HIPS/AE for Vista

Which free HIPS programs for Vista are available and which are most similar to ProcessGuard and AppDefend?

I've been using Online Armor, but it's too unstable. I haven't been able to find a configuration that does what I want without crashing regularly. The main features I'm looking for are anti-executable (whitelisting) and controlling applications' access to internet (outbound firewall).

 

comodo D+

 

@Noholygrail
You can use ThreatFire for it. It has two pre-defined custom rules to realise this. For your comfort edit the descrition and explanation of those rules.
see Outbound rule (use in combo with inbound windows FW protection) and Launch control custom rule.

You can change the launch control rule of threatfire by using the except clause (the user interface will assisit you to add this). With except clause you could allow all programs in windows and programs files directory to launch. For those processes you still would have the behavioral analysis/blocker part of ThreatFire to watch your back.

By head the launch control should read like

When any process
tries to access [execute] a file
which looks like an executable
except when the
[v] the process is in the system process list
[v] the process is in the trusted list
[v] the target file is in the folder
(Select this option, the first two should be on by default, now you are prompted to add folders, select windows and program files)
C:\Windows or C:\Program Files


The default outbound is OK, only give it a more clear description and name


@Jmonge,
Have you played with this variant?

 

Malware Defnder
Comodo D+ too!

 

kees which one?threatfire?

 

Yep, using ThreatFire as a smart ProcessGuard with outbound protection.

Funny thing is when you use TF as FW/AE it is easy to use, You just have to make ome precautions
A) in the settings select a windows restore point before Quarantaining
B) start an internet application (after you have activated the outbound rule, de-activate and re-activate TF to reread the rules data base) and kill it. Now start this application again: TF will ask you whether you want to quarantaine Explorer, set Explorer to allow plus remember. This is because you lanunched a just killed application, TF thinks explorer is infected also

Okay now you have a Deny Execute and Outbound warning, but most malware works like this

1. An executable is silently dumped as with some hidden executables

2. Through clickjacking or social engineering this executable is launched

3. The silently dumped executable moves the other executables (e.g. hidden as tmp file in TEMP dir of your Recycle = waistbin directory) to places it survices reboot

4. Another executable may be launched which tries to get one the executables into an autostart location. This launch is often an intrusion to get temporary elevated rights (e.g. injecting a process with enough rights to access autostart locations)

5. After reboot steps 3 and 4 may repeat to increase rights obtained until you are pawned, without knowing.

6. This programs uses you as a bot or runs away with your data


Analysis
a. By nature a behavioral blocker will at process intrusions, changing an existing executable in a suspicious way etc. So with TF and no custom rules you are protected against step 4 and 5.

b. With the extra outbound rule a you are protected from 6

c. With the extra Anti Executable rule you are protect from 2.

So steps 1 and 3 in the average intrusion process could have some extra rules

Dropper protection extra custom rule
When any webbrowser
tries to access [create] a file
which looks like an executable
except when
[v] the target file is in the folder
Enter your download folder

So now it is harder for malicious javascript to drop executables (protection against 1).


survivor - payload preperation protection extra custom rule
When any process
tries to access [write] a file
which looks like an executable
in folder (Recycle bin]
except when
the process is a system process or trusted process

Offcourse explorer and ccleaner are flagged once, just allow and remember them. Now you have protection against step 3 also.

Malware has a hard time busting TF with 4 custom rules (of which 2 ae predefined)


Cheers

 

yes i did tested before and i like it alot but it slowed my browser down but it was good when i tested againts malware it did very well

 

OSSS: Security Suite. Topic here. (You can get free license).

 

Using Comodo Internet Security as an anti-executable

 

Thanks for all the leads. Threatfire sounds ideal, I will give it a try.

Also, does anybody know if there a comparison chart somewhere? It would be pretty helpful to have a list of HIPS & Behavior Blockers, with info on OS compatibility, free/pay, and a list of features. Just seems like there's a lot of threads here where people ask for the program to meet their needs, get an approximate list given to them in pieces, and then people ask pinpoint questions to further narrow it down. Would save a lot of time to have a comparison chart.

 

You could try the AE in the Returnil version in my siggy.

The AE function is available through the start menu. Don't use it fulltime myself but have tried it and it seems quite robust and light. (and free)

 

Yep the Returnil Home version is a decent free disk partitioning application. Its features like AE and AV included are really great. I have had some contact with Coldmoon in the past about offering different levels of settings.

Something like a scale for the settings

None: all off
Light: Virtualisation OFF, AE ON, AV on exec + on write
Medium: Virtualisation on, AE off and AV on exec + on write
High: Virtualisation on, AE ON, AV on write only
Max: all maxed out
Custom: any combo you would want

Has that been implemented (yet)?

 

Returnil is like Deep Freeze, right? Is it possible to just use the AE feature?

 

Yes you can just use the AE feature and or slip into virtual mode whenever or not at all.

The version in my siggy is an older version with no AV engine.