#1
People always say it is obvious how to respond to HIPS prompts...

The one example always mentioned is the one involving driver installation. The stereotypical comment would be "if my notepad-like app tries to install drivers I will stop it"... This example always comes up when someone doubts the viability of users (even users as exalted as the likes of people who read this place religiously) answering the prompts correctly... But I have never ever seen anyone give other rules of thumb... I wonder if this is because the driver rule is the only fairly clear one... (and even that rule doesn't help if you are trying to install, say, an anti-rootkit).

Basically I'm looking for something like this...

Prompts about X should be blocked unless <insert condition 1>
Prompts about Y should be blocked unless <insert condition 2>

Alternatively you could phrase it as "should be allowed unless" for perhaps the less dangerous actions... Of course you can say condition 1 = if you feel it is safe, but that is kind of pointless....

Once you write down your "decision ruleset" on how you decide how to respond, one can then see how well it works on a range of software (both safe and unsafe). What is the "FP rate"? It's kind of interesting that when you do this, you are manually going through what stuff like TF tries to do, but with different information (you probably know stuff TF doesn't and vice versa).

Another interesting experiment I can think of is for someone to arrange a test with say 50 apps of different types (security tools, word processors, messengers), among which a number (unknown, maybe even zero) are or have malware... How well would you fare in such a test? The aim here of course is to have as much functionality as possible without getting nailed. Of course some fans will say anti-exe functions are all that is needed and if they are unsure they won't even let it start, and if it does start and it is malware, it's game over already...

But if such people are also big fans of HIPS like SSM, surely they must think the other HIPS functions are in principle usable. And these functions are usable only if users can react correctly...
#2
I consider myself an average but unstable user. I really can't tell if the prompts are good or bad. I mean one comes up and says serv.exe is trying to connect; I have no idea what it is, but I do have a 50/50 chance of getting it right.
__________________
Eset
#3
Let's put it this way. If you don't know how to answer prompts, what're you doing with a HIPS anyway?
It's like going to buy a bicycle because everyone keeps talking about how it's faster and easier than walking... except that you don't know how to ride one.
#4
There are degrees in this. A lot of users might know not to let a program run. But how many average users would understand the SSM pop-up that a piece of malware gave when it tried to change a registry key disabling all registry modifying?
When I did that evaluation of the Erik Albert thread, I had OA and SSM turned on, but I allowed everything and then looked at what protected the user. Then there is the second problem: how does the user know something bad actually happened?
#5
Quote:
And I can ride a bike, it's called a Fat Bob.
__________________
Eset
#6
Quote:
However, the number of pregnancies in the village failed to decrease at all. Thoroughly baffled, the missionary cornered one of the villagers, and asked if he'd been using the condoms, only to receive an affirmative answer. Even more puzzled than ever, the missionary asked the man if he'd followed the usage instructions, whereby the villager said that he'd faithfully put a condom on his index finger each time. Can anyone tell me what the moral of this story is?
#7
"That his finger will never catch an infectious disease."
__________________
Eset
#8
Quote:
ROFL. Yes, you have to understand the "attack" vector.
#9
OK, let's take Prevx 2.0 as an example:

------------------------ windows vista updates ------------------------ not sure, BLOCK IT!

The description makes it pretty simple to understand what it is, right? You can always check or allow it later on. However, if in ABC default mode, it will automatically allow all activity determined to be good and stop all the nasties, but my preference is to query all, as I like to know what it is doing.
#10
D+ seems reasonable too. It will give you the option to check out the properties of the executable, tell you what is happening, e.g. "is trying to access keyboard directly", and give you an explanation of why programs may do this, "keyloggers often use this technique" etc. (I'm just going off memory so don't quote me).
Classical behavior blocker makers are trying to make things easier. But I do think the issue is that for most users it will be hard to make a decision.
#11
I don't like security software with multiple-choice questions, like Yes or No, Allow or Block. That's not security, that is gambling, and I have a 50% chance to answer correctly or I'm infected.
Security software is supposed to know this; that's why it is called security software. If a security software can't answer that question, they had better not create it. A less-knowledgeable user will always say "Yes" or always "No", because he doesn't know what he is doing, including me. I use whitelists all the way; they don't have these annoying questions and no false positives either.
__________________
ErikAlbert Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR Malware Survival Rate = 0.00%, but each malware has my sympathy.
Last edited by ErikAlbert : January 17th, 2008 at 04:23 PM.
#12
Quote:
#13
I've started using Prevx 2.0 and like it. I have the floating window on too that appears each time an application opens or closes.
#14
Pop-ups drive me nuts, so I just let the software do what I paid for it to do and leave me alone. There are times when I have been known to surf while in a slightly inebriated state, and I am pretty sure if something pops up wanting to know if I want to let something run or not, I am not going to know what the heck it's talking about anyways.
#15
Quote:
My system is fairly static with many things disabled and I do everything manually. If I get a pop-up from my HIPS, it is unusual and my first instinct is to deny the action or allow once. I don't know exactly what's going on and can only assume from what info is given. I really hope to learn something from this thread and hopefully it will be worth bookmarking.
__________________
XP Home SP3, Nat router, Firefox3.5, Online Armor Premium 4.5, AntiVir 9 free, Sandboxie, and Returnil RVS Are you running vulnerable programs? Check online now with the Secunia Online Software Inspector.
#16
Quote:
I was referring to the people who rushed to buy the bike just because it was the latest rave in town, and then start badmouthing it when they discover they can't stay on it for more than five seconds without falling down.
#17
A good way of using classical HIPS for beginners whose system is static (doesn't change often) is to install it on a clean system, make rules by allowing everything they face (or by using learning mode) and then putting the HIPS in locked mode (silent Deny All mode).

Really, if you use HIPS for a period of time and also play with malware off and on, only then can you know somewhat how to answer the pop-ups. You can always Deny if in doubt. Some things are obvious: if you are not installing or updating anything and some .tmp exe tries to execute, or something tries to execute from a temp folder, or from the browser's cache folder, I will always Deny it unless I am sure about it. HIPS with file protection will prompt you even earlier with a pop-up about the creation of an executable in these folders, which must be denied. Also, in the above scenario (no ongoing install, update etc.) if I get a prompt about an executable being created in Startup, the Windows directory or especially the system32 folder, I will deny it. Many HIPS have nice features like giving you details about the properties of the executable, and some even give you the option to locate/explore to the executable via the pop-up menu.

In all fairness, answering HIPS pop-ups is not a straightforward issue at all! I am sure if we get a malware attack each and every day, many will answer wrong. Fact is that I almost never get malware on my system in daily life, so in fact I don't know how good I will prove myself if I get a real malware. Playing with malware is something else, as I already know what I am doing at that time. It's a good idea to supplement classical HIPS with a Sandbox and a Behav blocker!
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus,
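As an added illustration (not code from this or any poster, nor from any HIPS product), the rules of thumb in the post above and the written-down "decision ruleset" with an FP count that the first post asks for, as a small Python classifier scored against a constructed set of labelled prompts. The action names, paths, file names and the known-good list are constructed assumptions for the example.

```python
from dataclasses import dataclass

KNOWN_GOOD = {r"c:\program files\mozilla firefox\firefox.exe"}  # learned on a clean system, then locked
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")  # temp and browser-cache folders
PERSIST_DIRS = ("\\startup\\", "\\windows\\")  # Start Menu\Startup, Windows and System32

@dataclass
class Prompt:
    action: str       # "execute", "create_exe", "install_driver" or "connect"
    path: str         # executable the HIPS prompt is about
    installing: bool  # the user is knowingly installing or updating something

def decide(p: Prompt) -> str:
    """Apply the thread's rules of thumb; return 'allow', 'deny' or 'ask'."""
    path = p.path.lower()
    if path in KNOWN_GOOD:
        return "allow"  # silent-deny mode only prompts for what the learned rules miss
    if p.action == "install_driver" and not p.installing:
        return "deny"   # the "my notepad-like app wants to install a driver" rule
    if not p.installing and p.action in ("execute", "create_exe"):
        # Running from temp/cache, or creating an exe in temp, Startup, Windows or system32
        watched = TEMP_DIRS + (PERSIST_DIRS if p.action == "create_exe" else ())
        if any(d in path for d in watched):
            return "deny"
    return "ask"  # no rule fires: the prompt the thread says users struggle with

def evaluate(samples):
    """Score the ruleset on (prompt, is_malicious) pairs, as the first post proposes."""
    score = {"fp": 0, "fn": 0, "ask": 0, "correct": 0}
    for p, malicious in samples:
        d = decide(p)
        if d == "ask":
            score["ask"] += 1
        elif (d == "deny") != malicious:
            score["fp" if d == "deny" else "fn"] += 1  # denied good / allowed bad
        else:
            score["correct"] += 1
    return score

# Constructed test set: (prompt, is_malicious). Paths and file names are made up.
SAMPLES = [
    (Prompt("execute", r"C:\Users\u\AppData\Local\Temp\a1b2.tmp.exe", False), True),
    (Prompt("create_exe", r"C:\Windows\System32\helper.exe", False), True),
    (Prompt("install_driver", r"C:\Program Files\Notes\notes.exe", False), True),
    (Prompt("execute", r"C:\Users\u\AppData\Local\Temp\setup_stub.exe", True), False),
    (Prompt("connect", r"C:\Program Files\Mozilla Firefox\firefox.exe", False), False),
    (Prompt("connect", r"C:\Windows\System32\serv.exe", False), False),
    (Prompt("execute", r"C:\Users\u\AppData\Local\Temp\unzipped_tool.exe", False), False),
]
```

The last sample is the false positive the first post asks about: a legitimately unzipped tool run from Temp is denied, while the two "ask" cases are the prompts the rules cannot settle for you.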
#18
Quote:
Cheers
__________________
XP Home SP3, Nat router, Firefox3.5, Online Armor Premium 4.5, AntiVir 9 free, Sandboxie, and Returnil RVS Are you running vulnerable programs? Check online now with the Secunia Online Software Inspector.
#19
Quote:
Yep, but you have probably square tyres and sunglasses and a big smile.
#20
Quote:
Your answer is precisely why it puzzles me when certain people object to running a pure behavior blocker alongside of a 'dumb' HIPS program. It is a very small percentage of PC users that can consistently, with a high degree of certainty of being correct, answer HIPS pop-ups.
Mike
#21
Quote:
A n00b can operate a HIPS. Deny ALL. If you find a program you want is not working, allow it. If you have no problems on deny ALL, then all is well. The option is always there to change your mind, but first things first... if unsure, DENY/BLOCK.
#22
I think there is no specific right answer to this rather complex question, as too many variables are at work during such a dynamic process as what takes place within a system as Windows and applications operate within it.
The only viable option, or perhaps the lesser evil, is in building the HIPS with a comprehensive database of behavior characteristics accessible within each prompt. The more detail available with appropriate user guidance, the better the user will be equipped to make an appropriate choice when confronted with a troublesome prompt. I think most HIPS are trying hard to implement this simple but obviously necessary component within the system with varying degrees of success. Either way it will always boil down to the user's mindful interaction with the utility.
__________________
-- Live Technical Support Help Desk We Provide Online Computer Help. Our Technical Support Staff Can Fix Computer Problems, Clean Viruses, Speed up your Computer, Remove Spyware, and Eliminate Computer Crashes. www.hermes-computers.ca
#23
Comodo TC (ThreatCast) is supposed to help a bit.
Sounds similar to Prevx... community assistance type alerts.
Quote:
__________________
Kaspersky Internet Security 2009 Kaspersky Fan Club Kaspersky Lab Forum
#24
Quote:
That approach isn't without issues either. It used to annoy the heck out of me when Prevx jailed an app I knew was good, but it didn't. The only foolproof way to foolproof a computer from a fool is the on/off switch.
#25
Quote:
Double-click the program and disagree with their determination; they will check the file and get back to you within 24 hours with a fix.