CFP - Poor pop-up alerts compared with other HIPS?

Discussion in 'other anti-malware software' started by aigle, Aug 18, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan

    The thread by underdog inspired me and I tested a special scenario with multiple HIPS. I wanted to see how clear, simple and user-friendly the pop-up alerts given by multiple HIPS on a driver/service install are.

    I tried three HIPS:

    - CFP
    - EQS
    - OA

    I am summarizing my findings here. I may be wrong anywhere as I am just an ordinary user with very limited knowledge.

    I installed the trial version of Virtual CD 9

    http://www.virtualcd-online.com/vcd/apps/download/vcddownload.cfm?lg=0

    and looked for the pop-up alerts generated by the HIPS on driver/service install. This software installs the following drivers/services:

    1- VDRV9000.SYS (driver)
    2- HH9Help.sys (driver)
    3- VC9SecS.exe (service)

    My observations are as follows:

    1- Out of the three HIPS I tried, IMO the best alerts are given by EQS. It clearly warned that a driver/service was being installed. Pop-ups were not few, but they were also not so numerous that one would get lost in them. Look at the pop-up alerts by EQS. Not all pop-ups are shown; I am showing the relevant alerts only.

    EQS 1.png EQS2.png
    EQS3.png
     
    Last edited: Aug 18, 2009
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    2- The worst type of alerts are given by CFP (of course in my opinion only). CFP alerts are too numerous. It never tells you directly that a service/driver is being installed. Rather, it gives alerts about registry modifications, and many users will not understand that it's in fact a driver/service install alert. Moreover, the registry modification alerts in this case are so numerous that one might just get lost in them and overlook the registry modification alerts that actually indicate that a service/driver is being installed.

    Look at the alerts by CFP. Not all alerts are shown; I am showing the relevant alerts only. CFP gave countless alerts about registry modifications.

    CFP1.png CFP2.png
    CFP3.png
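Added example (editor's illustration, not part of aigle's post and not code from CFP, EQS, OA or any other product in this thread). The registry alerts described above are all writes under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`; that key is what the Service Control Manager creates for every driver and service, and its `Type` and `ImagePath` values are enough to tell a kernel driver from a user-mode service. The script below groups a stream of HIPS-style registry-write events by service key, drops the noise (writes outside the Services tree, writes to `Parameters` and other subkeys), and collapses each install into one readable line. The event records, the process name `setup.exe` and the image paths are constructed for the example; only the three component names come from the post, and the `SERVICE_*` type constants are the documented Win32 values.

```python
import re
from dataclasses import dataclass
from typing import Any

# Win32 SCM constants for the "Type" and "Start" values of a service key
# (the values CreateService writes; names as in the Windows SDK).
SERVICE_KERNEL_DRIVER = 0x01
SERVICE_FILE_SYSTEM_DRIVER = 0x02
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
DRIVER_TYPES = {SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER}
USERMODE_TYPES = {SERVICE_WIN32_OWN_PROCESS, SERVICE_WIN32_SHARE_PROCESS}
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Per-service key: group 2 is the service name, group 3 any subkey (Parameters,
# Enum, Security) that a plain "registry modified" prompt also fires on.
SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)(?:\\(.+))?$",
    re.IGNORECASE,
)


@dataclass
class RegWrite:
    """One registry-write event as a HIPS would see it (constructed format)."""
    process: str
    key: str
    value: str
    data: Any


def group_service_writes(events):
    """Collect top-level values written under Services\\<name>, keyed by service name.

    Writes outside the Services tree and writes to subkeys such as Parameters
    are the noise the post complains about; they are dropped here.
    """
    grouped = {}
    for ev in events:
        m = SERVICES_KEY.match(ev.key)
        if m is None or m.group(3):
            continue
        entry = grouped.setdefault(m.group(2), {"process": ev.process, "values": {}})
        entry["values"][ev.value] = ev.data
    return grouped


def classify(name, entry):
    """Decide whether a Services\\<name> key describes a driver or a user-mode service."""
    values = entry["values"]
    svc_type = values.get("Type")
    image = str(values.get("ImagePath", ""))
    # A .sys ImagePath is treated as a driver even if Type has not been written yet.
    if svc_type in DRIVER_TYPES or image.lower().endswith(".sys"):
        kind = "driver"
    elif svc_type in USERMODE_TYPES:
        kind = "service"
    else:
        kind = "unknown"  # Type not (yet) written, or not a service install at all
    return {
        "name": name,
        "kind": kind,
        "start": START_NAMES.get(values.get("Start"), "unknown"),
        "image": image,
        "process": entry["process"],
    }


def summarize(events):
    """Turn a stream of registry writes into one record per driver/service installed."""
    return [classify(n, e) for n, e in group_service_writes(events).items()]


def alert_text(record):
    """The single line a user should see instead of N 'registry modified' prompts."""
    return (f"{record['process']} is installing a {record['kind']} named "
            f"{record['name']} (start: {record['start']}, image: {record['image']})")


def count_drivers(events):
    """How many .sys drivers the installer registered."""
    return sum(1 for r in summarize(events) if r["kind"] == "driver")


# Constructed sample: writes modelled on the three components named in the post,
# plus a Parameters subkey write and an HKCU write that are NOT an install.
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services"
SAMPLE_EVENTS = [
    RegWrite("setup.exe", rf"{SVC}\VDRV9000", "Type", SERVICE_KERNEL_DRIVER),
    RegWrite("setup.exe", rf"{SVC}\VDRV9000", "Start", 1),
    RegWrite("setup.exe", rf"{SVC}\VDRV9000", "ImagePath", r"system32\DRIVERS\VDRV9000.SYS"),
    RegWrite("setup.exe", rf"{SVC}\VDRV9000\Parameters", "LogLevel", 2),
    RegWrite("setup.exe", rf"{SVC}\HH9Help", "Type", SERVICE_KERNEL_DRIVER),
    RegWrite("setup.exe", rf"{SVC}\HH9Help", "Start", 3),
    RegWrite("setup.exe", rf"{SVC}\HH9Help", "ImagePath", r"system32\DRIVERS\HH9Help.sys"),
    RegWrite("setup.exe", rf"{SVC}\VC9SecS", "Type", SERVICE_WIN32_OWN_PROCESS),
    RegWrite("setup.exe", rf"{SVC}\VC9SecS", "Start", 2),
    RegWrite("setup.exe", rf"{SVC}\VC9SecS", "ImagePath", r"C:\Program Files\VCD9\VC9SecS.exe"),
    RegWrite("setup.exe", r"HKCU\Software\VCD9\Settings", "LastRun", "2009-08-18"),
]

if __name__ == "__main__":
    for rec in summarize(SAMPLE_EVENTS):
        print(alert_text(rec))
    print(f"{count_drivers(SAMPLE_EVENTS)} driver(s) registered")
```

Run stand-alone, the eleven registry writes collapse into three alerts: two drivers (one boot-chain `system` start, one `demand` start) and one `auto`-start service, which is the summary a user could actually act on. The `.sys` check on `ImagePath` matters because an installer typically writes the values one at a time, so a HIPS that decides on the first write would otherwise see only an "unknown" key.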
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    3- OA was in between (maybe on top for some). It gave very few alerts. It clearly gave red alerts on driver/service install, but IMO the alerts were not
    so clear, as they did not mention that a driver is being installed, although the alarming red colour compensated for it to some extent. OA however did not give any alert about the service install (VC9SecS).

    Look at relevent pop up alerts by OA.
     


  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I could not try MD as I have no licence for that. If anyone can try and post the relevant alerts I will be thankful.

    Conclusion: CFP needs to make their alerts clear that a service/driver is being installed, and it also needs to decrease the huge number of registry modification alerts (IMO).

    I am posting the very same thread on their forums, if they can listen. Let's hope. Let me know your opinions.
     
  5. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Any chance you'd be willing to try Outpost Firewall?
     
  6. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi aigle

    Thanks for the tests.

    When a driver is about to be installed, I think a much clearer warning should be given by all such apps, as most people wouldn't even know what it was, or what .SYS is.

    Something like:

    A potentially harmful piece of software is about to be installed. If this came from a reputable source, then it's probably OK. If in doubt, do NOT proceed; make a note of its name, and then use a search engine for more information.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I agree. OA gave red alerts at least.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Never used it, and it takes a lot of time to try and understand a new HIPS. I spent almost a day already.
     
  9. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I'm not really interested in an in-depth understanding of the HIPS. I just won't be home for 4 days and am curious what Outpost HIPS alerts look like for this situation at the default level, and if that doesn't alert, then at max (preferably the alert at max, or whatever it is between middle and max), since I'm considering installing Outpost on my main machine.
     
  10. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Aigle, don't forget about Conficker test:
    https://www.wilderssecurity.com/showpost.php?p=1444190&postcount=115

    Good job! :thumb:
     
  11. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
  12. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Were all the software run with their respective default settings?
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
  14. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Good test. Thanks.

    They all did mention services or blah.sys, which is good.

    Personally I'd only want to know how many *.sys files were being loaded, so
    more alerts than that would be a nuisance.
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I agree completely with your findings, I too saw mostly "registry modifications" in CFP alerts, which, well, to put it rather bluntly, are useless. Allow me to hop up on my soapbox again real quick, I won't be up there long: Imho, none of these apps you tested have acceptable alerts. Okay, so they say "if you trust this program", well, okay, so what IS that program? Just about every legit program I've ever run has done "suspicious" things, it's simply the way programs work. If that's the case, how in the world are the "average" among us supposed to know when to answer allow and when to answer deny?

    A lot of people here (and elsewhere too of course) are quick to praise these HIPS apps and recommend they be added whenever someone comes along and asks if their setup looks ok or they are brand new and wonder what they really need to be secure. That's fine, but right after we all suggest this stuff, how about we point them in the direction of a good "OS basics" manual, whether that be a post set up here, a website, whatever?

    If people are going to answer these prompts right and have the apps work for them and not against them, and if HIPS is ever going to be more than just a "specialty", then these people are going to need to know WHY "injections" are occurring, and WHY files and registries are being modified. We seem perfectly willing to make pages and pages of posts on the intricacies of Sandboxie, even explaining why the configurations that we post in detail are suggested. We do that for Sandboxie, SRP, firewalls, anti-virus, but no one ever bothers to explain much about HIPS (unless I'm missing posts here).

    Yet, with so little explanation, we cheerily sing HIPS praises daily, suggesting them to people that just want to make a secure environment for their small office, right down to people that admit they don't even understand the concept of things like Sandboxie...and then we want them to answer prompts about .sys files being modified and other cryptic jargon being spewed forth from these apps. *takes deep breath* All I'm saying is apply the same amount of knowledge and willingness to help towards HIPS as we do other security measures. HIPS might be the strongest security out there, but it isn't going to secure a bucket of chicken if one prompt is answered wrong.
     
    Last edited: Aug 18, 2009
  16. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Agree unfortunately. The hips component can be the strongest part of your security arsenal but it could also be the weakest.

    Ice
     
  17. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    There is simply no extra prompt for drivers/services; everything comes as an Autostart warning. This may be OK for standard mode, but in expert mode there should be accurate information.

    Some parts of Virtual CD may be excluded because of signatures or OASIS, so I think you have to disable the OA whitelist for this prompt.

    Outpost is very accurate, apart from 'driver or service'.

    op01.png op02.png
    op03.png

    It's pretty much the same with PS/RTD, but here everything is a service.

    RTDVCD.png

    Cheers
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for the nice screenshots.
     
  19. jp10558

    jp10558 Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    27
    One thing to notice for CIS is that it DID give red color alerts vs orange or yellow (see the top bar color), so this ought to be mitigation as with OA. That said, the content of these alerts were meaningless for me.

    I do think that Outpost probably has the best alerts for this, but is it the pay or the free Outpost shown?
     
  20. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    These are from Outpost Pro, but as far as I know there will be no difference with OP Free because the Host Protection is the same.

    These are the MD prompts.

    MDVirtualCD1.png
    MDVirtualCD2.png
    MDVirtualCD3.png

    IMHO also very accurate prompts with useful information.
    There are also all these prompts about the registry stuff, like with CIS.

    Cheers
     
    Last edited: Aug 18, 2009
  21. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Malware Defender & Outpost look the best to me. This was a great idea for a thread. Funny the way the different apps compare.
     
  22. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    This is an EXCELLENT post dw426! It would be great if there was some resource which could explain to newbies such as myself how to answer HIPS prompts correctly.
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hi there, SSJ. I have to say I agree with what you say also, HIPS apps ARE like an AV with an awesome detection rate and horrible FP rate. I've never heard it put that way, but I don't think it could have been defined any better :) Now, on to your example of surfing the internet and having that ".exe wants to run" prompt...you're darned right that's a HUGE red flag....unfortunately that scenario is rarely played out, it's 99% of the time a GOOD program bringing up these alerts, and lots of times when you aren't surfing but just running/installing a program.

    I wish I knew of a better way to make HIPS "smarter", and have these alerts not appear so cryptic yet still give enough information to evaluate the prompt. However, I have no such knowledge to do so. To me, HIPS products scare people more than help them. They run a simple game or something, and all of a sudden these red-bordered warnings with the words "malicious" and "execute" pop up, they're likely to freak out, even if they already scanned said game for malware/viruses beforehand (I use that example because it happened to me once before I knew a bit more about how things work).
     
  24. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I've got a kind of dumb question about Outpost. It has the Allow and Deny buttons, but then there's the OK button. What does OK do exactly if you don't pick Allow or Deny?

    And 2nd: if you just press Allow and don't use any of its drop-down options, does it just allow once or remember it?

    Thanks
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    wj32, developer of process hacker, has elaborated it very well.
    https://forums.comodo.com/empty-t44186.0.html
     