Firewall with HIPS? Or Without?

Discussion in 'other firewalls' started by bellgamin, May 24, 2014.

Thread Status:
Not open for further replies.
  1. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    No, I don't think that HIPS is superior to AG + ERP. I believe that even AG alone can be stronger than a good HIPS, though it depends. I just feel comfortable answering the incessant questions from the HIPS of OA or CIS.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    1. I have to disagree with this. AG is anti-exe combined with memory protection (anti-code injection), but HIPS protect against more suspicious actions.

    2. I'm using VirusTotal; if this service can't identify malware, I'm sure a standalone AV won't be able to do this either.

    3. Thanks, but I'm feeling a lot better now, and it's nothing life threatening, so not to worry. :)
     
    Last edited: Jun 5, 2014
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It's not superior, but it's yet another layer. What if anti-exe gets bypassed? I wouldn't be surprised if HIPS can still save you, because malware will always need to trigger suspicious behavior, and that will get caught by HIPS. :)
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    AppGuard also has features like write protection for system-space folders, private folder protection, ActiveX protection, write protection for key parts of the registry, etc. Describing AppGuard as anti-exe combined with memory protection isn't an accurate summary of how AppGuard works. AppGuard should not even be classified as an anti-exe; it is policy restriction with anti-exe features in relation to user-space.
     
    Last edited: Jun 5, 2014
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for correcting. I've read the AG whitepaper, but it's still not really clear. The main focus of AG is preventing exploits without using advanced methods like EMET. That's why to me it's an anti-exe app with limited HIPS capabilities. I say limited because, for example, Comodo and SpyShelter cover a lot more stuff.
     
    Last edited: Jun 5, 2014
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    More stuff? Such as?

    Also, in your opinion, how does Private FW's HIPS stack up against that of Spyshelter?
     
  7. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    So an additional layer to HIPS? It's a nice idea. I should consider using AG + HIPS (OA or CIS). Won't it be excessive?

    I guess the Registry protection is here.
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Two reasons why AppGuard is different from an anti-exe:
    1. It should be possible to configure an anti-exe to block execution from system-space if desired. With AppGuard, there is no whitelist and system-space executables can't be prevented from running, but they can be guarded.
    2. An anti-exe wouldn't normally continue to monitor a whitelisted application after the decision to allow execution had been taken. With AppGuard, guarded applications are continuously monitored for policy violations while they are running. Any behaviour that violates policy will be automatically blocked.
    It isn't helpful to call AppGuard an anti-exe because it invites false comparisons with true anti-exes, such as NVT ERP and VoodooShield for example, which could potentially be misleading. AppGuard has more in common with DefenseWall (policy HIPS) than an anti-exe, which is why I consider it more accurate to classify AppGuard as policy restriction.
     
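The two enforcement styles pegr contrasts above (decide once at launch versus keep watching guarded processes) are easy to confuse in the abstract, so here is an added toy model of both, written for this page and not taken from AppGuard, any anti-exe product, or the thread. The paths, process names, whitelist, guarded list and the "exploited browser" event sequence are all constructed for illustration; real products have far richer rule sets than this.

```powershell
# Added example, not part of the thread and not AppGuard's or any vendor's
# code: a toy model of the two enforcement styles contrasted above. The
# anti-exe model decides once, at launch, against a whitelist; the
# policy-restriction model lets system-space executables run but guards them,
# and keeps checking every guarded process for policy violations while it runs.
# Paths, process names and the "attack" events are constructed for illustration.

$SystemSpace = @('C:\Windows\', 'C:\Program Files\')   # assumed system-space roots
$Whitelist   = @('chrome.exe', 'winword.exe')          # anti-exe allow list (assumed)
$Guarded     = @('chrome.exe', 'winword.exe')          # user-space apps the policy guards (assumed)

function Test-SystemSpace([string]$Path) {
    foreach ($root in $SystemSpace) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Anti-exe: only 'launch' events are examined; a process that was allowed to
# start is never looked at again.
function Invoke-AntiExe([hashtable]$Evt) {
    if ($Evt.Type -ne 'launch') { return 'allow' }
    $name = [System.IO.Path]::GetFileName($Evt.Target)
    if ((Test-SystemSpace $Evt.Target) -or ($Whitelist -contains $name)) { return 'allow' }
    return 'block'
}

# Policy restriction: system-space launches always succeed (but run guarded),
# user-space launches succeed only for guarded apps, and guarded actors are
# blocked from writing to system space, persisting via the Run keys, or
# injecting into other processes.
function Invoke-PolicyRestriction([hashtable]$Evt) {
    $guardedActor = $Guarded -contains $Evt.Actor
    switch ($Evt.Type) {
        'launch' {
            if (Test-SystemSpace $Evt.Target) { return 'allow (guarded)' }
            $name = [System.IO.Path]::GetFileName($Evt.Target)
            if ($Guarded -contains $name) { return 'allow (guarded)' }
            return 'block'
        }
        'write'    { if ($guardedActor -and (Test-SystemSpace $Evt.Target)) { return 'block' } }
        'registry' { if ($guardedActor -and ($Evt.Target -like 'HKLM:\*\CurrentVersion\Run*')) { return 'block' } }
        'inject'   { if ($guardedActor) { return 'block' } }
    }
    return 'allow'
}

# Constructed scenario: chrome.exe has been exploited in memory and tries
# several things; winword.exe spawns a system-space binary.
$Scenario = @(
    @{ Actor='chrome.exe';  Type='launch';   Target='C:\Users\bob\AppData\Local\Temp\payload.exe' },
    @{ Actor='chrome.exe';  Type='write';    Target='C:\Windows\System32\evil.dll' },
    @{ Actor='chrome.exe';  Type='registry'; Target='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Actor='chrome.exe';  Type='inject';   Target='explorer.exe' },
    @{ Actor='winword.exe'; Type='launch';   Target='C:\Windows\System32\cmd.exe' }
)

function Compare-Policies {
    foreach ($e in $Scenario) {
        [pscustomobject]@{
            Actor             = $e.Actor
            Event             = "$($e.Type) $($e.Target)"
            AntiExe           = Invoke-AntiExe $e
            PolicyRestriction = Invoke-PolicyRestriction $e
        }
    }
}

Compare-Policies | Format-Table -AutoSize
```

Both models block the dropped payload.exe, which is the case an anti-exe is built for. The next three rows are the point of pegr's second reason: the anti-exe has already said yes to chrome.exe and has nothing further to say, while the policy model blocks the system-space write, the Run-key persistence and the injection because it is still watching the guarded process. The last row shows the first reason: neither model stops winword.exe from starting cmd.exe out of System32, and a real anti-exe could be configured to, whereas policy restriction only guards it.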
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    This is exactly the same thing I thought about AppGuard; it truly reminds me of DefenseWall in the way it protects the computer from malware. Too bad DefenseWall cannot be made for 64-bit versions, just too bad. Thank goodness, and thanks to Barb C, that we have AppGuard: a simple but extremely effective solution for quiet protection against all kinds of malware.
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    A HIPS - a good HIPS - is anyway superior to AG + ERP or a similar combination: a real HIPS monitors every action that happens in the system: programs, processes, services, activities, registry operations... and gives the power to check and settle what can do what, where, how and when.... it gives total control of the system.
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Perhaps in theory. In practice a HIPS may conflict with a lot of software, for example with Sandboxie, which is my other cornerstone of security together with AppGuard. And that keeps our system a more silent one, with no popups. A HIPS uninstall may also need a system reinstall. In my opinion, in many cases it is a sort of false feeling of security, and I stay away!

    I am not a gamer or a heavy installer of software.
     
  12. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Thank you. It reassures me to go on using HIPS.

    I agree that usually HIPS give more trouble than other approaches. Instead of reinstall I use snapshot time machines (Eaz-Fix or CTM) so no problem here.

    Though I believe that it gives true feeling of security - a feeling of 99.99% security :) - things can happen.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I can't speak for other combinations on XP, but in my experience, SSM and Sandboxie got along quite well. Sandboxie didn't require many accommodations. The combination made it possible to implement a hybrid security policy in which the sandbox could operate with a more permissive policy while the rest of the system remained default-deny. I haven't tried the combination with the Invincea versions of Sandboxie. If they haven't made any major changes, I don't see why the combination wouldn't work now.
     
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen

    I am not a gamer.
    ;)
    - conflicts: it depends on what you combine; I never had a conflict with the old GesWall for example, nor with Returnil or other software.
    - popups are the other side of HIPS security: if you want to check your system, HIPS have to alert you.
    - heavy program uninstalls: disk image software exists for this.
    - we all know that complete, absolute IT security is an illusion; HIPS are a very powerful component of a multi-layered defense.
     
  15. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Very glad to hear your good news, Rasheed.:)

    I was wondering if my setup of Sandboxie, Reboot Restore Rx, NVT ERP free plus on-demand HMP scans is enough? (I like the Windows 7 firewall.) Do I really need UAC?

    Plus just a thought, I have never had a problem with any HIPS and Sandboxie. I just wish there was a stand alone version I could use with WIN 7 64 bit.
     
  16. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    Outbound firewall detection is not as important to me as good inbound blocking.

    The AV-Comparatives report on inbound firewall protection sort of scared me off of using a lot of these third party software firewalls. Link here: http://www.av-comparatives.org/wp-content/uploads/2014/03/avc_fw_201403_en.pdf .

    I remember several years ago, before anything like the Windows firewall, when you'd get worms just by being connected to the internet. That has largely stopped since the advent of router firewalls and the Windows firewall itself. If a firewall cannot provide effective inbound protection to a user, it's worthless. I don't want a slide backwards towards that era of being easily infected remotely. Wasn't CryptoLocker spread through airport wifi using remote administration and insecure passwords? How would it have managed to do that when the user was running a firewall or security software? Maybe they exploited the same bugs in personal firewall software that AV-Comparatives outlined.

    Outbound protection is needed in the case where the user tends to execute files without verifying the safety of said file. But if the user has a tendency to do things like this, he will also have the tendency to just hit allow when the firewall prompt pops up asking to be allowed to connect to the internet. If your firewall is providing less than stellar inbound protection, as shown above by AV-Comparatives, you cannot trust it to secure your computer. Even if the program can be hardened by user settings, if you're getting as good inbound protection using the Windows firewall, there is little point to running a strict outbound firewall. You're getting as good security, and probably better if you believe the AV-Comparatives report, running something like AppGuard or an anti-executable and a good inbound firewall like the Windows firewall. If a malicious process can't run, it can't connect out, and these AE or software restriction apps don't fiddle with the strong inbound protection of the Windows firewall.

    Do you know what every instance of SVCHOST.exe should be connecting to, or the plethora of other Windows files and services? I'm an experienced computer user and even I find these prompts annoying. And if you're using a firewall's whitelisting technology, you can still be owned if you get hit with an exploit for that specific trusted application. Or if the malware author has managed to acquire a digitally signed file, your firewall may allow that file to run with elevated privileges anyway. You sort of have two choices with outbound protection: the whitelisting approach, or the approach that generates thousands of pop-ups when any program tries to use explorer or something legitimate tries to launch something through another process. Is this instance of SVCHOST.exe supposed to be running something through another process? I'm not sure. What's this new process that's running since the latest Windows update? Why has this digitally signed Microsoft file changed?
     
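Gein's post above argues that the built-in Windows Firewall's inbound blocking is what matters and that per-process outbound prompting (especially for svchost.exe) is hard to answer well. The script below is an added example written for this page, not from the thread or from any of the products discussed: it audits the inbound posture of the Windows Firewall, lists which enabled rules open inbound holes together with the Authenticode status of the program behind each, and shows the strict outbound posture done with a per-service rule for Windows Update instead of a blanket svchost.exe exception. It assumes the NetSecurity module (Windows 8 / Server 2012 and later; Windows 7 exposes the same settings through `netsh advfirewall`), an elevated PowerShell session, and an assumed browser path.

```powershell
# Added example, not from the thread: audit the built-in Windows Firewall's
# inbound posture, list the rules that open inbound holes (with the signature
# status of the program behind each), and show what the strict outbound
# posture debated here looks like when done with per-service rules instead of
# a blanket svchost.exe exception. Needs the NetSecurity module (Windows 8 /
# Server 2012 or later; Windows 7 uses "netsh advfirewall" for the same
# settings) and an elevated PowerShell. The browser path is an assumption.

# 1. Per-profile defaults: every profile should be enabled with inbound = Block.
function Get-InboundPosture {
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile  = $_.Name
            Enabled  = $_.Enabled
            Inbound  = $_.DefaultInboundAction
            Outbound = $_.DefaultOutboundAction
            Healthy  = ($_.Enabled -eq 'True') -and ($_.DefaultInboundAction -eq 'Block')
        }
    }
}

# 2. Enabled inbound allow rules, the program each applies to, and whether that
#    program carries a valid Authenticode signature. A valid signature only
#    identifies the publisher; it says nothing about whether the listener is safe.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        $sig  = 'n/a'
        if ($app.Program -and $app.Program -ne 'Any') {
            $path = [Environment]::ExpandEnvironmentVariables($app.Program)
            $sig  = if (Test-Path -LiteralPath $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'file missing' }
        }
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Program   = $app.Program
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Signature = $sig
        }
    }
}

# 3. Strict outbound: block by default, then allow one browser and scope the
#    Windows Update exception to the wuauserv service rather than to every
#    svchost.exe instance. Expect other programs and services to stop
#    connecting until they get their own rules. Revert with
#    Set-NetFirewallProfile -All -DefaultOutboundAction Allow.
function Enable-StrictOutbound {
    param([string]$Browser = 'C:\Program Files\Mozilla Firefox\firefox.exe')  # assumed path
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'Strict outbound: browser' -Direction Outbound `
        -Program $Browser -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Strict outbound: Windows Update (wuauserv)' -Direction Outbound `
        -Program '%SystemRoot%\System32\svchost.exe' -Service wuauserv -Action Allow | Out-Null
}

Get-InboundPosture    | Format-Table -AutoSize
Get-InboundAllowRules | Sort-Object Signature | Format-Table -AutoSize
# Enable-StrictOutbound   # opt in deliberately; this changes live firewall policy
```

The first two functions are read-only and answer the question Gein cares about: is inbound really blocked by default on every profile, and which rules (and which programs, signed or not) are the exceptions. The third is the outbound experiment and is left commented out because it changes live policy; the `-Service wuauserv` scoping is the answer to "which svchost.exe instance": the firewall can match on the hosted service rather than on the shared host binary, so you do not have to whitelist every svchost.exe to keep Windows Update working.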
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I guess you're right, but I was mainly talking about the method AG is using to protect against exploits. It's using anti-exe combined with some HIPS features. But I will ask for more info in the AppGuard thread. :)
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks, I was also a bit relieved. Now I can watch the World Cup 2014 in Brazil more relaxed. :)

    About your question, it's really up to you. It depends on how paranoid you are. And if you're not using HIPS, I would leave UAC enabled.
     
    Last edited: Jun 8, 2014
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I know what you mean, but that's a whole other discussion. And like you said yourself, inbound protection is already covered by the Windows OS and your hardware (modem/router). So powerful outbound protection provided by third party apps is indeed very important to me. :)
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have to disagree. I have used HIPS for 10 years on both Win XP and Win 8 without any problems. Of course not all HIPS are compatible with each other; it's a matter of testing. And you can't compare behavior blockers with anti-exe and sandboxes, because HIPS are watching for suspicious behavior (they can alert or auto-block), something other types of HIPS can't do. And making good decisions about these alerts is not that hard; it's not like it's rocket science. :)
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    With more stuff, I mean more filters. And SS seems to cover more things, but from what I've read, PFW is also quite powerful, with almost the same protection options. So depending on how paranoid you are, PFW is probably good enough. :)
     
    Last edited: Jun 11, 2014
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think it should be pointed out though that AG will block any new application that attempts to launch from the userspace in Lock Down Mode. In Medium Mode of protection AG will only allow digitally signed applications to launch from the userspace, and in Lock Down Mode AG will only allow applications that are on the guarded apps list to launch. Any application the user allows to launch from the userspace will continue to be monitored for policy violations as Pegr already stated above.
     
    Last edited: Jun 10, 2014
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    In your sig I note that you mention only the following realtime security apps: OA (w/HIPS operational?), NOD32 (AV), & AG. Are those the only realtime security apps you run? When do you run ShadowDef -- all the time or only at "certain times"?
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I use OA with its HIPS enabled. I also use NOD32 AV only, and AppGuard. I probably operate in Shadow Mode 98% of the time on most machines. I only disable it to install new software and update software. I use Shadow Mode on-demand as needed with a few machines that I'm using to do project work on. I use VoodooShield as well, but there are some bugs that are preventing me from using it at the moment. I'm working with the developer to fix the remaining bugs in VS 2 beta. I also test a lot of other software.
     
  25. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    That should be also enough to use. Regarding some previous post from another member about preferring hips software, I can say for sure that when I tried OA, it conflicted with Sandboxie. Slow login to user account, slow sandbox initialization. OA and SBIE just did not play together well on my Windows 7 computer. It was a year ago, so can't say if that is still the current state of things.
     