...&postcount=115

Good job!

lol, so whatever happened to the infamous Conficker? Wasn't it supposed to, like, cripple the world?
__________________
Windows 7 32bit - Windows FW: Enabled - Windows Defender: Disabled - UAC: Disabled - DEP: Enabled

Real-Time: ESET NOD32 Antivirus / Zemana Antilogger / WinPatrol
On-Demand: MBAM / Hitman Pro / Sandboxie
#13 - August 18th, 2009, 05:17 PM
raven211 (Very Frequent Poster; Join Date: May 2005; Posts: 2,268)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Were all the software run with their respective default settings?
__________________
: Prevx 3.0 + SafeOnline : Full DEP with exclusions/MBRGuard : FileHippo Update Checker :
: MVPS HOSTS file/OpenDNS :
: Hitman Pro :
#14 - August 18th, 2009, 05:17 PM
raven211 (Very Frequent Poster; Join Date: May 2005; Posts: 2,268)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by Creer
Aigle, don't forget about Conficker test:
http://www.wilderssecurity.com/showp...&postcount=115

Good job!

I'll always remember that topic in the back of my head - don't worry.
__________________
: Prevx 3.0 + SafeOnline : Full DEP with exclusions/MBRGuard : FileHippo Update Checker :
: MVPS HOSTS file/OpenDNS :
: Hitman Pro :
#15 - August 18th, 2009, 05:38 PM
Joeythedude (Frequent Poster; Join Date: Apr 2007; Posts: 479)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Good test. Thanks.

They all did mention services or blah.sys which is good.

Personally I'd only want to know how many *.sys files were being loaded, so more alerts than that would be a nuisance.
__________________
Recommend : Trusted Download Sites & Default-Deny Policy

Windows 7 , Win FW , UAC (Highest setting) , DEP ( All programs)
#16 - August 18th, 2009, 05:48 PM
dw426 (Very Frequent Poster; Join Date: Jan 2007; Posts: 2,259)
Re: CFP- Poor Pop up alerts compared with other HIPS?

I agree completely with your findings, I too saw mostly "registry modifications" in CFP alerts, which, well, to put it rather bluntly, are useless. Allow me to hop up on my soapbox again real quick, I won't be up there long: Imho, none of these apps you tested have acceptable alerts. Okay, so they say "if you trust this program", well, okay, so what IS that program? Just about every legit program I've ever run has done "suspicious" things, it's simply the way programs work. If that's the case, how in the world are the "average" among us supposed to know when to answer allow and when to answer deny?

A lot of people here (and elsewhere too of course) are quick to praise these HIPS apps and recommend they be added whenever someone comes along and asks if their setup looks ok or they are brand new and wonder what they really need to be secure. That's fine, but right after we all suggest this stuff, how about we point them in the direction of a good "OS basics" manual, whether that be a post set up here, a website, whatever?

If people are going to answer these prompts right and have the apps work for them and not against them, and if HIPS is ever going to be more than just a "specialty", then these people are going to need to know WHY "injections" are occurring, and WHY files and registries are being modified. We seem perfectly willing to make pages and pages of posts on the intricacies of Sandboxie, even explaining why the configurations that we post in detail are suggested. We do that for Sandboxie, SRP, firewalls, anti-virus, but no one ever bothers to explain much about HIPS (unless I'm missing posts here).

Yet, with so little explanation, we cheerily sing HIPS praises daily, suggesting them to people that just want to make a secure environment for their small office, right down to people that admit they don't even understand the concept of things like Sandboxie...and then we want them to answer prompts about .sys files being modified and other cryptic jargon being spewed forth from these apps. *takes deep breath* All I'm saying is apply the same amount of knowledge and willingness to help towards HIPS as we do other security measures. HIPS might be the strongest security out there, but it isn't going to secure a bucket of chicken if one prompt is answered wrong.

Last edited by dw426 : August 18th, 2009 at 06:01 PM.
#17 - August 18th, 2009, 06:34 PM
IceCube1010 (Frequent Poster; Join Date: Apr 2008; Location: Earth; Posts: 692)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by dw426
I agree completely with your findings, I too saw mostly "registry modifications" in CFP alerts, which, well, to put it rather bluntly, are useless. Allow me to hop up on my soapbox again real quick, I won't be up there long: Imho, none of these apps you tested have acceptable alerts. Okay, so they say "if you trust this program", well, okay, so what IS that program? Just about every legit program I've ever run has done "suspicious" things, it's simply the way programs work. If that's the case, how in the world are the "average" among us supposed to know when to answer allow and when to answer deny?

A lot of people here (and elsewhere too of course) are quick to praise these HIPS apps and recommend they be added whenever someone comes along and asks if their setup looks ok or they are brand new and wonder what they really need to be secure. That's fine, but right after we all suggest this stuff, how about we point them in the direction of a good "OS basics" manual, whether that be a post set up here, a website, whatever?

If people are going to answer these prompts right and have the apps work for them and not against them, and if HIPS is ever going to be more than just a "specialty", then these people are going to need to know WHY "injections" are occurring, and WHY files and registries are being modified. We seem perfectly willing to make pages and pages of posts on the intricacies of Sandboxie, even explaining why the configurations that we post in detail are suggested. We do that for Sandboxie, SRP, firewalls, anti-virus, but no one ever bothers to explain much about HIPS (unless I'm missing posts here).

Yet, with so little explanation, we cheerily sing HIPS praises daily, suggesting them to people that just want to make a secure environment for their small office, right down to people that admit they don't even understand the concept of things like Sandboxie...and then we want them to answer prompts about .sys files being modified and other cryptic jargon being spewed forth from these apps. *takes deep breath* All I'm saying is apply the same amount of knowledge and willingness to help towards HIPS as we do other security measures. HIPS might be the strongest security out there, but it isn't going to secure a bucket of chicken if one prompt is answered wrong.

Agree, unfortunately. The HIPS component can be the strongest part of your security arsenal, but it could also be the weakest.

Ice
__________________
SBIE|MSE
#18 - August 18th, 2009, 06:36 PM
subset (Frequent Poster; Join Date: Nov 2007; Location: Austria; Posts: 765)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by aigle
It clearly gave red alerts on driver/ service install but IMO the alerts were not so clear, as they did not mention that a driver is being installed, although the red alarming color compensated for it to some extent.
There is simply no extra prompt for drivers/services, everything comes as an Autostart warning. This may be ok for standard mode, but in expert mode there should be accurate information.

Quote:
Originally Posted by aigle
OA however did not give any alert about the service install (VC9SecS).
Some parts of Virtual CD may be excluded because of signatures or OASIS, so I think you have to disable the OA whitelist for this prompt.

Quote:
Originally Posted by firzen771
any chance ud be willing to try Outpost Firewall?
Outpost is very accurate, apart from 'driver or service'.

[Attached images: op01.png, op02.png, op03.png]

It's pretty much the same with PS/RTD, but here everything is a service.

[Attached image: RTDVCD.png]

Cheers
__________________
"Free thought can't be bought" States Of Mind - Senser
#19 - August 18th, 2009, 07:29 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 9,351)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Thanks for the nice screenshots.
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine
Transition to Ubuntu with NO SECURITY SOFTWARE however VirtualBox is a great fun.

I am waiting for a pop up HIPS for Ubuntu!
#20 - August 18th, 2009, 08:11 PM
jp10558 (Infrequent Poster; Join Date: Oct 2006; Posts: 27)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by aigle
3- It clearly gave red alerts on driver/ service install but IMO the alerts were not so clear, as they did not mention that a driver is being installed, although the red alarming color compensated for it to some extent.
One thing to notice for CIS is that it DID give red color alerts vs orange or yellow (see the top bar color), so this ought to be mitigation as with OA. That said, the content of these alerts was meaningless for me.

I do think that Outpost probably has the best alerts for this, but is it the pay or the free Outpost shown?
#21 - August 18th, 2009, 08:44 PM
subset (Frequent Poster; Join Date: Nov 2007; Location: Austria; Posts: 765)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by jp10558
I do think that Outpost probably has the best alerts for this, but is it the pay or the free Outpost shown?
These are from Outpost Pro, but as far as I know there will be no difference with OP Free because the Host Protection is the same.

Quote:
Originally Posted by aigle
I could not try MD as I have no licence for that. If anyone can try and post the relevant alerts I will be thankful.
These are the MD prompts.

[Attached images: MDVirtualCD1.png, MDVirtualCD2.png, MDVirtualCD3.png]

IMHO also very accurate prompts with useful information.
There are also all these prompts about the registry stuff, like with CIS.

Cheers
__________________
"Free thought can't be bought" States Of Mind - Senser

Last edited by subset : August 18th, 2009 at 10:00 PM. Reason: MD prompts
#22 - August 18th, 2009, 10:57 PM
Joeythedude (Frequent Poster; Join Date: Apr 2007; Posts: 479)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Malware Defender & Outpost look the best to me. This was a great idea for a thread. Funny the way the different apps compare.
__________________
Recommend : Trusted Download Sites & Default-Deny Policy

Windows 7 , Win FW , UAC (Highest setting) , DEP ( All programs)
#23 - August 19th, 2009, 12:00 AM
Dregg Heda (Frequent Poster; Join Date: Dec 2008; Posts: 806)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Quote:
Originally Posted by dw426
I agree completely with your findings, I too saw mostly "registry modifications" in CFP alerts, which, well, to put it rather bluntly, are useless. Allow me to hop up on my soapbox again real quick, I won't be up there long: Imho, none of these apps you tested have acceptable alerts. Okay, so they say "if you trust this program", well, okay, so what IS that program? Just about every legit program I've ever run has done "suspicious" things, it's simply the way programs work. If that's the case, how in the world are the "average" among us supposed to know when to answer allow and when to answer deny?

A lot of people here (and elsewhere too of course) are quick to praise these HIPS apps and recommend they be added whenever someone comes along and asks if their setup looks ok or they are brand new and wonder what they really need to be secure. That's fine, but right after we all suggest this stuff, how about we point them in the direction of a good "OS basics" manual, whether that be a post set up here, a website, whatever?

If people are going to answer these prompts right and have the apps work for them and not against them, and if HIPS is ever going to be more than just a "specialty", then these people are going to need to know WHY "injections" are occurring, and WHY files and registries are being modified. We seem perfectly willing to make pages and pages of posts on the intricacies of Sandboxie, even explaining why the configurations that we post in detail are suggested. We do that for Sandboxie, SRP, firewalls, anti-virus, but no one ever bothers to explain much about HIPS (unless I'm missing posts here).

Yet, with so little explanation, we cheerily sing HIPS praises daily, suggesting them to people that just want to make a secure environment for their small office, right down to people that admit they don't even understand the concept of things like Sandboxie...and then we want them to answer prompts about .sys files being modified and other cryptic jargon being spewed forth from these apps. *takes deep breath* All I'm saying is apply the same amount of knowledge and willingness to help towards HIPS as we do other security measures. HIPS might be the strongest security out there, but it isn't going to secure a bucket of chicken if one prompt is answered wrong.
This is an EXCELLENT post dw426! It would be great if there was some resource which could explain to newbies such as myself how to answer HIPS prompts correctly.
#25 - August 19th, 2009, 03:05 AM
dw426 (Very Frequent Poster; Join Date: Jan 2007; Posts: 2,259)
Re: CFP- Poor Pop up alerts compared with other HIPS?

Hi there, SSJ. I have to say I agree with what you say also, HIPS apps ARE like an AV with an awesome detection rate and a horrible FP rate. I've never heard it put that way, but I don't think it could have been defined any better. Now, on to your example of surfing the internet and having that ".exe wants to run" prompt...you're darned right that's a HUGE red flag....unfortunately that scenario is rarely played out, it's 99% of the time a GOOD program bringing up these alerts, and lots of times when you aren't surfing but just running/installing a program.

I wish I knew of a better way to make HIPS "smarter", and have these alerts not appear so cryptic yet still give enough information to evaluate the prompt. However, I have no such knowledge to do so. To me, HIPS products scare people more than help them. They run a simple game or something, and all of a sudden these red-bordered warnings with the words "malicious" and "execute" pop up, they're likely to freak out, even if they already scanned said game for malware/viruses beforehand (I use that example because it happened to me once before I knew a bit more about how things work).
 
