Do IT yourself HIPS all freeware and light

Discussion in 'other anti-malware software' started by Kees1958, Jan 17, 2013.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Played with this today, really light on resources

    Firewall: Link
    Using Windows 7 internal with Wokhan's Firewall Notifier informing you on new outbound connections using windows event messages, (next version also win8 compatible, then it will get max 5 rating)
    light and bright rating: * * * *

    Permissions Monitor
    Using Windows UAC set to full; it does not remember choices, therefore four out of five
    light and bright rating: * * * *

    Exe monitor Link
    Freebie of No Virus Thanks EXE Radar free, whitelisting, default or paranoid (don't automatically allow Windows Program Files, but whitelist the Windows folder, the Program Files folder and running processes),
    light and bright rating: * * * * *

    Driver Monitor link
    Freebie of No Virus Thanks Driver Radar free, whitelisting, loading of drivers for both 32 and 64 bits
    light and bright rating: * * * * *


    Memory monitor Link
    Freebie of Microsoft EMET 3.5. Add it to guard all non-security and system processes in the Program Files folder.
    light and bright rating: * * * * *

    Autostart monitor Link
    Freebie of TCP Monitor, StartupEYE; easy and simple, it covers the most-used autostart entries of the registry, not all, therefore three out of five
    light and bright rating: * * *

    Drive by monitor link
    Again from No Virus Thanks: PE Dropper, set it to start with Windows. Gets only three stars, because it is only available for 32 bits. If it got an option to select multiple processes (e.g. e-mail, browser, PDF reader) and saved this in the configuration, it would get four stars; add 64-bit compatibility and it gets 5 stars.
    light and bright rating: * * *

    Wondering why the guys from no-virus thanks do not combine their utilities into one HIPS program
    - EXE Radar Pro
    - Driver Radar Pro
    - Exploit Radar Pro (new!), consisting of existing utilities,
    a) PE Dropper (only for browser, e-mail, etc. and 64 bits)
    b) Write Process Memory monitor (same adoption as PE Dropper, monitor only for browser, PDF, e-mail etc.)
    c) Ring 3 API hook scanner (monitor only selected processes, like browser, e-mail, PDF reader. When those processes start up, scan which hooks are set, check this against the previous scan and inform on changes).


    o_O o_O o_O let's all ask them to make it :D :D :D
     
    Last edited: Jan 17, 2013
  2. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    507
    Yes, I was thinking of the same thing, combining all the modules into one.
    I will ask about the same.
     
  3. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    I am just afraid it becomes some kind of "Jack of all trades" after...
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    good idea:thumb:
     
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Me too. I am afraid it will grow heavy. If it grows heavy, then why should someone use this instead of Comodo/OA/Outpost...

    Initially, I had also thought of adding DLL monitoring. But after thinking again about it, DLL monitoring usually has a severe impact on system performance.

    I don't know, I just know I want it to stay light. In this way, it fills the gap that the full-blown HIPS have left. A lightweight anti-executable is easy to implement on various security configurations. If you want to go for a full-blown HIPS, you may as well install Comodo 5 and get it over with.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    very true:thumb:
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I guess NVT keep their programs separate to fill the needs of those who need dedicated tools rather than a suite.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Old proverb/saying in Dutch: "The best shippers stand on shore" :p

    It won't grow heavy; Exe Radar and Exploit Radar use the same hooks/API for process startup monitoring!

    The API/hook swap could be limited to a handful, the ones that drop the payload, like URL download, create process, etc. WinPatrol polls all the time, HMP.Alert does a similar "on execution" swap, plus it checks loaded DLLs, ZeroVulnerability Browser ExploitShield monitors a set of APIs in real time.

    WinPatrol and ExploitShield don't feel heavy; HMP Alert applies a trick by performing the checks asynchronously (loading of the browser can continue). When you look at the utilities NVT offers, my estimate is that they will find a light solution (for them it is no rocket science, just programming what they already know).

    Have you really tried this combo, or are you just thinking that it would be heavy and bloated? :ninja:
     
    Last edited: Jan 18, 2013
  9. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    Last edited: Jan 18, 2013
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Was my first choice, also because users report it is really light :thumb: , but I could not find a download location o_O

    Then I thought, well heck, why check all processes? Just check a few processes (the threatgate programs), and EXE Radar was already checking startups on disk.
     
  11. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Looks like it is abandoned....:doubt:
     
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
  13. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    In fairness though, the utilities mentioned are really "one trade" already. However, all-in-one suites have a tendency to become bloated, so that is a valid concern.

    Kudos to NVT though, for providing some very functional freeware.

    Re. Kees1958 Permissions Monitor
    It's a shame that Symantec ceased development of their UAC tool; it'd fit the bill perfectly.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, on Vista it worked, but MS added AppLocker; this impacted UAC and SRP (no "run as basic" per application possible anymore to lock applications into limited user rights).
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Some questions:

    1. Do all these different applications that work separately have the same efficiency and safety that a single all-comprehensive program has?

    2. Are you sure that they have no conflict problems that could also decrease their good working?

    3. Do they have the same autoprotection and power to block malicious processes, applications...?

    4. Do you trust UAC, which can be bypassed, as a HIPS?
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @blacknight difficult to answer your questions; there is no rational black or white, but grey schemes influenced by personal opinion.

    1. Do all these different applications that work separately have the same efficiency and safety that a single all-comprehensive program has?
    They cover most entry points, not all attack vectors. HIPS tend to look at all attack vectors. Comodo FW covers much more than AppGuard, but I dare to say that AppGuard is just as effective as Comodo. A similar statement can be made for the light and bright setup posted.

    2. Are you sure that they have no conflict problems that could also decrease their good working?
    On my rig it worked OK; considering that most came from NVT and all are single-trade programs, I would not expect incompatibilities.

    3. Do they have the same autoprotection and power to block malicious processes, applications...?
    Compared to what? Objectively, any synthetic/PoC test will show this combo fails compared to a full-blown HIPS. Look at my sig: I manage well with far less (see also answer 1).

    4. Do you trust UAC, which can be bypassed, as a HIPS?
    Not on its own, but coupled with another layer, yes (ranging from SRP/AppLocker to the auto sandbox of Avast).
     
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I'm not going to compare it to HIPS since they're different. In any case, you'd want to make sure that UAC is set to highest settings.
     
  18. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Why not just download PrivateFW and disable the firewall option? You will get a full-blown HIPS without the need to install so many different applications.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Same applies to OA, Comodo and Outpost; that would be too easy :D
     
  20. I don't see the point in making more effort for one's self... :blink:
     
  21. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    nooooooooooooooooooooooooooooooo

    this is crazy.
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Careful with relying too much on the anti-exe/whitelisting products. There are exploits out there in the wild which do bypass them by using rundll32 or regsvr32 to infect users. I come across such exploits every day and these anti-exe users get infected. It's one of the favorite infection vectors of the police-ransomware-type trojans.
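    The bypass described above works because the anti-exe whitelists the host binary (rundll32/regsvr32 live in the Windows folder) while the module it loads comes from the command line. As an added defensive example, not code from any product in this thread, the following Python check applies the thread's whitelist rule to that module path instead of the host; the log format, folder list and sample records are all constructed.

```python
import re

# Folders the thread's anti-exe setup whitelists (constructed, simplified list).
WHITELIST_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Whitelisted Windows hosts that load an arbitrary module named on the command line.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# Constructed process-creation records; not real telemetry.
SAMPLE_LOG = r"""Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL
Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Users\bob\AppData\Local\Temp\update.dll,DllRegisterServer
Image=C:\Windows\System32\regsvr32.exe CommandLine=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
Image=C:\Windows\System32\regsvr32.exe CommandLine=regsvr32.exe /s /u C:\Users\Public\Downloads\invoice.dll
Image=C:\Program Files\Vendor\app.exe CommandLine="C:\Program Files\Vendor\app.exe" --start"""

def _tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def in_whitelist(path):
    return path.lower().startswith(WHITELIST_PREFIXES)

def payload_path(image, cmdline):
    """Module actually loaded by a rundll32/regsvr32 host, or None for other hosts."""
    host = image.rsplit("\\", 1)[-1].lower()
    if host not in LOLBIN_HOSTS:
        return None
    args = _tokens(cmdline)[1:]
    if host == "rundll32.exe":
        # rundll32 syntax: <dll>,<entrypoint> [args]; the module precedes the comma
        return args[0].split(",", 1)[0] if args else ""
    # regsvr32: /s /u /n /i:... are switches; the first bare token is the module
    return next((a for a in args if not a.startswith("/")), "")

def triage(log_text):
    """Apply the whitelist to the payload module, not only to the host process."""
    results = []
    for line in log_text.splitlines():
        m = re.match(r"Image=(.*?) CommandLine=(.*)$", line)
        if not m:
            continue
        image, cmdline = m.groups()
        module = payload_path(image, cmdline)
        subject = image if module is None else module
        results.append({"host": image, "module": module,
                        "allowed": in_whitelist(subject),
                        "checked": "host" if module is None else "module"})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("ALLOW" if r["allowed"] else "FLAG ", r["checked"], r["module"] or r["host"])
```

    Records 2 and 4 are flagged even though their host binaries sit in the whitelisted Windows folder, which is the gap the post points at.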
     
  23. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Faronics AE and NVT ERP have those functions built in.
    I'm not sure about AppGuard...
    They are only one layer in complete anti-malware protection... that is why you have to use an AV and some kind of web blocker along with them.
    OK... and ExploitShield too. :D
     
    Last edited: Jan 24, 2013
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    I'm sure they do but I saw one of those get popped today... again. I know they are useful and good products, all I'm saying is don't rely exclusively on them against exploits. You should use EMET and/or ExploitShield alongside them.
     
  25. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    +1 :thumb:

    BTW, when do you plan to release the final version of ES?
     