AI Malware vs AI Anti-malware

Discussion in 'other security issues & news' started by itman, Feb 17, 2017.

  1. guest

    guest Guest

    I set up my OS tight and have safe habits, the risks are minimal.

    If I use a HIPS I use all features available; if not I don't even bother using a HIPS. On MT I wrote my Comodo settings (paranoid mode). Then when I discovered AppGuard, Comodo went to the trash bin.
    I was an avid user of Comodo FW, then Online Armor (best to me) and even SpyShelter (but I don't like it much); all are way too much hassle for little security compared to what I use now. I don't need my apps telling me what they should do, only auto-block everything I don't allow.
    We don't need HIPS (obsolete last-decade technology); we have better solutions, like AppGuard or similar SRP (Smart Object Blocker, etc.), far more effective and with no prompts.

    That is the point; do research before using a soft.

    If I don't trust an app, I don't install or even use it... I use mostly portable apps from vendors I have known for ages and where I can check the hash/checksum (not MD5, which is obsolete).
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, you missed the point. Both tools are legitimate, but without HIPS I would have never known about this risky behavior.

    Correct, but links 2 and 3 were about legitimate tools that came bundled with malware; without HIPS most people wouldn't have known about it. But of course, HIPS should be able to block stuff without leaving the decision to the user. That's the biggest problem, and perhaps in the future we will see HIPS/BB combined with AI. I also hope that AI will make it easier to spot suspicious network connections.

    You can't compare AG with HIPS, because HIPS are meant to alert about suspicious behavior, something AG can't do. And yes, HIPS can become annoying, that's why it's probably best if they alert only about the most risky behavior. Also, most HIPS have got an "auto-allow of trusted signers" feature, that will reduce alerts a lot, but I don't use it.
     
  3. guest

    guest Guest

    Good point.

    HIPS aren't for basic users, whatever the vendors say.

    Indeed, because AG doesn't care about behavior, it just blocks everything not allowed.

    Neither do I; that is one of the weaknesses of common solutions. I always delete and reconstruct the TVL myself.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Correct, that's the biggest challenge for HIPS developers; in the future they might be able to make all decisions while reducing false positives. Apparently, most AVs already offer an "auto-pilot" feature. Did you ever test this with AVs like Avast, Kaspersky and Bitdefender? About AG, it will also block code injection and other memory manipulation, but it doesn't block keylogging, service/driver installation and other stuff. Without HIPS I feel naked, but I agree about the annoyance factor, especially during app install.
     
  5. guest

    guest Guest

    In the past, and those 3 brands are exactly the reason why I quit using signature-based softs :D

    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-54#post-2369750

    Did you try AG? Because if yes, you won't care about keyloggers and services/drivers when their execution can't even start (aka Lockdown Mode). If you can use it for a month or two, you will ditch your HIPS right away and say as I did: "why was I so stupid using this annoying HIPS when AG blocks all I don't want without even disturbing me"

    For example, every type of exe I didn't put on the whitelist can't even start. Additionally I customized it to even block many of the most vulnerable processes (msi.exe, etc.).

    Same as me until I replaced CIS with AG and ERP; now AG + ReHIPS. I could easily go without any 3rd-party apps, but I would be bored ^^

    The installation factor depends on the user; personally I don't install many apps, I have maybe less than 10 installed. Most of the apps I use are portable or the Win10 universal apps; and if I install an app, it is one I have known for ages and is reputed as safe (of course I cross-check it before installing it, just in case).
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The problem with this approach is that it's a yes/no alternative without the capability for "maybe it's OK, maybe it isn't." Anti-execs assume anything running in system space with system credentials is OK. Problem is, some are not.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I meant if you tested them against malware. I wonder if they are really able to block malware with BB, with no questions asked. But of course I know these AVs have got other issues.

    How many times do I need to keep explaining the same thing? I personally don't fully trust ANY app, so AG alone won't help me. That's why I can't simply ditch HIPS.

    Then you probably indeed don't need HIPS, but I always need to know what apps try to modify, even if I wouldn't install that many apps. I already gave examples of how HIPS can help decide if you're willing to trust some app or not (EagleGet and Maxthon), and I even block Firefox from trying to "accept incoming connections"; this is probably some bug, but very high-risk behavior.
     
  8. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    That's why, in AppGuard, there are the Guarded Apps list and User Space toggles for System Space applications. Those apps that are known to be vulnerable, especially internet-facing applications, but need to be run, should be Guarded, so that they can't compromise the system while running. Switching the system space status of some exploitable Windows .exe to user space also helps in protecting the system. So, at least with AppGuard, it's not totally true that all system space applications are allowed to run unrestricted. :)

    If one isn't confident in the integrity of the system while AppGuard is running, then one can always have an AV or an on-demand scanner to help him/her decide. :)


    As for the topic, I think that if ever there would be an AI malware, or at least a machine-learning-generated malware, it would only be developed by a State, or some wealthy group. So, if one catches that kind of malware, there's a good chance that it's heavily funded.
     
  9. guest

    guest Guest

    Indeed there is no room for "maybe"; AG's users don't want "maybe" but only "No" to everything they didn't personally allow.
    It is more like "I don't open my door to strangers, whoever they are; only people I know."

    The basic principle of AG is the User and System Space separation:

    - System Space is the Windows and Program Files folders.
    - User Space is everything else.

    Yes, because AG and any SRP/anti-exe based soft are assumed to be installed on a clean system (just after installation of the OS); then the system is locked down with them.
    So from there, everything executed from User Space is blocked (unless you "personally" whitelisted it). Also you can shift various types of exes from System Space to User Space (as I did with msiexec.exe, powershell.exe and other vulnerable processes).

    SRPs or anti-exes are not softs for people who like to try and play with dozens of apps a day. We set up a system, we lock it, and we are no longer annoyed by prompts or infected.
    It is the principle I want and prioritize. It is more a corporate-style attitude than a home-user one, but it is the safest one to me.
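The User Space / System Space rule described in the post above, modelled as an added example (constructed here, not AppGuard's own code); the demoted executable names and the whitelisted portable-app path are assumed policy values, not taken from any real configuration:

```python
"""Model of the default-deny execution policy described in this thread (constructed
illustration, not AppGuard's code). Rules as the posts state them: System Space =
Windows and Program Files folders, everything else is User Space, User Space launches
are blocked unless whitelisted, and chosen executables can be demoted to User Space."""
from pathlib import PureWindowsPath

SYSTEM_SPACE_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Hypothetical policy values: names the post mentions as shifted to User Space,
# plus one User Space tool the owner explicitly whitelisted (constructed path).
DEMOTED_TO_USER_SPACE = {"msiexec.exe", "powershell.exe"}
WHITELIST = {PureWindowsPath(r"D:\PortableApps\7-Zip\7z.exe")}

def _under(path, root):
    """True if path is root or lives anywhere below it (case-insensitive, whole parts)."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r

def space_of(path):
    """Classify a launch path as 'system' or 'user' space."""
    path = PureWindowsPath(path)
    if path.name.lower() in DEMOTED_TO_USER_SPACE:
        return "user"  # demoted even though it lives under C:\Windows
    if any(_under(path, root) for root in SYSTEM_SPACE_ROOTS):
        return "system"
    return "user"

def decide(path):
    """Return 'allow' or 'block' for an execution request under the modelled policy."""
    p = PureWindowsPath(path)
    if space_of(p) == "system":
        return "allow"
    if any(str(p).lower() == str(w).lower() for w in WHITELIST):
        return "allow"  # User Space, but personally whitelisted
    return "block"      # everything else in User Space is denied

if __name__ == "__main__":
    for sample in (r"C:\Windows\System32\notepad.exe",
                   r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   r"C:\Users\me\Downloads\invoice.exe",
                   r"D:\PortableApps\7-Zip\7z.exe"):
        print(f"{decide(sample):5s} {sample}")
```

Matching is done on whole path components, so a folder such as C:\ProgramData is not mistaken for C:\Program Files.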
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly, so AG alone is not good enough. You need a HIPS/BB to monitor all suspicious behavior, not just a few of them. My motto is to trust no app, I even monitor security tools for weird behavior.
     