Advice to HIPS makers

Discussion in 'other anti-malware software' started by Devil's Advocate, Dec 2, 2006.

Thread Status:
Not open for further replies.
  1. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    It strikes me that while Wilders might not be the most technically advanced forum on the net, and most of us aren't super leet hackers, there's one thing where we are No. 1.

    That is in the use of HIPS. The average member here has used more brands of HIPS than the average user has used antiviruses.

    We are the ones who drive demand for such products by recommending them to others. So we should be heard.

    This is the thread for us to give generic advice to makers of HIPS (please no specific remarks about existing products).

    My take (for us - advanced users)

    Give us more control + no hard coded rules

    Everything should be configurable. Something like Prosecurity is the first step in the right direction, but there are still many options that should be added.

    No blackbox modules please. Don't worry if the settings are dangerous and need a computer scientist to adjust safely, we are advanced users who can do it, or at worst recover from backups.

    Make everything modular, so we can mix and match security products.

    Also don't worry about us locking ourselves out by accident, we are advanced users we know how to recover.

    If you are concerned about novices you can create two modes, one for advanced users.


    About Adding firewalls.

    If you are going to add firewalls/network controls, for god's sake, make it a real attempt, not one of those joke implementations that is practically unusable. We are advanced users; we need to be able to set specific rules (by remote/local IP, port etc.) in response to a prompt.

    If not, please for the sake of God, allow us to turn it off, or better yet to not even install that component at the point of installation.

    File/folder control

    Please add this. I want to be able to protect my files and folders from being read or overwritten. Encryption is nice, but I want to protect the data files of my security programs.

    I heard it's harder to protect against file changes than to block registry changes, but this feature is still not that common (short of sandboxes) so it is a feature to compete in. The whole process protection gig is getting a bit stale, everyone does it these days.

    Tell us why your HIPS is better.

    Don't be shy, tell us why your HIPS is better than the competitor's. I mean better in terms of protection, and not just hard to verify subjective stuff like "our GUI is better looking", "we are faster" etc.

    Release tests like Regdefend, APT, SSM's 2 HIPS test, CPILsuite etc. so we can verify your claims. Or teach us enough technical stuff to understand why yours is better.

    Add features that increase safety even if it is by a small amount.

    Add features even if they are only a bit safer, every bit counts.

    BTW I'm shocked for example to see that prosecurity uses SHA1 as a hash function. It's a new product it should be using SHA256 at least if not whirlpool. If I wanted outdated products I might as well use <insert you know what>.

    Compatibility with other products

    We advanced users will not just use your product as the sole line of defense no matter how good your product is. So you should ensure that your product doesn't conflict with other products.

    Almost everyone here uses KAV, NOD, Bitdefender, Antivir etc. for example, it is criminal for a HIPS product to conflict with those! That's just a turnoff, and one of the few factors that will lead to auto rejection of your product.

    Between KAV and your product, almost everyone will choose KAV over your HIPS, no matter how good your HIPS is.

    If you have generic browser related functions, make sure they work in Firefox and Opera! A lot of us don't use IE at all (not so bad if it's IE only stuff like Activex).

    BTW, a certain product which I shall not name has suffered and is not popular here, because it broke the last 2 points.

    Also important is to ensure compatibility with popular HIPS like SSM, because most of us will be running more than one HIPS.

    This is where your choice of beta-testers is important. Pick people who run all sorts of HIPS.

    Rope in experienced members of Wilders into your team and establish a presence here

    It is not enough just to post support in your own forums. Come here and personally answer questions, post updates.

    Features that make operation easy

    Okay so we are advanced users, but that doesn't mean you should make it difficult to use on purpose. Even we advanced users can get tired of answering prompts, so there should be features to reduce that.

    Learning mode where every application gets 100% rights automatically is passé. Who can ensure that his system is safe enough to run in such a mode every time a new application is installed?

    Make rules easily exportable and importable, so you can easily get new rules. I can imagine there will be fans of the product who will be willing to maintain rule sets or will be willing to create rule sets for applications you request.

    We advanced users won't just blindly import any rules of course, but it helps.
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Devil's Advocate,

    I do believe that you are speaking from the Bizarro world here :)

    Oppositely yours,

    Blue
     
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    those are some good points DA, and HIPS could definitely benefit.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    LOL, I think most HIPS makers have already figured this stuff out themselves. But thanks for the help DA. :D
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    God I hope not. lol.
     
  6. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    While you make a lot of great points, I think that the future of HIPS is actually the complete opposite of what you want. Companies don't make money off their software until they make it for the masses. And vast majority of computer users aren't all that savvy.

    So as HIPS software heads mainstream, it will be dummied down for the average user. More and more HIPS programs will be making decisions for the end user and giving the end user less control.

    There will always be programs that are geared for the "power users", but I see HIPS going mainstream rather than sticking to a niche market.
     
    Last edited by a moderator: Dec 2, 2006
  7. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Really? I hadn't considered that. :)

    Well but if these guys don't satisfy us, we ain't going to recommend them.

    If not for people like us, nobody would use HIPS. :)
     
  8. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    I don't know about that. I think whether the power user recommends the product or not, the technology is going to trickle down to the mainstream. Advanced HIPS programs are out there. So eventually, HIPS will be incorporated into the mainstream products. Eventually, every "Internet Security Suite" will have them.
     
  9. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    True. But we will still sneer at those poor deluded souls for using them, just as we sneer at the deluded people who think Norton or McAfee antiviruses are good antiviruses lol.
     
  10. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    Unfortunately, I am one of the "sheep" that the power users laugh at. I am not computer savvy at all. But different from most other sheep, rather than just buy the mass marketed stuff, I come to forums like this to get solid advice from guys like you.
     
  11. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    OH! OH! :cautious:

    Randy from the 'Update Section' should be here any minute now!
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, as a HIPS vendor and developer :D , I may say, that:

    1. Most users are not advanced. That is why-

    2. They don't need control over the ruleset. They just need simple and easy to use security!

    3. Tests are not very good at identifying if a HIPS is really good or not. For example, a HIPS may use ring3 hooks that could be very easy to bypass. The HIPS will be very good under tests, but, in real life, under ITW malware, it will be a security hole. Outpost 4.0, for instance, is good in tests, but if you remove its ring3 hooks, it is just one big security hole!

    4. Software compatibility is something really important, but the real life is that 100% compatibility is impossible. That is why the real parameter is: "how fast you fix compatibility and other problems and improve your functionality".

    5. The fact is that it is very hard to say "My HIPS is the best because of ....." because there are almost no HIPS comparative tests that will tell people if my words are true or just standard marketing bullshit. Also, there is no standard methodology and tests for comparative HIPS tests. And that is the problem too.

    6. Yes, there could be a person who will be talking to you, but if it is not somebody who is responsible for product improvement and/or technical support, this talk is just a waste of your time and energy!

    7. 2 ejr. Yes, HIPS systems are going to be mainstream like AVs and firewalls (in fact, mostly, like firewalls, because people, mostly, are looking for the cure, not for the prevention). But there are niches for any kind of HIPS! Sandbox HIPS are for novice/average/advanced users, classical HIPS are for professionals and geeks, expert HIPS are for advanced users only.
     
  13. herbalist

    herbalist Guest

    Good answer Ilya!

    I hope not. Running 2 HIPS programs is as bad as running 2 resident AVs or 2 firewalls.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    My concept of HIPS is like this (if anyone wants to implement it, I want percentage):

    Driver that will sit between kernel and anything else.
    Whitelisted processes can access kernel. Anything else gets rejected.

    You can add a new item, by either specifying an application name, hash or whatever, and allow all children handles - or for advanced users - allow specific handles; for instance, disable keyboard hook for some IM programs.

    No popups - if a person wants to install a new program, he must specify it through the HIPS - otherwise it gets rejected. ONLY whitelisted programs should be allowed.

    Call it WinLinux if you like, this is how I see HIPS.

    Mrk
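    A default-deny whitelist policy of the kind Mrkvonic sketches, written as an added illustration (not code from any poster or product): programs are identified by a SHA-256 of their image or, more weakly, by name; an entry either grants every handle or only specific ones, with explicit exceptions such as a denied keyboard hook for an IM client. Capability names, file "images" and rule contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Handles the hypothetical driver would mediate (constructed set for the example).
CAPABILITIES = frozenset({"kernel", "keyboard_hook", "file_write", "network"})


@dataclass(frozen=True)
class Rule:
    """One whitelist entry: identify the program by SHA-256 of its image
    (strong) or by name only (weak: a renamed binary would also match)."""
    sha256: Optional[str] = None
    name: Optional[str] = None
    allow_all: bool = False                   # "allow all children handles"
    allowed: FrozenSet[str] = frozenset()     # specific handles for advanced users
    denied: FrozenSet[str] = frozenset()      # explicit exceptions, e.g. keyboard_hook


class WhitelistPolicy:
    def __init__(self, rules: Iterable[Rule]) -> None:
        rules = list(rules)
        self.by_hash = {r.sha256: r for r in rules if r.sha256}
        self.by_name = {r.name: r for r in rules if r.name and not r.sha256}

    def decide(self, name: str, image: bytes, capability: str) -> Tuple[bool, str]:
        """Default deny: anything not covered by a rule is rejected, no popup."""
        if capability not in CAPABILITIES:
            return False, "unknown capability"
        digest = hashlib.sha256(image).hexdigest()   # hash match takes precedence
        rule = self.by_hash.get(digest) or self.by_name.get(name)
        if rule is None:
            return False, "not whitelisted"
        if capability in rule.denied:
            return False, "explicitly denied by rule"
        if rule.allow_all or capability in rule.allowed:
            return True, "allowed by " + ("hash" if rule.sha256 else "name")
        return False, "capability not granted"


# Constructed sample "images" standing in for executable file contents.
BROWSER_IMAGE = b"constructed browser binary v1"
IM_IMAGE = b"constructed IM client binary"

POLICY = WhitelistPolicy([
    Rule(sha256=hashlib.sha256(BROWSER_IMAGE).hexdigest(), allow_all=True),
    Rule(name="im.exe", allowed=frozenset({"network", "file_write"}),
         denied=frozenset({"keyboard_hook"})),
])

if __name__ == "__main__":
    print(POLICY.decide("browser.exe", BROWSER_IMAGE, "kernel"))
    print(POLICY.decide("im.exe", IM_IMAGE, "keyboard_hook"))
    print(POLICY.decide("browser.exe", BROWSER_IMAGE + b"x", "kernel"))  # modified binary
```

    A hash-identified program that is modified on disk no longer matches and falls back to the default deny, which is the point of preferring the hash over the name.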
     
  15. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Exactly, that is why we need tests to test for that!

    So you saying Defensewall isn't the best? What's better than?
     
  16. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Devil's Advocate

    Spywareblaster is quite hip and doesn't give any popups. Set and forget, plug and play, have you tried it ?

    That's the problem though, it's sort of, how do you know if the freezer's light has gone out when you close the door!

    I think people like the prompts, not too many, but enough to feel in control, to a degree, and dependent on what the designer coded. What's enough though, one person's drink is another's poison!


    StevieO
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Agreed
    Agreed. Sandbox for me :thumb:
    Yeah, they provide total control
    What are these ones? :blink:
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Expert HIPS are behaviour-based expert systems that analyze the number of behavioural steps made by a process and show you a popup window in case they think that the process is malware (like KAV's PDM). Such systems, as all expert systems, have False Positives (FP) and False Negatives (FN). Also, for process exceptions they need good application identification signatures constantly updated online. As they have FP, FN and popup windows, they are for advanced users only who understand what is going on and what HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run is.

    I've never said that DW is the best or not the best. You see, it could be the best for somebody and could be not the best for others. It is just opinion.

    I always say that it is a right-architectured driver-based sandbox HIPS implementation with the aim to build a good balanced defense system, as simple in use and learning curve as possible. As for other things, tests need to tell more than words! I believe in facts only!
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    thanks Ilya :thumb:
     