HIPS programs: Who DOES NOT use them?

Discussion in 'other anti-malware software' started by CJsDad, Jun 24, 2006.

Thread Status:
Not open for further replies.
  1. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Sure, if they're different groups of people.

    The two groups likely have different goals, philosophies, and they may treat their customers differently.
     
    Last edited: Jun 27, 2006
  2. herbalist

    herbalist Guest

    I've been a beta tester and user of System Safety Monitor since Max was developing it and have thoroughly enjoyed working with it. This is an interesting thread. I'm interested to see why people do and don't use HIPS. It does seem that the amount of user interaction they require is the biggest issue. Unfortunately, at their present stage of development, this is hard to avoid. SSM has added a learning mode, but it should only be used on a completely clean system as it makes allow rules for everything that runs at the time. In their present form, they do require that the user knows their system in depth, and many people don't want to go that deep into their operating system. In automotive terms, it's the equivalent of requiring drivers to become mechanics.
    This does come back to the Trust factor. For the typical user, the conventional approach to PC security is to trust the security apps or suite you purchased to protect you. You basically trust that your AV will recognize the next virus you come in contact with. The average user will trust the anti-spyware to keep them protected, though most users who frequent these forums know just how much anti-spyware apps don't catch or can't remove. Given the amount they miss, either from not being updated fast enough, an app not meeting their definition of spyware, or as has happened, being threatened with legal action into dropping detections, even with the best intentioned vendors, it's almost misplaced trust to rely on them. Then there are the rogue apps, spyware removers that are more spyware than remover. The average user doesn't know about the rogue anti-spyware program list.
    That's the primary difference between the conventional approach and HIPS. HIPS programs trust nothing. An adware program and a critical system component get treated the same. The user decides. The user has to decide about every executable file, every system hook, and when configured to the extreme, what can be started or stopped by every application. They basically put the trust issue back on the user entirely.
    It's been suggested that whitelists or blacklists be added to HIPS software. Unfortunately, that brings us back to where we started. Who decides what will be on the list? Is it up to date? Do you trust the vendor? How do you keep the lists updated? Is the update process or the server it's kept on exploitable? No easy answers here, especially when you also consider just how nasty and nearly unremovable malware is getting to be, not to mention how intrusive some operating system software can get. Windows Genuine Advantage checking your system's legality comes to mind.
    Until the vendors of HIPS software come up with secure solutions to these problems that are feasible for the average user, HIPS software is mainly for those who like to really dig into their systems. It will likely be intrusive and inconvenient for the average user for some time yet, especially those that install new software on a regular basis. I'm not sure a complete solution is even possible, but if someone does find one, Microsoft will release another operating system and it will all be obsolete anyway and we'll start all over again.
    Rick
     
  3. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Also, it depends on people's approach to actually putting software on the machines.

    I don't install much, what I do install I run on a spare - non critical machine (usually a spare server) and test it for a week or as long as needed, knowing I can quickly reimage the machine if things go wrong - I also know there is not a single thing on that machine that is critical (or private).

    I've seen a lot of people who like to download software on their main/only machine - in fact I would put money on it being the norm - a machine which has ALL their documents/files etc on, probably not even backed up (regularly), without a thought as to the consequences as to what will happen to the machine (the OS/files on it) if things go pear shaped - these are the people who are going to benefit from HIPS.

    As mentioned above, the problem is the average user doesn't have the smarts to correctly evaluate and decide whether to trust a program.

    One thing I really think would help with a HIPS - is the ability to have a state of not fully trusted - and the HIPS logs/monitors activity (registry and file writes/reads) so that if there is a problem, at least that log can be sent off to a forum or the HIPS authors and actually use the info to help remove the damage.
    Then after 2 weeks or whatever of being run in a part trusted mode, the software can be run in fully trusted mode.

    This could really help with people who really like to evaluate a lot of software.
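The "not fully trusted" state NGRhodes describes (allow the program, but log its registry and file activity so the log can be reviewed or used for cleanup, then promote it after a trial period), together with the learning mode herbalist mentions earlier in the thread (every observed action becomes an allow rule, which is only safe on a clean system), can be sketched as a small policy engine. The following is an added Python example written for this page; it is not code from any poster or from System Safety Monitor. The names TrustLevel, Event, Hips, handle, record_run and writes_by, the promotion window, and every file path and registry key are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class TrustLevel(Enum):
    """Per-program trust state (hypothetical names, constructed for this example)."""
    UNTRUSTED = "untrusted"        # classic HIPS: every unknown action prompts the user
    PART_TRUSTED = "part-trusted"  # allowed, but every file/registry access is logged
    TRUSTED = "trusted"            # allowed silently


@dataclass(frozen=True)
class Event:
    program: str   # path of the process performing the action
    kind: str      # "file" or "registry"
    op: str        # "read" or "write"
    target: str    # file path or registry key


@dataclass
class Hips:
    learning: bool = False   # SSM-style learning mode: record everything as allowed
    promote_after: int = 14  # observed runs before part-trusted becomes trusted
    trust: Dict[str, TrustLevel] = field(default_factory=dict)
    allow_rules: Set[Tuple[str, str, str, str]] = field(default_factory=set)
    activity_log: Dict[str, List[Event]] = field(default_factory=lambda: defaultdict(list))
    observed_runs: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def set_trust(self, program: str, level: TrustLevel) -> None:
        self.trust[program] = level

    def handle(self, ev: Event, user_answer: Optional[str] = None) -> str:
        """Return "allow", "block" or "prompt". user_answer stands in for the dialog reply."""
        key = (ev.program, ev.kind, ev.op, ev.target)
        if self.learning:
            # Everything observed becomes an allow rule, which is exactly why learning
            # mode is only safe on a system already known to be clean.
            self.allow_rules.add(key)
            return "allow"
        if key in self.allow_rules:
            return "allow"
        level = self.trust.get(ev.program, TrustLevel.UNTRUSTED)
        if level is TrustLevel.TRUSTED:
            return "allow"
        if level is TrustLevel.PART_TRUSTED:
            self.activity_log[ev.program].append(ev)  # allowed, but kept for later review
            return "allow"
        # Untrusted and no rule: the user decides, and an "allow" is saved as a rule.
        if user_answer == "allow":
            self.allow_rules.add(key)
            return "allow"
        return "block" if user_answer == "block" else "prompt"

    def record_run(self, program: str) -> TrustLevel:
        """Count one run; promote a part-trusted program once the window has passed."""
        self.observed_runs[program] += 1
        if (self.trust.get(program) is TrustLevel.PART_TRUSTED
                and self.observed_runs[program] >= self.promote_after):
            self.trust[program] = TrustLevel.TRUSTED
        return self.trust.get(program, TrustLevel.UNTRUSTED)

    def writes_by(self, program: str) -> List[str]:
        """The part of the log that matters for cleanup: what the program changed."""
        return [f"{e.kind}:{e.target}" for e in self.activity_log.get(program, []) if e.op == "write"]


def demo() -> dict:
    """Walk the three modes with constructed sample events (paths are made up)."""
    setup = r"C:\Downloads\trial_setup.exe"
    hips = Hips(promote_after=2)
    results = {}
    # Untrusted: the first driver write prompts, and the user's block is honoured.
    ev_write = Event(setup, "file", "write", r"C:\Windows\System32\drivers\demo.sys")
    results["untrusted_prompt"] = hips.handle(ev_write)
    results["untrusted_block"] = hips.handle(ev_write, user_answer="block")
    # Part-trusted: the same write is allowed but logged, alongside a Run-key write.
    hips.set_trust(setup, TrustLevel.PART_TRUSTED)
    results["part_allow"] = hips.handle(ev_write)
    hips.handle(Event(setup, "registry", "write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Demo"))
    hips.handle(Event(setup, "registry", "read", r"HKLM\Software\Demo"))
    results["writes"] = hips.writes_by(setup)   # reads are logged but are not cleanup items
    # After the observation window the program is promoted to fully trusted.
    hips.record_run(setup)
    results["level_after_window"] = hips.record_run(setup).value
    # Learning mode on a separate clean instance: the observed action becomes a rule.
    clean = Hips(learning=True)
    ev_sys = Event(r"C:\Windows\System32\svchost.exe", "registry", "read", r"HKLM\System\CurrentControlSet\Services")
    clean.handle(ev_sys)
    clean.learning = False
    results["learned_rule_allows"] = clean.handle(ev_sys)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the part-trusted state is visible in `writes_by`: reads are recorded so the full activity can be posted for review, but only the writes (the driver dropped into System32 and the Run key) are what someone cleaning up would need to undo. Promotion in `record_run` is a deliberate policy step that a real product would tie to time or sessions rather than a bare counter.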
     
  4. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Too late. LOL.

    True, though I think some of it is purely in their mind. Now imagine these people being further restricted ......


    I doubt they would ever be perfected. Someone in this thread wrote

    Exactly, the very thing you guys love about this (trust no one), is the very thing that makes it impossible to use for others*.

    White lists and blacklists are nice, but they will never solve the problem 100%. White lists reduce intrusiveness. Blacklists turn it into a kind of AV. But the rest?

    I don't see how there is any way around that.

    *Sometimes I wonder if the criteria for using such tools hinge not on computer knowledge, but rather paranoia! The more paranoid you are, the better!
     
  5. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Wanna buy a tin hat?
     
  6. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    Paranoia does have its limits as IMHO this author illustrates in Security for the Paranoid :D
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Am I paranoid about security? Yes. However, the real question is this: Am I paranoid enough?

    /s/.... bellgamin
    ~~~~~~~~~~~
    Last night someone broke into my computer & replaced all my files with exact duplicates. When I pointed it out to my IT, he said, "Do I know you?":blink: o_O :gack: :blink: :gack:
     
  8. herbalist

    herbalist Guest

    That's perfect.

    So the question to be asked is:
    How much is too paranoid?
    So where should someone draw the line? Take the Sony CD rootkit for example. Just how many people would have expected a purchased music CD to infect their system? If someone had mentioned this concept a couple years ago, paranoid would have been one of the milder labels they would've received. Now it's a reality. How many more are in the games?
    A few years ago, if someone would have said that your PC was going to check all your music and video files to see if they're legally obtained, that would have been called paranoid or worse. Did anyone really think they'd see their operating system doing this very thing a few years back? When anti-spyware apps first became popular, did you think you'd ever see spyware disguised as anti-spyware? Just how many of them do we have now? Did anyone really think a spammer would be able to take out a security company a year or 2 ago?
    When was the last time M$ released an operating system that had fewer holes and vulnerabilities than the one it replaced? If I've read correctly, the beta versions of Vista are 3.5 and 4.1 GB in size? Just how many vulnerabilities do you think can be in nearly 4GB of code? Anyone looking forward to removing the next generation of rootkits from the DRM components of Vista?
    What some call paranoid, I call facing the reality of what the internet has become. It was intended to be the "information superhighway". In reality, it's more like the demolition derby. The vast majority of PCs are compromised or otherwise infected with something. Those with clean operating systems are a small minority. I don't call it paranoid anymore. I call it necessary.
    Rick
    What was unheard of just a few years ago is commonplace now.
     
  9. betauser2

    betauser2 Guest

    I don't use any HIPS as well, simply because I don't recognise the majority of alerts I get, whence the dilemma of whether to block something or not.

    Having said that, I've never been infected with a virus or anything, and this comes from someone who has used PC-cillin Internet Security 2002 for a year before I trialled other AVs.

    When I started to visit Wilders forums I got extremely paranoid and have trialled all the leading security software (inc. H.I.P.S) but now I'm sane again. All I test now is alternative software (i.e. freeware and open source), not the security stuff.

    My advice: listen to Mrkvonic; his opinion on HIPS makes absolute sense.
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yes indeed betauser2 .. if I would make Wilders my homepage .. I would probably not get infected either lol ... that is not the point at all .. people who do visit risky sites/warez/... do want to be protected cause not every member is as safe as you .. lol .. .. .. signature scanners aren't always up to the job and if my HIPS programs weren't active (and indeed I am a risky user) I would have to format my C-drive every week with an attitude like this ... with all the respect though!
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    sometimes listening to my boss makes sense too .. but what does he mean and why o_O
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    Infinity, boss here! Now back to work! :)
    Mrk
     
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    damn, I knew they were watching me ... :) Hi boss :)
     