Personal HIPS Tests

Discussion in 'other anti-malware software' started by kareldjag, Jul 26, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    OK, I've decided to spend a few bucks on a good firewall (ZoneAlarm), a good AV (KAV - which takes care of a known 99 percent of the malware - I'm not playing a gambler's guessing game here), a backup AT (Ewido) and a set of HIPS programs - ProcessGuard, WormGuard, and RegDefend. This probably gives me protection against almost all known malware. Total cost: less than one hour of my "time".

    Others, such as yourself, can recommend "education" expeditions - as a hobby if people want. No objection to that. I read novels, others can read security software web pages and magazines. Everyone spends their time doing as they wish. I think my approach is by far and away a better approach for me. It may not sound as "macho" as running with no protection/monitoring software at all, but it is very efficient and effective. What's more it is concrete and actionable - as opposed to "user education" which sounds like a lifelong journey.

    Most professional gamblers I have talked to (on forums) or read about have claimed that they always play the percentages. They also readily admit that inevitably there are times when they go bust. It is part of the "game". I'd rather pass and play a different game.
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    True. :D

    Rich
     
  3. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    1545 posts and counting.
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I have lots of time to kill ... and plenty to spare. C'est la vie. But if I am going to spend time doing something, I find exchanging information and helping people with security questions, a couple of the most rewarding ways. But I do many other things - including lots of volunteer work at schools, as well as personal hobbies, which are quite numerous.

    But comment accepted. There are other things I could be doing - maybe I should be doing more of them.
     
    Last edited: Jul 30, 2005
  5. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    There are a lot of assumptions here. The first assumption is about my security set-up. How does anyone know whether I have much or little security software on my computer?

    Many have made guesses in the past and all of them have been wrong. One reason why I do not make my set-up known is that it is just an extremely small part of my security. I doubt if a big-time hacker would come after me but if one did, they would have to do a little more work guessing my defenses.

    The second reason I don't describe what I have on my computer is because I really like to hear the pros and cons of different positions. There are many people that have a hard time sticking to the pros and cons of their position and often like to make personal attacks if someone decides they want to give a different point of view or even if someone uses different software than they use (or lack thereof). There are times when I want to get caught up in personal attacks....it is because it is an ego thing. Most people want others to believe as they believe.....those that don't believe are branded heretics by the observer and many people have their egos set up in such a way that they love to make personal attacks on the "heretics".

    Do I get caught up in this game? yeah....sometimes. That is why I am glad that I have a job that takes me away from computers for 4 months. When I am out in the middle of the ocean, I am not even thinking about Wilders and it usually gives me a healthier point of view when I first return....I was much more a listener than a talker when I returned in May.....a listener is much more of a learner than a talker and right now, I can't wait to get back to my ship in September so I can return to a more listening mode.

    I have never really given firm opinions on whether what people call "education" is better or "more software" is better. Whoever looks back on my posts can see that I have given subtle arguments for both points of view. The only thing I have really been consistent in is that every user should decide for themselves.

    All life is a journey........As it applies to computer security, some are on a lifelong journey on how to secure their computer with a minimal use of software and then there are others that are on a lifelong journey on educating themselves on the various uses of different security software and then there are those that use an infinite combination of both approaches. Just because someone uses a different approach does not make it invalid....It might just possibly be the BEST SET-UP.....for them.

    Right now, I am looking at all these HIPS approaches because I am trying to decide whether it might be useful security or whether it is just another app to slow my computer down.

    Probably the biggest reason for me to use some type of HIPS is for when my girlfriend uses my computer. She somehow finds things to infect the computer with in her casual surfing that I just don't seem to find. She did not infect my computer but I do know she ran across one dialer and one thing called "Clicktowin"....I just don't know how she found that stuff especially since she cruises mostly Indonesian websites but I guess Indonesian websites are infected too.

    Ok...time to start my day....Shower time.

    Starrob

     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Personal attack dribble by Guest poster --- removed.

    The discussion at hand is Personal HIPS Tests.
     
  7. ---

    --- Guest

    Rmus,

    I think it's clear you are now merely arguing for the sake of arguing.

    In two cases, you even use erroneous logic.

    Eg. I say all X are in Y. And you respond I'm not X, not Y as if that refutes the argument

    In others when I clearly state I'm speculating, your response is to ask for 100% certainty. LOL


    Last of all, you keep asking for scientific polls, of course I don't have them, like you I only do informal sampling, when people use my computers that have HIPS for example.

    Of course, it's just my opinion, did I say otherwise?

    Besides, as Starrob will tell you, there is no 100% certainty. Even with scientific polls. But we still have to make our best guesses based on logic, deduction and informal sampling.


    Well the term HIPS also comes from enterprise environments.
    The word 'HOST' kind of gives it away.
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    The simple truth is that it has been KAV that has kept my computer (and those of my friends) clean. This alone provides me with almost 99% protection, and an average user can get equal protection with very little time spent on additional education. However, going forward, the viability of the "signature approach" is in question. That leads us to HIPS.

    If a new user is looking for even more security (KAV probably being more than enough for most users), I would recommend looking at the HIPS products. If I was to spend any time on "education", here is where I would recommend people spend their time. That is, if something unexpected is trying to run, don't allow it to run. It is rejection by exception. This does take a little getting used to - but it is quite reasonable, since everyone in my family (who are decidedly non-techy) as well as my friends who are using ProcessGuard are quite comfortable with it.

    This is the education path that I would recommend: learn how to use a top-rated AV, and then how HIPS works. This combination provides exceptional protection.
     
  9. kareldjag1

    kareldjag1 Guest

    Hi,

    First of all, thanks for the feedback and the very interesting discussions.

    There's no problem with criticism (objective or not), but it's important to note that the methodology for testing proactive security softs (behavioural approach) is quite difficult to elaborate and to choose.
    Scanner (AV/AT/AS) tests are based on a malware database, and the goal of my tests was to track the products' behaviour in the face of various attacks and situations.
    In any case, testing is a hard job and is never perfect.

    For more information about IPS tests, the NSS group provides independent and very respectable tests (for a corporate environment): even if the tests are unfortunately unavailable (because they're paid), the site is interesting for the information: http://www.nss.co.uk/WhitePapers/intrusion_prevention_systems.htm

    Real HIPS/IPS are more sophisticated and are often designed to prevent network and web application (SQL injection etc.) attacks.
    But here are some links for more information about the subject:

    http://www.infosyssec.net/infosyssec/intdet1.htm

    http://www.sans.org/resources/idfaq/

    http://www.windowsecurity.com/articles_tutorials/intrusion_detection/

    http://is-it-true.org/fw/fwtips6.shtml


    A few answers for some posts and subjects:

    *Finjan products: Finjan is specialised in sandboxing solutions: SurfinGuard for instance provides a high level of defense against mobile code threats and exploits, but it's a specialised soft, and not a general host protection.
    That's why it was not integrated in the list.

    *Ghost, I respect any comment, opinion and criticism.
    And I understand that from your personal point of view, this test is necessary or not.
    But as far as I know, host-based intrusion detection/prevention system solutions monitor activities in a single host and their goal is to prevent/detect "unusual/bad things" happening in this local host.
    With this definition, all my tests are objectively necessary.

    The "open/close the CD-ROM drive" test can also be done by email: then, when the CD-ROM drive is opened without the user's intervention (mouse/keyboard/finger), it's an unusual activity.
    Generally, it's a joke made by script kiddies when they have gained control of a PC.
    For more information, I suggest paragraph 6.7 of this PDF ("detecting signs of intrusions"): http://www.awprofessional.com/content/images/020173723X/samplechapter/allench6.pdf

    (........)

    In any case, anyone can choose his own methodology and make his own test: there are about 120 000 pieces of malware, many possible attacks and exploits...

    For Abtrusion Protector, as was discussed with the Abtrusion Security team, the impact of my tests is more limited because whatever is not recorded is automatically blocked.
    For the listening ports, it's just a personal point of view: the more listening ports, softs and services I have which are authorised to open connections, the more my host is vulnerable: the intruder has more possibilities to hide ports/communications, there are more logs/connections to analyse, more time to spend, etc.
    Good news: according to the team, a new version will be available in the future.

    *Vikorr.
    - for the data collection, it's an ethical question: many people who care about their privacy don't like this kind of surprise: the user must be informed CLEARLY.

    -except Kapimon, all test files can be run from external drives: if you have a look at some screenshots, you can see that files are run from D: and not C:.
    As was said in the disclaimer, the tests are run as unknown files from floppy disks or CD-ROM: in this case, they can't be considered as installed.

    -PrevX claims to protect against unknown attacks and threats: so if I were really severe, I should add more tests (cookie theft, denial of service etc.).
    I've just verified the efficiency of the buffer overflow protection.

    -some products don't claim to protect against buffer overflows, but the test is applied all the same, as for registry, file access etc.
    Testing several products requires using the same methodology: it's the protocol!
    If the user "omega" needs a product with registry and B.O. protection, he can choose PrevX, because he will be able to compare the capabilities of all the products, etc.

    PrevX is an interesting and promising product; I just find the marketing excessive and pretentious: that's why we can legitimately be disappointed by this product: there's a big difference between what it is supposed to do and its real effectiveness.

    *0day protection.

    For our health, there's no vaccine against unknown diseases;
    for our computers, there's no vaccine against unknown threats.
    0day is business:

    -on side A, there are hardware (firewall/VPN etc.) and software (AV/IPS/Firewall) vendors who provide security solutions: all claim that their solutions are totally sure and secure: it's their business.
    But a job and a solution is never perfect.

    -on side B, there are security analysts who provide their services (audits/pentests/training): their business is to prove that the previous solutions are not 100% secure.
    Most of them create specific tools (proof-of-concept) and are BlackHat speakers.

    -between sides A and B, there are ethical and criminal hackers: their business is to find vulnerabilities for full disclosure (ethical) or for penetrating systems (criminal).

    Security has been a "cat and mouse/catch me if you can" game for years and years.

    *many people have different defenses which can satisfy them.
    These 12 personal HIPS are not absolutely necessary (even if recommended in some cases).

    And sometimes, what we know can be more important than what software we have.

    best regards
     
  10. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Kareldjag

    Thanks for the info. I'll go back and have a look at your analysis :)

    Also, I understand why you tested products for things they didn't claim to protect against. I called it a semi-criticism because people reading your test results may find the info somewhat misleading <but that said, I find it's still useful info>.

    We can both agree that Prevx's marketing is pretentious. One look at the old Pro settings told me that. Same for its claim to be a behaviour based HIPS - this isn't exactly correct - for the most part, it simply prevents installation, with a few extras.

    It will be interesting to see your tests on Prevx1 when it comes out of beta.
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Kareldjag,

    Thank you for your comments. I learn a lot from them.

    I was wondering if you would care to comment on some comments that you made on the Safe N' Secure forum, which seem to indicate that of all the personal HIPS available at this time, your favorite is Safe N' Secure. Would this be a fair representation of your preferences at this time? I realize that this does not necessarily mean you recommend it above others. Just trying to understand your preferences - and why? I am also looking forward to any reviews you may have of Online Armor, which appears to me to be quite a good product. Thanks for the thoughts.

    Regards,
    Rich
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Interesting thread!

    Congrats to Kareldjag for a great effort.

    Good to have such open discussions

    Out of interest see post 298 and 301 (some relevance to this thread's original post) here: https://www.wilderssecurity.com/showthread.php?t=83899&page=1&pp=25

    No doubt good marketing but also a recognition of kareldjag's efforts, and also a genuine attempt to grapple with exploits in a transparent way.

    Congrats to OA for not bullsh---ing the test results.

    Regards

    can I say bullshitting here?
     
    Last edited: Aug 4, 2005
  13. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    I think the proper word is manure. :)
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,186
    Location:
    Texas
    BS works. :)
     
  15. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Vikorr, yes, a short update will be available for PrevX pro, but also for OSsurance Desktop, SnS, Abtrusion Protector, SSM and perhaps Viguard (anti-rootkit/hooking improvements).


    Rich: for Safe'n'Sec, I've just said that it's for me the most effective product as an application firewall (point of view=subjectivity) and I've suggested implementing an integrity feature, which is an important function in intrusion detection ( http://www.sagesecure.com/nsi/mmedia/fileintegrity.pdf ).

    Abtrusion Protector, Ossurance Desktop, Viguard, SSM and PG have this kind of function and have the ability to detect changes in any file.
    The Star Force team uses the "IPS" terminology, but for me, SnS corresponds more to the "IDS" terminology.

    The SnS effectiveness is only real in "total mode": if somebody doesn't know what the "pop up and mouse click syndrome" is, he'll be satisfied with SnS.
    In "normal mode", it does not provide more effectiveness than PG, SSM, AntiHook and other application firewalls.

    Consequently, SnS can only be interesting to combine with products without activity control features (Abtrusion Protector or PrevX pro for instance).

    In your defense (already very strong), SnS would really be too much: whatever is not seen/blocked by PG will be seen/blocked by RegDefend in most cases.
    And in general, it's not a good idea (for the system's security, the memory and also the wallet) to combine products which have similar features:
    "over-protection" is not a guarantee of more security.

    For my part, I have to be neutral as a tester.
    I just have a favourable a priori preference for products which use integrity features.

    regards
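    A small illustration of the file-integrity function kareldjag describes above (an added example, not code from Safe'n'Sec, Process Guard or any product in this thread): record a baseline of SHA-256 hashes for a directory tree, then later compare the live tree against it and report added, removed and modified files. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its hash and size."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return baseline

def compare_baselines(old, new):
    """Report files added, removed, or whose content hash changed since the baseline."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys
                           if old[k]["sha256"] != new[k]["sha256"]),
    }

def save_baseline(baseline, path):
    # Keep the baseline where an intruder cannot rewrite it (read-only media
    # or a separate host); otherwise a later check proves nothing.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def demo():
    """Constructed scenario: baseline a tree, then patch, drop and delete files."""
    root = Path(tempfile.mkdtemp(prefix="integrity_demo_"))
    baseline_file = root.parent / (root.name + ".json")
    try:
        files = {"bin/app.exe": b"MZ original code",          # constructed sample
                 "config/settings.ini": b"[main]\nlevel=high\n",
                 "readme.txt": b"constructed sample\n"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering: a same-size patch (size alone would miss it),
        # a dropped file, and a deleted file.
        (root / "bin/app.exe").write_bytes(b"MZ patched  code")
        (root / "bin/dropped.dll").write_bytes(b"constructed payload")
        (root / "readme.txt").unlink()
        return compare_baselines(load_baseline(baseline_file), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        baseline_file.unlink(missing_ok=True)
```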
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Dear kareldjag,

    Thank you for clarifying your views.

    Regards,
    Rich
     
  17. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    very interesting threads, Kareldjag :eek: ; that should help people choose for next Christmas :D .

    Your tests show that Process Guard and Safe'n'Sec appear complementary in their respective features: what Process Guard can do, S'n'S doesn't, or does badly, and vice versa. It could be nice to run both programs together (and then to protect S'n'S, which is weak by itself).

    Thanks for your efforts ;)
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    @Kareldjag

    First many thanks for the testing and ratings you provide. They are indeed a big help. I hope when SnS 2.0 comes out you will retest. I am running the beta and already it is a huge improvement over SnS 1.1. Also I will be glad to see you add Online Armor to your list. I am also finding it an excellent program. I am running RegDefend, ProcessGuard, SnS 2.0 Beta and Online Armor (latest version or beta). While there is overlap, each also does provide some unique protections.

    Pete
     
  19. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I am not at the level of expertise of most of the posters here but this was interesting reading. I have PG, NOD32, Ewido, Counter Spy and I have added Online Armor. I chose it because it claims that if I OK something I shouldn't have, it can remove it. I feel that there is a possibility it could catch something and I or my wife OK it.
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Thanks.
    As I don't play video games, testing is just a way to have fun with a cup of coffee!

    There will be an update for any new release, but in a short version.

    For OA, I've sent my point of view to Mike Nash.
    Then when the kernel driver is implemented, it will be interesting to test it.

    Finally, any consumer can find the right HIPS for him (beginner or experienced, in English, French or Spanish etc.).
    If more users integrated this kind of software in their line of defense, the risk of being infected would be lower.

    regards
     
  21. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    This thread is really informative. Couldn't appreciate it more!
    :)
    I am a newbie as far as HIPS is considered. What freeware HIPS setup do you suggest to secure my system? o_O

    Also suggest a free registry protection application that can complement my HIPS setup completely. o_O

    I am currently running Avast Pro, Filseclab FW, WormGuard, MSAS, Antivir (Ondemand), Spybot, Spyware Blaster and Adaware free.

    Thanks a ton!
     
  22. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Any ideas?
     
  23. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    There aren't many freeware ones that I know of:

    Arovax Shield
    Winpatrol
    MSAS (has some realtime IDS functions)

    Antihook
    Prevx
    System Safety Monitor (though only till end of the year, then payware)
     
  24. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Hmmmm....Planning to go for MSAS, Prevx home and Spybot TeaTimer! What do you say?
     
  25. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Well, to secure a system for free, if you are willing to put up with the restrictions, I'd:

    1. Set up & use a limited user account
    2. either harden IE settings, or switch to Firefox (with extensions)
    -if staying with IE, use IE-SpyAd, SpywareBlaster
    -for either, use a Hosts file
    3. Switch email client to Thunderbird (Mozilla)

    To me those 3 would be more important steps than security software

    I would then run MSAS and AVG antivirus (if you don't have an AV) realtime, and probably snoopfree (antikeylogger) or antihook.

    Prevx home is fine if you know what you are doing with it, and are prepared to put up with numerous popups (or you could consider Prevx1 beta, which is currently free). I personally remember not liking TeaTimer, but I can't remember why.

    Of course you'd have some free on demand scanners too.

    Mrkvonic wrote a really good article on setting up your system in a secure manner, over at Spywarewarrior.com. Here's the link: http://spywarewarrior.com/viewtopic.php?t=15281
     