A HIPS for Windows 10

Discussion in 'other anti-malware software' started by blacknight, Jun 13, 2022.

  1. EASTER

    EASTER Registered Member

    Well @Bill_Bright you may not know some of us or serviced as you have for others locally in which you have, either online or in person their machines/systems, but I for one can assure you without exaggeration that I can attest to at least 1 HIPS security program that is proven beneficial in NOT getting infected AFTER installing and granular fine tuning that HIPS. COMODO is the one. But even before that in fact I swore off ALL AV's for years without incident or concern utilizing HIPS ONLY.

    That being said, here is your better argument. That was predominantly back on Windows XP, so you're no worse for wear, to your credit, in bolding that statement now. However, we all know no more reliable HIPS exist, with perhaps the exception of CFW, which can be of use but which sadly the OP can no longer use on his system. In fact it's not the HIPS per se but Comodo's iron cage CONTAINMENT that prevents getting infected.

    And I don't consider any of those third party security programs fun. Many demand serious time and effort that MOST users simply do not have the luxury of spending time to LEARN to adequately lock down and prevent infections.

    MS Windows Defender is, as you allude to, probably the best choice since it's been sorely tested and pretty much handles everything without HIPS IF also complemented with 3rd-party backup security programs. But then that gets into Layering, which is a topic for a different discussion altogether.

    But courtesy of HIPS I've gone many years without even a HINT of any intrusion from malware and was sad to see them fade, albeit many commercial AVs do implement many of their best benefits nowadays from when they were all the rage back then.
     
    Last edited: Jun 19, 2022
  2. plat

    plat Registered Member

    Well this is very good to know. For those like me who have only a passing and sparse knowledge of HIPS in practice, sometimes just the mention of it can be a little intimidating.

    Yes, using OSA on my W10 drive and VS on my W11 drive. If they never block anything even vaguely malicious, it's worth it (to me) just for the little extra peace of mind that something besides the primary antivirus is keeping tabs on here. It's my money and my computer after all, right? Decisions like this aren't made with the fears of what others may think of what I'm running on my device. Seems a little strange that way. Who cares?
     
  3. bellgamin

    bellgamin Registered Member

    I hear you, loud & clear @plat1098 -- grace & peace to you. Aloha from Hawaii to all Brooklynites. :thumb:
     
  4. blacknight

    blacknight Registered Member

    Here is one.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Well, it wasn't really meant as a personal attack, but some things need to be said. Especially because you still seem to be missing the point. And that is that nobody on this forum is claiming that you absolutely NEED to be using extra protection tools (HIPS, anti-exploit, anti-logger) if you want to stay safe. So nobody is disagreeing with you on this.

    However, the people who still choose to use extra protection tools are clearly trying to achieve something. And that is to get an even higher rate of protection. So yes, most of us still patch our systems and download apps from trusted websites and are not being click happy. We also use AV's and firewall, either third party or built-in.

    However, we still think it's fun and more importantly USEFUL to use extra protection tools in case we will encounter more sophisticated attacks which are able to bypass AV's. To give an example, in the latest test, Win Defender failed to block 7 out of 725 malware samples, which is still a pretty good detection rate, but if we somehow got tricked into downloading one of those 7 malware samples (zero day exploit or supply chain attack), then our systems would be toast.

    Again, nobody is claiming that you can't stay safe without these tools, or need extra layers. But these tools use almost no CPU time, hardly any RAM and don't cause any extra disk activity. If they would bog down the system, we wouldn't be using or recommending them.

    So yes, if people on this forum are interested in learning more about these tools, we will give them advice, and let them make the decision about if they want to go the extra mile or not. I think this is more productive than to simply say that people don't need them, without explaining how HIPS/behavior blocking may be useful even when you are already practicing safe computing habits.

    How would this prove anything? This probably means that those people simply never encountered malware, or that the malware was stopped by AV, which is absolutely great. But this doesn't mean that HIPS can't offer protection in case AV gets bypassed.
     
  6. Rasheed187

    Rasheed187 Registered Member

    LOL, exactly my point. How boring would life be on security forums like WSF, if we all believed in this mantra? :argh:
     
  7. cruelsister

    cruelsister Registered Member

    For me, even more distressing are the "Windows Firewall is all you need" comments.
     
  8. Brummelchen

    Brummelchen Registered Member

    so you got infected while using a hips?

    i think this is by reason. the given examples are very technical, niche products, not really sellable nowadays.

    no & yes.
    i can understand when people use product for fun, to raise experience and adopt it on another level. it takes time and users should adopt the experience to another level. "should"... sometimes it does not.
    OSArmor and VS have totally other targets as the other antivirus (suites).

    that's a major problem shown in this thread. a variety of suggestions for software for users...
     
  9. imdb

    imdb Registered Member

    ;)
     
  10. EASTER

    EASTER Registered Member

    I can go one better. Before MS Windows Defender improved I used 360 many months infection-free up until Ransomware's debut, and it carved through that AV like butter. That was the last straw for me with ANY commercial AVs, PERIOD. Never looked back, and utilizing LAYERED 3RD-PARTY security programs locked that crap out FOREVER. Even deliberately infected myself time and again afterwards to test the defensive mettle, and I've been going strong for years now with no concerns. Even WITHOUT MS Defender at all.

    On my meager memory-starved systems the performance is at top efficiency, with none of the strain AVs used to cause with their constant scanning of files.

    WVSX is the ONLY semi av which for me is so stupid light but with a lightning rapid response. (When I use it) :cool:
     
  11. plat

    plat Registered Member

    Yes, when you have such diversity in hardware, software and user behaviors, it's rare that a blanket statement could cover all scenarios.

    One's past experiences dictate things also. Whatever works for you. I know HIPS nowadays wouldn't work for me--I'm lazy and there's other good stuff out there that's way less interactive while also being effective (if configured properly). There's a REASON this type of security is relatively uncommon nowadays.
     
  12. bellgamin

    bellgamin Registered Member

    OP asked about available HIPS apps. One purpose of using HIPS is that they can offer excellent protection against zero-day & other malware that might not be detected by signature-based scans. In response, I offered 2 apps that provide good HIPS capabilities.

    Later in the thread, I also mentioned OSArmor & VoodooShield because they also offer protection from those same kinds of threats, even though they do so in different ways from those used by a HIPS.

    =>OSArmor is primarily a behavior blocker and, thus, it can block zero-day & other malware that gets past a sig-based scan &/or a less constrictive, AV-component-based behavior blocker.
    =>VoodooShield is a broad based anti-exe/default-deny/whitelister/reputation-checker with a good deal of AI thrown in. As such, its manifold barriers to malware provide excellent defenses against zero-day and other malware that evades sig-based scan.

    I mentioned ESET, Kaspersky, & Emsisoft because these AVs all incorporate a HIPS or HIPS-type component.

    In summary - there are many methods of protecting users from zero-day and other malware that may slip past *conventional* methods of malware protection. OP was seeking a HIPS. I offered some HIPS then went on further, to name apps that have similar protective goals to those of a HIPS.
    ~~~~~~~~~~~~~~~~~~~~~~~
    ~ OT Remarks Removed ~
     
    Last edited by a moderator: Jun 20, 2022
  13. EASTER

    EASTER Registered Member

    I think @plat1098 you see it clearly. It's the mention of the INTERACTIVE factor. In HIPS' great 32-bit days the interactive features were new and they did indeed implement a solid SUSPEND action, whereby a user could thoroughly examine the originating file(s), the process issuing a command to another, etc., and that in and of itself, at least for the learned, was a welcome boon. The user could further see PATH and DESTINATION and, if even somewhat suspicious, you would simply click DENY or DENY & DELETE. At least a good HIPS could HALT any further purposes until the user could verify whether or not to Temporary/One Time Allow or even WHITELIST.

    I think the rub with HIPS came about due to the interruptions, and at the time the internet channels were freely allowing all sorts of malicious incoming to run rampant, which is where HIPS in its debut served a very useful purpose. Actually it still can and does today, but PC Security Apps have also improved their own tactics of tackling those same PC interruption dangers or intrusion possibilities.
     
  14. Brummelchen

    Brummelchen Registered Member

    "stopped" should mean "prevented"?
    problem seems that there exist no logs or images from that attack.
    next problem is that he wrote about "comodo hips and firewall"
    was it hips or firewall? in case of hips the user already got the attacking program on their system. that's all Bill is telling us about, and from my view the user has already lost the game.
    in case of firewall i have to assume that no router is used, only a modem, or wi-fi (which means the same).
    windows is selecting, based on router or modem/wi-fi, the proper rules (private or public) - public rules are stronger.

    the change from modem to router here stopped immediately all incoming "attacks" (that time i had more emule scans than anything else). outpost got out of inbound work. and i started LAN, this is now 20 years ago.
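The profile point above (Windows applies different inbound rules depending on whether it classed the connection as Private or Public) can be checked directly. The following is an added example, not code from the thread or from any product named in it; `Get-InboundExposure` is a hypothetical helper name, and it assumes Windows 10/11 with the built-in NetSecurity module.

```powershell
function Get-InboundExposure {
    # Hypothetical helper: for each Windows Firewall profile, report what it
    # does with unsolicited inbound traffic, how many enabled Allow rules punch
    # through that default, and which active connections are bound to it.
    $active = Get-NetConnectionProfile
    $rules  = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True

    foreach ($p in Get-NetFirewallProfile) {
        # Rules tagged 'Any' apply to every profile; others list the
        # profiles they apply to as a comma-separated flags string.
        $holes = @($rules | Where-Object {
            $_.Profile -eq 'Any' -or
            (($_.Profile.ToString() -split ', ') -contains $p.Name)
        })

        # Get-NetConnectionProfile reports the domain profile as
        # 'DomainAuthenticated'; the firewall profile is called 'Domain'.
        $category = if ($p.Name -eq 'Domain') { 'DomainAuthenticated' } else { $p.Name }
        $bound = @($active | Where-Object NetworkCategory -eq $category).InterfaceAlias

        [pscustomobject]@{
            Profile              = $p.Name
            Enabled              = $p.Enabled
            DefaultInboundAction = $p.DefaultInboundAction   # Block is what you want
            EnabledAllowRules    = $holes.Count
            ActiveConnections    = ($bound -join ', ')
        }
    }
}

Get-InboundExposure | Format-Table -AutoSize

# A directly connected modem or Wi-Fi link that Windows classed as Private
# can be moved to the stricter Public set (requires an elevated session;
# replace the alias with the one shown in ActiveConnections above):
# Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public
```

A connection shown under a profile whose DefaultInboundAction is Block, with few EnabledAllowRules, is the "public rules are stronger" case the post describes.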
     
  15. Rasheed187

    Rasheed187 Registered Member

    It depends a bit, because OSArmor can also be considered a HIPS. But interactive HIPS like SpyShelter and Comodo were never that common because you need to be able to operate them. If you don't understand those alerts, it's pointless to use them. So that's why they were never popular in the first place.

    LOL, good one. I suppose it will do a good job blocking network traffic from standard malware, but more advanced ones won't have any difficulties connecting out.
     
  16. plat

    plat Registered Member

    You nailed it, Rasheed. :thumb: Me, I got irked and irritated at every notification. I'm not a HIPS person, for sure. But I appreciate the security philosophy behind it also.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Yes, too many alerts are annoying, so that's why I have configured SpyShelter in a way that will minimize alerts. The strange thing is that SpyShelter has never implemented an auto-block mode. That's why about eight years ago I also switched from ZoneAlarm (no auto-blocking) to WFC and later TinyWall, because those pesky outbound alerts were driving me insane. But HIPS like SpyShelter should basically be seen as a way to manage app permissions, just like on smartphones, but with even more control.
     
  18. Infected

    Infected Registered Member

    For me, CFW never blocked Windows updates. Even if it did, you can unblock any process.
     
  19. blacknight

    blacknight Registered Member

    I believe that it is a conflict issue between WFC and CFW; when I restored a 10 image without CFW the update process worked fine.
     
  20. EASTER

    EASTER Registered Member

    Thanks for sharing the results from your experience with it. Helpful
     
  21. bellgamin

    bellgamin Registered Member

    I really like SpyShelter's HIPS component. It's VERY user friendly. Very! It was a busybody for my first few days of use. Its alerts asked questions but gave great info to help with answering them -- including access to a zoom-fast upload to get scans by several top-notch AVs on VirusTotal.

    After the HIPS' first few days of learning my system's apps & usages, the HIPS rarely pops alerts any more. However, when it *does* pop an alert, I do pay very close attention -- NO fast clicks for me.

    SpyShelter's HIPS enables users to make their own rules, & provides a step-by-step process for easily doing so. However, I am getting along just fine, security-wise, with only those rules that were automatically made by the HIPS itself, based on my responses to alerts.

    It works for Win 7 through Win11. I like it a lot (obviously).
     
    Last edited: Jul 29, 2022
  22. digmor crusher

    digmor crusher Registered Member

    That's the problem with HIPS, all these alerts that are false positives, allow, allow, allow, allow. No thanks.
     
  23. bellgamin

    bellgamin Registered Member

    I've never had a False Positive (FP) with SpyShelter's HIPS. Actually, it is well-nigh impossible for the SpyShelter HIPS to ever generate an actual FP. The same is true for ALL well-designed HIPS & Behavior Blockers.
     
  24. EASTER

    EASTER Registered Member

    SpyShelter HIPS sounds very appealing to me since I had such a successful, solid experience on XP with EqSysSecure HIPS, which was amazingly user friendly AND highly configurable, as well as a proven stopper until rules could be set OR paths determined. Rulesets were minimal, in XML format, and could be customized per the user's choice of protections for limited alerts. A sorely missed creation that sadly wasn't picked up to transition to x64 - it was 32-bit only, then done, as in finished.
     
  25. blacknight

    blacknight Registered Member

    Obviously I tried to solve it by giving all the reciprocal authorisations to WFC and CFW, but it didn't work. Neither did it work to set CFW, during the installation, in Training Mode.
     