#1

1) The HIPS must be able to prevent executables from running.
2) It must be possible to turn auto-allow based on digital signatures off, because there is malware now that comes with a valid-looking digital signature (and never mind stuff like the Sony BMG rootkit).
3) Most importantly, it must be possible to update the whitelist en masse; i.e. to allow individual files in batches, rather than one at a time. I'm not talking about allowing everything in a given directory, which is grossly insecure, but rather the mass creation of hash rules.

Are there any HIPS or HIPS/firewall combos like this? Freeware would be a bonus, but IMO such a piece of software would be well worth paying for.
#2

Malware Defender has the first two options. The third option is not possible... One can only add folders and/or subfolders, but not more than one individual file at once.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS My security setup in detail • Always remember you're unique, just like everyone else •
#3

Not sure, but maybe this: http://www.online-solutions.ru/en/pr...ity-suite.html
__________________
We are such stuff As dreams are made on.
#4

Quote:

Why? I can't think of any reason the HIPS couldn't iterate through a set of executables and calculate hashes for all of them. (And if it's a limitation of the Windows file selection dialog, then why not allow one to calculate hashes for all executables in a directory, instead of blindly allowing anything in that directory like e.g. SSM?)
#5

Quote:

Most HIPS can be tailored the way you want; out of the box those will do fine:
1. FW / HIPS = Private Firewall, Online Armor
2. AntiExec = NovirusThanksRadarPro, SpywareTerminator

regards
#6

Thanks... Unfortunately PrivateFirewall doesn't allow mass addition of executables, and neither AFAICT does Online Armor. I might try Spyware Terminator next.

(If you're wondering what this is about, I'm trying to create a whitelist-based setup that works reasonably well with development and CLI tools; because at the moment, whitelisting looks to me like the most sensible approach to Windows security.)
#7

Quote:

MD does not use hashes to identify apps. It uses filenames with paths to identify an app. Modifying/replacing an executable is prevented with file rules. When manually adding a rule only one executable can be added at a time. I usually put MD in Learning mode for a while and run programs that I use. After a while I put it back to Normal mode and check and edit all rules created during Learning mode. I never had a need to blindly add all exes from a directory to my rules.

EDIT: OK, I saw your post too late.

EDIT2: I think you can achieve what you want with MD. You can add a whole dir with subdirs to the whitelist. All exes in that folder will be whitelisted. File rules of MD will prevent modifying and adding new exes to that folder, so untrusted apps can't be accidentally whitelisted.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS My security setup in detail • Always remember you're unique, just like everyone else • Last edited by tomazyk : May 20th, 2012 at 02:42 PM.
#8

Update: Spyware Terminator doesn't allow mass additions to the whitelist either. This is really quite annoying!

As for learning mode, I suppose that's doable... It seems to me like an excessively dangerous way to whitelist a few dozen files. Granted that you can prune the whitelist later, if you get compromised while in learning mode it's all over.
#9

Quote:

Thank you. That is exactly what I am looking for! (And if anyone knows of any other HIPS that can do that, please do let me know. The more the merrier.)
#10

Why not SRP? It can deny executables from running and you can specify whatever directories/subdirectories you want to exclude. Virtually no performance impact and free (sort of).
#11

Again, no en masse whitelisting, except through directories - which is either very insecure (as administrator) or very inconvenient (as limited user).

(Win7 parental controls do make LUA/SRP easier, but unfortunately seem to recalculate each and every checksum whenever adding a new application to the whitelist. When you have a MinGW toolchain installed, this takes a while.)
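The mass creation of hash rules asked for in post #1, the "iterate through a set of executables and calculate hashes for all of them" that post #4 says a HIPS could do, and the recalculate-every-checksum complaint in post #11, as an added Python example that is not code from this thread or from any of the products named in it. It walks a directory, hashes each executable into a whitelist keyed by path, answers allow/deny questions by content hash rather than path, and on a later run reuses entries whose size and mtime are unchanged so only new or changed files are rehashed. `EXEC_SUFFIXES`, the directory layout in `demo()` and the fake file contents are assumptions constructed for the example, not real binaries.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as executable here (an assumption for this example; real
# HIPS products decide by PE header or their own lists).
EXEC_SUFFIXES = {".exe", ".dll", ".com", ".scr", ".cpl", ".msi"}


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory blob (used for sanity checks)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk: int = 1 << 20) -> str:
    """Stream the file so large toolchain binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_whitelist(root, existing=None, suffixes=EXEC_SUFFIXES):
    """Walk `root` and return (rules, rehashed_count).

    rules maps absolute path -> {"sha256", "size", "mtime_ns"}. Entries from
    `existing` whose size and mtime are unchanged are reused without rehashing,
    which avoids recomputing every checksum on each whitelist update.
    """
    existing = existing or {}
    rules = {}
    rehashed = 0
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        st = p.stat()
        key = str(p.resolve())
        old = existing.get(key)
        if old and old["size"] == st.st_size and old["mtime_ns"] == st.st_mtime_ns:
            rules[key] = old
            continue
        rules[key] = {"sha256": sha256_file(p), "size": st.st_size,
                      "mtime_ns": st.st_mtime_ns}
        rehashed += 1
    return rules, rehashed


def is_allowed(path, rules) -> bool:
    """Decide by content hash, not by path: a binary replaced in place at a
    whitelisted path is denied, and an unchanged binary copied elsewhere is allowed."""
    allowed = {r["sha256"] for r in rules.values()}
    return sha256_file(path) in allowed


def demo() -> dict:
    """Constructed scenario: a fake toolchain directory, not real executables."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        gcc = bin_dir / "gcc.exe"
        gcc.write_bytes(b"MZ fake gcc")  # constructed content, not a real PE file
        (bin_dir / "ld.exe").write_bytes(b"MZ fake ld")
        (bin_dir / "README.txt").write_bytes(b"documentation, not code")

        rules, rehashed = build_whitelist(tmp)
        results["rule_count"] = len(rules)  # README.txt is skipped
        results["first_pass_rehashed"] = rehashed
        results["gcc_allowed"] = is_allowed(gcc, rules)

        # A copy of a whitelisted binary under another name is still allowed.
        copy = Path(tmp) / "gcc-copy.exe"
        copy.write_bytes(b"MZ fake gcc")
        results["copy_allowed"] = is_allowed(copy, rules)

        # Replacing the binary at the whitelisted path is denied until re-approved.
        gcc.write_bytes(b"MZ something else entirely")
        results["tampered_allowed"] = is_allowed(gcc, rules)

        # Incremental update: only the changed file and the new copy are rehashed;
        # ld.exe is reused from the previous rule set.
        rules, rehashed = build_whitelist(tmp, existing=rules)
        results["second_pass_rehashed"] = rehashed
        results["rule_count_after"] = len(rules)
        results["tampered_now_allowed"] = is_allowed(gcc, rules)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The rehashed count from an incremental run is the set of entries a reviewer should look at before accepting the updated list, since it is exactly the files that are new or changed since the last approval; that is the same review step tomazyk describes doing after a learning-mode session, but over a handful of files rather than everything that ran. Keying decisions on the hash rather than the path is also what separates this from the path-plus-file-rules model post #7 describes: a replaced binary at an approved path is denied without any extra rule.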
#12

Mamutu is more of a behavior monitor as opposed to a HIPS, but has a whitelist that is updated. I had issues running it on my computer but others report no issues.
__________________
"Being safe on the internet is a lot like being safe in real life. Always have a back-up plan and be careful where you stick your pointer." -- anonymous (but probably not Anonymous)
#13

SpyShelter, perhaps?
#14

Again, thanks.

BTW, I also tried Windows Defender's HIPS mode briefly, and I have a question about it. Supposedly one of the things it can watch for is program execution... But it clearly has a very extensive whitelist built in. Where does it get/keep that whitelist?
#15

I think Kees's suggestion, NVT EXE RADAR PRO, could do what you're looking for.
You can select a folder to scan for applications for the whitelist (MD5).
__________________
The GNU Operating System - The GNU Project / Linux Kernel - Linux Foundation / Debian GNU/Linux Electronic Frontier Foundation (EFF) / The Free Software Foundation (FSF) / Creative Commons (CC) / Foundation for a Free Information Infrastructure (FFII) / Free Software Magazine
#16

Thank you, EXE Radar Pro appears to work exactly as I want. I'm not entirely certain it's trustworthy, but then I'm not entirely certain anything in the Windows world is trustworthy.
#17

EXE Radar Pro is an excellent program. Since I switched to it I've loved all its features. It's a very easy program to use. It has a ton of options to configure it. It's very light on resources and you don't even realize that it's running.
__________________
Realtime: WSA AV (Maxed Settings), Sandboxie Paid ( Dropmyrights and Browsers sandboxed) Lifetime license, NVT EXE Radar Pro (Lockdown mode). K9 Web protection. (malware, phishing and HTTPS force) Norton DNS. On-Demand: MBAM+EAM Hitman pro (Scans daily)
#18

I believe Online Armor is going to be your best option if you want to stay with a HIPS. Don't take my word for it; just try it for yourself.
-http://www.emsisoft.com/en/order/oa/

You may also want to look at Appguard from Blue Ridge Networks. It's an anti-executable. If you want to be extremely secure then you need to try this application! It stops pretty much everything in its tracks!
-http://www.blueridge.com/index.php/products/appguard/consumer
__________________
Netgear Prosecure UTM25 | Online Armor | NOD 32 | WSA | Appguard | VoodooShield | Shadow Defender 1.1.0.325
#19

Online Armor fulfills your first 2 requirements, not so sure about the third one.
Give it a try! (And it has lots of other features.)
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736 SRP - UAC - EMET Browser: Google Chrome v25.xx Windows 7 Ultimate x64
#20

Tried it. It does not fulfill the third requirement.

I'm kind of surprised how few HIPS/firewalls do, actually. It should not be hard to implement, and is an essential feature for anyone using e.g. Cygwin.
#21

Agnitum Outpost Firewall Pro does 1) and 2); on 3) I'm not sure, maybe half of 3). It's been some time since I used it, but that HIPS is very clear and effective. Has a lifetime license too.

Mmm.. I'll probably have to install it again
#22

I just discovered Online Armor's install mode, which somehow escaped my notice earlier... Consider this problem basically solved.

(And I'm liking Online Armor Free. It is... very paranoid.)

Edit: Or not. OA adds some serious overhead when running small executables - several seconds per command. Grr!

Last edited by Gullible Jones : May 22nd, 2012 at 08:07 PM.