comparison of anti-trojan programs and intrusion protection systems when dealing with

(Updated v2)
v2
Add more aspects to compare:
- convenience
- protection while installing your programs


Hi.
Read the following article: it is about comparison of anti-trojan programs and intrusion protection systems when dealing with trojans.
Comments are always welcome.

==================================================
Q: How do anti-trojan programs and intrusion protection systems perform when they are dealing with trojans?

Introduction
Anti-trojans
They are signature-based and use memory scan. It is convenient to use as the same as AV since you don't need to make any decision. However it weaknesses are:
- There are prices for convenience. It provides lower protection for both known & unknown trojans, especially true for unknown ones (comparing with intrusion protection systems).
- memory scan may not be as reliable as someone might think. It still has its own problems when detecting some types of trojans (anyway every product has its won weakness

Intrusion protection systems
I select ProcessGuard to explain. One protection it offers is to lock the access rights of physical memory. In fact, only a few system file needs to access to the memory. It is uncommon a program needs such kinds of access. So you don't really need to open the access rights (it's like the case in ports. It's stupid to open so many ports). So why not lock it up? It's much safer than relying on an AT to identify trojans, in which trojans still have good ways to hide themselves in front of an AT memory scan.

To have a clearer picture of both kinds of programs, I'm going to compare the pros and cons of ProcessGuard(PG) and Anti-trojan(AT), instead of just showing the positive sides of either AT or PG.

Difficulty to use (learning curve)
Case 1: Noobie
Draw or AT slightly wins
PG
If the noobie is so stupid (don't bother to read the manual), he thinks PG is install-and-forget, then he may be in trouble. Anyway it seems PG also has automatic way to turn on learning mode and turn off when it first set up. So he may still be protected.

AT
The same stupid thing can apply to AT. The most common problem is he doesn't update its signature. One may be stupid enough to misconfigure the AT.


Case 2: Beginner who is willing to learn/bother, not no need to have good computing knowledge
ProcessGuard will win
PG
As I say, you don't really need to try hard to learn PG. What you need to do is:
1) read manual - know how to use learning mode
2) use your friends - "search engine"
3) use your other friends - "forums"

- It can help you in most of the cases.
(again remember, there're still chances that you may not get helped in a few cases does not disfavor you to use PG. Only if the chance of PG coudln't not helping you < that of AT, then PG is not worthwhile. It's a common invalid argument which is used to disfavour a product)
- Really few alerts (unlike firewalls).
- Much higher protection: stronger trojan protection (known + unknown) & many other kinds of protection. (Take it for grant at this stage, it will be explained later)

AT
- A bit easier to learn is not an advantage for someone who are willing to spend some minutes to learn, when the former cna protect more advantages.

Convenience / Ease of use (bothering or not)
AT slightly wins
PG
At first thought you may think it's going to pop up many alerts for you to select which annoys you much. However it is not the case. PG is suitable for beginners due to its simple design & the "learning mode" function. When you first run PG, PG will try to record your system activities and learn from it. Close the learning mode and feel free to use computers without bothering.

Afterwards the alerts will drop by much (eg 80-90%). When the time it comes to alert you next time, it may be your malware calls

AT
This product, like AV, is used to run automatically under background. Sure it will alert you in some cases, but I think you can bear that kinds of annoyance?


Protection method
PG largely wins
PG
One protection it offers is to lock the access rights of physical memory. In fact, ony a few system file needs to access to the memory. It is uncommon a program needs such kinds of access. So you don't really need to open the access rights (it's like the case in ports. It's stupid to open so many ports). So why not lock it up? It's much safer than relying on an AT to identify trojans. I know trojans still have good ways to hide themselves in front of a memory scan.


AT
You don't need to make any decision (to protect yourself), At will do it for you, but so does PG.

However the problem is you depends on its signature base to identify trojans. the shortcomings are:
1) its signature base is far weaker than AV (I don't expect it can detect wide range of trojans alone)
2) It will become vulnerable when it faces Zoo trojans. ProcessGuard are still solid strong to prevent ITW and Zoo trojans.
- Incidentally, remember a lot of AT is really bad. If you use AT, you need to know how to choose.


Protection while installing your programs
AT largely wins
But in future, when PG has installation mode, it will be a draw

PG
up till now (24 Aug 2005), it hasn't support installation mode yet. When installing programs it is advised to turn it off.

You may try to still switch it on when installing. However the problems are you need to make quite a few clicks, and risk the possibility of messing up the installation.

So here's the current workarounds:
When you install any program, you shouldn't online. If you are afraid your system is not clean at the time you do the installation. Run AV/AT/AS scans first. Then temporarily switch PG off. But remember to switch it on after the installation. Don't forget!!

To sum up, the problems are:
- bothering to switch it off & the measures to keep it safe at that period
- may forget to switch it on once in a while
[Note: "No protection for the time being" will not be a real problem when you have implemented/considered my workaround]

Note: Up till 24 Aug 2005, it's the problem of PG. For other Intrusion Prevention Systems which have installation mode or its similar, the above problems vanish completely.

AT
You don't need to switch it off at all.
No bother, no pain, full protection.


Possible conflicts with AV
PG wins slightly, or it depends
PG
Its design does not conflict much with AV since they provide protection in different layers. Try to imagine PG is the bottom layer of protection; and AV is the upper layer. There are far lower possibility for them to conflict by design.

AT
Its design is to work in conjunction with AV, and it may be possible AV & AT conflicts with each other (it may be so obvious as to crashing or shutting down or non-obvious ones like insidious nullification of some protection, some mess-up etc.) Try to imagine AV is one layer of protection while AT is materials added on that layer. There are higher possibility for them to conflict by design.

Apply to both PG & AT
However it doesn't eliminate any possibility that there can be some non-typical conflicts with AVs. Indeed every program cannot be fully compatible in theory. Every computer is different.
Also I am talking about conflicts with AVs only. It is possible for both PG & AT to have compatibility issues on your computer/system. The chance varies depends on the programming ability, structures, design of the program, just to name but a few.


Security design of the product itself
PG largely wins
PG
ProcessGuard is a kernel-based product. It is much harder for a trojan to attack/modify/terminate/nullify this product.

AT
I don't think AT is kernel-based, so they are subject to invasion by malware. A malware can simply nullify your AT AND deceives you that it keeps working fine.

Extra benefits
PG largely wins
PG
Surely it doesn't only design for anti-trojan only. It has many benefits.
Just to name a few:
- supplement AV/AT/AS, firewall
- stop trojans to rewrite memory
- stop malware to install drivers/services
- help firewall to pass (nearly) all leak attacks (without it, your firewall may pass from 0-10% to 50% only)
- prevent insidous execution of files (if you use learning mode, any execution which is not expected/triggered by you are very likely to be evil. Block it.) Simple!)
- prevent you from: termination/crashing/modifing/nullifiyng system or security programs, dll injection, suspension, memory leak/overflow, rolkits/driver/keylogger, mosue&keyboard hooks, user imitation
- and so on

AT
- It only help you to add small portection for trojan protection (you know AT is only used as a supplement over AV, so that's why it's just a small protection). That's it.


Resource usage
PG wins or it depends
PG
The author claims it uses few resources due to its way of design (kernel-based, using driver etc.). The memory usage is 13,XXX K only in my computer.

AT
It depends on what program you use.
But I may guess it generally use more resource due to its way on how to have real-time protection. (remember I say generally only!)


Trojan Removal
AT wins
AT
It has the ability to remove trojans on its own.
Good!

PG
No, only prevention, not removal. But if it cannot enter in the first place, it is no need to remove.
Unfortunately if the trojans have intruded your computer,


Summary
PG wins in more aspects than AT.
However it doesn't mean you MUST choose intrusion prevention system like PG, but AT. You may place different values on some aspects, eg:
- if you feel convenience and alert-free is of utmost important, you should choose AT.
- if you feel protection is of utmost importance, PG or other intrusion protection system is your pick.
- if you value both, PG is probably your choice since it is designed for beginners: easy to use. Apart from some exceptions, if you don't bother to spend some minutes to read the manual and use Google/forums, you have no problems when using PG most of the time. You don't really need to make any alerts but a few if you use its learning mode properly.

Finally, no one force you into either A or B. Why not choose both if you wish?

 

Good article

It's a nice way to learn something, and to choose for some users...

 

Nice comparison.

It does miss scripts and program installations in the comparison though.

Also doesn't directly mention a comparison of popups.

 

why comparing popups Vikorr?

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

I think the above information should be more useful than something like:
==================
- Since people generally don't wish to bother with learning, AT is a must.
- Since intrusion protection system(IPS) offers better and more diverse protection, it is stupid not to use any IPS.
==================
(Note: Don't make me wrong that I intend to criticise the above claims/statements, or the ways people give their own opinions. There are nothing wrong on their own right indeed.)

So in this article, what I try is not to give you a black-and-white answer because different people have their own sets of weightings to different factors. So I just try to compare them. Hopefully this can help users to make their own informed & good choice which suits them best.

Does anyone think this is better than if I throw out an answer/choice based on my weightings/reasoning?

 

nope...it won't be better Wai_Wai but...you cannot compare let's say a scanner with IPS (like you mention PG...)

there is no comparision possible...but you tried, just like I did and finaly it comes down to making a team of and IPS and AT (just like you summarized in the end)...

I guess what I am saying is post like yours that compare pg with at makes people think that pg will block trojans and that is simply not true...

in three days I have read 4 times if pg or rd will block trojans...

and that is my point...making such comparisions (which was a good one to be honest) makes people confused but it sure helps to bring the discussion on.

Sincerely,

 

Feel free to add your comparison/opinions here.
So the quality of this article can be improved.

And would you mind clarifying what so the followng really mean/comprise:
- script (the blocking of script? What kinds of scripts?)
- program installation (the installation of the security products, or else?)
- popup (blocking web popups?)

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

Did you make your own post/article about that too?
If so, do you have the link?

What do you mean by "blocking trojans" here?
As far as I know, PG can (at least in some aspects/ways, and not wokr the same as AT).

What's rd?

Yes, sort of.

Making comparisons will make people confused in the way they may not know which to choose in the end (both have pros & cons - they are not perfect!). So it's not an effortless choice.

What you may need to do is to stay calm. Think seriously what factors are your dominating factors. You may set your weighting and give marks to each aspect (if you wish to be more scentific at your choice), eg:
=============================
Protection method (weightings: 0.2)
PG 6
AT 3

So the score in this aspect is:
PG = 6*0.2 = 1.2
AT = 3*0.2 = 0.6
=============================
(Note: Don't treat the above values seriously. These values are just arbitrarily assigned)

So in my opinion, this article is may not be completely useless in several senses:
- we may need to make decision between this and that, although they are not exactly the same type
- this article should improve the understanding about this 2 products (although it may be very slight for some people)
- hopefully not all people who read the article will get nothing but confusion
- some poeple may benefit from it and make good decisions.

In short, although ths article may not be useful, it is at least of some uses.

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

I didn't say this "article" is useless and I don't have to proof myself with "articles" I wrote here...

pg will block some actions of trojans (like dll injection - ..not all injections though .. - driver protection for rootkits,...) but it won't prevent the trojan itself. trojans/malware can be packed in various ways...even in "legitimate" programs that you can find on the web, P2P,...so you allow paintshop pro but in fact it's a trojanised version...how can pg stop this? It can't, cause you gotta allow it to see the pics.

rd = regdefend and it works in the same way.

those programs are not holy...and without a decent AT pg/rd can become useless if you try to compare and some clueless reader reads your stuff and thinks hey ... let's purchase pg and rd to protect against trojans/spyware.

every time you use AT in your article...you could have written: spyware/malware...
cause trojans and spyware are not that different anymore...

will pg and rd block spyware/virii? some actions it will block...but be carefull..

therefore I don't think comparision is possible...

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

It doesn't matter.
The purpose is I would like to read more comments from your articles, but not for proofs.

Yes, I see your point.
Anyway it is a sad fact that both AT & intrusion prevention systems have their own wekanesses.
following your reasoning, maybe I should state:
Neither AT nor intrusion prevention systems(IPS) can block trojans (in every aspect/situation). If we say either AT or IPs can block trojans, we may give them illusion or false sense.


So the best defense against trojans may be multi-layered protection:
- AV
- AS
- AT
- Firewall
- Intrusion Prevention System

Nothing is holy(all-cure), as you said, and everything can remedy each other's weaknesses.

I think you are saying using "anti-spyware/malware" to replace "AT".
It's a better label. However the problem is readers are not familar with this new term, and will confuse the readers. What's more, I once get criticised when I say AS also deals with trojans, so we can call it AS/AT. To prevent unnecessary confusion/argument, let the name AT as it is.

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

Exactly. All those claims about IPS is overblown, and the complementary bashing of scanners. Though we cannot really blame Wai Wai, there is so much hype about them by lots of people who should know better.

Try downloading and installing warez without any AT/AV. Load on whatever IPS combo you want, and you will still get infected. I'm not encouraging people to use warez, just making a point about trojans.

The point is trojans laugh at IPS. Even in the best case scenario, you realise what is going on, but it's too late.

There is a short article in the tech support newsletter about IPS/IDS/HIPS

First he talks about handlng 2 classes of alerts, basically alerts that occur when you are not doing anything or surfing the web.

These alerts are relatively easy to handle.

But..

A good AT/AV would make the difference because any warnings it throws up are more definite.

Considering that most experienced users would be immune to driveby downloads and the like due to good system configurations, handling malware hidden in self installed software is even mroe important.

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

Thanx Wai Wai, that is exactly my point...false sense of security....

What I stated for a long time: the only respecteable combo I know with sigbase and IPS is SafeNSec...but it lacks mem scanning...if that was the case we had a "winner" but then again it's a matter of time...like everything: all good things comes to an end...call me "not positive" ... I was Optimizer once a little bit contradictionary keeps us sharp isn't it??

anyway I wasn't addressing this to you in particular...I was stating this for the reason of this hips and ips and bablababb blub blub ...

the combo I am looking for would be Zonealarm ... let me just hate Zonealarm for the bloateness too much of the goodness cannot be good...

take care, don't take it personal...

Andy

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

I know but it is way to easy to read my posts and compare it with yours...that is not the idea/intention of me .. I am not the best in English grammar...sometimes I have difficulty expressing myself ...

I have at least the double of my "official" posts here...while I do like ten forward...I want to learn, I am learning @ the moment...

we all do...

I am not an expert however in some places people are considered to be an expert

I wish you the best, let me read a lot of your "articles" and I'll learn!

best wishes,

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

Hi,

I think most (all?) proponents of host intrusion protection system (HIPS), recommend it as adjunctive software to a fire-wall and atop-tier AV (which usually already has more than adequate AT and AS capabilities). This approach has many advantages over simply adding more and more anti-trojan and anti-software packages, all of which have similar weaknesses, i.e. relying primarily on detection rather than preventative techniques.

I do not think anyone is suggesting that HIPS software act (at least at this stage of its evolution) act as a complete replacement for detection-based security software. I think what some people might suggest is that one top-tier detection-based/on-access software (e.g. Kaspersky AV, NOD32) is enough and it may be supplemented with HIPS.

Rich

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

The main weakness of AV and ATs is that they do not have signatures for everything. This is why adding more of them as backups is helpful. Even the best AV will miss things, so another AT is generally helpful.

For many experienced people, their AV is good enough already of course. But I doubt there is much incremental gain from piling on HIPS as recommended by so many here.

As explained earlier, the most common way of getting infected is via self installed programs, where HIPS are of limited use besides sitting in the system tray and flashing prompts.

For experienced users with well configured systems, the threat is most likely to come from programs they choose to install. In these cases, it pays more to invest in additional AV/AT technology than in HIPS, which add little additional protection.

Noobs are likely to need the protection of HIPS , the only problem is first generation HIPS tends to be pretty difficult to decipher.

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

personally, I would prefer to have a seperate AV/AT rather than having them combined into HIPS. It seems unlikely that a new startup focusing on IDS can quickly acquire the knowledge and skills of established AV and AT companies. Any scanning technologies they incorporate will most likely be inferior to that of established companies. I'm thinking specifically of Prevx1 which is currently advising you to drop AVs.

A technological trade or merger between two companies might work though. KAV + Online Armor for example. Bitdefender + SafeNsec.

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

I hate combo's normal spoken but SafeNSec came close except the Memscanning.

from the moment they'll merge Outpost pro in it...I'm gone what's the difference with Zonealarm? I don't think there is one...that would be too much candy for me ...

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

Hey Wai Wai
How does your paper relate to a-squared personal. It is a combination of IDS and antitrojan, And the IDS is quite intelligent I might add

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

You may want to take note of the many experienced users of this forum who are using HIPS.

There are many protections that HIPS offers that are not delivered by signature dectection systems. Simply adding another signature detection system which is simply a subset of the AV's signature set (with possibly a little bit more signatures) does not really add any real additional protection. There is the on-going issue of zero-day attacks, stealth attacks (e.g. specialized rootkits), customized attacks designed specifically to evade signatures, including heuristic types, which, which only HIPS software can address. DiamondCS (one of the oldest signature-based systems on the market) exited the business because they understood that ultimately, signature-based systems alone are not adequate - they must be augmented.

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

Yes, but many would be the first to tell you, they don't know if there is any incremental protection at all.

There is no evidence that HIPS can work against zero day attacks despite claims. Even if they did, the risk is extremly minimal.

I'm unfamilar with the term stealth attacks. But how does HIPS work against rootkits? The only way I know of , relies on blocking Kernel drivers but that does not handle user mode rootkit. More importantly, a rootkit generally is used hidden via a trojan, so the user is likely to allow driver installation anyway despite the warning before he is the one that installs it. Eg A trojanised copy of Sysinternals Port ex[;prer would nail you.

Notice, to the limit 'heuristics' in AV and AT can approach and even exceed the HIPS software that are so popular here. For example A2 squared IDS and Panda's Truprevent basically uses techniques of monitoring behavior+system states (what you associate with HIPS) PLUS a intelligent expert system.

My second objection to HIPS available now is that they are generally reactive, by the time they notice the malware doing something it's too late.

Execution protection is all very well, but it doesn't help much given the nature of trojans.

Another problem with HIPS of the PG varity is that it's DUMB. No intelligence what so ever. This leads to unnecessary popup fatiage.

You can of course add some intelligence by implementing a rule based expert system to handle this, but then what you get is a heuristical rule that can be evaded same as any signature.

So there is always a tension between the two. You can try to monitor every area, and go crazy, or you can use some 'AI' to decide whether to warn you. The latter is what we call "Signatures" , and can be fooled.


Sadly, it's as easy to fool HIPS as antiviruses.

Trivally, there are literally hundreds of locations and behaivors not monitored by HIPS today that can be exploited. Take the most basic area of registry monitoring, there are literally hundreds of locations that needs to be monitored to prevent autostart ups.

Less trivally, there are methods available to fool Prevx, PG due to weaknesses in implentation etc using simple mapping, reversed cloaking etc.

To sum it up, the area that we should be concerned most with isn't really covered by HIPS, while it isn't proven that HIPS can really handle exotic zerodays.

While it is true that traditionally scanners have weaknesses, there isn't really much that can take their place for covering this critical area.

I wouldn't read too much into the fact that the end of one anti-trojan no matter how beloved by the people here says anything about the state of the industry.

The end of one company certainly doesn't make a trend.

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

Well said i.e. - that was just the beef.

 

Hi Infinity/Wai Wai

I simply meant that PG doesn't protect against scripts, but a AT would likely pick up the script running in memory

For Program Installations, many people would simply turn PG off to do the installation...so an realtime AT would be better in this instance

In regards to Popups...I thought a comparison needed to be done, because PG generates way more popups than an AT, and they are usually of a more technical nature.
-------------------------------------------------------------------------

As for the argument of how much more protection HIPS will provide over AV's, the answer is 'not a great deal more'...but...as Online Armour is proving, HIPS can offer services than AV's simply can't <in their traditional sense>...like DNS poisoining protection (checking that the site you are visiting is actually the site you are visiting), analysis of the website you are visiting for dangerous objects, tracking of installations so that you can do a complete uninstall if you find it to be malware (or you simply don't want it anymore), as well as the standard HIPS ability to give control of your computer back to you (ie homepage protection etc).

So there can be some very good advantages in using a HIPS to not using one.

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

I think there is a difference between discussing the capabilities of software with the ability of a user to make effective use of the software. The argument that "users will mess up" can be used with any type of security software. How many times have users hosed their systems by deleting false positives? How many times have users incorrectly answered system alerts and allowed their systems to be poisened. All products need proper understanding in order to be used effectively.

The issue at hand is whether HIPS can provide additional protection and/or opportunities to users to protect their system which are not available under AVs. I must say that the answer to this question is a categorical yes.

Rich

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

I think there is a difference between discussing the capabilities of software with the ability of a user to make effective use of the software. The argument that "users will mess up" can be used with any type of security software. How many times have users hosed their systems by deleting false positives? How many times have users incorrectly answered system alerts and allowed their systems to be poisened. All products need proper understanding in order to be used effectively.

The issue at hand is whether HIPS can provide additional protection and/or opportunities to users to protect their system which are not available under AVs. I must say that based upon my real-life experiences, the answer to this question is Yes.

Rich

 

Re: comparison of anti-trojan programs and intrusion protection systems when dealing

Hello vikorr

Thank you for agreeing.

Arguably these are services that are useful mainly by people who are not familar with phishing or DNS poisoning techniques. If this is the major value added that HIPS brings to the table, HIPS is in trouble.

Tracking of installations is fine, though I don't consider it part of the HIPS feature set that we usually discuss here.

In this forums when we say HIPS, we generally mean dumb monitoring of specific system areas, or behaviors. IMHO, a very small subset of this (including your example of homepage protection) is *probably* worth monitoring (say the subset covered by winpatrol/MSAS), but attempts to add more is likely to be counterproductive without some intelligence in the software.

Already, many AS/AV/AT monitor these areas so the value added by a specialised HIPS is dubious at best