Classical HIPS and policy based HIPS discussion

In order to not flood the AppGuard thread with posts not entirely on-topic and also to keep this discussion clean of AG questions/support posts etc. I opened this thread to continue the discussion from the AG thread.

 

Good you decided to open it. I was a DW user but after migrating to win8.1 x64 no more.

 

This is from the AG thread. What part of: "AG can't alert me about suspicious behavior" don't you get? Like some other member already said, HIPS bring something else to the table.

 

Yes, but that's just a matter of preference. I don't trust any app fully, unless I have no choice. And who cares that HIPS are not popular? It's not surprising because they are geared to expert users, who know how to use them.

It's not just about stopping malware, it's also about stopping unwanted behavior. A lot of apps keep working normally even when certain stuff is blocked. And to get back to my first point, let's say you run some app and it wants to modify boot data, or wants to log keystrokes, for no good reason. Personally I would like to know what some app is up to, instead of just silently blocking it.

 

No. No expert uses a Hips Who knows how to use them doesn't need such a thing.

No again. A classical HIPS doesn't warn about dangerous or unwanted behaviour, it's not so intelligent. A HIPS alerts about actions it observes and says nothing more. It leaves the decision to the user. More intelligent BBs combine such actions and decide what can be dangerous and what not - a classical HIPS does nothing about that.

Then try other ways to observe apps: Process Monitor & test systems. HIPS solutions only inform about application behaviours they watch - and that are only a view and not all.

 

You're clearly not one of the "expert users" otherwise you wouldn't say such things. Which proves my point.

That's the thing, everyone decides for themselves what's unwanted behavior. A HIPS is not supposed to be intelligent, because the user is the expert. HIPS give you full control over apps, while BB's do not. They only alert when they think something might be wrong, I rather rely on my own expertise.

You don't have to monitor everything, only the stuff that's being used by most malware. And a tool like Process Explorer is cool, but it won't block a thing.

 

I don't care, I've used SSM and Neoava Guard for 7 years on Win XP, long after development was already dead and gone.

 

That is completely backwards. For users who understand what is and isn't necessary for normal operations, how different processes interact and what their needs are, classic HIPS provide the means to create a granular, fine tuned, and enforceable security policy that no built in Windows components and very few other security applications can equal.

 

Some of todays HIPS use massive whitelist so some user's like myself will get very few alerts. The only prompt I have received from Online Armor in the past 5 days was from Adobe Flash updating. I rarely ever get a prompt from Online Armor. It trains itself well during installation, and anything training does not pick up is usually whitelisted by the cloud.

You want be able to reach the same level of security with other products. The only exception is memory protection. They want provide you with good leak protection, and a behavior blocker will always be bypassed easier than a good HIPS. A HIPS gives you granular control over everything running on your system. Developers cut down on alerts by training the HIPS to the user's machine during installation, and using whitelisting in the cloud.

A behavior blocker can be intrusive as well. I use to receive more prompts from Mamutu than I did with Online Armor. I use to get a prompt from Mamutu all the time that said an application is exhibiting backdoor like behavior, and it would ask me if I wanted to allow it. It was an extremely vague prompt. It did not tell me what the behavior was that was considered backdoor like behavior so the information was not sufficient to make an educated decision. I can look at a HIPS prompt to see exactly what is trying to interact with what, or see what is trying to execute so BB prompts aren't any better than HIPS in my experience. BB's, and HIPS both use the cloud to cut down on the user being prompted about harmless executions so if a HIPS is not intrusive for the user then why not use it since it will provide better protection? Like I said, Online Armor rarely ever prompts me for anything. If a HIPS is intrusive for you then by all means use something else, but I will stick with the HIPS because it will provide better protection.

 

The only real survivor is Online Armor, which is the last classical HIPS left standing.

All the rest are gone.

 

Malware Defender still around -http://labs.360.cn/malwaredefender/index.html- If I recall it is 32-bit only.

 

Using a HIPS to enforce what applications can do is fine, but if it's configured to police every single action/interaction applications can do, the user can get bogged down in a micro-managing quagmire, rather than using the computer for its intended entertainment or work purposes.

 

At first, it takes a while to get all of the permissions set. Once it's done, that's over. After that, they do the job silently.

 

Used several HIPS programs (individually) and depending on how you configure your settings they can be
"talkative". Whitelist unchecked many popups.
Whitelist checked fewer popups. May not be for everyone, but in the right hands
of the user they can be very effective in securing your system.

 

Comodo, and Private Firewall is still around. I never had any luck with Comodo though. I did get prompted to death with Comodo, but I have not tried it in a long time. I have heard their whtielisting works much better now, but I can't speak from experience.

 

What made I finally gave OA up was that automation which you can't completely disable.
I don't want to have any whitelist or automatic decision when I use HIPS and want to treat all programs equally, only exception is a few security program which shouldn't be interfered in any way.
As noone_particular said once you established all rules after 1-2 weeks or possibly even a month, you'll rarely see popups.
The reason I don't use whitelist is a fact that there're already cases that trusted program's server was hacked and their product was used to convey malware. Sometimes cert check might help you, but in e.g. Opera case even cert couldn't help. I now am interested in how that Opera hack was treated here Wilders, so searched and found this.
https://www.wilderssecurity.com/threads/opera-users-get-warnings-from-security-software.349261/
It seems even some Wilders member considered it as FP initially. I don't blame them as it can happen to me as well, but good reason to be extremely careful when you treat suspected FP.
Sorry for bit off topic, but Opera is not the only one case and if your AV didn't detect such malicous update then HIPS can be able to block them but only when you had applied strict rules for the app.
As to expertise and user decision, I never trust myself but for me such high expertise is not 100% necessary when main purpose is anomaly detection. Even expert don't know how each app behave precisely until he apply HIPS to the app, tho some general prediction should be made.

 

No I don't see me as an expert I was a long time user of different HIPS systems and have some experience with them. Not less, not more.
Can you name me some experts which use some of those HIPS solutions we talk about here? I know no one, but I'm in touch with many experts, security and malware researchers. btw: Which point of you is proven?
But of course my statement was a little bit provocative.

Here I'm with you - if we talk about unwanted behaviour. But dangerous behaviour is anonther thing.

No. HIPS observes several behaviours (some more, some less) which the user can restrict. But that is not full control.

Yes and No. Problem: they can watch things that were used quite often in the PAST. But that is no guarantee about future stuff and methods used. But not only HIPS have those problems, right.

I know that ProcessMonitor can't really block (I spoke about that tool not about Process Explorer)

 

Exactly

 

It depends on how static one's environment is, as well as how granular the HIPS settings are made. If you're installing a lot of new programs, this is not necessarily the case. Not only that, even updates for programs already fully addressed by the HIPS can elicit new pop-ups. But, again, reducing the granularity of the settings can help a a lot in reducing pop-ups.

*EDIT*

not just how granular you want to make the HIPS monitoring, but also what, exactly, you want to monitor. Probably of less importance are protected directories such as Program files and Windows ( although there are some user-writable directories within). More important will be the user space (%USERPROFILE%) directories. Attached is just an example of how granular Jetico's Process Attack HIPS filtering can be made. If one wants to monitor with that much granularity throughout the entire directory structure, they'll be up to their eyeballs answering pop-ups.

 

Also what one feel "many" varies on individual.
I test some products from time to time, but still I think my system is static.

 

That's true. If one is okay with it, then it's irrelevant.

 

The main difference between HIPS and behavior blocking is how the monitoring activity will be defined.

HIPS assumes the user will assume some degree of the final configuration; or as stated above, granularity. A HIPS like Comodo's Defense+ allows the user to define monitoring at operating system level along with features like sandboxing and options for it. Most users do not have the technical knowledge to do this "fine tuning" configuration.

Behavior blocking allows the user to select what behavior he wishes to monitor but does not give him the capability to configure that behavior. The behavior blocker provided in Emsisoft Antimalware, aka Mamutu, is a good example. In the below screenshot on the right hand side, you select the type of behavior to monitor. On the left hand side of the screen shot, you indicate how the behavior is to be monitored. You either indicate that you want the EAM user community to make the decision based on archived history at specified level of confidence or; you indicate you want to make the decision by specifying "paranoid" mode. The community or your decision is limited to block or allow the behavior.

 

What is a HIPS? The technology behind Emsisoft Online Armor Firewall explained
HIPS or behavior analysis – what is better?
http://blog.emsisoft.com/2012/07/10/tec120710/