#1
Which one will be a better choice to block malware: a chatty HIPS or a high-level behaviour blocker? If I decided to use an antivirus again, which one would you choose and why? Thanks in advance for the advice.
__________________
Emsisoft Anti-Malware 7.0

#2
I'd say a HIPS, but I haven't really used a BB.

#3
I see. Do you think that a BB with a high level of security will give as many pop-ups as a HIPS?
__________________
Emsisoft Anti-Malware 7.0

#4
Quote:
Hmm, I wouldn't think so, though I'm not really sure. I don't like the TF interface; never really used it.

#5
Did you ever compare Mamutu in paranoid mode and a HIPS program?
__________________
Emsisoft Anti-Malware 7.0

#6
Quote:
I did with one of the first releases. Some Proof Of Concepts cheat because they sign the executable or associate the PoC with their trusted vendor state. Often this will suppress a pop-up in normal mode, while most (classical) HIPS will throw a pop-up. In early Mamutu there was some noticeable difference between Intelligent False Positive reduction and Paranoid. I have the impression that with the increased maturity of false positive filters these settings have fewer differences nowadays.
Regards Kees

#7
Thanks, Kees, for the explanation.
__________________
Emsisoft Anti-Malware 7.0

#8
I have Mamutu, and in paranoid mode it feels like a real HIPS program. Even when I attempted to run malware, the pop-up information is clearer and more informative than the one from a HIPS program, and this is my own opinion.
__________________
Emsisoft Anti-Malware 7.0

#9
I'd go with a BB.
__________________
Windows 7 x64 - Windows Defender: Disabled - UAC: Disabled Real-Time: Avast Free / Zemana Free / WinPatrol On-Demand: HitmanPro / MBAM

#10
Firzen, can you please give a little sermon, please?
__________________
Emsisoft Anti-Malware 7.0

#11
I vote for a classical HIPS.
Man > machine. I want to know exactly what's going on, what's installing what, what's modifying what. If it's a program I trust and I can't be bothered with pop-ups, I put it on learning mode to avoid all pop-ups; if it's a new program, I keep the paranoid settings. I prefer to wait 15 sec more than a user without a HIPS while knowing what a new program is modifying/doing, be it malware or not.
__________________
High Warlord Gen.

#12
It depends on which HIPS or Behavior Blocker you're looking at.
Most behavior blockers work more like a light HIPS, though it is possible to increase the number of alerts, pretty much making them work like a HIPS. I won't be referring to any, since this thread does not talk about it. But there's at least one, which I consider to be a pure behavior blocker, which will check what the processes are doing against a database of known behaviors. If a piece of malware exists and does xyz steps to achieve its goals, but such behavior has not been noticed before, the user won't be alerted. After all, that's what a behavior is, a pattern. If a piece of malware exists and does abc steps to achieve its goals, and if such abc steps have already been noticed on other pieces of malware, then it will block or alert the user according to preferences. This is the sort of behavior blocker I prefer.

#13
jmonge.
You're using a good BB right now. I'd stick with Mamutu. Of course you can really be redundant and add OA with Emsisoft AM.
__________________
Realtime: WSA AV (Maxed Settings), Sandboxie Paid ( Dropmyrights and Browsers sandboxed) Lifetime license, NVT EXE Radar Pro (Lockdown mode). K9 Web protection. (malware, phishing and HTTPS force) Norton DNS. On-Demand: MBAM+EAM Hitman pro (Scans daily)

#14
Quote:
Ooh, this one is ThreatFire :>
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup . built-in security + sandboxing fag. |

#15
Quote:
Actually, no. Nice try, though. From what I can remember of that specific tool, upon installation it would be set to level 3, which is the default level. Not too many alerts. It would act like a light HIPS. But, if set to superior levels, then it would act nearly as a HIPS. But it's been a long time since I last checked it out. Maybe 2 years, so I wouldn't know how it works now. If it works as you say, by detecting known bad behaviors and alerting the user for malware, then it was a great improvement for those who would have no idea how to answer all the alerts.

#16
Quote:
Both. After learning mode, use a non-chatty HIPS (I use OP FW Pro) and a high-level behaviour blocker; I have (Nod32 4.2.40 64 bit version.) A new HIPS may be chatty at first but should learn as you reply to its prompts.
__________________
Escalader i7 8 GB RAM Notebook, 1TB External Drive Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File IE 9 Hardened Active X,SmartScreen,Tracking Protection Paragon Backup and Imaging

#17
Both are the same. The only difference is that a host intrusion prevention system monitors each activity a program attempts and prompts the user for action, but behavior blockers monitor the whole program behavior. When a collection of behaviors tips the scale, the behavior blocker will alert the user or take action.
For example, Mamutu is a good BB with HIPS.
__________________
Windows 7 Home premium x64 WEBROOT Secure Anywhere Complete
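
Added example, not part of any post in this thread and not any product's actual logic: a small Python model of the distinction drawn in posts #12 and #17, where a classical HIPS prompts on every action without a rule while a behaviour blocker scores known behaviours per process and alerts once the total tips the scale. The behaviour names, weights, threshold and trace are constructed, and treating a trusted signature as suppressing scoring (the effect described in post #6) is a modelling assumption.

```python
from dataclasses import dataclass

# Constructed behaviour weights for illustration; not any vendor's real rules.
KNOWN_BEHAVIOURS = {
    "write_autorun_key": 3,
    "inject_into_process": 5,
    "install_driver": 4,
    "modify_hosts_file": 3,
    "create_file_in_temp": 1,
}
ALERT_THRESHOLD = 7  # constructed value

@dataclass(frozen=True)
class Event:
    process: str
    action: str
    signed_by_trusted_vendor: bool = False

def hips_prompts(events, allow_rules):
    """Classical HIPS: one prompt per action that has no allow rule yet."""
    return [e for e in events if (e.process, e.action) not in allow_rules]

def bb_alerts(events, trust_signed=True):
    """Behaviour blocker: sum known-behaviour weights per process, alert once at threshold."""
    scores, alerted = {}, []
    for e in events:
        if trust_signed and e.signed_by_trusted_vendor:
            continue  # assumption: a trusted signer suppresses scoring
        scores[e.process] = scores.get(e.process, 0) + KNOWN_BEHAVIOURS.get(e.action, 0)
        if scores[e.process] >= ALERT_THRESHOLD and e.process not in alerted:
            alerted.append(e.process)
    return alerted

# Constructed sample trace: an installer, a known pattern, an unseen one, a signed PoC.
TRACE = [
    Event("setup.exe", "create_file_in_temp"),
    Event("setup.exe", "write_autorun_key"),
    Event("dropper.exe", "create_file_in_temp"),
    Event("dropper.exe", "write_autorun_key"),
    Event("dropper.exe", "inject_into_process"),
    Event("novel.exe", "unseen_technique"),
    Event("signedpoc.exe", "inject_into_process", True),
    Event("signedpoc.exe", "install_driver", True),
]

if __name__ == "__main__":
    print("HIPS prompts:", len(hips_prompts(TRACE, set())))
    print("BB alerts, signer trusted:", bb_alerts(TRACE))
    print("BB alerts, signer ignored:", bb_alerts(TRACE, trust_signed=False))
```

The HIPS model prompts on the unseen action from `novel.exe` while the behaviour blocker stays silent on it, and the signed sample only trips the blocker when signer trust is switched off.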

#18
Quote:
Comodo BOCLEAN?
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup . built-in security + sandboxing fag. |

#19
Quote:
I remember a slider in Mamutu which gives the option in % when bad/good. With Malware Defender I can allow/deny certain actions. Some HIPS like Online Armor have both: decision by OASIS2 or user driven. I would say it depends on the user's experience: less -> BB, more -> HIPS.

#20
Wooo, all these comments are very nice comments.
Thanks. Now what do you guys think: which one will fit better, a HIPS+antivirus or BB+antivirus?
__________________
Emsisoft Anti-Malware 7.0

#21
A HIPS is always better than a BB if it's in the hands of a knowledgeable person.
So basically HIPS are not for me.
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup . built-in security + sandboxing fag. |

#22
But a BB at a high security level will respond similarly to HIPS programs.
So is a BB blocker smarter?
__________________
Emsisoft Anti-Malware 7.0

#23
Mamutu is kinda pop-up-less after you set it (I mean after you have run all your applications, it's almost unnoticeable).
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736 SRP - UAC - EMET Browser: Google Chrome v25.xx Windows 7 Ultimate x64

#24
Yes, I noticed that, NooB. No pop-ups now at all, only when installing stuff
or bad behaviour.
__________________
Emsisoft Anti-Malware 7.0

#25
NooB, a link for you, man:
-http://www.youtube.com/watch?v=4RtqOBm6PA4&feature=related-
__________________
Emsisoft Anti-Malware 7.0
Last edited by ronjor : May 11th, 2010 at 08:32 PM. Reason: You Tube direct link modified