comparison of anti-trojan programs and intrusion protection systems when dealing with

Discussion in 'other anti-malware software' started by Wai_Wai, Aug 21, 2005.

  1. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    You missed my point. The question should be, what additional value does PG provide in terms of blocking rootkits in the very common scenario I gave?

    Many legitimate software packages require drivers. If such software is compromised, there is no way for you or me to know, PG or no PG.

    A user of PG compared to a non-user of PG is equally protected/unprotected against these kinds of threats. The additional warning given by PG is useless because for that software such prompts are expected!

    So what is the value of PG in its claim to stop rootkits via blocking the kernel? The answer is obvious - none.

    If both of us didn't 'mess up' in being somehow magically aware of the trojan and not installing them, we would be equally protected, PG or no PG.

    If both of us messed up, we would be equally protected/unprotected, PG or no PG.

    Messing up or not is irrelevant to the argument.

    In the above example, the failure of PG is not due to lack of understanding.
    The problem is driver installs != automatically bad.

    I do agree that some additional degree of control over your system can be helpful. This is the reasoning behind people who do system tweaks, and/or the additional capabilities of some AV/AS etc.

    I am doubtful however of the value of going beyond that.

    You are doubtful about ATs and you ask when the last time someone was saved by it.

    Let me reverse the question, when was the last time HIPS protected you from malware.

    By this I don't mean some innocent warning about some obscure but legitimate Windows process you haven't heard of. I mean out and out MALWARE.

    Since we are talking about additional protection, you would have to go show that without your HIPS software, it would have hurt you.

    To be specific, when was the last time, blocking drivers by PG protected you from a rootkit that wasn't detected by KAV?
     
  2. richrf

    richrf Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    When I am installing so-called "innocent software" and it requests to install a service/driver, I stop the installation unless I understand why it is making this request. In at least one instance (which was verified by subsequent forum messages), this prevented my system from being compromised. Had I not had ProcessGuard, this software would have been able to install the driver that it needed to scan my system without me knowing it.

    In the same manner, I prevent software from obtaining global hooks (e.g. possible keyloggers). I think you are substantially underestimating the value/necessity of having ProcessGuard-like capabilities on a machine.

    I could also add that my AV (KAV) only detects some malware 2-3 times a year. The fact that it only happens infrequently does not negate my need to have the protection. Even if PG only stops a keylogger once every five years or a rootkit once every 10 years (or even never) it is worth it to me to know that my machine is protected against these instances all of the time.

    Rich
     
  3. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Okay here's a list of software installations I have chosen that are likely to be familiar to you. Do tell me which requires driver installation.

    Firefox
    Diamond CS's Wormguard
    Regdefend
    Sysinternals Regmon
    Windows XP SP2 updates

    Of this list, explain to me what you understand about them that makes it necessary for one software to install a driver while another should not.

    BTW answers of the form "cos it needs access to ring zero" are just begging the question.

    What I'm looking for is for some general guidelines to help me decide if a program should have this or not.

    Possibly, but I have been using such tools for years.

    About global hooks. What exactly is it? Could you explain it to me in some detail besides the fact that it is used by keyloggers? It's not an idle question btw. I need this understanding so I can decide what programs should have them.

    I'm looking at the following list of programs I have that have requested global hooks in snoopfree (I look at this instead of PG because it's easier and snoopfree is superior in certain aspects).

    I see Trillian, some old DOS based game that required a patch to work in Windows XP SP2, InstallShield setup, Spybot, Tor etc.

    What is your advice?



    What general guidelines do you have to help me decide which programs should generally have them?

    I await your answers.



    Okay let's nip this one in the bud, before someone says I'm criticising setups.

    No one is saying you don't have the right to protect your machine the way you see fit. Whether it is cost efficient or not is only for you to decide.

    What I'm trying to say is that HIPS are closer to the once in every 10 years scenario than the once in a year scenario. People can then decide on their own without you or me interfering on what they should do.

    Of course to many here, even the once in a century risk is worth covering :)
     
  4. Rmus

    Rmus Exploit Analyst

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    http://diamondcs.com.au/processguard/index.php?page=attack-hooks

    DISCLAIMER: Referencing the above is for information purposes only, and in no way implies that I give any importance to the idea of monitoring hooks.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  5. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Thanks, but do you seriously think I, or any user of PG or most Wilders members wouldn't really know this page?

    The problem is even "knowing" (in this superficial sense) what is being monitored doesn't really help me in deciding what to allow.
     
  6. muf

    muf Registered Member

    It's always been PG's weakness - the user. A user installs some software, PG alerts to what it's adding, user allows it thinking it's ok. Some other stuff is allowed that should not have been, system hosed!

    I think that the current breed of HIPS needs an experienced user. Noobs using HIPS will get infected. That's a fact! Experienced users who know their way around their system including the registry will most likely have success with HIPS. But even then they may allow something they shouldn't have. HIPS used with a signature based application offers a much safer option, but HIPS on its own at the current stage of HIPS evolution will see inexperienced users getting fried. And there's plenty of inexperienced users about...

    muf
     
  7. Rmus

    Rmus Exploit Analyst

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Based on my experience in other threads, No.

    I never assume anything - I took your question at face value.
     
  8. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    I would say that the user is always the weakest point, PG or no PG. I take for granted that most people here are beyond the noob level of clicking yes to everything that pops up when they surf, clicking and running email attachments that are unexpected/strange, or being easily fooled by phishing.

    Then many other people here are familiar with basic security software concepts and terms, a high level common sense understanding of threats out there etc.

    This provides I suspect a level of protection that is often underestimated.

    Given that you know all that, it still doesn't help to decide how best to respond correctly to a random prompt asking about installing drivers and/or global hooks though. This is a whole new ball game. You are asking a user who has little if any experience with the guts of programming to make a decision that is totally technical.

    Anyone can cite a short paragraph to talk about what Diamond CS has termed global hooks. But does a typical user, even an "experienced" one, know when it makes sense for this to be utilised in any piece of software? Even if it makes sense for the software to call SetWindowsHookEx, does that mean it's obviously safe?


    I don't know, maybe everyone here has madz hacker skills and finds such questions trivial to handle, but I find them extremely difficult to handle, and I'm a noob compared to everyone in this thread.

    When faced with such questions, at best I guess. At worst, I might as well flip a coin.


    What exactly do you mean by HIPS with signatures? By that do you mean a whitelist/blacklist of programs? Or do you mean signatures in the sense of decision making rules?

    The former I think is doomed to failure. A blacklist of programs is no better than an antivirus solution. An intelligent rulebased expert system to watch and handle all the behavior is a much better bet, but I suspect in the end it becomes a signature that can be tested against and beaten much like antivirus signatures.

    Personally, I think that in the rush to cover as many areas as possible and to impress users with technical terms, there is a tendency to try to do stuff that is way beyond even "experienced users".

    I'm not against providing users with more information about system states and behaviors though.

    As far as it goes certain concepts are pretty easy to grasp and should be targeted. Autostarts for example, alterations to homepages and browser related settings for another. Even monitoring of starting unknown processes.
    These are tangible actions that the user can see. One can see a browser homepage change. One can also see the effect of a new program autostarting and one can generally see the effect of a new process starting.

    A second area targeted concerns actions that are unusual and rare, and are known to be almost certain (say 85-95%) to be malicious. In this group we have monitoring of LSPs, hosts file etc.

    On the other end of the spectrum we have things like loading drivers and global hooks. These are generally transparent to the user (assuming one doesn't know where to look), and generally whether one allows this or not, you don't really understand what has happened.

    Disallow any autostart entry? Obviously it's not going to autostart.
    Disallow any attempt to change your homepage? Obviously your homepage does not change.
    Disallow global hooks in a game? Obviously.. o_O Not so obvious. Sometimes it works, sometimes it doesn't.

    Worse, the existence of such characteristics in no way indicates it is malware.

    So the end result is we have prompts, which are not 100% understood by even "experienced" users and more often than not are harmless.

    The same thing is happening on a lesser scale to the extended Regdefend ghst files. People are using specially prepared files that cover a lot of exotic registry locations without understanding what is being monitored.

    The net effect is they get prompts they don't understand. Is that really more protection?
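    The posts above keep returning to the same problem: a "this installer wants to load a driver" prompt gives the user nothing to judge it against. As an added example (not code from this thread, from ProcessGuard or from any product named here), the PowerShell script below snapshots the installed kernel drivers with their Authenticode signature status and, on later runs, reports drivers that are new, changed or unsigned, so the prompt can be answered against a known-good baseline instead of a coin flip. The baseline file location and the Resolve-DriverPath helper are assumptions of this example; it needs Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the thread: baseline the installed kernel drivers and
# Authenticode-check each one, so a driver-install prompt can be judged against a
# known-good snapshot rather than guessed at.
# Assumes Windows PowerShell 5.1+ and a writable $BaselinePath (both assumptions).

param(
    [string]$BaselinePath = "$env:USERPROFILE\driver-baseline.json"
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several spellings; normalise to a plain file path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                        # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"         # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }     # system32\drivers\x.sys -> absolute
    return $p
}

function Get-DriverInventory {
    # One record per kernel driver: name, resolved path, start mode, and signature status.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $status = 'NoFile'            # stopped/phantom entries may carry no usable path
        $signer = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            StartMode = $_.StartMode
            SigStatus = $status
            Signer    = $signer
        }
    }
}

function Compare-DriverBaseline {
    # Report drivers that were not in the baseline, or whose file/signer/status changed since it.
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($d in $Baseline) { $known[$d.Name] = $d }
    foreach ($d in $Current) {
        if (-not $known.ContainsKey($d.Name)) {
            [pscustomobject]@{ Change = 'NewDriver'; Name = $d.Name; Path = $d.Path; SigStatus = $d.SigStatus; Signer = $d.Signer }
        } elseif ($known[$d.Name].Path -ne $d.Path -or
                  $known[$d.Name].Signer -ne $d.Signer -or
                  $known[$d.Name].SigStatus -ne $d.SigStatus) {
            [pscustomobject]@{ Change = 'Changed'; Name = $d.Name; Path = $d.Path; SigStatus = $d.SigStatus; Signer = $d.Signer }
        }
    }
}

$current = @(Get-DriverInventory)

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the snapshot to compare against later (take it on a system you trust).
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) drivers)."
} else {
    $baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
    $changes  = @(Compare-DriverBaseline -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) {
        Write-Host "No driver changes since baseline."
    } else {
        Write-Host "Drivers added or changed since baseline:"
        $changes | Format-Table -AutoSize
    }
}

# Regardless of the baseline, anything not carrying a valid signature deserves a closer look.
$unsigned = @($current | Where-Object { $_.SigStatus -ne 'Valid' })
if ($unsigned.Count -gt 0) {
    Write-Host "Drivers without a valid Authenticode signature:"
    $unsigned | Select-Object Name, Path, SigStatus | Format-Table -AutoSize
}
```

Run it once before installing a package and again afterwards; the diff is the set of drivers that installer actually added, with who signed them.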
     
  9. Wai_Wai

    Wai_Wai Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Hi, thanks for your inquiry.
    What a-squared calls a personal IDS is different from the intrusion prevention systems (IPS) I am talking about. The IDS here is about behaviour analysis and heuristics.

    Here's what A-squared describe about its IDS:
    However it is misleading. From what I understand from its statement, it analyses the possible behaviour of viruses/trojans etc. and reports if it finds something suspicious. The same technique has also been implemented in AVs. So there's not much distinct difference which I can clearly see.

    So what is meant by the intrusion prevention system(IPS)?

    IPS is similar to a system that detects all kinds of suspicious system attempts. If one wishes to compare to a home anti-burglary system, firewalls perform the role of door and window locks. These types of locks will stop the majority of burglars but sophisticated intruders may circumvent security devices that protect an intended target i.e. a home. Therefore, most people use a combination of sophisticated locks with alarm systems. An IPS performs the role of such an alarm system and adds the next preventive layer of security by detecting attacks that penetrate IT systems.

    So IPS is a proactive measure. As to products like ProcessGuard (from the authors of TDS), they claim they can do the following:
    In conclusion, its IDS is just the same as that of AVs. Depending on how you define the term intrusion prevention systems, if they are qualified as IPS, then they are just "lite/basic IPS" which many AV/AT have nowadays. And they are different from "complete IPS" which I mention.

    PS: I don't analyse a-squared much since personally I no longer use any AT. I prefer "free AV/AT/AS online & offline (on-demand) scans + intrusion prevention systems (1 or preferably 2)". Since intrusion prevention systems have similar measures to protect authorised access to physical memory, the benefits of AT are going to be slight. To save resources, I install no AT.

    This is just my 2 cents, and how I view IDS & IPS.

    EDIT: some very silly mistakes are corrected!
     
    Last edited: Aug 24, 2005
  10. Wai_Wai

    Wai_Wai Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Since I gave some wrong impressions to some people on my stance of using security products, anyway, for people who wish to know what security prevention measures I think are better, read this:

    ==========================
    One sad thing is if the software is automatic/trouble-free (ie without prompting you for nearly anything), we cannot get higher and better protection.

    If you get proactive software, we can get higher and more well-rounded protection, but it requires some knowledge, willingness to learn, a bit of bothering.

    Another sad thing is "your experience may lie". You see your computer hasn't been infected by any malware since your anti-virus or anti-trojan cannot detect any. However it may be just "false security". It may be that neither your AV nor AT can catch that bad guy.

    AV's behavior blockers can be bypassed easily by techniques known as tunnelling, code permutation etc.
    AT's detection can also be disappointing (http://www.trojanproof.org/sigexec.pdf).
    Firewalls can be bypassed by many leak attacks (eg copycat can bypass all firewalls easily).
    AV/AT/AS are also subject to intrusion themselves.
    Rootkits, driver installation, buffer overflow, mouse/key hooks and all sorts of things pose great challenges to AV/AT/AS too.

    Now the situation security products face is similar to the situation where a country has to defend against crime. It is impossible to keep all their citizens intact. Even worse, some serious things can happen once in a while (eg suicide bombs).

    It seems to me if a hacker wish to hack/intrude your computer, it is just a matter of time. Sometimes resources are handy that hackers can intrude a computer easily even if that computer has installed AV, Firewall + AS (basic security requirement nowadays).

    However don't interpret the above wrongly as something like security products are useless. I have just told you about the dark side, but there is the bright side as well, so you don't need to be too optimistic. Try to do your best to secure your computer. If you ask me, I will advise you:

    1) Seek help from security software
    IMPORTANT: You need security software to protect you. Don't don't don't rely only on yourself!! A malware can attack you even if you do nothing wrong.

    What you need to install:
    - 1 Anti-virus + 1 Firewall + 1 Anti-spyware (basic security requirement)
    - at least 1 Intrusion Prevention System[IPS]. Preferably 2+ since 1 IPS may not be able to protect you from all (major) areas. The major areas which they should protect you from are:
    -- malicious scripting/coding
    -- new/unknown/private malware
    -- rootkit installation
    -- driver/service installation
    -- process execution
    -- mouse/key hooks
    -- physical memory intrusion
    -- dll injection
    -- registry modification
    -- buffer overflow
    -- attacking/hijacking your security products (ie your AV/AS/Firewall)
    -- and so on

    2) Do on-demand scans
    IMPORTANT: Any anti-virus, anti-spyware etc. cannot detect all malware. They may also give you "false feeling of security". Try to do a weekly to monthly scan to see if there are any missed malware which cannot be caught by your anti-virus or anti-spyware.

    To do so:
    - you may download any extra AV/AS to do on-demand scans. Remember to turn off their real-time protection or it may conflict with your current AV/AS. Remember, don't think that enabling more than one of the same kind of real-time protection is of help. The fact is usually the opposite; or
    - go to any AV/AS vendor websites. Many have free online scans.


    3) Equip yourself
    After all, only you can protect yourself to the fullest extent. Always remember "Security programs can never never never help a stupid user!!!"

    - Configure your computer by setting higher security!!
    - use your common sense and knowledge. If you lack computing knowledge, don't be afraid. It is not hard to learn. If you try, you will know it is not as difficult as you might think.
    - practise safe online browsing

    4) Replace potentially dangerous software
    - replace Internet Explorer with another safer browser like Firefox, Mozilla Suite, Opera
    - replace Outlook Express with another safer mail/news client like Thunderbird, Mozilla Suite
    ================================

    This is my 2 cents.
    Feedback is welcome.
     
  11. Wai_Wai

    Wai_Wai Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Yes, exactly :p
    We have the same mind. :D

    Simply speaking, an Intrusion Prevention System is a system layer which covers under AV/AT/AS/Firewall. It provides a safeguard against things where all the 4 fail.

    Intrusion Prevention System may help in the following areas:
    -- malicious scripting/coding
    -- new/unknown/private malware
    -- rootkit installation
    -- driver/service installation
    -- process execution
    -- mouse/key hooks
    -- physical memory intrusion
    -- dll injection
    -- registry modification
    -- buffer overflow
    -- attacking/hijacking your security products (ie your AV/AS/Firewall)
    -- and so on

    Note: Don't take it wrong that an IDS is a cure-all for all the above. It depends on the quality of the products and other factors. Also no security product can do perfectly to safeguard our computer in its scope. It is the same for AV/AT/AS (they still cannot detect all malware of their scopes). The similar case happens to IDS with no exceptions.

    However the above explains why IDS is important to your system.
     
  12. Vikorr

    Vikorr Registered Member

    Hi Whereisthebeef.

    I do agree with much of what you say, although I doubt I’d ever put it in the terms you do. I agree that installations are a weakness in programs like PG, and that many of the popups are of a technical nature. That aside:

    The reason that the amount of extra protection that HIPS offer is ‘not much’ is because, when an AV like KAV catches 99.6% (or whatever) of virii, worms and Trojans…then ‘not much’ is the ONLY answer possible.

    That doesn’t rule HIPS out as having no value at all.

    Now this quote is just being argumentative. You've removed a couple of lines from a paragraph, thereby removing those lines from their overall context, and then dismiss the whole...

    As an aside to your statement, I have no idea how to tell if a DNS has been poisoned. If a poisoned webpage is properly designed…how would I tell?

    This quote clashes with your above quote about the value of HIPS, but oh well….

    Installation tracking is a major advancement in HIPS, which I would like to see included in all HIPS. Your arguments seem to indicate that one of your major concerns with HIPS occurs during installation? This is one way around your concern <though not foolproof against kernel level malware as I understand it>.

    Your quote also seems to state that you do not want to include new HIPS advancements in a debate on whether or not HIPS have value...

    Err….I notice in other posts where you are arguing against both ‘dumb’ HIPS and ‘intelligent’ HIPS, so this can hardly be a true statement.

    The newer HIPS are trying to become ‘intelligent’. They may not have passed the mark yet, but it is a genre of security products still in its infancy.

    True that a number of AS/AT’s monitor startup etc regions of the computer (I personally don’t know of any AV’s that do). However, I choose to run an AV+HIPS realtime, rather than an AV+AS+AT. One major reason is that the HIPS I use is much lighter on resources than say MSAS.

    Hope that clarifies some things, but I’m at a bit of a loss of some of your contradicting statements, even though as I said, I agree with a lot of the things you said.
     
    Last edited: Aug 23, 2005
  13. Wai_Wai

    Wai_Wai Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Thanks for your reply.
    Yes, PG doesn't specifically protect against scripts (one kind of malware). So you are correct.
    By the way, don't think it wrong that PG does nothing about it. What it does is in an indirect or non-specific way.
    Eg:
    - when a script runs and attempts to hijack the program, it will warn!
    - when a script accesses/modifies/writes in physical memory, PG will block it automatically if you have enabled the option to block unauthorized access to physical memory.

    As to AT, it prevents scripts from hurting our computer by means of a memory monitor. And it has the ability to detect known harmful scripts. However since scripts, hmm... how to say..., can be many variations of harmful behaviour by use of many different codes, so it is relatively easy to produce a script which is not in the signature database, right?

    So they both offer different kinds of protection. I would declare a draw in this field.

    What do you think?


    You pointed out a very good one. That's really bad which is criticised by some reviews.

    Program Installation
    AT largely wins
    [Note: In future, when PG has installation mode, it will be a draw]

    PG
    up till now (24 Aug 2005), it hasn't supported installation mode yet. When installing programs it is advised to turn it off.

    You may try to still switch it on when installing. However the problems are you need to make quite a few clicks, and risk the possibility of messing up the installation.

    So here's the current workarounds:
    When you install any program, you shouldn't be online. If you are afraid your system is not clean at the time you do the installation, run AV/AT/AS scans first. Then temporarily switch PG off. But remember to switch it on after the installation. Don't forget!!

    To sum up, the problems are:
    - the bother of switching it off & the measures to keep it safe during that period
    - may forget to switch it on once in a while
    [Note: "No protection for the time being" will not be a real problem when you have implemented/considered my workaround]

    Note: Up till 24 Aug 2005, it's the problem of PG. For other Intrusion Prevention Systems which have installation mode or similar, the above problems vanish completely.

    AT
    You don't need to switch it off at all.
    No bother, no pain, full protection.




    Oh I see. so you mean to say "alerts".
    That's a good point.
    I'm going to add it under the aspect of "convenience"


    A fair evaluation.
    To me, it is hard to tell how much more protection it is since different people have their own value judgement on the same thing. If you ask me, I consider it as "not so high but not so low either". It's still advisable to have.
     
  14. Wai_Wai

    Wai_Wai Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Just to tell you in case you don't realise.
    One thing you need to notice is the 99.6% is NOT for all malware but ITW malware only, ie the malware which has spread in the world.

    What about other non-spreading, new/unknown/private/specifically-designed & Zoo malware? The percentages are much lower.

    Based on some tests and on average, it is just 40-50% (the best being NOD32 & KAV). Beware that we haven't counted false positives in these kinds of tests. Since they rely on their advanced heuristics and behaviour blockers to block these unknown malware, you will expect they may trigger far more false alerts than their ITW counterparts.

    This implies a few things:
    - signature-based AV is just capable for ITW malware (AT may add a jot of help on that)
    - As to non-ITW malware (eg Zoo malware), the result is disappointing. You have more than a 1/2 chance to get infected.
    - To fully utilise the benefits got of detecting 40-50% Zoo malware, knowledge is required to distinguish between false positives & true malware

    IPS arises due to the lack of protection against non-ITW malware. Their philosophy is:
    - if you need to update the signature for protection, you are too late. (It's true in that since the identification of a new malware to analysis to finding a solution to updating signature bases needs time, eg maybe even 1 month. So at that time, you are prone to these attacks)

    It's what IPS does - taking a proactive approach to protect you from any possible attack, especially from the new & unknown.

    - IPS provide basic and wide range of protection against all sorts of malware
    - IPS protect AV/AT/Firewall from intruding/attacking by malware
    - IPS add more protection to the operating systems, so it helps to close the OS vulnerabilities which may be exploited by any future malware.
    - in case if other AV/AT/Firewall fail, IPS can still help.

    Note: As whereisthebeef said, they have their problems too. Yes, it's very true since no product is foolproof (neither does AT). But remember, although it is not perfect, something is always better than nothing. Also AT have its own problems too, so this reason alone should not defy the use of IPS.

    In short, IPS is similar to adding one more security layer to the base of the operating system.


    Finally read this to know more about IPS:
    http://informationweek.networkingpi...SNDBCCKHSCJUMEKJVN?articleId=165600465&pgno=5
     
  15. Wai_Wai

    Wai_Wai Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    It all depends.
    If you have the best AV which can detect more than 99.5% of ITW malware, AT is to deal with the remaining 0.5%. But you should know it is not guaranteed that AT can detect all/most of that 0.5%.

    As to Zoo malware, AV & AT find it difficult to deal with this area. Although they do use different methods to detect malware, they don't help much because they share the same problems - they are signature-based and rely on it heavily to detect malware. If a signature is not available, the AV/AT behaviour blocking or heuristics may not help much.

    Based on what richrf asked in one thread, AT doesn't detect anything for about 9 out of 10 users. So this may give you some ideas about the usefulness of AT in detecting malware.

    After all, yes I agree with you that adding one more AT can always help (although it may be small). Something is better than nothing, generally speaking.


    Strange to hear you think noobs need the protection of HIPS more. And I assume you also imply that experts do not need HIPS (much).

    Sorry but I hardly agree. As you should know clearly, it requires user knowledge (it doesn't need much to enjoy the benefits of HIPS), and noobies are those who enjoy it least. Even worse, they don't know how to use HIPS at all, or they don't bother to learn. For them, AT sounds better.

    But I may be wrong. So tell me if I am missing something.
     
    Last edited: Aug 23, 2005
  16. Wai_Wai

    Wai_Wai Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Hmm...
    Sorry would you mind telling me why you will get such impression?
    In which part of my article misled you?

    I think I have made it clear that I'm not going to say HIPS should replace AT, or even AV.
    What I say is it depends on what you value most before you choose either IPS, or AT.
    And finally, no one forces you into either A or B. Why not choose both if you wish? :p



    --------------

    To see if I understand you, I try to figure out what you said/expressed (in various posts).
    From what I understand, you've made 4 main points from all your posts:
    - The biggest enemies are users. They will not know how to answer the prompts/alerts in any way. PG or HIPS will be useless.
    - PG or HIPS will not help in stopping any malware. Trojans will only laugh at PG or HIPS. But if you use signature-based AT, it can detect them
    - PG or other HIPS are not foolproof. They have problems and weaknesses, so it is better to use AT
    - the effectiveness of PGs or any IPS is doubtful. You probably feel the gain is likely to be very small or unnoticeable

    Are the above what you wish to say/express?
     
  17. toadbee

    toadbee Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Hi Wai Wai -

    Regarding a-squared you are greatly under-estimating what the IDS is and is capable of - and most certainly in the case of Ver 1.7 which is currently in beta.
     
  18. Starrob

    Starrob Registered Member

    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    I find all of these tests quoting the malware that can be detected of dubious value. I personally believe that it gives people a false feeling of security.

    Some people might go out and buy KAV because they look at percentages and go wow...I only have a .5% chance of being infected.

    The statistics as I read them are KAV can detect 99.5% of ITW malware but the only thing is that there is a lot of malware on the internet that is not on the ITW list.

    If I am the unlucky guy that has the false sense of protection and runs into malware that is not on someone's arbitrary list, it is not going to matter if KAV can detect 99.5% of anything.

    I have a feeling that in a real world scenario KAV detects far, far less than 99.5%. I won't even attempt to give a percentage of what it can detect out of all the potential malware on the internet because that can only lead to endless debates. It is virtually impossible to determine the exact amount of malware on the internet at some given point in time and then feed all of that malware to a scanner and determine the detection rate.

    The only thing I will agree to is that KAV appears to have a higher detection rate than most other scanners...I get that mostly from anecdotal evidence from the posts people make.....which is also an inexact science.

    The reason why I think there are so many disagreements in the security industry is because it is such an inexact science.

    I work as an engineer on ships. On a ship, I have temperature gauges, pressure gauges, level indicators. It is a more exact science to know what is going on because the tools we use to measure things are much more accurate.

    I personally find the tools to measure the different aspects of my security set-up as very inexact. Computer software in some ways is much like quantum mechanics.....
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    I have never heard anyone on this forum or any other forum suggest that HIPS be run on its own. With HIPS a user (such as myself) has a chance (opportunity) to stop malicious software that gets through the primary lines of defense, e.g. firewall/AV. Without it, I have no chance.

    So, I spent a very little amount of time (a fraction of the amount of time it takes to learn how to code an Excel macro) to learn what a driver/service and global hook was. Those who don't want to spend the time reading a short paragraph on global hooks or drivers, have no need to purchase a product like ProcessGuard.

    I'm amazed that the same people who suggest that people learn how to "correctly tweak an operating system" (which is basically a life-long endeavor, since the operating system is always changing), feel that learning HIPS is "too complicated". Different strokes for different folks. I learned HIPS, I'll leave studying operating systems to others.

    Rich
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Instead of reading messages concerning "why not to use HIPS", read up on global hooks, services/drivers, dll injection. The time will be better spent in terms of how to create a more secure environment.

    Rich
     
  21. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Actually I feel that the PG manual does not go into enough depth. It takes more than a paragraph to explain what "hooks" are and what drivers are and how they operate.

    The problem is that if DCS decided to put all the information in their users manual about how to go about determining the meaning of all the alerts and how to properly identify whether they are actually malicious or not....well, it would bore most people to tears and many would not understand a lot of things they were talking about any way.

    Right now, what is in the user manual is just enough to help a person guess a little better. It is how much that a HIPS allow one to make a better guess that is in question.

    Some believe they can guess better about what is malware and what is not with the HIPS and others believe the percentages of getting the guess right does not noticeably improve with the HIPS.



    Starrob
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Yes, this is the whole point. Whether KAV catches 99.6% or 80% of all of the malware that is in the wild (not just the known ones) is inconclusive. But we do know that malware does get through, and the chances are very high that there are types of malware that will get through on-access or in-memory process scanning. Given this - what should a user who wishes to plug these holes do:

    1) Buy Linux
    2) Use HIPS
    3) Learn how to "tweak the operating system" (whatever this means)
    4) Hope and pray

    To me, it is absurd to argue against HIPS without an alternative solution. What such an argument suggests, is to ignore the fact that there are threats that AVs/ATs cannot stop and users should forever be satisfied with the notion that they will get infected and there is no way for them to stop it. I suggest that users do have a good alternative with HIPS. The argument that it is too difficult for most users is a red herring. Users, who can read a MS Word manual, can learn about the key technology issues that HIPS products are trying to address. My kid learned it, and he has almost no experience with computer technology other than downloading porn.

    Rich
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Agreed. The PG manual, at this point, is not end-user oriented. Nor are almost all security product manuals. End-users are constantly being hosed by false positives. Yet, life goes on. It is not quantity that counts here - it is quality. The manual must be clearly directed at the type of alerts that a user can encounter, how to understand these alerts, and what actions can/should be taken. It takes someone who understands the end-user needs to write such a manual (e.g. someone with zero experience, who uses the product, and in the process learns all the questions an end-user may have).

    But given that this is not available at this time, it appears that users just learn how to self-educate themselves. It is a shame they have to do this, but in the scheme of things, it is the time that is needed. In any case, it is a fraction of the time needed to learn how to use Windows XP, which after all these years, still baffles me.

    Rich
     
  24. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    HIPS reacting before signature scanning is as useless as me deciding to run a program or not in the first place. Someone said that here somewhere and they are correct.

    Rich - yes #1 - Linux or Apple is the way to go if you have a person so flagrantly bad with surfing and computer habits that the other option is to use blind block everything approach.

    Thank you - continue on - as you were.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    And yet, DCS has some of the best user information of any product that I've looked at. Especially WormGuard.

    Agreed, yet it shouldn't bore them if they want a product like PG. And since the manual doesn't give more, the user needs to read more. I read a lot of other technical papers about what goes on at the kernel level, and still don't feel confident - about hooks, for example. People often post questions to the PG forum about hook alerts. Most recently:

    --------------------------------
    Global mouse hook...what this means?
    https://www.wilderssecurity.com/showthread.php?t=94575

    "I've been alerted 4 times about opera.exe creating a global Mouse hook...what this means? Is this really any kind of attack, or a spyware?"
    ----------------------------------

    From the PG FAQ:
    ---------------------
    Not all alerts ProcessGuard shows are related to infections or malicious software. Some valid programs need certain privileges that ProcessGuard can restrict. It is up to you the user to know whether you trust a certain application. If you are unsure about the application then it would be best to leave ProcessGuard as it is, protecting you from whatever the application is doing. Otherwise if you know and trust the application then give it the privileges it desires.
    ---------------------

    The question for me is, as I'm setting up a new system for someone, does the user in question want this kind of interaction with the security program? Or, does she/he want some type of prevention that doesn't bother with the trusted applications already installed, rather, just alerts when something unauthorized tries to enter?

    There is no one-size-fits-all.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Aug 24, 2005
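The alerts discussed in this thread (a process setting a global hook, a program installing a driver or service) leave the user with the question the PG FAQ hands back to them: do you trust this application? The script below is an added example, not part of the thread and not code from DCS or ProcessGuard. It gathers the facts a user would want before answering: where the alerting image lives, whether it is Authenticode-signed and by whom, which of its loaded modules come from outside its own folder and the Windows directory (the usual sign of DLL injection), and which currently running kernel drivers are not Microsoft-signed. The process name "opera" is assumed from the quoted forum question; the script uses only standard PowerShell cmdlets (Get-Process, Get-AuthenticodeSignature, Get-CimInstance). A signed image from a known publisher is not proof of safety, and an unsigned one is not proof of malice; the point is to replace a guess with something checkable.

```powershell
# Added example (not from the thread, DCS or ProcessGuard): triage the image
# named in a HIPS alert and list non-Microsoft kernel drivers. Run from an
# elevated PowerShell prompt so that process paths and modules are readable.
param(
    [string]$ProcessName = 'opera'   # assumed: process from the quoted alert, no .exe
)

function Get-SignerSubject {
    param([string]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File -ErrorAction SilentlyContinue
    if (-not $sig) { return @{ Subject = ''; Status = 'file not readable' } }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    return @{ Subject = $subject; Status = $sig.Status }
}

function Get-ImageTriage {
    param([string]$Name)
    $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Warning "No running process named $Name"; return }
    foreach ($p in $procs) {
        $path = $p.Path
        if (-not $path) { continue }          # protected process: path not readable
        $sig = Get-SignerSubject -File $path
        $home = Split-Path -Parent $path
        # Modules loaded from neither the program's own folder nor %SystemRoot%
        # are what a hook/injection alert usually points at.
        $odd = @()
        try {
            $odd = $p.Modules |
                Where-Object { $_.FileName -notlike "$home\*" -and
                               $_.FileName -notlike "$env:SystemRoot\*" } |
                Select-Object -ExpandProperty FileName
        } catch { $odd = @('(module list not readable)') }
        [pscustomobject]@{
            Pid        = $p.Id
            Path       = $path
            Signer     = if ($sig.Subject) { $sig.Subject } else { '(unsigned)' }
            SigStatus  = $sig.Status
            OddModules = ($odd -join '; ')
        }
    }
}

function Get-NonMicrosoftDrivers {
    # Win32_SystemDriver enumerates kernel-mode drivers; a driver-install
    # alert adds to this list, so anything here not signed by Microsoft is
    # worth knowing about. PathName comes in several forms and is normalised.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $file = $_.PathName -replace '^\\\?\?\\', ''                  # \??\C:\...
            $file = $file -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...
            $file = [Environment]::ExpandEnvironmentVariables($file)
            if ($file -notmatch '^[A-Za-z]:\\') { $file = Join-Path $env:SystemRoot $file }
            $sig = Get-SignerSubject -File $file
            if ($sig.Subject -notmatch 'Microsoft') {
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $file
                    Signer = if ($sig.Subject) { $sig.Subject } else { '(unsigned)' }
                    Status = $sig.Status
                }
            }
        }
}

Get-ImageTriage -Name $ProcessName | Format-List
Get-NonMicrosoftDrivers | Format-Table -AutoSize
```

For the mouse-hook case in the quoted question, the expected result is an image under the browser's own install folder, signed by its publisher, with no modules from odd locations; a global hook set from a signed browser image is the browser's own feature (mouse gestures, for example), which is the FAQ's "valid programs need certain privileges" case. An unsigned module loaded from a user-writable directory, or a running driver with no signer, is the case where leaving the alert blocked and investigating further is the right call.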