What makes you choose a HIPS?

Discussion in 'polls' started by sukarof, Nov 10, 2006.

This is most important

  1. Passes leaktests

    5 vote(s)
    4.8%
  2. What is written on forums (good or bad)

    12 vote(s)
    11.4%
  3. Evaluate, actually use and learn it before stating an opinion

    46 vote(s)
    43.8%
  4. Proven in "combat" - ie catches the bad stuff in "real life"

    28 vote(s)
    26.7%
  5. Other

    14 vote(s)
    13.3%
  1. herbalist

    herbalist Guest

    Download a copy of Knoppix, burn it to CD and use it in place of Windows. You can't get much more secure than that.
    Rick
     
  2. herbalist

    herbalist Guest

    Agreed. It's unfortunate, but malware has evolved to the point that the average user will not be able to adequately secure their system unless they take the time to understand how it works. Rootkit technology is getting to the point that it takes a very skilled user to remove them and even that is getting questionable.
    (new paragraph for D.A.):p
    Windows is an open system. Windows design basically permits everything to run and allows anything to start and/or access anything else. Its files are accessible and modifiable. That's why it's so vulnerable and gets compromised in so many ways. At the other end of the spectrum is Knoppix on CD. It's burnt to CD, unchangeable, making it immune to attack.
    (new paragraph for D.A.):p
    HIPS is an attempt to undo that basic Windows design flaw by limiting what behaviors each executable is allowed to perform and what other executables they're allowed to access. It effectively begins to convert Windows to a semi-closed system, governed by the rules made by the user or the learning mode.
    The user has these choices:
    1. Secure Windows with conventional security-ware, practice safe hex, and keep backups of your system made when it was clean.
    2. Use a closed system like Knoppix on CD which is immune to attack, but has problems of its own.
    3. Learn how your system works, what belongs there, and secure it with HIPS, a good firewall, and content filtering.
    HIPS requires knowledgeable input from the user. No way around it. I doubt any learning mode will ever be good enough to really secure all the different apps and software available to the user. Until the time comes that someone releases a truly functional operating system that can't be modified or installed to that still satisfies most users, those are the choices. Don't hold your breath waiting for that operating system.
    Rick
     
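    To make the "semi-closed system governed by rules" idea above concrete, here is an added toy model of the per-executable rule set a classic HIPS keeps. It is example code written for this page, not code from the thread or from SSM or any other HIPS product; the paths, the action names, the rule set and the event stream are all constructed. A known executable doing something its rule covers is allowed, anything else raises a prompt for the user, and in learning mode every observed behaviour silently becomes a rule, which is exactly why a learning run that happens to include an installer ends up whitelisting it.

```python
# Added example (not from the thread, SSM or any HIPS product): a toy model of
# the per-executable rule set a classic HIPS keeps, with explicit rules and a
# learning mode. Paths, action names, rules and events below are constructed.
import copy
from dataclasses import dataclass, field


@dataclass
class Rule:
    """What one executable may do without a prompt."""
    actions: set = field(default_factory=set)   # e.g. "net_connect", "write:system"
    children: set = field(default_factory=set)  # lower-cased paths it may launch


@dataclass(frozen=True)
class Event:
    """One intercepted operation: `actor` attempts `action`.
    `target` is the child path for "spawn" and empty otherwise."""
    actor: str
    action: str
    target: str = ""


class ToyHips:
    """Verdicts: "allow" when a rule covers the operation, "prompt" when the
    user has to decide. In learning mode nothing is prompted and every
    observed behaviour is written into the rule set."""

    def __init__(self, rules=None, learning=False):
        # deep copy so learning never mutates the caller's rule objects
        self.rules = {k.lower(): copy.deepcopy(v) for k, v in (rules or {}).items()}
        self.learning = learning

    def decide(self, ev):
        actor = ev.actor.lower()
        if self.learning:
            rule = self.rules.setdefault(actor, Rule())
            if ev.action == "spawn":
                rule.children.add(ev.target.lower())
            else:
                rule.actions.add(ev.action)
            return "allow"
        rule = self.rules.get(actor)
        if rule is None:
            return "prompt"  # unknown executable: ask before it does anything
        if ev.action == "spawn":
            return "allow" if ev.target.lower() in rule.children else "prompt"
        return "allow" if ev.action in rule.actions else "prompt"

    def run(self, events):
        return [self.decide(ev) for ev in events]


FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SETUP = r"C:\Users\rick\Downloads\free_codec_setup.exe"  # constructed installer

# Constructed rule set: Explorer may launch Firefox; Firefox may use the network.
RULES = {
    EXPLORER: Rule(actions={"write:user"}, children={FIREFOX.lower()}),
    FIREFOX: Rule(actions={"net_connect", "write:user"}),
}

# Constructed event stream: normal browsing, then a downloaded installer that
# Explorer launches and that tries to write system files, load a driver and
# connect out. None of that is covered by the rules.
EVENTS = [
    Event(EXPLORER, "spawn", FIREFOX),
    Event(FIREFOX, "net_connect"),
    Event(FIREFOX, "write:user"),
    Event(EXPLORER, "spawn", SETUP),
    Event(SETUP, "write:system"),
    Event(SETUP, "load_driver"),
    Event(SETUP, "net_connect"),
]


def enforce_verdicts():
    """Verdicts with the explicit rule set: three allows, then four prompts."""
    return ToyHips(RULES).run(EVENTS)


def learned_then_enforced():
    """Run the same stream once in learning mode, then enforce what was learned:
    the installer's behaviour is now a rule, so nothing prompts any more."""
    learner = ToyHips(RULES, learning=True)
    learner.run(EVENTS)
    return ToyHips(learner.rules).run(EVENTS)


if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, enforce_verdicts()):
        print(f"{verdict:6} {ev.actor}  {ev.action} {ev.target}")
    print("after learning mode:", learned_then_enforced())
```

The second function is the point of the example: with explicit rules the installer produces four prompts, one for the unexpected spawn and one per action; after a learning run over the same stream it produces none, because the learning mode cannot tell a legitimate installer from a malicious one and simply records what it saw.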
  3. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Win XP here.

    Confident but it doesn’t mean I will never screw up. After all, I’m only human :) So far, so good…no screwups yet. Besides, it is a constant learning process. We can’t know everything, but if you are interested in this stuff and enjoy learning about it, then it isn’t that difficult. If you don’t want the hassle dealing with pop-ups and trying to figure out what they mean, then it is best not to use a HIPS or any kind of security app that requires considerable user input. A set-‘n-forget type app is probably the best if you fall into the latter category.
     
  4. EASTER.2010

    EASTER.2010 Guest

    Singing SSM praises here with BOTH! Win XP Pro (AND) Win98SE!

    VERY IMPORTANT! As already explained, Windows in raw form is an open system that allows most anything & everything to access, run, or remove files, settings, etc.

    A good solid HIPS in fact TIGHTENS your property lines as an end-user by filling in like a middleman, and intercepting live signals that carry those type of instructions. It also complements anti-virus and firewalls nicely even though some like myself have long since abandoned "resident" AVs for online ones.

    Like herbalist already hinted at, until an Operating System is constructed which already includes such secure safeguards or one is made which severely limits malware interactions with its core base code, you're better off to use Knoppix or something on that order.

    Otherwise take the learning initiative and discover what many of those Windows machine instructions (and files) actually do and where they go and why they transfer where they do and all that. :D
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Now if we can teach Herb to leave a line between paragraphs ...... :)
     
  6. herbalist

    herbalist Guest

    I did. Just put the note in the empty line for your benefit. :p

    There's no way I'd ever begin to claim that I won't make a mistake. If I ever make one that severely compromises my system, that's what system backups are for. So far, it hasn't happened but that doesn't mean it couldn't. That said, when the user configures SSM to the point of specifying parent-child dependencies, drivers, etc, most of the time it will take more than one mistake to get you in real trouble. Considering that a very large percentage of the malware a user is likely to run into will be some form of an installer, it's likely there would be several prompts.
    I've installed SSM on quite a few systems from 98 thru XP. It works great on all of them. I just prefer Win98 over XP and intend to continue using it, at least until I sufficiently understand Linux or BSD.
    Rick
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It's rather a snooty remark, wot?;)

    My net uses SSM & all are on XP.
    ~~~~~~~~~~~~~~~~~~~~~
    If some folks find SSM a bit complex, Cyberhawk & Prevx & Online Armor are jolly good HIPS that are much less demanding. So also is DefenseWall (a different flavor of HIPS, with a sandbox)
     
  8. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    What I find surprising is that so far no one voted for pass leak tests.

    I mean if you look at threads here, what is the first thing people do when they try a new HIPS...?

    "I tried HIPS X and it passed all the leak tests, I'm impressed!" :)

    I guess this means that people expect them to pass so it's a minimum requirement and not a deciding one?
     
  9. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    If it makes a difference, I personally don't care for leaktests.
     
  10. King FN Kong

    King FN Kong Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    134
    hi devil.

    so what do you suggest/use?

    thanks
     
  11. herbalist

    herbalist Guest

    Definitely a minimum requirement. Any HIPS that can't intercept the leaktests process and hook is defective. I also think that most of the people here know the difference between the legitimate uses of leaktests and using them for advertising purposes.
    Rick
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    My criteria when choosing a HIPS (or any other tool that I will be using a lot):

    - GUI (look and feel)
    - resource usage
    - features
    - ease of use

    In no particular order, but if the GUI sucks it's game over. :)

    And of course I always test the apps myself first; if it claims it can intercept stuff but it doesn't, this tells me that the app sucks! :blink:
     
  13. cthorpe

    cthorpe Registered Member

    Joined:
    Jun 30, 2006
    Posts:
    168
    Location:
    Texas
    I also run SSM on XP.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Btw, a little correction, if an app can not intercept a couple of things it does not have to mean that the app is garbage, no app is perfect, but it must not miss a lot and it must be quickly fixed/improved, of course. ;)
     
  15. GS2

    GS2 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    42
    Installed SSM on my VPC (XP installed), and went visiting the 'dark' places of the web - worked a treat - but really only suitable for users who are aware of what is legitimate and what isn't. So now it is running happily on my main XP box.
     
  16. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    That's what limited user accounts and security policies are for :D - don't allow a user the option in the first place - if only MS didn't ship Windows with admin access as default, we probably wouldn't even need HIPS.
     
  17. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Thanks everybody for your views. I too found it interesting that no one has voted for "passes leaktests", since a security software that, for whatever reason (and there are some valid reasons imo), doesn't pass the leaktest tends to get a lot of heat here and elsewhere :)

    I think RL malware experience is more valuable than leaktests (ie a security app doesn't/does protect as promised in live conditions). But I do think they are great tools for us geeks to help us understand how Windows works, but that's about it.
    But maybe herbalist is right that communities like this have passing of leaktests as a minimum requirement.

    peace
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That plus the all-too-easily exploited background services and applications (*cough* Internet Explorer *cough*) which either have, or can easily gain admin access.
     
  19. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Good criteria.
    The envelope please:
    And the lucky winner is ...
     
  20. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Actually, if you find that there is a difference between what people say and what they do, always take what they do as a more reliable indicator of what they really believe.

    Aside from the cynical view, I suppose while ideally, you would like to see how well HIPS do against real malware ("proven in combat"), most people don't have access to such malware to test, don't have the time, or don't dare to do so. So they just do leak tests which are faster and safer (though almost impossible to interpret!!!). Also the option "evaluate, actually use..." was a bad option to throw in IMHO, because obviously that was the number 1 thing unless you were really really short of time.

    People make their decisions on information they have, rather than what they want to have. So I believe when it comes down to it leak tests (which is information they have) have a much greater determination on people's choice of HIPS than this poll seems to show.

    I suspect the poll was answered based on an "ideal view point", ...

    I.e

    Given that I have access to the following information..... what criteria would I use to choose a HIPS....

    PS I prefer leak tests (or more accurately technical test) to malware tests. :)
     
  21. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Based on current Wilders trends and fads.

    Classic HIPS : Prosecurity or SSM with the former being hotter because it is the newer kid on the board

    Sandbox : DefenseWall

    Behavior blocker: Cyberhawk or Prevx1, with Prevx1 losing some support because of one poor performance in the AV-Comparatives test.

    The answer might change next month and certainly will change in 6 months, but that is currently how it stands if you want to keep up with Wilders trends.
     
  22. herbalist

    herbalist Guest

    Really? I'm interested to know on what facts this is based. I've been using SSM since 2004, before the term HIPS was thought of. SSM was called an application-firewalling tool then. I also know for a fact that others have tested it with live malware, drive-by sites, etc as well.
    IMO, you're badly underestimating many of the members here, if you believe that most choose their defenses based on what's popular here. Except for using newer versions of some software, my core security package is the same as it was when I first started posting here. Quite a few members here have been using the same core security apps for some time.

    For anyone who's interested: Web Archive of Max's SSM page. Interestingly enough, the page's alternate download link still works. It'll bring in version 1.96b2+ for those who want to see what SSM used to be like before Syssafety took it over. This version expired in Dec 2005. It functions but won't save a ruleset unless you change the date on your system to one before the expiration date. It won't import a ruleset from a current version either. Interesting to check out on a test unit though.
    Rick
     
  23. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Facts? I said I "suspect", so it's just a hunch....

    Not sure what the relevance here is with you citing your own experience. Unless a sample of 1 is considered sufficient. After all you are hardly typical, few of us use Win98 machines. So even if you were tempted you were stuck with SSM. So no temptations.... :)

    In any case yes, SSM was one of the first ones, I started using it at the end of 2002 or 2003, for a while its only competition was ProcessGuard released in 03. The paranoid among us used both. :) Another one that we used to kick around was Abtrusion Protector.

    It was simpler days then, lol...

    IMO I think you are taking this too personally, particularly I find it interesting the way you feel compelled to defend yourself using yourself as an example of someone who doesn't follow fads. Nobody is saying *you* follow fads (not that you could if you wanted to given your choice is Windows 98, but that's beside the point).

    I'm not even saying every member follows fads of course, but some do obviously. If you put your ego aside, I'm sure you will agree.

    Hint: look at threads where people post their security setups.

    IMHO fads *do* determine to some extent what people choose here.
    Certainly, interest generated by a product that garners long threads, comments by perceived 'experts' all contribute to someone deciding to give it a test drive....

    And that's the first big step....

    Throw in some vendor made test that only the new security tool passes, some good comments by members perceived to be competent, add a dash of some vendor techno-babble or sexy technical talk about how good his product is compared to rivals, and who can resist?

    :)


    Anyhow someone asked me what I recommended; since I have no special insight into the matter that I feel is worth sharing, using the 'wisdom of crowds', crudely proxied by interest displayed by posts, seemed to be worth a shot.


    Did anyone say *you* followed fads?

    BTW my post was definitely not aimed at you, so I don't know why you seem to be taking offense. I'm just reflecting the realities of this forum, in another 6 months, we will be talking excitedly about yet another new product that currently doesn't exist. And many (not all or even most) will be testing it, some will be won over etc... New tests will lead to rise of new favorites and fall of old favourites etc...

    I've seen it since I started reading this forum in 2002/2003. In recent years, this trend has accelerated because the barrier to entry for HIPS seems to be very low compared to AVs and ATs which tend to be the same ones.



    Never said otherwise. Though we are both guessing at what "Quite a few" means.


    But "quite a few people are using the same core security" would imply that quite a few aren't either. It would be foolish to deny that.

    And some who follow the fad are perfectly aware of what they are doing and are doing it for fun, as a hobby etc... This is pretty old ground rehashed dozens of times already....

    Here's an interesting post if you are interested in SSM history

    https://www.wilderssecurity.com/showthread.php?p=8092&highlight=SSM#post8092

    The very first post drawing attention to SSM version 1.0 back when the forum was but a babe (look at the date!!!!). Seems like ancient history... I wasn't reading yet of course.
     
    Last edited: Nov 22, 2006
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    LOL. You make it look like fashion!:D Of course it does look like that sometimes. But that's not necessarily true. I give my own example, but I think it applies to others.
    I registered to this forum to check out what I could add in security to my PC. I found a lot could be added, and learned a lot. Still, after some point I didn't change much, at least the core. I just like to test/check out what's new. Like I did with SSM free. Uninstalled already because of stability issues (1 HIPS too many).
    I'm using GeSWall now, but I know that in future I'll install Sandboxie because I think it's a lot safer. Or CPF3 which will have a sandbox module. I use GeSWall now for practical purposes.
    I'm in this testing period, lol, which I know will fade out. I just want an external HD to back up what I want, reinstall Windows again with my chosen set-up, to set and forget.
    Your perception of trends could be true, but maybe it's just the news arriving (tests) and people wanting to test them. For the fun. If they are like me they'll reach some kind of conclusion and settle (sort of). Not following trends, but opinions from others and themselves. :thumb:
    Others, yes, they'll do what is on "MTV":D
     
  25. herbalist

    herbalist Guest

    I didn't take your posts as being aimed at me. They struck me as derogatory to the membership in general. The first appears to imply that the responses are more imagined than real. The statements about fads here when the question was "so what do you suggest/use" implies that people use what's popular here instead of forming their own conclusions. After these and statements like
    what kind of response were you expecting? If I've mistaken the meaning of your statements, I apologize, but that's how they looked to me.
     