Anyone try Blink® Personal Edition?

Discussion in 'other anti-malware software' started by zopzop, Feb 19, 2007.

Thread Status:
Not open for further replies.
  1. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Well Stem, how about it? Would you, or could you test out Blink Neighborhood Watch and let us all know what your expert opinion of it is? I'm already getting the itch to uninstall it (who would have guessed? LOL), but a good review from you would save me the effort. LOL. I will add that although no major slowdowns on PC, it does seem slightly slower. This may only be though because I know it's using close to 58MB of memory and just makes me feel this way.
     
  2. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I'm still good, but not knowing what or how to make execution rules does concern me. Is Blink doing anything in that area without those rules? I know the rest of the program is working, and can't see installing something else to cover an area that Blink will cover if things are set up right - which I can't do.

    Shoot, I'm not even sure what 'execution rules' are, or if they differ from one computer to another. I'm thinking Blink is a good program but beyond my capabilities to get the best out of it.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Chuck,

    The execution rules are parent-child execution control (see pic). You can find the user manual in the Blink directory (a PDF). The execution control is a bit awkward. Blink uses these rules as additional limitations (block), control (allow under conditions) or monitoring (log). Programs not mentioned in the list are allowed. The use for execution control is to fine-tune the application monitor (programs initiating traffic).

    Registry control is the same as CyberHawk offered in the first release. You have to know the exact registry entry, which is not very user friendly (they could take an example from SSM, which guides you through the entries and possible values).

    To me the advanced options in Blink Neighborhood will be great in release 5 or higher. At the moment (release 3) it requires too much knowledge and is very labour intensive to set up. o_O

    Hope this helps

    PS
    Chuck, I would install CyberHawk again, see Blink as a Behavior IDS on network level and CyberHawk as a behavior HIPS on process level, so they do not compete, but complement.
     

    Last edited: Feb 21, 2007
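The rule semantics described in the post above (block, allow under conditions, log, and everything unlisted allowed), modelled as an added example that is not part of the original thread and is not Blink's own code or rule format. The rule fields, the path-based "condition" and all process names and events are constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class ExecRule:
    parent: str             # glob on the parent image name (lower case)
    child: str              # glob on the child image name (lower case)
    action: str             # "block", "allow" (conditional) or "log"
    child_dir: str = "*"    # assumed condition for "allow": glob on the child's full path

DEFAULT_ACTION = "allow"    # per the post: programs not in the list are allowed

def evaluate(rules, parent, child_path):
    """Decide one process creation; first matching rule wins."""
    parent, child_path = parent.lower(), child_path.lower()
    child_name = child_path.rsplit("\\", 1)[-1]
    for rule in rules:
        if fnmatchcase(parent, rule.parent) and fnmatchcase(child_name, rule.child):
            if rule.action == "allow" and not fnmatchcase(child_path, rule.child_dir):
                return "block", rule          # condition of the allow rule not met
            return rule.action, rule
    return DEFAULT_ACTION, None               # no rule mentions this pair

def fall_through(rules, events):
    """Events decided only by the default, i.e. what the rule list does not cover."""
    return [e for e in events if evaluate(rules, *e)[1] is None]

# Constructed rules and events (hypothetical, for illustration only).
RULES = [
    ExecRule("winword.exe", "cmd.exe", "block"),
    ExecRule("iexplore.exe", "*.exe", "allow", r"c:\program files\*"),
    ExecRule("explorer.exe", "regedit.exe", "log"),
]
EVENTS = [
    ("WINWORD.EXE", r"C:\WINDOWS\system32\cmd.exe"),
    ("iexplore.exe", r"C:\Program Files\Adobe\Reader\AcroRd32.exe"),
    ("iexplore.exe", r"C:\Documents and Settings\user\Local Settings\Temp\setup.exe"),
    ("explorer.exe", r"C:\WINDOWS\regedit.exe"),
    ("excel.exe", r"C:\WINDOWS\system32\cmd.exe"),
]

if __name__ == "__main__":
    for parent, child in EVENTS:
        action, rule = evaluate(RULES, parent, child)
        print(f"{action:5}  {parent} -> {child}  ({'rule' if rule else 'default'})")
    print("not covered by any rule:", fall_through(RULES, EVENTS))
```

The last event shows the practical cost of a default-allow list: a parent that no rule names starts the same child that is blocked for another parent, so the fall-through set is what needs reviewing when rules are written by hand.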
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The upside of Blink (default control)

    + granular traffic control (core firewall competence)
    + on-par application monitoring like any other software firewall
    + strong MD5 control of applications initiating traffic (Comodo uses weaker CRC)
    + allows only traffic which is strictly according to protocol, drops suspicious packets
    + has basic rules to protect against phishing (redirects etc)

    But I keep on using SensiveGuard.
     
  5. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks Kees1958, that was very informative and very nice of you. I like Cyberhawk, so I hope it's ok to use it with Blink, but the Blink website does say that Neighborhood Watch has Host Intrusion Prevention. What you're saying though, is that it is more of an IDS because it only alerts you, right? Also what do you think about Blink's capabilities compared to other Firewalls? I know you mentioned it has better MD5 control than Comodo does. I just wish there were some tests done on it like AV-Comparatives did on Ch, and others. Take care and thanks again.
     
    Last edited: Feb 21, 2007
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Duke,

    You can set the Blink rules to block and allow, so it does more than warning. IT-jargon is so confusing. In the corporate world they call network protection (where Blink comes from) "endpoint IDS solutions". HIPS or IPS is just a marketing term, because it sounds safer than IDS.

    Use Cyberhawk for (behavioral) protection of your processes and Blink for (behavioral) protection on network level. In the OSI-model the process level is on top of the network level. As a general rule, the earlier the protection the better. So use Blink to skip out some malware (at the network level) before it reaches the process level and let CyberHawk deal with the leftovers.

    Regards
     
  7. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks Kees1958, I think I understand. But would a good Third party Firewall do some of what Blink does? I like the program, but it just seems to be slightly heavier running on my 512MB PC compared to when I had stand alone programs running. So I guess what I'm asking is: would a separate FW and HIPS pretty much do the same thing for protection, or is Blink that good? I liked the combination of Zone Alarm free 4.5.594, Spyware Terminator, and Cyberhawk. But I must say that Blink NW is growing on me.
     
    Last edited: Feb 22, 2007
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Personal firewalls with IDS modules aren't lightweight.
    More information on IDS:
    Whitepapers
    Snort
     
  9. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    Blink Neighborhood Watch is a free firewall, and it seems to be very promising.
    As I wrote in a previous thread (https://www.wilderssecurity.com/showthread.php?t=165878), the GUI is comfortable, the logs (one of the most important points in a FW - my point of view) are good, there is an option to log just in one click all the denied traffic.
    Blink is working at TDI and NDIS layer.
    It is working as a service. All the processes are consuming about 50 MB ! Not a very light soft.

    There are some swf (video) available at
    http://www.eeye.com/html/resources/tours/blink/index.html
    to have an idea of the features and the GUI.

    Right now, I haven't found my personal firewall. Comodo should be great, but without the possibility to log permit traffic on application rules, it doesn't fit my needs.

    This one could be the one for me.

    I will investigate a bit further on that piece of soft.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I see they have changed some stuff, the last time I checked there was no Blink Neighborhood Watch (just Personal and Pro), I still have an old version with the Retina Local Vulnerability scanner.

    But anyway, I assume it has gotten better and I would sure like to see some of the stuff that it offers in other firewalls/HIPS. But the problem with this tool is that it's a bit of a resource hog and I don't think it will play nicely together with other HIPS. Also, when it comes to certain stuff it's not as advanced as SSM Pro for example.
     
  11. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    When I installed .... AVG Free Edition prompted a trojan
    Trojan horse Generic3.FBN

    C:\Prorgam Files\ Coomon Files eEye Digital Security\application Bus\eeyeevny.exe
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Is a false positive
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The term "HIPS" is taking on a life of its own here.

    Blink has an IPS, but it is primarily a network IPS. Since it's on the host, it's still a HIPS. Network IPS (host or network based) were actually the first to really use the term, such as BlackICE. Blink does have "Application Protection", but is highly limited, only blocking 3 APIs (SetWindowsHookEx, TerminateProcess, and WriteProcessMemory), 3 registry keys (CLSIDs of components that may be exploited), and child process control (which they say will have default rules added later - I believe it can prevent execution of an arbitrary file, but they stated that controlling child processes is the intended function for that feature).

    Blink Neighborhood Watch is primarily a firewall, with the other features primarily geared towards preventing malicious actions that would subvert the firewall. It's the same way that nobody considers anti-spyware apps as behavior blocker HIPS, even when they have many more behavior blocking "Shields" than programs like Blink. While one of the features is an IPS, and despite the fact that that's pretty much all I personally use it for, I wouldn't really call Blink NHW a "HIPS", except in the strictest sense of the word, which includes any security software that you install on your desktop or laptop computer (which is still a valid technical use of the term, so long as it's understood that it does include AV, AS, FW, and other security software).

    An IDS would be like Snort, Nuzzler, or several others. The difference between an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System) is that an IDS only detects potential intrusion, and does nothing to stop them. As soon as you set it to start blocking detected actions, it becomes an IPS because it helps to prevent intrusion. You can set Blink to only inform you of detected network anomalies, but it's not set that way by default.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Notok,

    Are those 3 API calls sufficient to control all global windows hooks, dll injection and data injection (via process memory to prevent any change in execution of the process) and process termination within Windows XP?

    How did you get this info on Blink?

    Thx K
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Just those 3 particular functions - hook, writing to another process's memory, and terminate process. Other methods of doing the same or similar would use different APIs or use different resources. There are always ways around things like that, even with "full featured" behavior blockers. To cover each and every possibility would take a whole lot, and probably make the program very aggravating to use.

    Beta testing. If you want/need to exclude the application control for a particular process you (still) have to edit an .ini file, which is where I copy and pasted those three words from. These are listed in C:\Program Files\eEye Digital Security\Blink\Config\apiex.ini. What's covered in the registry protection can be seen by just clicking "View all rules", and the child process control is something that I asked them about.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So an IDS only detects potential intrusion, no prevention/intervention at all?
    Is it absolutely true?
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, but "pure" IDS don't exist anymore. Almost all of them are NIPS (Network-based Intrusion Prevention System).
     
  18. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Correct, it only informs you that whatever it monitors has occurred. That's what differentiates IDS from IPS.

    There are plenty of IDSs out there, it's just that almost none of them are host based (which is not really any different than before). Snort is still an IDS, until you configure it to run "inline" and set the rules to actually block. It's an immensely bad idea to set Snort to block everything when you first install it. You want to run it as an IDS for a while so that you don't block most of your traffic. Most NIPS run as IDS until you configure them otherwise, which is why you will often see the feature listed as "IDS/IPS". For compatibility and performance a lot of companies prefer to run IDSs.
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, most companies deploy IDS/IPS as checkpoints/forensic tools in their network infrastructure.
    My point was that "pure IDS" (i.e. prevention isn't available as an option) are almost extinct.
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I would agree to the degree that most other security technologies are also being consolidated and/or sold as packages/suites. That's not really surprising considering they are inherently supplemental technology, if you think about it. Plus making the signature/anomaly based NIDS block the things that it detects seems a logical evolution of the technology. I guess my main point is that I wouldn't want people to think that IDSs are either rare or obsolete technology, as they are still widely used, even if sold as a part of an IPS or a firewall (or just with functionality to block).

    I was wrong about Snort, though; Snort_Inline seems to be a specifically modified version. There are at least a few standalone NIDSs out there, as well as a number of integrity checkers and a couple that notify you of certain auditing events (which are both billed as IDSs).
     
    Last edited: Mar 15, 2007
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Looks a good offer. I know eEye from the Iris network traffic analyser and vulnerability assessments and solutions. They have a team that finds new (and looks at existing) security vulnerabilities, and make sure we and MS know about it and help in patching - I would have thought Blink would have already been patched/protects against the latest vulnerability fixed in the out of cycle Microsoft update and more vulnerabilities not yet patched.
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I tested Blink and found it rather heavy on resources and it did not pass any Anti-Keylogger tests. After using Tiny Personal Firewall, I just cannot see myself being happy with Blink.

    The vulnerability scan was interesting, but had a few errors in wording and detecting things that were already patched. The scans didn't have any percent bars which I found somewhat annoying when testing, although I could see them as less of a problem when running scheduled scans.

    Looks like Blink could have a nicer future, but I'm waiting to see what Comodo comes out with in the meantime.
     
  23. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Blink Personal Edition just caught a Trojan named Malwre. UXK, first in Local Settings/Application Data/Mozilla/ Firefox, and then in Documents and Settings/Desktop/cyberhawk exe part. How? I was on a website reading something about Cyberhawk, then clicked on something that took me to the Novatix/PC Tools Site and on a whim decided to download the free version of Cyberhawk. That's when Bam! a pop up from Blink PE told me a Trojan was found. It also told me again later that there was a Trojan in the Recycler because I had deleted the cyberhawk exe. to the Recycle Bin and then opened it up to delete it from there. I'm not sure if I am allowed to mention the website, but McAfee SiteAdvisor did have a warning about it. I was just thinking about using Cyberhawk with Blink PE for added protection, (if possible since Cyberhawk is a behavioral blocker and Blink PE isn't) but now I'm not so sure I need any. I'm liking this program more and more as it was the only one that found a HotBar toolbar in my registry under HKEY_CURRENT_USER during just a quick scan. I had done scans previously with a-squared, Prevx2 and Avira PP not long before this one. Maybe I just got it and that's why, but I don't know how I would have since I hadn't downloaded anything since those scans and the one by Blink PE.
     
    Last edited: Jun 6, 2007
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Does it prevent EXECUTION of malware ?
     
  25. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    All I can say is it caught what I posted about and Quarantined it, but after I saw this I didn't try to open the Cyberhawk exe. I think this may still qualify as a yes though. Maybe one of the more experienced members that have posted in this thread before will weigh in. I saw that one of those experienced users and they know who they are, (Kees1958, LOL) already told Chuck57 that it's ok to use Blink PE with Cyberhawk as they complement each other, so I may try it after all. Take care ErikAlbert.
     