Advice - best HIPS for testing - shows everything that happens

Discussion in 'other anti-malware software' started by Sully, Aug 10, 2009.

  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I wanted to know, what HIPS product would you suggest that could be used for testing, in a VMware box? The criteria are simple really: it must give a popup for anything and everything that happens when you run a given application.

    This question is posed because I use VMware a lot to test programs in, in as much as to see what it does etc., and if it is something I might like to use myself or pass on. However, I am also curious to see exactly what it might be doing. I have Process Guard, which is nice, but it falls a little short of some things I would suspect. It does give a pretty good prompt though which tells what the program is attempting to do. Of course I don't mind just allowing the program to do its thing, as I am only investigating, not really planning on keeping it or putting it on my real system anyway unless I approve of it.

    So, any suggestions for a HIPS that throws popups on everything, BUT that is also informative and easy to click 'OK' so as to continue to the next popup? I definitely DO NOT want to have to make rules or other nonsense, only see the prompts/info and continue.

    Thanks for any suggestions.

    Sul.
     
  2. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Malware Defender may be what you are looking for. With all protections enabled it should react to everything (with a pop-up message). It also has a log. Screen shots here:

    http://www.torchsoft.com/en/md_information.html

    It has a 30-day free trial period.
     
    Last edited: Aug 10, 2009
  3. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    How about Online Armor, it has one of the best classical HIPS on the market.
     
  4. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Online Armor will prompt like it's on crack so long as you don't make a rule.
     
  5. Julian

    Julian Registered Member

    Joined:
    Sep 14, 2008
    Posts:
    103
    Jeffrey Wu from PC Security Labs testing uses Malware Defender. Seems to be very good for those purposes.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    OA, I had that installed once upon a time. It is worth a try. Is the HIPS onboard as granular as a standalone one?

    Thanks for the replies so far.

    Sul.
     
  7. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    I like the idea of, by not clicking Remember my decision, the HIPS function will prompt for all actions. OA will display the process tree info within the prompt, and safe options, System Restore is kinda clever - hadn't noticed that.

    [Attachment: installer1.JPG]

    Could pick an application to load in Sandboxie and see which HIPS prompts the most.

    Folder is greyed out as it's a swear word :p
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Malware Defender is what i'd suggest also.
     
  9. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    After a disappointing GUI crash of OA today, I installed this Malware Defender.

    This Malware Defender is definitely not joke software; seeing is believing.
     
  10. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not sure if any of them tell you everything. SSM Pro will alert to the following on a per-process basis:
    Physical memory access
    Low-level disk access
    Low-level keyboard access
    Attempts to shut down the system
    Remote code control
    Suspending processes or threads
    Remote data modification
    Attempts to terminate other processes
    Command line parameters
    Network access, trusted and untrusted
    Global hooks
    Loading drivers
    Processes starting or stopping
    Many registry changes

    Is this the type of info you're looking for? I don't know its status with Vista. You don't have to make rules if you don't want. You have the option to allow or block anything on a "this time only" basis.
     
    Last edited: Aug 10, 2009
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, probably any of these would do it from what they claim to do. It will remain to be seen which has the best compromise of data given as to what is happening as well as allows a quick and convenient method to keep going. Logs might be nice also as all I am interested in is to see exactly what happens in questionable circumstances.

    My old ProcessGuard is what I was using for a long time, but I know some of these newer HIPS pick up more, so I am looking to test and see.

    Thanks for the input everyone.

    Sul.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sul,

    MD or OA,

    What is also nice for your purpose is using GeSWall.

    Just have a look at the user manual. When you set everything to redirect, the program continues without pop-ups. You can read the logs. Some redirects are less informative (especially the deny/redirect message logs).

    For that, use MD (can also be set to allow silently) or OA (gives the best intrusion interpretation, but will always pop up).

    Cheers

    Kees
     
  14. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,588
    Location:
    Mumbai
    I have used Online Armor only and found that it notifies for every behavior of any program.
    Even when I copy or cut any file using TeraCopy, a message pops up.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    How about a HIPS that is easy to not have activated unless you want to use it? Some applications throw up a few processes, and even when you have them 'disabled' they are present. Since I am using Shadow Defender in shadow mode all the time, the thought occurred that maybe it would be easy to test from the real OS. Shadow mode should clear anything up on reboot, and a HIPS that could be turned off would work great. Only when needed could one fire it up, run something or test etc., and not have to worry about it the rest of the time. I don't usually care to use programs that load even when you turn them off. When I want something to start I will allow it; otherwise it is not behaving IMO.

    Just some ideas bouncing around in my melon in the last day or two.

    Sul.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    good ideas indeed;)
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Oh, in that case
    :D
    Seriously though, Malware Defender at least has the option "Run Malware Defender when Windows starts", and I think SSM and EQS can too. You can also disable registry protection or file protection etc. as you please, and by tweaking the rules, you can monitor only what programs you wish and so on.

    They are truly open as far as the rules go, and I'd choose one of these. There is a free license for SSM Pro around if you don't know what to choose, or skip it for an MD trial - excellent program and support.
     
  18. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    EQ Secure with the Alcyon ruleset is a pretty nice brick wall for the system. :D
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    SSM is one running process, and only when running. Your choice if it starts automatically. When started automatically, it loads very early.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    One comment: some programs may run differently when they see they're being slowed down by a HIPS (malware can use the required human delay as a way to identify the environment and change behavior).

    It may not completely suit your purposes as it doesn't track interprocess transmissions but Total Uninstall could be a helpful addition if you're looking for another layer of analysis on registry/file changes.
     
  21. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    what about REVO Uninstaller?
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I believe Revo works differently than Total Uninstall - Total Uninstall tracks all of the changes during install and shows you a full listing while Revo has built in routines to remove programs (I could be wrong, however).
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I never tried it, but you can probably do similar with MD and its log system. Wildcard rules with allow and log for everything.
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have been using InstallRite in the VM box. I have a snapshot set up that has already taken the first image with InstallRite. I drop in the setup.exe, run it, then perform the second image with InstallRite and see what files or registry changed.

    I have not looked at total uninstall ever. Tonight I will try some of these suggested tools in vmware and see what they look like.

    Sul.
     
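The two-image workflow Sully describes above (image the tree, run the installer, image again, diff) is easy to reproduce without any particular product. The script below is an added example written for this page; it is not code from InstallRite, Total Uninstall or any HIPS discussed in the thread. It snapshots a directory tree as path, size and SHA-256, then reports added, removed and modified files. The sample tree and the "installer" activity in demo() are constructed in a temporary directory so the script runs offline; registry changes are not covered here (on Windows the same before/after pattern applies to a walk of the hive via winreg, which is left out to keep the example portable).

```python
"""Two-snapshot change detection (InstallRite-style): image, run, image, diff.

Added example for this thread, not from any product mentioned in it.
Hashing every file (not just size/mtime) catches in-place edits that keep
the file the same length, which a size-only compare would miss.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class FileState:
    size: int
    sha256: str


def snapshot(root):
    """Return {posix_relative_path: FileState} for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree cannot make the
    'installer' appear to have modified files it never touched.
    """
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = p.relative_to(root).as_posix()
            state[rel] = FileState(p.stat().st_size, h.hexdigest())
    return state


def diff_snapshots(before, after):
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed run: a fake setup that edits, deletes and drops files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "config.ini").write_text("debug=0\n")
        (root / "app" / "old.dll").write_bytes(b"\x00" * 16)
        before = snapshot(root)

        # Simulated installer activity (constructed, not a real installer).
        (root / "app" / "config.ini").write_text("debug=0\nautostart=1\n")
        (root / "app" / "old.dll").unlink()
        (root / "app" / "new.dll").write_bytes(b"MZ" + b"\x00" * 14)
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run snapshot() on the real target directory before dropping in the setup.exe and again afterwards, then feed both to diff_snapshots(); the output is the same kind of file-change list InstallRite produces, and the hash column lets you spot a DLL that was replaced with one of identical size.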