comparison of anti-trojan programs and intrusion protection systems when dealing with

Discussion in 'other anti-malware software' started by Wai_Wai, Aug 21, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

     
  2. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    If you read what Wai Wai and Richrf are saying, they keep saying AV/ATs can be easily beaten, blah blah blah, signatures are bad, so HIPS are needed.

    And yet they and you go around praising KAV being able to detect 99.6%?? So are they really saying HIPS can cover the remaining distance?

    Second, my doubts about the effectiveness of HIPS are independent of AV effectiveness. Any major AV, not just KAV, + user experience will cover enough such that the effectiveness of HIPS is in doubt. I've already mentioned why I think HIPS (beyond that of the winpatrol feature set of monitoring a gabazillion features) is of limited use.

    Don't know what you mean.

    First, look up arp commands. Or do HTTP tunneling. Admittedly this is advanced, but as I said, HIPS is hyped up to be the next generation of protection tools, beyond even AVs. If your best example is that of DNS poisoning, it's disappointing.


    First off, if you read what I said earlier, I'm not against the idea of HIPS, some monitoring of system states and behaviors is not a bad idea for someone who cares.

    Secondly, you cherry picked a feature that is used in only ONE software package.

    This is a feature that is seldom mentioned by the big HIPS supporters in this forum , what gets attention is exe protection, driver blocking, global hooks etc. Leaving aside that it's a singular feature in only one product, I suspect the reason why is that these are areas which they think can make up for the perceived gap in protection offered by AV.

    As such I address my concerns to such features.

    Just because Online Armor has this does not mean that it will be a standard feature in HIPS.

    As you know install tracking is an existing niche already. I have a problem with calling everything HIPS. I see a new thread where someone points out, as I have in the past, that HIPS/IDP are really vague terms. So I'm not trying to argue against ALL types of features that any product calling itself HIPS might conceivably add in the future.

    Tracking installs, unfortunately, does not go any way to mitigate what I think is the problem. HIPS advocates claim that HIPS is prevention not detection, but if you are infected, using a backup to recover does not prevent any damage from being done during the period where the malware is active.

    Basically what you have when you recover to the backup is technically equivalent to someone installing something because his AV says it is clean, and then hours later, after an antivirus update, being told it's a virus and the AV cleans it up 100%.

    It's basically the same as the cleaning service of an AV. And some AVs already do this to add disinfection.

    Correct. I don't know the future, I can't tell if a feature added by a single company is going to be a trend, so I can only talk about current feature sets. Besides people are arguing that HIPS are a must have NOW!


    That was merely a little hit back at the noobs here who see the word "signatures" and think that it's a bad idea (intelligent HIPS are basically signatures). If you look at the arguments of all those HIPS advocates, their main argument is "signatures=bad".

    I remember the reaction to prevx1, because it mentioned signatures. :)

    You are welcome, though that is surprising to hear from you.
     
  3. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    I'm still waiting for an answer Richrf. You claim to understand why software is making a request for driver installs. Why not just answer the question, instead of making us go look for the answer? I have tried and I can't find the answer, so please teach me.


    I claim some of the feature set of HIPS is not merely too complicated but nearly impossible.

    Here's a little test. If I ask someone what a certain Windows tweak, say disabling LMHASH, does, I'm certain I will get at least half a dozen responses. Granted some of them are supposed to be "experts", while some are people googling the answer.

    When I asked my question about what guidelines or rules to use to decide if something should have 'global hooks', I get deafening silence. I will get at best a quote that doesn't answer the question.

    You see what the difference is?

    If you truly claim to understand, feel free to answer my questions.
     
  4. Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Yes exactly. And people are claiming they really understand why a program is asking for global hooks! That it is as easy as reading a manual or that you need 'a fraction of the time needed to learn how to use Windows XP'. ;)
     
  5. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Wai Wai, the opposite side of the coin is, for 99 out of 100 users here, HIPS don't detect anything. I'm not even sure that ATs are better than HIPS in additional protection, I just suspect they are in most circumstances.

    Actually the really knowledgeable and technically competent people don't run all this kind of crap. At best they run a router, an AV, that's it. Some don't even run AVs except on demand and they are laughing at us.

    Ask around, a lot of members here can tell you this is true of people they know.

    But if we're talking knowledgeable as at, say, Rmus level, the same thing applies, to a lesser extent of course. Most could probably do without HIPS. But the people here enjoy playing with stuff, even Richrf, who hates the term "hardening operating system", but enjoys testing and reading about new HIPS software.

    About noobs, my point was maybe not clear to you. I was saying the feature set of HIPS that really works effectively would probably be useful to a noob, assuming a noob used the HIPS correctly. But they don't of course.

    This is an overhyped line that I feel is repeated over and over again, without really understanding what it means.

    Notice how easily the hype comes?

    -proactive
    -any possible attack
    -new & unknown

    Wow! How can any AV/AT compare to a software that can block any possible attack? Catch new and unknown malware? Got to get one of these!

    When you come down to earth, you realise

    1) This is pure hype

    2) When new&unknown attacks are caught, it's caught because the guy using it is providing the brain power to detect it and not everyone has this.

    3) The "any possible attack" claim is too silly to even answer.
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    @ whereisthebeef: I truly love reading your posts .. why? Because that's simply the way I feel about all this propaganda concerning ids/hips/ips/... but I lack the knowledge of English grammar.

    as long as there isn't parent and child process control there will be flaws in the concept of this hips/ids talking. That wouldn't be the only flaw but a major one.

    like the exe protection will protect against execution of exes...hell, are the only malware exes these days? I didn't think so ... would pg protect against malware execution when surfing a site? what if the malware is in html code or some script? what about that exe protection?

    I tried at least three ids/hips programs and to be honest I was not positive about all that .. except when you like popups (don't get me wrong, I love popups) ...I'll lmao when I read another post asking why prevx didn't stop a trojan...that's the hype...

    new and unknown attacks...just go to warez site, disable your security programs and let only your hips/pg work ... see if you are clean from infestations...

    grtz.
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    I've given you answers many times. I'm not going to keep writing answers if you claim to be looking for beef, but you are really a vegetarian.

    Rich
     
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    LMAO :D
     
  9. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Yes, you are right.
    99.5% of KAV is only for ITW malware, not meant to be "all"

    I have addressed the same issue in this post in the same thread:
    https://www.wilderssecurity.com/showpost.php?p=539349&postcount=39

    By the way, I think I have explained this to you in another thread, do you remember about that?
     
    Last edited: Aug 24, 2005
  10. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    It may be so since I haven't used a-squared personally.
    Would you mind explaining these bits, so I can see if I have underestimated its IDS?
     
  11. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    I said using a HIPS with a signature based application. An example would be using Process Guard(HIPS) with KAV(Signature based). I did not mean a program that is HIPS and also has signatures.

    Hope that clarifies my meaning. :)

    muf
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Hi Infinity,

    I do not think that it is worthwhile to do this, since everyone recognizes that an individual HIPS product is insufficient to completely protect a machine. A HIPS product can, for example:

    1) Prevent global hooks, which are often used by keyloggers. This absolute protection against global hooks provides me with great peace of mind since it protects against a major source of information theft (many of my friends, whose machines I have helped clean, have had keyloggers on their systems).

    2) Prevent the installation of any unauthorized driver/service which a signature based system will not detect. This has already saved me from an unauthorized file scan that would have been attempted by a seemingly benign program.

    3) Prevent unauthorized changes/updates to my registry that would instantiate products in my system, that I do not want instantiated. This capability has also been invaluable to me.

    There are many other things that this category of products can accomplish.

    No single HIPS product, at this time, is designed to replace all other security products. Each product category and product instance has its own strengths and weaknesses. The argument that is being presented here is that "HIPS are not valuable because they cannot protect against all types of security". This is a meaningless argument, since it could be used to describe any security product that has ever been developed and will ever be developed.

    Regards,
    Rich
     
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    just like I said, lets wait till pg gets finalized and we'll have the hips of the century again...

    the things you mention what hips can do, I see pg in front of me...add regdefend and you have the perfect combo ...

    could be true, but the way it is presented here by a lot of folks I get seriously the feeling that it would be the holy grail and then you see posts like will pg prevent trojans and why didn't it protect me against this and that.

    if you don't feel secure now with what you have, you'll never feel secure for whatever that means.

    sincerely,
    Andy

    sometimes I get the feeling everybody wants to see popups just to click when they are rushed ;) that can be hips too my friend.
     
  14. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    you would create a monster I'm afraid .. an all in one application which is far less secure than the two apart.
     
  15. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Would you mind telling me why you have such a feeling?

    In the manual, ProcessGuard simply explains how to use this product, the meaning of different options, and briefly how it works to prevent some major attacks.


    By the way, I would like to know how people (who are against IPS) comment on firewalls. Following their logic, they should not recommend people use a firewall, since most users do not bother to learn, or they would not understand a lot of things about how to respond to the alerts.

    So to them, are they going to use AV/AT/AS only?
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Hi Andy,

    I think I have probably read most posts on this forum concerning all of the popular HIPS products including ProcessGuard, RegDefend, Prevx, Online Armor, Safe N' Sec, etc. I don't think I have ever read a post that suggested that HIPS will prevent against all trojans, nor have I ever read a post that HIPS can be used as a replacement for a top-tier AV.

    I think HIPS has been presented as a positive means of preventing against common and very severe malware actions such as obtaining hooks, changing system files, injecting dlls, adding malicious registry entries, and others. These events would only occur when the signature based AV failed and thus some backup was needed.

    To suggest that I do not need HIPS because it has not protected me against all types of attacks does not make sense. None of my security products has ever done this, and I am still using them. What HIPS has done for me, on at least one occasion, is preserved the integrity of my system by stopping an attempt to scan my whole file system by a seemingly benign program. This alone was worth the time and cost.

    I feel pretty good with what I have now. I was very antsy when I was just running signature based systems, since I knew, via pure experience, how easy it was to get around and through them. With positive behavioral blocking (e.g. prevention of all global hooks), I feel my protection is much better now. However, Windows XP is very porous, and as new holes are discovered, I'll probably have to hire a contractor to plug up these holes. C'est la vie.

    Regards,
    Rich
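The capabilities richrf lists in posts 12 and 16 (refusing global hooks to unlisted programs, refusing driver/service installs and Run-key writes, and stopping a "benign" program that starts walking the whole file system) all reduce to one idea: judge the action, not the file's identity. The toy policy engine below is an added illustration written for this page; it is not code from ProcessGuard, RegDefend, Online Armor or any other product named in the thread. The program paths, the allow-list, the single-hash "signature database" and the directory-read threshold are all constructed for the example.

```python
"""Toy HIPS policy engine: behaviour blocking next to a signature check.

Added illustration for this page, not code from any product discussed in
the thread. The allow-list, signature database, paths and threshold below
are constructed for the example.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"   # defer to the user: this is where the "brain power" comes in


@dataclass(frozen=True)
class Event:
    """One intercepted action by a process (what a HIPS driver sees)."""
    process: str        # full path of the acting process
    action: str         # global_hook | install_driver | registry_run_key | dir_enum | ...
    target: str = ""    # hook type, service name, registry value or directory


# Actions the behaviour blocker denies unless the program is explicitly allowed.
DANGEROUS_ACTIONS = {"global_hook", "install_driver", "registry_run_key"}

# Constructed allow-list (hypothetical paths): program -> actions it may perform.
ALLOWED = {
    r"C:\Program Files\Keyboard Tool\kbd.exe": {"global_hook"},
    r"C:\Windows\System32\services.exe": {"install_driver"},
}

# Constructed signature database: SHA-256 of one sample the vendor has already seen.
KNOWN_BAD = {hashlib.sha256(b"yesterday's keylogger build").hexdigest()}


def signature_verdict(file_bytes: bytes) -> Verdict:
    """AV-style check: blocks only what is already in the database."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return Verdict.BLOCK if digest in KNOWN_BAD else Verdict.ALLOW


def behaviour_verdict(event: Event, interactive: bool = False) -> Verdict:
    """HIPS-style check: judges the action, not the file's identity."""
    if event.action not in DANGEROUS_ACTIONS:
        return Verdict.ALLOW
    if event.action in ALLOWED.get(event.process, set()):
        return Verdict.ALLOW
    # Unlisted program doing a dangerous thing: block, or ask if a user is present.
    return Verdict.PROMPT if interactive else Verdict.BLOCK


class DirEnumMonitor:
    """Flags a process that reads far more directories than ordinary software.

    A crude rate rule (the threshold is a constructed value) of the kind that
    can catch a "benign" program quietly walking the whole file system.
    """

    def __init__(self, threshold: int = 200):
        self.threshold = threshold
        self.seen = Counter()

    def observe(self, event: Event) -> Verdict:
        if event.action != "dir_enum":
            return Verdict.ALLOW
        self.seen[event.process] += 1
        return Verdict.BLOCK if self.seen[event.process] > self.threshold else Verdict.ALLOW


def run_demo() -> dict:
    """Runs constructed events through both checks and returns the verdicts."""
    new_keylogger = b"today's recompiled keylogger build"          # hash not in KNOWN_BAD
    dropper = r"C:\Users\me\Downloads\setup_free_codec.exe"        # hypothetical path
    legit = r"C:\Program Files\Keyboard Tool\kbd.exe"              # on the allow-list
    results = {
        # The signature check has never seen this build, so it lets it run...
        "sig_new_build": signature_verdict(new_keylogger),
        # ...but the hook it then installs is judged on behaviour and stopped.
        "hips_new_build_hook": behaviour_verdict(Event(dropper, "global_hook", "WH_KEYBOARD_LL")),
        # A tool that is allowed to hook the keyboard is not bothered.
        "hips_allowed_hook": behaviour_verdict(Event(legit, "global_hook", "WH_KEYBOARD_LL")),
        # The same dropper registering a driver service: blocked, no signature needed.
        "hips_driver": behaviour_verdict(Event(dropper, "install_driver", "hidekit")),
        # With a user at the keyboard the same event becomes a prompt instead.
        "hips_driver_prompt": behaviour_verdict(Event(dropper, "install_driver", "hidekit"), interactive=True),
        # Reading a file is not on the dangerous list; the blocker stays quiet.
        "hips_harmless": behaviour_verdict(Event(dropper, "read_file", "readme.txt")),
    }
    # A "benign" program scanning every directory on the disk trips the rate rule.
    monitor = DirEnumMonitor(threshold=200)
    scanner = r"C:\Program Files\Tidy Utility\tidy.exe"            # hypothetical path
    verdicts = [monitor.observe(Event(scanner, "dir_enum", f"C:\\dir{i}")) for i in range(201)]
    results["dir_enum_first"] = verdicts[0]
    results["dir_enum_last"] = verdicts[-1]
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22} {verdict.value}")
```

Two things in the demo map directly onto the disagreement in this thread. The recompiled keylogger sails past `signature_verdict` and is stopped only because installing a global hook is judged on its own; that is the "prevention, not detection" claim in code. The `PROMPT` branch is the other side of the argument: once the blocker cannot decide from policy alone, the decision lands on the user, which is exactly the "who understands why a program wants global hooks" question raised earlier. Note also the gap Infinity points to: the allow-list keys on the acting process's path only, so a trusted program coerced by an untrusted parent would be allowed; a real product needs parent/child process control on top of this.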
     
  17. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    The link is broken.
    Care to fix it?
    Thanks.
     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    do you mind sharing what hips programs you have on your machine? Since you put Regdefend and processguard on the list (those are definitely not hips to me...but what's in a name right?)
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Yes. This is of course true. The manuals for most products leave lots to be desired. That is why the bookshelves in bookstores are loaded with books on using products such as ... Windows XP.

    Generally, people get a decent amount of protection by just installing a product with basic settings, and when something happens that they do not understand they go to a forum (and there are thousands of them on the web) and ask a question. This is the way it is.

    I remember the first time I deleted an important file after getting a false positive from a signature based system. Totally hosed my system. Did I stop using signature based systems because the manual was inadequate? No. But I did look for systems that gave fewer FPs. ;)

    Cya,
    Rich
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Hi Andy,

    I am currently running ZoneAlarm Pro, Kaspersky 5.0 Pro, and Ewido as my primary lines of defense. To support these products, I have installed the following HIPS products: WormGuard, ProcessGuard, and RegDefend.

    I am trialing Online Armor, but am currently undecided as to whether it will be a permanent fixture. It is an excellent product, but the additional functions may or may not be appropriate for my setup and I have a slight preference for PG's and RD's user interface.

    Hope this answers your question.

    Regards,
    Rich
     
  22. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Yes...I remember. My opinion is still that virtually all "tests" are at best anecdotal and most of the time useless.


    Starrob
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    I have way too much security for my needs, you don't wanna know.

    and what I would like to say: I have NOTHING against behaviour checkers (got rd, pg, tiny2005 *which is ips/ids* - I got a hardware firewall from amd64 which protects against a lot of other stuff the other players I mention don't do)

    but what I don't like is everybody following everybody else's opinion...pfff...I feel secure and I don't need hips.

    it's all in your head :D
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    in two years there might be idstsppx and probably if it has a new feature everybody would be talking about that...

    I hate commercials btw ;)
     
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Hi Andy,

    Unfortunately, it is sometimes in computers also.

    I feel as you do, that it is not worthwhile to simply install products aimlessly - e.g. signature based systems. Why keep installing more and more signature based systems, if they all have essentially the same signatures?

    However, if someone comes on this forum and asks such a question:

    "I was recently hit by a keylogger which somehow got by my AV, AT, and AS. Is there any way to protect against keyloggers?". I think it would be fair to say that there are products such as SnoopFree, ProcessGuard, etc. that would provide additional, valuable protection. I think that is all. It is just some software that can be recommended when a given person has a specific security request.

    Cya,
    Rich
     