Do IT yourself HIPS all freeware and light

Played with this today, really light on resources

Firewall: Link
Using Windows 7 internal with Wokhan's Firewall Notifier informing you on new outbound connections using windows event messages, (next version also win8 compatible, then it will get max 5 rating)
light and bright rating: * * * *

Permissions Monitor
Using Windows UAC set to full, does not remember choices therefore four out of five
light and bright rating: * * * *

Exe monitor Link
Freebie of No Virus Thanks EXE Radar free, whitelisting, default or paranoid (don't automatically allow Windows Program Files, but whitelist Windows folder, Program Files foldor and running processes),
light and bright rating: * * * * *

Driver Monitor link
Freebie of No Virus Thanks Driver Radar free, whitelisting, loading of drivers for both 32 and 64 bits
light and bright rating: * * * * *

Memory monitor Link
Freebie of Microsoft EMET 3.5 Add it to guard all non security and system processes in Program Files folder.
light and bright rating: * * * * *

Autostart monitor Link
Freebie of TCP Monitor, StartupEYE, easy and simple, it covers most used autostart entries of the registry, not all therefore three out of five
light and bright rating: * * *

Drive by monitor link
Again from the No Virus Thanks PE Dropper, set it to start with windows. Gets only three stars, because it is only available for 32 bits. When it would get an option to select multiple processes (e.g. e-mail, browser, PDF-reader and save this in the configuration), it would get four stars, add 64 bits compatibility and it gets 5 stars.
light and bright rating: * * *

Wondering why the guys from no-virus thanks do not combine their utilities into one HIPS program
- EXE Radar Pro
- Driver Radar Pro
- Exploit Radar Pro (new!), consisting of existing utilities,
a) PE Dropper (only for browser, email, etc and 64 bits)
b) Write Process Memory monitor (same adoption as PE Dropper, monitor only for browser, pdf, e-mal etc)
c) Ring 3 API hook scanner (monitor only selected processes, like browser, e-mail, PDF-reader. When those processes startup scan which hooks are set, check this against the previous scan and inform on changes).


let's all ask them to make it

 

Yes I was thinking of the same thing,combining all the modules into one.
I Will ask about the same.

 

I am just afraid it becomes some kind of "Jack of all trades" after...

 

good idea

 

Me too. I am afraid it will grow heavy. If it grows heavy, then why should someone use this instead of Comodo/OA/Outpost...

Initially, i had also thought of adding dll monitoring. But after thinking again about it, dll monitoring usually has severe impact on system performance.

I don't know, i just know i want it to keep light. In this way, it fills the gap that the full blown HIPS have left. A lightweight antiexecutable is easy to implement on various security configurations. If you want to go for full blown HIPS, you may as well install Comodo 5 and get over with it.

 

very true

 

I guess NVT keep their programs separate to fill the needs of those who need dedicated tools rather than a suite.

 

Old proverb/saying in Dutch: "The best shippers stand on shore"

It won't grow heavy, Exe Radar and Exploit Radar use the same hooks/API for process startup monitoring!

The API/Hook swap could be limited to a handfull, the ones that drop the payload, like URL download, create process, etc. WinPatrol polls all the time, HMP.Alert does a simular "on execution" swap, plus it checks loaded dlls, ZeroVulnability Browser ExploitShield monitors a set of API's realtime.

WinPatrol, ExploitShield don't feel heavy, HMP Alert applies a trick by performing the checks asynchroneous (loading of browser can continue). When you look at the utilities NVT offers, my estimate is that they will find a light solution (for them it is no rocket science, just programming what they allready know).

Have you really tried this combo or are you just thinking that it would be heavy, bloated?

 

@Kees
ExeWatch https://www.wilderssecurity.com/showthread.php?t=322697

Similar to PE Dropper but works with x64 bit. Can't access its download site though.

 

Was my first choice, also because users report it is really light , but could not find a download location

Then I thought well heck, why check all processes, just check a few processes (the threatgate programs) and EXE Radar was allready checking startups on disk.

 

Looks like it is abandoned....

 

I am running ExeWatch, so if anyone is interested, i uploaded it here:

http://www.filesend.net/download.php?f=2514c33ca6eac036092a56b798a89d39

You need to manually add it to startup.

If they can keep NVT light, fine.

 

In fairness though,the utilities mentioned are really "one trade" already.However all-in-one suites have a tendency to become bloated,so that is a valid concern.

Kudos to NVT though,for providing some very functional freeware.

Re. Kees1958 Permissions Monitor
It's a shame that Symantec ceased development of their UAC tool,it'd fit the bill perfectly.

 

YEP on Vista it worked, but Ms added AppLocker, this impacted UAC and SRP (no run as basic per application possible anymore to lock applications in Limited User Rights).

 

Some questions:

1 all these different applications that work separately have the same efficiency and safety that a single all comprehensive program have ?

2 sure that they have not conflict problems that also could decrease their good working ?

3 do they have the same autoprotection and power to block malicious process, applications.... ?

4 do you trust UAC , that can be bypassed, as an HIPS ?

 

@blacknight difficult to answer your questions, no rational black or white, but grey schemes influenced by personal opinion.

1 all these different applications that work separately have the same efficiency and safety that a single all comprehensive program have?
The cover most entrypoints, not all attack vectors. Hips tend to look at all attack vectors. Comodo FW covers much more than AppGuard, but I dare to say that AppGuard is just as effective as Comodo. Simular statement can be made for the light and bright setup posted.

2 sure that they have not conflict problems that also could decrease their good working ?
On my rig it worked OK, considering that most came from NVT and all are single trade programs, I would not expect incompatibilities.

3 do they have the same autoprotection and power to block malicious process, applications.... ?
Compared to what, objectively any synthetic/POC test will show this combo fails compared to full blown HIPS, look at my sig, I manage well with far less (see also answer 1)

4 do you trust UAC , that can be bypassed, as an HIPS ?
Not on it self, but couples with another layer Yes (ranging from SRP/AppLocker to the auto sandbox of Avast).




[/COLOR][/QUOTE]

 

I'm not going to compare it to HIPS since they're different. In any case, you'd want to make sure that UAC is set to highest settings.

 

Why not just download PrivateFW and disable the firewall option. You will get a full blown HIPS without need to install so many different applications.

 

Same applies to OA, Comodo and Outpost, would be to easy

 

I don't see the point in making more effort for one's self...

 

nooooooooooooooooooooooooooooooo

this is crazy.

 

Careful with relying too much on the anti-exe/whitelisting products. There are exploits out there in the wild which do bypass them by using rundll32 or regsvr32 to infect users. I come across such exploits everyday and these anti-exe get infected. Its one of the favorite infection vectors of the police ransomware type trojans.

 

Faronics AE and NVT ERP have those functions built-in.
I'm not sure about AppGuard...
They are only one layer in complete antimalware protection....that is why you have to use AV and some kind of web blocker along with them.
OK....and ExploitShield too.

 

I'm sure they do but I saw one of those get popped today... again. I know they are useful and good products, all I'm saying is don't rely exclusively on them against exploits. You should use EMET and/or ExploitShield alongside them.

 

+1

BTW, when do you plan to release the final version of ES?