Classical HIPS &/or behavior blocker?

Discussion in 'other anti-malware software' started by bellgamin, Mar 8, 2008.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Kees,

    That would be the biggest "bell and whistle" to date, if they really did that. :ouch:
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I think that Kees is talking about a suite with Threatfire integrated. Adding a firewall, AV to standalone Threatfire is pointless.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep Lucas,

    They should replace the dumb application protection in their firewall with TF's intelligent behavior IDS. The AV is just a smart way to nail down the known malware. An AV only triggered by an intrusion uses less CPU than a resident AV.
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    That's an interesting claim, seeing as how reports have been rife about TF generally consuming more CPU cycles than the average anti-malware protection product. I haven't seen it myself, but the number of reports from other users make me inclined to believe this is true.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft, please

    The statement "AV only checking on intrusions consumes less CPU cycles than an AV checking reads/writes, executables and dynamic libraries loaded" is irrelevant to TF's CPU consumption itself.

    But an integrated (Comodo-like) suite has more gains compared to separate applications: current FW + TF + AV realtime versus future FW (without application protection) + TF (without network module) realtime and ad hoc AV.

    The development team of TF rightfully claims that CPU consumption is only a matter of time before it becomes irrelevant (due to strong dual- or quad-cores).

    I think the highest gain on a FW/TF/AV suite would be the marketing of the user friendliest FW/HIPS combo available.

    Regards Kees
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It's a good point. However, I do not use a firewall, as such. I have a SPI/NAT router for incoming, plus ProSecurity covers outgoing adequately for my needs. So I do not need a software firewall... do I? (That is a sincere question. No strings.)

    In other words, for the mid-term future, I don't foresee that I would find use for a FW/HIPS combo.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Bellgamin,

    I agree with you, although a lot of hardcore FW fans would argue that a NAT router has Stateful Packet Inspection at best, no Deep Packet Inspection, so you are at risk ;)

    When behind a router, a HIPS with outbound traffic initiation detection (like SSA, PS) will do. It is my belief that FW and HIPS will integrate, because most people use a software FW for outbound protection and you need IDS to pass the leaktests. So FW/HIPS integration has a marketing reason (leak tests) and a functional reason (network- and process-level intrusion protection benefit from the same white list).

    To me leaktests are a bit silly, because the primary function of a FW is to keep intruders out, so enjoy the user benefits of an integrated FW/HIPS (OA and Comodo are the examples), like Chris states in this post https://www.wilderssecurity.com/showpost.php?p=1200713&postcount=97 .

    Regards Kees
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I absolutely agree with Kees: outbound network protection is a HIPS job. Two years ago I thought the other way...
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ilya,

    Ever thought of chartering Aigle and Solcroft as beta testers? They do a lot of testing (Aigle for GeSWall and Solcroft for ThreatFire). It would make the best Policy Sandbox (no Digital Rights Problems and Total Untrusted File Control) and easiest-to-use HIPS better for sure.

    Regards Kees
     