A good Default/Deny HIPS

Discussion in 'other anti-malware software' started by trjam, Feb 22, 2009.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Any suggestions for those looking but less savvy?
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    The paid version of ProcessGuard 3.5 may be one of those which can deny access by default ;)
    Also in DriveSentry you could achieve this too :), and in Malware Defender, but it is not by default.
    Note: not recommended for daily use, but very secure :)
     
    Last edited: Feb 22, 2009
  3. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    784
    Malware Defender can be used for this. ;)
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Default-deny is a policy, not a type of HIPS or security software. In its simplest terms, default-deny is the blocking of anything that you haven't allowed. Software such as classic HIPS are at their best when they're used to enforce this policy. Most of the better HIPS will allow you the flexibility to make this as simple or as detailed as you want. It can be as simple as a list of processes that are allowed to run, or as detailed as specifying the allowed child processes, registry access, driver permissions, etc. for each process individually.

    Using the free version of SSM as an example, there are 3 program behavior choices under Options > Applications.
    [Image: SSM program behavior.gif]
    The first, "allow everything", uses a default-permit policy. Except for processes you've chosen to block, anything can run.
    The second option, "block process creation", enforces a process whitelist. Unless otherwise specified in the rules, it does not monitor parent-child behavior, DLL injection, driver loading, etc. On this setting, allowed processes can launch any other allowed process and can perform all the other mentioned activities.
    The third option, "block everything", monitors all the activities of each process and asks the user to specify what activities each is allowed to do and what other processes each one is allowed to launch and be launched by. This setting allows very detailed control over every running process and takes the most time and knowledge to set up.

    If you were using SSM free, you'd want the second option. I haven't used most of the other HIPS but I'm reasonably sure that most would offer similar options. Default-deny is a very effective security policy when properly set up. The one requirement is that the user needs to know (or learn) what processes are necessary for normal system operation and allow them.
     
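    The three SSM modes described in the post above, written out as a small policy evaluator. This is an added example and not code from SSM or from any poster; the process names, rules and process-creation events are constructed for illustration, and the decision logic is a simplified model of the post's description (in "block everything" mode it only checks the parent's launch list, not the separate "launched by" side SSM also asks about). The audit() function shows the "learn what processes are necessary" step: run the policy over events captured during normal use and every denial is either malware or a rule you still have to add.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Mode(Enum):
    """The three SSM program-behavior settings described in the post."""
    ALLOW_EVERYTHING = "allow everything"              # default-permit
    BLOCK_PROCESS_CREATION = "block process creation"  # process whitelist
    BLOCK_EVERYTHING = "block everything"              # per-process parent/child rules


@dataclass(frozen=True)
class Rule:
    """Per-process rule. 'may_launch' is only consulted in BLOCK_EVERYTHING mode."""
    allowed: bool = True
    may_launch: FrozenSet[str] = frozenset()


@dataclass
class Policy:
    mode: Mode
    rules: Dict[str, Rule] = field(default_factory=dict)

    def decide(self, parent: str, child: str) -> bool:
        """Return True if 'parent' may start 'child' under this policy."""
        child_rule = self.rules.get(child)
        if self.mode is Mode.ALLOW_EVERYTHING:
            # Default-permit: only an explicit block rule denies anything.
            return child_rule is None or child_rule.allowed
        if child_rule is None or not child_rule.allowed:
            # Default-deny: no allow rule means blocked, whatever the parent is.
            return False
        if self.mode is Mode.BLOCK_PROCESS_CREATION:
            # Whitelist only: any allowed process may start any other allowed process.
            return True
        # BLOCK_EVERYTHING: the parent must itself be allowed and must list this child.
        parent_rule = self.rules.get(parent)
        return (parent_rule is not None and parent_rule.allowed
                and child in parent_rule.may_launch)


def audit(policy: Policy, events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (parent, child) process-creation events the policy would block."""
    return [e for e in events if not policy.decide(*e)]


# Constructed sample rule set (hypothetical process names, not from the original post).
RULES = {
    "explorer.exe": Rule(may_launch=frozenset({"winword.exe", "firefox.exe", "cmd.exe"})),
    "winword.exe": Rule(),                  # allowed to run, but may not spawn anything
    "firefox.exe": Rule(),
    "cmd.exe": Rule(may_launch=frozenset({"ping.exe"})),
    "ping.exe": Rule(),
    "oldtoolbar.exe": Rule(allowed=False),  # explicitly blocked in every mode
}

# Constructed process-creation events, as a HIPS would see them.
EVENTS = [
    ("explorer.exe", "winword.exe"),     # normal use
    ("explorer.exe", "oldtoolbar.exe"),  # explicitly blocked program
    ("winword.exe", "cmd.exe"),          # a document spawning a shell
    ("cmd.exe", "ping.exe"),             # permitted child of an allowed process
    ("firefox.exe", "dropper.exe"),      # something with no rule at all
]


def denied_in(mode: Mode) -> List[Tuple[str, str]]:
    """Events from the sample log that the sample rules block in the given mode."""
    return audit(Policy(mode, RULES), EVENTS)


if __name__ == "__main__":
    for mode in Mode:
        print(f"{mode.value}:")
        for parent, child in denied_in(mode):
            print(f"  blocked {parent} -> {child}")
```

    Note how the unknown "dropper.exe" only gets through in "allow everything" mode, while the document-spawns-a-shell event is caught only by the per-process rules of "block everything"; the cost of that extra coverage is the per-process launch lists you have to fill in.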