The Perfect HIPS ?

Discussion in 'other anti-malware software' started by Vikorr, Jul 31, 2005.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That sounds worth paying for :)
     
  2. ---

    --- Guest

    I don't think calling the AV to scan and letting it pass if the AV says it's okay is a good idea.

    After all, the whole idea of HIPS if I remember the hype is to get past traditional signature based approaches. If HIPS is going to use AVs to decide whether to run something or not, I might as well just stick to AVs.


    Mike, let me check my understanding. Wouldn't OA react with (1), (2) or (3) even if it was an action that was "advertent"?

    Say I choose to run a batch file.
     
  3. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi -

    I think the AV function will get eaten by products like OA. Here's why - OA is doing behavioral type stuff, monitoring stuff - and it already contains a whitelist. BUT included is also a signature file of "bad" programs, primarily so that if we say sskbho.dll is trying to install, the user can know "It's Surfsidekick, and here's what it does".

    With that in mind, as OA's base of legitimate *and* illegitimate signatures increases, what is the purpose of the AV? It can already do realtime monitoring, it can already see what apps are doing - and it can already check signatures. The "only" thing lacking in a product like OA against an AV is the size of the sig database. As we start to implement more checks and analysis of programs and what they are doing, the AV component becomes redundant.

    Of course, a big AV player could turn the tables on that. Let's see what happens :)

    Yes, you are right, OA would alert on each of those events. The reason for my edit is that OA does not (yet) alert on writes to Windows\System directory and I didn't want to have something that wasn't correct up there. However, it will in the next version so my slip I hope can be excused.



    Mike
     
  4. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Personally, I would prefer to run BOTH a product like Online Armor AND an Anti-Virus. I don't really see one replacing the other, but rather complementing it. What one doesn't have in its current database, the other very well may...and that added protection could prove invaluable.

    Besides, I don't believe that products like OA "scan" like an AV, per se, so if you received or downloaded something and wanted to run it past an AV before execution, that could always prove useful as well.

    Having said this, I would HATE to see OA or any other HIPS program incorporate any kind of "AV" into their software (i.e. - Prevx). The firewall idea for OA sounds like a winner, but IMO AVs should remain as a stand-alone specialty type product....and focus on their job at hand.
     
  5. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Mike/JR.

    I suppose I haven't explained what I've been thinking clearly, when I say incorporating an AV into a HIPS...only realised that when I read what Mike said...

    Pretty much that a decent whitelist, combined with either AV signatures, or a decent blacklist would work for the HIPS.

    The only possible problem I see with a blacklist, is that Malware could evolve into producing randomly generated names, to bypass this feature (but it would still presumably be caught by other features of the HIPS).
     
  6. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Vikorr,

    Unless I'm confused, I think I understand you well. I still think OA has the potential to "eat" AV if you look at the features that will be added.

    As far as I can see, the role of such a product is "Keep stuff off the computer that does not belong there." Whether it does it with a firewall, signatures, heuristics, behavioral analysis, whitelists, blacklists - or a combination of all of the above.

    Your previous comments on this thread indicate - at least to me - that this is the sort of product that you are looking for.

    I can foresee OA, noting that a site you are visiting is considered "Dangerous" and not downloading executable content at all; if that is overridden, the next step would be to compare the downloaded content using one or more types of signature scheme prior to execution; finally, if that gate is passed and execution of the process is requested, monitoring to see what it actually does.


    Mike
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hi,
    I think a really good HIPS should prevent the USER from doing bad things. 99% of malware comes down to user interaction, either by downloading cracks in p2p, clicking links in sites, not protecting the machine properly etc.
    When it comes to a popup alert by a program, an average user does not know what to answer. What's hooking, API, kernel or DLL to an average computer user? To make you understand what I mean, what are eigenvalue, trace, determinant and the Gram-Schmidt process? Someone with good mathematics will know this, but for 99% of users it's gibberish.
    If you KNOW what to answer to a security popup, most likely you KNOW what to do in the first place, what to do and what to avoid, and vice versa.
    Good HIPS should under-privilege the machine, that is password and encrypt all processes and access to them. But, Windows is not configured well enough to work smoothly as limited user, so good HIPS, aside from watching the registry, hosts file and everything you mentioned, should also allow easy accessibility to system tokens (like Run As..., only more smartly). In simpler words, HIPS should be a good negotiator between admin and non-admin.

    On a funny note, good HIPS = Linux!

    Mrk
     
  8. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I would disagree completely with that. Parental Control programs are for preventing people from doing the 'wrong things'. HIPS are for letting people do the 'wrong things' <as you put them> safely.
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    The way I would describe it would be like this:

    1) HIPS alerts when an "exception" to normal processing occurs (e.g. a new script or process has started on a machine).
    2) A user can then decide whether or not to allow this "exception" process to continue with whatever work it chooses to perform.
    3) HIPS can also track and alert users as to whether the process is attempting actions that may be considered "dangerous" or abnormal (e.g. install a driver/service/rootkit).
    4) The user then has an opportunity, at these points, to prevent the process from continuing.

    This stuff is really great, and for users who want to put a little time into understanding what is going on in their machine and regaining control of their machine, nothing can beat this paradigm.

    Rich
     
    Last edited: Aug 1, 2005
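An added illustration of the four steps Rich lists, not code from this thread or from Online Armor: a toy Python HIPS that treats an unknown process start as the exception the user rules on, then keeps watching the processes it let run and prompts again on driver, service, autorun or injection activity, at which point a denial stops the process. The whitelist, the action names, the paths and the event log are all constructed for the example, and the popup is replaced by a scripted answer so the run is deterministic.

```python
"""Toy model of the four-step HIPS paradigm: alert on an "exception" (an unknown
process start), let the user decide, track dangerous actions by running
processes, and let the user stop the process at that point. Added illustration
only, not Online Armor code; every path, action name and event is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Actions the toy HIPS treats as "dangerous" (step 3). Hypothetical names.
DANGEROUS: Set[str] = {"install_driver", "create_service", "write_autorun", "inject_thread"}


@dataclass
class Event:
    pid: int
    image: str        # executable path (constructed)
    action: str       # "start", a DANGEROUS action, or something benign like "write_file"
    target: str = ""  # file, key or service the action touches (constructed)


@dataclass
class Verdict:
    pid: int
    action: str
    decision: str  # "trusted", "allow", "block" or "terminate"
    reason: str


Prompt = Callable[[Event], str]  # the user's answer to the popup: "allow" or "deny"


class Hips:
    def __init__(self, whitelist: Set[str], prompt: Prompt):
        self.whitelist = set(whitelist)
        self.prompt = prompt
        self.running: Dict[int, str] = {}                  # pid -> image allowed to run
        self.remembered: Dict[Tuple[str, str], str] = {}   # (image, action) -> answer

    def ask(self, ev: Event) -> str:
        """Prompt once per (image, action); a real HIPS offers 'remember my answer'."""
        key = (ev.image, ev.action)
        if key not in self.remembered:
            self.remembered[key] = self.prompt(ev)
        return self.remembered[key]

    def handle(self, ev: Event) -> Verdict:
        if ev.action == "start":
            # Steps 1 and 2: a new, unknown process is the "exception" the user rules on.
            if ev.image in self.whitelist:
                self.running[ev.pid] = ev.image
                return Verdict(ev.pid, ev.action, "trusted", "whitelisted image")
            if self.ask(ev) == "allow":
                self.running[ev.pid] = ev.image
                return Verdict(ev.pid, ev.action, "allow", "user allowed unknown process")
            return Verdict(ev.pid, ev.action, "block", "user denied unknown process")
        if ev.pid not in self.running:
            # A blocked or terminated process cannot act; any late event is dropped.
            return Verdict(ev.pid, ev.action, "block", "process is not running")
        if ev.action in DANGEROUS:
            # Steps 3 and 4: dangerous behaviour alerts even for a whitelisted image,
            # because the whitelist vouches for who the process is, not what it does.
            if self.ask(ev) == "allow":
                return Verdict(ev.pid, ev.action, "allow", "user allowed dangerous action")
            del self.running[ev.pid]  # the user chose to stop the process here
            return Verdict(ev.pid, ev.action, "terminate", "user denied dangerous action")
        return Verdict(ev.pid, ev.action, "allow", "benign action, no alert")


def scripted_prompt(deny_actions: Set[str]) -> Prompt:
    """Stand-in for the popup: deny the listed actions, allow everything else."""
    return lambda ev: "deny" if ev.action in deny_actions else "allow"


# Constructed event log: a trusted shell, an unknown download that tries to go
# kernel-resident, and a known updater registering an autorun entry.
SAMPLE_EVENTS: List[Event] = [
    Event(100, r"C:\Windows\explorer.exe", "start"),
    Event(200, r"C:\Users\me\Downloads\freegame.exe", "start"),
    Event(200, r"C:\Users\me\Downloads\freegame.exe", "write_file", r"C:\Users\me\Downloads\data.dat"),
    Event(200, r"C:\Users\me\Downloads\freegame.exe", "install_driver", r"C:\Windows\System32\drivers\hide.sys"),
    Event(200, r"C:\Users\me\Downloads\freegame.exe", "create_service", "hide"),
    Event(300, r"C:\Program Files\Updater\update.exe", "start"),
    Event(300, r"C:\Program Files\Updater\update.exe", "write_autorun",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]
WHITELIST: Set[str] = {r"C:\Windows\explorer.exe", r"C:\Program Files\Updater\update.exe"}


def run(events: List[Event], whitelist: Set[str], prompt: Prompt) -> List[Verdict]:
    hips = Hips(whitelist, prompt)
    return [hips.handle(ev) for ev in events]


if __name__ == "__main__":
    for v in run(SAMPLE_EVENTS, WHITELIST, scripted_prompt({"install_driver"})):
        print(f"pid {v.pid:<4} {v.action:<15} -> {v.decision:<9} ({v.reason})")
```

With the scripted user denying only driver installs, the download is allowed to start and write its data file, is terminated at the driver install, and its later service creation never happens; the whitelisted updater starts without a prompt but is still asked about the autorun entry, which is the point of step 3.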
  10. ---

    --- Guest

    I would hope that the perfect HIPS provide comparable protection for alternative browsers such as Firefox, Opera, rather than assume everyone uses MSIE.

    The anti-DNS spoofing in Online Armor should extend to Firefox too.

    Maybe some other monitoring of minor Firefox/Opera functions.
     
  11. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi

    Anti-DNS spoofing works on all browsers for protected sites. Definitely agree that monitoring of more FF and Opera functions is needed - right now we only worry about the FF and IE homepage, but we'll be changing that in a subsequent release once we rework the registry protection to be more powerful.


    Mike
     
  12. ---

    --- Guest

    The perfect HIPS to me would not alert the user merely because a certain event occurred, but rather if a sequence of events occurred that is likely to be unusual.

    It would for example keep a record of the past few event alerts, and make decisions based on a logic engine.

    Certain sequences of events would be considered normal, others wouldn't.

    This would lead to fewer alerts, and the user is alerted only when something truly unusual occurs.

    Users could also help give hints by giving certain processes special rights, which is actually a package of behaviors allowed.

    Update rights
    - To connect outbound through the firewall
    - To start or stop files/processes within the same directory
    - Maybe certain rights to change the registry, install drivers

    Uninstaller rights

    Install rights

    I'm not sure but I suspect Prevx1 and Safe'n'Sec are already evolving towards that.

    It would also have a flexible rule-based system that allowed advanced users to tinker with the rule set and share them with others.

    For those of you familiar with email rule filtering, you could process an email via several nested rules to decide if it was spam, e.g. if it lacked a 'from' header, go to rule 2.

    Similarly, the event in question could be processed by user-defined rules before finally deciding on an action: whether to allow, deny, or ask for instructions.

    I doubt it would ever occur though, since it could be very complicated to do and might be computationally expensive.
     
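The sequence engine, rights packages and nested-rule chain described in the post above, as an added Python sketch written for this page (not Prevx1, Safe'n'Sec or Online Armor code). A rule chain is evaluated in order like mail-filter rules, each rule answering allow, deny, ask, or next; a per-process history window lets one rule fire only when an event completes an unusual sequence rather than on the event alone; and a rights package granted by the user covers a bundle of behaviours at once. The package contents, action names, suspicious sequences and sample events are all constructed.

```python
"""Sequence-aware HIPS decision engine sketched for this thread: a short per-process
history, "rights packages" bundling permitted behaviours, and an ordered rule chain
evaluated like nested mail-filter rules. Added illustration, not Prevx or Safe'n'Sec
code; every action name, package, sequence and sample event is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Set, Tuple

ALLOW, DENY, ASK, NEXT = "allow", "deny", "ask", "next"
WINDOW = 8  # recent events remembered per process

@dataclass
class Event:
    pid: int
    image: str
    action: str   # e.g. "connect_out", "write_own_dir", "write_autorun" (constructed names)
    target: str = ""

# Rights packages: each bundles the behaviours one role legitimately needs (hypothetical).
RIGHTS: Dict[str, Set[str]] = {
    "update": {"connect_out", "write_own_dir", "start_own_dir", "write_registry"},
    "uninstall": {"delete_own_dir", "write_registry", "delete_service"},
    "install": {"write_program_files", "write_registry", "create_service", "install_driver", "write_autorun"},
}
BENIGN: Set[str] = {"read_file", "write_file", "write_own_dir", "start_own_dir"}  # never prompt alone
SUSPICIOUS: List[Tuple[str, ...]] = [  # drop a file, persist, phone home: unusual for an unknown process
    ("write_file", "write_autorun", "connect_out"),
    ("write_system_dir", "create_service", "connect_out"),
]

def completes_sequence(history: List[str], action: str, pattern: Tuple[str, ...]) -> bool:
    """True when `action` is the last step of `pattern` and the earlier steps already
    occurred in order (not necessarily adjacent) within the process's history."""
    if action != pattern[-1]:
        return False
    it = iter(history)  # each any() resumes where the previous step matched
    return all(any(h == step for h in it) for step in pattern[:-1])

# A rule sees (event, this pid's recent actions, behaviours granted to the image) and
# returns (decision, reason); NEXT hands the event to the following rule.
Rule = Callable[[Event, List[str], Set[str]], Tuple[str, str]]

def rule_rights(ev: Event, history: List[str], rights: Set[str]) -> Tuple[str, str]:
    return (ALLOW, "covered by a granted rights package") if ev.action in rights else (NEXT, "")

def rule_sequence(ev: Event, history: List[str], rights: Set[str]) -> Tuple[str, str]:
    for pattern in SUSPICIOUS:
        if completes_sequence(history, ev.action, pattern):
            return DENY, "completes suspicious sequence " + " -> ".join(pattern)
    return NEXT, ""

def rule_benign(ev: Event, history: List[str], rights: Set[str]) -> Tuple[str, str]:
    return (ALLOW, "benign single action") if ev.action in BENIGN else (NEXT, "")

DEFAULT_RULES: List[Rule] = [rule_rights, rule_sequence, rule_benign]

class Engine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.history: Dict[int, Deque[str]] = defaultdict(lambda: deque(maxlen=WINDOW))
        self.granted: Dict[str, Set[str]] = defaultdict(set)  # image -> package names

    def grant(self, image: str, package: str) -> None:
        """User hint: give an image a whole package instead of answering per event."""
        self.granted[image].add(package)

    def decide(self, ev: Event) -> Tuple[str, str]:
        rights = set().union(*(RIGHTS[p] for p in self.granted[ev.image]))
        decision, reason = ASK, "no rule matched; ask the user"  # chain fell through
        for rule in self.rules:
            d, r = rule(ev, list(self.history[ev.pid]), rights)
            if d != NEXT:
                decision, reason = d, r
                break
        # Record for later sequence checks. ASK is recorded too: this sketch assumes the
        # user lets an asked-about action proceed; a real product would record the answer.
        if decision != DENY:
            self.history[ev.pid].append(ev.action)
        return decision, reason

# Constructed scenario: a trusted updater doing updater things, then an unknown
# download that drops a file, registers an autorun entry and reaches out.
UPDATER = r"C:\Program Files\Widget\update.exe"
DROPPER = r"C:\Users\me\Downloads\screensaver.exe"
SAMPLE_EVENTS = [
    Event(10, UPDATER, "connect_out", "updates.example.net:443"),
    Event(10, UPDATER, "write_own_dir", "widget.exe"),
    Event(10, UPDATER, "write_autorun", "Widget"),
    Event(42, DROPPER, "write_file", r"C:\Users\me\AppData\Local\Temp\svc.exe"),
    Event(42, DROPPER, "write_autorun", "svc"),
    Event(42, DROPPER, "connect_out", "203.0.113.7:8080"),
]

def run(events: List[Event]) -> List[Tuple[str, str]]:
    engine = Engine(DEFAULT_RULES)
    engine.grant(UPDATER, "update")  # the user's hint: this image is an updater
    return [engine.decide(ev) for ev in events]

if __name__ == "__main__":
    for ev, (decision, reason) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"pid {ev.pid:<3} {ev.action:<15} -> {decision:<5} {reason}")
```

Running it, the granted "update" package silences the updater's outbound connection and own-directory write but still asks about the autorun entry, because that behaviour is not in the package; the unknown download is asked about the same autorun entry and is denied the outbound connection that completes the drop, persist, phone-home sequence. The cost the post anticipates is visible too: each decision scans the process's window against every pattern, cheap at this size but growing with the shared rule set.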