Any HIPS that meet both of these requirements?

Discussion in 'other anti-malware software' started by Gullible Jones, May 20, 2012.

Thread Status:
Not open for further replies.
  1. 1) The HIPS must be able to prevent executables from running

    2) It must be possible to turn auto-allow based on digital signatures off, because there is malware now that comes with a valid-looking digital signature (and never mind stuff like the Sony BMG rootkit)

    3) Most importantly, it must be possible to update the whitelist en masse; i.e. to allow individual files in batches, rather than one at a time. I'm not talking about allowing everything in a given directory, which is grossly insecure, but rather the mass creation of hash rules.

    Are there any HIPS or HIPS/firewall combos like this? Freeware would be a bonus, but IMO such a piece of software would be well worth paying for.
     
  2. tomazyk

    tomazyk Guest

    Malware Defender has first two options. The third option is not possible... One can only add folders and/or subfolders but not more than one individual file at once.
     
  3. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
  4. Why? I can't think of any reason the HIPS couldn't iterate through a set of executables and calculate hashes for all of them.

    (And if it's a limitation of the Windows file selection dialog, then why not allow one to calculate hashes for all executables in a directory, instead of blindly allowing anything in that directory like e.g. SSM?)
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Most HIPS can be tailored the way you want, out of the box those will do fine
    1. FW / HIPS = Private Firewall, Online Armor
    2. AntiExec = NovirusThanksRadarPro, SpywareTerminator

    regards
     
  6. Thanks... Unfortunately PrivateFirewall doesn't allow mass addition of executables, and neither AFAICT does Online Armor. I might try Spyware Terminator next.

    (If you're wondering what this is about, I'm trying to create a whitelist-based setup that works reasonably well with development and CLI tools; because at the moment, whitelisting looks to me like the most sensible approach to Windows security.)
     
  7. tomazyk

    tomazyk Guest

    MD does not use hashes to identify apps. It uses filenames with paths to identify an app. Modifying/replacing an executable is prevented with file rules.

    When manually adding a rule only one executable can be added at a time. I usually put MD in Learning mode for a while and run programs that I use. After a while I put it back to Normal mode and check and edit all rules created during Learning mode.

    I never had a need to blindly add all exes from a directory to my rules.

    EDIT: OK, I saw your post too late.

    EDIT2: I think you can achieve what you want with MD. You can add whole dir with subdirs to whitelist. All exes in that folder will be whitelisted. File rules of MD will prevent modifying and adding new exes to that folder so untrusted apps can't be accidentally whitelisted.
     
    Last edited by a moderator: May 20, 2012
  8. Update: Spyware Terminator doesn't allow mass additions to the whitelist either. This is really quite annoying!

    As for learning mode. I suppose that's doable... It seems to me like an excessively dangerous way to whitelist a few dozen files. Granted that you can prune the whitelist later, if you get compromised while in learning mode it's all over.
     
  9. Thank you. That is exactly what I am looking for!

    (And if anyone knows of any other HIPS that can do that, please do let me know. The more the merrier.)
     
  10. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    Why not SRP? It can deny executables from running and you can specify whatever directories/subdirectories you want to exclude. Virtually no performance impact and free (sort of).
     
  11. Again, no en masse whitelisting, except through directories - which is either very insecure (as administrator) or very inconvenient (as limited user).

    (Win7 parental controls do make LUA/SRP easier, but unfortunately seem to recalculate each and every checksum whenever adding a new application to the whitelist. When you have a MinGW toolchain installed, this takes a while.)
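Post 4 asks why a HIPS cannot simply walk a set of executables and hash all of them, and post 11 complains about every checksum being recomputed whenever one application is added. As an added example, not code from any product named in this thread, the Python below builds hash rules in bulk from a directory, keeps a size/mtime cache so unchanged files are not rehashed on later runs, and contrasts a hash rule with the directory rule the thread calls insecure. The directory layout, file names and file contents are constructed for the demo, and the set of suffixes treated as executable is an assumption.

```python
"""Bulk creation of hash rules for an executable whitelist (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Assumption: which suffixes count as "executable" for rule creation.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".scr"}

# cache entry: path -> (size, mtime_ns, sha256)
Cache = Dict[str, Tuple[int, int, str]]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large toolchain binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_whitelist(root: Path, cache: Optional[Cache] = None) -> Tuple[Dict[str, str], int]:
    """Walk `root` and return ({sha256: path}, number_of_files_actually_hashed).

    With a cache, a file whose size and mtime are unchanged reuses its stored
    digest, so adding one program does not rehash the whole toolchain.
    """
    whitelist: Dict[str, str] = {}
    hashed = 0
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        st = path.stat()
        key = str(path)
        entry = cache.get(key) if cache is not None else None
        if entry is not None and entry[0] == st.st_size and entry[1] == st.st_mtime_ns:
            digest = entry[2]
        else:
            digest = sha256_of(path)
            hashed += 1
            if cache is not None:
                cache[key] = (st.st_size, st.st_mtime_ns, digest)
        whitelist[digest] = key
    return whitelist, hashed


def is_allowed_by_hash(path: Path, whitelist: Dict[str, str]) -> bool:
    """Hash rule: the file on disk is rehashed at decision time, never trusted by name."""
    return sha256_of(path) in whitelist


def is_allowed_by_directory(path: Path, allowed_dir: Path) -> bool:
    """Directory rule (the model the thread calls insecure): anything under the folder runs."""
    try:
        path.resolve().relative_to(allowed_dir.resolve())
        return True
    except ValueError:
        return False


def demo() -> Dict[str, object]:
    """Build rules from a constructed toolchain folder, then show what each rule type allows."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "mingw" / "bin"
        root.mkdir(parents=True)
        # Constructed stand-ins for a toolchain; readme.txt must not become a rule.
        for name, body in (("gcc.exe", b"MZ fake gcc"), ("ld.exe", b"MZ fake ld"), ("readme.txt", b"not code")):
            (root / name).write_bytes(body)

        cache: Cache = {}
        whitelist, first_run = build_hash_whitelist(root, cache)
        _, second_run = build_hash_whitelist(root, cache)  # warm cache: nothing rehashed

        # Two events a whitelist should refuse: a new binary appearing in the
        # trusted folder, and an existing trusted binary being replaced in place.
        dropped = root / "evil.exe"
        dropped.write_bytes(b"MZ dropped in")
        tampered = root / "ld.exe"
        tampered.write_bytes(b"MZ replaced ld")

        return {
            "rules_created": len(whitelist),
            "hashed_first_run": first_run,
            "hashed_second_run": second_run,
            "gcc_by_hash": is_allowed_by_hash(root / "gcc.exe", whitelist),
            "dropped_by_directory": is_allowed_by_directory(dropped, root),
            "dropped_by_hash": is_allowed_by_hash(dropped, whitelist),
            "tampered_by_directory": is_allowed_by_directory(tampered, root),
            "tampered_by_hash": is_allowed_by_hash(tampered, whitelist),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The cache only decides whether to recompute a digest; the allow decision always rehashes the file actually on disk, so a replaced binary that kept its size and timestamp would get a stale digest in the rule list but would still be refused at run time. A real HIPS makes this decision in a kernel driver at process creation; this user-mode script only illustrates the rule model.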
     
  12. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Mamutu is more of a behavior monitor as opposed to a HIPS but has a white list that is updated. I had issues running it on my computer but others report no issues.
     
  13. Yanick

    Yanick Registered Member

    Joined:
    May 3, 2011
    Posts:
    269
    SpyShelter, perhaps?
     
  14. Again, thanks. :thumb: I managed to set up what I consider an acceptable situation with PrivateFirewall, thanks to its training mode, but there's always room for improvement.

    BTW, I also tried Windows Defender's HIPS mode briefly, I have a question about it. Supposedly one of the things it can watch for is program execution... But it clearly has a very extensive whitelist built in. Where does it get/keep that whitelist?
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think Kees's suggestion, NVT EXE RADAR PRO, could do what you're looking for.
    You can select a folder to scan for applications for the whitelist (MD5).
     
  16. Thank you, EXE Radar Pro appears to work exactly as I want. I'm not entirely certain it's trustworthy, but then I'm not entirely certain anything in the Windows world is trustworthy.
     
  17. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    EXE Radar Pro is an excellent program. Since I switched to it I've loved all its features. It's a very easy program to use. It has a ton of options to configure it. It's very light on resources and you don't even realize that it's running.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I believe Online Armor is going to be your best option if you want to stay with a HIPS. Don't take my word for it; just try it for yourself.
    -http://www.emsisoft.com/en/order/oa/

    You may also want to look at AppGuard from Blue Ridge Networks. It's an anti-executable. If you want to be extremely secure then you need to try this application! It stops pretty much everything in its tracks! -http://www.blueridge.com/index.php/products/appguard/consumer
     
  19. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Online Armor fulfills your first 2 requirements, not so sure about the third one. :D
    Give it a try! (And has lots of other features) :thumb: :thumb:
     
  20. Tried it. It does not fulfill the third requirement.

    I'm kind of surprised how few HIPS/firewalls do actually. It should not be hard to implement, and is an essential feature for anyone using e.g. Cygwin.
     
  21. Yanick

    Yanick Registered Member

    Joined:
    May 3, 2011
    Posts:
    269
    Agnitum Outpost Firewall Pro does 1) and 2); on 3) I'm not sure, maybe half of 3). It's been some time since I used it, but that HIPS is very clear and effective. Has a lifetime license too :thumb:

    Mmm.. I'll probably have to install it again :D
     
  22. I just discovered Online Armor's install mode, which somehow escaped my notice earlier... Consider this problem basically solved.

    (And I'm liking Online Armor Free. It is... very paranoid.)

    Edit: Or not. OA adds some serious overhead when running small executables - several seconds per command. Grr!
     
    Last edited by a moderator: May 22, 2012