Why cure when you can protect?

Discussion in 'other anti-malware software' started by Kees1958, Mar 24, 2007.

Thread Status:
Not open for further replies.
  1. EASTER.2010

    EASTER.2010 Guest

Disagreement! HIPS programs of choice (mostly) are not fashioned only to inform but are designed to also SUSPEND! which in my book also equates to PROTECT! or perhaps one of us interprets a different description from that term than is commonly meant to suggest.

Heck, for that matter, and I don't know about the rest of you, but I found CyberHawk a pretty good TERMINATOR too after giving the deny command.
     
  2. Metal425

    Metal425 Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    188
    Location:
    Southern California
Agreed, like Prevx1. It has a jail.
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
I think HIPS is more of a monitoring tool, and control tool. Also protects, but this is all an inside job, covering things already in.

    Yes, or as IceCzar mentioned, a tripwire. Up to the user to interpret, with some exceptions (Prevx1, CH...)

    BlueZannetti: thanks for the post. You sure know how to summarize things.
But regarding my questions, about the usefulness of these tools defending against an attack from some bad hacker, how do you fit that? (I don't even have a clue how anyone could fool a NAT router, lol, but let's get the other scenarios).
    I think this is on topic, since this is about the ability to protect.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,
    Easter, if you allow malware - what's protect about that?
    If you deny legit stuff - what's protect about that?
    HIPS prompts you to take action - that's INFORM in my vocabulary. Up to YOU to make the protect / not decision.
    Mrk
     
  5. EASTER.2010

    EASTER.2010 Guest

    I like this description best (personal choice). Pretty much sums them up without going into detail even though there is a lot of detail that goes into them, hence why they are quite capable of PROTECT! as you mention, and so much more.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,

    I have yet to see one person - take any of my regular co-workers for instance, people who have never heard anything except Microsoft, IE, Norton, Outlook - handle the simplest of simple HIPSs.

    Then, I have to see a single geek getting infected, with whichever setup you choose, Jetico, Outpost, LnS, Comodo, Sygate, BitDefender, Prevx, SAS, Spybot, you name it. It does NOT matter what you run. That's the magic. Once people figure that out....

    Like cars. BMW M5 does not make you a driver. It's the other way around. So it comes as no small wonder that when the light turns green I leave cool cars like Mazda 6 or Honda Civic some 500-600 m behind, in a trail of smoke, in my humble rocket '97 Citroen AX.

    The same applies to software.

    Mrk
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Pedro,

    These tools don't thwart an attack per se, you do, and therein lies the rub.

    Recall how these programs function. They basically filter a set of vendor chosen OS system function calls - the specific calls could be anything from a file open operation, to a process create, you name it. You can assess the specific calls hooked, as well as all of those available, using tools such as Rootkit Hook Analyzer or the equivalent.

    These programs give you the ability to explicitly approve a current and/or all future occurrences of this operation by a specific program. For example, you determine whether Program X is allowed to execute, be it from a deliberate launch you've just executed, to an autostart operation, to another process launching Program X. If Program X is already running, you can control whether or not it can create or alter a registry entry and so on. Now, the primary problem with this is that oftentimes valid programs were written with the assumption that these operations will be allowed as a matter of course. If some of them start to be blocked, unpredictable results can follow.

    Can these tools be used to defend against an attack? Sure, but how does one differentiate between an attack and normal program operation when it involves that neat little utility you just downloaded? (I know, not always recommended, but let's consider real examples here)

    You've probably seen comments that, at their current state of development, these programs can be rather noisy immediately after installation. That is basically due to the user explicitly allowing all forms of routine program activity. It's the type of operations a program could use to malicious ends, but those are also the operations that a program uses in everyday use or when being initially installed.

    The structural issue is that the key alerts come when a program is installed, and if a user is installing that nifty little utility, they're expecting alerts and will just blow through them because they are expected. Unfortunately, most examples of these programs working involve blocking activities in the course of a test or after the launch of known malware (.... to see if the HIPS program works....), which is a remarkably uninformative result.

    Blue
     
  8. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
I see two ways that you can get infected.

    One is surfing the internet and going to the wrong site. A HIPS will protect you because it will stop executions. That's the end of it, you don't need to see any more prompts because if you are not installing something why should something be executing.

    The second way is when you deliberately download and install a programme. This time you will allow the execution. However, will you allow that simple note taking programme to install a driver? I wouldn't and the HIPS would have protected me by informing me that something odd was going on.

    Would I allow Daemon tools to install a driver? Yes I would and if it wasn't really Daemon tools then I'd be screwed. The HIPS would not have protected me.

    In some instances the HIPS would protect and in others it wouldn't.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The way I see HIPS:

    First of all, IMO they are a whole lot sexier than scanners :D and they can both protect and inform.

    Protect: They should be able to protect you from (zero day) "drive-by" attacks, you know, malware that gets installed via flaws in the OS or other apps like IE, MS Office etc.

Inform: When manually installing an app yourself, a HIPS should notify you about possible malicious behavior, of course it's up to you to decide if it really is malicious or not, this requires some knowledge.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ DA

I never respond blindly to alerts, otherwise what's the point of using a HIPS? The thing is, when I look at all the apps that I've installed (and are allowed to run on my system), I see that at least 90% of these apps don't (need to) do anything possibly malicious, so normally it's not really that hard to spot malicious behavior for me. But I'm not trying to say that I will get it right every time, I'm no expert.

    To give an example, just last week I downloaded some app, and I executed it in my VM (KAV labeled it as clean). But I saw that without any good reason it wanted to do stuff related to Winsock (modify or install an LSP) so I immediately thought this was bad stuff, and blocked and terminated it.

After this I scanned the file at VirusTotal, and to my surprise AntiVir, KAV and NOD32 could not recognize anything, but Ikarus, AVG and CAT-QuickHeal identified it as "Trojan-Dropper.Win32.Joiner.aj" (Panda labeled it as "suspicious") so I don't think it was a false positive. So a HIPS + some knowledge basically saved my ass.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,

Spikey et al, you can get infected via drive-by when you visit a site only if you use the inferior IE. This will not happen if you use a normal browser. Sure, sure, some geek at the University of Utrecht has written a PoC that shows this can be done, but you need to time it with the Assyrian moon cycle to work.

    If you exclude the inferior, default-shoot-yourself-in-the-foot MS thingies, all that you are left with is deliberate suicide, which can be as easy to avoid as real-life suicide.

    Mrk
     
  13. EASTER.2010

    EASTER.2010 Guest

    Very! valid points coming down the list of replies here and equally interesting results made. I'm straight in observation mode right now.
    Topic discussion like this is when i'm extremely grateful for Wilder's and all the membership here.

    (really good reads) :thumb:
     
  14. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Hi Mrk
    I appreciate that but I prefer to use an inferior browser. And I can't block active X etc because it winds up my wife and daughter because pages don't load like they want. So I can't install FF with NoScript and I have to use other methods.

    Also, I have never ever noticed an ActiveX installed on my system that I hadn't put there. But I have noticed that randomly named .exe's in the root directory and TIF have been blocked from running.
     
  15. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    If I may ask, where did you download it from?

    Very good point, but I have seen several, random examples throughout your posts where you make endorsements to Linux, as if to suggest everyone using Windoze drop it and adopt Linux instead. Hopefully you don’t actually mean that (I don't think you do, just wondering), because realistically it is not, for obvious reasons, going to happen.
     
  16. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,388
    I am spending way too much time on this forum lurking in the background and reading up on these issues. I have gained some insight and have progressed from the "standard" browser , the "standard" AV and the "standard" Firewall to the less "famous" more sophisticated or effective programs. I even use a program monitoring running processes and registry. I am sure you are all very impressed now :cautious:
Despite this I know I have only a very basic understanding of many of the issues involved and think that while the OP's suggestion may be suitable for some, the percentage of users on the net being able to follow it is minuscule.

    I believe earlier in the thread someone made a similar comment about monitoring any changes to drivers, registry entries being made by programs intentionally downloaded from reputable sites. The idea is to evaluate everything first in detail before allowing it to run normally.
    As a normal user (who already frequents the Wilders Forum) this suggestion is completely unrealistic for almost everyone except those who make IT their living or total hobby.

As Blue said earlier there are limits as to what the average or even above average user can do to protect themselves. I will continue to read up on issues here, try the odd program, but will have to rely on these programs to be user-friendly, to hold my hand and not expect me to be a supergeek who can write and analyse code. Having said that, I am happy for you guys who can do all of these things, just don't assume this will be the solution for anyone but a small minority.;)
     
  17. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549

Exactly! The question is the number of times you don't get it right, is it higher or lower than the number of times that the AV will miss it? Of course, in reality it's not either/or, but you get my point.

    People seem to like to focus on the upside of HIPS (potentially catching all),
    at the same time focusing on the downside of AV (potentially missing unknown).

    More specifically the question is how many times does your AV fail, when your judgement doesn't (assuming you use both)? That is the value of your HIPS.

People like to talk about blocking driver installs as the obvious decision to make, which conveniently forgets that 1) Most HIPS do a lot more than that and if that was all they did 2) You can achieve the same by just running limited accounts.
     
  18. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Feature wise like the much cited http://wiki.castlecops.com/HIPS/IDP_programs/services ? So you get this table, what next? You pick the ones that has the most ticks? And then you move from product to product depending on who gets the most ticks?

    I'm sure most HIPS vendors will be glad that this mentality has taken hold.

    At this rate, you will end up being prompted a hundred times before you even start pressing the on button!

And as I said, if you want to worry about really skilled hackers (lousy ones wouldn't be a threat anyway), features ain't going to save you.
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
DA, you totally missed me. When I say feature wise, I mean feature wise. I can't repeat myself over and over that it is up to the user. That's not possible, so I'm not going to.

What I asked was if the HIPS can detect everything some hacker might do. I do not put the user in the equation. Repeating what the user has to interpret, or comparing to an AV, is beyond my question.

    If you prefer, assume an expert user, running by choice a non hardened OS, with some HIPS like SSM or PG.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear members,

Some started discussions about the decisions a user has to take when using a HIPS. Please have a look at the pop-up frequency of DefenseWall and Primary Response Safe Connect (or even PrevX1, but that also uses blacklists). Hope this will end the user discussion.

With the setup of my wife's PC no pop-up emerges: DefenseWall is quiet by nature, SSM-free runs with the user interface disconnected, SensiveGuard either allows or blocks (denies).

As for the question how many times I had to make a decision compared to the automated decision, that is easy. I used CyberHawk during the training period of SSM-free as a second reference. I never had to make a decision when SSM and CyberHawk both popped up.

    For over a year my AV did not pop-up. This proves the point some of the members are making: Yes I had to make at least a two dozen choices more than my AV made for me. Decisions User versus AV = 24 - 0.

POINT IS: THE AV DID NOT INTERCEPT 1 MALWARE (Noppes, Nada, Null), so this also proves my point, why cure when you can protect. Obviously there was nothing to be cured from, so why use a medicine? Especially when the medicine does not cure against zero day threats?

    http://winnow.oitc.com/AntiVirusPerformance.html

    Regards K
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If you have to remove malware on your computer, it's too late when the malware has done its evil job already between two scannings.

    You better try to prevent the installation of malware or stop its execution if the malware is installed. That's the security I need to save the day, because I've already a 100% REMOVAL of malware, better and faster than scanners can do and without f/p's.

    Scanners ask too much time of the user and it will get worse and worse, because the bad guys make the blacklists longer and longer every day.
     
  22. herbalist

    herbalist Guest

    If the HIPS is configured to allow only the processes and applications the user needs and also limits the activities of the allowed processes to only those needed to function (hooks, parent-child settings, etc), then HIPS will alert to most of what a hacker might try to do. This is assuming that the HIPS is part of a well designed layered security package, not a solitary line of defense.

    Too much is being made of how a user might respond to prompts. Once the HIPS is configured, there should be no prompts during normal usage. If a user is not installing something and an updater is not running, there should be no prompts. If there are, they should be denied. Ideally, the user interface should be disconnected during normal operations so the user doesn't get prompted at all. No prompts, no mistakes.

HIPS are designed to prevent changes in your system, and are best suited for systems that change little if at all, systems which are equipped the way the user wants them. On setups like this, HIPS can effectively protect from most any malicious code, whether it's malware or sent by a hacker. HIPS is a less than ideal choice on systems where the users are installing new apps regularly. The more software a user installs, the more the system's integrity depends on the user's decisions. Constantly installing software is high risk behavior, not just from the increased chances of contacting and allowing malicious code, but also from the increasing chances of conflicts and unwanted changes, plus any new vulnerabilities introduced by the new software.

    HIPS does not address every possible attack vector. It needs to be combined with other security apps that address the other attack vectors. When combined with a good internet firewall and content filtering of the allowed traffic, HIPS is very effective.

Regarding what some hacker may do, no matter how good he or she might be, they have to start with gaining access to your system, either through or around your firewall or via traffic that's already allowed. There are no magic doors they can enter. There are no secret codes that take down all the firewalls and open ports. While all security software can be defeated, each app is different, with different strengths. When properly chosen and configured, the components of a layered security package monitor and defend each other. It's much harder to kill a firewall when HIPS defends and/or restarts the process. It's hard to inject a "kill" command when HIPS won't allow the code to run or to get it past a firewall that only accepts incoming traffic from specific locations. It does little good to kill a firewall only to find there are no open ports available. It's hard to get an autostart entry into the registry when the system components that can edit the registry are blocked from running and attempts to use them result in the user being alerted. It's very hard to rootkit a system when the installer won't run on its own and the user won't start it. When all of it and more is blocked by both security apps and system configuration, it's very difficult to compromise such a system. When the system has regularly run integrity checks, it doesn't do an attacker much good when, even if he succeeds, the user restores the system to a clean state.

An attacker doesn't know what your defenses are or how they're configured unless you or your system advertise it, like many here do in their signatures. Nothing like giving an attacker a roadmap. He doesn't know if his probing a likely port will result in a firewall alert on the desktop. What one user's configuration allows causes an alert on another's, warning the user of the activity. If you start with securely configuring your system, no unnecessary open ports, good system policies, etc, then add good traffic control, application control, and content filtering, you can get very close to bulletproof.
    Rick
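The "whitelist what is needed, deny everything else, disconnect the interface" model herbalist describes above, and the per-program approve-once/approve-always filtering of hooked operations that BlueZannetti described earlier, as an added illustration. This is not code from the thread or from any HIPS product; the process names, operation names and the policy are constructed, and `ask` stands in for a user answering a prompt.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One hooked operation (constructed; a real HIPS hooks many more)."""
    parent: str   # process performing the operation
    target: str   # executable or object acted upon
    op: str       # "exec", "install_driver", "modify_lsp", "autostart", ...


@dataclass
class WhitelistHips:
    # image -> non-exec operations it may perform with no prompt
    allowed: Dict[str, Set[str]]
    # (parent, child) pairs allowed to exec with no prompt
    parent_child: Set[Tuple[str, str]]
    # False models "user interface disconnected": anything not whitelisted is denied silently
    interactive: bool = True
    remembered: Dict[Tuple[str, str, str], str] = field(default_factory=dict)
    prompts: List[Event] = field(default_factory=list)

    def decide(self, ev: Event, ask: Callable[[Event], str] = lambda e: "deny") -> str:
        """Return "allow" or "deny"; `ask` stands in for the user answering a prompt."""
        if ev.op == "exec":
            if (ev.parent, ev.target) in self.parent_child:
                return "allow"
        elif ev.op in self.allowed.get(ev.parent, set()):
            return "allow"
        key = (ev.parent, ev.target, ev.op)
        if key in self.remembered:          # an earlier answer covers this case
            return self.remembered[key]
        if not self.interactive:            # no UI: unknown activity is simply blocked
            return "deny"
        self.prompts.append(ev)             # this is the "noise" the thread argues about
        self.remembered[key] = ask(ev)
        return self.remembered[key]


def run_scenarios() -> Dict[str, object]:
    """Replay the situations discussed in the thread against one constructed policy."""
    hips = WhitelistHips(
        allowed={"firefox.exe": {"network"}, "daemon.exe": {"install_driver"}},
        parent_child={("explorer.exe", "firefox.exe"), ("explorer.exe", "daemon.exe")},
    )
    r: Dict[str, object] = {}
    # Normal usage of whitelisted software: no prompt at all.
    r["browser"] = hips.decide(Event("explorer.exe", "firefox.exe", "exec"))
    r["trusted_driver"] = hips.decide(Event("daemon.exe", "daemon.sys", "install_driver"))
    # Drive-by: an unknown .exe launched from the browser cache while nothing is being installed.
    driveby = Event("iexplore.exe", "tif\\xq3f.exe", "exec")
    r["driveby"] = hips.decide(driveby, ask=lambda e: "deny")
    r["driveby_again"] = hips.decide(driveby)       # remembered, no second prompt
    # Deliberate install: the user allows the launch but not a driver from a note-taking app.
    installing = lambda e: "allow" if e.op == "exec" else "deny"
    r["notes_exec"] = hips.decide(Event("explorer.exe", "notes.exe", "exec"), ask=installing)
    r["notes_driver"] = hips.decide(Event("notes.exe", "notes.sys", "install_driver"), ask=installing)
    r["prompts"] = len(hips.prompts)
    # Same drive-by with the interface disconnected: denied, and nobody is asked anything.
    quiet = WhitelistHips(hips.allowed, hips.parent_child, interactive=False)
    r["driveby_quiet"] = quiet.decide(driveby)
    r["prompts_quiet"] = len(quiet.prompts)
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} {outcome}")
```

Three prompts are raised in interactive mode (the drive-by once, then the two installer decisions); with the interface disconnected the same unknown launch is blocked with none.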
     
  23. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Before going online
    1st-Clean install of OS with all the programs you will use and trust.
2nd-save settings with imaging software and other restore programs, having more than one option of restoring is a good thing.
    3rd-Install your HIPS and let it learn. Some HIPS are better at this than others.
    Save settings with imaging software and other restore programs again.
    4th-You ready to rockNroll !

    A good HIPS, after it has learned your setup, will make alerts only to the unknown, new stuff.
    Depending on which HIPS you have, there could be settings that block unknown new stuff silently, or prompt for user action etc. etc. etc...
     
    Last edited: Apr 2, 2007
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
It's not so much how..., but what the basis of a given response is.
    That road can be a harsh mistress to the unwary. It's not that I believe these tools cannot be used, rather I believe that the arms race in feature set creep starts to render them potentially more insidious than what they will propose to cure.

    If one wishes to go this path, a simple and pure run whitelisted processes/deny all else/do not try to finesse the situation by tweaking with a processes inner workings would seem the best route.

    Blue
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Exactly, that is why my son still uses his AV (GeSWall Pro, CyberHawk free, Regdefend liteware with Toni Klein's ruleset and Antivir free with heuristics set to high). I did not want to claim a one size fits all with this post, just to stir up discussion.

    Regards K
     