Ambush IPS, an HIPS for the paranoids

I have taken a look at this project one or two month ago, and was wondering about the real need of such monitoring system.
Home page http://ambuships.com/ Detail http://ambuships.com/details.html
Devs blog http://www.scriptjunkie.us/2012/10/hoarder-hips-bypasses-and-ambush/

Efforts of Scriptjunkie are appreciated for the developpement of an HIPS that can dtect malware behavior but also attacks via shellcodes frameworks like Metasploit.
On the other hand, the history of HIPS market has shown that system expert HIPS (SSM, Comodo, Online Solutions and co) are only devoted to a very small niche market that targets the 5% (?) of experts users.
More over, the evolution of most security softwares (AV suites, firewall, HIPS) tend to restrict users interaction, and by default to provide a kind of install it and forget it, silent and automated security.

Then using an HIPS like Win/HollyDbg, monitoring everything, checking thousands of log alerts lines could become nightmare for every day use.
I have already give such opinion on the Linux area
https://www.wilderssecurity.com/showthread.php?t=341800

When security tends to be an obsession, when learning about Insecurity increases paranoia, then we could legitimately consider the need of a computer: is it used for real desktop need (music, video, chats etc) or for a cyberwar against hypothetical malwares and hackers?

I guess that its client/server deployment and the solid background required to check the alerts will not help Ambush to become very popular.
Anyway, bravo for its devs. efforts and motivation.

rgds

 

I don't understand - sorry, but I didn't wacht the video - does it work also as a classical HIPS, or his work it's entirely BB based ?

 

interesting reading it sounds like a silent hips

 

It's my doubt: I like better classical HIPSs.

 

same here i am a control freak

 

As i have said, it is a client/server side IPS (in this case, the Host is the client side), and its installation is more similar to OSSEC IDS for instance than standalone HIPS like Malware Defender or DefenseWall...

There is a good install summarry here
http://www.sysforensics.org/2012/08/ambush-ips-part-i-install.html
And on the devs repo
https://github.com/scriptjunkie/Ambush/blob/master/HOWTO_setup_clients.txt
https://github.com/scriptjunkie/Ambush/blob/master/HOWTO_setup_server.txt
A set of basic signatures can be found here
https://github.com/scriptjunkie/Ambush/blob/master/exampleSignatureSet.yml
It is up to anyone to add his own signature, but it could be a fastidious task to list all possible malwares behaviour (task done by BusterBSA since years...).

As it is mostly API hook based monitoring system, it is possible to get similar results for a special system target with Hook Analyser for instance
http://hookanalyser.blogspot.fr/

And i understand that most users here are more tempted by more popular and classical HIPS...
Sorry for the typo mistakes on my first post

Rgds