Differences between Win Applocker and a commercial HIPS?

Discussion in 'other anti-malware software' started by lordraiden, Sep 27, 2016.

  1. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,081
    I would like to know the main differences, advantages and disadvantages between applocker (win 10) and a commercial HIPS in an enterprise environment.

    I can imagine a few of them but I would appreciate your input if you have experience with applocker because I have never touched it.

    What enterprise HIPS do you know? McAfee, Comodo...
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    In a "nutshell:"

    AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls.

    Ref.: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview
    AppLocker is used primarily to restrict user access based on privileges, whereas a classical HIPS is used to restrict access for processes, files, and registry areas absolutely. Additionally, some of the older HIPSs did provide a capability to lower access privileges along the lines of AppLocker for select processes like the browser.

     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    If I'm correct, AppLocker is meant to block process execution, so it doesn't monitor process behavior, like HIPS do. So they are not really comparable.
     
  4. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    546
    Yeah, it blocks only execution and nothing else, plus no alerts to allow things. You need to go and manually make rules for everything you want to run.
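SHvFl's point that AppLocker never prompts is the reason most deployments start in audit mode: the policy logs what it would have blocked, and those events are the raw material for the rules. The PowerShell below is an added example, not code from this thread or from Microsoft's documentation. It assumes a policy has already been deployed with enforcement set to "Audit only", that the machine has been used normally for a while, and that the output directory exists; the rule-name prefix is illustrative.

```powershell
# Added example (not from the thread): turn AppLocker audit events into rules.
# Assumes an "Audit only" policy has been in place long enough to see normal usage.

# 1. Every executable/DLL that would have been blocked is logged as event 8003 (Audited);
#    8004 is the enforced-block event and 8002 is an allowed run. The cmdlet reads them
#    directly and returns path, publisher (if validly signed) and hash for each file.
$fileInfo = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited

# 2. Look before you trust: anything unsigned (empty Publisher) will only get a hash rule,
#    and anything that ran from a user-writable folder deserves a second look.
$fileInfo | Select-Object Path, Publisher, Hash | Format-Table -AutoSize

# 3. Prefer publisher rules (survive updates), fall back to hash rules for unsigned files.
#    -Optimize merges rules for the same signer/product where that is safe.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash `
    -RuleNamePrefix 'FromAudit' `
    -User 'Everyone' `
    -Optimize -Xml

# 4. Write it out for review. Nothing is enforced by this script; merge the reviewed XML
#    into the real policy (locally: Set-AppLockerPolicy -XmlPolicy <file> -Merge).
$outFile = "$env:TEMP\applocker-from-audit.xml"   # assumed output path
$policyXml | Out-File -Encoding UTF8 $outFile
"Wrote $outFile with $(@($fileInfo).Count) audited files"
```

The same cmdlet with `-EventType Denied` shows what an enforced policy is actually stopping, which is the closest AppLocker gets to a HIPS alert: after the fact, in the event log, with no option to allow-and-continue.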
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I will also add that there are hybrid HIPS's like AppGuard that can be used in enterprise environments that combine the privilege restrictions of AppLocker and also provide HIPS like rule capability to restrict process, file, and registry modification. AppGuard provides Windows ring 0 and 1 security restrictions in the form of user and system mode restrictions.

    Also many endpoint solutions such as Eset use built-in default rules in their HIPS's to restrict activities from 0-day malware.
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    An example of itman's nutshell explanation of AppLocker.

    AppLocker has the option to allow specific signers to run. For instance, on my wife's Windows 7 Ultimate laptop only Intel (chip), Realtek (sound), Broadcom (wireless), Lenovo (laptop), Microsoft (OS+Office), MalwareBytes, Google and Albelli (photobook) are allowed to run. Chrome puts its Flash updates in, and Albelli has all its executables in, (AppData) user folders. It is really easy to set an explicit deny for a folder (e.g. AppData\Chrome) with an exception rule on signer and product (Google signer and Chrome Flash). So you can make this much more granular than Software Restriction Policies. AppLocker checks the validity of the signature, so I don't worry about signed malware (booooohhhhhhhh).

    I have set UAC to elevate silently, combined with the option to only allow signed executables to elevate. Despite trojans and ransomware being delivered via mail, she has not been infected since upgrading from XP. Using only Windows internal mechanisms makes a PC snappy and responsive. Her 2010 laptop (dual-core Pentium) with a 1 TB hybrid drive runs faster than her work laptop, protected by Checkpoint (with HIPS) on an encrypted HD with an i5.

    After a few months of using Windows 10, she asked me to downgrade her laptop to Windows 7 again, because her work laptop also runs Windows 7. To be honest, on Windows 10 (I had Pro) I was struggling with SRP to allow Albelli to update and with Flash updating in AppData. AppLocker is really an improvement over SRP in terms of usability.
     
    Last edited: Oct 2, 2016
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,637
    Location:
    Toronto, Canada
    @Windows_Security Do you utilize AppLocker's DLL filtering option on your wife's laptop? If so, have you noticed any performance hit with that option?
     
  8. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    @WildByDesign Yes, I do guard DLLs, but despite the warning and the low-spec CPU I did not notice a performance drop. I use it like this:

    Default allow all on Windows and Program Files folders

    Deny all on User\AppData\Temp folder except for signed DLLs of Intel, Realtek, Broadcom, Microsoft (Windows and Office) and MalwareBytes
    Deny all on User\AppData\Albelli folder except for signed DLLs of Albelli
    Deny all on User\AppData\Chrome\User Data\PepperFlash folder except for signed DLLs of Google\Flash

    Chrome installs in Program Files, so you don't need to exclude it in the Temp folder (the default folder where most programs install). I have MalwareBytes Premium (thanks to Pedro), which also guards Albelli photobook (set as "other" with as many advanced options enabled as possible).
     
    Last edited: Oct 2, 2016
  9. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Due to comments in another thread, I looked at the laptop and discovered that for daily use my wife is running as a basic user. I allow elevation to another user with admin rights. The basic user is not allowed to run cmd.exe, mshta.exe, regsvr32, rundll32, regini, etcetera (plus 16-bit disabled).
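The policy Windows_Security describes across posts 6, 8 and 9 (allow Windows and Program Files, allow one signer everywhere, deny a user-writable folder except for that signer, the same again for DLLs, and a per-user deny list of cmd.exe, mshta.exe, regsvr32, rundll32 and regini) can be written as one AppLocker XML file and dry-run before anything is enforced. The script below is an added example, not the poster's configuration or code from Microsoft. The account name, the Chrome path used to read Google's publisher string, and the output file are assumptions; everything else is the AppLocker policy schema and the cmdlets that ship with Windows.

```powershell
# Added example, not code from the thread. Builds one AppLocker policy XML, dry-runs it
# with Test-AppLockerPolicy, and leaves enforcement to you.
# Assumptions: the account name, the Chrome path, and the output file. Run elevated.

$basicUser = "$env:COMPUTERNAME\basicuser"                                    # assumed account
$chromeExe = "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"  # assumed path
$outFile   = "$env:TEMP\applocker-demo.xml"                                   # assumed output

# Deny rules are matched against every SID in the token, so target the user's own SID,
# not BUILTIN\Users (S-1-5-32-545): administrators are members of Users too and would be hit.
$account = New-Object System.Security.Principal.NTAccount($basicUser)
$userSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# A publisher string must match the signing certificate subject exactly, so read it from a
# signed file instead of typing it. Publisher is empty when the signature does not validate.
$googlePub = (Get-AppLockerFileInformation -Path $chromeExe).Publisher.PublisherName
if (-not $googlePub) { throw "$chromeExe has no valid Authenticode signature" }

function New-PublisherCondition([string]$Publisher) {
    # Wildcards on product, binary and version: anything this signer has signed.
    "<FilePublisherCondition PublisherName=`"$Publisher`" ProductName=`"*`" BinaryName=`"*`"><BinaryVersionRange LowSection=`"*`" HighSection=`"*`" /></FilePublisherCondition>"
}

function New-PathRule([string]$Name, [string]$Path, [string]$Sid, [string]$Action, [string]$Exceptions = '') {
    $ex = if ($Exceptions) { "<Exceptions>$Exceptions</Exceptions>" } else { '' }
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`"><Conditions><FilePathCondition Path=`"$Path`" /></Conditions>$ex</FilePathRule>"
}

function New-PublisherRule([string]$Name, [string]$Publisher, [string]$Sid) {
    "<FilePublisherRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`"><Conditions>$(New-PublisherCondition $Publisher)</Conditions></FilePublisherRule>"
}

function New-Collection([string]$Type, [string]$DenyLolbinsForSid) {
    $everyone = 'S-1-1-0'
    # Once a collection has any rule, everything it does not allow is denied by default.
    $rules  = @()
    $rules += New-PathRule 'Allow Windows'       '%WINDIR%\*'       $everyone 'Allow'
    $rules += New-PathRule 'Allow Program Files' '%PROGRAMFILES%\*' $everyone 'Allow'
    # The publisher allow is what lets Google-signed files run from AppData at all. The deny
    # rule with a Google exception is belt and braces: deny beats allow, so no later allow
    # rule (say, a hash rule someone adds) can open that folder to anything else.
    $rules += New-PublisherRule 'Allow Google-signed' $googlePub $everyone
    $rules += New-PathRule 'Deny PepperFlash folder except Google' `
        '%OSDRIVE%\Users\*\AppData\Local\Google\Chrome\User Data\PepperFlash\*' `
        $everyone 'Deny' (New-PublisherCondition $googlePub)
    if ($DenyLolbinsForSid) {
        foreach ($bin in 'cmd.exe', 'mshta.exe', 'regsvr32.exe', 'rundll32.exe', 'regini.exe') {
            # %SYSTEM32% is the 64-bit directory; the 32-bit copies live in SysWOW64.
            $rules += New-PathRule "Deny $bin"         "%SYSTEM32%\$bin"        $DenyLolbinsForSid 'Deny'
            $rules += New-PathRule "Deny $bin (WOW64)" "%WINDIR%\SysWOW64\$bin" $DenyLolbinsForSid 'Deny'
        }
    }
    # On a real machine start with EnforcementMode="AuditOnly" and read the 8003 events first.
    "<RuleCollection Type=`"$Type`" EnforcementMode=`"Enabled`">$($rules -join "`n")</RuleCollection>"
}

$policyXml = @"
<AppLockerPolicy Version="1">
$(New-Collection 'Exe' $userSid)
$(New-Collection 'Dll')
</AppLockerPolicy>
"@
$policyXml | Out-File -Encoding UTF8 $outFile

# Dry run. Test-AppLockerPolicy hashes and signature-checks real files, so they must exist.
# Expected: cmd.exe Denied for the basic user, notepad.exe and chrome.exe Allowed.
Test-AppLockerPolicy -XmlPolicy $outFile -User $basicUser -Path @(
    "$env:windir\System32\cmd.exe",
    "$env:windir\System32\notepad.exe",
    $chromeExe
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To enforce locally: Set-AppLockerPolicy -XmlPolicy $outFile
# The Application Identity service (AppIDSvc) must be running, or no rule is ever evaluated.
```

Two things the dry run will not tell you: the Dll collection is evaluated on every library load, so test it in audit mode on the slowest machine you have before enabling it (the poster saw no hit on a dual-core Pentium, but the warning in the console exists for a reason), and a deny on cmd.exe for one SID says nothing about PowerShell, wscript.exe or cscript.exe, which need their own entries if the intent is to keep a standard user away from scripting hosts.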
     