Classical HIPS &/or behavior blocker?

Discussion in 'other anti-malware software' started by bellgamin, Mar 8, 2008.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Suppose that someone is running a nicely configured "classical" HIPS (such as Prosec), and is ALSO running a behavior blocker (such as Threatfire).

    Q1- Is there any possibility that the behavior blocker might detect a nasty that would NOT be detected by the classical HIPS?

    Q2- (To put it another way...) Is it basically *useless* to run a behavior blocker in addition to running a classical HIPS?
     
  2. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I don't think it is, Bellgamin. I have run Processguard and Prevx at the same time with no problems. My thinking is if I made the wrong decision in Processguard that Prevx would grab it or vice versa.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    My answer would be yes, unless your ruleset has a big hole or you take the wrong decision which would mean that classic HIPS isn't for you.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Contrary to some circles and opinions at the time, I safely and effectively ran both CYBERHAWK & SYSTEM SAFETY MONITOR with great results.

    CyberHawk jumped up first followed by SSM if I chose "allow" in SSM. For me that effected a very useful double-layer shield.

    Would I do the same today with say an EQS & ThreatFire? I just might. Since the first onset and debut introduction of BOTH types of new sensory detection methods/apps, I've experienced such a marked improvement in protection that I am long since independent from any dependency again on an AV/AS except only for research purposes.

    This technology IMO has successfully proven to bridge the gap that the other methods fell short on for so long and has also helped increase awareness that pro-active interception of signals to and between the O/S doesn't now have to be constrained to updating/depending on blacklists alone.
     
  5. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Processguard hit for me first followed by Prevx authorizing the program. I've dropped both for now and only run Defencewall for my HIPS.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Bellgamin,

    When you run your HIPS full fledged, I would say it is not needed. Maybe only for the duration of the learning period a behavioral blocker can help you fine tune your HIPS ruleset (allowing f.i. TF pop-ups is not a wise idea, but I do not have to explain that to you).

    I can imagine using a HIPS and behavioral blocker, when you apply in f.i. EQSecure 4.0 only the system protection and advanced system protection, but leave the process protection untouched. This would protect you from the worst type of infections. The Behavioral Blocker would protect you from process modification, COM objects, windows messages.

    Regards, Kees
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Speaking strictly with respect to ThreatFire: it catches buffer overflows, suspicious network activity (such as silent connections, or attempts to create an SMTP server on your computer), modifications to account privileges, and some others I can't remember offhand right now. These are some actions that not many HIPS can catch.

    Otherwise, unless you have big gaping holes in your ruleset, no.

    And of course, there's the question of practical usability, but that's for another topic.
     
  8. SecOmnius

    SecOmnius Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    70
    Location:
    In the Light of PARTHENON
    Without having conflicts, many users selected the following combinations:
    - ThreatFire with D+ of Comodo 3.0,
    - ThreatFire with EQSecure, and
    - ThreatFire with SSM.
    Indeed, Behavioral Blockers and HIPS can walk side-by-side and cover each other.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    TF and CFP are not so friendly together; however, SSM and EQS play well with TF.

    Adding TF to CFP gives rise to some annoying and confusing pop-ups that you never see while using CFP alone.
     
  10. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I had TF and SSM with no problems. Then Comodo Ver.3 came along. They would coexist so long as you weren't downloading something. Then each tried to take control. TF and SSM would lock up. I removed SSM.
     
  11. SecOmnius

    SecOmnius Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    70
    Location:
    In the Light of PARTHENON
    Did you use the settings provided by Kees1958 to configure D+?
    When I did it, D+ had no serious conflict with TF.
     
    Last edited: Mar 9, 2008
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Bellgamin, sorry, second thought.

    Q1 - There is, like Solcroft explained, but there is also another reason why a Behavioral Blocker and Classical HIPS work fine. Some behavioral Blockers analyse a series of events. These events could in themselves be not that intrusive, although the accumulated events might trigger the alarm. Most classical HIPS have not got this staged rating system (except Neoava Guard).

    Q2 - Yes, when you do not ease up on the most common intrusions in your classical HIPS, like explained in post 6 (EQS) or as SecOmnius mentioned for D+ in post 11. So in general, no or limited COM, no memory violation checks, no messages, no hook-setting intrusions are handled by the classical HIPS; leave that to the Behavior Blocker. Lucas1985 and Solcroft say YES only when you have holes in your HIPS; I would say NO when you leave holes in your classical HIPS on purpose and let the intelligent behavior blocker deal with common intrusions (to reduce pop-ups and get the best of both worlds).
     
    Last edited: Mar 9, 2008
  13. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I had completely shut down D+ and still had some problems. I finally made a decision to go COMODO full, remove SSM and ThreatFire. It kind of hurt because I had recently bought a Lifetime Site License for SSM. But right after I did, it looked like development stopped. Comodo looks like they are moving on. Also I don't feel like I need all that running. I feel that NOD32 and Defence+ are enough for sensible surfing. If I'm going to get frisky I can turn on DW, Sandboxie and/or Returnil.
     
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Great information. Thank you!

    Please think some more, when you have time. Your comments are revealing things about TF that I have not been able to find anywhere else.

    Yet another new fact. Thanks!

    Questions to any & all...

    Q3- Does TF have this ability to analyze a series of events?

    Q4- Can anyone give a hypothetical example of a *suspicious* series of events that a behavior blocker might detect?
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Launching of an executable from the cache directory which tries to hijack a running process and use a hidden instance of it to connect to the Internet.
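    The staged rating Kees1958 describes in post 12, applied to the event chain lucas1985 gives above, as an added illustration written for this thread (it is not code from ThreatFire or any product named here; the event names, weights and threshold are made up for the example):

```python
from collections import defaultdict

# Per-event weights (constructed for this example; real behavior blockers
# use their own undisclosed scoring). No single event reaches the threshold,
# which is the point: a classical HIPS rule sees each event on its own.
WEIGHTS = {
    "exec_from_cache_dir": 2,    # launched from a browser cache / temp folder
    "open_process_handle": 2,    # obtained a handle to another running process
    "write_remote_memory": 3,    # wrote into that process (hijack / injection)
    "create_hidden_process": 2,  # started a process with no visible window
    "outbound_connection": 1,    # connected to the Internet
    "write_file": 0,
    "create_registry_run": 2,    # added an autostart entry
}
ALERT_THRESHOLD = 7

def score_events(events, threshold=ALERT_THRESHOLD):
    """Accumulate a score per process over a stream of (pid, event) tuples.

    Each distinct event type counts once per process, so a browser making
    many connections does not creep up to the threshold by repetition.
    Returns {pid: (score, alerted)}.
    """
    scores = defaultdict(int)
    seen = defaultdict(set)
    alerted = set()
    for pid, event in events:
        if event in seen[pid]:
            continue
        seen[pid].add(event)
        scores[pid] += WEIGHTS.get(event, 0)
        if scores[pid] >= threshold:
            alerted.add(pid)
    return {pid: (scores[pid], pid in alerted) for pid in scores}

# Constructed event stream: pid 4242 follows the chain lucas1985 describes,
# pid 1111 behaves like an installer, pid 2222 like a browser.
SAMPLE_EVENTS = [
    (4242, "exec_from_cache_dir"),
    (1111, "write_file"),
    (4242, "open_process_handle"),
    (1111, "write_file"),
    (4242, "write_remote_memory"),
    (1111, "create_registry_run"),
    (4242, "create_hidden_process"),
    (4242, "outbound_connection"),
    (1111, "outbound_connection"),
] + [(2222, "outbound_connection")] * 10

if __name__ == "__main__":
    for pid, (score, alerted) in score_events(SAMPLE_EVENTS).items():
        print(pid, score, "ALERT" if alerted else "ok")
```

    Only the injecting process crosses the threshold; the installer and the chatty browser each stay well below it even though every one of their events would be a separate prompt in a classical HIPS.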
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    That's probably the rut ThreatFire has trapped itself in now.

    It's a program designed and aimed at effective protection for the Average Joe, only that Average Joes aren't using it (yet) and those who do are the more savvy people and early adopters. They're trying to advertise themselves to the general computing public, but their promotion comes off as unclear and buzzword-heavy to the rest of us who then don't really get a sense of what ThreatFire can really do and how powerful it is. They're also hoping for feedback from the average user at large, but all they're getting is comments from the "techies" and resulting in them adding quite a few useless bells and whistles to their product - like the protection level slider, for instance.

    Let's hope this trend doesn't continue.
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I doubt that "average joes" will ever have much to do with ANY stand-alone HIPS. If the HIPS is bundled into a security suite, yes. But stand alone? I don't think so.

    I wonder why PCTools has not yet bundled TF into its own suite. They have all the other ingredients...
     
  18. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    As far as TF is concerned,

    They could have come out with Standard and Professional (not the one they have now) versions.

    Standard one with little or nil tweaking ability, more or less a turn-key application. No manual to go through, no this no that, just start up with Windows, quarantine or allow automatically, then every average joe will be happy to try it out.

    Professional one with all the features they can gather from gurus, make these experts a real feast, a very spicy one.

    To remove the on-demand AV from the current pro version: why on earth do they put an AV scanner and a behaviour blocker together? Poor implementation work.
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    And then not even really. Just look at how many Kaspersky users know about the PDM even though it's been integrated into KAV/KIS for years. Some even go out of their way to turn it off, and I still see long-time Kaspersky users asking me what it is when I mention it to them.

    You're missing the whole point. That's not the problem at all. It's a problem of the general computing public refusing to try something new, just like when personal firewalls were introduced years ago.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Beats me too, but then Spyware Terminator with its HIPS implementation does that with ClamAV, but being an AS scanner at the start, decided to throw all 3 together.

    CyberHa........ThreatFire rather, courtesy PC Tools, as I recall (not in active use yet on my units), IMO has or had a very good thing going with its pure behavioral blocking technique. To add an AV jumps a bit at the nerves if you ask me, since it's proven to do a fairly competent job at what it was designed for in the first place.

    I have to side with that expectation because we have all seen too many times what happens when an app has gone down that BLOAT & FLOAT road.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Agree, PC Tools should integrate TF with its Firewall and use its antivirus kernel to check at first intrusion whether it is known malware. In short PC Tools should take the Online Armor route (integrating user friendly HIPS in FW). Consider that PC Tools firewall was elected in a Dutch test (for Vista) as best freeware firewall, because of its multi-language feature and user friendliness. CFP was marked as most secure. So I think PC Tools has got it to become the user friendliest + strongest firewall of the whole pack.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I personally wouldn't do it, because I expect to see lots of double alerts, especially because you can't fine tune most behavior blockers; it's not worth it. Of course there are always things that one tool monitors and the other doesn't, and that's what's so frustrating: they all seem to have certain unique features, which makes you want to run like 3 or 4 HIPS, but we all know that this is a bad idea. :)
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I totally agree with this.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No I did not. When I tried them together, I used them out of the box. Instead of cutting down monitors of CFP and adding TF, I will prefer to use only CFP with all its monitors/filters enabled.
     
  25. wat0114

    wat0114 Guest

    Choose only one HIPS or behavior blocker. Any more than one is a waste of one's time and energy and their system's resources.
     