Modern HIPS; perspectives

I could have posted this in the anti-virus or firewall forum, but maybe this is a better place.

I'm getting the impression that you can't really rely on an AV for AV protection, and although my current anti-spyware software seems very effective ... it's going to be harder in the future. That's just the trend.

Many people use a HIPS. It's often touted as THE protection against malware. Recently someone on this forum stated that a HIPS would always intercept malware ! (Which doesn't seem realistic to me, but I know little about this category of software)

It's been quite some time since I tried two of them (I was less computer-literate then), one being the Kerio (now Sunbelt) firewall. Aside from the slowdowns in the Kerio case: I remember being confronted with questions like: do you want to allow <x> or not ?
I was often uncertain what to allow and what not. The correct response would usually have been to allow things.

But in a situation like that you don't get much extra security.
Are more modern HIPS much better ? I'm not a real expert, and in my past experience blocking things that shouldn't be blocked did sometimes cause problems.

And what about speed ? I remember the Kerio firewall slowing down my browsing more than I wanted to accept. My computer is a few years old, but it can still handle a lot.

I'm not for trying all kinds of software though ... installing and uninstalling security software doesn't help the stability of a Windows XP system.

 

HIPS can tell you of suspicious behavior but its up to you to stop it by clicking "block" and not "allow". You still need an av to get rid of the infection. I run Comodo and Avira on both my latop and desktop and get no slow downs what so ever. Even if you went with Online Armor and Avira or any other av you should be good. Think of it like this. A firewall with HIPS informs you of the attempt and you can stop it in its tracks by not allowing it to get out. Then by using your av you can delete the infection and be done with it. You have the best of both worlds by using an av and firewall with HIPS together.

 

i dont and have never felt the need for HIPS, its more like a preference for me (lately) as i do like some of the softwares that are available, so o0 why shouldnt i use it, if i like it?

having just switched to Defensewall, due to more guarentee of program updates and fixes, i can say its quite good.

i do still miss Prevx2, but i felt i didnt need the scanner and other such things that prevx has, i just needed a standard hips program.

people will tell you many things about HIPS, some will say you NEED it, some will say its preference and some will say dont bother, i will tell you.. that you dont need it, but if you like the software, why not use it?

you really wont know if its for you, unless you do start installing and trialling them for yourself.

 

I wouldnt be surprised if a good HIPS can catch aall malware, but that is because a HIPS catches about everything (security wise) that happens in a computer. Personally I have stopped using them because of allow/deny fatigue. It got tiresome to keep track on what could be good or bad, and since I never get any malware all I did was allowing benign processes.

 

The way things have shaped up in just the past year should inspire more users to turn to HIPS as either a suppliment to their choice AV, or if you have some experience enough to combat such aggressive potential risks with other means such as sandboxes/ISR's/Virtual Systems and Behavioral Blockers you can in reality relieve your system resources and potential conflicts by going the road without them, although i DO NOT make recommendations at all of NOT using an AV.

I install AV's for my most wisest clients irregardless of their experience because there is this undeniable safety factor which must be in place for them because everyone suffers a lapse at some point. A quality AV is a practical choice for the majority of computer users.

Now in some of our cases where some of us have delved deep enough into HIPS and realize their potential, we can of course side & trust more on alternative measures besides AV's, not in spite of them, and be more liberal with these alternatives and forgo them altogether. I know i do, but even so, since i regularly research malware and have seen AND experienced the potential disruptions that can lead to disabling systems myself, i still keep an on-demand AV at the ready.

HIPS are also very educational and can greatly enlighten any user should they set aside the time to study HIPS alerts, whereby AV's are meant to do all the work for us, which of course in reality they can unfortunately fall woefully short at some point, and therein lies a real and present danger.

Thats why i would add to the AV a HIPS/Behavioral Blocker etc. but never suggest to common users that HIPS is all they need, even if teamed up with Virtual Systems/Sandboxes/ISR's etc. The risk is much too great for them.

Once any informed and experienced user has finally reached that point of satisfaction and trust from transitioning over to a HIPS and away from an AV entirely, it opens up IMO the very best security in the world for these PC Users. Because HIPS are lite as a feather, jump up at the moment any file is signalled on, and immediately aborts any forward actions untill YOU the user has FIRST had the chance to review the findings and make your determination, which then can also be made a solid rule of enforcement either way.

Personally i am thrilled to peaches with HIPS because unlike AV's, they map the Windows internal code/file interaction points (many as they be) as well as take up residence in Tables that direct interactions between files and are more than capable to instantly stop suspicious activity BEFORE any actions can proceed at all, which in effect places the user in the drivers seat. AV's by contrast, dissect each file individually looking for packers and such as well as signature matches which is no easy task itself. Good as they are they have limitations which can prove disastrous should say a file infector slip thru. A HIPS will afford a user time to LOOK and conduct a SEARCH first by suspending such a potential danger.

I can go on and on but there are other members here who can really drive home the benefits of HIPS even better then myself and detail more precisely the perspective you're trying to arrive at about them.

EASTER

 

That's about the only benefit I've gotten out of a HIPS, albeit a fairly worthwhile one. They have never alerted me on anything dangerous, because nothing dangerous has infiltrated my pc's, except for the few times I've deliberately run one of those POC apps. Admittedly, I'm starting to grow a little weary of them. Yes they are powerful security apps in the right hands, but anyone using common sense, using fully patched, lua/limited accounts, tone down their browser's scripting, and use a good AV and decent firewall, as many in this forum do, probably will never need one. As one who's always been a huge advocate of HIPS, this is probably an admission that I'm starting to see the light.

>Comment removed. Keep the focus on software please. - Ron<

 

I have been trying out HIPS programs for the last little bit and I can see where they can come in handy. Some of them have a bit of a learning curve but like Easter says, you do get to know your system a lot better. One I truly like and don't think I can go without now is Defencewall. No major learning curve to it and I feel almost as safe using it as if I was using a LUA account or DMR. In my mind, with the way Malware is progressing, a HIPS is almost a must have.

 

Well Threedog, in all honesty, thats been my perspective all along ever since these HIPS entered into the security picture and right away proved out effectively capable enough to fill in many of those gaps where AV's long have been limited.

If any user spends much time on the internet at all, it definitely should be required learning.

I can't count all the times where like many, i relied soley on an AV to protect any forced entry of malicious files that might disrupt my internet/machine time and leave you sitting at a screen where the PC refused to boot or else dragged the system down to a slow crawl due to it's evading the AV's capture. Up untill HIPS came on the scene we were left to take our chances if something might slip thru or not undetected.

HIPS have dramatically eliminated such a risk & anxiety, not AV's. Not even AntiSpyware Apps either.

HIPS developers obviously seen this and then took creative innovative measures to fasten themselves well inside of the operating systems internal branches itself to set up camp if you will in the most critical areas where their programming could accurately & actively monitor against that behavior if an occupied area was approached or signalling a command to files.
HIPS enacted an even more clever method designed to immediately suspend those signals "BEFORE" they could attach to files or a systems directory and alert the user that an internal activity is been detected.

IMHO this technique is successfully enough squelched against sneak intrusions such as droppers/viruses etc.

Everyone knows by now my undivided confidence in the protection which HIPS can do to stop dead potential forced intrusions like that.

The learning curve indeed can be something of a task with a quality HIPS, but the benefits exceptionally far exceed the alternatives of what might happen should some malware gain entry undetected and unterminated.

 

No it shouldn't. HIPS are nice for those want to use them. They are definitely not must have apps, and most certainly not required learning.

What are you doing that causes you to encounter all these malicious files attempting to "force" their way onto your machine? Sorry, I'm just curious.

Oh, we most certainly do, Easter, we most certainly do

 

They are definitely must have apps. The reason is simple- according KL year report, the have caught two times more malware that the year before. This year, I assume, will prove this "malware doubling" trend. Maybe, it will be ever worse. Anti-virus labs are already under the DDoS attack. And there is no other way out- behavoiral protection is the future.

 

Which KL-year report? Please provide a link.

Since I haven´t read this report yet, I can only pre-define that there could be a number of reasons behind the statistical conclusion of "...have caught two times more malware that the year before...", and I´m curious regarding the variables that been used.

I´m looking forward reading the report Ilya.

/C.

 

I respectfully beg to differ with that single opinion and i further suppose to not be in minority to such a suggestion.

I actively research malware routinely but is NOT from my experiences alone, the forums are full of exploit/malware discussions which include forceful intrusions members have had to deal with at some point or another.

Then also consider this. I take a vested deep interest right now in EQS because it's a HIPS which is highly configurable, and some prefer THAT type of control and awareness of where key points are likely to be vulnerable IF NOT protected by monitoring.

Also consider DefenseWall, another but unique Brilliant HIPS that for all purposes requires no learning curve at all in comparison, but AUTOMATICALLY with very little to no intervention required to deal with potential risks since files rights can run as UnTrusted and newly added entries can be excused by a simple press of a button!!

 

Hi Ilya,

respectfully, I just have not yet seen evidence in my household they are must have apps. My wife and kids use their pc's for years with only software firewall and antivirus, all of our pc's sit behind a rouiter. They have never incurred malware. I run a bit heavier using HIPS (SSM) and have tried Sandboxie and currently use Jetico 2 and also Outpost at times (my other drive) which has "HIPS-like" functionality. Both SSM and J2 and, when I use it, Outpost firewewall with its built-in HIPS-like features has never encountered anything malicious. Once there was something suspicious but it turned out to be only a harmless Flash game requirement.

@Easter,

you make valid points but there still has to be some underlying reason why these people are encountering malware, something they might be doing wrong, perhaps? Why do my 9 & 6 year old kids and my wife who knows next to nothing about computers or computer security not incur malware? I do maintain all three machines with above-said apps and fully patched O/S, all of us use limited accounts (my own modified limitations) I check logs of the fw and av and never see anything untoward. The machines are all running terrific, no malware-induced issues. We are running off high speed cable.

 

I second that whole heartedly! I cant think of any technology that offers both Per process control and increased security so effectively!

Rootkits, or any malware in its Pre infection or pre active form if u wish is only an executable of one type or another and HIPS threat these effectively...

 

I don't dispute at all that your family's surfing habits are safe. I have clients who also practice safe surfing and have for the longest time never found a problem untill just RECENTLY.

And i think that's at the core of this finding...

What if any In-Depth utilities or tools have you used to completely affirm that confidence?

I'll add that i routinely also run SAS, and since i Google Search for many of my reading resources, SuperAntiSpyware always detects at least "tracking cookies", and IMO it only takes one landing from a google search page to a bugged page to open a stealthed pipeline onto a PC and completely unopposed by the latest AV.

A recent client of mine regularly kept his AV dues up-to-date as well as updates, and brought me a machine that was nearly crippled beyond remedy, even safe mode was affected. I had to go the external route to identify then pull the teeth of the offending files since once dropped & attached they easily evaded both firewall & AV and let in supporting files of the same nature.

Your LUA no doubt accounts for added protections, but then consider yourself in the minority of users who are relatively safe, the contrast and reality is that the majority of internet users take AV's & Window's Firewall alone on face value as being enough, and obviously nothing could be farther from the truth.

Regards EASTER

 

I thought it was common knowledge that the growth of malware was at an accelerating pace? Unless the AV vendors can develop faster and faster methods to add signatures to their databases, or improve their heuristics further, I don't see how they are going to be able to keep up. Hence some of them going down the 'behavioural' route, and if I read it correctly, KAV adding HIPS functionality into their next version (though I'm not sure if this is just their PDM renamed).

Whilst the vast majority of users probably never encounter malware, the social engineering mechanisms used to get users to install malware are getting ever more sophisticated. Combined with the growth in malware, I just don't see how, in the long run, an AV will be able to be used as the only solution for protecting a PC. It will become less and less effective.

The challenger with HIPS is how you deliver a solution to the masses - i.e. one that they can understand and operate as easily as they can their AV.

 

http://www.viruslist.com/en/analysis?pubid=204791987

 

I am far from a computer guru, hence the simple HIPS use like Defencewall or Prevx, but I think HIPS + Virtualization is the wave of the future. If you run into a nasty or an unknown you can stop it from running and then empty your sandbox or reboot depending on what virtualization software you are running and be rid of it. No dependance on signatures, no hours of cleaning up a hosed system. Computing life can almost be simple again.

 

I have a friend of mine- she constantly got malware I cleaned up twice. Right now I installed DW at here computer- will see on results. You see, not all the people in the world are the same- they are different. And for those of them who always got infected (like my friend)- HIPS are must-have apps.

 

But that assumes the user is aware that they've run into a nasty. I've only had to 'clean' a few PCs in my time but on each occasion the user wasn't aware they had malware/spyware/adware installed. It's a combination of having insecure apps on their PC (e.g. old Java) resulting in malware installing automatically and social engineering where the user installs the software themselves without realising. In fact, from what I've seen it's more the latter.

 

Well, you know, there is one more aspect here you forgot about- HIPS for the corporate environment. And, if HIPS for the masses are sandboxes and blacklisters, in corporate environment only sandboxes will lead the way.

 

So the question that immediately comes to mind is: "how and why?" What is she doing or not doing? She runs as admin? using outdated av? no firewall? surfs warez sites? opens any and all attachments? installs bogus security apps (eg: Winantivirus pro)? her Windows patches are behind on updates? or a combination of the above?

 

She's probably just a normal user. Unless you are 'security minded' you will probably:
- be behind on windows patches and other vulnerabilities
- install applications that look 'good'
- believe the popup that says "your computer is at risk from viruses, install xxxxxxxx now to protect your computer"

etc etc...and a lot of this is probably because of the blind faith most people have in their AVs.

 

The tracking cookie comment is interesting. I've never really taken them seriously. Can you elaborate some more or give me a link that explains it?

 

Mostly, visiting sites.

Yes, she does.

SAV with up-to-date databases.

WinXP built-in.

No.

Don't know. I suppose- yes.

No.

No.