Personal HIPS Tests

Discussion in 'other anti-malware software' started by kareldjag, Jul 26, 2005.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: How to test HIPS

    LOL....Yes, I love to hear from those that believe they are experts. Both their accuracies as well as their snafus educate me.


     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I think it's been in the public domain since Win9x days. In a group of computer users I meet with regularly, this topic came up recently.

    Prior to the advent of the many security programs we have today, security-conscious people had to learn the ins and outs of Windows, and how to configure various tweaks to the system to protect ourselves from its many vulnerabilities. Our primary sources were the various newsgroups, and books such as Windows Secrets by Brian Livingston et al.

    One of the tweaks was controlling script behavior, and the tweak was to change the default action of various script types (.vbs for example) to "Edit" instead of "Open" (run). This was especially necessary for .reg files to prevent inadvertent d-clicking from running the file, or preventing its execution from a command line. So, you changed the default action from "Merge" to "Edit" and the resulting action would be to open the file in Notepad. To actually run any script, you just r-click on the file and select "Merge" or "Open."

    As the security business evolved, more and more products did away with the need for lots of these tweaks, but I and others agree that many we speak with install products without really understanding how they work. Take script prevention, for example. Two recent products - Script Sentry and Script Defender. Both work on the principle described above, except that instead of changing the default action to "Edit" the HKCR/Shell/Open/Command for each script type points to the script program which then brings up an alert box, and it's several clicks/prompts/more clicks before you can permit the file to run. If for some reason you want to reset the default action of a particular file type, it's a real pain to do so. In the manual tweak described above, you

    1) export the HKCR/Shell/Open/Command key for each type to a folder and name the key "Run"

    2) change the default action to "Edit" and export that key to the folder and name it "Edit"

    Then, just merging the particular .reg file changes the action.

    (One of those script block programs cautions (and it applies to both) that you have to follow carefully the instructions when uninstalling the program. If not, you have a real mess in the registry on your hands. Some type of roll-back or registry backup is a necessity.)

    You can argue that it's simpler to have a script program that automates everything. Agreed, but I would argue that manual tweaking when possible forces the user to understand the problem and create a solution.

    Having said that, when we (in our group) work with a user, and come to this topic, we explain what a script file is and how it's often used in worms. Lately, we've mentioned Worm Guard, which is a more elegant solution than the above script block program, in our opinion. In WG, you have to create a list of the filetypes you want to block from running, but the program does everything else. So, depending on the user, we'll do it manually or use WG.

    Whichever solution to this "first line of defense" intrusion one chooses, starting with an understanding of the problem and what the solution is, makes for a more knowledgeable user.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Jul 29, 2005
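The two-step manual tweak Rmus describes above, as an added PowerShell example (not code from the thread or from any product it names): for each script ProgID it exports the current Shell key as "Run", switches the default verb to Edit so a double-click opens the file in Notepad, and exports that state as "Edit". It assumes an elevated PowerShell session and the standard Windows class names listed; each ProgID is checked for an Edit verb before anything is changed.

```powershell
# Added example: back up and flip the default shell verb for script file types.
# Assumes an elevated session; ProgIDs are the standard Windows class names.
$BackupDir = Join-Path $env:USERPROFILE 'ScriptActionRegs'
$ProgIds   = 'regfile', 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($id in $ProgIds) {
    $shellKey = "Registry::HKEY_CLASSES_ROOT\$id\Shell"
    if (-not (Test-Path $shellKey)) {
        Write-Warning "$id has no Shell key; skipping"
        continue
    }

    # The default value must name an existing verb subkey, so look the verbs up
    # rather than assuming their exact spelling ("open" vs "Open").
    $verbs    = Get-ChildItem $shellKey
    $editVerb = $verbs | Where-Object { $_.PSChildName -ieq 'edit' } | Select-Object -First 1
    $openVerb = $verbs | Where-Object { $_.PSChildName -ieq 'open' } | Select-Object -First 1
    if (-not $editVerb -or -not $openVerb) {
        Write-Warning "$id lacks an Edit or Open verb; skipping"
        continue
    }

    # Caveat: if (default) is unset, the shell silently uses Open. Merging a .reg
    # file never deletes values, so an export of an unset default could not undo
    # a later Edit setting. Make the run state explicit before exporting it.
    $current = (Get-ItemProperty -Path $shellKey).'(default)'
    if ([string]::IsNullOrEmpty($current)) {
        Set-ItemProperty -Path $shellKey -Name '(default)' -Value $openVerb.PSChildName
    }

    # Step 1: export the run state and name it "Run".
    & reg.exe export "HKCR\$id\Shell" (Join-Path $BackupDir "$id-Run.reg") /y | Out-Null

    # Step 2: point the default action at Edit and export that state as "Edit".
    Set-ItemProperty -Path $shellKey -Name '(default)' -Value $editVerb.PSChildName
    & reg.exe export "HKCR\$id\Shell" (Join-Path $BackupDir "$id-Edit.reg") /y | Out-Null

    Write-Host "$id default action is now '$($editVerb.PSChildName)'; backups in $BackupDir"
}
```

Once applied, double-clicking any of the exported .reg files also opens Notepad, so switching a type back means right-clicking its "-Run.reg" file and choosing Merge, exactly as the post describes.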
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    With the way you can configure browsers today, and if you are knowledgeable about how to handle emails, there is really no reason for this to happen.

    You have to make a decision.

    First one has to get back to the basic question, what is the probability of this happening? In security parlance, what is the risk assessment?

    If the decision to add another security product is arrived at after careful thinking-out of the problem, and seeing how it will fit in with your current security setup - that's one thing. If to just jump on the bandwagon of the marketing ploys of the companies-- "You need this to prevent this threat" -- then that is quite something else, and you often end up with what you and others have referred to as a hierarchy of products that overlap and sometimes interfere with each other.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  4. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    This is the conclusion that I have come to. I have started to really assess whether I actually need a lot of security software or not.

    I have been recently in the mode of wanting my computer to run faster, so I am not big on adding lots of applications that slow my computer down just to add something that protects against something that has a remote possibility of happening.....but really it is to each his own.
     
  5. ---

    --- Guest

    Re: How to test HIPS

    Hey, People who believe they are experts raise their hands!

    *Looks about for raised hands*

    No one? Better luck next time Starrob.
     
  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: How to test HIPS

    I don't believe in luck....but in education and this has been an interesting thread....especially for ones that don't take themselves too seriously....LOL
     
    Last edited: Jul 29, 2005
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I would change "may not be" to "is not" in your statement.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Jul 29, 2005
  8. ---

    --- Guest

    Well let's say very little reason. And it's not just emails. Browsers too. Media players etc.

    Some exploits will work even in all but the most restricted settings.

    But I agree with you 100% really. Richrf's first line of defense is not that important.

    The problem lies with deciding to run the wrong program. And even that can be countered by being very very careful.

    The point I think is if you are very careful, and have excellent judgement, you can probably do without many tools. I'm not disputing that.


    Exactly!!! You are my hero!
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Totally terrific stuff. This thread so far has given me lots more insights into current issues and how security protection may evolve.

    One thing for sure, ZoneAlarm has tremendous market penetration, and the fact that they will be introducing various new HIPS technology, with ZA 6, into their user base will be very revealing and informative. While the "average ZoneAlarm user", may not reflect the "average user" (my guess is that the average user is using Windows firewall by default), its user base is very large and more diverse than the current crop of HIPS users. I am trying to monitor discussions that may be occurring on other forums regarding OSFirewall/SmartDefense. If anyone comes across any discussions, I would be most interested in a link.

    Thanks all,
    Rich
     
  10. ---

    --- Guest

    Re: How to test HIPS

    Since I don't know what to say, let me give you a quote.

    Education is wasted on the educated -Some famous dead guy


    Trolls generally don't. Not that I'm saying you are one of course.

    PS Is the popcorn tasty?
     
  11. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: How to test HIPS

    Yes, very tasty. I am very amused but I was expecting to be entertained more....I like Edutainment.....but I am bored now...time to turn on CNBC and see how my stocks are doing


     
    Last edited: Jul 29, 2005
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, I'll go along with that, but I really feel if you tighten up your script-type actions, you can prevent most everything.

    I didn't say that; I stated that you need to consider which of the two solutions he described, you want to employ in a first line of defense.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  13. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    What do you think of Noscript in Firefox?

     
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    A user cannot make a decision, unless the user has an opportunity to make a decision. This is fundamental. Not surprisingly, once a basic whitelist is created, there are very few decisions that have to be made and usually the decisions are quite obvious. Sometimes (extremely rarely) they are not, and that is where some advice is handy. That is the whole purpose of "putting a guard at a closed door" and alerting whenever something tries to come through. It is a pre-requisite. Otherwise, it is a whole different ballgame.

    As to your question about the number of alerts. It is negligible. My routine is quite straightforward. I read email, I do some local home financials as well as some remote financials. I do some word processing (rarely), and I browse some common sites for research work. Right now my main concern is that companies, such as Google, are collecting information about me without my permission. I have no idea what the average user is doing at their home, but based upon discussions with my friends, it is not much more than this, and in most cases a lot less. People don't have much time on their hands to play around on the Net nowadays, their days are pretty full with life-sustaining obligations.

    Rich
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I don't use Firefox, but have heard great things about it. There are a number of good solutions today for script-controlling.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  16. ---

    --- Guest

    Yes. And as Rmus is arguing, leaving aside the amount of FUD being spread about the holes in Windows XP, a properly secured system will seldom lead to a circumstance when the decision is taken away from the user.

    An exact figure would be better. What is negligible to someone with your 30 years' worth of experience and skill with computers would not be negligible to someone less skilled such as myself.

    And you test drive security applications?


    Well privacy is another matter. A lot of it is a fear of the unknown. A better understanding about the technology involved allows a much more rational evaluation of threats.



    I don't know about average people, but my friends and co-workers seem to enjoy downloading every crap they hear about.

    And lots of people here seem to enjoy downloading the latest security software posted here. Though I doubt they are average users.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    There are two approaches to white list programs: those that prompt you for the action to take, and those that simply block *any* attempt to run. Anti-Executable falls into the latter category. This is my preference: once a white list of executables on the machine is created, nothing else will run. The user shouldn't have to say "no" to something not already authorized, and would not permit something to execute that is not authorized, so a prompt is not necessary. It's bullet-proof. Naturally, you need to make sure that the machine is clean before installing such a program.

    I've put this on a home computer where there are four users. Dad is the only one who can download/install programs, or open email attachments. Any attempt willingly or inadvertent is blocked.

    To install a new program requires turning off AE. After installation, turning it back on auto-updates the white list.

    I hope some day that Worm Guard adopts this approach in creating a white list of script types.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    My circle of friends, associates, acquaintances is substantially different than what you describe. That is why only large scale tests of concepts, in a very diverse group (e.g. ZoneAlarm 6), can really test certain hypotheses. It will be very interesting to see if there is an "uproar" concerning the complexity of OSFirewall/SmartDefense, or whether there is general acceptance. So far, based upon the discussions I have seen, it has been basically a muted reaction. But it is too early to say.

    Yes, I agree. The average user is probably totally unaware and disinterested in this. They have much more important obligations in their lives that they have to fulfill. It therefore behooves a vendor, to come up with very simple solutions that solve the most substantial aspects of the problem. If the DeepFreeze/Anti-executable model is most correct, it would indeed change a lot in the way the "problem" is perceived and addressed.
     
  19. ---

    --- Guest

    Personally I think it's much easier for someone to do without his "first line of defense". As you have already eloquently argued, this can be mitigated in many ways.

    To do without his "second line", you will have to be always sure everything you install is 100% safe. This means one who never installs programs except from the most trustworthy of sources.

    I don't mean you only download from big sites like majorgeeks, I mean you only install programs from entities that can be held responsible for them.

    This means no freeware in most cases. Only big corporate entities who have something to lose if anything goes wrong. And even then you have to watch out for adware !

    As a user, I find that by far the second scenario is much harder to achieve. And even if achieved is too limiting.
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Indeed, this may ultimately be the most efficient approach for the vast number of users. Your experiences have been very positive so far. I would be most interested in the experiences of other users.

    Thanks for introducing me to this conceptual framework. It is most intriguing - though for vendors, the recurring revenue model may be too limited. ;)

    Regards,
    Rich
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I've always assumed that this was SOP.

    This doesn't have to be. I've downloaded tons of freeware/shareware. I always correspond with the author, or dl from a reputable site. I've never had a bad program. To the freeware authors, I always send a contribution if I keep the program.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  22. ---

    --- Guest

    If people carry out only a restricted set of behaviors, don't download and run programs, they are generally within the low risk group of users.

    Given the proper education on how to secure their computer, it would seem that they would be almost as close to bullet proof as you can get, even without all the latest gadgets.


    I would say that the zone alarm group is a very self selected group of users. People who are willing to spend time and money on a software firewall would have at least some skill with a computer.

    Of course, a few of them might have just been scared by FUD into paying for the product. :)

    Besides, for someone who can handle a network firewall, a system firewall, a term some use for HIPS, is just a logical extension.

    The question though I think is not one of ability for them, but of desire. Will they be willing to pay the cost and effort of operating this feature?

    I believe a lot of wilders members who have the skill, have chosen not to employ such software.


    A far less select group I think and hence closer to the average user would be say users of Norton Antivirus or whatever major antivirus vendor.

    If the experiment was for the free version of ZoneAlarm, I think the results could be a little more generalisable over the general population. But even then it would not be a complete fit.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This was my thought for a long time. Recently I discovered that two people who work in the computing world use Norton System Works w/firewall:

    1) my brother, whose security setup I had never inquired about. He's a software developer and small business computer consultant in another state. He's used those products at home and for his clients for years and has never encountered an intrusion.

    2) a friend who is a systems administrator for a company, uses the same Norton setup at home, and has never had any malware get into his computer

    So, you never know, and it's perhaps futile to generalize and try to categorize people.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  24. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Unfortunately, while intrusions are rare, they can be and have been extremely destructive and worrisome. A better solution than "ongoing education" is required for them.

     
  25. StevieO

    StevieO Guest

    I've been following this thread with a mixture of emotions. I enjoy hearing about people's personal experiences with events and solutions to them. But I feel that making snipes at people doesn't really help anything or anyone.

    Also discussing various possible means for avoiding intrusions, including maybe avenues that haven't been thought of before, or aired widely. So these are always welcome as this advances our understanding, and we are then in a better position to defend ourselves against the unknown.

    I don't think there's anything wrong with having as many Apps as a person desires. If they don't feel it impedes on their performance, and actually has proven to be of some benefit, then why should it bother anyone else. If they then pass these tips onto others, then others can choose to take the advice or not.

    I have tried out many people's tweaking ideas and suggestions for different Apps over the last few years. Some were overrated or slowed me down or didn't work properly etc, and others have been a complete blessing and continue to help protect me on a daily basis.


    A possible solution to downloading fake Codecs/Programs etc etc, could be to have all things like this released with an md5 etc signature. A simple-to-operate little App for everybody out there could be devised which would check the DL sig against a Trusted Central Database that vendors etc uploaded to. The vendors could pay a small fee to fund the operation which would enable staff to validate them and the uploads. This way people could have confidence in the scheme. I'm sure it could be done if people wished it to happen.


    StevieO
     