HIPS or a behavior blocker

Discussion in 'other anti-malware software' started by Tara_Turvi, Mar 2, 2009.

Thread Status:
Not open for further replies.
  1. Tara_Turvi

    Tara_Turvi Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    4
    Hello guys!

    I’ve been going through this forum for quite some time, but I still haven’t found what I’m looking for. So, I decided to create an account here and ask you to help me decide what would be the best addition to my security setup. Right now, I’m using Avira AntiVir Personal, together with SAS and MAMB (both free) and CIS (firewall only). Apart from picking up several techie expressions while reading the posts here, I’m far from being computer savvy, so I don’t know whether I should choose a HIPS such as CIS D+, or a behavior blocker such as TF and/or DS. As I understand, while using a HIPS, all decisions come down to the user (but D+ has got a TC now as a means to show how other users replied to the same question while installing the same software, right?), while a behavior blocker does its own analysis (checking the data in the cloud?) and asks the user only if not being certain what to do. If I chose a HIPS, would I have to hit the allow/deny button every time I install a new program, and how would I know what would be the right answer? On the other hand, are TF and DS just as good as D+ but question free?

    I would be very grateful if you could help me.

    Tara

    (Windows Vista, administrator UA)
     
  2. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    You should get a behavioural blocker, it is much easier to use. ThreatFire is one of the best free ones.
     
  3. Tara_Turvi

    Tara_Turvi Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    4
    Thank you for the reply. :) But in which way is it better than DS?
    (if I'm violating the "vs" rule, please erase this post)
     
  4. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Well DS is quite good but I personally prefer ThreatFire, because DS has an unproven AV integrated and is more resource intensive.

    Edit: I haven't tried the latest version, so I would go with what firzen771 said.
     
    Last edited: Mar 2, 2009
  5. trio

    trio Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    15
  6. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Far from it. The new version of DS, recently released, is light and quick, and I've had maybe 3 popups since installing it (that's how good their white list is). Plus, IF you want, you can add folders and file types you want to be protected, or you can leave it at default and still have good protection. As for their AV, you can just disable it and use their other protection module, and use the scanner for on-demand use if you wish, or not use it at all. From my own use, this new version of DS is lighter than TF, IMO.

    PS. Their AV isn't completely unproven, it got a checkmark from WestCoast Labs.
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree that behavioural blockers are quieter and easier to use than classical HIPS.

    I like and use PC Tools ThreatFire myself. Some people at Wilders have reported problems with ThreatFire quarantining parent processes along with the child process that triggered the alert. I haven't experienced that myself, but it's something to be aware of. It's probably best to configure ThreatFire to create a system restore point before quarantining.

    I also use Prevx Edge, which provides a similar level of protection against zero-day threats as ThreatFire, so is also worth considering. Unlike ThreatFire though, Prevx Edge is a paid product. You can trial Prevx Edge free of charge for as long as you want and it will monitor and report any threats it finds, but the real-time blocking is disabled unless you pay to register it.

    I have Avira AntiVir Personal, PC Tools Firewall Plus, and Returnil all running alongside ThreatFire and Prevx Edge without experiencing any problems, conflicts, or slowdowns. Of course everybody's experience is different, so you will need to experiment with what works well for you.
     
  8. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Mamutu and Prevx are also some other good options.
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes, Mamutu is also a good option. Like Prevx, Mamutu is also paid software. As Mamutu is a cut-down version of a-squared without the signatures, you might want to consider the paid version of a-squared as well.
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Yes, a-squared has good shields guarding the system in real time; the only thing is that it is 39 bucks, a little pricey ;) I am not a cheap guy, but you know :D
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I can't speak for other users' satisfaction, but my own, with many units I employ explicitly for surfing and especially testing, but I do implement both MAMUTU + EQS and they've proven over time to relieve any anxiety of cautiousness, although occasionally they both will alert to the same potential threat as the other when put to the grind.

    Personally, I would recommend BOTH as an extra precaution. But then if you want to avoid this dual defense, there lie in wait virtual systems AND sandboxes that also serve as a shielding grid against those potential malicious possibilities.

    EASTER
     
  13. Tara_Turvi

    Tara_Turvi Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    4
    Thank you all for your replies, but I'm still in the dark I guess. :doubt: I asked only about the D+, TF and DS. :cool:

    I've been trialing D+ these days and I guess I'm starting to understand its certain functions. The thing is to switch to installation mode while installing the products from trusted vendors, right? Yet, in my case, this means coming down to only a couple of them. :cautious: I've got my common sense of course, but what happens when I decide to try some other products not built by world-known vendors? And let's face it, the independent guys are starting to become really great nowadays. :)

    So, should I have another layer of protection combined with the D+ while in installation mode, or should I just drop D+ completely and start using TF and/or DS? Are they compatible, all three of them?

    Have a great day!:)

    Tara
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hi Tara

    Take patience and continue to go over posts & topics content/results and pretty soon you should be able to arrive at just the right combo you desire. Mine was only the pair which worked best for me; yours could be substantially different but every bit as dependable for your own confidence.

    You're on the right track for certain. DW I might add is an incredible asset to any security setup and I have experienced its protection first hand myself, so it could be a vital, important and safe option for you without a doubt.

    As far as TF goes, no one, and I mean no one, has been more full of anticipation over it, going all the way back to CyberHawk from Novatix. Although since it changed ownership, the features most desired by many seem to have been put on the back burner for now, such as a DENY option. But they did a marvelous service when adding the ability for users to add rules to it in the way that's available now. And only time will testify if they decide to buckle down and really enhance it as the high quality Behavioral Blocker it can be or not. That project is still in active development, slow or not.

    D+ is a machine that's entering a noticeable upturn of reliability with plenty of safeguards built in, so I would be watching its development and subsequent releases with confidence too.

    All the best in whichever combination that you finally decide on and realize the RELIABLE PC security that you can believe in.

    EASTER
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'll try to keep this as simple as I can (I don't know a lot about all this HIPS stuff either, so that shouldn't be difficult). If you don't understand a little bit about Windows processes, you WILL run into issues with any HIPS or behavior blockers, not just the 3 you mentioned. There's a catch-22 with them:

    A: You can find one that automatically denies/allows an activity and doesn't give a cryptic popup for you to answer. However, if the HIPS/Behavior blocker denies something that turned out to not be malicious, you might have a program break and not have an earthly clue why.

    B: You can find a HIPS/Behavior blocker that asks YOU what to do, and you either get it right or wrong. If it's right, you're in the clear. If it's wrong, you just allowed a malicious activity and who knows what happens next, or, you run into the same problem in option A, and block a legit activity and something breaks. Though in that case you may have an idea why and go back and change the block to allow.

    Vendors can make the clearest, simplest help files for their products, and have the HIPS/Behavior blocker do as much as possible to avoid confusing you, but because of how these programs work, you will still run into the issues I explained above. You can avoid all this by just doing some simple things:

    1. Don't open attachments. Even if they are from friends, scan them with your antivirus and antispyware applications before you even fall asleep and dream of opening them.

    2. Scan everything you download before opening/executing them.

    3. Use a different browser. This is not because IE is some horrible monster that will eat you, it is because it is the most attacked browser on the planet. I'm not going to get into the ActiveX issue and all that. Either Opera, Firefox, or Chrome is ideal. My choice is Firefox because of NoScript and Adblock Plus. Adblock Plus, contrary to most beliefs, does more than just "not show the ugly ads". It also blocks ads that are scripted to execute malicious code in the browser and attack you (drive-by downloads). There are a LOT of these ads around these days.

    4. Use an antivirus with a web scanner. Some will tell you they aren't worth much, but when you start surfing websites and your AV starts screaming at you that it blocked a malicious script (websites can also cause drive-by downloads just by visiting them), you find out differently.

    5. Use some type of virtual system. Let's take for example Sandboxie. Sandboxie allows you to run your browser as is in a virtual environment. Whatever happens in the browser, only happens within that environment or "sandbox". Once the browser is closed, anything, good or bad, is wiped out, never touching your real system.

    This can cause issues with legit things you download or bookmarks, however, all this is solved with the function called "recover". This allows you to recover anything (good or bad) before the sandbox is wiped clean. This function can be done manually or set automatically (which should never be done for obvious reasons). There are also others such as Returnil, which sandboxes not just the browser, but the whole system. When done with your activity, you simply reboot, and Returnil wipes out anything and everything done in that session.

    6. Use an imaging application. Did all of those protections above fail you and you now have a virus/malware chewing away at your system? Well, not only are you extremely unlucky to have all those fail you (and that's a heck of a virus/malware too!), but you are also saved! Use your imaging application to bring you back in time (break out the DeLorean!) to an absolutely clean system with all your files and goodies left untouched.

    There, see? You didn't need HIPS/behavior blockers after all :) Happy surfing!
     
  16. Tara_Turvi

    Tara_Turvi Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    4
    EASTER and dw426,

    Those are actually the answers I needed! :thumb: Thank you both for your detailed explanations and advice! And above all, thank you for your time. :)
    I will definitely follow your suggestions. :)

    Tara
     