HIPS or AV

Discussion in 'other anti-malware software' started by trjam, Jan 7, 2008.

Thread Status:
Not open for further replies.
  1. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    AVs are much longer and wider in use and HIPS aren't. AVs have gone through serious testing against many millions of malware and done pretty well for the majority. I still haven't seen one serious test where a high number of malware is tested against HIPS, and the ones (AVC, NICM) that I know of didn't come out flawless. I need to see more facts before I can believe HIPS stops 99% of malware. For me a combo of AV and the likes of ThreatFire, Prevx, Antibot would be best. Firewall with outbound protection included, so 3 security tools would be about it. Oh yeah, AVs and HIPS are getting better every day, especially the heuristics. If you're a safe, low-risk surfer, one anti-malware tool plus firewall would be good enough. You can always add other stuff such as a sandbox, etc.

    To answer your question instead of rambling my simple Joe's thoughts: if I had to pick only 1 out of those 2 it would be a hella strong AV.
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    A strong AV and something as simple but effective as Sandboxie would suffice for about 95 percent of PC users. The reality is, Chris is right about our fear of infection. We lock up protection for our computers better than we do for our families.

    I agree with Long View that it would be nice to see some type of criteria based on user/habits/protection=results.

    Matching the product to the individual's needs is the key.
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I use my own HIPS only.
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    All I can say is: dear lord.

    Blacklist scanners miss at least 60% of zero-day malware, and I already think that's a very conservative estimate. AV-C's retrospective tests stopped reflecting reality a very long time ago.

    As for asking to see proof of HIPS stopping 99% of malware, that's like asking to see proof that the air you breathe really contains oxygen.
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi trjam:

    Good question, should make members think.:thumb:

    Your question is like this one, "which would you choose breathing or water?" Either way you are dead, one in 70 days, the other in 70 seconds.

    So, clearly we need both and the same is true of HIPS and AV's.

    Another thought is it depends on the user's risk profile and definition of "solid" for HIPS and for AVs. I doubt there is a 100% HIPS or AV out there, so again both are best. This is from a believer in the layered defense of course.

    For me I want/need? a solid AV that does defense work heuristically as well as scanning against a current signature database. I want it to scan I/O, email, attachments and memory, and files as they are opened.

    If a parasite exe slips through, my HIPS should catch it and prevent it from running.

    Of course the main tool is missing from your question, a "solid" FW.:cool:

    That's it:D
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    some offer both.;)
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    LOL - "clearly we need both" - ok "and the same is true of HIPS and AV's"

    You may or may not be correct, but could you please explain the logical link between the first part and the second? Otherwise you might just as well have written "as far as I'm concerned we need both".

    (Which would you choose - being burned at the stake or hanged, drawn and quartered? Clearly you would prefer neither, and the same is true for HIPS and AVs.)
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Long View:

    I was replying with my opinion for the OP and will continue to phrase things my own way:D

    I would prefer hanging over the fire method as it is faster! You may want to do me in some other way!

    Happy 2008!
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have a look at the process list below. What do you see?

    That I have surfed the intranet for nearly three hours and that took (OPERA) 1 minute and 29 seconds to process.

    DefenseWall
    That the core service of DefenseWall (HIPS core = defensewall_serv.exe) actually used the lowest amount of CPU time. On the other hand the user interface of DefenseWall (where you arrange the settings, and the program that displays "DefenseWall Status: Untrusted" in the windows of Opera) used the highest amount of CPU cycles = 16 seconds CPU for only reminding you DefenseWall is running (mind you, the core is so efficient it uses very little CPU cycles). (HIPS)

    Comodo
    Comodo V3 with D+ enabled but cut down (less file protection, more registry protection; D+ does not look at memory violations, setting hooks, process terminations, Windows messages, direct screen and keyboard read). All existing applications are set to be trusted (clean PC = D+ looks only at new arrivals) with Image Execution Control off. In this way DW and D+ overlap on low-level disk access, driver installation, registry items, and file system protection on admin level also overlaps. But what the heck, it only cost 6 seconds on 2.51 hours of surfing, downloading, reading mail etc. (FW + IDS)

    Avast
    I have enabled all relevant instream data. Avast now checks instream data of web pages before they are executed (WebShield), Network Shield (known worms), Internet Post Shield (mail attachments when they are downloaded with POP3) and P2P Shield (checks the LimeWire instream data). All Avast services together use 2 seconds of CPU time.
    Next, all Avast modules only take about 2 seconds. WebServ can spike up to a little more than DefenseWall (so it would have been a maximum of 18 seconds altogether, worst scenario opening a lot of web pages with active content). Avast is my AV with trimmed-back checking.

    Conclusion
    My security cost me about 30 seconds CPU time on nearly three hours surfing, downloading files and checking mail. That is 0.3 percent of my working time. It is an Athlon64 3900+. So who cares?
     

    Last edited: Jan 9, 2008
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    If I had to choose, I'd go for HIPS. I really don't know why the AV section is one of the most popular sections, I mean don't we all know that there are perhaps about 5 scanners with the best detection rate/heuristics, and that they probably still miss quite a lot? What's so exciting about that? :rolleyes:

    Call me crazy, but I believe I have a better chance to identify malware based on their behavior than to trust blindly in some scanner that can't spot all malware. For example, let's say I download some Notepad replacement called Notepad2000.exe; my scanner tells me it's clean, but my HIPS tells me it wants to inject code and terminate my firewall. Who do you trust? :)
     
  11. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Good point. You know what to look for in these situations. But what about everyone else who is not cautious/aware?

    My vote would be, HIPS for an educated user, AV for a less educated user.
     
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    This is why I am so enamored with PREVX since it is the embodiment of the best features of most great ideas in security. Signature based scanning but with a dynamic live online database coupled with powerful client side reporting and a full blown H.I.P.S. driven half by AI and half by user intelligence.

    What could be better than improving on this concept? I can't think of anything besides what Comodo is doing with its firewall and the new Defense+ integration. In fact we need more intelligence built into these products, but always with the users in full control to bolster understanding and confidence in the technology...

    What fascinates me is how well Comodo Firewall 3.0 and Prevx complete each other... It's beautiful to watch in action.
    I think it will be exciting to see where these products will be 5 years from now. I think I should count threatfire in this as well as they are all very similar conceptually...
     
    Last edited: Jan 13, 2008
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    As a well-seasoned veteran of sorts in this, I have to agree with Rasheed187: what is all the crowing about in the AV forums? At least I guess it does very well in the post numbers count, and there have been some really challenging engagements plus statistics between competing products, but really, what's so terribly exciting about them IMO compared to HIPS? For pity's sake, since I turned to HIPS I don't even use them anymore except for research purposes, and then only on-demand or online.

    My theory and results have proven that it's safer for the end users when groups that develop HIPS make better use of time & resources studying Windows code and then implementing methods to intercept signals/code that translate into identifiable paths/files, which show up on the screen as prompts while at the same time ABORTING commands, until YOU the user have had a chance to make your determination. Some HIPS are even better equipped at running automatically than some AVs I've used in the past, where I would have been hammered if not for my firewall alerting to an "outgoing connection attempt".

    My choice obviously, for these few reasons and many more, is HIPS, and I wouldn't hesitate to recommend the same for anyone else unless of course they are totally new to using the internet, which IMO is what drives these AVs to be as popular as they are.
     
  14. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    Given my current skill level and work habits, I would feel safer with HIPS if forced to choose only one.
    AVs are just dumb database clients.
     
  15. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Am just using ThreatFire on one computer - no AV, nothing except the Windows wall - goes much faster than a speeding bullet, no problems!
     
  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I wonder how Comodo Antivirus will be. It also has HIPS. Still in beta 2.
     
  17. richo

    richo Registered Member

    Joined:
    Jul 15, 2005
    Posts:
    76
    Recently, there have been a number of viruses sent to me by people on MSN Messenger... I was disappointed at how long it took many of the good AV programs to detect these. It highlights how an AV may struggle to keep up with malware, & that having an AV does not substitute for common sense & safe computing. Of interest, my HIPS did pick these up (although I readily recognised them as malware). I'm beginning to think that if a HIPS is good for zero-day malware... why not for all malware... & keeping an on-demand AV like Avira Free to check occasional files, & to run a hard disk scan from time to time.
     
  18. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    I would vote for using HIPS. Only drawback for me atm is that I can't find a free HIPS that provides full functionality - both SSM and ProSecurity have disabled features in the free version, which is off-putting. Are there any very good HIPS apart from Comodo Defense+ and Online Armor that are completely free?
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    OK Easter, this one's for you. On my laptop it "had" ThreatFire and Sandboxie. My 16-year-old son was on it last night and I see where twice TF alerted to something and of course he just clicked allow and kept right on rolling. That is my issue with TF. I love it, but it is the "other user" factor. That is why I also like Antibot, because it allows you to set it to react instead of hesitate for action. My issue with it though is that I don't feel it is up to the level of other HIPS. Suggestions?
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    SSM free works fine for me. You can control what executes, and who can (disconnect UI).
    For full-featured free, other than CFP, I think there's only EQSecure (never tried it).

    Then there are sandboxes, limited but as safe as the paid versions (GeSWall and SandboxIE).
     