Ring 0 HIPS Test

Discussion in 'other anti-malware software' started by andyman35, Nov 3, 2010.

Thread Status:
Not open for further replies.
  1. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Oh, I hear ya. I guess I see a lot of "tests" online for this and that and the minute people see a piece of security software fail for a particular reason, it's always I see people jumping ship :)

    You'll never have an issue with ShadowDefender. I ran it for 2 years, even alongside Geswall, never had 1 issue.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I heard good things about GesWall ;)
     
  3. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,350
    So tell me what is the correct link because I'm using the link on the first page and see the results I have quoted. o_O
     
  4. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    The complete test has been pulled so there is no 'correct link' to use. The links were originally posted in post number 1, but they are now dead and have been for the last few days. If you're clicking on the links in post #1 and still seeing the results it must be being pulled out of your cache.
     
  5. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    225
    Location:
    Romania
    New results.
    Now it looks like only OA, OSSS, Outpost and Spyware Terminator pass in default config. :eek:
     
  6. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Thanks man, have been waiting impatiently for those.:thumb:
     
  7. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    So Spyware Terminator actually has an underestimated HIPS, according to this test that is.

    Defensewall, Comodo, Safe 'n Sec, KIS and Geswall also pass but require user-interaction.

    I wonder about this sentence (via Google Translate) about Defensewall though;
    "If the test utility, for example, were already on the hard drive before installing DefenseWall Personal Firewall, then they are trusted and not checked in this case, the test fails."

    Does the test fail or would Defensewall fail? Or is it simply an error in Google translation perhaps?
     
  8. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    DefenseWall trusts already present executables/programs (except from built-in list of common internet facing applications) present on system. If you download malware while DefenseWall was not installed, but later you add it, DefenseWall may not protect you, as files were already present on system and hence are trusted.
     
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Defensewall would fail. Defensewall has to be installed on a clean, malware free system.
     
  10. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Yes, a real surprise. I'll have to give Spyware Terminator a try out given this result.
     
  11. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    That's what I thought also, just wanted to be sure I wasn't 'lost in translation'.
    Then the question might be; Is a HIPS supposed to protect an infected system?

    The revised test article, at least the Google translation, mentions for Comodo, that CIS offers to run the test file in the sandbox (which is actually more like OA's 'run safer' option; reduced privileges, than a true sandbox, right?).
    If that option was chosen, CIS would succeed and the test would fail.
    But is that a HIPS test or a (full) suite test?
     
  12. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    It depends on the HIPS. Install a classical HIPS like Malware Defender and the user will need to make the decision whether to allow the malware to run (on the already infested system) amongst a potentially huge number of pop-ups given that it is a new install of the HIPS...and assuming of course that the malware hasn't embedded itself so deeply that the HIPS is blind to it. An intelligent HIPS such as Online Armor or CIS would be more likely to flag the malware as unknown (i.e. not digitally signed by a trusted vendor/not on a whitelist), and offer some level of containment if you wanted to run it. Again, this assumes that the HIPS is not blind to the existing infection.

    The difference between Defensewall and a traditional HIPS in this case is that at least you'd have a chance of catching the pre-existing malware with a traditional HIPS. No chance with Defensewall - but that's not what it is designed for anyway.
     
  13. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    That's correct. Also you're right that the test shouldn't involve the sandbox if it's purely a HIPS test.
     
  14. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Are the new results out?
    I thought it was going to be this week :rolleyes:
     
  15. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Just look above at the burebista post.;)
     
  16. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    225
    Location:
    Romania
    Yep.
    10Char.
     
  17. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    LOL, sorry for my laziness to read all the posts xD
     