HIPS Crazy

Discussion in 'other anti-malware software' started by WilliamP, Dec 18, 2005.

  1. IMO

    IMO Guest


    In my opinion it's best to have HIPS + AV/AT/AS scanners. Of course that's just my opinion. ;)
     
  2. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Nice to discuss AV versus HIPS now that this is still possible;
    you might expect (and see this already) that ALL AVs are going to be in suites, some of them with HIPS already, others are planning to add this in the near future.

    In other words, the earlier AVs, now security suites, are adding HIPS
    and NIPS at this very moment, plus anti-spam, firewalls etc. etc.

    Look at CA buying Tiny Personal Firewall (with HIPS) and making a suite.
    Look at Kaspersky Suite.

    Look even at Symantec, which has released HIPS:
    http://www.symantec.com/region/reg_eu/resources/2006/smb_article_01.html

    So what about the fact that your AV hasn't got HIPS?

    If you are running a HIPS only,
    there is always the fact that the (average) user has to decide
    if he 'allows' or 'trusts' the software, just like every user can decide this,
    and knows which software contains malware?

    This is what I see more and more: users have added software
    even after a popup warning and placed it in their HIPS 'trusted' zone,
    just because friends are using the same software as well.

    OK, their friends have problems with their PC, but who hasn't?
    That is what they tell me.

    But I agree that finding malware just by adding it to the AV's sigs
    is not the way to go.

    The problem is that sigs-only AVs can't find all malware,
    and HIPS give you so many warnings that in the end they will be ignored
    or not taken seriously when really needed.

    At this moment (Jan. 2006) I prefer a combination of these.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I'm a big fan of behavior blocking software, but I don't think it's necessarily a good idea to make blanket statements saying that you need to have HIPS.

    AFAIK, there's only been one place that has gotten statistics on how effective HIPS are at protecting users in real world environments, and that was the old PAWS data from Prevx Home/Pro.. and those statistics, while very enlightening, were not optimistic. At least half of the users were allowing malware to infect their systems when prompted to allow or deny the actions taken. Combined with the fact that the rate was about the same for legitimate applications, it was evident that the vast majority of users (something along the lines of 99%) simply guessed at alerts that they didn't specifically know the answers to beforehand.

    You can do all sorts of leak-tests and trojan demos to prove that the behavior blocking features do actually work as advertised, but these tests say absolutely nothing about the effectiveness of that software in real world situations. If the user installs the software and relaxes even more because they feel protected, then the chances are that user actually has less security than without the HIPS software.

    After all, would you feel as secure adding a security program that routinely only detects 50% (or less) of the threats it's made to stop, just because it has the potential to stop more?

    Yes, in the face of growing amounts of malware that the AV companies may find harder and harder to keep up with, they may be adding this kind of functionality to their scanners, but meanwhile the only company (that I know of) to actually find out the reality behind this kind of software has scrapped that model for something entirely new because the plain old HIPS simply wasn't working for practically any of its users.

    Like I say, I'm a huge fan of behavior blocking software, but the cold hard truth of the matter is that if you want the highest amount of security that can be achieved, then it's going to be up to you to gain the necessary knowledge to make the right choices (in every regard).. and I won't trivialize it to call it "common sense" because there's nothing common or sensical about most of it. After all, who would think that opening a piece of mail could get you infected? When was the last time that you opened a snail mail letter and got so sick, because of it, that you had to go to the hospital and stay there overnight? We all have to start somewhere, and those that aren't technically minded don't deserve any less protection just because they haven't had the same opportunities to learn about computers as we have, and this world wouldn't be what it is if everyone thought the same way (physicians do NOT make good techs).

    HIPS are great programs, but only in the hands of someone that is knowledgeable, or at the very least familiar with their own system. People that are not technically savvy can find greater protection in other solutions, but those solutions have to be based on that person's particular needs.. but, for some of these non-technical users, they may be more protected with just an AV, FW, and AS than you will ever be loaded to the gills with the best of the best.

    So yes, enjoy the HIPS programs, they're awesome, and sometimes useful in more than one way.. but don't lose perspective, be aware of what these solutions really actually can, and cannot, do for you. Don't take it for granted that because some site shows that "Product X" can stop "Leaktest Z", that you will be completely protected from all threats that use methods employed by "Leaktest Z"... and as the AV companies adopt these methods more, expect more and more confused visitors to forums like this one looking for help :)
     
    Last edited: Jan 24, 2006
  4. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    On Malware clicking - we had pretty similar results to you guys - although, because our users came predominantly from Wilders and as a consequence were slightly more savvy than the average bear, we found only 25% of users let malware infect their system. I reckon that most of those guys who let themselves be infected were people who just found us on download.com though :D

    Just a second data-point for those who may be interested.

    What to allow programs to do (or not) - or which ones to run is a hard problem. Hanging around here you can see all kinds of different approaches - HIPS/Virtualisation/Sandboxing. All have their merits - and all have their drawbacks.

    Oh for the good old days when you could surf the internet in relative safety. *sigh*.



    Mike
     
  5. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    That is still possible, with FreeBSD, Solaris, HP-UX, Apple etc.
    But sadly not with Windows.

    A complete redesign of the OS would be the best solution.

    I have been using Unix systems for over 20 years now, and never
    had a security-related problem on one of them.

    In the meantime, you need to spend more money on security software
    than on the most expensive OS there is out there (XP Pro).

    Because of my job, I am a licensed user of about 40 anti-malware products;
    there is a lot of overlap (of course you can't use them all at once),

    but there is still no product that prevents all malware for Windows.

    But of course there is a best antivirus
    and a best anti-spyware,
    best image backup software,
    best 'freeze your system state' software
    etc. etc.
    And apart from work, it is a nice hobby as well :>)
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, maybe I didn't post it in the right thread, sorry for the confusion. I'm not trying to say that AV/AT/AS signature/heuristics-based scanners are obsolete, but personally I would not want to spend money on (one of) these tools since they will never be able to identify all malware. I mean, who needs one scanner if you can scan files on Jotti or VirusTotal? :D

    I'd rather spend money on a good non-intrusive HIPS, that was my main point. At the moment I use no realtime AV/AT; IMO these apps can sometimes even become annoying because of warnings about malware which would not be able to install in the first place. And of course I agree about the part that non-advanced users will still be able to get infected even with an IPS. Heck, even advanced users can get hit. :blink:
     
  7. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    @rasheed187

    If you read through this thread again, you'll see that HIPS-only products
    are not always foolproof.

    See the posts of Jason and P2K.

    So, don't bet on one horse...

    But how do you know, if your only PC protection is a HIPS?

    You 'allowed' or 'trusted' a program, but on what did you conclude that
    the program was totally safe?
    And that it was not infected by a trojan etc.?

    If you download freeware or shareware from a website,
    how do you know it is not containing malware?

    It wants Internet access? Perhaps for updates?
    It wants to write to the registry? OK.
    It wants to auto-start?
    etc.

    A good example is the FAKE anti-spyware progs that only harm your computer.
    Malware like SpySheriff, trojans and rootkits.

    etc.
     
  8. I think this is quite misleading. HIPS, particularly those that leave the decisions completely in the hands of the users, can't 'identify all malware' either. I would argue they don't even identify malware at all! You do it!

    What exactly does the HIP tell you? They actually tell you event X occurred that looks suspicious. Is that malware? It's up to you to decide.

    Obviously, they can 'catch' a lot more, if you don't care about all the prompts about harmless things.

    But if you don't mind these prompts, an AV can also do the same, by creating broad 'paranoid' heuristics. There will be a lot of false positives, sure, but that isn't any worse than your HIP warning you of a dozen events happening, most of which are harmless.

    Of course, HIP can be made 'smarter', but ...

    I'm not an AV nut, but I read that on-demand scans can sometimes fail to pick up things as compared to a real-time scanner....
     
  9. LOL, saw this very funny bit.

    It's about AVs but it applies to HIPS too really.

    The very last version is what we call a HIPS!

    http://members.aol.com/drasolly/perfect.htm
     
  10. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Thanks for my morning chuckle, DA :)

    Now all I have to do is figure out a way to shell those batch scripts from within OA and my work is done!
     
  11. pojispear

    pojispear Registered Member

    Joined:
    Jan 12, 2006
    Posts:
    90
    I wonder about this too. With the new Kerio there were a few alerts I wasn't sure about, esp. when the alert says, "Could be normal or could be a virus, worm, trojan..."

    One thing that I saw today said a DLL injection was starting up for nVidia. I thought about it, but since it said nVidia 8.98.xx and it looked like the version of the driver I had just installed recently (and this is the 1st day trying the new Sunbelt Kerio 4.2), I let it go. Not only that, but I checked the box and made a rule, allowing it to continue. :gack:

    For these instances, I can only hope that KAV 2005 and BOClean will catch anything if it is weird.
     
  12. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    The detection of HIPS is based on the abnormal behavior of the system. The underlying assumption for the use of HIPS is that the user knows the normal behavior of the system, which can be achieved with two approaches: 1) the system has been running under a CLEAN condition for a while and the user has accumulated the experience of how the system should behave; 2) the user has a very strong background in computer security, and knows how every program should behave. For most users, the second approach is not practical. This is because different programs behave differently, and it is often quite difficult to judge the nature of a behavior even for an expert. So the usage of HIPS should fundamentally rely on the experience of normal computer behavior instead of user knowledge, although user knowledge can be a great help.

    The user should let the HIPS run on a CLEAN system, and make rules for program behaviors. Once this is done, it is not that difficult for a user to make a sound judgement if something strange happens. Say, application A never connects to the internet. But one day, a pop-up appears all of a sudden and shows that application A is trying to connect to the net for no obvious reason. At this point, it is quite possible that the system is infected. For a system that is already infected before HIPS is installed, the behavior caused by the virus/Trojan would appear to be normal to HIPS. For such an infected system, HIPS can really do little.

    We quite often install new applications with no experience of how the new application should behave. At such times, AV/AT would be a great help. Although they cannot detect unknown viruses or Trojans, a good AV/AT can detect around 90~95% of the known ones. That's good enough.

    Nothing is perfect. The problem with HIPS is that the users cannot recognize all the abnormal behavior of a system, while the problem with AV/AT is that the AV/AT companies cannot recognize all the nasties in the world. HIPS can be used to detect unknown nasties that AV/AT cannot find, while AV/AT can cover up some of the user's deficiency in the knowledge of system abnormality. The combination of AV/AT and HIPS will not solve all the problems, but it will cover more ground.
     
    Last edited: Jan 27, 2006
  13. To be honest, I don't think that 1) alone is sufficient, unless you keep your system in a pretty much frozen state and don't install or run anything new. For many people, this isn't realistic. They install new programs.

    Whenever you install something new, all bets are out of the window unless you have some of 2).


    Personally I think this is a poor example since even for beginners, the act of trying to connect outwards is a pretty understandable event. So most people would accept or reject this based on 2) rather than 1).

    A much more difficult event to understand would be, for example, installing drivers, or 'hooks', whatever they are. PG users for example occasionally notice Opera trying to install drivers. Why? Beats me.. Is it normal? God knows..?

    HIPS are nice, but I notice there is some kind of double standard against AVs.

    Fans of HIPS who think AV sucks because of the rare FP are the same ones who don't care if HIPS constantly prompts them on harmless events. In their eyes, this is not comparable because HIPS prompts do not say for sure that they are warning of malicious behavior, while AV alerts tend to be more definite.

    Let's say we grant that view.

    But then they turn around and give credit to HIPS for being able to catch so much more malware than AVs. How do they do that? Simply by saying that any prompt generated by HIPS that happens to be a true warning counts as a 'hit'. Never mind the other hundreds of warnings that are wrong.

    Anyone else see the double standard here?

    For HIPS

    False warnings are disregarded and don't count against the product, while the rare real warning is taken as a hit.

    For AVs

    Any false positive counts against the product, while any misses count against the product.

    No wonder HIPS look so wonderful.

    My advice to AV companies is to create broad heuristics that will tag every file as 'suspicious' and let the user decide if it really is dangerous. That's pretty close to what HIPS, at least some of them, are about anyway.

    :)
     
  14. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    It all depends on the user's practice. It has always been suggested that one should only download trusted software from trusted sites. The more the user follows this suggestion, the less the user needs security knowledge to make judgements on prompts. Well, I do agree that the user's knowledge is always a great help.

    Yeah, that is a poor example. Maybe I should change it to a code injection or whatever.

    For such a case, I would just let HIPS block the driver installation first, and see what's going to happen. Say, if video/audio can no longer be played by Opera because of such a block, such an installation is likely needed. Otherwise, such behavior can continue to be blocked or further investigated.

    Many users complain that HIPS has a lot of prompts. This is not really true. The use of HIPS is characterized by two stages. The first stage is the rule-making stage. At this stage, the user does get a lot of pop-ups. It is extremely important for the user to keep the system as clean as possible at this stage, so that the user can simply make rules to allow those pop-ups without any investigation of the behavior. This stage is tedious and some discipline is critical. What often happens is that the user is continuously trying uncertain applications at the rule-making stage, and expects HIPS to catch the nasties like AV/AT for them. That is not the way HIPS should be used! At the rule-making stage, HIPS is nothing more than a system monitor.

    The stage following the rule-making stage is the real usage stage of a HIPS. And only at this stage should HIPS be expected to catch nasties. Well, the condition is that one has made correct rules at the first stage. At the second stage, HIPS is silent, and there are actually few prompts. If there is any, it is indeed something that should be investigated.

    So if used correctly, false positives are not a problem for HIPS. At the first stage, all the pop-ups are actually needed for rule making. And then at the second stage, a pop-up is most likely a problem. Used in the right way, HIPS is easy to use and powerful, although tedious at the very beginning. Used in the wrong way, HIPS will only lead to complaints such as: it is too difficult to make judgements with HIPS, too many popups for HIPS, HIPS cannot do anything but popups, and so on....
     
    Last edited: Jan 29, 2006
  15. Even someone who does not use HIPS should follow these rules (which are by no means clear-cut), but their AVs give them a chance to protect them if they fail. This is a big class of threats that HIPS, used as outlined by you, don't cover.


    Further investigation would mean what? Right, knowing what you are doing.
    And let's not forget the cost of investigating it, would be as bad as a FP.

    I think this falls into the trap of giving HIPS a free pass. I consider this a very big negative for HIPS. As you point out this requires a lot of discipline and the knowledge that his system is already clean. How many people can say that?

    As for whether this is true or not, it definitely is true if you install a lot of new programs. Even if I know the new program is fine, it's still troublesome to click on the prompts and say okay.

    I personally think that there are 2 kinds of nasties.

    1) Software that you install yourself that actually has an unpleasant surprise in it

    and

    2) Software that manages to install without your permission.

    The use of HIPS as outlined by you, only catches nasties of the second nature not the first. For you, the HIPS cannot catch nasties of the first kind, because the user *already knows* they are clean. This is a very big assumption and highly limits the power of HIPS.

    While I would not underestimate the importance of 2), my hunch is that more experienced users with tight security settings for browsers and email are far less likely to fall for 2), barring the rare zero-day exploit.

    If you define them away, then yes they are not a problem!

    What you should appreciate is that the cost involved in handling popups does not disappear just because you know they are harmless. And in most cases you don't. But let's assume you do.

    Calling them 'stage 1', 'learning mode' whatever does not make the problem disappear. It's still a cost.

    The point you are missing is, even used in the "right" way, the popups don't disappear! That cost is what HIPS supporters just want to sweep under the carpet.

    HIP fanatic (upon first installing HIPS): Wow, what a blizzard of popups, let me click yes to every one of them. Although it takes me a lot of time and effort to do it, this doesn't count as a FP or as a cost.

    HIP fanatic (after going through learning stage, but meets a popup that he hasn't seen before) : Wow, that's unusual. *after spending time researching realises it's okay, just a rare windows system operation process*. No, this doesn't count as a FP or as a cost too, because it helped me learn more about my system.

    HIP fanatic (after installing a new program) : Wow, what a blizzard of popups. But again this doesn't count as a FP or as a cost

    At the end of it, he comes to this board and says "popups? what popups? I don't see no stinking popups, you must be a newbie who doesn't know how to use HIPS" :)

    Indeed with the right frame of mind, you hardly notice them lol.
     
  16. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    Please do not take me wrong. I do agree that those popups of HIPS are annoying sometimes. But like it or not, as you have said, that's the cost of HIPS. No pain, no gain :)

    My concern is that users do not realize the stages of the use of HIPS, and are always trying to judge a single popup at the first stage. That's not what HIPS was originally designed for. Another point of mine is that, although those popups are annoying, it should be a phenomenon of the rule-making stage instead of the whole lifetime of HIPS. I do not have any personal preference between AV/AT and HIPS. I use both of them on my computer. I just feel that a better understanding of the mechanism of HIPS would lead to a better use of HIPS.
     
    Last edited: Jan 28, 2006
  17. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Quite right - otherwise the saying would be:-


    "Physician heal thy stealth"

    (sorry - saw it and couldn't resist). Great thread all :thumb:
     
    Last edited: Jan 28, 2006
  18. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    All in all, I am very happy with this thread.

    It gives you a good idea of what the pros and cons are with HIPS
    and AVs.

    That is a very good thing, because lots of my customers and friends have strange or wrong ideas about those two.

    But as I've mentioned before, this will be useful only for 2006
    to make that difference, because I expect (and see) all major AVs
    adding HIPS this year as well.

    And I wonder if the heuristics of NOD32 in particular can be defined
    as a sort of HIPS, because it also has proven to protect your system
    from malware without the need to add sigs in a lot of cases.

    Like the last WMF exploit etc.

    The current problem for me is that HIPS-only products are difficult to compare
    at this moment, because it is often unclear to me how all their features
    work 'under the hood'.

    Things like:
    The use of user-level or kernel-level protection?
    Registry protection?
    Process injection?
    Processes or DLLs started by a trusted program (Java).
    Example: in ProcessGuard, if I allow Firefox, Java can't be stopped.
    Detection of abnormal behaviour.
    Detection of (unknown to the user) trojans that are in a trusted/allowed prog.
    Detection of Internet access for a prog?
    Protection of (system/prog) files (change of..)
    etc. etc.
    What happens if you made the wrong decision for a prog;
    is there a roll-back function like in Regrun, Tiny Personal Firewall or Online Armor, or ShadowUser etc.?

    I am testing Online Armor at the moment, and am a licensed user
    of all the above and all Ghost Security progs. (it is my job)
    The only one I didn't test yet is DefenseWall ....
     
  19. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    LOL :D :D
     
  20. Sometimes?

    Don't get me wrong. I'm a fan of HIPS, I'm just aware of how annoying they are, even if you know what you are doing.

    I'm against people who try to trivialize the amount of effort needed or the number of popups it will generate, or give lectures on how to use HIPS on the assumption that they are the only ones who know how to use it.

    For example when you say something like this

    A fairly misleading statement if not qualified.

    It is important to note that the 'rule-making stage', as you call it, never really ends. You don't just spend a few days in this stage and leave that stage forever.

    Install any new software, run any new process, and the popups appear and you are back to the "rule-making stage". Update any new component, and guess what, popups, because the hash changes.

    The cost of setting up HIPS is not a one-off setup cost that you pay once and no longer have to pay. Users have to understand that. And others recommending it should be careful not to imply that either.

    Neither do I. But I'm having doubts about HIPS (at least the 'stupid' ones) in the hands of lesser skilled users.

    The cost is steep, and the benefit is fairly low since the use of HIPS as outlined by you means they are not protected against software they choose to run themselves, while an AV could conceivably spot that and stop it.
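To make the two-stage model described in post 14 and the objection raised in post 20 concrete, here is a toy HIPS rule engine, added as an example and not code from any product discussed in the thread: stage 1 records every observed (program, image hash, action) triple as an allow rule, stage 2 prompts only on triples with no rule, and because rules are keyed by the executable's hash, a newly installed program or an updated build of a trusted one re-enters the prompting state. All program names, actions and file contents are constructed sample values.

```python
"""Toy HIPS rule engine modelling the two-stage use described in the thread.

Stage 1 (rule making): every (program, image hash, action) triple seen on a
clean system becomes an allow rule, at the cost of one prompt per triple.
Stage 2 (usage): only triples without a rule raise a prompt; the user's
answer is recorded, so an "allow" silently whitelists that behaviour.
Rules are keyed by the executable's hash, so an updated binary or a freshly
installed program re-prompts, which is exactly the critics' point.
All program names, actions and file contents below are constructed samples.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    program: str   # path of the executable performing the action
    image: bytes   # executable contents; hashed to key the rule
    action: str    # monitored behaviour, e.g. "net_connect", "drv_install"


class ToyHips:
    LEARNING = "learning"
    USAGE = "usage"

    def __init__(self):
        self.rules = {}        # (program, sha256, action) -> "allow" | "deny"
        self.mode = self.LEARNING
        self.prompts = 0       # every prompt counts as a cost, in either stage

    @staticmethod
    def key(ev):
        return (ev.program, hashlib.sha256(ev.image).hexdigest(), ev.action)

    def handle(self, ev, answer="allow"):
        """Return the verdict for one event. `answer` stands in for the user's
        reply to a prompt; it is only consulted when there is no rule yet."""
        k = self.key(ev)
        if k in self.rules:
            return self.rules[k]          # silent: an existing rule applies
        self.prompts += 1                 # no rule -> the user is asked
        if self.mode == self.LEARNING:
            self.rules[k] = "allow"       # stage 1: system assumed clean
            return "learned"
        self.rules[k] = answer            # stage 2: remember the decision
        return "prompt:" + answer


def simulate():
    """Walk a constructed sequence of events through both stages and report
    how many prompts each phase costs and what gets through."""
    hips = ToyHips()
    baseline = [
        Event("firefox.exe", b"firefox build 1.5", "net_connect"),
        Event("firefox.exe", b"firefox build 1.5", "reg_write"),
        Event("opera.exe", b"opera build 8", "drv_install"),
    ]
    stage1 = [hips.handle(e) for e in baseline]
    prompts_stage1 = hips.prompts

    hips.mode = ToyHips.USAGE
    replay = [hips.handle(e) for e in baseline]          # same clean behaviour
    prompts_after_replay = hips.prompts

    # A newly installed program and an updated build of a trusted one both
    # lack rules, so both prompt again: the rule-making stage never fully ends.
    new_program = hips.handle(Event("p2pclient.exe", b"p2p build 3", "autostart"),
                              answer="deny")
    updated = hips.handle(Event("firefox.exe", b"firefox build 1.5.0.1",
                                "net_connect"))
    # The user who answered "allow" has now whitelisted that behaviour;
    # a repeat of it is silent, whether it was benign or not.
    repeat_updated = hips.handle(Event("firefox.exe", b"firefox build 1.5.0.1",
                                       "net_connect"))
    return {
        "stage1": stage1,
        "prompts_stage1": prompts_stage1,
        "replay": replay,
        "prompts_after_replay": prompts_after_replay,
        "new_program": new_program,
        "updated": updated,
        "repeat_updated": repeat_updated,
        "prompts_total": hips.prompts,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running it shows three prompts to learn the baseline, none on replaying it, and one more for each new or updated program regardless of which stage the user believes they are in.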
     
  21. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    I would have to say that HIPS is not that suitable for a system that is under significant changes. Instead, it is good for a 'stable' system. This is determined by the mechanism of HIPS, i.e. normal vs. abnormal. If the system is always under significant changes, there is no way for one to tell what is normal or not. That is the reason why HIPS is more suitable for the enterprise environment instead of home users. Anyway, companies are trying to get money from home users now. Many users, including myself, are trying to cut the rule-making stage of HIPS. That is not right or wrong, but it does depend on the user's knowledge of computer security and judgement, and it is not what HIPS was originally designed for. The two-stage mechanism of HIPS is not my invention, but it is the HIPS original developers' intention. Well, things are changing. I do not intend to give a lecture or whatever, but I just want to point out something that is basic, but is often neglected. Enough is enough, I will just shut up on this topic. :)
     
  22. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    For 2. HIPS or AV will help.

    HIPS has a steep learning curve when starting from scratch with your first HIPS product. I agree, the initial setup of the HIPS and the number of prompts is generally under-exaggerated, but I also believe you are over-exaggerating the number of prompts afterwards (based on my personal experience of Process Guard and using the Software Restriction Policy in Windows XP Pro). I believe the setup time can be significantly reduced by using something like Anti-Executable or Abtrusion Protector.

    With HIPS you are correct, the user has to make the decisions but it will stop 100% (deliberately quoted to 0 decimal places) of malware. Whether you decide to override is up to you.

    For HIPS you don't have to update and you don't spend time scanning.

    An AV doesn't have a learning curve (relative to HIPS) and the number of prompts should be significantly reduced but it will only catch 90+ % of malware (very rough estimate but definitely not as high as a HIPS). The AV also makes the decisions for you. You can set it to update and scan automatically or do it manually which is time consuming.

    For 1. neither the HIPS nor the AV will protect you. Obviously, with the HIPS you'll override the prompt (which some people think makes the HIPS useless). With the AV, you have a chance to catch the nasty. In reality, I've seen too many infected computers which have an AV installed to believe that an AV will protect you adequately (perhaps the AV could be conceived of as being useless). Nothing is going to eliminate 1.

    So what does one want to do: stop 100% of malware, spend more time making decisions/answering prompts and no time updating and scanning, or stop 90+% of malware, spend less time making decisions/answering prompts and more time updating and scanning?

    Decisions decisions.
     
  23. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    The problem is that HIPS are NOT stopping 100% of malware.

    As mentioned in other threads, and here, there are holes in it.
    As proven in other threads, it can be that a program which is allowed,
    like Java, or even Excel, starts doing things you really don't want; there is no protection for that.

    And is your HIPS working on user-level protection or kernel-level protection?

    Download a wrong P2P program, and allow or 'trust' it, and it WILL infect your computer.

    Worse, on a daily basis I help people with infected PCs that have anti-spyware programs installed that are the worst kind of malware themselves.
    Of course they are allowed to use all system resources;
    anti-spyware programs need that, don't they.

    ;)

    I've Regrun Platinum running together with another HIPS program;
    for every Regrun update ALONE I need to answer > 60 popups!

    So again, HIPS don't decide if software contains / or is malware;
    a GOOD AV like NOD32 or Kaspersky and tools like Ewido,
    a-squared, Spybot Search and Destroy, Spy Sweeper, CounterSpy,
    Ad-Aware etc. can do that.

    And we did not even discuss here that the maker of the HIPS decides
    what he wants to protect.

    There are HIPS that don't protect you against tracking cookies.
    Something that I don't like as well.

    -----
    And another simple thing: how do you know if your system doesn't contain
    malware if you are using HIPS, and none of the tools I've mentioned?

    Please try to run 'Spybot Search and Destroy' and the free version of 'Ewido' once, and see what happens!

    Up to now, I've not seen 100% protection in all the HIPS I've tested.
     
  24. devilish

    devilish Guest

    Let's just say that our usage patterns, such as rate of installation of new programs, might differ; different software have different features to ease popup fatigue and hence it depends....

    Then there are stuff like PG's learning mode, Online armors/AP, whitelisting of existing exes, Prevx1's centralised whitelist, or perhaps some people turn off HIPS completely when installing new programs .... All these methods will reduce the popups yes, but with tradeoffs to security. But it's still early days to see which one is best.

    We are really arguing semantics. I would say it really blocks malware if you know or guess it's malware and block it.

    I should also point out it doesn't block 100% of all malware, just those that trigger a warning by making a change in an area it's monitoring. Even if we restrict ourselves to that area, I caution against the warm fuzzy feeling of thinking that it is perfect in that area; it is only so if you are perfect yourself.

    Of course, you could adopt the "block everything that comes" approach, which would certainly block everything in that area. If you think about it, though, by doing so you are in effect converting your HIPS warnings to AV warnings, since you take all its warnings as true.

    But such an "AV" would certainly produce the cost of FPs. Of course normally at this point a HIPS supporter would tell me that it isn't a FP... Call it what you want, the cost remains :)

    Of course AVs don't always give definite warnings; sometimes it says "possible downloader". Here we approach the case of an AV approximating a HIPS, although in most cases even heuristic warnings by AV seem more reliable than HIPS warnings.

    >For HIPS you don't have to update and you don't spend time scanning.

    Another misconception: HIPS doesn't need updating of rules. I suppose real-time online scans slow your computer down by what? 2 milliseconds maybe?

    There seems to be an assumption here that HIPS will block close to 100% of malware. This is wrong of course. It is possible to fool HIPS by carrying out actions that do not trip off the HIPS rule, so even if you were a 'perfect user' you could still be fooled.

    And of course, who among us is a perfect user?

    If AVs will give you a chance to catch the nasty, why do you say neither HIPS nor AV will protect you? I suppose someone who thinks he is cleverer than his AV by thinking it is a FP (but is wrong) might override his AV and get nailed, but I think this is a far cry from someone using his judgement to decide that a HIPS prompt is harmless, since HIPS prompts force you to make judgements.

    Well, I should note that this doesn't prove anything.

    I suspect the reason why you seldom see HIPS users with infected computers is not because HIPS is really protecting them, but because users of HIPS are generally above average in experience and knowledge in avoiding both threats 1 and 2.

    HIPS users who are infected do exist, as info from Prevx and Online Armor shows; they just don't come here....

    Sure nothing will eliminate 1. But only AV can give you a decent chance. "Dumb use" of HIPS will give you 0%. Which are you going to take?

    And a lot of HIPS users who are pretty clued in don't really need to worry about drive-by downloads (threat 2) etc. anyway, barring the rare zero day. If you agree with this analysis, it seems AVs are much more important than HIPS....

    Of course, "smart" use of HIPS might offer some protection in 1.

    I do enjoy watching people make the implicit and unproven assumption that HIPS can stop 100% of malware.... I suppose that's possible if the HIPS prompted you on each and every CPU cycle instruction :)

    I think HIPS has potential, but the 'dumb' HIPS which are popular here, which leave everything in the hands of the user, are never going to go beyond a niche market.

    1) They generate way too many popups, and each popup looks more threatening the less technically skilled you are and the less you care for 'security'. If popups look like a blizzard to me, they will be even more intimidating for the masses IMHO.

    Ways of handling this have already been discussed above. So far, I like the centralised whitelist approach; this cuts down the popup fatigue quite a bit.

    2) They rely on the user too much, so that the dumb use of HIPS as advocated by Yahoo, where you set a baseline then block everything else, makes them useless to prevent threats that involve self-installation of programs.

    This can be solved partly by creating a 'smart HIPS' that has rules for detecting likely malware behaviour, rather than merely monitoring each area individually and leaving you to decide everything.

    Prevx1 and Safe'n'Sec already do something close to it. Neoava Guard also looks interesting. You can set each violation to a certain score, and you can set it to warn/block only if the cumulative violation score exceeds a certain amount. In reality these rules (informed by the experience of malware analysts) would have to be updated by the vendors, though not as often as AVs.

    It won't stop you from being infected of course, but at least it gives you a chance to realise that something you installed is not playing nicely....

    The HIPS use advocated by Yahoo which assumes all software installed is safe, gives you zero warning at all.
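    The scoring idea described in this post (each monitored action carries a weight, the user is only warned or blocked once a process's cumulative score crosses a threshold) and the centralised-whitelist and popup-count points raised earlier in the thread can be illustrated with a small simulation. This is an added example written for this page, not code from the thread or from Prevx1, Safe'n'Sec, Neoava Guard or any other product named here; the monitored areas, weights, thresholds, whitelist hashes and process events are all constructed for the demo.

    ```python
    """Behaviour-scoring HIPS simulation (added example, not from the thread).

    Two policies run over the same constructed event stream:
      * dumb_hips():    prompt on every monitored action (one popup per event);
      * scoring_hips(): add a per-action weight to the process's running
                        score, prompt once when it reaches WARN_THRESHOLD,
                        block the process at BLOCK_THRESHOLD, and skip
                        prompts entirely for images on a hypothetical
                        centralised whitelist of known-good hashes.
    """
    from dataclasses import dataclass, field
    from typing import Dict, List, Set

    # Constructed weights per monitored area; a vendor would tune these from
    # malware analysis and ship updates, as the post above suggests.
    WEIGHTS: Dict[str, int] = {
        "registry_run_key": 3,   # autostart persistence
        "write_system_dir": 3,   # dropping files into the system directory
        "install_hook": 4,       # global hook / injection
        "load_driver": 5,        # kernel-mode component
        "outbound_connect": 1,   # network activity on its own is weak evidence
        "read_own_config": 0,    # benign housekeeping, not worth a popup
    }
    WARN_THRESHOLD = 4
    BLOCK_THRESHOLD = 8

    # Hypothetical centralised whitelist: SHA-256 of known-good program images.
    WHITELIST: Set[str] = {"a" * 64}  # constructed hash of a trusted installer


    @dataclass(frozen=True)
    class Event:
        pid: int
        image_hash: str
        action: str


    @dataclass
    class Verdict:
        prompts: int = 0
        blocked: Set[int] = field(default_factory=set)
        scores: Dict[int, int] = field(default_factory=dict)
        log: List[str] = field(default_factory=list)


    def dumb_hips(events: List[Event]) -> Verdict:
        """Per-area monitoring: every weighted action is a popup for the user."""
        v = Verdict()
        for e in events:
            if WEIGHTS.get(e.action, 1) == 0:
                continue
            v.prompts += 1
            v.log.append(f"PROMPT pid={e.pid} action={e.action}")
        return v


    def scoring_hips(events: List[Event]) -> Verdict:
        """Cumulative scoring with a whitelist; prompt once, block on high score."""
        v = Verdict()
        warned: Set[int] = set()
        for e in events:
            if e.pid in v.blocked:
                v.log.append(f"DROP pid={e.pid} action={e.action} (already blocked)")
                continue
            if e.image_hash in WHITELIST:
                v.log.append(f"ALLOW pid={e.pid} action={e.action} (whitelisted)")
                continue
            score = v.scores.get(e.pid, 0) + WEIGHTS.get(e.action, 1)
            v.scores[e.pid] = score
            if score >= BLOCK_THRESHOLD:
                v.blocked.add(e.pid)
                v.log.append(f"BLOCK pid={e.pid} score={score} after {e.action}")
            elif score >= WARN_THRESHOLD and e.pid not in warned:
                warned.add(e.pid)
                v.prompts += 1
                v.log.append(f"PROMPT pid={e.pid} score={score} after {e.action}")
            else:
                v.log.append(f"ALLOW pid={e.pid} action={e.action} score={score}")
        return v


    # Constructed event stream: a whitelisted installer (pid 100), a bundled
    # P2P-style program that persists and hooks (pid 200), a quiet app (pid 300).
    SAMPLE_EVENTS: List[Event] = [
        Event(100, "a" * 64, "registry_run_key"),
        Event(100, "a" * 64, "write_system_dir"),
        Event(100, "a" * 64, "load_driver"),
        Event(200, "b" * 64, "read_own_config"),
        Event(200, "b" * 64, "outbound_connect"),
        Event(200, "b" * 64, "registry_run_key"),
        Event(200, "b" * 64, "install_hook"),
        Event(300, "c" * 64, "read_own_config"),
        Event(300, "c" * 64, "outbound_connect"),
    ]

    if __name__ == "__main__":
        for name, policy in (("dumb", dumb_hips), ("scoring", scoring_hips)):
            verdict = policy(SAMPLE_EVENTS)
            print(f"{name}: prompts={verdict.prompts} blocked={sorted(verdict.blocked)}")
            for line in verdict.log:
                print("  " + line)
    ```

    On this stream the per-area policy raises seven popups, three of them for the trusted installer, while the scoring policy raises one (for pid 200 once its score reaches 4) and then blocks that process when the hook install pushes it to 8. The tradeoff the post mentions is visible too: a single persistence action by an unlisted program scores only 3 and is allowed without comment, so the thresholds and weights decide what slips under the warning.
    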
     
  25. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Process Guard works at kernel level. I don't know about the Software Restriction Policy.

    I totally agree. It also happens to pcs with AV's installed.

    You have a serious amount of patience my friend. I would definitely have to find a work around for that one.

    I agree. However, I don't think you need a HIPS to protect against tracking cookies.

    -----
    I used to scan with the tools you mention and many more before I changed my protection strategy. It was all that scanning and updating of numerous products that made me want to find a better way.

    Have you tested Process Guard? If so, how did it let you down?
     