Whatever happened to 'classic HIPS'?

EQSecure was excellent, how come they've fallen by the wayside of late?
I know Comodo still exists but hey, you ever set it up from scratch?

BB's too, Cyberhawk/Threatfire, all but dead n buried.
Is Mamutu still going?

 

Yes Mamutu is still around. Some more here: -http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm?page=0,6

I liked AppDefend and RegDefend as classical HIPS, but they vanished with Ghost Security. Not enough sales of HIPS type products to the public to keep them going.

 

They're still around, but as pointed out, they just don't "click" with the general public. There's a good reason for that as classical HIPS takes a lot of knowledge of the ins and outs of software, how software works, why it does or doesn't need to do something and more. To the average user, you might as well be teaching them the ins and outs of the Large Hadron Collider. Not to mention these programs get in the way more often than they actually protect against anything.

 

Malware Defender, Spyware Terminator and perhaps Micropoint are still alive, ThreatFire will be probably renewed in this year...from new "gamer" we have SpyShelter - anti-logger with nice HIPS - and IS from Online Solution (OSSS)...and many new apps like "anti-exe".

 

and VoodooShield.

 

This is the reason, I think, for Comodo is developing his sandbox faster than Defense+.

 

OA can be used more or less as a classical HIPS.

 

The only Classical HIPS that are currently being developed (Up to what i know) is D+ and OA.

Either of those can be used as a full blown Classical HIPS if you just take a few minutes to disable the cloud features, auto decision and so on.

 

Malware Defender is great classic HIPS application. It protects everything I need and most complete HIPS I've ever tried. It is only 32 bit but on the other hand it is also free.

 

Outpost & Private FWs include many of the checks & balances of a classic HIPS.

 

Most people consider classic HIPS to be too annoying, too noisy, always in the way, etc. Classic HIPS appeal to a very small percentage of users, those who understand the finer points of how their systems work, how processes interact, and want control over those activities. Since they work at a kernel level, it takes a very good programmer to make them work without causing problems for the OS. Microsoft has been making it harder for them by restricting access to the system kernel. They claim it's to protect the OS kernel. I think they don't want users to have that much control over the OS. Either way, classic HIPS are suitable for a small percentage of users. Since they don't depend on updates to function, they're a one time sale, not repeating income like an AV. Most have failed for financial reasons, not because of poor products or bad coding. That said, some of us think they're the best security apps made for Windows. One of the earlier classic HIPS, System Safety Monitor is still my primary enforcement tool for a default-deny policy.

 

SSM free or paid?...I read that free can be more useful in some certain situations.

 

Depending on the purpose of the OS, I use both. For general purpose use in support of default-deny, I've found the free version to be more intuitive, easier to set up, and still very effective. For setups that aren't as restrictive as a full default-deny, the paid version offers finer control over the amount of influence one process can exert over another. It allows the user to allow/deny specific command line parameters for individual processes. It works well, but to me feels backwards for lack of a better description at the moment. The paid versions registry rules can seem very convoluted and the interface isn't easy to work with. The free version is far less detailed with the registry protection but very self explanatory and straight forward in comparison.

 

@noone_particular
Thansk for explanations

I thought about those posts...yours posts
https://www.wilderssecurity.com/showthread.php?t=302118&highlight=SSM
BTW...unfortunately I think SSM will be not useful for me...my computers have Win XP with SP3.

 

And the new version 2.8.0.1 is released ！

 

The free version of SSM is limited to XP-SP2. The paid version works on SP3. It was in beta in regards to the pre service pack versions of Vista but won't work on anything newer.

 

Thanks for info. I will try it right away. Do you know where can I find changelog?

 

Download is slow as hell.
Wouldn't it be nice if it was now 64-bit compatible (just dreaming) !

 

http://bbs.kafan.cn/thread-1202481-1-1.html
but it is in chinese!

 

Thanx. Google translate solved the problem It looks like there were only some under the hood changes and no new features. Still, nice to know development hasn't stopped.

 

Translated changelog:

English download of updated MD: -http://dl.360safe.com/md_setup_en.exe-

Updates:
Kernel block access to the COM interface.
Kernel block access services manager.
Intercept the process added to the JOB object.
Intercepted by registering hotkeys to record keystrokes.
Parameters to solve SSDT HOOK improper handling can cause blue screen problem.
Notes displays an alert window to window above the rules.
Solve the performance problems resulting from a large number of logs, a second log does not repeat the same show.
Automatically merge contents of the log window and displays the count of the same log.
Within two seconds after the bubble does not prompt display shows the new bubble.
Fix some small bug.

 

thanks bellgamin

 

Classical HIPS evolve to less intrusive HIPS
- OA & D+ have extensive whitelists
- have sandboxes based on signing (D+) or ability to run safer (policy containment) of unknown (OA)

Newer intrusion protection programs evolve in the same way, like Spyshelter
a) allow signed and/or microsoft programs
b) also uses a build-in whitelist plus option to trust publishers (for other events also)
c) run risky (internet facing software plus USB) as a restricted user (a very strong and low CPU policy containment, a bit stronger than OA's run safer).

When you are on x32 the Spyshelter freebie is a good deal IMO (low CPU usage, low disk I/O)

 

I tried to install new MD...it was fast and easy - like always I don't remember how it was in the past, but now it seems to me a little bit "heavy" - in real-time work two processes - first ca 15 MB RAM, second ca 63 MB (on XP SP3 32-bit).
How in other computers?

 

On my computer it feels light. My RAM consumption is: 14MB and 1,5 MB on Win7 x86.