If you are about to run a trusted program, which of the factors on this picture would you OFTEN set to "Ask" just to be on the somewhat paranoid safe side?
It depends on the program. Specify a category; for example - browsers. Also, the way a HIPS works is you are creating rules to protect the process, file, registry area, etc. against malicious activities by unknown or untrusted processes. Or you are restricting what a activities a known process can perform such as execute, create a child process, etc.. Conversely, a behavior blocker is monitoring a process for maliciously activities against other processes. Here a process's trust or reputation status would factor into what activities should be monitored. Likewise behavior blocker rules are global in nature whereas HIPS rules are specific.
Itman -- I understand that. What I am asking for is "IN GENERAL". For example, a very few programs should ever initiate a shutdown, or logoff, or write to a protected registry area, or terminate a process. So an "Ask" popup (not a "Deny") would be a stimulus for an occasional "pause & consider". A casual user of, e.g., Private FW (with HIPS) can easily get into the habit of quickly doing an "allow always" for, say, 7-zip, or his beloved email client, or any number of other long-used & trusted apps. An "allow always" puts every item on the list in the allow column, as shown (real example) in the picture. Unfortunately, those apps would then have big power to screw things up if ever they were contaminated. On the other hand, if the "allow shutdown" item was designated "ask" instead of "allow", then -- if I got a popup saying my trusted browser is attempting to shut down Avast" I *might* ask myself "WTF?" IMO, blanket "allow-always" can be a hazard if that option puts "allow" on every item in the list I have shown. In other words, WHICH items on the list should have to be intentionally placed in the allow list instead of automatically being placed there by "allow always"? To put it another way: Which are the most *dangerous* powers on that list?
Dusting off old notes... All. None. It depends. You'll get as many answers as people who used Private FW. For what it's worth, on Windows7 I paid special attention to: Terminate process Set hooks Promiscuous or raw sockets Adjust privilege Physical memory operations Write protected registry Manipulate protected file objects Terminate threads Set windows hook Initiate shutdown Installers, temp use, always a thing to watch. And I was always confused, so don't take my list seriously. OA and SSM and Outpost and Private all use different words. It's confusion galore in the HIPS world.
Private Firewall is a "re-bagged" version of the commercial Dynamic Security Agent product developed cira 2004 with certain commercial features disabled. It can best be described as a combo anti-exec and behavior blocker. When an undefined to it process attempts execution, you will have to specify what Windows API's you want to monitor for the process. Note that the previous posted screen shot of action descriptions correspond to Win API's; e.g. "set windows event hooks" corresponds to SetWinEventHook and "set hooks" corresponds to the SetWindowsHooksEx API, etc.. Per the PFW .pdf: I believe it has default predefined Process Inspection rules for Win trusted system processes, browsers, and other select app processes. I also believe the process "trust/untrusted" status factors into what default rules are created for it. All I will say is PFW is "ancient" software minimally maintained by the developer. By that, I mean it has only been updated for new Windows OS version compatibility; not so for apps that use new features in those versions. I also question its current API monitoring capability since numerous new API's have been created since the Win XP days. Again what you have here is a commercial product designed to be configured by system pros with Win OS internals training. Bottom line - they are all potentially dangerous.
HIPS = Host-based Intrusion Protection System. HIPS have dropped out of favor because they make you actually stop & think. @ trott3r- The picture I showed above is the HIPS component of PrivateFW (PFW), free at HERE -- its home base. The HIPS component is labelled "Process Monitor" on PFW's GUI. To view the list I have shown above, I right clicked any one of my computer's processes listed on the Process Monitor, & then I clicked on "Custom Rules". That Custom Rules list is PFW's HIPS. Over & above PFW's HIPS & firewall abilities, it has a rather odd but powerful component that looks like this... That panel used to be a stand-alone called Dynamic Security Agent. It enables me to train PFW so that it knows some stuff about the idiosyncracies of each & every process on my computer, such as how much cpu each process *normally* uses, & its normal thread count. PFW lets me set a flag as to how big a percentage deviation from *normal* should cause it to alert me. In the picture above, PFW is set to alert at a deviation of 60% or more. On this same panel, PFW also lets me view Parent & Process lists so that I can mess with allowing or disallowing access. (I have never felt competent to mess with PFW's settings here.) Finally PFW monitors email volume, sets norms, & tells me about major deviations. (I have never enabled that aspect of PFW's monitoring.) ~~~~~~~~~~~~~~~~~~~~~~~~~~ @ act8192 - Ah yes, OA (Online Armor) & SSM (System Safety Monitor) -- great HIPS they were. I still have a copy of SSM stuck away somewhere on my desktop computer. Also Dr. Solomon & a VERY old copy of Mcafee AV. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @ ITman -- still more words but no answers. Ah well, I see you do not worship in the temple of oldies but goodies. As I recall, PFW's last full version issuance was sometime in 2008-09. That's not exactly ancient (I, on the other hand, AM ancient. 87 that is.) PFW is not a rebagged verion of Dynamic Security Agent (DSA). PFW includes DSA as a tab, which I pictured above. PFW's HIPS component was never a part of DSA, and the FW portion of PFW is much improved & configurable, versus the invisible but competent FW included in DSA. I get it... you are an IT & know a lot more than me & you are not a fan of PFW. No problem. Actually, I wish I could find something as light & friendly as PFW, with a HIPS, but I don't want to pay the excessive price demanded by SpyShelter, & Comodo's FW with D+ is simply too manipulative in installing unwanted stuff even though I was careful to uncheck that stuff during installation of the FW. In any event, my main *SECURITY* app is not a FW nor is it an AV. It is AOMEI. With AOMEI -- not a cough in a carload... & Bob's your uncle. Aloha to all from Hawaii, Bellissimo
Emsisoft has changed a lot of things in the recent versions but I believe you can still create custom application rules. The thing to note is the monitoring options are by potential malicious behavior which is the correct way to do so these days:
There is also ReHIPS that a lot of Wilders folks liked. The current ver. is however $50 - ouch: https://rehips.com/en/ Appears the prior free ver. is also still available: https://rehips.com/ReHIPSSetup 2.2.0.zip
just for info, ReHIPS isn't a HIPS, it is a sandbox app with Application Control module. closest thing to Geswall.
That screenshot was from the Emsi firewall by the way which is no longer available. The latest EAM versions do not have all those options available under Behaviour Blocking ..Application Rules. The Application Rules allow you to either Trust or Block a selected file.
No...it's for sure from Privatefirewall - we can see that on comparison below (German page) https://subsetlines.wordpress.com/uebersichten/hips-features/
Hi bellgamin, I'm afraid you're making things far too difficult on yourself with an all-out HIPS. You'll spend more time toying with it trying to find the "perfect balance" between security and usability than you will just simply enjoying running the programs you use. I've gone down that road before rather extensively, before I came to my senses and realized they're a waste of time. A basic anti-executable is okay, even monitoring dll's such as what AppLocker can do, but that's the most I'd recommend trying to control. If you choose to install whatever programs on your O/S, then it's probably wise to simply allow them to run unfettered, as long as you don't install crapware. If you're still using Win XP, then please do yourself a huge favor and ditch it for something more modern, or even a beginners Linux distro.
+1 with @wat0114 1- check the downloaded file hash with the hash mentioned in the vendor site. 2- check it in VT. 3- install it if clean. then forget HIPS' crap and use SRP or anti-exe. i can't agree more, unless you live in a 3rd world country running intel pentium 2-3 machines, there is no reason to use XP.
It's very simple, just about ALL of those behaviors can be used by malware, but there are certain ones that may trigger too many alerts from trusted apps. For example, "open threads" and "open processes" are quite common and there is no way to know if it's going to be used maliciously or not. I believe he thinks it's fun, but I know what you mean. To me, HIPS should not be monitoring everything, only the most important stuff. For example, I often get alerts about certain registry keys being modified, without knowing just how risky it may or may not be, so it's pointless to monitor them.
You are right... mostly. Online Armor's HIPS was fun. So was System Safety Monitor's. PrivateFW's is still easy/fun to configure, & tames reasonaly fast. But NOT the HIPS in CommodoFW or SpyshelterFW. If one has the patience & smarts to fully & skillfully configure those two HIPS, then he or she is waaay ahead of me.
To clarify, I don't think it's fun having to respond to zillions of alerts, but I do think it's fun to have full control over app behavior. I tried to run without HIPS for 3 months but I felt insecure. SpyShelter is actually not that difficult to manage, but if it's too overwhelming, you should run it in "Auto Allow" mode which will make auto rules for signed processes from trusted companies.
Actually I only gave SS a 10 minute trial because matters arose that demanded my attention & I just never got back to figuring out SS. In the past ~5 years I have had just 4 infections. Three were quickly detected by AdInf, a simple file integrity checker, & the other was spotted by Herd Protect. All 4 were quickly remedied by restoring a clean image. Even so, like you, I feel more secure with a good HIPS in place. I shall give SS a more extensive trial. Thanks for the suggestion.
But weren't you bothered by the high price? And BTW, I was thinking that perhaps you should go for auto-blocking solutions. For example, tools like HMPA, AppCheck, SimpleWall and KeyScrambler. These tools will automatically block ransomware, keyloggers, and banking trojans.
Yes, their price is high. When they first began selling SS the price was quite a bit less, as I recall. I suppose they were hoping for a mass market. When the mass market didn't materialize, they raised the price to what a niche market (security experts & hobbiests) would pay. SS : BMW :: ZoneAlarmFW : Yugo. I am now running Webroot Safe Anywhere (WSA) on one of my laptops. With WSA + EXE Radar PRO + OSArmor I should be just fine (I keep telling myself).
I guess so, but I still think that sometimes you can make more money by offering stuff at a lower price, I doubt they made the right decision. At this price point I wouldn't buy a yearly license, especially because it needs to be improved a lot.
Not dead for Comodo, SpyShelter, & NOD32. Besides, there is no way to waste money on Comodo's HIPS adjunct -- it's free.
