Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,940
    Location:
    Poland - Cracow
    Classical HIPS...and old (and classical for me) source of information - Karedjag's blog now in new interface. I think he'll probably join to discussion :)
    http://kareldjag.over-blog.com/
     
  2. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    558
    Location:
    The Outer Limits
    No it`s a BB not a HIPS. check #17 https://www.wilderssecurity.com/threads/seeking-copy-of-dynamic-security-agent.276982/



    Yeah that was a great thread did I not chip in on that one ?

    Outpost queries it`s own outbound connection after a full weeks training which isn`t that smart in my book.

    Regards Eck:)
     
  3. 142395

    142395 Guest

    Sorry for confusion, but I meant automatic decision, not whitelist. If you trust an app, you can't control all behavior of it whatever setting you made (some activity are allowed automatically). But if you didn't trust the app, again, some behavior will be automatically blocked. Fabian confirmed it. As I want to control all app's all behavior, I gave it up.

    For me, malicious update is real threat. I could be infected if I used Opera that time, though my AV could detect it in quite early timing. After that, again I could be infected as one of my trusted text editor's server was hacked. But cuz I only install that in virtual environment only when needed, I could avoid infection. And there have been other cases, Buffalo's driver (tho in this case sig check was effective), a minor media player, maybe more.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,601
    Location:
    USA
    Wouldn't it be enough to go into HIPS settings and change them all to ask user for your applications? You could change the HIPS ruleset for each monitored execution to ask user for all of them. In the screen shot below you can see I did not trust the executable, and I could change them all to ask user if I wanted to. If you want to do more than that plus not use any whitelisting then I don't know how you can get any work done. We all have our preferences though.
     

    Attached Files:

  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,442
    Location:
    Outer space
    Kaspersky's Application Control is also some sort of CHIPS, very configurable and the application trust levels make configuration easier. Downside is that you have to install the whole KIS package, custom install is long gone for Kaspersky.

    Ah finally some love for Outpost :D
     
  6. 142395

    142395 Guest

    No, not enough. I already did that and found some activity are automatically blocked w/out any interaction. As you see in the link, Fabian confirmed it.
     
  7. 142395

    142395 Guest

    Yeah, I like it too.:thumb:
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,111
    Location:
    U.S.A.
    The Dynamic Security Agent technology PF uses is a hybrid in that it uses both HIPS and behavior blocking technology. It is somewhat unique in that it looks for deviation from normal use behavior to make it's decisions rather than applying a fixed set of rules that HIPS and conventional behavior blockers use. As the Wilders thread pointed out, DSA requires extensive training to be fully effective and is best suited to users that perform a fixed routine of tasks on their PC. Remember that PF began as a corporate product and DSA would be ideal for that type of use environment.
     
  9. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    Anyone have the latest version of DSA and also SSM ?
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I uploaded SSM pro 2.4.0.622 here some time ago. It's compatible with Win 2000 through XP-SP3. If you're going to use it for more than the 30 day trial period, you'll need a key. The developers released a permanent key shortly after development stopped. PM me if you need it. I also have copies of the free versions. They work with 98FE through XP-SP2.
     
  11. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    thanks noone_particular :-*
     
  12. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,194
    This looks to be a beta release. How stable is it and what settings do you recommend changing ?
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,853
    Location:
    Slovenia
    It was stable on Windows XP last time I have used it. It's also last release if I remember correctly. I also have installer for v. 2.4.0.621 (non-beta) if anybody would like to test or use it.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    All of the 2.4 versions were labelled as beta. That was primarily due to making it compatible with Vista, which it was before SP1. That broke it on Vista. Development stopped shortly afterwards. On XP it can be regarded as stable.

    Regarding the settings, that will greatly depend on what you want from it. I would start with these:
    Shut off the registry rules, at least until the application rules are completed.
    Don't set a password until your ruleset is done.
    Connect the interface at startup.
    Start automatically.
    Disable update checking. There will be none.

    Beyond these, your choices depend on how detailed you want your control to be. Under the applications options, I use the block everything option. The silent checksum update and trust signed binaries options are disabled.

    On the rules tab, under each rule group, I set the default parent and child settings to "ask". I also set the default to "ask" for libraries and drivers. These settings are accessible via "advanced properties" for each group. They will also be available for individual applications in those groups. There you can set exceptions to the policies assigned to the group. You might want to consider defining more groups. I use the "normal" group for non-internet applications and created a separate group for all applications and system components that need internet access. The system group contains several hard coded rules. I left them in that group and created an editable system group for all of the others.

    For the special permissions for each group, I set all of the options under logging, system control, code/dll injection, and network to ask. The options under process control and protection are used for individual applications when required.

    These settings offer the maximum control. They will also cause the maximum number of prompts. Most users will not want these settings.
     
  15. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,194
    I take it SSM 2.4.0.622 was the last version offered. Don't know how compatible it would be with my other
    security software.
     
    Last edited: Feb 1, 2015
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If the other software uses kernel hooks or requires similar low level access, the potential for conflict is always there. I ran into that very problem when AntiVir/Avira first released a rootkit module for their AV. The first update to it conflicted with SSM and blue screened any unit that used both. Contrary to what MS claims, on XP and older, well designed applications that hook the kernel are rarely a problem. It becomes a problem when more than one start hooking the same functions and start interfering with each other. Besides interfering with the functions themselves, this can disrupt the timing between the requests and responses that control events. Ideally, limit your system to one application that hooks the kernel. You might get more than one to work without problems. All that can change with a single update to either. If you're going to experiment with this, make a full system backup first. Don't rely on being able to get to the uninstaller.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,601
    Location:
    USA
    Are there HIPS that do this? There's Comodo, PrivateFirewall, Outpost, Malware Defender, SSM, etc.
     
  18. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    558
    Location:
    The Outer Limits
    As explained in the link by Bellgamin it`s a BB with HIPS like monitoring of critical areas but this does not mean it`s an actual HIPS.DSA was fully incorporated into PFW with some improvments like instead of auto blocking after ten seconds it now gives 28 to allow.

    Yes once you get over the initial training it runs quietly enough with only a couple of pop-ups even when installing a new program etc.

    Regards Eck:)
     
    Last edited: Feb 4, 2015
  19. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,194
    There are a couple things I need to check out first. Hopefully I can keep the apps I have since they are in some
    respect first lines of defense that work well with the OS . I don't use many security apps since I try to
    harden the OS as much as possible and then apply few third-party apps that will further secure and protect.
    Sandboxie is a paid program and very useful so like to keep that. There is some kernel hooking on apps going
    on and I'm still in testing phase of another app I'm using.
    Full system backups are available if I decide to make any changes.
     
    Last edited: Feb 1, 2015
  20. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,940
    Location:
    Poland - Cracow
    I think one more is needed to set
    http://help.emsisoft.com/oa/Programs.shtml
    If is set "on" you are always connected to the Emsi's cloud so some decision are made automaticly...if "off" you are "alone in the dark" :)

    SpyShelter has such option in settings...I think it's what you expect. From help file of SS
     
    Last edited: Feb 2, 2015
  21. 142395

    142395 Guest

    A little correction to my previous post, what matters is actually not interactivity or popup as I can see log, but is I can't allow certain action w/out trusting the process.
    I haven't used all of them, but Comodo and Kaspersky seems to give full control.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,111
    Location:
    U.S.A.
    http://www.techsupportalert.com/content/how-install-comodo-firewall.htm

    This is an interesting read by Chiron, can't believe the guy is still at it after all these years, on configuring the latest version of CIS. The gist of it is after using Defense+ to perform the initial whitelisting of your apps, he turns off Defense+ and forces everything to run out of Comodo's sandbox. Also since Comodo's cloud behavior blocker will check sandboxed apps, appears to me a trend by Comodo to be moving away from the classical HIPS approach and toward intelligent on demand cloud behavior blocking using the sandbox to provide process isolation security?
     
  23. guest

    guest Guest

    Please no, I don't want anymore classical HIPS to go ascending to the heaven. :'(
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    When an application has to check with a vendors database to determine what it should and shouldn't allow, calling that "intelligent" is a perversion of the word. All that does is copy what AVs have been doing for years, getting their information from a server. The last thing I want is a vendor telling me what is and isn't allowed or acceptable on my equipment. No thanks.

    The servers that supply that data to those so-called "intelligent" HIPS would be a very high value target for a hacker. Care to bet that the NSA hasn't already been there and inserted a few permissions of their own?
     
  25. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,194
    How times have changed. The classic HIPS which offer more granular control without the necessity to upload to the cloud or get info from a server that could possibly get hacked. Maybe time to rethink and adjust accordingly. Maybe the only time I want to be notified is through classic HIPS .
    I go back to building own whitelist even with browser extensions. Not allowing automatically known apps the vendor trusts in HIPS .
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.