Types of HIPS

The BlueZannetti model of software security pretty much preaches

* AV
* AT (memory scanner)
* Firewall
* HIPS

However since he wrote this almost a year ago, the 'HIPS' arena targtted at home use in my view has split into at least 3 different and fairly distinct classes.

So this is my model and theory of how the HIPS market looks now for wilders members... Don't get me wrong I admire Kareldjag's far more detailed HIPS classification (anomaly detection, white listing, virtualization etc), but I think my way of looking at things might perhaps be more useful to users and also seems to be a better match to how people are perceiving things.


1) 'Classic' HIPS , System firewall ,dumb behavior blocker

The first class is represented by ProcessGuard, Appdefend, SSM, Prosecurity etc. Some call it 'classic HIPS' , 'system firewall' or even policy based behavior blocker. You know the drill, you set the rule to monitor a certain system state or behavior and when it occurs you are alerted and given a chance to block it.

Of course the article above was in the context of an administrator of a network system, in the home user context such a HIPS results in a lot of popups.

The pros are obvious, full control to user, the computer can't fart without your permission. The cons are equally well known, Too intrusive with many popups, too difficult to use for beginners.

The next two classes of HIPS can be seen as different attempts to solve the problems of too many popups and simplify use for beginngers (though historically the concepts they are based on are very old of course).


2) Sandboxing (with or without virtualization)


The second class is represented by Sandboxie, Green Border, Bufferzone, Defensewall etc. Called 'Sandbox HIPS' , these security programs allow you to run untrusted programs 'isolated' from the rest of the system, so even if something goes wrong it cannot effect the rest of the system.

I personally feel Geswall and coreforce are also sandboxes.

I think Notok (or it could be some one else) was first here to make a distinction between sandboxes with virtualization and those without and this might be yet another split among the sandbox products. Ilya argues that Defensewall has virtualization (process virtualization) but not file system virutalization. Of course this is if we buy the sense 'virtualization' is used in the first place of course as compared to 'real' virtualization in vmware. We could make further distinctions but I don't think it is productive.

Sandbox advocates like Ilya argue that Sandbox HIPS are superior because
they are easier to use, they typically don't popup warnings at the user, and if the sandboxed process violates one of the rules, it is just blocked silently.

The disavantage of course is that for most part, if some app you are trying to run sandboxed fails, you can't do anything about it.

3) Behavior blockers , the smart ones

The last class of HIPS is what some have taken to call behavior blockers (though I personally feel all HIPS except sandboxes are behavior blockers, SSM is just a dumb behavior blocker!). These are 'smart', expert-based systems that do not alert on just any behavior, but only if it is likely to be malicious. This article explains it thus

That sounds a lot like cyberhawk doesn't it? Also see Safe N Sec with its 'Intelligent Decision Maker'. To some extent also Prevx and its heuristics settings.. And perhaps KAV 6's PDM. Panda's TruePrevent (to be removed)?

The line between a smart expert based behavior blocker like cyberhawk and a
dumb policy based behavior blocker like SSM is not always 100% clear though.
After all the 'smart system' is made up of a couple of simple rules in sequence, or just a well chosen rule. At times SSM reacts exactly the same as Cyberhawk (to a dll injection for example, both react 100% each time).

One thing I notice is that most of these smart behavior blockers tend to have hidden rules. This kind of makes sense, since you don't want the bad guys to easily find out what is being detected and hence work around it. On the other hand, some (like the A2 squared author) have argued that with the right IDS rules it doesn't matter if the rules are made public.

The pros of this class of products? Much fewer false alarms (arguably the concept of false alarms makes no sense with other types of HIP!!), much easier to use. The cons? Lack of control, uncertainity about how effective it is. Some of this uncertainity is because users here just can't test with a leaktest (arguably the most common form of 'testing' here) to judge it's effectiveness.

Other considerations and trends

Arguably, there can be a 4th class to account for execution control, process filtering, or whatever you call it. Kareldjag calls products like anti-executable ,Abtrusion Protector that only do this, HIPS pure white list.

In my classification, there is no need to create a special category for anti-executables, as they will fall into the first class of HIPS. Might not be historically or technically correct, but i think not worth making a big point.

There's also a new trend with Notok/Prevx is driving with the buzzword "community". Trying to distinguish themselves from their rivals, Prex1 coined the term CIPS? They hype themselves as not just a behavior blocker! Community based warning systems are not new, but from what I can interprete from what Prevx1 is saying they have pretty muched licked the problem of automatic analysis of malware samples with little or no human intervention!!!

Time will tell if this will result in yet another HIPS class.

And there also seems to be a trend towards combining approaches which makes sense of course with HIPS adding blacklisting (despite huge protests by a certain ErikAlbert).


So dear wilders members which of these 3 types of HIPS do you favour?

Knowing most people here they will end up with all three!!!

Already I see people recommending the free Cyberhawk + SSM! Why stop there? Add Geswall or Sandboxie!

 

Nice start

Only the model gets more complicated: Classical HIPS are often devided into white list and black list protection. So according to you there are four classes: classical black list, classical white list, virtualization/sandboxing and behavior. In more understandable words: blocking the bad ones, allowing the good ones, seperating treath gates/risky aplications from trusted applications and aplications which detect anomolies or abnormal behavior.

To complicate the above, a lot of security experts make a division of network level and application level

When you start categorising applications you soon find out that a firewall like comodo has a white list approach (allow only the good ones), blocks known internet attacks/tricks and warns when modified (good) applications try to connect to the internet. So it does a nice job at the network level.

At the application level Comodo does not protect f.i. calculator to get injected by Zapass (but then it is a network firewall and not a application firewall like Antihook).

On the other hand a behavior HIPS like CyberHawk is using sniplets to faster recognise mal-ware. Since a lot of malwares are variations on a thema. With a part of the coding (sniplet) you can recognise the bad one. Is this a fulll fledged black list? According to the CyberHawk tread two different members of CyberHawk support had a different opinion. One said CB still is a behavior based HIPS (true), the other said CB also used a black list.

Kareldjag advises not to use overlapping HIPS, so a categorisation which helps with setting up a layered defense should be useful. I think it is a brave try, it will be difficult to setup a common terminology (still I reward the effort).

Regards

 

I have moved on to the third category from the first. I still have sandboxie that I use occasionally.
I have been using different flavors of HIPS for a couple of years and have learned that they are extremely good at blocking leaktests and other malware testing tools and learn you about what happens "behind your back"
I have no reason to think that they wouldnt the same good job with real malware.

But I have done the math; I will have to click about a million times (well at least it feels like a million clicks ) on popups that are not reporting anything malicious before I encounter live malware. That´s why I am leaning against category three (Prevx1) where the behaivour is analysed rather than whitelisting everything.
And yes, they require some trust from the user. But from my experience I can do that since malware is hard to find if one uses even just a little common sense. The community is probably much better on deciding what is good or bad than me, who got tired of the popups with every install so I turned them off while installing, and "life" is sooo much easier now

 

I favour Sandboxing HIPS over others. Easy to use, less pop ups and good security. Only HIPS for novice.
On the other hand classical HIPS are favourite here at wilders, partly because these were the first ones to be introduced and mature.
Regarding development of HIPS- classical HIPS aree rather mature, behavioural blockers are still in neonatal period and Sandboxes lie in between.
To me terminology does not matter as long as u understand the nature of the software.

 

Well, I will need one or more of these softwares as a temporary protection until the next reboot and I will take the easy ones of course.
I wouldn't trust them as a permanent protection. Too many different malwares on the internet. I need something stronger to make sure my computer is clean.

 

That something might not exist!

 

I use a hybrid Sandbox/Behaviour Analyser. http://defence.net.nz/solutions/finjan_guard.asp
Shame they discontinued it. I still use it and it still protects. I also use Prevx1. Minimum user interaction is my goal.

muf

 

Currently, I don't like HIPS or Sandboxing.

Today I changed my limited Behaviour Analyser, the SnoopFree Privacy Shield (Keyloggers), to try a bit a more complete Behaviour Analyser, the Cyberhawk.

 

VERY interesting analysis VC. Well thought out.

I also like the categorization done by CastleCops at...
LINK.

 

I plead guilty , but let me expand for those who don't go back too far (see here for one somewhat dated example post). I tend to view this as a gross hierarchy. Correctly configured, these 4 areas (together with a router) should be about as secure as anyone could stand and much more than most need. Each layer brings both intended and unintended consequences. Average users should neither require nor desire to implement the entire package listed above.

The key words here are probably "at least".

Devil's Advocate covers the descriptive part well, so let me just cut to the chase....

I've noticed this trend as well, and it does beg the question of what everyone is trying to protect themselves from? I realize the answer is a generally nebulous "stuff out there" and it is difficult to turn a critical eye on this area without sounding as though one is all too casually advocating reckless behavior, and I'm not.

I've said it before and will repeat here - if a multifaceted security package (i.e. layering) makes your online existence more secure and productive or enjoyable, then by all means go for it. However, layering is not piling on one application after another. There is an element of rational design required, and that requires some level of understanding how all the pieces fit together as well as their primary function.

As I noted before, to me an AV (or suite) and a router are a basic cornerstone for the average user. That's where I start. I start there since average users generally are not equipped to render a cold assessment of whether a piece of software is malware or not before the fact. Practical experience shows that the average user's record is dicey on this count even after the fact. Most casual users should stop here and learn how to use these tools effectively, together with some modicum of operational file system hygiene (periodic cleanout of temporary file locations). One irony of the market is that as the primary AV's (KAV, NOD32, and so on) get better, more and more security add-on products seem to appear on the horizon. There's a disconnect here. It naturally begs the question "Are they all needed?"

At this point, most users seem to ask, "What else can I add?" rather than "Where are the potential gaps?". Addressing the second question is a little more difficult than the first since the gaps will be very dependent on a number of user and machine specific variables. However, I included a memory scanner since, in my estimation, if there was a gap, one of the more likely routes was via repacked/obsfucated malware. One can debate the merits of that recommendation or whether it is relevant today, but that is why it was there, to address a specific potential deficiency.

From a security perspective, a firewall is a purely recovery measure. If it is needed, some level of compromise has already occurred. I use a firewall, but not as a security measure per se. Rather, to me it is a control measure pure and simple and I use it at the application level. Some applications are allowed to communicate to the outside world with impunity, others are not, end of story, at least for me. I don't do rules, I don't scan logs, I answer an allow/block prompt for new and/or changed applications and call it a day. There is a lot of merit in learning the details of firewall operations, it's just not something I wish to pursue.

Which brings us to that last layer, HIPS. I've tried a good number of these products for both short and extended periods of time and, at the end of the day, have found most of them wanting in either some or many respects. They certainly haven't evolved as quickly as I had hoped they would, nor have many gone in a direction that is really suited to the mass market. Most work as advertised, so that's not a problem. However, how many times does one need to say yes while launching old applications? Sure there are learning modes, although I would personally prefer a blanket local whitelisting scan before use.

In the hands of a novice, some of these applications can be as dangerous as the malware they try to reign in. All of these applications work if positioned properly, whether they're needed is another question. My own quest is to have minimal intervention of the other family PC's by myself. This is why I focus on average and/or casual user needs. In this segment very minimal user interaction is generally the goal.

One reality is that the coverage scope of "AV's" has expanded significantly over the past many months. As that has occurred, the need for multiple products to address specific gaps has lessened. A little over a year ago, a thread was started asking You can only have 4 Anti-Malware apps: What would you run? In the ensuing year, the options available to a user have certainly expanded substantially. On the other hand, based on some of options available today and assuming you do want some level of backup, I do believe that it is worthwhile asking if you really need more than two anti-malware apps running. If one of these two were a HIPS, I don't know which class it would be, but it would be a quiet one for me. Of the current options, Prevx probably provides the closest to my ideal. As for multiple applications in the HIPS class, I really can't imagine this being a stable or recommended approach.

Blue

 

i favor CIPS like Prevx1. it adds a layer of protection without the need to answer many pop-ups.

 

Nice effort DA
As per Blue's observations:
There appears to have been an explosion of HIPS/IDS/virtualization tools.

Not counting "suites" from every purveyor of security apps.

Convergent evolution in action.

Hard to keep it all in perspective and v.hard to do standardized tests with global relevance for basic users (like me ) to gain perspective.

Tongue in cheek: Now all you have to do is decide which is "the best"

So many options...

Regards

 

Nice work, DA!

Some addition (as I am sandboxing advocate as you said!). Sandboxes are the most approximate "set and forget" HIPS solutions. Also, within corporate environment it means less IT stuff load (and less TCO) as other type HIPS.

P.S. DefenseWall has a very limited registry-level virtualization, because its main aim is not a virtualization itself but user's protection. I've already posted here some disadvantages and problems of the full virtualization technique.

 

So in addition to virtualization DefenceWall relies upon what? Some rules for applications, restrictions etc?

Can u mention briefly?

Thanks

 

Policy restrictions.

https://www.wilderssecurity.com/showpost.php?p=803400&postcount=4

 

Didn't you ask him that question before and he answered?

https://www.wilderssecurity.com/showthread.php?p=803953&highlight=virtualization#post803953

Anyway, as far as I can see from his answer, I don't think there is anything really wrong with file system virtualization, as long as it is backed up with sandboxing , restriction of various privileges etc which they all do. I mean something like Altiris® Software Virtualization Solution™ (SVS™) for example which seems to be pure virtualization without any restrictions (beyond the normal limitations of the technique) would be closer to what he means. Probably rollback solutions like Shadowsurfer etc.

These don't protect you from anything the malware does in session before it is removed. But stuff like Bufferzone and sandboxie are not like that.

 

Ya, I do remember now.

 

Thanks. Just forgot an older discussion!

 

*** Hear, hear ***
Kareldjag also states that it is best to look at the specifics of HIPS: black list/white list - sandbox/virtualisation - behavior on both network level and application level.

For instance when you use Antihook (application level) you could disable the process modification protection of Comodo (which works at a lower level - the network). When you use SSM you do not nee'd CyberHawk's dll/data injection protection. When you use a AV with strong Heuristics (KIS or AVK) I doubt you will need CB, et cetera.

***
Regards Kees

 

*** Agree
Putting a lot of effort into a outbound firewall is like a bank worrying more on how the thiefs can escape than on preventing the theft
***

 

*** True, but . . .
For people using a free AV (like Antivir) CyberHawk is a great add-on. For a novice PC user black list and behavior protection are suitable. A white list approach requires to much knowledge and user intervention.

That is why PrevX due to its combination of approaches suitable for novice. A pity it scores not that good on test (Karelddjag and AV-comparatives). When I checked it it also slowed down surfing a little (maybe because it consulted the community data base).

Seamless security applications like BufferZone and DefenseWall providing virtualisation/sandboxing might also be suitable for novice PC users.

 

The Prevx used in those tests was a very old version, it even has that ugly black GUI, that doesn't exist anymore in the new Prevx1. Prevx1 is totally re-programmed and has many new features.

 

Erik,

Check out AV-comparatives, test of october 2006.
Click on the side bar tab comparatives, scroll down and click on a report-PDF of "Comparative of various protection tools"

(thanks Bellgamin for posting this info)

BufferZone, DefenseWall, GeSWall, Sandboxie, Viguard, Safe'nSec and KIS did not mis a single threat. CyberHawk missed one and PrevX missed 5.

Off course CyberHawk and PrevX stated that they would take counter measures.

Still PrevX is a user friendly ap and uses a combo of approaches. When you use other freeware like Antivir (blacklist plus some heuristics) plus CB (behavior plus sniplets) you have also user friendly protection.

Regards Kees

 

If one of my security softwares and Prevx1 is a part of it, misses one or more malwares, these installed malwares will be removed by my frozen snapshot during the next reboot anyway.
Of course my wish is to BLOCK as many as possible in order to prevent the installation or execution of malwares.

Prevx1 missed 5 of them, but this test is too small to prove anything.
A test bed has always winners/losers, but the same winners could be losers in another test bed. As long they can fix it, I'm not worried.

 

One of the things to consider here is that any test of Prevx1 reflects the status of the online database at the exact moment that the test is run - assuming the test is run online of course. It bears absolutely no relation to the status of the online database 1 second after the test, let alone now.

You should always bear in mind when looking at the test performance of Prevx1 that the database normally makes decisions after it receives data about a file. If it has never seen a sample before, or it hasn't yet been marked Bad, a query will be raised to ask if you want to execute it - if you say no, you are protected, something you don't get with your traditional AV.

It is also quite possible that the database will determine a file as Bad a few seconds after that first query. Prevx1 can't keep the user hanging on while every file is assessed fully. So, it's possible that a shortly after the first test a second test of the same file would yield different results.

As the report states, those 5 misses are now detected. And unlike traditional AV, you don't have to update you signatures/product to get them. Prevx1 always has the latest from the online database. As soon as it changes there, all Prevx1 users are protected.