I need a good, free HIPS

hi, i am new to this forum. it's good to know that there are so many experienced people here that i can learn from. does anybody know of a good free hips that i can use? i am using windows xp on a system that is capable of running most things. the most important features to me are the blocking of rootkits and keyloggers. aside from that, all i ask is the ability to disable specific parts of the program to make it less noisy. for example, suppose i wanted to allow the execution of any program. if i uncheck a box somewhere then all programs will execute without asking. if i'm missing something important like access to physical memory or preventing the reading of other processes etc etc, i'm taking suggestions, but please know that i am still inexperienced and learning so excuse my ignorance because you may know a lot more than me . i've actually tried a few hips myself but my experiences are out of date and limited. here are some of the ones i've tried:

antihook 2.6: very noisy and caused lots of problems with windows.

processguard free: this free version did not protect from driver loading which i think is one way rootkits can get onto a system. besides i think diamondcs has ceased development of their products now?

SSM free (latest version): this one does not block driver installation. i tested this by installing hardware drivers and they were not blocked. besides the free version is always based on obsolete versions of the commercial product. this might prove to be its achilles's heel against some new attack.

prevx: i don't even think this is a behavioral blocking based hips. it just seems to detect what the community knows to be malware. true more settings are available in advanced modes but i'm not particularly fond of this one, at least as a primary HIPs.

eqsecure: it is very hard to get support with this one because the site is in chinese, though its features do seem promising. if only more english documentation was available.

winpooch: this one does not seem to stop drivers.

i may have tried more, but i can't seem to recall any at the moment. so there you have it..any completely free hips or even a commercial one that has a free version would work for me, as long as it's got the right features. any suggestions?

 

COMODO V3

 

ProSecurity

 

When testing, what method did you use to install these drivers?

Just remember that most of the time a rogue application will need to execute in order to install drivers.

Also, Winpooch can be configured to monitor almost anything, even driver installs. It may not protect itself very well, but it adds an excellent layer of security when configured correctly.

Did you take a look at: http://wiki.castlecops.com/Lists_of_freeware_behavior_blockers

 

Neoava Guard
a different HIPS with its own features

 

HI,

Give ThreatFire a try, combine this with returnil or safespace personal for dodgy browsing and you have adequate protecton.

Regards

 

Dynamic Security Agent. Free. easy to understand & use. Test info HERE and HERE.

 

Another recommendation of DSA here.
It's just as Bellgamin says it is.

 

If you want a quite HIPS you might consider a policy based HIPS.
GeSWall and DefenseWall are both excellent. IMO.
DefenceWall is paid only but GeSWall has a paid and a free version.

 

Welcome to Wilder's jetfighter

I think your views are pretty much on target. I recently migrated ALL of my systems to "free" EQSecure 3.41 for a single HIPS shield. It's full-featured, very light-weight and surprisingly strong w/ file protections/registry(drivers)/program. It's as tight a HIPS as i seen since SSM first came out IMO.

What surprises me most is that it doesn't hook 200+ entries in the SSDT table like SSM but protects very well in most respects & even better in my experience since changing over to it.

I agree it's lacking in ENGLISH support docs and would benefit users with a help file even if in brief, but with that limitation (temporarily?) it's one well worth accepting in exchange for EQS's protection as i see it.

Best of Luck in your Decision.

 

How about Online Armor Free!

dja2k

 

I'll tell you another preventitive feature that EQSecure offers that SSM always wasted keystrokes and effort for a user to correct.

I'm often multi-tasking like most of you, if you accidently click on a wrong program which you didn't intend to open and you selected NO in SSM, a lotta times you had to open up the program settings (application rules) and reset the rule for that program back to open or at the very least on the next program you always had to tick the radio button back.

In EQS, it's Very Forgiving and even helps a user in mistakes like that. When you click a program unintentionally you simply press "Block" on it's alert box and click OK to the ensuing Windows box, and go right on to what you wanted to do in the first place. The other program mistakingly open remains available without a user either having to reset it's permissions again or re-tick the radio button in the alert rule settings unlike SSM.

I can't count the times i done this before and still do but for EQS it's no problem at all.

 

Of that list, WinSonar is one I haven't heard of before. Seems like a small app. that would go good with TinyWatcher...

 

Pro Security, one of the best rounded HIPS.

 

Online armor all the way ^^

 

Couldn't put it better myself!

dja2k

 

Just curious if Online Armor Free has the same HIPS protection as the Full Version does? I thought I read that Mike Nash said it did.

 

Hi,

OA free as the same HIPS protection level as OA paid

MaB

 

Thanks.

 

I have been trialing the Webroot Firewall and it has the HIPS program Dynamic Security Agent in it, and I had previously been using Online Armor Free. I liked the simple and easy use of OA Free and although Webroot isn't that difficult to use, it does seem to be more advanced. Since I don't really need anything like that. I was thinking of going back to OA Free, and was wondering how good of a HIPS protection it provides.

 

Hey dja2k

I see although your an OnLine Armor team member you've listed ProSecurity alongside OLA AV+.

What benefit do you see in supplementing OLA with ProSec?

 

In my opinion from using both OA and WDF, they both let you use as advanced or as simply as you want. WDF's HIPS protection is off by default but it does have a learning-mode. OA's HIPS are on by default but may inquire as to the unknown apps. Both are very user-friendly. Both developers post here. Both would be rated as very secure. So really, it boils down to which works better on your pc, and which you feel more comfortable with. You can't fail with either one IMHO. I've tested both and it's a tough decision. They are both "tops" in the FW/HIPS market, free and pay. The difference may be what their "pay-versions" offer, if you're so inclined...

 

One of the best and completely free HIPS is using a limited user account

 

I wouldn't say it has the same protection, since according to their own comparison it doesn't support detection of certain keylogging mechanisms (kernel, other?), while the full version does.
http://tallemu.com/comparisons.html

 

EQSecurity 3.4 is tight a HIPS as you want. It covers file protections/registry associations/program rights etc. It's very light but M I G H T Y ! in it's capability to prevent intrusions of most any sort. A good, free HIPS and then some.