Comodo Antivirus

At the end of the day, how you use HIPS is not based on how much you know of your OS and programs, although that certainly helps.

Let's take an example. You download and install a program you know and trust. Let's say this program is uTorrent, obtained from the developers' website. Your HIPS inevitably pops up a flurry of alerts during the installation process. Since you know and trust both the program and where it came from, you click allow to all the prompts, or perhaps you tell your HIPS to automatically trust anything else this process tries to do, or even turn off your HIPS entirely when installing.

Another example. A friend, or stranger over the Internet, tells you to download some program called IceSword and use it to fix some computer problems you're having. You google for it, and find it on some Chinese website poorly translated into English and festooned with dubious ads. You download the program and run it anyway. Instantly your HIPS pops up warnings: unknown process writing files to %system%. Unknown process adding an autorun entry and trying to load unsigned drivers. You deny everything in alarm, and wipe your brow in relief that your HIPS just saved you.

Yet another one. Browsing the Internet, you chance upon a webpage that warns you of malware infection. At its recommendation, you click on a link to download an antivirus program and clean your computer. The downloaded antivirus begins installing. It wants to put files into the Program Files folder. That's normal enough, and you allow it. It wants to add an autorun entry, for its resident shield, and some required DLLs. It also wants access to the Internet, to download the latest defs. That's fair enough, so allow allow allow. And then BAM.

To get to the point, a large part of how HIPS works, security-wise, depends on your own common sense. Prompts are allowed and denied, often not based on the nature and information of those prompts themselves, but based on how much trust we place in the program and its origin. Take example #1. If you believe the www.utorrent.com website utterly, HIPS would not save you if a hacker uploaded infected binaries to the website. Everything utorrent.exe tries to do would be allowed, or the process itself added to the trusted list entirely. At any rate it would be impractical to review every single action it tried to perform; you'd likely go through a few hundred clicks before you're done.

If you do not trust the program and/or its origin, however, then everything becomes suspicious, whether the file is actually malware or not. Every action I described in example #2 is actually legitimate as far as IceSword is concerned, no matter how malware-like they seem. This is why some people "test" HIPS against malware, and come out crowing that their HIPS utterly won that round. It's one thing when you know you're running malware, and are prepared to click deny on everything that pops up. Unfortunately that's not a scenario that holds in reality. The catch about HIPS is that they tell you WHAT a program is trying to do, but not WHY. IceSword is trying to load an unsigned driver. Pretty suspicious, but that's how it detects rootkits, and 100% legit. HIPS informs you of the action, but not the intent. That intent may be malicious or not, but you'd never know unless you know the program's innards inside-out. And herein lies the catch: if you had that knowledge in your grasp, you'd hardly need half a dozen HIPS prompts to tell you whether that program is malware or not.

So Comodo wants to focus on HIPS. That's all well and good, but unfortunately ONLY ON PAPER. It works well at tests like Matousec, perhaps. And when it fails, the fans are quick to point out – rightly or wrongly – that the fault lies with the user, while the software is forever blameless. There's a whole lot of test-passing super-strength there, but unfortunately it's all theoretical, and all it takes to turn that theoretical super-strength into absolutely nothing is one wrong click. This is why HIPS is useless.

... Whoa. I can't believe I actually I wrote a whole page on what should be common sense in the first place.

 

Very heartfelt posting there but highly selective.No mention of drive-by downloads and other non user-initiated code execution.No mention of rootkit infection,DDA compromises,memory based threats or processes exploiting unpatched security holes within Windows or 3rd part applications,etc,etc.

 

With Firefox, Opera, Chrome, Safari, Ephiphany, Midori, Konqueror etc., a thing of the past. With automatic Windows Update and Protected Mode, even IE7 is highly resistant to drive-by downloads these days. UAC helps even more, but you can leave it out of the equation if you're uncomfortable about that; it doesn't really matter.

Turn off autorun. XP users need to follow some instructions, but Vista makes that incredibly easy.

In case nobody told you yet, throwing about buzzwords and fancy jargon doesn't build your case very well. Besides, why on earth would you need HIPS and its gazillion prompts to give you a false sense of protection from those?

 

There's no point continuing this line as clearly you're completely sure of the assertion that the technology is useless.You're right and the vast majority of the security industry,Secunia,thousands of IT techs and Wilders members are all wrong.

 

HIPS is useless imo. Behavioral analysis are the way to go. I really wonder why they haven't gone this way. Basically all you have to do is to define rules on top of HIPS and you have a behavior blocker.
HIPS is as smart as user in front of computer and a real treat for all popups addicts. For others it's just a pain in the ass.

 

Well, you are most welcome to post evidence/arguments to the contrary. That's what a discussion is for.

At best, HIPS is a utility for teaching you about your system. Mistaking it for a security tool is a phase we all go through. My security mania started with installing half a dozen scanners and anti-whatevers on my computer. And then I moved to HIPS, creating stricter and tighter rules as I went along. Some time later I realized the stupidity of it all, and ran Windows with only an AV, a limited user account (no tampering with SRP/group policy needed), and Windows FW, and later not even the AV. Right now I'm using Ubuntu Intrepid with ufw as my only protection, though I still have a Vista as a second boot OS, which is waiting to see if Comodo can get its act straight with its AV.

 

Behavioural analysis is a very under-exploited technology I agree with that.

 

I could see the discussion descending into a slanging match which isn't what I come on here for.

 

HIPS is noway "useless", its the strongest way to deal with spywares trojans and such,comodo has the best HIPS out there probably.

Once you has configured CIS or any HIPS, the popups will be close to none and you will have the best protection there is.

Some like it others don't apparently Eice is a hater. But HIPS is the strongest security solution out there PERIOD.

No way useless to guys like me, Its like saying that a sandbox is useless since some users ****up and don't configure it the right way and the virus slips out.

 

HIPS is the best way to protect against drive by downloads..
PERIOD.

A BB is nowhere near as bullet proof as a HIPS. But there is also the usability part, I could agree on that, Its a tool that needs some knowledge, but very little in my opinion, as I know some very none technical people that can handle the CIS alerts.

 

I love Comodo, and for the most part really like CIS, but I prefer Behavior Analysis over HIPS. Between the firewall warnings, Threatcast, and D+, I find the latest version of CIS too noisy for my tastes.

 

You got to love those threads..

Bash and talk trash on the stuff that really protects you from everything and really has proved itself.

And then praise the stuff that fails a lot of the times and offers noway near the protection and get everyone to believe that those are the best..

A HIPS is really outstanding, but its personal if you "want" to use it, thou I firmly believe a normal computer user can use CIS without problem!

 

If user education would work (for example where to select what and what not to click) we wouldn't even have a big malware problem. As you see it didn't work... It all boils down to one thing: The user just wants to use his system without getting interrupted and/or has to answer 100 dialog boxes that are not really necessary.

 

i guess I am pretty much a charter member of that great tribe,
known as "average users".
I know a little about security,and even though I do not know
how Windows works,I about half way know how to work Windows.

As far as HIPs,when faced with a pop-up that states:
spodeeodeedll is attempting to chat up Suzieq.exe .Allow? Deny?

I am guessing. pure and simple.


Yes,you can try and Google the pop-up's,but you will spend a lot of
time Googling.
Sometimes you will be doing that Googling when the correct thing to do would be close all browsers and stop all traffic.
You will either become Hips-Fu Master,or you just start hitting
"allow" for everything. (or turn settings down to about WinPatrol levels.)

I like the sound of "Take Back Control Of Your Computer!!"
I like the sound of "Take charge of your own Healthcare!!"
But handing me an absolutely accurate, lab blood chemistry test result
sheet,is not going to help.
I do not know what to do with it.

 

Isn't "block and see what happens" still a pretty good strategy if you are not very sure of what to do? Don't know/trust the application, don't have a behavior blocker to help you, a whitelist, or some really solid information on the consequences of what others have done? Most impact has been a need to unblock and do it over. Block and remember usually even suppresses the rest of the popups. Don't have any time critical flight systems or such, so
If I allow and am wrong, likely to get a malware that can be a lot of trouble to remove, may do some damage before it can be removed. If you can't be right, be careful.

 

From My evaluation of Rising Antivirus Free posted before I read this thread.

 

What you guys need it CIS v4.0 coming out this year!

Then anyone can use CIS while still maintaining prevention as first line of defense.

Alert language should be changed to in CIS 4.0, will be done.

Cheers.
Josh

 

Problem is not with the jargon of the alerts. It's something more fundamental, as I've explained in post #26. You can improve a product to become better at its job, but if its job is a useless purpose, the end result will still be the same.

Inspector Clouseau puts it more succinctly. "If user education would work (for example where to select what and what not to click) we wouldn't even have a big malware problem. (Let alone the need for HIPS.)"

 

That's just your opinion, not a fact.

What if you're installing a program?

 

HIPS is only as strong as the knowledge of the user.
What good is HIPS if user doesn't know what's good and what's bad?
They could just as well clock Allow for everything malicious and block for legit programs and make more damage than good.

 

It's discussions like this that have made me make a poll:

https://www.wilderssecurity.com/showthread.php?t=231534

Exactly. HIPS will always require a certain level of knowledge. You can add Threatcast, but it will still require a user decision. STILL, in many occasions, for reasonably knowledgable users (not necessarily AV experts, but power users), the HIPS is the most secure solution. Blocking drive-by and malware embedded in simple exes is very easy. The main problem with HIPS, is when you have to install something. But for drive-bys and clicking on infected files, classical HIPS doesn't require an AV expert. Just a security aware user. Simply because you will get a pop up, when you shouldn't expect it. Even if you don't understand it, the fact alone that the pop up is unexpected should be enough to block it (some users made this custom policy since the SSM era, with the "disconnect user interface".

You browse and you see a pop up? Why allow it?
You dowloaded a file from p2p and instead of opening like all other similar file types, produces a pop up? Why allow it? You clik on a no-cd patch and you get a pop up that wants to put a startup reg key or modify system files or make a new folder in system32? Why allow it? You click to a nice attachment on your email client and produces "weird" popups? Why allow it?

If you install software from trusted vendors, the classical HIPS can take care of all other threats (if you are a security aware user). Even with installation of new installers, for more advanced users, the HIPS can give hints of malicious behaviour and block.

For the masses? Yes, classical HIPS will never be a viable solution. Behaviour blocking is the way. But for security enthusiasts and control freaks? Sure, classical HIPS can be the most secure solution. (Tiring maybe, because of pop ups, but the most secure).

 

As a security-aware user, you keep your system patched and Protected Mode turned on in IE7. Or you use an alternate browser. What popup?

As a security-aware user, you notice that the mp3 file you downloaded somehow has an .exe extension, and you delete it immediately. What popup?

As a security-aware user, you download and use only official patches from trusted sources, or not at all. What popup?

As a security-aware user, wth are you doing clicking on "nice attachments" in your email?! What popup?

What you've listed happens to be behaviors of users who are NOT security-aware. HIPS takes care of all other threats, if you're a security-aware user. Unfortunately, users who are really security-aware wouldn't need protection from those threats, because they know better than to expose themselves to them.

 

I will only comment this part. The rest i could comment simply with a "what?"

Excuse me, but even security aware users, do use no-cd Patches, do receive mails from friends that may have infected attachments that you can't know if they are intended or not, because their friends aren't security aware, may browse to an internet site and have a drive-by attempt, may download files from p2p that contain exploits, other than mp3s with double extensions etc.

Security aware doesn't mean to live in an aseptic world.

Anyway, since what i described is according to you only things that can happen to non security aware people, i think you can now see the use of classical hips even for such people. In their case, they must use common sense and deny an unexpected pop up.

P.S: You can trust IE7, i can't. There's another difference...

 

A reminder on how otherwise security aware users, with fully patched windows, got infected:

http://antivirus.about.com/od/virusdescriptions/a/wmfexploit.htm

http://www.sophos.com/security/blog/2008/05/1446.html

Pray your AV to have the signature:
http://www.theregister.co.uk/2007/10/24/pdf_exploit_in_the_wild/

http://www.channelregister.co.uk/2006/11/16/movies_gets_malware/

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=73252

HIPS users, would pass this with flying colours.

 

It doesn't. But it does mean having common sense, and knowing what and when not to click blindly. Which brings me back to my original point. A catch-22, don't you think?

As for the exploits you listed, only Flash was of any real concern. WMF was stopped by DEP, while the others required the user to walk into being infected themselves (pdf arrives in malformed emails, wma takes you to a site inviting you to download file and run).

Ironically, IE7 with Protected Mode defeated that particular 0day Flash exploit (the only one of concern among those you listed, since it was truly "silent"), and it was Firefox (without NoScript) that got pwned.

PWN2OWN is also another piece of evidence as to IE7's security. It's not what I or you trust that matters, it's what the facts say. To put it bluntly, I'd wager that default IE7 on Vista is even more secure than default Firefox on XP.