Comodo Antivirus

Discussion in 'other anti-virus software' started by chaos16, Feb 12, 2009.

Thread Status:
Not open for further replies.
  1. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Eice, it is obvious that we won't agree. It is also obvious that you and I do different things with our PCs. It is also obvious that, for you, HIPS pop-ups are way too difficult to be suspected by a user, while taking all the above precautionary measures isn't.

    Yes, some people use p2p and download/run things... Oh, I forgot, p2p isn't for security aware people too I suppose. Some people also don't have DEP enabled CPUs. A pdf doesn't always come in an email, but also in sites or p2p. Same for wma. I hope you don't expect me to bring ALL exploits in circulation...

    Ah, yes, for once IE did it better than FF! :argh: Let's see in the next exploit that will target IE7 vulnerability what will happen.

    Huh? The facts say that people with fully patched Windows get infected daily. Facts also say that classical HIPS do have a use for some people.

    Let's put it this way. You can have fully patched Windows and IE7 and hope that there will be no exploitable vulnerability. You can also avoid downloading p2p files, phone your friends each time there is an attachment to make sure they sent it to you voluntarily. Or, you can use HIPS...
     
  2. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Anyway, as I can predict how this will go (you've already shown your opinion in this thread), I will add this:

    Some people actually find a use for classical HIPS (or they wouldn't use it and classical HIPS themselves wouldn't exist).

    For the masses (the same that don't even know how to enable the "show extensions for known file types"), classical HIPS are a pain. But, often, there is a common sense in saying no to a pop up, that some could use, if they wanted. I mean, there are classical HIPS newbies, that use OA or Comodo for example, that most probably have been saved by using common sense to an unexpected pop up, when their AV let them down.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Eice, what exactly do security-minded people do with their computers in your opinion? Do we sit here staring at the interfaces of our AV, firewall, and what not? We do everything the non-security-minded people do, just more carefully. Whether you are security-minded or not, the FACT is that your system is only fully patched until another exploit is found and needs to be patched. Your OS isn't going to be a nice guy and give you a nice alert dialog saying "Hey, no one has found this yet, but I'm exploitable in this particular area, so be careful". So, what are you going to do in the meantime?
     
  4. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    It may be obvious to someone like you, perhaps. But I think to any normal person with reasonable grasp of the English language, what would seem obvious from what I've said is that if a person lacks the common sense to be suspicious of things like "nice attachments" and media files with odd extensions, they're not going to be suspicious of HIPS popups, and the people who will be suspicious of those popups are the ones that won't see them.

    Well, you're an odd case, no mistake about that. If you're interested in what the rest of us normal people do, it's use P2P, but be careful of strange extensions in filetypes where they don't belong.

    It's got nothing to do with the CPU. Back then in 2005 DEP relied on software in most cases since hardware-based buffer overflow protection was still (relatively) rare.

    I was talking about exploit PDFs. It seems that somewhere along the line you've surreptitiously shifted the discussion to ALL pdfs. Though if that's what you want to talk about, I'd agree with you.

    Sorry, not interested in indulging such pettiness.

    That I do not doubt, but do your facts also tell you that if all those people had HIPS, they'd suddenly become infection-free?

    Or I can use a hardware firewall + UAC (Vista) or ufw (Ubuntu), and some common sense, and in doing so avoid both brands of nonsense you're trying to recommend to me.
     
  5. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    If your previous reply wasn't enough of an indication, I think it's pretty obvious by now you don't bother reading my viewpoints before rushing to thump your chest and proclaim your own.

    I never said HIPS was entirely useless. I said it was useless from a security standpoint.
     
  6. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The grand masters of chess play the same game as do novices, and they abide by all the same rules. But they move with thought and experience, they see what the novices do not, and they avoid those that fools rush into without second thought or notice. And yet therein lies all the difference.
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, I don't know if I am normal enough for you, but certainly my English isn't always allowing me to understand well and especially what you write. But I still think we don't use the PC for the same things. :D

    So, you are the "normal people" while I am the odd one? :argh: I guess you intend that you are "normal" people, but not the average PC user (because he doesn't know double extensions).

    I think that clueless people can't use HIPS. But people that are aware of double extensions can very well use HIPS and actually also do so. The rest is a matter of liking or not. At least I have friends with double extensions disabled (for comfort reasons) that use HIPS too. (They must be odd too.)

    So, remind me please again, on why millions of patched PCs were infected with the WMF exploit?
    http://blogs.chron.com/techblog/archives/2005/12/windows_xp_expl.html

    (Btw, there are currently buffer overflow exploits that bypass Windows' DEP).

    Who said anything about ALL pdfs? You think that in p2p you can't find exploit pdfs? Or in infected sites with apparently "benign" pdfs? I guess you don't use p2p or go to unknown sites. If I send you an infected PDF via mail entitled "Latest Malware detection methods - an essay", how exactly will you know that it's malicious, if your AV won't detect it?

    I know, you prefer pettiness, when you can underline the irony of IE beating FF...

    No, not ALL those people. But if you visit OA or Comodo forum, you will see several topics of "thank you" towards the product, for saving their ass.

    Sure! After all, learning Linux must be much easier than learning a HIPS. Ok, some odd people like me also use games and some other odd applications that have no equivalent in Linux, but for most "normal people like you", I guess Linux is the way. (I wonder why the normal people haven't mass-migrated to Linux already.)

    Oh, btw, I am not trying to recommend to YOU anything. I am trying to explain to you that, despite the fact that you think you represent the whole universe, for some people, the following is not true:

    For some people (granted, the odd ones), it IS a security tool. You should try a conficker worm in its first days for example. I know... Security aware people, don't accept USB sticks from just anyone...
     
    Last edited: Feb 19, 2009
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753

    "A Master's windows and internet explorer, will not submit to the exploits of a novice's windows and explorer. So it shall be written and so it shall be done". o_O Sometimes I wonder if you have the same Windows as everyone else, or you have a "Master's edition". :D
     
  9. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    That depends on your definition of "normal". And if you insist on defining normal as: a person who sees a suspicious double extension file, but instead of deleting it he executes it so he can cheer that his HIPS saved him - then I may be abnormal, as far as you're concerned.

    Hmm. That's odd, considering how Alex Eckelberry himself was the guy who announced that DEP stopped the exploit cold. I remember testing it myself a few months later, and it worked as well. Without knowing more, the best I could offer you at this point are hypotheses.

    Wow, I never knew! :argh: Good thing Windows doesn't rely on it alone, then.

    Hmm, fair enough. I guess I should concede this point. I'm not convinced walking around wearing a whole set of HIPS in case I meet a big, bad PDF is a good idea, though...

    If you're talking about me personally, I wouldn't care. I'd open it, safe in the knowledge that I have Foxit (Vista) or Document Reader (Ubuntu) PLUS a restricted rights environment watching my back.

    Those who are petty see the whole world in their own shade. I was merely pointing out a fact. I'm sorry if I hurt your feelings. I didn't mean to. Honest. :)

    Yeah, I know. I was like that too, once. Until I realized that if I used a fraction of the effort in using and maintaining a HIPS to being less careless in watching my own back, I could do away with the HIPS entirely. :ouch:

    Wow, you're actually correct about this one. Though you left out "less troublesome" in your description. After your display of ignorance and subscription to popular FUD about IE7, I wasn't expecting this, but hey, it just goes on to show, I guess. ;)

    I still keep Vista around as a secondary boot OS for things like Warcraft III, Counterstrike, some old emulators etc. I COULD run WINE for those, using less RAM, CPU and disk space in the process, or install XP in Virtualbox and use seamless virtualization mode, but meh...

    Hey, if people haven't mass-migrated to your Wonderhips, I guess Linux has an excuse. ;)

    Nah, we know how to turn off autorun. You know, it's amusing how you keep trying to pretend you know what security-aware people are like, or how you keep trying to substitute ignorance for paranoia and vice versa...
     
  10. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Same chessboard as everyone else. Though I'll gladly take it as a compliment if to you I play the game so well you think I must be cheating. ;)
     
  11. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Eice, apart from the name-calling and your master skills, for which I don't intend to continue,

    Just for your education, oh grand master (aka difference between hardware and software DEP):

    http://sunbeltblog.blogspot.com/2005/12/note-on-dep-and-wmf-exploit.html

    Regards. I leave you to your mania of grandeur and your shiny chessboard. (yeah, take everything as a compliment!)
     
    Last edited: Feb 19, 2009
  12. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I stand corrected, my good sir. I'm glad to know that you weren't the one who had something new to learn today. ;) Ah, the wonderful spirit of knowledge-sharing...

    At the end of the day, it looks like HIPS is still a troublesome and unnecessary security tool, even though I am obliged to add to my previous advice the recommendation to run a restricted rights environment, as I do myself.
     
  13. TrojanHunter

    TrojanHunter Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    151
    Location:
    United Kingdom
    I disagree that HIPS is the strongest security, but I don't think it useless either. It has the potential to block more, but a security solution that displays loads of alerts, good or bad, isn't a very intelligent security IMO. There is a lack of clarity of what all those alerts actually mean, so bad things may end up running anyway.

    Behavioral blockers are still fairly new and as such not perfect, but the idea they will only alert when something malicious tries to run is a better security solution IMO. I buy security software to protect me, but while nothing malicious is running I don't want it bothering me.
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    May want to go back and read the posts before yours, lol, I'm not the one that said anything about chess. I don't even know how that managed to happen, lol.
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Sorry about that, when quoting, I did copy-paste, it got your quoted message too and instead of deleting your name, I deleted Eice's. I know you didn't say that, but forgot to delete your name.
     
  16. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Lol, that's quite alright :)
     