Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Vendors for everything from operating systems to security software to user applications are shoving cloud integration or dependency into all kinds of applications, whether it's useful or not. IMO, the concept is fundamentally flawed. A single application, a cloud dependent HIPS that's tied to the core of your operating system is made part of your attack surface in several ways. It's directly accessible from the internet. The servers and database it relies on can be exploited. An adversary with the ability to seize or coerce the vendor or their server can misuse that HIPS to learn and defeat any defenses you use or to obtain any data that you have. The core of your operating system should not be accessible from the web via any application. People should start seeing cloud computing for what it is, a means to give others access to your data, your activities, and your devices.
    When adware removers were popular, "trust" was being purchased, coerced, or threatened out of the removers' vendors. With governments in the spyware and malware business, that threat is much bigger than it ever was back then.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    If you know how to use HIPS in a beneficial way, then you're already an "expert user". You don't see yourself in this way, and seem to think that people don't really need HIPS. HIPS are not geared to people like you, that was my point.

    It's up to the user to decide if it's dangerous or not. If a trusted security tool wants to inject code and install a service/driver, it's probably not dangerous. If some new "system tweaker" wants to do the same, it might be shady.

    That IS full control over behavior that can be used in a malicious or unwanted way.

    Malware has hardly used any new techniques to infect a system in the last 10 years. HIPS cover the basics, you can of course not protect against stuff (like a new code injection method) that you don't know about.

    Yes I know, but why mention it in the first place, it's nothing like a HIPS at all. And I use Process Explorer quite heavily that's why I mentioned it.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Yes exactly.

    About convenience, this depends on the HIPS itself, it's the reason why I don't like many HIPS (besides a bad GUI), HIPS should at least white-list and trust all "Windows OS applications and services", it should never alert about them. Some also offer an option to "trust all running processes". This all will spare you from a lot of annoying alerts.

    It's also nice if HIPS give you an option to control rules, for example SpyShelter gives you an option to disable certain behavioral monitors. It's nice because some of the stuff is too difficult to make a decision about and will also make a HIPS too chatty.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I also believe that we have to be careful with product classification.

    A pure behavior blocker works at the application level and either allows or denies the execution of the app. Once you introduce conditional logic into the allow or deny decision, then processing becomes a HIPS.
    ref: http://antivirus.about.com/od/antivirussoftwarereviews/a/hips_behavior.htm.

    Below is a screen shot of one of the rules Emsisoft's behavior blocker created for an app on my PC. Since the allow behavior has at least one conditional aspect to it, it can be argued that EAM's behavior blocker is in reality a HIPS. So an accurate definition of software like this would be a high level HIPS with behavioral aspects or the converse; whichever you prefer. Or better yet, it can be said it is a rule based HIPS.

    [Screenshot attached in the original post: EAM_App_Rule.png]

    Getting back to the definition of a "classical" HIPS, I would say it is software that allows for monitoring of system activity independent of a given application. In other words, it allows a level of granularity for example as illustrated by the following three Defense+ sections of the Comodo IS help manual:

    https://help.comodo.com/topic-72-1-284-3031-Protected-Files-and-Folders.html
    https://help.comodo.com/topic-72-1-284-3032-Protected-Registry-Keys.html
    https://help.comodo.com/topic-72-1-284-3033-Protected-COM-Interfaces.html

    Overall, it can be said that Comodo's Defense+ incorporates behavior blocking plus rule based and classical level HIPS characteristics. Plus it allows the user the ability to use a combination of all three technologies.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Correct, EIS does not offer a true behavior blocker. It's a matter of preference but I would never trust a BB, it will always miss things and doesn't offer full control.
     
    Last edited: Feb 3, 2015
  6. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Yes! But then you don't really need it. ;)

    Oh, thx. That you know what people are like. But what was my question?
    Every expert would tell you the same as I did about HIPS. Classical HIPS are not dead until now (many are) but they will die in the near future. Believe me :)

    What if a user trusts software that does malicious things? Was it dangerous then? ;)

    No again. Especially existing HIPS systems are more user friendly and give you less control than for example Malware Defender did.

    Do some research...

    That was my point, and that's the dilemma.

    I never said that it is like HIPS, I said it is more powerful than every CHIPS when it comes to seeing what a process does.

    Ok. Let's stop it here :) I would be happy if some classical HIPS would survive. But I don't believe it.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    That doesn't make any sense whatsoever.

    You said it yourself? And who cares about if experts think HIPS will die? That's not what this thread is about.

    Then you have made a wrong decision, nothing more nothing less.

    I think I misunderstood you. But like I said earlier in the thread, there must be a balance between security and usability. So everyone has a different definition of "full control".

    In the last years, I've read about roughly 5 new techniques, and most of them are already covered by modern HIPS. Apparently you have done some research, so please let us know what your findings are.

    That's no dilemma to me, there is no such thing as 100% security, developers will always miss things, just look at recent bypasses of Sandboxie and AppGuard.

    Yes but who cares when it can't block a thing? I don't really care about all activities from apps, it's about the ones that are risky, and HIPS let you block them.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That requirement alone creates several problems. On what basis does the HIPS determine whether a Windows application or component is legitimate? Digital signature? A HIPS using that option would have allowed Stuxnet to run. File hashes for every version of each component? That's potentially a few thousand files. The list grows with each update to Windows. Consulting an online database (cloud)? That increases dependency and the attack surface. Regardless of which way you go, there's a tradeoff. The HIPS would have to either trust the signed files, have access to a database that will need regular updating, or let the user decide.
    Next issue. Just because a service or OS application is legitimate doesn't eliminate using them maliciously. Iexplore.exe is legitimate as is cmd.exe. I wouldn't want Iexplore.exe to have full access to cmd.exe, or regedit.exe, or regsvr32.exe. These and others aren't required for normal usage and don't need to be available to user applications. In order for the HIPS to intelligently decide which parent-child activities are necessary and which are undesired, it will need access to a lot more information. Back to a huge database or cloud access, and hoping that all of the data in the cloud database is accurate and uncompromised.
     
  9. 142395

    142395 Guest

    Right, that is also needed.
    I'm now looking hard at SS (only the HIPS version, not the FW). Does their test trial fully work until it expires? I have seen some bad experiences about their trial...
    +1:thumb:
    Exactly, remember the hacked update cases. Windows Update was also hacked, though that was easy to block; who knows the next advanced hack? Even sig check is not perfect, as noone_particular explained. And needless to say, some system components such as explorer, iexplorer, cmd, wordpad, csrss, smss, rundll32, regsvr32, dllhost, services, winlogon, spoolsv, wininit, etc. are worth being protected.

    OTOH, I can't say the move to cloud is generally a bad thing. This is because security providers basically should focus on average users. However, not all vendors need to do so, and I hope we HIPS lovers won't lose more options.
     
  10. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Rasheed: To make it short. I think here are the points where we have simply different understandings/opinions and where a discussion would therefore run in circles.

    (1)
    The decision is left to the user at the end. That's what I said and so for me HIPS warns about observed behaviours but not about dangerous ones. So one extreme would be: If you don't trust an application, don't use it. Maybe a better way: Watch what an application does: With HIPS and/or with ProcMon and/or with other Tools. But at the end: At least if I find some (for me) unwanted behaviour I don't try to regulate it with HIPS and so on, I simply stop using the corresponding application.

    (2)
    My definition of "full control" is full control about every activity. Yours: Most possible control about some behaviours which HIPS observes. Ok!
    :cheers:

    Edit: Nevertheless, I fully agree with what you said about the compromise between usability and security. If I think about the KIS HIPS for example: It is one of the most powerful solutions actually out there for home customers. But in default it is very quiet and user friendly. OA also in some ways.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If it was only that easy. What do you do when it's a component of the OS itself, or a browser? If for instance, the unwanted behavior is your browser calling home, what are your options when they all do it? Preventing or controlling the unwanted behavior becomes your only option. Even if you configure the undesired behavior out of the application, what happens when it's updated?

    When I was testing SSM, the version of Yahoo messenger in use at the time would attempt to set hooks on the keyboard and mouse. While experimenting with it and SSM, I found that blocking the hooks did not prevent the normal operation of the IM program. The hooks were used for one purpose, logging conversations, which was enabled by default if I recall. If the hooks were blocked, the conversation logs remained empty, even if an update to the IM enabled it. With rapid update becoming the standard and applications increasingly being given spyware behaviors disguised as features, monitoring for new behaviors is more important than it's ever been.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Below are excerpts from Big Brother himself on what is a HIPS. This by the way is the definition of a classical HIPS. The key point is that host intrusion prevention/protection is a system of components.

    In reality, most retail internet security suites today employ elements of this model. The main difference being that the retail software is tailored to the average PC user; both in degree of protection required and usability. Again, the classic definition of security is protection versus usability.

    ref: https://www.nsa.gov/ia/_files/facts...slicksheet_hostintrusionpreventionsystems.pdf

    HIPS generally include four different technologies:

    1. Host firewall.
    2. Registry monitor.
    3. File integrity monitor.
    4. Process or application behavior monitor.


    To be effective, it is crucial that a HIPS have a well defined and tuned policy, or set of rules. Vendors provide many rules with their product, but it is up to the system administrator to tune the rules to their particular environment and to address the specific risks that they face.

    Many HIPS products provide the ability to “learn” normal system behavior. This is a double-edged sword. It is convenient because administrators can avoid some of the tedious manual tuning of the HIPS. However, if the learning period coincides with a period when the network is under attack (or the machine is infected - my words), the HIPS could learn that being attacked (infected) is normal and deem that as allowable behavior.

    Note: The recommended way to install all monitoring software is immediately after the OS and applications have been installed with Internet access disabled on a "clean" hard drive.

    The importance of dedicated and trained administrators also cannot be overstated. Many rules are passive instead of active; in other words, they are set to alert or log instead of block suspicious activity. Without a trained individual reviewing the logs on a regular basis, no action can be taken to address the suspicious activity. Addressing the anomalous activity includes both investigating machines that are determined to be infected as well as identifying cases where the HIPS rules need to be further tailored to not alert on legitimate activity.
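    The learning-mode caveat quoted above is easy to see in code. Below is an added example (it is not from the NSA sheet, from itman's post, or from any product): a toy HIPS "learning mode" that records observed (process, action, target) behaviours as normal, then alerts or blocks on anything unseen. The same model is trained twice, once on a constructed clean period and once on the same period with two constructed signs of an existing infection mixed in, to show how naive learning baselines the infection as allowed. The `NEVER_BASELINE` list and the passive/active distinction are this example's own assumptions, modelled on the sheet's "alert or log instead of block" remark.

```python
"""Added example (not from the thread): a toy HIPS learning mode.

Events, process names and paths are constructed sample data.
"""
from typing import Iterable, List, Set, Tuple

Event = Tuple[str, str, str]  # (process, action, target)

# Behaviours this example refuses to accept as "normal" even if seen during
# the learning period. This list is an assumption of the example, not a
# published rule set; it stands in for the administrator's own review.
NEVER_BASELINE: Set[Event] = {
    ("winword.exe", "create_process", "powershell.exe"),
    ("iexplore.exe", "create_process", "cmd.exe"),
}


class LearningHips:
    def __init__(self, mode: str = "passive") -> None:
        # passive = alert/log only (a human must review), active = block
        self.mode = mode
        self.allowed: Set[Event] = set()
        self.rejected_during_learning: List[Event] = []

    def learn(self, events: Iterable[Event]) -> None:
        """Guarded learning: everything seen becomes allowed, except
        behaviours on the never-baseline list, which are kept for review."""
        for ev in events:
            if ev in NEVER_BASELINE:
                self.rejected_during_learning.append(ev)
            else:
                self.allowed.add(ev)

    def evaluate(self, ev: Event) -> str:
        if ev in self.allowed:
            return "allow"
        return "alert" if self.mode == "passive" else "block"

    def review_queue(self, events: Iterable[Event]) -> List[Event]:
        """Events a trained administrator has to look at (passive rules)."""
        return [ev for ev in events if self.evaluate(ev) == "alert"]


# Constructed learning period on a clean machine.
CLEAN_PERIOD: List[Event] = [
    ("winword.exe", "file_write", "C:\\Users\\alice\\Documents\\report.docx"),
    ("svchost.exe", "registry_write", "HKLM\\SYSTEM\\CurrentControlSet\\Services"),
    ("firefox.exe", "network_connect", "203.0.113.10:443"),
]

# Same period, but the machine was already compromised while learning.
INFECTED_PERIOD: List[Event] = CLEAN_PERIOD + [
    ("winword.exe", "create_process", "powershell.exe"),
    ("svchost.exe", "file_write", "C:\\Users\\alice\\AppData\\Roaming\\upd.exe"),
]


def naive_learning(events: Iterable[Event], mode: str = "passive") -> LearningHips:
    """Learning with no guard rails: whatever was observed is now normal."""
    hips = LearningHips(mode)
    hips.allowed = set(events)
    return hips


def guarded_learning(events: Iterable[Event], mode: str = "passive") -> LearningHips:
    hips = LearningHips(mode)
    hips.learn(events)
    return hips


if __name__ == "__main__":
    bad = ("winword.exe", "create_process", "powershell.exe")
    for name, builder in (("naive", naive_learning), ("guarded", guarded_learning)):
        hips = builder(INFECTED_PERIOD)
        print(f"{name:8s} learned on infected machine -> {bad[0]} spawning {bad[2]}: "
              f"{hips.evaluate(bad)}")
    # Learning on a clean machine leaves the later dropper write visible.
    clean = guarded_learning(CLEAN_PERIOD)
    print("clean baseline review queue:", clean.review_queue(INFECTED_PERIOD))
```

    The second infected-period event (svchost.exe writing an executable into a user profile) is not on the never-baseline list, so both learners accept it once they have been trained on the compromised machine; the guard list only catches what someone already thought of, which is why the sheet's advice to learn on a clean, offline install is the real control, and why passive rules still need a reviewer.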
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I'm not sure what point you're trying to make. It's up to you to decide if it's dangerous or abnormal behavior. The thing is, almost everything that HIPS monitor can be used by legitimate apps but also by malware. So you need some expertise. And you can of course choose to either stop using some app at all, when it triggers highly suspicious behavior, or restrict certain unwanted behavior, like phoning home.

    Like I said, it's normal for security tools to trigger certain behaviors, but you won't see it as suspicious because it's trusted, and you know it has to perform certain activities to be able to protect the system. For example, MBAE and HMPA both inject code into certain processes, for protection purposes. It's also normal for a browser to make outbound connections. However, it's not normal if the browser wants to "accept incoming connections" and wants to have "low level disk access", then something fishy might be up.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Well to be honest, to me it looked like you're all over the place. At one point it seemed like you suggested that you don't really need HIPS, especially if you're knowledgeable. But now it seems that you actually believe that HIPS can indeed be useful.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    It's indeed not that simple. I will explain myself. That comment was mostly based on Comodo which will alert you about stuff that's normal behavior from the Windows OS itself. If you block it, then your system will most likely not function correctly. Just take a look at SSM, you can not configure certain Windows system applications, the developers were smart enough to disable this option.

    But I was not talking about blindly trusting all Windows system apps and services. Some can be used in attacks, for example cmd.exe and powershell.exe, they should be running restricted. And HIPS should indeed be intelligent enough to look at parent-child relations, in order to trust or restrict apps. If svchost.exe is launched by services.exe, then it's trusted, if it's launched by some other app, then it should be monitored. So only essential Windows apps and services should be trusted, and trust is also based on the parent process.

    How do you know that you're dealing with legitimate Windows OS applications? AFAIK, HIPS do indeed look at digital signatures, I don't see any other way to verify this stuff. I'm personally not into cloud based verification, especially if it's real time based.

    BTW, this is an interesting article: https://sysforensics.org/2014/01/know-your-windows-processes.html
     
  16. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Usefulness for some persons and/or in some situations is another thing than "need" ;)

    Example:
    I was a long time hips user, but most of all I was creating "allow" rules, complex rulesets and so on. Annoying. Really dangerous things I've only seen when I was testing malware. And in that times it was quite interesting to see what all the different HIPS solutions warn about. There were and are huge differences.

    But the decision was always left to me, like I said "a HIPS alerts - the user must decide". That was my whole point. And your argument at first was that HIPS warn about "dangerous behaviour" - no, the user must decide for himself.

    But to be honest: sometimes I miss for example good old Malware Defender, mostly because of the powerful logging system it has. But x64 ...

    In short: Let's come together in the middle. HIPS can be useful for semi-professional users :)
     
    Last edited: Feb 3, 2015
  17. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I certainly have been having the feeling that some people who know some nasty tricks, need the classical hips to be more at ease the same tricks are not applied to them.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The opposite also holds true. When testing security software and working with live malware, you get to see your fair share of nasty tricks employed by others. You can't help developing a familiarity with them. Some of them can be reused in your overall defenses, especially deception and misdirection.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    It can be annoying, but like I said, it depends on the HIPS. You should be able to fine tune it, to make a HIPS less chatty. I personally don't like to be alerted about stuff that's too difficult to make a decision about. So you might as well turn some stuff off.

    It also depends on how you use a PC. Two months ago I bought a new PC, so I was installing and testing quite a lot of apps. But I noticed that I'm a bit less active now, and I've already made the rules for my most used apps, so I actually don't get to see that many alerts. And it's not just about alerting, HIPS can also restrict vulnerable and targeted applications. This means that it will auto-block suspicious behavior.

    HIPS are useful for anyone who can use it in a beneficial way.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    You can also read about these "nasty tricks" in a lot of security blogs. But like I said before, most of these tricks have been around for years, that's why HIPS have not changed that much when it comes to behavioral monitoring.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'll never live down the flash-in-the-pan demise of EQSysSecure w/Alcyon's Rulesets.

    You could literally throw everything AND the kitchen sink at it after you fine tuned all the variables needed and nothing could bypass its Interruption/Suspended gates, and you could leave the baddie securely in limbo until making the right decision on it or close it down completely.
     
  22. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Maybe this is the right place to ask:

    I have always been happy with CIS D+ (HIPS) but now switched to ESET with HIPS set to "Smart Mode". From what I tested and read, this is quite a good HIPS setup. But my tests were made with all other protections active. Maybe I should try a HIPS-only test against malware to see the real power of ESET HIPS-Smart mode?
     
  23. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Make it, but don't be disappointed ;)
     
  24. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Of course you can if you want, but it would be wrong to say that the product failed if the malware could have been detected and blocked by some earlier layer in the product before it reached the HIPS that basically work as the last layer.

    So doing that will stress the HIPS Smart Mode more but it won't show the real power of the product as a whole, as it is meant to be used. But if you want to test against the HIPS Smart Mode only then there is no other way to do it that I can see.
     
    Last edited: Feb 18, 2015
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tested Eset Smart Security 8 against Comodo leak test a few weeks ago, and Eset scored pretty good. I think Eset scored 240 if I remember correctly. I had the Firewall in interactive mode, but I don't remember what settings I was using with the HIPS. I was probably using the default settings. Online Armor scored the highest score possible. I think that is a 300 if I remember correctly.
     