What is the best HIPS out there ?

Discussion in 'polls' started by IcePanther, Jun 9, 2006.


What is the best HIPS software ?

  1. Antihook

    1 vote(s)
    0.4%
  2. Ghost security suite

    31 vote(s)
    11.6%
  3. Online Armor

    60 vote(s)
    22.5%
  4. PrevX

    38 vote(s)
    14.2%
  5. Process Guard

    29 vote(s)
    10.9%
  6. System Safety Monitor

    54 vote(s)
    20.2%
  7. Other.... (please specify in your post)

    54 vote(s)
    20.2%
Thread Status:
Not open for further replies.
  1. tristantzara

    tristantzara Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    78
    yes, ghostsecurity suite is my winner too
     
  2. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    Hi...
    First of all, I'd like to correct something I stated previously. I do not use the learning mode in SSM. I had in mind that the way I use it can be called some kind of learning mode, but I just realized that there is a built-in function in SSM which is precisely called that way! Sorry.

    Anyway. I've just been PMed a question about the concept of interference between SSM and some AV. The question is: "is there any?" My answer: nope.

    How do you do that? I'll try and redescribe my way of doing things if I may. First of all, I install SSM on a clean system, i.e. one that I just installed and patched. Best way to do this, of course, is to use some imaging software to restore a valid backup of your choice.

    I also make sure that I'm physically disconnected from the net.

    Then I install SSM. Once that is done, and after I have restarted the system as demanded by the installation routine, I have the green SSM icon activated in the systray.

    I then rightclick on this icon. I "enable application rules" and "all the modules". Then I click on "preferences". I choose "options". I check "start automatically" and I also check "connect user interface at startup". Then I restart the system again.

    Right after startup, now SSM alerts me that some pilot is executing some action, and asks me if I would allow it. Since I know for sure that my system is clean (because I checked it with AV's and Spybot and so on BEFORE I installed ssm) I answer "always allow running of this application". Then it asks me if I want to allow this or that process or this or that AV to run, and this or that firewall, and each time I answer the same as above. It may be some 20 questions, depending on how many legitimate processes are running after startup on your pc. No big deal.

    Once it calms down with the questions, I restart the pc again. Some new question may arise again, but much less than previously. I again answer ok each time.

    Once that is done, I manually launch my Openoffice, and ssm asks if I want to allow it, and I say yes. I do the same with Opera. Then the same with FireFox, same with 7Zip, same with whatever application I like and currently use day in and day out. I could do this with windows update if I wanted to use it.

    This way, I know that ssm will allow these apps to function anytime they want to.

    Then I go back to ssm/preferences/options. And now I UNCHECK "connect user interface at startup". I restart a last time (or I could just rightclick on the icon in the systray and "disconnect user interface".) Now the icon is blue.

    That's it. All the apps I authorized can run as many times as they want to. Any other app or process or whatever that would wanna start or install or exec on my pc is stopped by SSM, without SSM even asking any question (since now the user interface is disconnected).

    If some day I want to allow a new app, I then rightclick on SSM again, "connect user interface", launch my new legitimate app, answer to the SSM question(s) regarding this new app and its components (it may be two or three questions for a single app, for instance), and then disconnect the user interface again.

    Hope this helps.
     
    Last edited: Jul 13, 2006
  3. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    One can also locate the antivirus scanner executable file by "preferences/options/antivirus", this way teaching SSM where it is.

    Cheers
     
  4. marcromero

    marcromero Guest

    The one I'm not using... see no need for a HIPS on my computer.
     
  5. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    I have a question for all those that pointed to online armor.

    I am really but not really a big fan of creating a white list of trusted applications.
    So I wouldn't use the feature to allow / deny program execution.

    Even with that feature disabled, is there anything that makes OA stand out from the crowd (not considering AV)?

    ____________________________________________________________________________________________

    On another topic, the best HIPSs (what's the plural of HIPS?) all miss one useful feature.
    The one I'd like to see is something like track-and-reverse of Tiny Firewall:
    e.g. have all the power to accept/block program actions but always be able to roll back our errors for this particular program only.
     
    Last edited: Jul 13, 2006
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    well it does have a content filter for removing activex and advertising content.

    and OA does have a feature like track-and-reverse. when it prompts you to run a program, there is a checkbox "track this program". in the program section you can then delete the program and undo any changes it made.

    btw the plural of HIPS would stay HIPS because it's an acronym, not a word.
     
  7. herbalist

    herbalist Guest

    Learning mode is pretty much a necessity unless you thoroughly know your system and the parent/child dependencies of each executable on your PC. The early versions of SSM didn't have the learning mode, which made going to paranoid mode quite a project. Dylanfan mentioned it but it bears repeating. Make certain that you're starting with a clean system, especially in learning mode. The learning mode tells SSM to trust everything that's running or gets started by another process. If your system is infected with adware/malware or a virus, their activities will also be trusted.
    You can use learning mode and the paranoid setting together. When SSM rules are made in this fashion, the allowed parent processes are also being set. Using your media player for example, if you launch it using windows explorer, it becomes an allowed parent process. If you then disabled the learning mode and your browser wanted to launch your media player, SSM would block it. It takes longer to get everything set this way, but you get a much stronger ruleset. You just have to remember to start the processes you use with each expected parent process. I realize this sounds like a real pain, but the strength of SSM is its ability to control what each process can and can't do and what each is and isn't allowed to start. It's not just the making of a listing of allowed processes. I've run into a few instances where a process is a parent or child of another instance of itself. While you may want to use the registry editor or the system configuration utility (via windows explorer), you definitely don't want your e-mail program to be able to do so.
    When you do decide to stop using learning mode, I suggest you leave the UI connected for a while. You'll also want to reboot your system at least once after leaving learning mode but with the UI connected. This will help make certain that all the processes involved in bootup are covered, along with any "RunOnce" items used during startup. This also applies to shutdown. You'll find that you probably don't have rules made for all the executables, and you will need to be prompted about some of them. Office programs, CD burners, AVs, IM programs, etc are instances where you can run into this. Your CD burner may use different executables for burning data and music CDs. Run through all the update processes for your AV/AS programs as well while the UI is connected. Some of them use several executables during the update process that will need rules made for them. Launch any scheduled tasks you have set up with the scheduler before disconnecting the UI, especially if you use a different scheduling agent. Run through everything in the "Send To" folder. On my system, "Send To" is treated as a separate parent. If you use software that integrates with your AV like a download manager, IM program, or WinZip, use them to start the AV scanner so they're shown as allowed parent processes. If you use the file transfer or webcam components of an IM program, start them as well.
    It takes a while to make a tight ruleset. One more thing you might consider doing is to save copies of the ruleset as you go, in case you make a mistake and need to back up a little. Since the default ruleset is named "global", use names like "global1" "global2" etc. Just take your time and ask if you have any questions.
    Rick
     
    Last edited by a moderator: Jul 13, 2006
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    exactly :thumb: !
     
    Last edited: Jul 14, 2006
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi! I am using free version and there is no paranoid mode. However as I see it makes rules specific to parent and child, not general rules.
     
  10. Badcompany

    Badcompany Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    757
    Location:
    RUNCORN UK.
    Hello Forum,
    I have been using SSM for the last 3 days with very few problems. Now I have my Three Musketeers working perfectly together: KIS6, SSM, and Spysweeper. This is all you need.
    Badcompany.:thumb:
     
  11. herbalist

    herbalist Guest

    That's the version I'm using as well. Look under Options>applications, under "program behavior". It's listed as "block everything (paranoiac setting)"
    Rick
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    hi! It is for disconnected GUI only.
     
  13. PierreF

    PierreF Registered Member

    Joined:
    May 17, 2006
    Posts:
    55
    I don't have it (yet). But saying what's the best HIPS or media player every time will only make it easy for major players to snap up small software makers with a good product.
     
  14. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I didn't vote for any of them. I have been using PG for a couple of years but I no longer like it much and I can't stand any of the others. They are a million times more irritating than PG and have way too many problems. PG has too many problems also but it is not nearly as bad as the others. I only want PG to stop IE from going to WU without authorization or any other Microsoft crap trying to call home. I could do with a software firewall what I use PG for but I hate software firewalls even more than I do applications like PG.
     
  15. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Can't you do that by renaming iexplore.exe?

    If you have XP Pro, you could try the software restriction policy. A pain in the butt to set up but it works without a problem. Then again, PG worked without problems for me.
     
  16. herbalist

    herbalist Guest

    When in paranoid mode, UI disconnected, any activity or parent-child dependency not specifically allowed by the rules is blocked. When the UI is connected, you're prompted about anything not specifically permitted. The "block process creation" mode doesn't block other activities performed by processes that are permitted whereas the paranoid mode does. Nothing is blocked when the UI is connected unless it's specifically blocked in the ruleset. You're prompted for all unknowns and anything unspecified.
    When the UI is disconnected, "ask" means "blocked".
    Rick
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You mean even if there are no rules before for these activities?
     
  18. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    Man, the latest 2.1.5.580 SSM version sends cpu loads over 50% !! I think it's coming from the low level keyboard access control.

    I'll stick to the free 2.0.8.577 version for now...

    Cheers
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not seeing that here with 580.

    Pete
     
  20. RipVanTinkle

    RipVanTinkle Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    102
    DefenseWall - first
    Set it and forget it plus it has great support

    Process Guard - second
    an old faithful which deals with other concerns not
    covered by the former
     
  21. IcePanther

    IcePanther Registered Member

    Joined:
    May 28, 2005
    Posts:
    308
    Location:
    (nearby) Paris, France
    Hi again everyone,

    I settled with SSM after some testing. I got rid of Online Armor because it slowed down my download/email speed a lot and messed with my start menu (duplicate entries, no entries...)

    Now I'm using for resident protection, as you can see in my signature, Nod32+Outpost Pro+SSM.

    I've got two questions now (I know I'm annoying and indecisive, but given I have to renew all my licences in very few days... :rolleyes: :D )

    1. Is there a way to configure SSM to control DLLs loaded by an application?
    2. Is it more secure to use KIS (with all options enabled including application integrity control) or this current setup?

    Thanks again for your opinions, votes, they were very useful to me :)
     
  22. herbalist

    herbalist Guest

    What I mean is that in process creation mode, a permitted process is allowed to perform any activity it normally does, like system hooks and starting any other permitted process. That doesn't allow it to launch processes that haven't been permitted by rule or anything else specifically blocked. In Paranoid mode, only what you specify is allowed.
    I use an older version of Yahoo IM. When started, Yahoo tries to set hooks for the keyboard and mouse. In the process creation mode, UI connected (used to be called administrator mode), they're allowed. In paranoid mode, you're asked first. With the UI disconnected (used to be user mode), they're allowed in process creation mode and blocked in paranoid mode. To carry the example farther, Yahoo IM also wants to start Regedit when launched. If Regedit is already a permitted process, this will be allowed in process creation mode, whether the UI is connected or not. In paranoid mode, UI connected, you'll be asked if Ypager (the main Yahoo IM executable) is allowed to start Regedit. It will be blocked with the UI disconnected if you didn't already permit it earlier.
    If I've missed what you're asking, let me know.
    Rick
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, a bit clearer now. But still I am confused that when the user interface is connected there is only one mode. The paranoid mode option is shown only in user interface disconnected mode (see OPTIONS > APPLICATIONS > Programme behaviour).
     

  24. herbalist

    herbalist Guest

    When the UI is connected, only what is specifically denied in the ruleset is blocked. It's more of an administrator setting that's used during setup or rule modification and when accessing system components that you don't want accessed in a normal user setting. Treat it like you would the administrator and user accounts on your system. When fully configured, SSM normally runs with the UI disconnected, which ends all prompts.
    I'd have to reload a test ruleset to be sure, but I believe that the default action for parent or child (not sure which) on the advanced rule screen gets changed from allow to ask when the rules are made in paranoid mode. Hopefully I'll have time tonight to check on this for you. Right now, the temperature is going into the 90s with nasty humidity, and I have a friend's PC to service, who happens to live on the lake. :D
    Rick
     
  25. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    DefenseWall

    Peace & Love,

    CogitoErgoSum
     