An HIPS for Windows 10

Discussion in 'other anti-malware software' started by blacknight, Jun 13, 2022.

  1. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    The "FP" alerts are useful, because they help you to better configure the HIPS. You see the program or the process and you can set a rule.
     
  2. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    We can't talk about "false positives" when we talk about a HIPS alert! It means that the detected action/behaviour of a process is not known to the HIPS and there is no rule created for it. That's by design, because a HIPS doesn't categorise actions and decide what to do...it only informs, and the rest depends on the user's decision.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well said :thumb: In a manner of speaking, we, the users, were the AI making the decisions; the HIPS was just interrupting at one of the many preset mousetrap-like contact points or vectors preprogrammed into it.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's the thing, like others have already said, there are no false positives with a HIPS, since it's up to the user to decide if something might be suspicious, similar to the app permission system on smartphones. But I understand what you mean, things can get annoying sometimes if a HIPS monitors too many things.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is actually a great example of how behavior blockers might help certain targeted people from getting hacked. Hackers were using zero day exploits in Chrome that allowed them to bypass Chrome's sandbox and run spyware on their machines.

    As we all know, AVs can be bypassed, but a HIPS would be able to block the malware from running. And even if the Candiru spyware was allowed to run, the HIPS could still block certain behaviors like keyboard/mic/webcam spying, cookie/password stealing and driver loading.

    https://blog.avast.com/candiru-targeting-journalists-middle-east
    https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Does a user need a HIPS to warn what's happening under C:\Windows\System32 or even C:\Program Files? I would hope not.

    OTOH, under something like C:\Users\johndoe\AppData\Local\Temp...then sure, this could be very beneficial. That's why it's easiest just to monitor the typical, initial attack vectors used by malware, and it won't even realistically result in reduced security.

    As for the topic itself, it may not be a HIPS - it's a kind of anti executable - but the built-in SRP utilized by Simple Windows Hardening or Hard_Configurator does a nice job, with virtually no micro management required by the user.
     
    Last edited: Jul 30, 2022
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,939
    Windows and Program Files are under the hood of Windows itself > UAC.
    User accounts are also managed by Windows and need the appropriate rights.

    No UAC and working as admin = big fail.
    HIPS is reaction, not prevention.
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Let's assume one has an updated Windows and does not worry about 0-day escalation bugs.
    Then it all depends on the user account. The safest is a standard user account.
    The second relatively safe option is a limited admin account on the latest Windows 10 build with UAC at the highest level. I still prefer a standard user account, but in recent Windows 10 builds Microsoft tamed most UAC bypasses, so yeah, UAC at the highest level might cut it.
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Really not the case. UAC pretty much ignores a sufficient amount of malware to the extent that protection by UAC is more of an urban legend than an actual fact.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I didn't mention running SUA and UAC at max, my only focus was on the HIPS, but of course this is the recommended way to run Windows, even though not everyone agrees. But as CS mentions above, and demos in a Magniber video in another forum, malware can blow right past UAC at Max completely undetected.
     
    Last edited: Jul 31, 2022
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    I don't have a link to the video. I read that Windows had a 0-day vuln classified as both RCE and LPE that this malware used. The first fix reduced the vulnerability to "only" LPE, but I don't know the details or how this patching story developed later. I suspect a 0-day was used, and I wrote that I assume we are not talking about having protection against 0-days.
    For protection against 0-days at least, a HIPS must protect everything on the filesystem plus some more non-filesystem things. In this example it would be good to protect against access to the printer service.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To clarify, I was talking about HIPS in general. So yes, anti executable would probably already be enough to stop the malware from running. But let's say AE was somehow bypassed, then HIPS can possibly stop malicious behavior from the malware. These journalists were browsing their favorite sites and not being click happy and they still became infected and I assume their AV was somehow bypassed.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I'm reluctant to link to the video as doing so could be frowned upon. At one point in the video it is mentioned, and I partially quote: "Please note that this Magniber was modified just a bit to run under the radar..." So I guess that made it a zero day variant.

    I would respectfully disagree with the requirement to protect against everything on the filesystem; protect against everything in user space, script interpreters including PowerShell, and Sponsors (LOLBins), as SWH and H_C can do, especially if enhanced configuration is used, then sure, I agree. Of course a HIPS can obviously be set up to do all this as well, and then some. The problem with the latter approach is that it requires considerable skill from the user to set up.
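    Posts 6 and 13 above argue for monitoring the typical initial vectors (executables in user-writable locations, script interpreters, and Sponsors/LOLBins) rather than everything under C:\Windows. The following is an added example, not code from the thread or from SWH/Hard_Configurator: a small Python evaluator that applies such a policy to constructed process-start events. The path prefixes, the interpreter and sponsor lists, and the sample events are assumptions chosen for illustration.

```python
import ntpath
from dataclasses import dataclass

# Location and binary lists are constructed for illustration, not a product's real config.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# "Sponsors" in the thread's wording: system binaries that can load or run other code.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the executable that started
    parent_image: str  # full path of the process that started it

def zone(path: str) -> str:
    """Classify a path as user-writable, system, or unknown."""
    p = path.lower()
    if p.startswith(USER_WRITABLE_PREFIXES):
        return "user"
    if p.startswith(SYSTEM_PREFIXES):
        return "system"
    return "unknown"

def evaluate(ev: ProcessEvent) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'prompt' or 'block'."""
    name = ntpath.basename(ev.image.lower())
    parent = ntpath.basename(ev.parent_image.lower())
    # An interpreter or sponsor started from user space, or by another interpreter,
    # is the initial-vector chain the thread wants covered: deny outright.
    if name in SCRIPT_INTERPRETERS | LOLBINS:
        if zone(ev.parent_image) == "user" or parent in SCRIPT_INTERPRETERS:
            return "block", f"{name} launched by {parent}"
        return "prompt", f"{name} is a script interpreter or sponsor"
    if zone(ev.image) == "user":
        return "prompt", "executable resides in a user-writable location"
    if zone(ev.image) == "system":
        return "allow", "Windows or Program Files binary, left to UAC"
    return "prompt", "executable outside any known location"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Users\johndoe\AppData\Local\Temp\setup.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Users\johndoe\Downloads\invoice.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(*evaluate(ev), ev.image, sep=" | ")
```

    Note that svchost.exe from System32 is left alone, while rundll32.exe started by an executable in Downloads is the case the policy denies without asking.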
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Good discussion and intelligent back n forth opinions from results. I really haven't been at liberty to examine SpyShelter myself lately, maybe this fall, but in absence of that one HIPS program in particular, which seems highly touted enough to draw attention to, you can see in comments that layering is still very alive and well in most members PC security and for good reason. No one AV or HIPS these days can avoid the river rapids of malware releases coming at us from all directions in a myriad of forms. In preparation for a new machine with 11, and just when I thought my zoo collection couldn't possibly be topped, I finished scooping in a whole new set of baddies this weekend and am anxious to test a new setup to drop them on. Once I deliberately unleashed a series of 3 simultaneous ransomwares AND Sality file infector virus at Ransom0ff and it wasn't overwhelmed as I expected. The PC was a little in shock but I had Shadow Defender running underneath it all as a safety precaution.


    A thoughtfully carried out HIPS sequence of preventing Windows from being slicked has also always led to adding third-party coverage to supplement it. For the sake of the topic I won't divert too much to Comodo FW, although it also employs a HIPS of its own. However, the containment feature rules the day when in use on this end.

    Back in the 32-bit-only days of HIPS there was a lot of development focused on those, and a few good ones proved stunning at holding at bay many of that period's worst infections once (as stated) properly and skillfully configured.

     
    Last edited: Aug 1, 2022
  15. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    By 0-day I meant a 0-day vulnerability in Windows (the Print Spooler component) and the accompanying exploit, not a 0-day variant of the malware.
    I don't know if Microsoft patched the LPE side of the vulnerability... It wouldn't only be a UAC bypass though, but a standard user account bypass as well....
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    The link was already posted in the WiseVector thread, I think. It's not directly linked, but you get the picture.
    @cruelsister, like myself and others, can easily take captured samples and safely hex-edit them to test various other capabilities and gauge whether the security programs we use can pick up on differing behaviors or not. It's really a confidence lift when your personal security solution can still lock in on malware with the various changes the bad actors might at some point in the future try to make in their crap builds.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    You're right come to think of it. My reluctance was due in part to not wanting to steer this thread OT anymore than I already did :)

    No better way to test than what you two are able to achieve :thumb:

    As for getting back to HIPS for Windows 10:

    1. Comodo FW: Ultra powerful HIPS that requires some ability to tame, otherwise it can bork your system, especially in Paranoid mode. The Cruel Sister variation for containment is probably the best by far; "no fuss no muss" and it just works!
    2. Spyshelter: never used it but many favorable comments on it. Looks to be an excellent HIPS.
    3. ReHIPS: never used and some favorable comments on it.
    @reasonablePrivacy,

    sorry, earlier I misunderstood your post #86 but all clarified now :thumb:
     
  18. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    When I use Comodo Defense+ I don't use the containment: in the past it could be bypassed, even if I don't know about now; I believe that in the past cruelsister too said that Defense+ in Paranoid mode without the containment is safer than using the containment. But the most important thing is that a HIPS exists to monitor everything running in the system, also C:\Windows\System32 :D, giving the chance to configure the whole system. This is the fun!

    Anyway, I'm very glad that someone likes HIPS again!
     
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    No, No, Never! Quite the opposite, actually. The strength of Comodo resides in the Sandbox and not the HIPS. A HIPS defense, even at Paranoid mode can be bypassed as there are certain things that would just be ignored (and this failure is not specific to Comodo).
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly, you have always said that Comodo's containment feature is pretty good and should be able to block or contain most malware. However, when it comes to HIPS, it will still rely on the user and correct configuration.
     
  21. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    The unmanaged Symantec Endpoint Protection suite has an IPS module built into its firewall. You can run it alongside Kaspersky Free with System Watcher. Windows already has native anti-exploit and application protection management.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Agree. Which makes the CF Containment FEATURE one of the (in my opinion, as well as in numerous @cruelsister vids proving its capabilities) most reliable novel designs, which I haven't seen in any other like it.
     
  23. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,140
    As to the original post, I have CFW installed on multiple computers and never had problems with Windows updates...
     
  24. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    It's not compatible with Memory Core Isolation turned on.
     
  25. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,966
    HIPS is nowadays usually part of security suites. I don't know if there's a decent standalone HIPS application today. Btw, ESET has one of the best HIPS in their AV.
     