"Advanced" HIPS features

Discussion in 'other anti-malware software' started by ggf31416, Dec 20, 2007.

Thread Status:
Not open for further replies.
  1. ggf31416 (Registered Member)

    I have some doubts about the usefulness of some "advanced" HIPS features that are triggered on almost every program. If I consider them suspicious actions and believe Comodo, notepad is a keylogger and installed a rootkit while I saved a document, and so did 7-zip, Irfanview and many other programs. lol.

    [attached screenshots: D+5.png, D+7.png, D+6.png, D+8.png]
    Last edited: Dec 20, 2007
  2. lucas1985 (Retired Moderator)

    Classical HIPS will drive you nuts if you don't want to invest a good amount of time to learn them. Better switch to other HIPS approaches: whitelisting, behaviour blocking, sandboxing.
  3. Kerodo (Registered Member)

    That's why I absolutely hate programs like that, firewalls or HIPS, anything like that just drives me crazy.... it's ok if that's all you want to spend your time doing on your machine, but otherwise it's insane. If I do run a HIPS type program, it is something much less annoying like a behavior blocker. That's about all I can tolerate, and all I need as well...
  4. Arup (Guest)

    If it's asking permission for notepad, I would not be able to live with that kind of intrusion. Brings me back to the nightmarish days of Tiny.
  5. EASTER (Registered Member)

    Noble as it may seem from every security product maker, from firewalls to antivirus, the truth is plain to see.

    If a user desires an efficient HIPS, then they must turn to those best equipped to produce them.

    The same applies in every field IMO.

    No one expert in a single field of expertise should be expected to fashion another program as well as those who have had more experience in them with proven results.
  6. Pedro (Registered Member)

    I look at the pictures, and I understand them. 3 out of 4 tell you it's legitimate, the other advises you how to proceed.
    HIPS or not is another discussion. Here I don't see the confusion.

    And you can tell D+ to learn safe..
  7. ggf31416 (Registered Member)

    I know that notepad is safe and Comodo knows that as well :) but not every program is in Comodo's safelist.
    The point of this thread is not about Defense+, it's about classical HIPS (or firewalls with execution prevention and other HIPS features) in general. IMHO they have 3 kinds of features:
    1) Features that add much security but are very noisy (e.g. execution prevention).
    2) Features that add some security and are less noisy than 1 (e.g. driver installation prevention).
    3) Features that add some security and are very noisy. They often trigger alerts when they are not expected and cannot be considered indications of suspicious activities.

    The point is how we can deal with prompts caused by the third kind of features:
    A) Create a global allow rule/deactivate the feature. This is the approach with the lowest risk of problems but also the least safe.
    B) Allow the behaviour when we trust the program and block it when we don't trust it. However, as our HIPS has execution prevention, it's likely that if we don't trust the program we didn't let it execute in the first place, so it's almost the same as A but with more prompts.
    If we answer the prompts as C (deny) we also have the same disadvantage as C, but troubleshooting is easier.
    C) Create a default deny rule: it's the safer approach, but some applications may crash or fail in more subtle ways and we have to identify the cause of the problem.

    Sorry if my English is not good
    Last edited: Dec 21, 2007
  8. gud4u (Registered Member)

    I also found Comodo 'noisy', but I would prefer a 'noisy' HIPS that checks every 'unknown' program to one that's 'quiet' and makes a risky assumption about whether a program is safe or not.

    Assuming the HIPS correctly remembers your accept/block choices, the 'noise' will subside. With patience, you should be left with a system that is both quiet and secure.

    I abandoned the non-stop Comodo trialing rodeo due to compatibility problems, but I never doubted that Defense+ was secure.
  9. Kerodo (Registered Member)

    It's not the confusion or lack of it that bothers me, the alerts are easy enough to decipher. For me, it's simply a matter of whether I want to see popups for everything that happens for the next week or more after installing something like this. Maybe I'm biased, but I hate popups, so I won't use apps like this. I'd rather spend my time actually doing something on the PC rather than answering endless (and usually pointless) questions... Most HIPS or apps with HIPS features quiet down some in time, but usually never completely, and that's just something I don't want to live with. I'd rather use my brain and be smart about keeping stuff off the PC to begin with, which I have pretty much done for a decade or more so far with success... ;)
  10. Pedro (Registered Member)

    I certainly understand that, and that this thread is actually about HIPS in general, but do realize the difference here: known good applications do not generate pop-ups unless you want to. Plus if you know your system is clean, there's that also.

    If you want to answer for all programs, and it's still noisy, turn off what you don't want. If you want it all, you cannot complain. It's doing what you asked, save bugs.

    For a built policy, this is not it. Sandboxes are. Of course they don't intercept executables, only "contain" them.
  11. LUSHER (Registered Member)

    4) Features that add much security, but are less noisy??

    Hmm, the fact that you don't think 4) is possible, makes me wonder if the concept of HIPS is doomed....
  12. LUSHER (Registered Member)

    For me, it depends on what HIPS you are using. Even though they might be advertising on paper the same features (say that OLE thingie), I notice they pop up in very different circumstances.

    Some popups conform to my "understanding" and I go... "Ah.. I can see why the HIPS is creating a prompt", other HIPS make me wonder "why in the heck is it prompting o_O"....

    These HIPS are really quite weird and unique.

    Weird, I know a lot of people here who enjoy answering prompts. How else can you prove that you are working hard to protect your computer? :)

    Congrats. Too bad lots of people here have been infected at least once, which sparked their current interest in security... I wonder what's your excuse?
  13. ggf31416 (Registered Member)

    Well, they can exist, but there are other features that can intercept the malware before, so I included them in 2). Of course, that depends on the limit between "much" and "some", and there are varying degrees of protection and noise included in 2).
    Last edited: Dec 22, 2007
  14. herbalist (Guest)

    With classic HIPS, it's more than learning the software. The software itself is pretty straightforward. The time-consuming part is learning the system, software, and their interaction on the system it's installed on. The images in the original post are examples of that. Classic HIPS doesn't assume anything and doesn't trust or allow anything until you tell it to. That's what they're designed to do. The user builds their own whitelist of executables. This whitelist can be as simple as a list of processes that can run or as complicated as the settings and "advanced features" will allow. In simple (and not completely accurate) terms, HIPS inserts itself into the command paths of the system. It intercepts the commands and checks them against the user-defined whitelist of processes and their allowed activities. If the activity has not been specified as allowed (or blocked), the user is going to be asked. The more low-level activities controlled by the HIPS, the more the user gets prompted and the more confusing the prompts get for the average user. If this is pushed to the extreme, you wouldn't be able to touch the mouse without triggering an alert.

    Most users don't realize just how much activity there is in Windows during normal operation. Pick up a copy of Filemon by Sysinternals, start it up, then launch a process. Anything will do. On my 98 box for instance, FileMon recorded 147 separate events just from launching Notepad from a desktop shortcut. If a HIPS were designed and configured to intercept every command that went thru your system, launching Notepad could have resulted in 147 prompts. I'm a control freak when it comes to windows but I couldn't begin to tolerate that.
    Expecting vendors to supply and maintain safelists or whitelists of common executables or even just those from windows brings its own set of problems. Topping that list is the large number of executables contained in windows. Most users don't realize how many there are. Enter "*.exe" without the quotes into "Find" on your PC. Win98 has far fewer executables than XP, but just on my "C" drive, there are 457 of them.

    The next problem is the sheer number of versions that exist for each executable. How many versions of "explorer.exe" have there been? Don't forget the different languages. It's not unusual for Windows Update to replace executables. If you add the more common applications to this list and include digital signatures for all the versions, the list is getting very large. It would also be constantly changing, almost daily. Add updating to the picture, with versions of files unknown to the HIPS or the vendor. The HIPS only has 3 options to choose from: allow, block, or ask.

    Wanting HIPS to rely on vendor maintained whitelists re-introduces the very problems that HIPS were designed to avoid, relying on lists that are never complete or completely up to date, then applying these lists to files and processes that are already part of the system and possibly critical to its operation. What happens if it's a critical process that's being updated, one the system can't run without, but the new version is not on the list?

    HIPS, whether it's very basic or has every imaginable feature, does not add to security. HIPS does not protect you. HIPS empowers you to protect yourself. This may sound like picking at words to some, but this fact is being lost in many of the threads here about HIPS. HIPS empowers the user, giving them much greater control over their system. Whether this enhanced control results in improved security is completely dependent on the user. Advanced features are only as good as the user's ability to understand the prompt and the requirements of the application they're being prompted about. The user is building system policy from scratch. If you don't understand it, how can you make rules designed to secure it?

    As for HIPS being doomed, conventional HIPS has never been a good option for the average user. It targets a pretty limited set of users. It's also debatable how useful HIPS will be in future versions of Windows. M$ doesn't appear to want users to have that kind of control.
    Rick
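A small simulation, added here and taken from neither the thread nor Comodo, of the whitelist-and-ask model herbalist describes (a rule hit is applied silently, no rule means a prompt, the answer is remembered) run under the three ways ggf31416 proposes to handle prompts from the noisy third kind of feature. The event trace, process names and activity names are constructed; "noisy" stands in for whatever advanced features fire on benign programs.

```python
from dataclasses import dataclass, field

# Constructed event trace (not from the thread): (process, activity) pairs in the
# order a classic HIPS would intercept them. The hook/keyboard events on the two
# trusted tools mimic the "advanced" features firing on notepad and 7-zip in the
# original post; unknown.exe stands for a program the user does not trust.
EVENTS = [
    ("notepad.exe", "execute"), ("notepad.exe", "write_file"),
    ("notepad.exe", "install_hook"), ("notepad.exe", "keyboard_access"),
    ("7z.exe", "execute"), ("7z.exe", "install_hook"),
    ("unknown.exe", "execute"), ("unknown.exe", "install_hook"),
    ("unknown.exe", "load_driver"),
]
NOISY = {"install_hook", "keyboard_access"}   # the "third kind" of feature
TRUSTED = {"notepad.exe", "7z.exe"}           # the user's own whitelist


@dataclass
class Hips:
    """Whitelist-and-ask model: a rule hit is applied silently, no rule means a prompt."""
    rules: dict = field(default_factory=dict)  # (process or "*", activity) -> verdict
    prompts: int = 0
    blocked: int = 0
    silent_blocks: int = 0  # blocks applied without a prompt (hardest to troubleshoot)

    def decide(self, proc: str, act: str) -> str:
        verdict = self.rules.get((proc, act)) or self.rules.get(("*", act)) or "ask"
        prompted = verdict == "ask"
        if prompted:
            self.prompts += 1
            verdict = "allow" if proc in TRUSTED else "block"  # the user answers
            self.rules[(proc, act)] = verdict                  # and the HIPS remembers
        if verdict == "block":
            self.blocked += 1
            if not prompted:
                self.silent_blocks += 1
        return verdict


def run(strategy: str) -> dict:
    """A: global allow for noisy features, B: ask and answer by trust, C: default deny."""
    hips = Hips()
    if strategy in ("A", "C"):
        for act in NOISY:
            hips.rules[("*", act)] = "allow" if strategy == "A" else "block"
    denied = set()  # execution prevention: a blocked execute ends that process
    for proc, act in EVENTS:
        if proc in denied:
            continue
        if hips.decide(proc, act) == "block" and act == "execute":
            denied.add(proc)
    return {"prompts": hips.prompts, "blocked": hips.blocked,
            "silent_blocks": hips.silent_blocks}


if __name__ == "__main__":
    for s in "ABC":
        print(s, run(s))
```

On this trace B ends where A does (the untrusted program never gets past execution prevention) at the cost of three extra prompts, while C blocks nothing extra that matters but silently denies the trusted tools three times, which is the kind of subtle failure the post warns about.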
  15. LUSHER (Registered Member)

    I marvel at how some people can write hundreds of words to say what is already said in the thread. :D

    About whitelists and the HIPS vendor maintaining a list of thousands of variants of the same file, Comodo *thinks* they have an answer. Their solution bypasses most of the problems that have been mentioned (though there are other problems).
  16. EASTER (Registered Member)

    Yeah, but try looking at that another way. :)

    There's a lot of useful and factual information, and now is a good time to copy/paste vital info like that into a document or other file to keep as a nice handy reference for times when posts get smothered pages back.

    I've compiled quite a handy guide from a lot of herbalist's posts, from firewalls to HIPS to about everything in between, and it makes for useful reading and better understanding in case something important has been overlooked. :D
  17. Kerodo (Registered Member)

    I started off here a few years ago with an interest in firewalls, rule creation, etc etc.. I loved experimenting with all of them, particularly Kerio 2. Then I became more interested in AVs and later some of the HIPS programs. But all this interest is mostly a hobby for me. I enjoyed testing them all, and finally deciding on a few that I liked best. I still enjoy reading about and keeping up with the latest software. That's my excuse... :)

    But.... I don't think most of the people here really need all this crap. Especially a HIPS that gives you more interaction than your regular programs. I particularly hate the popups now. 99.99% of the time they are both useless and meaningless.

    I believe lots of people here who have been infected or bitten by malware have been instilled with some fear and paranoia, rather than what you call an "interest" in security. With a little common sense, it's entirely possible to steer clear of the bad stuff, for years even, and get by with minimal security apps.

    Anyway, that's my point of view at the moment. For me, most HIPS programs are way too annoying... YMMV...
  18. EASTER (Registered Member)

    There's a trade-off with HIPS, and that is, it's expected that the user of such a STRONG security measure also exercise some diligence to familiarize themselves with the chosen one that's a proven performer; next comes patience: you MUST go thru the initiation period of answering the prompts (correctly of course) and fine tuning your rules, after which the HIPS will cease from what most newcomers find as too much hassle with them.

    In return, you have a well-oiled shield of resistance that will respond only when something either unknown or potentially an intruder comes to do harm to the system/data.

    That's a user's personal choice. If you're more inclined to an automated set up, I don't know of any HIPS or behavioral blockers for that matter that can offer such a high degree of accuracy without interaction at some point.

    It's definitely a trade-off well worth the trouble at the start IMHO.
  19. Kerodo (Registered Member)

    Easter, it's fine for people wanting to go thru all that initial training.. I'm not so sure it ever really ceases with some of these apps, but I'm sure it diminishes to a great extent. At any rate, it's just not for me nowadays.. There was a time when I did enjoy experimenting with them, but no more. Best compromise for me now is something like Threatfire, which I do like, it bothers me very little, and that I can live with...
  20. EASTER (Registered Member)

    Understood of course. There are other alternatives also like virtual apps in RETURNIL & sandboxes also like SandboxIE etc.

    HIPS is a different security breed entirely and not so easily accepted in this day and age where most expect safety software to do most everything for them, and I do lean in favor of that idea to a degree, but still have found HIPS worth the trouble, whereas others prefer not to go thru what they consider a hassle of setting them up and/or dealing with subsequent pop-up alerts where some questions can arise that might prove confusing or even disrupting.
  21. Diver (Registered Member)

    I have to agree with the OP. If a HIPS (or HIPS equipped firewall) is shooting off warnings all the time it is worthless. After a while the user gets numb and will give the wrong response when under attack. For me Comodo 2.4 was perfect and 3.0 is a total miss. I wish they did a maintenance release of 2.4 instead of this new monster.

    If you want to place important parts of your computer off limits, run LUA. That's what I do.
  22. EASTER (Registered Member)

    IMO the best choice for any product is the one that specializes in that particular field. HIPS are no exception of course.
  23. LUSHER (Registered Member)

    It gets worse, people are now convinced that they need to run *all* sorts of crap. It used to be you were supposed to run just a ProcessGuard class product with AV/AS and firewall. Nowadays not only are those types of products much more complicated (compare ProSecurity or Defense+ with PG to see) but many here run something like that plus a Threatfire class product + Sandboxie class product + Returnil type product and maybe a specialised anti-keylogger.

    No doubt, the next thing is this buffer overflow protection thingie...

    Why? Because you need "layers" and they "don't overlap" and you shouldn't trust suites because you want the "best of each breed".

    Definitely. For example, there's a guy in this thread who has admitted being "hacked" twice. You can't tell me this isn't a factor in how he sees the world.

    I love the way how some go on and on about how blessed they are, and how enlightened they are because they are the ones who take responsibility and feel "empowered". I would bet that such people feel a very warm glow of happiness whenever they answer a prompt, because they think they have done their duty in protecting their systems... The more I can see myself doing something (whether it is helpful or not), the better I feel :D
  24. EASTER (Registered Member)

    Unfortunately for Windows users but to the benefit of security vendors this endless cycle of "that they need to run *all* sorts of crap" users will always be faced with, in spite of the best do-all security suites man can devise, adding this or that to address one then another and another area of potential intrusion. It's the nature of the way $M drew up plans to begin with.

    That is to create & spread these new security developments to fill in for the gaps left open for exploitation.

    More on topic though. I see an advanced HIPS as one that has mapped out the most important areas of possible exposure to forced intrusions by malware writers who have equally researched the internal workings of these O/S's and make it their duty to maximize their success at wedging their code into the system, concealed when possible. Of course there's many others that are content to not even try to hide but are still able to gain some foothold on a system long enough to cause havoc/delays that send users scurrying to forums for help if they don't have a backup plan handy at their disposal.

    It's a revolving door that keeps the wheels spinning for both sides in this classic cat & mouse game.
  25. Rasheed187 (Registered Member)

    I've said it before, I still like classical "dumb" HIPS, but a little bit less noise would be nice. And yes, there are certain things that can be done to make them less noisy. At the moment I think I have to click between 5 to 10 alerts when I'm installing some tool, it can get annoying sometimes. On the other hand, total control is also nice. But obviously, this Comodo v3 app is totally out of control, why does it alert about something like this? It knows that notepad is safe, and still wants to bother you? o_O

    Exactly, either you like them, or you don't. I personally think that they can be very useful, they basically give you a second opinion and it's a nice way to have control over trusted processes, which may come in handy sometimes.

    Believe it or not, but I have about 2200 executables on my system :blink:, of course, I probably use only about 80 of them (day to day usage).