Best HIPs for termination protection??

Discussion in 'other anti-malware software' started by SamSpade, Oct 17, 2007.

Thread Status:
Not open for further replies.
  1. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    I am now considering ProSecurity and Online Armor, as well as SSM and EQSecure. All in their "free" iterations. (I know EQS is always free.)

    Which of these has the best record for preventing involuntary terminations of processes, particularly the termination of AV and/or Firewall??

    I saw the report at: http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

    ... but am wondering what other data there is on the subject, so I may compare the various apps.

    Sam


  2. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    OK, let me put it this way: the report I cited,

    http://membres.lycos.fr/nicmtests/Un...king_tests.htm

    compares several well-known HIPs apps, with especial regard to *termination protection*, as in protecting one's computer from malware which first attacks antivirus and firewall programs. Once these nasties shut down the av & fw defenses, they can rule the roost, do what they want inside one's computer -- UNLESS a good HIPs catches them, either in the act or, better yet, even before they get in and are dropped.

    We've just seen things on the eset NOD32 list about a new polymorphic which is *extremely* good at hiding itself, getting into some (presumably legitimate) progs/apps that normally work for one instead of against.

    What I am looking for is the best HIPs for preventing such a nasty from terminating my av and firewall. Unless nod32 and Jetico1 are totally bullet-proof -- and from what I'm reading here, they are *not* -- I need the best HIPs there is to prevent termination of my av and fw.

    The above comparo doesn't say when it was done, and it does not include all HIPs. Can anyone tell me if there are some HIPs that I should consider above and beyond what that comparo cites, and/or if there are any other most recent comparisons that check into this issue ??

    Thanks all !!



  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    While I don't have time right now for any particularly insightful comments, I do suggest you take some time to learn more about HIPS and what they do, instead of focusing solely on a single aspect.

    A HIPS program defends you in many ways, not only against kernel unhooking and process termination, so even if a particular brand of HIPS happens to be weaker in this area, it doesn't mean they're helpless against any malware that uses these types of attacks. To be more specific, the greatest strength of a HIPS program is to completely block and prevent such suspicious programs from executing themselves and, in some cases, even managing to get a foothold on your hard drive in the first place - IF you know how to use them and what you're doing.

    Besides, terminating security applications isn't always done on the application level. Malware can, for instance, delete, modify or even create specific files and registry entries to disable your security software instead. In that case, even if a HIPS has the strongest process termination defense possible at the application level, it still needs to be able to monitor activity at the file and registry level, AND the user needs to be thoroughly familiar with the ins and outs of their security software so as to be able to configure the HIPS to monitor the correct files and registry entries.

    Lastly, there is no process that cannot be terminated if you are running with admin rights, so focusing on process termination isn't always necessarily the best path to take. Imagine if it were possible to create an unterminatable process - it would mean that it's also possible to create a malware that cannot be terminated. Think about it.

    In conclusion, your concerns, though valid for a newcomer to HIPS, are in truth largely irrelevant when trying to decide which HIPS you should use. Of the options you listed, either one will provide an excellent complement to your setup.
     
  4. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
  5. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    Good pointers all, solcroft. Thanks for chiming in. I will need to research more about what exactly I want my HIPs to do, and how to integrate it with my AV and FW. Btw, I'm now using BOClean, as it seems to have a lot of upsides and few, if any, downsides. Runs pretty light on my system, with no conflicts. (Ed. Note: I did have some BSODs last week when I was on the road and using a wireless LAN, but that turned out to be *not* caused by BOClean, but rather some conflict within my system. I think I may have disabled some key component of my wireless system, perhaps a service; I'm still checking on it.)
     
  6. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    Thanks, AJohn, for the tip. I have seen this study before, not long ago, and it makes me want to try out the latest version of Comodo FW once again. I tried Comodo last year but it was running slow and heavy on my system. The latest version is running on my son's computer with no apparent problem, save for a lot of pop-ups. Seems like Comodo FW 2.4xxx doesn't have a very good memory. (??) Do you know if the latest Beta of CPF is ironed out enough for prime time, or should I stick with the latest 2.4xxx??



  7. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Wait for the next beta, which should be out next week, and watch users' posts in the beta forum to see how well it works. If you are on a production system I recommend you wait a month or two for the final or at least the Release Candidate :D
     
  8. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    Good suggestions. Thanks!!



  9. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Any other opinions based on personal experience of HIPs that succeed in stopping termination of vital defenses (anti-viruses, firewalls, or other) would be deeply appreciated.

    Come on, chime in!!


  10. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi Sam,

    First, I advise you to open a new thread for your question.
    Second, this time I'm not wrong if I say that Online Armor, both free and paid, protects effectively against process tampering with its Program Guard.
    You can find this protection in the advanced options for each program listed.

    (attachment: OA protection.JPG)

    MaB
     
  11. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415


    Very impressive! I'll keep that in mind. I'm trialing ProSecurity at the moment. If it gets too cranky I'll give OA another shot. (I tried it about two months ago, but it seemed to run heavy and sluggish; maybe I didn't give it enough time.)


    SamSpade

