Which HIPS?

Hi,

I just read through a HIPS comparison in CastleCOPS.
(http://wiki.castlecops.com/Host_Intrusion_Protection_System_-_Comparison)

And I was wondering if there is a HIPS (FREE OR PAID),

that you would recommend for a average user in VISTA Platform.

*SSM seems to take my interest, but is it good?*

Thanks!

 

Hi

I think if you want a HIPS that's non-intrusive you should get ThreatFire, PRSC, Mamuto or Prevx.

 

If you want something simple and effective then defensewall is the way to go.
System safety monitor is a great classical hips however the vista version is still in beta and has been for some time, i don't know when the final release will be. I'm also favoring online armor at the moment however their vista version is also still in beta.

 

Hi,

I have tried Malware Defender from torchsoft.com with Vista SP1.
It covers many areas and is neatly arranged at the same time.

If you are looking for a full featured standalone HIPS (with application- file- and registry-protection) and full control, then SSM or Malware Defender might be a solution.
Also Comodo 3 with its Defense+ HIPS, but it has a Firewall included.

Alternatively there are some others, like for example already mentioned Online Armor 3 Beta (mainly application-protection and registry-startup-protection), which are not full featured, but also offer a great level of protection.
With OA you can uninstall the Firewall part, if you like.

Cheers

 

Thanks for your replies.
I am already using DW on my other PC,
and I am lookin for a *STANDALONE* HIPS, (since I don't like AV,AS,AT active) that provides good protection.

Maybe when Vista version of SSM comes out, it will be the solution?

EDITED:
Nevermind. SSM seems too complicated to me.
It looks like it needs a lot of configuration to make it work.
Same goes to Malware Defender.

 

SSM works fine with Vista.

As for configuration -- simply put SSM into learning mode for a few days, & then "train it" by using your usual applications and doing your usual computer activites. SSM will watch, learn, and configure itself.

After that, turn off learning mode. This should result in a tightly secure SSM and few alerts thereafter. Once SSM is trained, when you DO get an alert -- pay careful attention to it before deciding whether to allow, block, etc.

There is a "pretty good" tutotial about SSM here at Wilders. The thread starts HERE but the good stuff doesn't begin until post #35 & thereafter.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An alternative to SSM is Online Armor (OA). The Vista-capable version is now in beta, but it is VERY stable. The beta can be downloaded at HERE. Install it using the trial key given at the download site.

If you want to be an "Official beta tester" then send a request via Forum Private Message to Mike Nash at OA's support forum. You can trial the beta without doing this, but it's nice to help out if you feel so inclined.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Before trialing ANY security app, it is a good idea to make an image of your system disk. Security apps are complex. Even the best of them can sometimes cause computer problems. Just a suggestion -- no offense if you already knew this. Good luck!

 

'Beta Test Team' thread was closed when the public beta was released.
http://support.tallemu.com/vbforum/showpost.php?p=51269&postcount=195

Cheers

 

I also heard that development of SSM is slow...?

 

안녕하세요 Ohmy

Yes, development of SSM has slowed in the last 6 months or so, but it is at present a very mature product offering tremendous security for those willing to learn how to take advantage of all it offers.

 

Nice Korean.
Does SSM provides decent protection?

 

Would suggest Threatfire,which works effectively and simply with a minimum of configuration or popups.

This is a behaviour blocker which defends a PC by examining and monitoring the actual behavior of files, background tasks, and processes in order to block and prevent any behavior consistent with that of malware such as viruses, worms, trojans, or rootkits.

However it also employs a white list .

Download here

Read the review "editors choice" here

Freeware and being actively developed by PC Tools.Now version 3.5

 

I also think ThreatFire is a great choice, but I think the future is uncertain for it because Symantec bought PC Tools.

 

Protection provided by SSM is very good. It is a "classical HIPS" that provides broad-spectrum protection. Those apps in the same HIPS category as SSM include but are not limited to: Comodo FWP (Defense+ module), Online Armor (OA), RealTime Defender (RTD), EQSecure (EQS), DriveSentry (DS), Safe'n'Secure.

Threatfire (TF) is a behavior blocker under the aegis of PCTools, which has sold out to the borg (Symantec - see Note 1 below). Other behavior blockers include but are not limited to: Mabutu, & Primary Response SafeConnect (PRSC). Also, Prevx 2 is *mostly* in the behavior blocker category.

AFAIK...
1- Of the above, those with whitelists &/or "communities" are Comodo FWP, OA, DS, Mabutu, TF, & Prevx.

2- Those with blacklists (AV components) are Comodo FWP, & OA (optional at added cost), DS, TF. NONE of those AV components is a full-fledged (real-time) antivirus. They are primarily look-up & on-demand. Ergo, those HIPS AV components will NOT (99.999% certainty) conflict with your real-time antivirus.

3- Of the broad-scope HIPS: (a) SSM lacks file protection {reportedly will be added by end-of-summer 2008}, & (b) OA lacks file protection & full-scope registry protection.

4- Of the above, those with firewall components (in addition to their HIPS components) are Comodo FWP & OA. The OA firewall can be uninstalled if desired. The firewall component of FWP is not easily gotten rid of.

5- OA has the unique & powerful capability to specify & configure applications such that they will always "run safe" (limited user rights). OA can also be configured such that ANY unknown app will only run safe.

More schtuff...
For a comparison between HIPS (e.g. SSM) and behavior blockers (e.g. TF or Mamutu), go to...
http://antivirus.about.com/od/antivirussoftwarereviews/a/hips_behavior.htm

For a great discussion of behavior blockers, go to...
http://www.securityfocus.com/infocus/1557

If you're interested in learning more about security, & enjoy a bit of tweaking, you would probably like a classical.

If you prefer your security apps to be more in the category of "set it & forget it", you would probably prefer a behavior blocker.

WHICH HIPS (the topic of this thread)? I have used or trialed all of the above at one time or another, & they are all good. Best course of action is to try them (make an image first).

The only one I would NOT recommend is Safe'n'Secure because it has no forum, & the speed of its e-mail support is slow-to-never.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE 1:
Here is the long, sad list of Symantec's victims...
http://en.wikipedia.org/wiki/List_of_Symantec_acquisitions

How many of them are still existent? Aside from the Norton name -- basically: zero.

 

Lets wait and see-even if some major unfavorable decision is made,the current available version,due to its nature- could still work efficiently for a long time

 

I would love to learn to use classical HIPS.
SSM looks fine, however...

1. I think it's way too hard for me. (didn't know what to do after installing)
2. Final version that is Vista compatible isn't out.
3. Slow development, that makes me wonder if it is actually going to last long.
4. I had massive pop ups when I first used SSM. (maybe problem with default setting?)
Thanks!

P.S would you rather recommend RTD or SSM?

 

I thought TF doesn't have a whitelist?
How can the OA firewall be uninstalled? I thought you could only disable it.

Thanks

 

I think OA is a great choice. You can whitelist your existing programs to reduce alerts and it has the limited user feature.

 

In settings you will have that option:

 

OK. Thanks. This is available for all versions (free and paid) right?

 

You need to put system safety monitor into learning mode after you have installed it so it will automatically create rules for you. While its in learning mode you should go thru and run all the programs that you use and also do a few reboots. This makes it much easier to use and generates far less pop ups.

 

I can't give you an answer on this question because i never had been using free version of Online Armor.

 

Great post Bellgamin! A good explanation on HIPS and their differences


@Ohmy:
I would try EQS 3.41, with Alcyon's ruleset. VERY light, and good protection with few pop-ups. EQS can be tweaked a lot and if you are willing, you can learn a lot of how system works and get used to a HIPS.
I think EQS is one of the best HIPS out there, because of it's flexibility.

My other choice would be OA, beacause of the "run safer" option. Also OA's popups display good information.

 

Hi,
I don't see the vista version of EQS

 

TF has a community, & its AI uses it as a partial factor in deciding whether a possible "bad behavior" is being done by a "white app". In other words, I think TF's *community database* is mainly used to reduce FPs.

To uninstall OA's firewall - on OA's GUI, click "Options" then "Firewall" tab -- uninstall button is on right bottom corner of the ensuing menu. {as shown by Creer in post #18}

In my post I said that ALL the HIPS listed are good. You should try them on for size.

 

Hi, thanks for you help.
But which one is a all-round standalone HIPS?
Like a HIPS as my only protection.
SSM seems to be the solution,
but the slow development makes me wonder if SSM
is going to be sold to some random company,
just like PCTools.
Thanks!