Firewall with HIPS? Or Without?

Discussion in 'other firewalls' started by bellgamin, May 24, 2014.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @ Ichito - the fileforum link has a broken download. I dug some more in my archives & found a copy of SSM 2.4.0.621-beta (yeah, I was one of SSM's beta testers, back then when dinosaurs still roamed the earth). I may give that old beta a spin when I get around to it.

    @ all - In my archives I also found copies of oldies such as Dynamic Security Agent, Cyberhawk, Bugbopper, DigitalPatrol, Stream Armor (can't remember what that one did), NeoSafeKeys (what?), RTDPro (double what?), one of the early Prevx, A-squared (a precursor to Emsisoft), one of the earlier versions of Tall Emu's Online Armor, plus etc. etc. I'm thinking that if ALL of these old security apps were simultaneously installed & executed on someone else's computer (not mine) they would attain the heretofore unattainable -- namely, totally impenetrable security!!! :confused:

    I still run PFW on one of my partitions. I have not, however, stayed current with security matters for quite a long time.

    If anyone asks me to recommend a Firewall, PFW is still my #1.
     
    Last edited: May 26, 2014
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi
    I guess that bellgamin has enough experience to already have his shadow's answer...
    In 2005, I used a whitelist HIPS (Abtrusion Protector) with a system expert HIPS (SSM), and in this way followed the IDS mantra, "that which cannot be detected should be prevented, that which cannot be prevented should be detected"...
    But malware and threats have evolved, like security products... and a lot of HIPS or firewalls are now security suites or complete antimalware products (Private Firewall, DW, etc.).
    From my point of view, a personal firewall is nowadays not absolutely needed, even on XP.
    With simple system hardening and a sniffer, it is not difficult to catch suspicious sockets.
    The main defense is to prevent or detect any malware before...
    So I still believe that the HIPS is necessary, and packet filtering abilities do not matter for my concern.

    As an alternative for XP users, I can suggest Core Force, a system hardening HIPS that has firewall features
    http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Core_Force

    But there is no absolute answer of course, as each user is a world unto himself...

    Rgds
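The "catch suspicious sockets" idea from the post above, as an added example that is not part of the original post and not code from any product in this thread: take a socket table in the shape of Windows `netstat -bno` output, attach each socket to its owning process, and report every outbound connection that a per-process egress policy does not explain. The netstat text, the process names (including `updchk.exe`) and the policy are constructed for the demo.

```python
"""Flag outbound sockets that no known process should be opening.

Added example for this thread, not code from any product discussed here.
The netstat-style output below is constructed; the process names and the
per-process egress policy are hypothetical.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of `netstat -bno` (owning process on the
# following line in brackets). Not captured from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     93.184.216.34:443      ESTABLISHED     1234
 [firefox.exe]
  TCP    192.168.1.10:49153     192.168.1.1:53         ESTABLISHED     800
 [svchost.exe]
  TCP    192.168.1.10:49160     198.51.100.7:25        SYN_SENT        4120
 [updchk.exe]
  TCP    192.168.1.10:49161     203.0.113.9:6667       ESTABLISHED     4120
 [updchk.exe]
  TCP    127.0.0.1:49170        127.0.0.1:9050         ESTABLISHED     1234
 [firefox.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
 [svchost.exe]
"""

# Egress policy: remote ports each known process may talk to. A process with
# no entry gets no outbound connections at all (default deny).
EGRESS_POLICY: dict[str, set[int]] = {
    "firefox.exe": {80, 443},
    "svchost.exe": {53, 80, 443},
}

# Remote addresses never worth an alert (loopback); widen for your LAN.
IGNORED_REMOTE = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Conn:
    proto: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    process: str


# One socket line: proto, local addr:port, remote addr:port, optional state, PID.
SOCKET_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text: str) -> list[Conn]:
    """Pair each socket line with the [process] line that follows it."""
    conns: list[Conn] = []
    pending = None
    for line in text.splitlines():
        m = SOCKET_LINE.match(line)
        if m:
            proto, _lip, _lport, rip, rport, state, pid = m.groups()
            pending = (proto, rip.strip("[]"), rport, state or "", int(pid))
            continue
        owner = line.strip()
        if pending and owner.startswith("[") and owner.endswith("]"):
            proto, rip, rport, state, pid = pending
            if rport.isdigit():  # skip "*:*" (unconnected UDP sockets)
                conns.append(Conn(proto, rip, int(rport), state, pid, owner[1:-1].lower()))
            pending = None
    return conns


def suspicious(conns: list[Conn], policy=EGRESS_POLICY) -> list[tuple[str, str, str]]:
    """Return (process, remote, reason) for every socket the policy does not explain."""
    alerts = []
    for c in conns:
        if c.state == "LISTENING" or c.remote_port == 0:
            continue  # not an outbound connection
        try:
            if ipaddress.ip_address(c.remote_ip) in IGNORED_REMOTE:
                continue
        except ValueError:
            pass  # unparsable remote address: still worth a look
        remote = f"{c.remote_ip}:{c.remote_port}"
        allowed = policy.get(c.process)
        if allowed is None:
            alerts.append((c.process, remote, "no egress policy for this process"))
        elif c.remote_port not in allowed:
            alerts.append((c.process, remote, f"port {c.remote_port} not allowed"))
    return alerts


def demo() -> list[tuple[str, str, str]]:
    return suspicious(parse_netstat(SAMPLE_NETSTAT))


if __name__ == "__main__":
    for proc, remote, why in demo():
        print(f"{proc:<14} -> {remote:<22} {why}")
```

The point of the default-deny policy is that an unknown process talking to port 25 (or an IRC port) is reported even though nothing about the socket itself is malformed; a sniffer would show the same connection, but the process-to-socket binding is what makes it actionable. Listening sockets and loopback are skipped so the output stays short enough to read by hand.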
     
    Last edited: May 26, 2014
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I'm using v1.0.0.1 Beta 3, you can't download it anymore I think. NG offers a couple of more filters than SSM.
    I'm going to buy a new machine soon and it bugs me that apps like Zemana, SpyShelter and Comodo are not as user friendly as NG. :(

    More info: https://www.wilderssecurity.com/thre...-9-spyshelter-firewall-3.360052/#post-2353110

    No conflicts whatsoever. :)
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Hmm. In other words, Abtrusion Protector is mainly an anti-executable program, right?
    What if a keylogger somehow sneaks by? A FW might prevent it from calling home, right? And a keylogger that cannot call home is like a castrated bull, right? Of course, a keylogger could never get on my system. I have posted a sign on my monitor: "No keyloggers allowed!" :ninja:

    As to Core Force -- I tried it long ago. Waaaay over my head.

    @ Rasheed - Have you tried Private FW instead of SSM + NG? PFW is FW + HIPS + Dynamic Security Agent. For all that PFW guards against, it is VERY light. On my PFW partition, Windows has run over 45 hours. During that period, total cpu time by PFW was just over 1 minute.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    You are 100% correct. A firewall may not be needed, as in a requirement, but it adds an undeniably sound layer of security when set up correctly.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    You can call me silly, but the GUI is just way too ugly, I'm very picky when it comes to this stuff. :)

    I do believe that it's probably quite a good HIPS/firewall.
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi
    Regarding Abtrusion, it creates a database of files during its install, and any .exe or .dll, for instance, that is not already in the database is not allowed to run (this is the principle of whitelisting).

    As I said, malware has evolved, and it is not serious to fight it with obsolete firewalls/HIPS installed on an obsolete/unmaintained OS (and being an expert user does not confer immunity either).
    Kerio with no doubt cannot catch the latest generations of rootkits and bots, as some of them use explorer injection techniques and install their own TCP/IP stack and file system, like Rovnix
    http://blogs.technet.com/b/mmpc/arc...volution-of-ronvix-private-tcp-ip-stacks.aspx
    Know your enemy first, and base your defense on that... in this case, good protocol analyzers that rely on the WinPcap library, and not only on NDIS, should detect most suspicious packets.
    For the keylogger/password stealer/banking trojan, the main goal is to prevent it from installing on the host (registry key, writing to the .tmp directory, installing hooks and attaching DLLs, etc.) with the HIPS.
    If the firewall detects, for instance, that steamkey.exe tries to use the SMTP protocol, it means that there are already big holes in the line of defense: the main goal is to prevent the cougar from entering the farm, and not to detect whether it is going to leave...
    CoreForce is interesting for hardening and restricting an XP host, but that can take 2 hours of configuration...
    There are enough products and technologies to keep desktops clean of malware; it is just a question of the right equation between the user and the product.
    Rgds
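The install-time whitelist that the post above describes for Abtrusion Protector, as an added example that is not part of the original post and not code from Abtrusion Protector or any other product here: snapshot every .exe and .dll under a root at "install", then refuse to run anything whose path is unknown or whose content no longer matches the snapshot. The files, directory and the `approve` step (standing in for the allow prompt a HIPS would show) are constructed for the demo.

```python
"""Install-time executable allowlist: record path + hash of every .exe/.dll
present at install, then deny anything not in that record or changed since.

Added example for this thread, not code from Abtrusion Protector or any
other product discussed here. The files and the approval step are constructed.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll"}


def _key(path: Path) -> str:
    # Case-folded, symlink-resolved path: a moved or renamed copy is "unknown".
    return os.path.normcase(os.path.realpath(str(path)))


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Snapshot taken at 'install': path -> content hash of every executable."""
    return {
        _key(p): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def check_execution(baseline: dict[str, str], path: Path) -> tuple[bool, str]:
    """Decide whether `path` may run. Unknown path or changed content = deny."""
    key = _key(path)
    if key not in baseline:
        return False, "not in baseline (new or moved executable)"
    if not path.is_file():
        return False, "baseline entry but file is missing"
    if sha256_file(path) != baseline[key]:
        return False, "content differs from baseline (modified or replaced)"
    return True, "allowed"


def approve(baseline: dict[str, str], path: Path) -> None:
    """Explicit user approval (the prompt a HIPS shows): (re)record the file."""
    baseline[_key(path)] = sha256_file(path)


def demo() -> dict[str, object]:
    """Walk through install, a dropper, a patched DLL and an approved update."""
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ app v1")          # constructed
        (root / "helper.dll").write_bytes(b"MZ helper v1")    # constructed
        (root / "readme.txt").write_bytes(b"not executable")  # ignored by suffix
        baseline = build_baseline(root)
        results["baseline_size"] = len(baseline)
        results["app"] = check_execution(baseline, root / "app.exe")
        # A dropper lands after install: unknown path, denied.
        (root / "dropper.exe").write_bytes(b"MZ dropper")
        results["dropper"] = check_execution(baseline, root / "dropper.exe")
        # Malware overwrites a known DLL: path known, hash differs, denied.
        (root / "helper.dll").write_bytes(b"MZ helper v1 + patch")
        results["helper_patched"] = check_execution(baseline, root / "helper.dll")
        # Legitimate update the user approves at the prompt: allowed again.
        approve(baseline, root / "helper.dll")
        results["helper_approved"] = check_execution(baseline, root / "helper.dll")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:<16} {outcome}")
```

Hashing rather than trusting the path alone is what catches the overwritten DLL; a path-only list would let it through. The usual caveat with this class of tool applies: it decides which executable images may load, not what an already-whitelisted interpreter or script host does with an untrusted input, which is the gap the HIPS rules about hooks and registry writes in the post above are meant to close.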
     
  8. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Oh, those reasons, then maybe not Sygate. :oops:

    Thanks for the links act8192, an interesting read.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Good morning, kareldjag!

    You may remember that the Conficker worm (6 years ago!) had some interesting techniques for bypassing firewalls:

    http://tools.cisco.com/security/center/viewAlert.x?alertId=17121
    http://mtc.sri.com/Conficker/
    http://mtc.sri.com/Conficker/addendumC/index.html#firewall-disablement
    Of course, this is all a moot point if:


    ----
    rich
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    Thank you. But are they not redundant?
     
    Either use Kerio with NVT or Private FW without NVT (just do a performance check, e.g. startup of apps with AppTimer, such as the time it takes your browser to start). Have a look at CPU % and peaks with Process Explorer and choose (Kerio with NVT or Private without NVT). In theory Private should protect against more stuff than Kerio with NVT.
     
  12. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi
    Yes Rmus, it is true that malware authors did not wait for eastern European bootkit tricks to bypass firewalls (the Matrosov/ESET literature is excellent about them)... and I remember Conficker as it infected the French Navy via an old infection vector, autorun via external devices!
    And as pointed out by WindowsSecurity, PFW is more reliable than Kerio.

    Rgds
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    No, of course some functions overlap each other, but NG offers a couple of more protection options compared to SSM. I use SSM mostly for the anti-exe function + registry monitor, and NG for behavior blocking. :)
     
  14. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    No doubt true. BUT - given the fact that PFW includes a powerful HIPS (whereas Kerio is simply a plain FW) - would replacing Kerio with PFW be advisable in view of the fact that I am presently running Kerio + ExeRadarPro + AppGuard?

    In other words, would PFW's HIPS feature add anything useful to ExeRadarPro + AppGuard?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Both ERP and AG don't have any behavior blocking capabilities. So why not go for PFW? :)
     
  16. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Well, I believe AppGuard + Exe Radar is already a bit excessive. So if you add a HIPS then it would be definitely excessive.

    So in your case I would go on with your current setup. AG + ERP + Kerio FW.

    If you want to give additional protection to XP then you had better add EMET to your current setup.
     
  17. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    255
    Location:
    Poland
    EXE Radar Pro is an anti-executable/HIPS program.
    AppGuard is more like SRP software which puts some restrictions in place depending on configuration.
    Most of the time I prefer to keep a typical standard HIPS with firewall on the system + other add-on security like Sandboxie.
    In this situation I suggest 2 ways for you...

    1) Stay with AppGuard with NVT and install a stand-alone firewall
    2) AppGuard + FW & HIPS like Online Armor (paid), Comodo

    For a long time I used AppGuard with Online Armor "paid" (FW+HIPS)
    but changed Online Armor for SpyShelter FW and added Sandboxie (paid lifetime).

    I suggest you also add Sandboxie http://www.sandboxie.com/
     
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I use Shadow Defender. It does the same simple job, but (IMO) in a much less convoluted way.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    It depends on what your preferences are. If you think that anti-exe and anti-exploit are enough, then you don't need HIPS. But if you think that you don't need a HIPS, then you're automatically assuming that your AV will catch all malware, and we all know they can't do that. :)
     
    Last edited: Jun 1, 2014
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    1- EXE Radar is an anti-exe, But AppGuard is much more than a mere anti-exploit. It does all that a HIPS does, & more.

    2- I do not run my AV real-time. Haven't done so for several months. I only use my AV for on-demand for downloads & for full system scans at night while I am asleep.

    3- VERY happy to see you are still able to post. God bless you!!!
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I've been using Online Armor, and AppGuard together for years. They work great together. Online Armor is really simple to use, and it rarely ever prompts you for anything. I wouldn't recommend using it with ERP though, and I would say that is a deal breaker for you.
     
  22. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Of course, pure AV cannot catch all malware.

    This is why I believe that ERP + AG is a bit excessive.
     
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Perhaps you are correct. However, in view of my intent to stay with XP, I like having layered security. And YES, I am an ERP fanboy.
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    ERP definitely deserves to have fanboys. Though I'm prone to have any combo with HIPS or EMET/MBAE.
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Do you consider that "any combo with HIPS" is superior to AG + ERP? If so, why?
     