Has your HIPS ever actually blocked anything?

Discussion in 'polls' started by Gullible Jones, Apr 14, 2013.

How was your HIPS configured when you saw it block an intrusion attempt?

  1. As an anti-executable (i.e. notify on unknown program launch)

    8 vote(s)
    22.2%
  2. With "maximum" settings, and learning mode as necessary

    5 vote(s)
    13.9%
  3. As a policy sandbox (i.e. restrictions on specific programs)

    4 vote(s)
    11.1%
  4. Other configuration (please specify in the thread)

    4 vote(s)
    11.1%
  5. I have never seen my HIPS block anything malicious.

    21 vote(s)
    58.3%
Multiple votes are allowed.
  1. To those of you who use HIPS software:

    - Has it ever blocked any malware, or other intrusion attempts?
    - If yes, what sort of configuration were you using at the time?
     
    Last edited by a moderator: Apr 14, 2013
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've seen them block when testing, but not real malware in the wild.

    Pete
     
  3. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    I use Comodo Internet Security and I turn off the HIPS and use the BB. I hardly ever download anything new onto the system, so even if they were turned on, it would be a rarity to get an alert.
     
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Nope, I have never noticed any weird pop ups from OA or any of the HIPS I have ever used (OA, Comodo, Outpost, MD etc).

    I have seen it work in my amateur tests in a VM (a long time ago) but I have never caught anything in my real machine. :D
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    I don't use the type of HIPS you're referring to atm.

    However, when I did use CIS, I had configured it to run in the 3 different manners as mentioned in your first 3 choices in the poll (AE, max+learning mode, policy sandbox) at different points in time.

    I didn't come across malware/intrusion attempt so they had nothing to do in that sense.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    AE + = ProcessGuard

    AntiKeylogger + = Zemana

    Some people, no names mentioned :p don't seem to realise that both those Apps do a LOT more than just AE & AK :thumb:

    As an anti-executable (i.e. notify on unknown program launch)

    Hundreds + of .EXE/.SYS etc, both Malware & all new stuff. Plus PG can do these ;)

    Z also Alerts/Blocks Driver install attempts & code modification attempts etc. Along with all its Anti capabilities.

    With "maximum" settings, and learning mode as necessary

    Yes for both.
     
  7. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    When I used one, all it ever really did was interrogate me about every breath I and my system took. Nothing ever sounded any alarms over malicious activity though.
     
  8. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Hahahahaha Pop Up heaven.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I have mine (SSM) set to silently enforce policy during normal usage. I'm not prompted to allow anything or alerted when something is blocked. On a few occasions I've found activities attempted that my policy doesn't allow recorded in the SSM logs. Most of these are either attempts to launch unknown files or attempts to use a permitted process to gain access to another.

    Regarding the poll question:
    "How was your HIPS configured when you saw it block an intrusion attempt?"
    I never actually saw the attempts, just the record of them in the logs. As for the configuration/policy, it's strict default-deny applied to the processes, their activities, internet access, and their access to other processes and system components. All rules are based on file hashes.
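    The silent, hash-keyed default-deny policy described in this post, as an added illustrative model (not SSM's code or that of any real product); the file paths, file contents and rule sets are constructed for the example:

    ```python
    import hashlib
    from dataclasses import dataclass, field

    def sha256(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    # Constructed stand-ins for executables on disk (path -> file bytes); hypothetical paths.
    EDITOR = r"C:\Program Files\Editor\editor.exe"
    UPDATER = r"C:\Program Files\Editor\updater.exe"
    DOWNLOAD = r"C:\Users\me\Downloads\setup.exe"
    FILES = {EDITOR: b"editor build 1", UPDATER: b"updater build 1", DOWNLOAD: b"unknown installer"}

    @dataclass
    class Policy:
        launch: set           # hashes permitted to execute
        internet: set         # hashes permitted outbound network access
        process_access: dict  # source hash -> set of target hashes it may open

    @dataclass
    class SilentHips:
        policy: Policy
        files: dict                                   # path -> bytes, hashed at decision time
        log: list = field(default_factory=list)       # the only trace a silent deny leaves

        def _decide(self, allowed, action, subject, target=""):
            if not allowed:                           # default-deny: no rule means blocked, no prompt
                self.log.append(f"BLOCKED {action} subject={subject} target={target}")
            return allowed

        def launch(self, path):
            return self._decide(sha256(self.files[path]) in self.policy.launch, "launch", path)

        def internet(self, path):
            return self._decide(sha256(self.files[path]) in self.policy.internet, "internet", path)

        def process_access(self, src, dst):
            sh, dh = sha256(self.files[src]), sha256(self.files[dst])
            ok = dh in self.policy.process_access.get(sh, set())
            return self._decide(ok, "process-access", src, dst)

    def demo():
        files = dict(FILES)
        e, u = sha256(files[EDITOR]), sha256(files[UPDATER])
        hips = SilentHips(Policy(launch={e, u}, internet={u}, process_access={u: {e}}), files)
        results = [hips.launch(EDITOR), hips.launch(DOWNLOAD), hips.internet(EDITOR),
                   hips.process_access(UPDATER, EDITOR), hips.process_access(EDITOR, UPDATER)]
        files[EDITOR] = b"editor build 2"             # binary replaced in place: hash no longer matches
        results.append(hips.launch(EDITOR))
        return results, hips.log
    ```

    Because rules are keyed by hash rather than path, the replaced editor binary in the last step loses its launch permission until a new rule is written for it, and the denial shows up only in the log, as the post describes.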
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Nothing that I can say with certainty is malicious, but it could have saved me from having a ton of info being sent to who knows where by blocking certain events. And the same goes for my outbound FW.

    I run a pretty tight/clean ship here, so my chances of intrusion/compromise are very low. So it's more privacy/anonymity that I aim to curb.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I did once out of all the years I have been using Online Armor. I turned on Shadow Mode, and hit a whole lot of porn sites in an attempt to find some malware in a real world environment. NOD 32 went nuts lol. Online Armor stopped something that I was sure was malicious, but I don't remember what it was since it's been years ago.

    My HIPS has made me aware of many programs installed on my machines that I did not want to communicate with the internet or did not want installed on my PC to begin with over the years. I do like HIPS for its anti-leak functionality. I have uninstalled, disabled, or blocked internet access to many applications that my HIPS made me aware of.
     
    Last edited: Apr 15, 2013
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Whenever I'm updating my system or applications or installing something new, I connect the UI on SSM, which effectively changes its default behavior to "ask". On quite a few occasions, SSM has intercepted and alerted me to undesirable actions by the installers and application updaters. On a few occasions, SSM alerted me to the installers attempting to install a toolbar even after I deselected it. On other occasions, it prevented the installer from changing default handler settings I didn't want changed. On others with built in updaters, it's alerted me to the app calling home even though I'd set it not to check for updates. On different occasions, the activities SSM intercepted were enough reason for me to either skip the new version or replace the application with something else. It's not always because the activities themselves are malicious. Often they show a change in the attitude of the vendor where they no longer respect the wishes of the user (much like Windows).
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Actually, after reading the above post I concur. I've also seen such activity. Phone homes from installers... or pings, which CCleaner would do every time it updates. Heck, I don't know what it's transmitting. Many apps people in here regard highly, I've seen do some shady looking things, namely a certain PDF reader. It basically asked for a blank check to take over my computer.

    So I don't place full trust in anything. People saying to only download from trusted sites/sources... that doesn't always cut it. I'd rather not be oblivious to what's really going on on my box.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I was using ProcessGuard many years ago (among other things) and attended a LAN party. I had set it somewhat aggressive (you know, a prompt for everything) but I did see some activity. A guy brought in his dad's PC which had a virus on it and was attempting to spread across the LAN. In all my years using such things, that's the only truly legitimate thing I can recall.

    True that. I like to get files from sources I trust, and would say it's an overall good practice, but who are we fooling really? There are so many things you would want to download that won't come from someplace like majorgeeks. I don't use a HIPS often any more, but do start new things in a sandbox and watch the processes, and maybe turn on my firewall. If it's really sketchy I install it into a VM that's set up with many tools for "sleuthing".

    Sul.
     
  15. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    I've had false positives when running applications for my school. Some of the "show me the answer" or "show me how it's done" features get flagged for certain behaviors like hijacking my mouse. Unfortunately, it's been a while since I've had an infection on my system that I am aware of. More recently, I've had to work with file types that my system flags upon execution. I know they are harmless because I'm the one creating them. Hopefully this is an indication of how my system would respond to an actual threat. I'm running maximum settings and add a temporary exception when needed. I didn't bother with learning mode at all.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Your use of the terms "false positive" and "hijacking" when describing mouse or keyboard hooks shows the real issue. Users have been conditioned to view hooks as malicious when in reality, they're a tool. Part of the fault here lies with the vendors. That is one of the problems with HIPS, especially classic HIPS, making decisions and rules for activities the user doesn't properly understand. When I get prompted regarding a keyboard or mouse hook, I normally deny the action the first time and see if it breaks or adversely affects how the app works. If the app functions properly without the hook, I make the blocking rule permanent. If blocking the hook breaks a function I need, I'll allow it for that app.
     
  17. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    @noone_particular

    Terminology is often adopted and modified across different industries and fields of study. I'm curious what these terms mean to you, as people often have different perceptions based on their own experience and knowledge. Based on your description though, it would seem we both react to keyboard and mouse hooks in a similar fashion, but maybe not for the same reasons.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    To me, as they relate to computers, hijacking means taking control of an application or system without the owner's/user's approval. False positive means incorrectly identified as malicious.

    When I see a prompt for a keyboard or mouse hook, I try to determine why/if that hook is necessary, and for what. During some of my beta testing of SSM, I was working with Yahoo Instant Messenger (circa 2007). On startup, SSM prompted regarding the Yahoo executable, ypager.exe, wanting to attach idle.dll with 2 hooks, WH_MOUSE and WH_KEYBOARD. As far as I could determine, the only function that relied on these hooks was message archiving. Everything else worked normally whether I blocked the hooks or not. Message archiving was not a "feature" that I wanted, so I made the block on those hooks permanent. Yes, message archiving can be shut off via the settings. It can also be turned back on via an update if the vendor doesn't respect the wishes of the user. IMO, Yahoo is such a company. With the hooks blocked, archiving remains disabled even if Yahoo decides to re-enable it.

    Behaviors like this are one of the reasons I use classic HIPS, specifically SSM. More and more, software (and OS) vendors regard users as a commodity to be monetized. Things presented to the user as features are often used to spy on them or record their activities. Although the apps are regarded as clean, I consider some of their behaviors intrusive or outright malicious. While not an ideal solution, HIPS often does make it possible for the user to disable undesirable behaviors when better choices for the user apps aren't available.
     