Is answering prompts in HIPS really that obvious?

Discussion in 'other anti-malware software' started by LUSHER, Jan 17, 2008.

Thread Status:
Not open for further replies.
  1. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    People always say it is obvious how to respond to HIPS prompts...

    The one example always mentioned is the one involving driver installation. The stereotypical comment would be "if my notepad-like app tries to install drivers I will stop it"...

    This example always comes up when someone doubts the viability of users (even users as exalted as the likes of people who read this place religiously) answering the prompts correctly...

    But I have never ever seen anyone give other rules of thumb... I wonder if this is because the driver rule is the only fairly clear one... (and even that rule doesn't help if you are trying to install, say, an anti-rootkit)

    Basically I'm looking for something like this...

    Prompts about X should be blocked unless <insert condition 1>
    Prompts about Y should be blocked unless <insert condition 2>

    Alternatively you could phrase it as "should be allowed unless" for perhaps the less dangerous actions...

    Of course you can say condition 1 = if you feel it is safe, but that is kind of pointless....

    Once you write down your "decision ruleset" on how you decide how to respond, one can then see how well it works on a range of software (both safe and unsafe). What is the "FP rate"?

    It's kind of interesting that when you do this, you are manually going through what stuff like TF tries to do, but with different information (you probably know stuff TF doesn't and vice versa).

    Another interesting experiment I can think of is for someone to arrange a test with, say, 50 apps of different types (security tools, word processors, messengers), among which a number (unknown, maybe even zero) are or have malware... How well would you fare in such a test?

    The aim here of course is to have as much functionality as possible without getting nailed.

    Of course some fans will say anti-exe functions are all that is needed and if they are unsure they won't even let it start, and if it does start and it is malware, it's game over already...


    But if such people are also big fans of HIPS like SSM, surely they must think the other HIPS functions are in principle usable, and these functions are usable only if users can react correctly...
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I consider myself an average but unstable ;) user. I really can't tell if the prompts are good or bad. I mean one comes up and says serv.exe is trying to connect, I have no idea what it is, but do have a 50/50 chance of getting it right.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Let's put it this way. If you don't know how to answer prompts, what're you doing with a HIPS anyway?

    It's like going to buy a bicycle because everyone keeps talking about how it's faster and easier than walking... except that you don't know how to ride one.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    There are degrees in this. A lot of users might know not to let a program run. But how many average users would understand the SSM pop-up that a piece of malware gave when it tried to change a registry key disabling all registry modifying?

    When I did that evaluation in the Erik Albert thread, I had OA and SSM turned on, but I allowed everything and then looked at what protected the user.

    Then there is the second problem. How does the user know something bad actually happened?
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I am not arguing your point solcroft, you are right. But that is why it is important for anyone to take all of this into consideration when choosing. Hell, you can end up worse than you were if you choose wrong.

    And I can ride a bike, it's called a Fat Bob.:cool:
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Once upon a time a missionary went to a tribal native village and decided he ought to teach the villagers about birth control. Summoning all the men in the village, the missionary handed out condoms, and demonstrated to the men how to use it, by putting it onto a straightened index finger. The village men nodded in understanding, and went home to their wives.

    However, the number of pregnancies in the village failed to decrease at all. Thoroughly baffled, the missionary cornered one of the villagers, and asked if he'd been using the condoms, only to receive an affirmative answer. Even more puzzled than ever, the missionary asked the man if he'd followed the usage instructions - whereby the villager said that he'd faithfully put a condom on his index finger each time.

    Can anyone tell me what the moral of this story is?
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    "That his finger will never catch an infectious disease."o_O
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ROFL. Yes, you have to understand the "attack" vector
     
  9. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    ok, let's take Prevx 2.0 as an example

    ------------------------
    windows vista updates
    ------------------------

    not sure, BLOCK IT!

    [screenshot: 1.jpg]

    the description makes it pretty simple to understand what it is, right?

    [screenshot: 2.jpg]

    you can always check or allow it later on :)

    however, if in ABC default mode... it will automatically allow all activity determined to be good, and stop all the nasties, but my preference is to query all, as I like to know what it is doing.
     
  10. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    D+ seems reasonable too. It will give you the option to check out the properties of the executable, tell you what is happening, e.g. "is trying to access the keyboard directly", and give you an explanation of why programs may do this, "keyloggers often use this technique", etc. (I'm just going off memory so don't quote me).

    Classical behavior blocker makers are trying to make things easier. But I do think the issue is that to most users, it will be hard to make a decision.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't like security software with multiple-choice questions, like Yes or No, Allow or Block. That's not security, that is gambling, and I have a 50% chance of answering correctly or I'm infected.
    Security software is supposed to know this, that's why it is called security software. If a security software can't answer that question, they'd better not create it.
    A less-knowledgeable user will always say "Yes" or always "No", because he doesn't know what he is doing, including me.

    I use whitelists all the way, they don't have these annoying questions and no false positives either.
     
    Last edited: Jan 17, 2008
  12. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    prevx on default settings will make the choice for you, it's only my preference to know what it's doing, and to put me in control a little bit :)
     
  13. pojispear

    pojispear Registered Member

    Joined:
    Jan 12, 2006
    Posts:
    90
    I've started using Prevx 2.0 and like it. I have the floating window on too that appears each time an application opens or closes.
     
  14. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Pop-ups drive me nutz so I just let the software do what I paid for it to do and leave me alone. There are times when I have been known to surf while in a slightly inebriated state and am pretty sure if something pops up wanting to know if I want to let something run or not I am not going to know what the heck it's talking about anyways.
     
  15. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    That's funny, I learned how to ride a bike by using the bike itself. I also didn't start with a 10-speed either. In other words, while I would like to try SSM, I started with WinPatrol and now OnlineArmor. But I'm still using "training wheels" such as an anti-virus and Sandboxie.

    My system is fairly static with many things disabled and I do everything manually. If I get a pop-up from my HIPS, it is unusual and my first instinct is to deny the action or allow once. I don't know exactly what's going on and can only assume from what info is given. I really hope to learn something from this thread and hopefully it will be worth bookmarking.
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    That's good.

    I was referring to the people who rushed to buy the bike just because it was the latest rave in town, and then start badmouthing it when they discover they can't stay on it for more than five seconds without falling down.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    A good way of using a classical HIPS for beginners whose system is static (doesn't change often) is to install it on a clean system, make rules by allowing everything they face (or by using learning mode) and then put the HIPS in locked mode (silent Deny All mode).

    Really, only if you use a HIPS for a period of time and also play with malware off and on can you know somewhat how to answer the pop-ups. You can always Deny if in doubt.

    Some things are obvious: if you are not installing or updating anything and some .tmp exe tries to execute, or something tries to execute from a temp folder, or from the browser's cache folder, I will always Deny it unless I am sure about it. A HIPS with file protection will prompt you even earlier with a pop-up about the creation of an executable in these folders, which must be denied. Also, in the above scenario (no ongoing install, update etc.), if I get a prompt about an executable being created in Startup, the Windows directory or especially the System32 folder, I will deny it.

    Many HIPS have nice features like giving you details about the properties of the executable and some even give you the option to locate/explore to the executable via the pop-up menu.

    In all fairness, answering HIPS pop-ups is not a straightforward issue at all! I am sure if we got a malware attack each and every day, many would answer wrong. The fact is that I almost never get malware on my system in daily life, so in fact I don't know how well I would prove myself if I got real malware. Playing with malware is something else, as I already know what I am doing at that time.

    It's a good idea to supplement a classical HIPS with a sandbox and a behaviour blocker!
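    The "decision ruleset" LUSHER asks for in the opening post, filled in with the rules of thumb aigle gives in the post above (deny execution from temp/cache folders and executable creation in Startup, Windows or System32 when no install is in progress), the OP's driver rule, and the registry lockout Peter2150 mentions, then scored the way the OP suggests: run it over a labelled set of prompts and read off the FP rate. This is an added example in Python, not code from the thread or from any HIPS product. The Prompt and Context shapes, the folder lists, the "trusted installer" notion and every sample prompt are constructed for illustration.

```python
"""Toy HIPS decision ruleset: encode the thread's rules of thumb, then measure them.

Added example, not code from the thread or from any HIPS product.
Prompt/Context shapes, folder lists and all sample prompts are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, Optional


@dataclass(frozen=True)
class Prompt:
    """One HIPS prompt: which process is doing what to which object."""
    process: str   # full path of the acting process
    action: str    # "execute" | "create_exe" | "load_driver" | "reg_write" | "connect"
    target: str    # file path, registry value or remote address


@dataclass(frozen=True)
class Context:
    """What the user knows and the HIPS cannot: is an install/update in progress,
    and which installers did the user start on purpose (constructed notion)."""
    installing: bool = False
    trusted_installers: frozenset = frozenset()


SCRATCH_DIRS = {"temp", "tmp", "temporary internet files", "cache"}
SYSTEM_ROOTS = (r"C:\Windows",)   # also covers System32 and System32\drivers
STARTUP_SEGMENT = "startup"
ADMIN_TOOL_LOCKS = {"disableregistrytools", "disabletaskmgr"}


def _segments(path: str) -> set[str]:
    return {part.lower() for part in PureWindowsPath(path).parts}


def _under(path: str, roots: tuple[str, ...]) -> bool:
    parents = PureWindowsPath(path.lower()).parents
    return any(PureWindowsPath(root.lower()) in parents for root in roots)


def exec_from_scratch(p: Prompt, ctx: Context) -> Optional[str]:
    # aigle: something executing from a temp or browser-cache folder while nothing is being installed
    if p.action == "execute" and not ctx.installing and SCRATCH_DIRS & _segments(p.target):
        return "execution from a temp/cache folder with no install in progress"
    return None


def drop_into_system(p: Prompt, ctx: Context) -> Optional[str]:
    # aigle: an executable created in Startup, the Windows directory or System32 outside an install
    if p.action == "create_exe" and not ctx.installing and (
        _under(p.target, SYSTEM_ROOTS) or STARTUP_SEGMENT in _segments(p.target)
    ):
        return "executable created in Startup/Windows/System32 with no install in progress"
    return None


def driver_from_stranger(p: Prompt, ctx: Context) -> Optional[str]:
    # the OP's classic: a notepad-like app loading a driver; only installers the user launched get a pass
    trusted = {t.lower() for t in ctx.trusted_installers}
    if p.action == "load_driver" and p.process.lower() not in trusted:
        return "driver load by a process the user did not start as an installer"
    return None


def lock_out_admin_tools(p: Prompt, ctx: Context) -> Optional[str]:
    # Peter2150's case: a registry write that disables Registry Editor (or Task Manager)
    value_name = p.target.lower().rsplit("\\", 1)[-1]
    if p.action == "reg_write" and value_name in ADMIN_TOOL_LOCKS:
        return "attempt to disable Registry Editor / Task Manager"
    return None


RULES: list[Callable[[Prompt, Context], Optional[str]]] = [
    exec_from_scratch, drop_into_system, driver_from_stranger, lock_out_admin_tools,
]


def decide(p: Prompt, ctx: Context) -> tuple[str, str]:
    """('deny', reason) if any rule fires; otherwise ('ask', ''): the prompt is left to the user."""
    for rule in RULES:
        reason = rule(p, ctx)
        if reason:
            return "deny", reason
    return "ask", ""


def evaluate(samples) -> dict:
    """Score the ruleset on (prompt, context, is_malicious) triples.
    FP rate = share of benign prompts denied; FN rate = share of malicious prompts not denied."""
    benign = malicious = fp = fn = asked = 0
    for p, ctx, is_malicious in samples:
        verdict, _ = decide(p, ctx)
        if is_malicious:
            malicious += 1
            fn += verdict != "deny"
        else:
            benign += 1
            fp += verdict == "deny"
        asked += verdict == "ask"
    return {"fp_rate": fp / benign if benign else 0.0,
            "fn_rate": fn / malicious if malicious else 0.0,
            "left_to_user": asked}


# Constructed, labelled prompts (True = malicious). Paths are illustrative only.
TMP = r"C:\Users\me\AppData\Local\Temp"
ARK = r"C:\Users\me\Downloads\antirootkit-setup.exe"    # driver-installing tool the user chose to install
CODEC = r"C:\Users\me\Downloads\codec-pack-setup.exe"   # trojaned installer the user also chose to install
IDLE = Context()
ARK_SETUP = Context(installing=True, trusted_installers=frozenset({ARK}))
CODEC_SETUP = Context(installing=True, trusted_installers=frozenset({CODEC}))
SAMPLES = [
    (Prompt(r"C:\Program Files\Browser\browser.exe", "execute", TMP + r"\svchost.exe"), IDLE, True),
    (Prompt(TMP + r"\svchost.exe", "create_exe", r"C:\Windows\System32\serv.exe"), IDLE, True),
    (Prompt(TMP + r"\svchost.exe", "create_exe", r"C:\Users\me\Start Menu\Programs\Startup\serv.exe"), IDLE, True),
    (Prompt(r"C:\Tools\notes.exe", "load_driver", r"C:\Windows\System32\drivers\hide.sys"), IDLE, True),
    (Prompt(TMP + r"\svchost.exe", "reg_write",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"), IDLE, True),
    (Prompt(CODEC, "load_driver", r"C:\Windows\System32\drivers\codec.sys"), CODEC_SETUP, True),   # slips through
    (Prompt(ARK, "load_driver", r"C:\Windows\System32\drivers\ark.sys"), ARK_SETUP, False),
    (Prompt(ARK, "execute", TMP + r"\is-1A2B\setup.tmp"), ARK_SETUP, False),
    (Prompt(r"C:\Windows\System32\svchost.exe", "create_exe", r"C:\Windows\System32\newtool.exe"), IDLE, False),  # update: FP
    (Prompt(r"C:\Windows\System32\serv.exe", "connect", "203.0.113.7:80"), IDLE, False),   # trjam's 50/50: left to the user
]

if __name__ == "__main__":
    for p, ctx, bad in SAMPLES:
        print(decide(p, ctx), "malicious" if bad else "benign", p.action, p.target)
    print(evaluate(SAMPLES))
```

    On the constructed set the rules deny five of six malicious prompts and one of four benign ones (FP rate 0.25), and hand four prompts back as "ask". The two misses are exactly the cases the thread raises: the driver loaded by an installer the user chose to trust gets through (LUSHER's anti-rootkit caveat, seen from the attacker's side), and a system update writing into System32 on an idle machine is denied. The "ask" residue, including the serv.exe connection, is what the user still has to judge by hand; no rule on this page covers it.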
     
  18. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Ok, I understand. That happens with all security software, but it is a good point. It's hard not to catch the HIPS fever with all the talk lately about not running AVs and all. Especially when those comments are being said to obvious newbies (which I'm only one step above myself). I'm not referring to you by the way.

    Cheers
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, but you probably have square tyres and sunglasses and a big smile.
     
  20. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Your answer is precisely why it puzzles me when certain people object to running a pure behavior blocker alongside a 'dumb' HIPS program. It is a very small percentage of PC users that can consistently, with a high degree of certainty of being correct, answer HIPS pop-ups.


    Mike
     
  21. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    i disagree,

    a n00b can operate a HIPS.

    deny ALL.

    if you find a program you want is not working, allow it.

    if you have no problems on deny ALL, then all is well.

    the option is always there to change your mind, but first things first... if unsure, DENY/BLOCK.
     
  22. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I think there is no specific right answer to this rather complex question, as too many variables are at work during such a dynamic process as what takes place within a system as Windows and applications operate within it.

    The only viable option, or perhaps the lesser evil, is in building the HIPS with a comprehensive database of behavior characteristics accessible within each prompt. The more detail available with appropriate user guidance, the better the user will be equipped to make an appropriate choice when confronted with a troublesome prompt.

    I think most HIPS are trying hard to implement this simple but obviously necessary component within the system with varying degrees of success. Either way it will always boil down to the user's mindful interaction with the utility.
     
  23. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Comodo TC (ThreatCast) is supposed to help a bit.

    Sounds similar to Prevx...community assistance type alerts.

     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That approach isn't without issues either. Used to annoy the heck out of me when Prevx jailed an app I knew was good, but it didn't.

    The only foolproof way to foolproof a computer from a fool is the on/off switch.
     
  25. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    prevx - right click program in jail, click Probation, this will allow the program.

    double click the program, and disagree with their determination, they will check the file and get back to you within 24 hours with a fix.
     