Which is the best way to learn to use HIPS?

Discussion in 'other anti-malware software' started by RootAccess, Apr 25, 2008.

Thread Status:
Not open for further replies.
  1. RootAccess

    RootAccess Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    64
    Hi

    I have lots of free time.

    Many popups ask about things I don't know.

    For example, control set wants control of svchost.

    I say allow all, but that's not the best way, right? How do you tell good from bad prompts?

    THANKS
     
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    That's the downside of HIPS. They depend on user choices...
    Maybe you could start using a behavior blocker like ThreatFire. There are far fewer popups, and it's easy when you don't have the experience.
     
  3. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784

    Agreed.
    I've tried many classical HIPS and behavioral blockers; my fav, though, is the policy-based kind.
     
  4. RootAccess

    RootAccess Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    64
    I already have ThreatFire.

    How did you learn how to use HIPS... starting out?
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    RootAccess,

    I think most of us started with an easy one like ProcessGuard, switching over to SSM free, EQSecurity, D+ etc.

    After testing many I agree with LoneWolf; have a look at GeSWall or DefenseWall. The next version of DefenseWall 2.4 will be amazing, with resource protection of classical HIPS to go on untrusted programs and lots of built-in lists.

    Currently DW is one of the strongest. DW and ThreatFire is a strong combo when you have a relatively new CPU.

    Regards K
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't like security software with multiple-choice questions. If the software doesn't know the answer, why ask me? I'm not the expert.

    I have a 50% chance to answer right; that's not security, that is gambling. If I'm wrong I infect myself; that's suicide.

    Even ThreatFire was too much for me, that's why I use Anti-Executable, which always says NO.
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    My neighbor's daughter Kelli is taking computer science at our state university. Here is a summary of what her Computer Science professor recommended when she asked him about using a HIPS on her home computer...

    A- To begin with, he recommended that she select a HIPS that gives good information when it pops up an alert. That is, the HIPS should provide alerts that are very clear and detailed as to exactly WHY it has issued an alert. Furthermore, each alert should also indicate the "risk" factor of the type of action that it is alerting you to. (According to him, any HIPS that frequently leaves you wondering WHY it popped up, and WHAT to do about it, is poorly designed and shouldn't be used.)

    B- Secondly, he told her to be reasonably certain that her computer is clean of malware BEFORE installing any HIPS. {Reason: when the HIPS is installed, it will be put in "learning mode" and, during that time, will accept all actions & processes as being "safe."}

    *** Kelli told me that she did two scans before installing HIPS -- for the first scan she used her computer's installed antivirus. For the second, she used an online scan by Prevx CSI.

    C- Thirdly, he told Kelli that, after installing the HIPS, she should put it into "learning mode" and then do each and every computer action which was part of her daily, weekly, and monthly routines. In other words, he wanted Kelli to show the HIPS the activities and programs and processes that are usual, normal, and safe.

    *** Kelli told me that it took her a little over three hours to install & "train" the HIPS she selected. Since then, according to her, the HIPS has rarely popped an alert, and she has easily understood all of them so far. (Your mileage may vary, of course.)

    P.S. Kelli selected her security AV and her HIPS based on her professor's recommendations. Without naming brands, I can tell you that Kelli's professor greatly respects the technical proficiency of two guys named Mike -- Mike, the antivirus guy; & Mike, the HIPS guy.
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    This case is useful only for classical and blacklisting HIPS. "Professor" is definitely unaware of sandboxes and whitelisting HIPS.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I would never consider my computer as clean after running two scanners in a used system partition that has been online.
    A fresh installation from scratch is the only way to get a clean and unused system partition, and you can do this only one time.
     
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Scanning with two, four or more antivirus programs doesn't mean you're clean, even if they say you are.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Question: can you configure a classical HIPS in LEARNING MODE completely without an internet connection (i.e., offline)? For example: SSM?
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I believe the prof is quite aware of all types of security apps. In addition to teaching, he is a principal in 3 nationwide consulting firms.

    The OP appeared to center on classical HIPS. That is what Kelli wanted & installed, so that is what I reported on. No slight was intended to other types of HIPS -- I have great respect for Ilya & for his superb security app (DW), as does Professor Gleason.

    @Erik- Yes, you can. However, those HIPS that monitor connections (such as SSM & ProSec) would not be "fully trained" about that specific aspect of those processes that connect (e.g., email clients, browsers, etc.). Thus, after shutting off the learning mode, one should still expect pop-up alerts when using the internet. Furthermore, some HIPS have databases of trusted apps; if an app is on the trusted list, it would not likely generate many (or any) pop-ups, even if it had not been fully trained.
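A toy model of the two points made in this thread (post 7's "make sure the machine is clean, then train the HIPS on your own routine", and post 12's answer that offline training leaves the network side of programs untrained), added here as an illustration; it is not code from any poster or from any product named in the thread. The process names, paths, daily routine and risk table are all constructed for the example.

```python
# Added illustration, not code from any product in this thread: a toy
# classical-HIPS model with a learning mode. Process names, targets and the
# risk table are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]  # (process, action class, target)

# Risk per action class: (level, explanation shown in the alert). Constructed.
RISK: Dict[str, Tuple[str, str]] = {
    "file_write": ("low", "writes a file inside the user's profile"),
    "net_connect": ("medium", "opens an outbound network connection"),
    "registry_run": ("high", "adds an autostart (Run key) entry, a common persistence method"),
    "process_inject": ("high", "writes into another process's memory (code injection)"),
    "driver_load": ("high", "loads a kernel driver, which gives full control of the system"),
}


@dataclass
class ToyHips:
    learning: bool = True                     # installed in learning mode first
    baseline: Set[Event] = field(default_factory=set)
    alerts: List[dict] = field(default_factory=list)

    def observe(self, process: str, action: str, target: str) -> str:
        """Decide one event: 'allow' or 'prompt' (a pop-up the user must answer)."""
        event = (process, action, target)
        if self.learning:
            self.baseline.add(event)          # learning mode records everything it sees as safe
            return "allow"
        if event in self.baseline:
            return "allow"                    # trained-as-safe: no pop-up
        level, why = RISK.get(action, ("unknown", "unrecognised action class"))
        self.alerts.append({"process": process, "action": action, "target": target,
                            "risk": level, "why": why})
        return "prompt"


# Constructed daily routine the user walks through while the HIPS is learning.
ROUTINE: List[Event] = [
    ("winword.exe", "file_write", r"C:\Users\user\Documents\report.docx"),
    ("outlook.exe", "net_connect", "mail.example.com:993"),
    ("firefox.exe", "net_connect", "www.example.com:443"),
    ("backup.exe", "file_write", r"D:\backup\daily.zip"),
]


def train(hips: ToyHips, routine: List[Event], online: bool) -> ToyHips:
    """Walk the routine in learning mode, then switch to enforcement.

    With online=False the connections are never attempted during training,
    so the network side of those programs is missing from the baseline.
    """
    for process, action, target in routine:
        if action == "net_connect" and not online:
            continue
        hips.observe(process, action, target)
    hips.learning = False
    return hips


def replay(hips: ToyHips, events: List[Event]) -> List[str]:
    return [hips.observe(*event) for event in events]


def new_program_alerts() -> List[dict]:
    """Clean machine, trained online: the routine is silent, a new autostart prompts."""
    hips = train(ToyHips(), ROUTINE, online=True)
    replay(hips, ROUTINE)
    replay(hips, [("setup_tool.exe", "registry_run",
                   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\setup_tool")])
    return hips.alerts


def offline_training_alerts() -> List[dict]:
    """Trained offline: the first mail check and browser session still prompt."""
    hips = train(ToyHips(), ROUTINE, online=False)
    replay(hips, ROUTINE)
    return hips.alerts


def infected_during_training_decisions() -> List[str]:
    """Malware already present while learning is recorded as safe and never prompts."""
    persistence = ("helper_upd.exe", "registry_run",
                   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\helper_upd")
    hips = train(ToyHips(), [persistence] + ROUTINE, online=True)
    return replay(hips, [persistence])


if __name__ == "__main__":
    for alert in new_program_alerts() + offline_training_alerts():
        print(f"[{alert['risk']:<6}] {alert['process']} {alert['action']} {alert['target']}: {alert['why']}")
    print("trained-on-infected decision:", infected_during_training_decisions())
```

Running it shows the three behaviours the thread discusses: a trained routine generates no pop-ups while a new program's autostart entry produces one "high" alert with a reason attached; an offline-trained baseline leaves the mail client's and browser's first connections to be answered by hand; and an autostart entry that already existed during learning mode is silently allowed ever after, which is the reason for scanning before installing the HIPS.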
     
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Regardless of what anyone says, it sounds like pretty sound advice to me.
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Ah, I see. She asked for classical HIPS choice advice. Yes, in this case it is 100% reasonable. I was just wondering why he mentioned learning mode, as there are HIPS types that don't have it by design. Now it is clear for me. I just thought Kelli asked about HIPS overall, but she asked about a special type of it.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,219
    Hello,

    The best way to learn HIPS is to understand how the operating system works. Once you know what calls what where and when, then understanding the prompts becomes a simple matter.

    Installing HIPS and then trying to figure out what happens is a top-down approach. I prefer bottom-up. Get the fundamentals; everything else is easy.

    I can say I've personally gone through this in Linux. You'll never fully control the system unless you understand the basics. And I'm getting deeper and deeper into the roots. And then, things that happen around me feel simple and natural.

    For instance, you can correctly guess registry prompts, but that does not mean much if you don't understand the structure of the registry and what it does.

    Mrk
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Sound advice indeed.

    There are a number of quick and dirty "cheat-sheet" methods that allow you to use a HIPS to somewhat reasonable effect without knowing just what the hell is going on, but to craft effective policies and wield such a tool to its full potential, one really needs to understand the underlying OS functions and malware principles.
     
  17. Dogbiscuit

    Dogbiscuit Guest

  18. Makav3l1

    Makav3l1 Registered Member

    Joined:
    Nov 26, 2007
    Posts:
    241
    Use one.
     