Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    In order to not flood the AppGuard thread with posts not entirely on-topic and also to keep this discussion clean of AG questions/support posts etc. I opened this thread to continue the discussion from the AG thread.
     
  2. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,763
    Location:
    Mexico
    Good you decided to open it. I was a DW user but after migrating to win8.1 x64 no more.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    This is from the AG thread. What part of: "AG can't alert me about suspicious behavior" don't you get? Like some other member already said, HIPS bring something else to the table.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    The same part that you don't get. It doesn't matter to me if the behavior is suspicious, as long as it isn't intended to be harmful. If it's innocent I don't care, and if it's malicious AppGuard stops it. Also this is why HIPS are a dying breed. A majority of users being alerted to suspicious behavior wouldn't know what to do about it. Frankly I am not sure I always would. All I care about is if behavior isn't harmful it can run and if it is, it's blocked.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    Yes, but that's just a matter of preference. I don't trust any app fully, unless I have no choice. And who cares that HIPS are not popular? It's not surprising because they are geared to expert users, who know how to use them.

    It's not just about stopping malware, it's also about stopping unwanted behavior. A lot of apps keep working normally even when certain stuff is blocked. And to get back to my first point, let's say you run some app and it wants to modify boot data, or wants to log keystrokes, for no good reason. Personally I would like to know what some app is up to, instead of just silently blocking it.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039

    Fully understand, but just don't be surprised if these apps slowly disappear, due to financials.
     
  7. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    No. No expert uses a HIPS ;) Whoever knows how to use them doesn't need such a thing.

    No again. A classical HIPS doesn't warn about dangerous or unwanted behaviour, it's not so intelligent. A HIPS alerts about actions it observes and says nothing more. It leaves the decision to the user. More intelligent BBs combine such actions and decide what can be dangerous and what not - a classical HIPS does nothing about that.

    Then try other ways to observe apps: Process Monitor & test systems. HIPS solutions only inform about application behaviours they watch - and those are only a few, not all.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    You're clearly not one of the "expert users" otherwise you wouldn't say such things. Which proves my point.

    That's the thing, everyone decides for themselves what's unwanted behavior. A HIPS is not supposed to be intelligent, because the user is the expert. HIPS give you full control over apps, while BBs do not. They only alert when they think something might be wrong; I'd rather rely on my own expertise.

    You don't have to monitor everything, only the stuff that's being used by most malware. And a tool like Process Explorer is cool, but it won't block a thing.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I don't care, I've used SSM and Neoava Guard for 7 years on Win XP, long after development was already dead and gone.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That is completely backwards. For users who understand what is and isn't necessary for normal operations, how different processes interact and what their needs are, classic HIPS provide the means to create a granular, fine tuned, and enforceable security policy that no built in Windows components and very few other security applications can equal.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    Some of today's HIPS use a massive whitelist, so some users like myself will get very few alerts. The only prompt I have received from Online Armor in the past 5 days was from Adobe Flash updating. I rarely ever get a prompt from Online Armor. It trains itself well during installation, and anything training does not pick up is usually whitelisted by the cloud.

    You won't be able to reach the same level of security with other products. The only exception is memory protection. They won't provide you with good leak protection, and a behavior blocker will always be bypassed easier than a good HIPS. A HIPS gives you granular control over everything running on your system. Developers cut down on alerts by training the HIPS to the user's machine during installation, and using whitelisting in the cloud.

    A behavior blocker can be intrusive as well. I used to receive more prompts from Mamutu than I did with Online Armor. I used to get a prompt from Mamutu all the time that said an application is exhibiting backdoor-like behavior, and it would ask me if I wanted to allow it. It was an extremely vague prompt. It did not tell me what the behavior was that was considered backdoor-like, so the information was not sufficient to make an educated decision. I can look at a HIPS prompt to see exactly what is trying to interact with what, or see what is trying to execute, so BB prompts aren't any better than HIPS prompts in my experience. BBs and HIPS both use the cloud to cut down on the user being prompted about harmless executions, so if a HIPS is not intrusive for the user then why not use it, since it will provide better protection? Like I said, Online Armor rarely ever prompts me for anything. If a HIPS is intrusive for you then by all means use something else, but I will stick with the HIPS because it will provide better protection.
     
  12. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,437
    The only real survivor is Online Armor, which is the last classical HIPS left standing.

    All the rest are gone.
     
  13. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Malware Defender is still around (http://labs.360.cn/malwaredefender/index.html). If I recall, it is 32-bit only.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Using a HIPS to enforce what applications can do is fine, but if it's configured to police every single action/interaction applications can do, the user can get bogged down in a micro-managing quagmire, rather than using the computer for its intended entertainment or work purposes.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    At first, it takes a while to get all of the permissions set. Once it's done, that's over. After that, they do the job silently.
     
  16. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Used several HIPS programs (individually) and depending on how you configure your settings they can be "talkative". Whitelist unchecked: many popups. Whitelist checked: fewer popups. May not be for everyone, but in the right hands of the user they can be very effective in securing your system.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    Comodo and Private Firewall are still around. I never had any luck with Comodo though. I did get prompted to death with Comodo, but I have not tried it in a long time. I have heard their whitelisting works much better now, but I can't speak from experience.
     
  18. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    What made me finally give OA up was the automation which you can't completely disable.
    I don't want to have any whitelist or automatic decision when I use a HIPS and want to treat all programs equally; the only exception is a few security programs which shouldn't be interfered with in any way.
    As noone_particular said, once you have established all rules after 1-2 weeks or possibly even a month, you'll rarely see popups.
    The reason I don't use a whitelist is the fact that there have already been cases where a trusted program's server was hacked and their product was used to convey malware. Sometimes a cert check might help you, but in, e.g., the Opera case even the cert couldn't help. I am now interested in how that Opera hack was treated here at Wilders, so I searched and found this.
    https://www.wilderssecurity.com/threads/opera-users-get-warnings-from-security-software.349261/
    It seems even some Wilders members considered it an FP initially. I don't blame them as it can happen to me as well, but it is a good reason to be extremely careful when you treat a suspected FP.
    Sorry for being a bit off topic, but Opera is not the only case, and if your AV didn't detect such a malicious update then a HIPS may be able to block it, but only when you have applied strict rules for the app.
    As to expertise and user decisions, I never trust myself, but for me such high expertise is not 100% necessary when the main purpose is anomaly detection. Even an expert doesn't know precisely how each app behaves until he applies a HIPS to the app, though some general prediction should be made.
     
  19. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    No, I don't see myself as an expert ;) I was a long-time user of different HIPS systems and have some experience with them. Not less, not more.
    Can you name me some experts who use some of those HIPS solutions we talk about here? I know no one, but I'm in touch with many experts, security and malware researchers. btw: Which point of yours is proven?
    But of course my statement was a little bit provocative.

    Here I'm with you - if we talk about unwanted behaviour. But dangerous behaviour is another thing.

    No. HIPS observes several behaviours (some more, some less) which the user can restrict. But that is not full control.

    Yes and no. Problem: they can watch things that were used quite often in the PAST. But that is no guarantee about future stuff and methods used. But not only HIPS have those problems, right.

    I know that Process Monitor can't really block (I spoke about that tool, not about Process Explorer).
     
  20. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Exactly :)
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    It depends on how static one's environment is, as well as how granular the HIPS settings are made. If you're installing a lot of new programs, this is not necessarily the case. Not only that, even updates for programs already fully addressed by the HIPS can elicit new pop-ups. But, again, reducing the granularity of the settings can help a lot in reducing pop-ups.

    *EDIT*

    Not just how granular you want to make the HIPS monitoring, but also what, exactly, you want to monitor. Probably of less importance are protected directories such as Program Files and Windows (although there are some user-writable directories within). More important will be the user space (%USERPROFILE%) directories. Attached is just an example of how granular Jetico's Process Attack HIPS filtering can be made. If one wants to monitor with that much granularity throughout the entire directory structure, they'll be up to their eyeballs answering pop-ups.
     

    Attached Files:

    Last edited: Jan 30, 2015
  22. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Also, what one feels is "many" varies by individual.
    I test some products from time to time, but I still think my system is static.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    That's true. If one is okay with it, then it's irrelevant.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The main difference between HIPS and behavior blocking is how the monitoring activity will be defined.

    HIPS assumes the user will assume some degree of the final configuration; or as stated above, granularity. A HIPS like Comodo's Defense+ allows the user to define monitoring at operating system level along with features like sandboxing and options for it. Most users do not have the technical knowledge to do this "fine tuning" configuration.

    Behavior blocking allows the user to select what behavior he wishes to monitor but does not give him the capability to configure that behavior. The behavior blocker provided in Emsisoft Anti-Malware, aka Mamutu, is a good example. In the below screenshot, on the right-hand side, you select the type of behavior to monitor. On the left-hand side of the screenshot, you indicate how the behavior is to be monitored. You either indicate that you want the EAM user community to make the decision based on archived history at a specified level of confidence, or you indicate you want to make the decision yourself by specifying "paranoid" mode. The community's or your decision is limited to block or allow the behavior.

    EAM_Behavior_Blocker.png
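To make the distinction drawn in this post (and wat0114's point above about monitoring granularity) concrete, here is a small added simulation; it is my own constructed illustration, not code from Comodo, Emsisoft, Jetico or any other product named in the thread. It runs one constructed stream of process actions through a classical HIPS that prompts for every watched action until the user has set a rule, and then narrows the watched targets to user-space persistence locations and adds a whitelist to show how each change cuts the prompt count. The paths, the event list and the `cautious_user` stand-in are all assumptions.

```python
"""Toy model of the thread's two decision styles: a classical HIPS prompts for each watched action
until the user sets a rule; a policy/whitelist model decides silently. Constructed illustration."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
@dataclass
class Event:
    process: str   # image path of the acting process
    action: str    # "file_write", "reg_write" or "inject"
    target: str    # file path, registry key or target process
@dataclass
class Hips:
    monitored: dict                            # action -> globs of targets to watch (granularity)
    whitelist: frozenset = frozenset()         # trusted images: the policy/cloud-whitelist model
    rules: dict = field(default_factory=dict)  # learned (process, action, target) -> verdict
    def evaluate(self, ev: Event) -> str:
        if ev.process in self.whitelist:
            return "allow"                     # trusted: never asked about
        if not any(fnmatch(ev.target, g) for g in self.monitored.get(ev.action, [])):
            return "allow"                     # outside the chosen granularity: not watched
        return self.rules.get((ev.process, ev.action, ev.target), "prompt")

def replay(hips: Hips, events, user) -> tuple:
    """Run events through the HIPS; 'user' answers each prompt and the answer becomes a rule."""
    prompts, outcomes = 0, []
    for ev in events:
        verdict = hips.evaluate(ev)
        if verdict == "prompt":
            prompts += 1
            verdict = user(ev)
            hips.rules[(ev.process, ev.action, ev.target)] = verdict
        outcomes.append(verdict)
    return prompts, outcomes

EDITOR, SETUP = r"C:\Program Files\Editor\editor.exe", r"C:\Users\me\Downloads\setup.exe"
EVENTS = [  # constructed sample activity: a known editor and an unknown installer
    Event(EDITOR, "file_write", r"C:\Users\me\Documents\notes.txt"),
    Event(EDITOR, "file_write", r"C:\Program Files\Editor\editor.log"),
    Event(SETUP, "file_write", r"C:\Users\me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk"),
    Event(SETUP, "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"),
    Event(SETUP, "inject", r"C:\Windows\explorer.exe"),
]
BROAD = {"file_write": ["*"], "reg_write": ["*"], "inject": ["*"]}         # police everything
FOCUSED = {"file_write": [r"C:\Users\*\AppData\*Startup*"],                # user-space persistence
           "reg_write": [r"HKCU\*\CurrentVersion\Run*"], "inject": ["*"]}  # and injection only
def cautious_user(ev: Event) -> str:  # stand-in for the person answering prompts
    return "block" if "Downloads" in ev.process else "allow"
if __name__ == "__main__":  # prints 5 prompts, then 0 once rules exist, then 3 under FOCUSED
    learned = Hips(BROAD)
    print(replay(learned, EVENTS, cautious_user), replay(learned, EVENTS, cautious_user))
    print(replay(Hips(FOCUSED), EVENTS, cautious_user))
```

Whitelisting the editor under BROAD (`Hips(BROAD, frozenset({EDITOR}))`) also drops the count to 3, which is the trade the thread is arguing about: fewer prompts, but the whitelisted image is never questioned.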
     
  25. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,085