Firewall with HIPS? Or Without?

Discussion in 'other firewalls' started by bellgamin, May 24, 2014.

Thread Status:
Not open for further replies.
  1. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Same here, if it doesn't agree with Sandboxie then it's goodbye, farewell, good luck and good riddance.

    Regards:Eck
     
  2. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Nowadays I find HIPS quite stupid, tons of questions to which the software responds by itself or to which the user says Yes just to get rid of the annoyance. :) Many questions are clueless or retarded and you kill legit processes, leading to Windows crashes.
    Private Firewall does this often.
    For example, you start the PC some day and, without knowing or forgetting that Steam has updated itself, you see the alert and you block legit software from working, after which you search like a nut in the leak settings to see wth you've blocked. :)
    Private Firewall has no log for HIPS if I remember correctly, and you are simply clueless for some minutes (time lost forever). :)


    As most malware uses signed drivers, drivers that are usually on the trusted list of the HIPS, I find HIPS useless.
    It practically worked 2 times for me, in 2007 I think, when I was using Outpost Firewall version 4, and indeed in 2 situations it blocked a folder that was practically an exe and some malware content on a website.

    Since then, saying no to some questions has killed legit software updates or installs. :)

    I may be wrong, but malware, if made properly, will enter with HIPS or without these days.
    W7 and W8 are much better than XP was by default anyway.
     
    Last edited: Jun 20, 2014
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I used PFW for many years, up until just a few months ago when I began using a different security paradigm, based around (primarily) AppGuard. PFW worked just fine for me. Good protection. No crashes. Perhaps I was -- uh... lucky? :rolleyes:

    However, it's true that a strong HIPS can require a lot of user attention at first. But then -- so did AppGuard.
     
  4. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Have been using PFW for quite some time -- no problems -- works great! But probably not the best choice for someone just getting started, or someone who likes/wants carefree computing.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    HIPS, especially those referred to as classic HIPS, are definitely not suited to new or casual users. Even for those who can properly interpret the prompts, they're not always suited to the way the individual uses their PC. TomAZ used the term "carefree computing". If that refers to regularly installing and removing apps, HIPS are the wrong tool for that user. HIPS, especially the classic varieties, can be viewed as anti-change software. On systems that don't change, they will fall silent when the ruleset is complete. On systems that constantly change, the ruleset is never complete and the prompts never stop. The problem here is that this is a policy that's literally dictated by the vendors. Microsoft constantly releases patches that have to be allowed to execute. AVs never stop updating. FireFox is just as bad. The user has to decide if they trust each of those vendors enough to allow their stuff to execute without being prompted. That opens you up to other problems like the vendors' servers being hacked or MS pushing out another version of WGA as a security update.
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    PFW has a learning mode.

    However, if one totally detests HIPS, then I suggest using AppGuard (AG) plus frequent imaging for relatively carefree computing. AG logs everything it does & has very good context-based Help. Plus the AG support forum here at Wilders is very helpful & has several knowledgeable members who hang out in that forum.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Learning mode on HIPS has issues of its own.
    The learning mode instructs the HIPS to create a ruleset that trusts everything that is running. If that system is compromised in any way, the HIPS will allow that activity and possibly defend it. That makes it very risky to use on an existing system. Learning mode produces very permissive rulesets. If process A and B are both trusted, learning mode generally allows them to interact without restriction. It's very much like the default rules created by internet firewalls. They allow the system to work but need to be tightened to make them secure. With the firewall and HIPS combined, learning mode will give you a lot to edit and tighten, especially if you want control over running services.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It also depends on how aggressive the HIPS is. There must be a good balance between usability and security, and I agree that a lot of HIPS fail when it comes to this. For example, Comodo annoyed the hell out of me with all kinds of stupid questions. But I'm too paranoid to run without HIPS, plus it also gives you complete control over apps. :)
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    In other words, you should only use learning mode if you are 99.999% certain that your computer is clean. Suggested steps for installing & "teaching" PFW:
    1- Full overnight scan of your computer by your resident AV
    2- Scan with Hitman, also
    3- Image your system drive C:\
    4- Install PFW & be sure that its learning mode is activated
    5- Run each & every one of the apps that you usually run weekly or more often.
    6- Activate PFW's filter mode
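The point made in posts 7 and 9 above, that learning mode turns whatever is running into allow rules and that the ruleset then needs tightening before filter mode is trusted, can be modelled in a few lines. The following is an added example written for this thread, not code from Private Firewall or any other product named here; the process names, actions and the "dropper.exe" process are constructed for illustration.

```python
# Toy model of a HIPS "learning mode" followed by "filter mode".
# Added example; not code from any product mentioned in the thread.
# All process names, actions and events below are constructed.
from collections import namedtuple

Event = namedtuple("Event", ["process", "action", "target"])

# Constructed trace of what was observed while learning mode was on.
# "dropper.exe" stands for a hypothetical infection already present
# on the machine when learning started (the risk raised in post 7).
LEARNING_TRACE = [
    Event("firefox.exe", "connect", "tcp/443"),
    Event("firefox.exe", "write_file", r"C:\Users\me\Downloads"),
    Event("updater.exe", "write_file", r"C:\Program Files\App"),
    Event("updater.exe", "open_process", "firefox.exe"),
    Event("dropper.exe", "write_file", r"C:\Users\me\AppData\Roaming\Startup"),
    Event("dropper.exe", "connect", "tcp/8080"),
]

# Actions that let one process reach into another. Learning mode records
# these between "trusted" apps without restriction, which is the
# "permissive ruleset" problem described in post 7.
INTERACTION_ACTIONS = frozenset({"open_process", "write_memory"})

STARTUP_DIR = r"C:\Users\me\AppData\Roaming\Startup"


def learn(trace):
    """Learning mode: every observed event becomes an allow rule, no prompt."""
    return {(e.process, e.action, e.target) for e in trace}


def decide(rules, event):
    """Filter mode: 'allow' if a learned rule matches, otherwise 'prompt'."""
    key = (event.process, event.action, event.target)
    return "allow" if key in rules else "prompt"


def tighten(rules, known_good):
    """Post-learning review (post 7's 'edit and tighten' step):
    keep only rules for processes the user can vouch for, and drop
    inter-process interaction rules so they prompt again in filter mode."""
    return {
        r for r in rules
        if r[0] in known_good and r[1] not in INTERACTION_ACTIONS
    }


def persistence_allowed(rules, process):
    """Would this process's writes to the Startup folder pass silently?"""
    return decide(rules, Event(process, "write_file", STARTUP_DIR)) == "allow"


if __name__ == "__main__":
    learned = learn(LEARNING_TRACE)
    # The infection that was running during learning is now "trusted".
    print("dropper persistence after learning:",
          persistence_allowed(learned, "dropper.exe"))   # True
    tight = tighten(learned, known_good={"firefox.exe", "updater.exe"})
    print("dropper persistence after tightening:",
          persistence_allowed(tight, "dropper.exe"))     # False
    print("updater opening firefox after tightening:",
          decide(tight, Event("updater.exe", "open_process", "firefox.exe")))  # prompt
```

The model shows why the order in post 9 matters: `learn()` cannot tell a clean process from a dirty one, so anything running before the scan-and-image steps ends up with allow rules, and `tighten()` only helps if the user actually knows which processes belong on the `known_good` list.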
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, HIPS should only be used by people who want to understand their system at a process and process interaction level. Even if one assumes good rules created by the learning mode, the user gains no knowledge about how their system works or what any of the rules do. When they are alerted to something new, they have no past experience on which to base their decision on any new prompts they're given. Sure, they could put it back in learning mode when they update or install a new app, but on what basis do they decide if that app is clean? They've learned nothing about the app, what it requires, and what it shouldn't have access to.

    Call me "old school" but I firmly believe that if a user is going to employ rule based security software, they need to understand what those rules are doing and why they work.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly. :)

    A couple of notes about HIPS:

    1 I see HIPS as a second opinion tool. Before you run or install some app, you always try to make sure that it isn't malware. So AV is always needed. If the app behaves suspiciously you can always block it.

    2 In order to make good decisions about alerts, you need some technical know-how. But it's not hard to master. Because of my experience with all types of software, I can now already predict what type of alerts I will get to see. I know what's normal app behavior and what's not.

    3 If you make a bad decision and trust the wrong app, then HIPS will most likely not be able to prevent the infection, and it's game over. However, some HIPS like Zemana and SpyShelter do try to protect an already infected machine with the anti-logger function.

    4 HIPS make a great combo with sandboxes. I always run new apps sandboxed (low privileges + virtualization) so that my system and data are safe. HIPS will then notify me if apps behave badly, and if so, I won't install them on my "real" system.
     
  12. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Well said Rasheed :thumb:...but one mention only to
    "4. HIPS make a great combo with sandboxes"
    I could change it to "HIPS make a great combo with limited rights and system virtualisation" which I prefer much more :)
     
  13. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    I've used HIPS-based firewalls for many years, including Comodo, Outpost, Private Firewall, Zone Alarm, Jetico 2 and Sunbelt (even though this one was weaker).
    And since 2007, when Outpost Pro 4 helped me stop some stupid, evident malware files, I have yet to see a question from a HIPS that helps with a malware behavior.
    Apart from blocking legitimate apps from doing something like opening a browser, I've seen no real advantage in using them.
    Yes, it's nice if you are a control freak to see what's happening when you are installing something, but when you see that 99% of the time it blocks you from doing computing, you feel the need to drop it and move on.
    I've chosen to avoid freezes and the useless spam from HIPS and I have yet to see a real infection.
    Sandboxes are a good approach to complete the security.
    Noob or not in HIPS, I can ask you one question: did it ever stop a real unknown malware that you did not know about, or is the simple fact that it passes a synthetic test enough for you to trust it?

    Having in mind the kernel patching in x64 OSes, I find it really hard to believe that a HIPS would really block an infection.
    Back-ups and sandboxing seem to me more suited to do a better job.

    Going from HIPS to non-HIPS is hard for paranoids, like I was, but it is possible. :)
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To clarify:

    With sandboxes, I mean tools like Sandboxie. Also, on Win Vista/7/8 you always run with limited rights anyway, because of UAC. :)
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Totally agree. My primary security app is my imager. I image every 2-3 days & retain each image for ~2 months, LIFO.
     
  16. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    The only situation I would think possible for me to install a HIPS software is with a clean computer. Second thoughts would be, I have this thing installed. How much to trust this, and is my computer now clean anymore? And it should be a community HIPS of sorts, and then comes up a question of how much I can trust this community. Traditional HIPS popping up everything, surely not my thing.

    In my XP computer many years ago I liked Processguard, but it was a free version. Not providing so much protection I think, but easy. SSM did not work so well.
    Nowadays I won't be installing any hipses, the only ones I like are on women and how they move ;)
     
  17. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    If you don't like pop-ups, why install a HIPS in the first place? Anyway, the pop-ups reduce in number after time, making any further pop-up worthy of attention.

    Sandboxie + HIPS + Scanners + Imaging = Very Secure + Very Light.:D
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Not that I would ever again try a HIPS, but to say it can be light with Sandboxie, my main security?

    Your computer starts as fast as without the HIPS program you are using? The sandbox initializations are not slowed down? I understand if you can't reply to my question if the HIPS was "corrupting" your computer before the SBIE install and you never had a virgin no-HIPS computer before.

    Best wishes.
     
  19. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    No slow downs at all.

    Never heard of HIPS corrupting a computer but SBIE is onboard first before anything else.

    Oh well maybe HIPS are not for you Jarmo.

    Regards Eck
     
  20. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    I remember Sygate back in the day when it was popular.
    Sygate was open wide to exploitation from most of the RATs of the time utilizing CreateRemoteThread.
    Sygate was regarded as about as useful as a chocolate teapot, along with Norton antivirus, lol.
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Chocolate teapot?
     
  22. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    One that melts, presumably.

    But yes, anything that can hijack an "allowed" application can bypass an interactive firewall. (Thus HIPS.)
     
  23. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    According to a report at the time, Sygate didn't do too badly against process injection and CreateRemoteThread vulnerabilities.
    -http://www.thehackademy.net/madchat/windoz/win32inc/defeating_windows_personal_firewalls.pdf-
     
  24. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    If you insist on using AppGuard & ERP, then I'd say no to HIPS & SBIE, as they'd be a lot of overlap. Though personally I much prefer a HIPS & SBIE over those 2 types of apps. So yeah, go with a pure FW without a HIPS (if you can find one anymore these days).

    I used to love Kerio too (still have a great legacy v2.1.4 of it), but doubt I'll ever use it again now. LooknStop is another great pure legacy FW, probably the best there ever was, but not free.
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I insist! (yes, I realize that your comment was not directed toward me.)

    Fantastic Three: AppGuard, ERP, Keriver (imager).

    Beyond here there be dragons :eek:
     