HIPS - necessary or not? which is the best?

Discussion in 'other anti-malware software' started by carioca, Mar 24, 2007.

Thread Status:
Not open for further replies.
  1. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    I hit their site. yep, it would hurt the wallet later so I will pass for now. ;)

    So far, except for the BOClean update, CH has been silent. It did not even ask about several other updates such as AVG.
     
  2. ESQ_ERRANT

    ESQ_ERRANT Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    72
    I have come full circle as far as HIPs type security software goes. After trying out and using at one time or another, for the last two years, PG, SSM, Sana Security's Primary Response SafeConnect, Faronics' Anti-Executable, DefenseWall, RegDefend, RegRun -- so forth and so on -- and causing conflicts and registry problems on my system galore, I reformatted my computer and have gone back to basics.

    I have one AV with firewall, one AT, one AS, one AK and LinkScanner. My machine is lean and runs quickly and well. I don't engage in file sharing or surf dubious websites. I have used ISR-First Defense but, as it conflicts with my RAID card and moved my boot sector -- so says my computer guru -- which caused my computer to freeze up constantly and to ultimately fry my machine -- I have parted with that protection as well. I rely on VERITAS for backup and ACRONIS for image creation, and there you have it.

    If I ever feel it necessary to add (which also means if I feel brave enough to go with) HIPs' type security software once again, it'll probably be with DefenseWall and/or ProcessGuard/WormGuard/Ghost Security's RegDefend and that is emphatically that -- as those programs seem to have caused the fewest problems with my machine as far as I can tell and as far as I can recall, and also seem to get along well with virtually "everyone" (i.e., everything) else on my machine -- but I could be wrong.

    Moreover, if I do add one or more of the above type HIPs security software, it will definitely be one program at a time and I will let the particular program run at least one week alone on my machine before adding others, to see if slowdowns or other problems or discrepancies occur.
     
    Last edited: Apr 17, 2007
  3. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Have you noticed when you run RootkitRevealer (Sysinternals) it creates a randomly named .EXE file in %TEMP%? (Just the fact of the <double-click> to run, not even clicking the <Scan> button.)

    That must be why there is a slight delay while RootkitRevealer "starts".

    For example...
    04/18/2007 08:34 AM 580,480 SYW.exe
    04/18/2007 08:36 AM 441,216 WEQOPYJVR.exe
    04/18/2007 08:37 AM 428,928 NVYLG.exe
    04/18/2007 08:38 AM 555,904 HP.exe
    04/18/2007 08:40 AM 490,368 NJUEF.exe
    04/18/2007 08:41 AM 437,120 CJNVVN.exe
    04/18/2007 08:51 AM 592,768 LFAIOL.exe

    Hmm, RootkitRevealer.exe is...
    11/01/2006 01:07 PM 334,720 RootkitRevealer.exe

    http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
    Mike
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,219
    Hello,

    Pedro, sorry for a late reply, didn't notice it. Steve Gibson implied it on grc.com. Have a look there. I'm merely passing the word in the context of the discussion.

    Mike, the emphasis is on the word might. RKR starts so on purpose. But do read the other posts before, so you might understand what I meant with this claim. Specifically, when something is obviously wrong, there's little doubt, and when you think you're doing things the right way, you'll do them.

    Mrk
     
  5. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Yes, very true... might!

    I have read them. :)

    I just discovered the temp EXE files, and thought, "Sheet! I have been forked!". But, after replaying what prog I was messing with, I thought I would let all the wonderful people here on Wilders know what I have discovered.

    Mike
     
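An added example for the two posts above (Mike's %TEMP% listing and Mrk's reply that RKR does this on purpose); it is editor-written code, not anything from Sysinternals, RootkitRevealer or the posters. The point it makes: a randomly named .exe appearing in a temp directory is exactly what a HIPS would prompt on, and the name alone cannot tell a tool's self-copy from a dropper. The script therefore triages on content: is it a PE file at all, does it carry an embedded Authenticode certificate table (presence only, no verification), and does its SHA-256 match a known-good set. The all-caps name heuristic is tuned to the listing in the post, and the directory contents are constructed with a minimal fake PE32 builder so it runs offline; both are assumptions, not product behaviour. Note that the listed copies differ in size from run to run, so a hash allowlist of RootkitRevealer.exe itself would not match them, which is why the report keeps the other fields.

```python
"""Triage new .exe files in a temp directory the way a HIPS prompt would need to.

Added example for this thread; not code from RootkitRevealer, Sysinternals or any
poster here. It keys on file *content* (PE header, certificate table, SHA-256)
rather than on the random name alone.
"""
import hashlib
import re
import struct
import tempfile
from pathlib import Path

# Heuristic tuned to the listing in the post (SYW, WEQOPYJVR, NVYLG ...).
# An assumption for this example, not a rule any product uses.
RANDOM_STEM = re.compile(r"^[A-Z]{2,12}$")


def looks_random(filename: str) -> bool:
    """True if the file's stem is an all-caps alphabetic string like the listing."""
    return bool(RANDOM_STEM.match(Path(filename).stem))


def parse_pe(data: bytes):
    """Return basic facts from the PE headers, or None if this is not a PE file.

    Walks DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional header
    -> data directory 4 (Certificate Table). A non-zero certificate size means an
    Authenticode signature is embedded; this does NOT verify the signature.
    """
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
            "<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:          # PE32
            nrva_off, dirs_off = 92, 96
        elif magic == 0x20B:        # PE32+
            nrva_off, dirs_off = 108, 112
        else:
            return None
        nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
        cert_size = 0
        if nrva > 4 and opt_size >= dirs_off + 5 * 8:
            _cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 4 * 8)
    except struct.error:
        return None
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "is_dll": bool(chars & 0x2000),
        "has_embedded_signature": cert_size > 0,
    }


def triage_dir(directory: str, known_good_sha256: set) -> list:
    """Describe every .exe in `directory` so an analyst (or a HIPS rule) can decide."""
    report = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.suffix.lower() != ".exe" or not entry.is_file():
            continue
        data = entry.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        pe = parse_pe(data)
        report.append({
            "name": entry.name,
            "size": len(data),
            "sha256": digest,
            "is_pe": pe is not None,
            "has_embedded_signature": bool(pe and pe["has_embedded_signature"]),
            "random_name": looks_random(entry.name),
            "known_good": digest in known_good_sha256,
        })
    return report


def build_fake_pe(cert_size: int, payload: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for offline demonstration; not a real program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x4548C2A0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, 0x400, cert_size)  # Certificate Table
    return dos + b"PE\0\0" + coff + bytes(opt) + payload


def demo() -> list:
    """Build a constructed temp directory resembling the listing and triage it."""
    known_good = {hashlib.sha256(build_fake_pe(0, b"tool")).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "WEQOPYJVR.exe").write_bytes(build_fake_pe(0, b"copy-with-random-padding"))
        Path(d, "setup.exe").write_bytes(build_fake_pe(4096, b"installer"))
        Path(d, "JUNK.exe").write_bytes(b"not a portable executable")
        Path(d, "RootkitRevealer.exe").write_bytes(build_fake_pe(0, b"tool"))
        Path(d, "notes.txt").write_bytes(b"ignored")
        return triage_dir(d, known_good)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

To run it against a real machine, call triage_dir on the actual temp directory with a set of hashes you trust; the random-name flag is only a prioritisation hint, and a "known_good" miss on a randomly named PE with no embedded signature is the case that deserves a prompt.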
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I am late to this thread so I will give my opinionated answers to the two questions it asks:

    Is HIPS necessary? Yes. (HIPS are very effective against all types of malware, including zero-day & morphing schtuff. Signature-based security apps are less so.)

    Which is best? System Safety Monitor-Pro (if you don't object to answering pop-ups from time to time) or Prevx1 (if you prefer to set it & forget it).
     
  7. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    ESQ_ERRANT wrote , "I have used ISR-First Defense but, as it conflicts with my RAID card and moved my boot sector -- so says my computer guru -- which caused my computer to freeze up constantly and to ultimately fry my machine -- I have parted with that protection as well. I rely on VERITAS for backup and ACRONIS for image creation, and there you have it."

    FD-ISR has now done a big update and moved out of the pre-boot sector so more programs will be compatible with it. Plus it added Vista support. Might want to try to add the update and see if that doesn't help your computer setup. I can't imagine you gave up FDISR over VERITAS and ACRONIS. Looks like you are taking a step backwards.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have not heard from you for quite a while. Now that Kareldjag and NicM are not testing anymore it is hard to get an objective opinion on what is the best.
    Leaders in the classical HIPS field like SSM-Pro and ProSecurity Pro? Virtualisation apps like ShadowSurfer or PowerShadow? Point is they focus on stability, while a focus on rights is probably sufficient for most 'average' protection (DefenseWall/GeSWall). Behavior blockers like CyberHawk or EQSecurity? Or just a combination of all, PrevX1 (behavior, black/whitelist and execution warning)?

    In Holland there is a saying: "on politics and religion people will never agree with each other"; in the digital days you could change this to "on security and operating systems PC enthusiasts will never agree".

    Regards K
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Way back a question was asked about the probability of the average user getting infected without any HIPS. Sorry if I missed the answer but HIPS - necessary or not ? can not be answered without knowing the habits of the user, the type of hardware used, the browser and so on.

    Many who do not go looking for trouble will never get infected, making any HIPS totally unnecessary. For others HIPS can be beneficial.

    So what is the probability of the average user getting infected and really needing HIPS? If the user is careful then HIPS are probably not needed. If the user does not really know what they are doing then HIPS may help, but will all too often simply provide protection until needed and then let the user down.

    I would advise the average user concerned about security to stay away from HIPs and to use a little common sense.
     
  10. EASTER.2010

    EASTER.2010 Guest

    If pinned down to only two those would have to be my selections also. Prevx1 is absolutely notorious in examining everything that moves, System Safety Monitor requires some tweaking for striking the right chord to perfect shielding. I didn't mind and still don't mind combining either Cyberhawk or EQSecure along with SSM. Covers a lot of internal real-estate and leaves less to chance than a single program.

    You have to remember in the worst-case scenario, and I've been to plenty of virus sites over my stretch of years, writers of these intrusion wares focus on disabling the more popular AVs/ATs/HIPS if they can. That's why I prefer to give them more walls to have to climb past than only one, because once is all it takes.

    Necessary? If you want to not gamble with sharper minds than ours who are able to devise techniques for forced entries and whatever else they have planned afterwards for your good machine.
     
    Last edited by a moderator: Apr 18, 2007
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    HI Easter,

    Can you list what techniques you are referring to?

    I ask, because a group of us are re-configuring three systems from scratch, each with different minimal security -- one being Firewall + SRP (a la SpikeyB).

    We've made a list of various "forced entry techniques" (apt expression!) and want to see if there are some we haven't thought of.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  12. EASTER.2010

    EASTER.2010 Guest

    Some are listed on rootkit.com, mostly bits and pieces of code they are experimenting with to secretly introduce into machines, some even with security programs in place.

    Others you could read about exist at offensivecomputing.com, as well as samples, which require registration. (member there)

    Blackhat forums also can offer up new techniques being examined by those who mostly take interest in infiltrating by uncommon/undocumented means.

    Some of those darker sites freely advertise their affiliates which lead to another, then another, then others..............well, you understand now.

    REGARDS EASTER
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Interesting new piece about code injection PoC... I noticed in a comment that KAV6 and zonealarm blocked it.

    No new techniques here.

    Yes, interesting, nothing has surfaced in the wild that demonstrates new techniques.

    Most of the efforts of exploits in the wild at the moment are in refining the nature of the rootkit component, which still has to install by some technique. This is what I thought you were referring to when you used the word "technique." Techniques haven't changed much.

    I'm not so much interested in what malware does when installed (although I've enjoyed watching some run in testing - like how the recent wincom32.sys hides itself and all Registry entries); rather, in preventing its installation. This is more relevant to people I help - the "average" user (whatever that means - for lack of a better word).

    Most don't know what a rootkit is, or what kernel, ring-0, etc, mean. But they understand how to protect their computer from techniques that viruses (that word they know) use to get into their computer.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Correction- they only think that they understand it...
     
  15. wat0114

    wat0114 Guest

    HIPS - necessary or not? No, but for me it's nice to have.

    Which is best? I don't know. It's all about individual preference. I like SSM.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Agreed!

    And one's confidence that she/he understands remains viable until proven otherwise (ie, malware gets installed).


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  17. herbalist

    herbalist Guest

    I consider some form of executable control that isn't dependent on signatures or reference files to be necessary with Windows. Whether that's HIPS, a sandbox app or whatever depends on the user.
    I can't agree. There's too much being made of knowing how to answer each and every prompt. Yes, if you're prompted by malware and you allow it, you're infected. What isn't being said here is that without HIPS or something else to intercept or contain the malicious process, you won't be asked. The malware just installs, most likely without the user ever knowing anything new is running.

    This isn't that complicated. If you're not installing or updating something and you get prompts for a new process, just say no.

    Prompts when installing shouldn't be an issue either. There's no guessing game to play with the prompts. Your basic security policy should spell out what you do in different situations. There are only two scenarios here. The new process you're being prompted about is either solicited or it's not.

    Solicited
    If you're installing or updating, it's solicited. You expect to see new processes during updates and installs. Making a system backup before installing new software solves the problem of malicious or incompatible code in a software install or update. If this is made standard policy that's followed for installs and software updates, the problem of accidentally allowing something malicious or unwanted is easily fixed by using that system backup. Always give yourself a way to undo changes.

    Unsolicited
    If you're not installing or updating and you get prompts for a new process, it's unsolicited and should be blocked as a matter of policy. It's most likely unwanted and unneeded. Very possibly malicious. For those occasional instances where the prompt is for something necessary, an app for handling a filetype you're encountering for the first time on a webpage, make a system backup and treat it as solicited.

    Some may argue that it's too inconvenient or too time consuming to make a system backup before each install or update. Some backup software can do this on a schedule, with no interaction from the user. With others, a single click and a few minutes' time is sufficient. Is it really that big of a problem when compared to digging out registry changes that weren't performed by the app's uninstaller, or battling a trojan that defends itself? For myself, those few minutes spent making that backup are a small price to pay for knowing that I can undo anything that installer or malware does in a matter of minutes with no real effort, save for actual hardware damage.

    Actually, HIPS is well suited to family PCs. Quite a few people use my PC with no problems. Again, this comes back to your basic security policy. When it comes to security, a family PC should be treated the same as a PC in a business or any other institution. In a business environment, the IT people are the administrators and the employees are users. The same should apply to a family PC. Young kids, novice or typical users, etc shouldn't be in a position to make administrative decisions. Your youngest sibling won't be installing a trojan, thinking it's a new game or a cheat for an existing one, because they can't do it. They should not be prompted with unknowns in the first place. No prompts, no mistakes. There should be one administrator who sets up and maintains the security-ware. If all parties using that PC are free to install software (and malware), you have much bigger problems that need addressing.

    When I set up SSM on my PC, I finished the ruleset on my user profile. I then imported it into the other user profiles as a starting point, made whatever changes were needed to accommodate their needs, and disconnected the UI. If the ruleset is complete, there's no need to run a HIPS in an administrative mode on any user account or profile unless you're installing or updating. That's the administrator's job, not the user's.

    Some here might not like hearing this but it needs to be said. In this and many other "which is best" threads, people are neglecting the most important part of any security setup, a basic security policy. Security software is chosen and configured to enforce your security policy. It doesn't matter if it's HIPS, a firewall, web filtering software, or a trusted site list, sooner or later it all comes down to user choices. Without a basic policy as a guide, software selection and its configuration is piecemeal, addressing individual items but not the problem as a whole, or as others have already stated here, they're guessing how to answer the prompts. If you're guessing about how to reply to an unknown, you don't have a usable security policy. The result is a security setup that's overkill in some situations and weak in others. It's like building a puzzle that has no picture and lots of extra pieces. How do you know when or if it's ever complete? That's not the way to assemble a good, layered security package. Without a basic policy for a starting point, all you end up with is a pile of security apps.
    Rick
     
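An added example for the post above: the solicited/unsolicited rule and the admin-configures, users-never-get-prompted setup expressed as code. This is editor-written illustration, not SSM's rule format or any product's engine; the event fields, the install-mode flag, the backup-before-install precondition and the per-profile ruleset import are all assumptions chosen to make the post's policy mechanical. The decision function only ever returns allow or block, never prompt: a known hash is allowed, an unknown one is allowed and learned only while an admin has declared an install (after naming a backup), and everything else is blocked silently. The events at the bottom are constructed.

```python
"""Execution-control policy as code: the solicited / unsolicited rule.

Added example for this thread; not SSM's ruleset or any product's engine.
All field names and the install-mode mechanism are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LaunchEvent:
    user: str       # account the new process would run as
    path: str       # image path as reported by the interceptor
    sha256: str     # content hash; the policy never keys on the name alone
    parent: str     # parent process image name, kept for the log


@dataclass
class ExecPolicy:
    admins: frozenset
    allowlist: dict = field(default_factory=dict)   # sha256 -> image path
    install_mode: bool = False
    install_backup: str = ""
    log: list = field(default_factory=list)

    def begin_install(self, user: str, backup_id: str) -> None:
        """An admin declares a solicited change; a restorable backup is a precondition."""
        if user not in self.admins:
            raise PermissionError(f"{user} may not install or update")
        if not backup_id:
            raise ValueError("take a system backup before entering install mode")
        self.install_mode, self.install_backup = True, backup_id

    def end_install(self) -> None:
        self.install_mode, self.install_backup = False, ""

    def decide(self, ev: LaunchEvent) -> str:
        """Return 'allow' or 'block'. There is no 'prompt' verdict: no prompts, no mistakes."""
        if ev.sha256 in self.allowlist:
            return self._record(ev, "allow", "known")
        if self.install_mode and ev.user in self.admins:
            self.allowlist[ev.sha256] = ev.path       # learned as part of the install
            return self._record(ev, "allow", f"solicited (backup {self.install_backup})")
        return self._record(ev, "block", "unsolicited")

    def _record(self, ev: LaunchEvent, verdict: str, why: str) -> str:
        self.log.append((ev.user, ev.path, ev.parent, verdict, why))
        return verdict

    def export_ruleset(self) -> dict:
        """Finished ruleset, to seed other user profiles with."""
        return dict(self.allowlist)

    @classmethod
    def for_user_profile(cls, admins, ruleset: dict) -> "ExecPolicy":
        """A non-admin profile gets the ruleset but can never enter install mode."""
        return cls(admins=frozenset(admins), allowlist=dict(ruleset))


def demo() -> list:
    """Walk both scenarios with constructed events; returns the verdicts in order."""
    admin = ExecPolicy(admins=frozenset({"rick"}))
    verdicts = []
    # Unsolicited: nothing is being installed, an unknown hash appears under the browser.
    verdicts.append(admin.decide(LaunchEvent("rick", r"C:\Temp\update.exe", "aa11", "firefox.exe")))
    # Solicited: backup taken, install mode entered, the same binary is allowed and learned.
    admin.begin_install("rick", "image-2007-04-18")
    verdicts.append(admin.decide(LaunchEvent("rick", r"C:\Temp\update.exe", "aa11", "setup.exe")))
    admin.end_install()
    # Afterwards it is simply known.
    verdicts.append(admin.decide(LaunchEvent("rick", r"C:\Temp\update.exe", "aa11", "explorer.exe")))
    # Another profile: imported ruleset, unknown "cheat" silently blocked, no install mode.
    kid = ExecPolicy.for_user_profile({"rick"}, admin.export_ruleset())
    verdicts.append(kid.decide(LaunchEvent("kid", r"C:\Temp\update.exe", "aa11", "explorer.exe")))
    verdicts.append(kid.decide(LaunchEvent("kid", r"C:\Downloads\cheat.exe", "bb22", "explorer.exe")))
    try:
        kid.begin_install("kid", "image-x")
    except PermissionError:
        verdicts.append("denied")
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The interesting design choice is that the "solicited" branch is the only place the allowlist grows, and it is gated on two things the post insists on together: an administrator and a named backup to fall back to.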
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,219
    Hello,
    Agree with second part - security policy.
    Disagree with first part - unsolicited process? When has that ever happened? Like I said, skill is needed to get infected.
    Mrk
     
  19. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    I think HIPS would be nice, if there was a HIPS for a power user of other programs, but not a power user of HIPS programs.

    Let me illustrate:

    - dev machine, hosts a local copy of a source tree (not major source)
    - tens of thousands of files may be accessed at compile time (HD access is really bonkers)
    - lots of software gets installed, tried, uninstalled and most of those use net access
    - system already has several other ring 0 drivers, easily causing conflicts with other ring 0 security apps

    On a system like this:

    1) Most "set and forget it" HIPS sw fail (they block too much)
    2) Most "pop up and ask" HIPS sw become way too cumbersome (no time to teach it or define all the rules, way too many processes/registry/file/net/etc rules to define)
    3) Black/whitelisting could work, but is very cumbersome with new progs being trialed
    4) System conflicts and odd crashes are really, really annoying and increasingly difficult to track down if one doesn't do machine code debugging and driver level development for a living

    So, in a situation similar to above, HIPS would be nice (due to a high amount of risk factors), but practically very difficult to use.

    As such, I see many of my colleagues do the following:

    1. One resident strong AV with heuristics + maybe 2nd on-demand scanner
    2. anti-trojan, anti-rootkit scanners
    3. Disk imaging
    4. Virtualization sw (like Virtual PC 2007) for trialing new sw
    5. Web sandbox tools for quickly looking at software that gets installed on the actual OS (non-virtualized)

    But even that is quite cumbersome.

    I'm sure the virtual machine can be breached as well, but for most unwanted effects (whether dll overwriting, registry bloating or unwanted drivers / actual malware) it seems to be fairly useful.

    And it can be, in some situations like above, much less hassle than a very difficult HIPS that causes way too many conflicts or way too many popups.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Halcyon,

    I agree,

    Boxing a computer is only applicable when the user does not try out software (like my wife's), you can use a hard to configure anti-executable (SSM) or behavior blocker (EQSecure) to restrict the PC. First defense is a seamless sandbox (only policy/rights limitation, no file virtualisation).

    For my Son this just does not work, you need a pop-up HIPS (like DSA) as second defense and a seamless sandbox as first. Still you are left alone in the dark, when closing your security layers to try out a new program. I will have a look at MS's virtual PC 2007, thanks

    Regards K
     
  21. EASTER.2010

    EASTER.2010 Guest

    SSM plus EQSecure is all the HIPS i need. I still favor cyberhawk although it seems to be losing attention for whatever reason but still is not a bad app.
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I agree that Cyberhawk is "losing attention." CH folks used to post here regularly but lately they have become conspicuous by their absence. They have no forum of their own, & their website shows little signs of recent activity. That's okay for well-established security programs but (in my opinion) CH is not sufficiently well-established to become so seemingly dormant.

    I am watching & hoping for some signs that CH folks are in it for the long-run.
     
  23. EASTER.2010

    EASTER.2010 Guest

    In all honesty I found the very first beta release of Cyberhawk extremely formidable. No keylogger false positives or strains on the system from their :blink: (4) active drivers, like resulted from recent versions. I alerted them to this and although the system instability seems to have finally been corrected, the false positives increased. Now if Cyberhawk could just take a few steps back and one step forward I think they might be back on track. It is one of the better behavioral blockers that won my heart hands down at the start, so yeah, I have something of a personal sentimental investment in it.
     
  24. ESQ_ERRANT

    ESQ_ERRANT Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    72
    Thanks much for your reply Horus37 and for the helpful information. I haven't been reviewing Wilders for a few weeks now or I would have responded to your kind remarks sooner. I will contact FD-ISR to discuss my issue. RAXCO has first-rate technical support and I had given up on First Defense very reluctantly, to say the least. If, as you say, I would no longer encounter a boot-sector problem with the latest version of First Defense, I will commence using the product again. Surely, VERITAS and ACRONIS are good products and each does what it is supposed to do very well, but VERITAS is, after all, a backup device, pure and simple (if a very sophisticated one), for documents essentially, and cannot be relied upon to provide backup support for registry keys; and ACRONIS is useful in worst-case scenarios to preclude the need for a complete reinstall of the Windows OS. First Defense is ideal in those situations, I have found, where a particular application plays havoc with an OS but what is required is only to revert back to a state immediately prior to the application's installation to get the OS back to proper working order. Windows RESTORE cannot guarantee a positive, successful and complete restoration to an earlier state if registry keys have been severely damaged by particular software, and may not even work properly to provide a successful reversion to a prior state as it, too, may be irreparably damaged by the very software that wrecked the OS overall -- thus the benefit inherent in, and superiority of, a product like First Defense, which is immune to the effects of less than desirable software.

    Accordingly, thanks for the info. I will give RAXCO a call shortly and let you know what they have to say.
     