Best HIPS For Windows Startup Protection?

Discussion in 'other anti-malware software' started by arran, Feb 16, 2009.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    What are the HIPS programs which load first on reboots?

    I notice that Online Armor starts early and EQSecure starts very early during bootup.

    Because you can have malware which can run on startup before your HIPS program starts.

    I once had EQSecure and System Safety Monitor installed. I set them both to deny each other to run. I then rebooted, and because EQSecure starts very early during bootup, SSM didn't stand a chance.

    So other than EQSecure, what other HIPS starts early during bootup?
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re: Best HIPS For Windows Startup Protection?

    Rising's HIPS is an early bird
     
  3. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  4. progress

    progress Guest

    Re: Best HIPS For Windows Startup Protection?

    "Detects changes afterward: It will not prevent your system from being modified or corrupted. It will only tell you that something suspicious happened. Think of it as an early CAT scan against system tumors."

    The same goes for most other applications: WinPatrol, MJ Registry Watcher, System Protect ...

    A free "real-time" startup protection tool is Arovax Shield ;)
     
  5. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Real Time Defender (RTD)
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It is theoretically impossible to guarantee that a program can be the first to start on reboot, because everything one program does, another program can do as well. The only way to guarantee that nasties are stopped from starting on boot is to protect the autorun registry keys, which most of the HIPS do.
     
  7. 2good

    2good Guest

    You could try AnVir Task Manager; it's very good.
     
  8. wat0114

    wat0114 Guest

    I concur with alex. The malware has to have infiltrated the system in the first place before it's going to wreak havoc on bootup.
     
  9. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Well, what about explorer.exe... and write or even read permissions? Think about it ;)
     
    Last edited: Feb 17, 2009
  10. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Let us talk about it ? :)

    Introduce your scenario. I can accept that protection of the reg records ONLY is not enough, but the main idea is that the only way to prevent startup is to prevent the actions that result in something starting.
     
  11. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    By locking strategic locations (with file or application protection), following malware patterns, denying specific and obvious application operations, etc...
     
    Last edited: Feb 17, 2009
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This sounds great, sure, but I do not understand what you mean, sorry. Could you be more specific?
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    System Safety Monitor loads very early. Taken from my Win 2k unit using LoadOrder:
    Code:
    Boot	Boot Bus Extender	1	ACPI	Microsoft ACPI Driver
    Boot	Boot Bus Extender	2	PCI	PCI Bus Driver
    Boot	Boot Bus Extender	3	isapnp	PnP ISA/EISA Bus Driver
    Boot	System Bus Extender	4	IntelIde	
    Boot	System Bus Extender	8	MountMgr	
    Boot	System Bus Extender	9	Ftdisk	Volume Manager Driver
    Boot	System Bus Extender	10	Diskperf	
    Boot	System Bus Extender	12	dmload	
    Boot	System Bus Extender	13	dmio	Logical Disk Manager Driver
    Boot	System Bus Extender	5	PartMgr	
    Boot	System Bus Extender	6	safemon	System Safety Monitor 2.0 Core Engine
    Boot	SCSI miniport	25	atapi	Standard IDE/ESDI Hard Disk Controller
    Boot	SCSI Class	2	Disk	Disk Driver
    Boot	Base	1	KSecDD	
    Boot	NDIS Wrapper	n/a*	NDIS	NDIS System Driver
    Boot	PnP Filter*	3*	agp440	Intel AGP Bus Filter
    Boot	Network*	2*	Mup	Mup
    System	System Bus Extender	14	lbrtfdc	
    System	Primary disk	4	Sfloppy	
    System	SCSI CDROM Class	2	Cdrom	CD-ROM Driver
    System	Filter	5	Changer	
    System	Filter	6	Cdaudio	
    System	Boot file system	n/a*	Fs_Rec	
    System	Base	1	Null	
    System	Base	2	Beep	
    System	Keyboard Port	4	i8042prt	i8042 Keyboard and PS/2 Mouse Port Driver
    System	Pointer Class	1	Mouclass	Mouse Class Driver
    System	Keyboard Class	1	Kbdclass	Keyboard Class Driver
    System	Video	n/a*	sglfb	
    System	Video	n/a*	tga	
    System	Video Save	1	VgaSave	
    System	Video Save	n/a*	mnmdd	
    System	File system	n/a*	fwdrv	Kerio Personal Firewall Driver
    System	File system	n/a*	Msfs	
    System	File system	n/a*	Npfs	
    System	Streams Drivers	1	RasAcd	Remote Access Auto Connection Driver
    System	PNP_TDI	4	Tcpip	TCP/IP Protocol Driver
    System	NetBIOSGroup	1	NetBIOS	NetBIOS Interface
    System	Parallel arbitrator	1	Parport	Parallel port driver
    System	Extended base	1	Serial	Serial port driver
    System	PCI Configuration	1*	PCIDump	
    System	Network*	5*	MRxSmb	MRXSMB
    System	Network*	4*	Rdbss	Rdbss
    System	Pnp Filter*	2*	redbook	Digital CD Audio Playback Filter Driver
    Automatic	Base	18	ousbehci	OrangeWare USB Enhanced Host Controller Service
    Automatic	Event log	n/a*	Eventlog	Event Log
    Automatic	PNP_TDI	5	NetBT	NetBios over Tcpip
    Automatic	TDI	n/a*	AFD	AFD Networking Support Environment
    Automatic	PlugPlay	n/a*	PlugPlay	Plug and Play
    Automatic	Extended base	2	ParVdm	
    Automatic	extended base	5	hidusb	Microsoft HID Class Driver
    Automatic	n/a*	n/a*	dmserver	Logical Disk Manager
    Automatic	n/a*	n/a*	Fips	Fips
    Automatic	NetworkProvider*	n/a*	lanmanworkstation	Workstation
    Automatic	n/a*	n/a*	mdmxsdk	
    Automatic	n/a*	n/a*	NtmsSvc	Removable Storage
    Automatic	n/a*	n/a*	PersFw	Kerio Personal Firewall
    Automatic	n/a*	n/a*	ProtectedStorage	Protected Storage
    Automatic	n/a*	n/a*	RpcSs	Remote Procedure Call (RPC)
    Automatic	n/a*	n/a*	SamSs	Security Accounts Manager
    Automatic	n/a*	n/a*	SchedulingAgent	
    Automatic	Network*	n/a*	SENS	System Event Notification
    
    How early a HIPS starts is not that critical. How well it's configured and what the user chooses to allow is what counts. With a decently configured HIPS on board, user error is the only likely scenario that will lead to a compromise. Malware isn't going to be in the autostart unless the user has already allowed it to run or install. If the user allowed the process or installer, they most likely allowed the autostart entries as well. The only other scenario is a horribly insecure configuration of the HIPS which also points to user error.
     
    Last edited: Feb 17, 2009
  14. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    What I mean is that relying on the registry isn't enough. There are two other important layers missing: application and file protection. They can both do a superb job as well!
     
    Last edited: Feb 18, 2009
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    I wonder if it WOULD BE SAFE to advance EQS to start up even earlier in the pecking order.

    I finally killed the mspaint AKLT keylogger #1 easily with a rule, but #2 evades like it was part of the system. I found out the API it uses (bitbit, or something on that order) would have to be hard coded in EQS to knock it off. NO real biggie, it just bugs me, because EQS BLASTS! BLOCKS! and otherwise SEALS! off a ton of entry points with either alerts or outright blinds them in the same manner as their own stealth. :thumb:

    EASTER
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    An easy solution would be to lock down the autostart directories and reg keys, and then run as a User. This way only admin can create any autostart features. Of course, you still need to trust what admin is doing. I like apps like StartupMonitor or Arovax because they are small and really only do one thing. But for advanced users this can be enough.

    Sul.
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Agree :)

    I mentioned reg protection as an alternative to trying to boot "first of all". I didn't mean reg protection is enough; I meant that you should not rely on a boot order which cannot be guaranteed.

    Just imagine two programs fighting to be the first to boot. The moment one program makes itself the first, the second jumps up and reconfigures the boot order. But the moment it has reconfigured the boot order, the first program jumps up and does the same. What we have in this situation is a permanent fight :)
     
  18. wat0114

    wat0114 Guest

    Absolutely, it's a given that registry protection is only part of the solution. Malware Defender, for one, will protect against file writing to any directory, all file types if desired, though this latter option will produce a very "chatty" HIPS. I'm building up my global rule to alert on common high risk executables attempting to write to critical directories such as root and \Windows\*.
     
  19. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Memory use of my software from post #3 is only: 1924 Kb + 456 Kb + 228 Kb = 2608 Kb.

    They are sufficient for me.

    PROROOTECT
     
  20. demonon

    demonon Guest

    Just for reference:
    LoadOrder from the Sysinternals suite can determine the load order of all your programs and even all your hardware. Give it a go if you want to determine precisely when the HIPS loads.
     
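    As an added, defender-side check (not code from the thread, from Sysinternals' LoadOrder, or from any HIPS vendor), the PowerShell below approximates LoadOrder's view from the registry: services and drivers sorted by Start type, then by the group order in ServiceGroupOrder, then by Tag, so you can count how many entries load ahead of a HIPS driver. It ignores GroupOrderList, so ordering within a group is an approximation, and the driver name `safemon` is taken from the SSM dump in post 13.

```powershell
# Added example: approximate Sysinternals LoadOrder from the registry.
# Not code from the thread or from any HIPS vendor.
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder'

# Group load order: position in the ServiceGroupOrder\List multi-string.
$groupList = @((Get-ItemProperty $orderKey).List)
$groupRank = @{}
for ($i = 0; $i -lt $groupList.Count; $i++) { $groupRank[$groupList[$i]] = $i }

$startName = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic' }

$entries = foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    # Only Boot (0), System (1) and Automatic (2) starts matter for boot order.
    if ($null -eq $p -or $null -eq $p.Start -or [int]$p.Start -gt 2) { continue }
    $grp  = [string]$p.Group
    $rank = if ($groupRank.ContainsKey($grp)) { $groupRank[$grp] } else { 9999 }
    $tag  = if ($null -ne $p.Tag) { [int]$p.Tag } else { 9999 }   # untagged load last
    [pscustomobject]@{
        StartCode = [int]$p.Start
        Start     = $startName[[int]$p.Start]
        Group     = $grp
        GroupRank = $rank
        Tag       = $tag
        Name      = $svc.PSChildName
        Display   = [string]$p.DisplayName
    }
}

# Same columns as the LoadOrder dump: start type, group, tag, name, description.
$ordered = $entries | Sort-Object StartCode, GroupRank, Tag, Name
$ordered | Format-Table Start, Group, Tag, Name, Display -AutoSize

# How many entries load ahead of a given driver? 'safemon' is the SSM core
# engine named in post 13; substitute your own HIPS driver's service name.
$target = 'safemon'
$ahead = 0
foreach ($e in $ordered) { if ($e.Name -ieq $target) { break }; $ahead++ }
if ($ahead -lt @($ordered).Count) { "$ahead services/drivers load ahead of $target" }
else { "$target is not installed or not set to Boot/System/Automatic start" }
```

    Run it from an elevated prompt; a driver that shows up with Start = Boot and a low group rank is the one that, as alex_s notes, can still be overtaken by anything else that rewrites these same keys.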
  21. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    Re: Best HIPS For Windows Startup Protection?

    Sorry, but that's just not true. MJ Registry Watcher not only hooks registry changes but also files and directories. As soon as an unexpected change occurs to system registry settings, it will undo the change and pop up an alert offering to reject or accept the change. If you accept the change, it then redoes the undone change for you. If files are unexpectedly deposited in windows\system32, MJRW will pop up with an offer to quarantine them, and if it can't move them immediately, move them at next reboot. MJRW has evolved way past a simple registry poller. It's free and available from http://www.jacobsm.com/mjsoft.htm#rgwtchr ! ;) :D
     
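    The "detect changes afterward" approach that progress and Graphic Equaliser are debating, as an added example written for this thread (not MJRW's, WinPatrol's or any other tool's code): snapshot the Run/RunOnce keys and both Startup folders, save a baseline, and on later runs report what was added, removed or changed. The baseline file path is an assumption.

```powershell
# Added example: baseline-and-diff of the common autorun locations.
# Not code from MJRW, WinPatrol or the thread. Baseline path is assumed.
$baselinePath = "$env:ProgramData\autorun-baseline.json"
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-AutorunSnapshot {
    # Map "location\entry" -> command line (registry) or SHA-256 (startup files).
    $snap = @{}
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            $snap["$k\$($prop.Name)"] = [string]$prop.Value
        }
    }
    foreach ($d in $startupDirs) {
        if (-not (Test-Path $d)) { continue }
        foreach ($f in Get-ChildItem $d -File) {
            $snap[$f.FullName] = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
        }
    }
    return $snap
}

$current = Get-AutorunSnapshot
if (-not (Test-Path $baselinePath)) {
    $current | ConvertTo-Json | Set-Content $baselinePath
    "Baseline written to $baselinePath"
    return
}
$baseline = @{}
(Get-Content $baselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = [string]$_.Value }

# Report every difference; an unexpected ADDED line is the case the thread cares about.
foreach ($key in (@($current.Keys) + @($baseline.Keys) | Sort-Object -Unique)) {
    if (-not $baseline.ContainsKey($key))       { "ADDED   $key => $($current[$key])" }
    elseif (-not $current.ContainsKey($key))    { "REMOVED $key (was $($baseline[$key]))" }
    elseif ($current[$key] -ne $baseline[$key]) { "CHANGED $key => $($current[$key])" }
}
```

    This only reports after the fact, which is exactly the limitation quoted in post 4; blocking the write in the first place needs a driver-level HIPS or, as Sully suggests, ACLs on the keys and folders plus running as a limited user.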
  22. progress

    progress Guest

    Re: Best HIPS For Windows Startup Protection?

    That's what I don't like :rolleyes:
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Re: Best HIPS For Windows Startup Protection?

    Hi, nice little program :thumb: How does it compare to WinPatrol Plus? Not comparing them, but I just met with MJRW and already like the idea ;) And where can I find the MJRW quarantine? Thanks. And if I set it on highest when first installed, does it block any existing security apps? Thanks again.
    Also, if I set the protection to max and reject, then decide to auto allow, will that release the quarantined item to be allowed, or will it remember the previous action (reject)?
     
    Last edited: Mar 6, 2009
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    Please read the help file which should answer all your questions. Keys can be prefixed with an overriding action symbol. They are detailed :-

    PREFIXES

    You can prefix keys and filespecs with these mnemonics :-

    # - the line is commented out, and is not monitored.

    ! - automatically reject any changes to this key.

    = - automatically accept any changes to this key.

    $ - automatically prompt for any changes to this key.

    HTH,
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Thanks a lot
     