Combining a HIPS/IDS with an Integrity Checker

Discussion in 'other anti-malware software' started by Seishin, Aug 16, 2006.

Thread Status:
Not open for further replies.
  1. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    I was wondering whether it's a good idea to install an IDS like System Safety Monitor together with an Integrity Checker (like Sentinel) in order to reinforce the shield. I'm mainly concerned about the software compatibility issue, as I (like anyone, I guess) hate system crashes or slowdowns.

    Thx in advance.
     
  2. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Given that an integrity checker like Sentinel merely scans on demand, creates a list of files and compares it against an older existing list to check for new additions, it is highly unlikely to cause any conflicts.

    SSM, like most other solutions in its class, already acts almost as an integrity checker for exe files anyway.
     
  3. herbalist

    herbalist Guest

    Decided to try your idea and installed Sentinel on my PC, which already has SSM. Since my PC is Win98, the results are probably of limited value to users of newer operating systems. SSM and Sentinel got along fine on my PC, no conflicts. As Devil's Advocate mentioned, the main difference is that one is real time and one is on demand.

    Sentinel's Appwatch window displays pretty much the same thing as the Window Filter Module of SSM when the "include hidden windows" option is used. One difference is that SSM refreshes the window automatically while Sentinel doesn't. If a new process starts, you wouldn't see it unless you refreshed the screen. SSM also has more powerful process termination. Other than these, they basically duplicate coverage. The registry watch is also duplicated by SSM, which covers many more keys and is more configurable. While SSM does check the hash of the executables as they're used, Sentinel can check a wider range of files. I did like the ability to define custom folders to scan and its AV integration, though it did give me a hard time getting the integration to work properly, partially from interaction with SSM.

    When I set Sentinel to autoload, it is running minimized after my system is started for several minutes. My bootup time isn't greatly affected. My system is somewhat sluggish while Sentinel does its startup scans, but is still quite usable. Once the scan finishes, everything is back to normal. It'll likely take less time on other systems to perform the startup scan, as mine is quite underpowered and it was scanning 6 additional custom folders with all file extensions enabled. In my opinion, Sentinel's most useful feature is the secure shutdown, checking through your system during shutdown or reboot. On my older unit, this does take a few minutes to finish, with 6 additional custom folders specified.

    Since SSM and probably other HIPS software duplicate and improve on the other functions of Sentinel, the file integrity scan is the only component that would add any additional protection. I'm inclined to think that a dedicated file integrity checker that works either by polling or in real time would offer at least equal protection or better. Filechecker by Javacool can perform the integrity checking on a regular interval, though it doesn't integrate with an AV. Sentinel is easier to use in regards to selecting specific types of files, though Filechecker will scan entire folders as well.

    Another option would be NIS Filecheck, an on-demand file checker. Like Sentinel, it can choose files by type or extension. It's very configurable and can be run through the system scheduler or run at startup.

    Both of these filecheckers are also free. It's pretty much a matter of user preference whether you would use Sentinel or one of the others I mentioned, depending on what features are more important to you.
    Rick
     
  4. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Correct me if i'm wrong, but System Safety Monitor has a built in integrity checker?
     
  5. herbalist

    herbalist Guest

    As I understand it, file integrity checking is a feature they want to add to SSM. It also might be different with the paid version, which I can't use, running Win98. With the free version, it checks the integrity of the executable being started. I believe it also checks any libraries and drivers that are listed on the advanced tab for the executable involved. From what I can tell, it does not check the regular system files like DLLs at this time. In this respect, a dedicated file checker or integrity scanner does add another layer of protection.
    That said, with a properly configured HIPS running, it's much less likely that system files could be modified or replaced without the user knowing it, or at least having permitted it. The files get replaced or modified by a running process, either a legitimate one like Windows Update or an installer for something else; in the latter case the change may or may not be desirable. Either way, SSM would alert the user to the new process wanting to run, assuming its UI (user interface) is connected; otherwise the process is just blocked.
    Rick
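The mechanism Devil's Advocate describes in post 2 (scan on demand, build a list of files, compare it with the older list) and the gap Rick points out in post 5 (SSM hashes the executable being launched but not the DLLs and other system files around it) are easy to see in a few dozen lines. The following is an added example written for this page, not code from Sentinel, SSM, Filechecker or NIS Filecheck: it builds a baseline of SHA-256 hashes over a directory tree, filtered by extension the way Sentinel lets you pick file types, then rescans and reports added, removed and modified files. The baseline file is protected with an HMAC under a key (the constant `KEY` and the file layout are assumptions of this example), because an on-demand checker whose list can be quietly rewritten by the same process that swapped the DLL proves nothing. The directory tree and the tampering in `demo()` are constructed inline so the block runs offline.

```python
"""On-demand file integrity checker: baseline, compare, and an HMAC-protected list.

Added example for this thread, not the code of any product mentioned in it.
The key below is a placeholder; in practice keep it (or the whole baseline)
somewhere the machine being checked cannot write to, e.g. removable media.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

KEY = b"example-baseline-key-change-me"  # assumption: placeholder key for the demo


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, extensions=None):
    """Walk root and return {relative posix path: sha256}.

    extensions: optional set like {".exe", ".dll"}; None means every file.
    Symlinks are skipped so a link cannot be used to make a file "appear" unchanged.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        if extensions and p.suffix.lower() not in extensions:
            continue
        baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline, path, key):
    """Write the baseline as JSON with an HMAC-SHA256 tag over the file list."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    Path(path).write_text(json.dumps({"tag": tag, "files": baseline}, sort_keys=True))


def load_baseline(path, key):
    """Read a baseline and refuse it if the tag does not verify (edited list or wrong key)."""
    doc = json.loads(Path(path).read_text())
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline tag mismatch: list was edited or key is wrong")
    return doc["files"]


def compare(old, new):
    """Diff two baselines into sorted lists of added, removed and modified paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed sample tree: take a baseline of .exe/.dll, tamper, rescan, report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system").mkdir()
        (root / "system" / "kernel32.dll").write_bytes(b"original dll bytes")
        (root / "system" / "notepad.exe").write_bytes(b"original exe bytes")
        (root / "readme.txt").write_text("docs")  # not a watched extension
        watched = {".exe", ".dll"}
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root, watched), baseline_file, KEY)

        # Simulated tampering between the two scans.
        (root / "system" / "kernel32.dll").write_bytes(b"patched dll bytes")  # modified
        (root / "system" / "evil.dll").write_bytes(b"dropped library")        # added
        (root / "system" / "notepad.exe").unlink()                             # removed
        (root / "readme.txt").write_text("changed, but not watched")           # ignored

        return compare(load_baseline(baseline_file, KEY), build_baseline(root, watched))


def baseline_tamper_detected():
    """Show that editing the saved list without the key is caught on load."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "baseline.json"
        save_baseline({"system/evil.dll": "00"}, p, KEY)
        doc = json.loads(p.read_text())
        doc["files"]["system/evil.dll"] = "ff"  # attacker rewrites the expected hash
        p.write_text(json.dumps(doc))
        try:
            load_baseline(p, KEY)
            return False
        except ValueError:
            return True


if __name__ == "__main__":
    print(demo())
    print("tampered baseline rejected:", baseline_tamper_detected())
```

Run on a schedule (or at shutdown, as Rick describes for Sentinel's secure shutdown) this reports exactly the three things an on-demand checker can report: new files, missing files and changed contents. What it cannot do is say which process made the change or stop it; that is the HIPS side of the combination, so the two are complementary rather than redundant, and the baseline plus its key belong on media the checked machine cannot write to.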
     
  6. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Ohh ok :D Somehow I missed that you were using the free version.
     