Types of HIPS

Discussion in 'other anti-malware software' started by Devil's Advocate, Oct 31, 2006.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @Blue
    Yes got it: agree.
    From the AV-C web site, I got the impression that was the set-up and the samples went straight through.

    Lbd.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My experiences with Anti-Executable were very good. You can't even install legitimate software on your computer with AE, unless you turn it OFF.
    I keep AE on my computer along with Prevx1.
    Unfortunately my trial period of AE is over and all the links to buy it are dead on their website.
    I will send them an email about that.
     
    Last edited: Nov 3, 2006
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Something I really didn't understand is whether PREVX warned about an unknown process trying to run.

    If yes, to me PREVX did already its job. The fact that a process is unknown is already an indication of suspiciousness, considering that PREVX's database is huge for a normal user using everyday applications.

    And even if allowed, it would have been targeted by the automatic/manual analysis within a certain period of time (and not instantly). Moreover, if I understood well, all changes from unknown processes are monitored by Prevx in order to roll back once the application has been determined as BAD.

    Am I missing something?? :blink:

    Cheers,
    Fax
     
    Last edited: Nov 3, 2006
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think you got it. If it does perfectly, I don't know.
    But sometimes it doesn't recognize previously allowed programs. Right now it doesn't recognize SSM. Maybe because of the update.
    Still the concept seems to be the best. But in prevention I use GeSWall alongside ComodoPF.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for the links, but I already tried these several times.
    The links "ORDER ONLINE" and "Online Store" don't work. Maybe it's a browser issue (IE and FF). Don't worry about it, I will fix it. :)
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You can't have a frozen snapshot in a different partition. FDISR works only in the partition where it is installed, usually the system partition [C:].

    I know that FDISR is NOT a security software, but that doesn't bother me.
    FDISR will work as long as it isn't compromised by malware, and if that happens, I have something else in the background to fix it.
    I studied my image backup and archived snapshot solutions also, 6 months before I started using frozen snapshots. I have a plan, but I can't do it all at once and finding the right software to do the job isn't easy either. :)
     
  8. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Couldn't have said it better myself.
    You understand it perfectly :D
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I'd say there is still quite a bit of misconception. Some people expect it to be a full-fledged AV, others expect it to be a full-fledged HIPS, expecting either (to their entirety) will lead to disappointment and questions about the how's and why's. The main feature of Prevx1 is the community database with the live reporting, lookups, and automated analysis, yet most of the questions revolve around behavior blocking... when the point is to see more malware than traditional analysis procedures and to have that info and detection available sooner (if further explanation is needed here, just ask). I mean that's fine if someone really likes the behavior blocking aspects of Prevx1 for what it does. It's also great if you want to use Prevx1 as an alternative to a traditional HIPS, but it's not, by far, the main purpose or extent of it; just one aspect.

    Of course, and much more, but like I say this is also what the community database is for (and Prevx1's primary feature). Any time any Prevx1 user goes to one of those sites, the info is reported in realtime (and often reviewed in realtime, depending). Getting the perspective of 100-1000 visits to that site is more valuable than just one researcher going there manually, especially considering some of those sites will drop downloaders that will distribute different sets of malware each time, and especially considering the inevitability that a user will have found the site first. The researchers don't rely solely on the community database, but that is where the majority of the info comes from anyway.

    It can't be set to block everything, just unknowns (which should be very few).

    It could be tested, just not the way that antivirus software is normally tested. For things like having detection added sooner you could actually search for the newest malware files that Prevx1 detects, or perhaps reports of new malware that nobody else sees, and compare.

    Those interested in the difference between Prevx1 and behavior blockers may want to read HERE and HERE.

    I won't "defend" Prevx1 here, and even as much as I have tried to remain neutral on the subject some seem to feel my presence has been too much so you'll likely see less of me here, but I would encourage people to come to CastleCops and to give due consideration to the links above to gain some insight about what Prevx1 is actually meant to do when considering the purpose of this thread; classifying different kinds of "HIPS" - that is if Prevx1 is to be included.

    Disclaimer: This post was not made as an official representative, and should not be considered an official response to subject matter in this thread. This response was made out of my own personal interest. If you wish to receive more official answers to any specific questions, please feel free to ask them over at CastleCops.
     
    Last edited: Nov 4, 2006
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Prevx had 5 misses, but Prevx did NOT fail.

    In my opinion, a behavioral HIPS &/or a whitelist/blacklist HIPS cannot fail -- in the strictest sense of the word -- unless it doesn't notify the user that an unknown or suspicious action/process is impending.

    I am quite certain that Prevx DID do its job of alerting that the 5 missed malware samples were either unrecognized or suspicious or both. It is true that Prevx missed 5 malware samples -- that's a database issue. In light of Prevx's alerts, a *prudent user* would have queried & waited for Prevx to respond. Not a tester -- a USER. Not just any user -- a PRUDENT user.

    Ergo, IMHO it is absolutely NOT true that Prevx "failed" in any programmatic sense.

    You might not agree with me but I firmly believe that, once a HIPS issues a pop-up alert, it is the USER who might fail, not the HIPS. By the same token, if a user answers "block" to a HIPS pop-up, it is the USER who passed the test, not the HIPS.

    AV-Comparative's tests demonstrated that the Prevx community had not yet encountered 5 of the particular malwares used in AV-C's tests. This isn't surprising because I would expect that the majority of those who comprise Prevx's community are security conscious -- else they probably wouldn't be using a program such as Prevx -- so they aren't as likely to pick up all the various flavors of malware in the first place. Even so (as I said earlier) -- a miss is a miss is a miss.

    When an exploit succeeds against a HIPS-protected computer, it is nearly always the USER who has failed, not the HIPS app itself. There is an altogether fascinating give-and-take discussion of this issue in an on-going Wilder's thread about a relatively new *classical* HIPS called ProSecurity.

    The discussion about saving users from themselves begins at Post #73 on PAGE 3. Keep on reading that thread down through post #80, with special emphasis on posts 74 & 75 & especially 78. The illustrious Stem plus other security gurus are involved, so it's a real eye-opener. At least it was to me.

    P.S.- There are some HIPS that are developing ways to ***save novice users from themselves***. Prevx & Cyberhawk are in that group. In a way, so also are all the sandbox-type HIPS such as DefenseWall, BufferZone, Sandboxie, et alia.
     
    Last edited: Nov 3, 2006
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Isn't that observation a little unsettling?
    Surely users of the other utilities tested at AV-C are security conscious, yet their databases and effectiveness were up to scratch for that sample at least?

    PS I hope the coders at ViGuard and PrevX have made a substantial donation! :D
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Said from you I take it as a compliment! :D :D
    Fax
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    VERY few if any of the other apps in that test obtain their malware data primarily from their community of users. Prevx, on the other hand, does. So the degree of security consciousness on the part of the users of the other apps is of lesser significance than it is, perhaps, for Prevx.

    Prevx is largely unique in applying a *community concept* as a primary source for obtaining whitelist/blacklist info. However, as I understand it, Prevx is by no means totally dependent on its community for malware info. It has other sources, as well, so I'm told.

    In any event -- although I am not a particular fan of "let-us-do-the-driving" security apps -- I will lay odds that Prevx will ace the next test. Me, I still prefer to drive a stick-shift. ;)
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Bellgamin,

    I like your humorous comments and you have led us to info (like AV-comparatives) that at least I had missed.

    In this case I disagree with the statement you (and a lot others) are making.

    -1-
    When you state that a simple warning that an 'unknown' executable is launching is sufficient to pass a test, then Windows XP passes the majority of the tests, because XP warns you that you are launching an unknown program for the first time.

    -2-
    The test IBK performed (of AV-comparatives) was to find out how strong behavior based protection and virtualisation protection was. Therefore he did not allow some contenders to use their black list database. The purpose of the test was to check whether the malware slipped through the virtualisation or the behavior anomaly criteria of the applications tested.
    Testing with this purpose in mind PrevX failed 5 and CyberHawk failed 1 test.

    Closing remark:
    The positive feedback you are giving developers of security software (like you did on DefenseWall) on usability and consistent design principles is very professional. In fact, if it was not for the fact that you are probably a pensionado (the kind of language you use) and live in Hawaii, I would have tipped a recruiter of my former company (a market leader in the area of software testing) on your capabilities.

    Regards Kees
     
  15. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Well, as Prevx had online access, Prevx also had access to its blacklist database (and if a file had been reported as such, it would be blocked/reported and exceptionally counted as such).
    A db of 18+ million whitelisted files isn't that big. There are also other tools available which work on whitelists of files which have over 3 billion files included (and still flag many applications as unknown).
    For example, if Prevx has a large English-speaking user-db, a French user who wants to install French software or a version that is not added yet will be told not to let it run because it's unknown (which could be considered an FP if you want to count that as detection).
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Obviously yes, but there is a big difference between unknown to your computer and unknown to a whitelist/blacklist database with millions/billions of entries!

    Good point! :D :D
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re: Introduction to HIPS nuances

    Currently HIPS are gaining in popularity. With some critical remarks (on f.i. PrevX) it might look like I am not a fan of PrevX, but the contrary is the case. To explain why I am positive on the PrevX approach I first need a lengthy explanation.

    When you look at different HIPS, they can be characterised by the basic approaches they use. HIPS often use different approaches in one solution. That is why it is so confusing to understand them.

    At the highest level there are 3 main approaches (1, 2 and 3) with each some sub-approaches (the A's and B's).

    1) Using signature based reference lists.

    A) black list approach
    This is common in most AV and anti-spy applications

    B) white list approach
    This is common part of classical HIPS applications (like SSM, Antihook, Dynamic Security Agent, ProSecurity, Process Guard, Appdefend, et cetera).

    2) Using intelligent pattern recognition

    A) heuristics or code patterns recognition:
    These actively or passively scan parts of code for potential malicious activity; the idea is to recognise code patterns in an intelligent way, whether the code has good or bad intentions. Heuristics is becoming an important add-on to AV-programs. Some even have artificial intelligence rules engines to evaluate those code patterns.

    B) behavior blocking or application/process behavior patterns.
    This type of security software recognises potentially dangerous behavior (like dll or data injection, or adding a hidden process/registry entry). The intelligence and limitation of this type of security software is that an anomaly (strange behavior) is not per se malicious. Most of the classical HIPS also use this as a part of their security approach (e.g. Antihook, SSM, PG warn/prevent when software tries to inject a dll into another process). Some firewalls (like Comodo) apply this on the network level and some innovative AV's have extended their heuristics with behavior blocking.

    3) Separating the execution environment.
    These fall into two main classes (with each two sub-approaches). The classification gets 'blurred' because the terms Sandbox and virtualisation are used together. Therefore in the Netherlands we use this type of classification.

    A) access right restrictions ("sand boxing")
    This approach is aimed at restricting the rights the user has to perform. This type of protection has two main differences:

    - The ones which only affect the "privilege restriction" of programs.
    Examples are DropMyRights and Amust Defender; these are also called "Sandboxes". The down side of these privilege restrictions is that they also limit the user in functionality.

    - The ones which also affect the "privilege restrictions" of files which are created by those programs.
    Examples are GeSWall and DefenseWall. They remember the trusted or untrusted state of the files created. The advantage of this type of programs is that they use "seamless security": no restriction in functionality and no separation of file and/or operating system. Seamless is sometimes also called virtualisation (one of the reasons for confusion).

    B) Virtualisation.
    This approach is aimed to allow the user to make bigger changes in the registry and file system because they do not really affect the underlying system.

    - Virtualisation affecting the file system only
    This type of programs separates the virtualised applications from the file system. So they make the changes in a separate file layer. The changes can be turned back afterwards. Examples are Sandboxie and BufferZone. This type of programs also applies rights restrictions (inside and outside the virtualised file system).

    - Virtualisation also seperating the OS-system
    This type of programs separates the virtualised system including OS from the protected system. Some applications require another OS in the virtualised system (like VMware), others separate snapshots of the same OS (First Defense ISR).

    Continued . . .
     
    Last edited: Nov 4, 2006
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re: Types of HIPS nuances

    At last making my point.

    To reduce the user interaction of security applications, hence making them more suitable for novice users we see some innovative combinations.

    1. AV-programs combining heuristics and application behavior. A pity is that the really good ones are paid.

    2. Smart behavior programs like CyberHawk. The CB team is able to cross the boundaries of what specialists had not thought was possible with behavior blockers. The general idea was that to reduce false positives the behavioral blockers would only be able to protect against generic threats. Hence the level of security would not be that strong. The CB-team is doing a remarkable job in user friendly and strong protection.

    3. Intelligent use of white list protection. PrevX uses the community to set up a large database with white listed programs. When the behavior analysis part of PrevX discovers something abnormal it first checks the community database. This is an intelligent way to reduce the required user interaction and to reduce false positives. To limit false NEGATIVES (e.g. missing a malware), they added a black list. In this way they compensated for the traditional limitations of a behavior blocker.

    4. Policy/access restriction software like DefenseWall is doing a remarkable job on easy to use protection within its class. Once installed, novice users do not get any pop-ups or have to mess with settings. GeSWall is also doing a great job (and it's free), but requires more knowledge. But DefenseWall is ahead of GeSWall in user friendliness.

    Erik (Albert), see I can be positive about PrevX.

    Regards Kees
     
  19. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Looks like the same old arguments about the right testing methodology for HIPS... Discussed here dozens of times already.

    It occurs to me that cyberhawk type products don't have this problem: assuming that the FP of cyberhawk is similar to that of antivirus products, one can just treat cyberhawk exactly like an AV, and trust its warnings explicitly. But you need to test for FPs like normal AVs too of course.

    I'm also curious about one thing: the test says cyberhawk, KAV, Prevx1 etc blocked malicious actions of malware, which I presume means it ran for a while first, tried to do something malicious, which cyberhawk spotted and stopped.

    In practice is this as good as the resident shield of an AV? My understanding is that the AV would block the malware from even running. I also guess that you must have some criteria to decide what actions are considered malicious?
     
  20. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    For me, the more you explain the more confused I get. Maybe you should stop explaining so much. Differentiating yourselves from the competition is good, but I think when most of your core audience gets confused about what your product really is about, you should probably reconsider your strategy on how you position Prevx1.
     
  21. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    I can't really debate the different methodologies of utilities
    @Bellgamin:
    From IBK:
    I am paid up PX user and intend to stay that way.

    This is exactly what PX users have been waiting for:
    An unbiased recognised respected tester to put it (PX) through some paces!
    OK so it wasn't perfect. Nothing is.
    No blather about not real world testing, unfair, yaddah, yaddah...
    Heh; no complaints from any vendor who got 100% ! ;)
    The vendors were told of the test results prior to release of the results and have responded.
    PX needed a quick reality check.
    Many insightful users have been posting some concerns for a while
    All good.

    Personally I will be doing everything I can to send as much malware as possible :shifty:

    I am grateful to IBK for helping to make a hopefully good thing better.

    @Bellgamin, heh, stick shift V auto eh.
    Just want some extra security on the information superhighway
    I Would never have used PX alone.

    Regards.

    PS database of ~18 mill sounds good but there are bigger ones.
    The comments re languages opens another huge window. :eek:
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Devil's Advocate, please have a look at my previous post (HIPS categorisation)

    A common AV uses a black list. It will protect you earlier than a behavioral blocker WHEN it is in the black list. For zero-day attacks (not in the black list) the AV would probably fail (some paid AV's have strong heuristics and behavioral analysis also).
    The nice thing about a Behavioral Blocker is that you have some form of protection against zero-day threats. Meaning as soon as the (dormant) malware does some evil, the Behavioral Blocker kicks into action. In such cases a Behavioral Blocker protects you earlier than the AV (only).

    Regards Kees
     
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I'm glad you like my warped sense of humor. But all kidding aside, my main point was this -- when a HIPS pops an alert, it is the USER who is being tested, and not the HIPS.

    To a great extent most HIPS are protective TOOLS. To illustrate -- A hammer is a tool. You can use a hammer to put bars on your windows so as to keep intruders out. The hammer doesn't install the bars. You do. A HIPS doesn't stop intruders. You do.

    If a HIPS gives the user *options* (such as block, allow, query) when it spots unknown or suspicious schtuff, then only its database/rules can be tested. The user has the last word.

    On the other hand if there is ever a HIPS which actually MAKES the decision (such as block, allow, query), rather than allowing the user to do so, then the HIPS itself can be tested.
     
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I agree with Bellgamin. Except the HIPS that pops the query has to "see" every action that is critical. In order to give the user the option to block. Step by step. Nothing can get through without the user's consent/ set rules.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I still prefer Anti-Executable. It creates a whitelist of all executables on your actual harddisk and blocks anything else after that. A simple and very effective solution, which is very easy to understand.

    AE won't protect me against malware that uses whitelisted executables to do its evil job (= exploits).
    So I still need software that protects me against exploits; which one I don't know yet.
    Is that enough or do I still need something else o_O
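    As an added illustration of the two models this thread keeps contrasting (the layered whitelist/blacklist/behavior flow Kees1958 attributes to PrevX in post #18, and the snapshot whitelist ErikAlbert describes for Anti-Executable in post #25), here is example code that is not from the forum or from any of the products named; the Verdict names, the SUSPICIOUS behaviour set and the sample binaries are all constructed.

```python
"""Toy model of the execution-control decisions this thread contrasts.
All names, rule sets and sample binaries here are constructed for illustration."""
from __future__ import annotations

import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"  # the product hands the decision to the user


# Behaviours a classical behaviour blocker (approach 2B in post #17) flags.
# Constructed set, not any vendor's actual rule list.
SUSPICIOUS = frozenset({"dll_injection", "hidden_autorun", "driver_load"})


def digest(blob: bytes) -> str:
    """Identify an executable by SHA-256, the way a white/blacklist entry would."""
    return hashlib.sha256(blob).hexdigest()


def snapshot_whitelist(installed: dict[str, bytes]) -> set[str]:
    """Anti-Executable style (post #25): whatever is on disk at install time is trusted."""
    return {digest(blob) for blob in installed.values()}


def decide_strict_whitelist(file_hash: str, whitelist: set[str]) -> Verdict:
    """Approach 1B alone: an unknown binary is blocked, never prompted."""
    return Verdict.ALLOW if file_hash in whitelist else Verdict.BLOCK


def decide_community(file_hash: str, behaviours: list[str],
                     community_whitelist: set[str], blacklist: set[str]) -> Verdict:
    """The layered flow post #18 describes: a behaviour anomaly triggers a lookup,
    the whitelist limits false positives, the blacklist limits false negatives,
    and only a still-unknown binary reaches the user."""
    if not (set(behaviours) & SUSPICIOUS):
        return Verdict.ALLOW   # nothing abnormal observed, so no lookup at all
    if file_hash in blacklist:
        return Verdict.BLOCK   # known bad: decided by the product
    if file_hash in community_whitelist:
        return Verdict.ALLOW   # known good elsewhere: a whitelisted binary clears
    return Verdict.PROMPT      # unknown: now the USER is being tested


def run_scenario() -> dict[str, tuple[Verdict, Verdict]]:
    """Evaluate constructed cases under both models; returns (strict, layered)."""
    installed = {"editor.exe": b"MZ editor v1", "updater.exe": b"MZ updater"}
    local_wl = snapshot_whitelist(installed)
    community_wl = local_wl | {digest(b"MZ popular-freeware")}
    blacklist = {digest(b"MZ known-trojan")}

    cases = {                                    # (binary, observed behaviours)
        "known_good_idle": (b"MZ editor v1", []),
        "known_trojan": (b"MZ known-trojan", ["hidden_autorun"]),
        "unknown_injector": (b"MZ fresh-sample", ["dll_injection"]),
        "unknown_benign": (b"MZ logiciel", []),  # IBK's French-software case
        # Post #25's caveat: a whitelisted binary driven to inject by an exploit.
        "abused_editor": (b"MZ editor v1", ["dll_injection"]),
    }
    results = {}
    for name, (blob, behaviours) in cases.items():
        h = digest(blob)
        results[name] = (decide_strict_whitelist(h, local_wl),
                         decide_community(h, behaviours, community_wl, blacklist))
    return results


def user_decisions(results: dict[str, tuple[Verdict, Verdict]]) -> int:
    """How many cases the layered model pushed back to the user (bellgamin's test)."""
    return sum(1 for _, layered in results.values() if layered is Verdict.PROMPT)
```

    Note that both models clear the abused whitelisted editor, which is exactly the gap the post above says AE leaves open, while the strict snapshot blocks the unknown-but-benign program that the community lookup waves through.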
     