Do you use a HIPS with your specialized desktop setup?

Discussion in 'polls' started by Gullible Jones, Aug 20, 2012.


Do you use a HIPS with your specialized desktop setup?

  1. Yes, I'm a gamer and I use a HIPS: 2 vote(s), 4.9%
  2. Yes, I'm a developer of some sort and I use a HIPS: 0 vote(s), 0.0%
  3. Yes, I'm an artist of some sort and I use a HIPS: 0 vote(s), 0.0%
  4. Yes, I'm a student of some sort and I use a HIPS: 4 vote(s), 9.8%
  5. Yes, I have some other specialized setup and I use a HIPS: 11 vote(s), 26.8%
  6. No, HIPS software gets in my way too much: 24 vote(s), 58.5%
  1. And if so, how do you keep it manageable? If you answer yes, please say what HIPS and a brief description of what sort of settings...
     
  2. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    I voted "I'm a student"...there are still many things to get to know and learn, so I'm, as always, still something of a student :) What am I using?...at this time a fully licensed System Safety Monitor v. 2.4.0.622 on WinXP SP3...why?...because it works fantastically and is good enough for me. My settings in short:
    - added 3 groups in application rules (on the screenshot the default groups are gray): user apps, office apps and security apps...it's easier for me to manage all my programs
    - all modules are enabled
    - turned ON "Alert on changed and temporary files in Learning mode"
    - turned OFF "Trust signed binaries"
    - current config file is located on a non-system disk
    [Attachments: 120820101316_4.jpg, 120820100844_2.jpg]
     
  3. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    No.

    I don't have time to babysit a HIPS.

    Besides, I find this stuff too confusing.
    Answer one Allow/Deny popup the wrong way and you're pwned. lol
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Mind explaining what you mean by "specialized setup"?
     
  5. Something that exceeds the requirements of a "normal desktop." e.g.
    - Playing realtime games that require network access and no interruption
    - Using graphics, audio, or office applications that have special requirements
    - Running an integrated development environment
    - Using Cygwin

    To be blunt, what the question boils down to (for me) is whether HIPS software is actually useful for people who do more with their computers than just browse the web, listen to music, and occasionally print something.
     
  6. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Got it. Thank you. :)
     
  7. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Kind of a Gamer/Student and I have a HIPS. Decided to vote for the first option. :D
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Answered No...

    Classical HIPS has far too many rule permission types - over-granular, making them too cumbersome and time-consuming to manage. I like a simple Allow or Deny anti-executable approach. An example of one that I used a few years ago had the following permission types:

    • Create new process
    • Access data of other processes
    • Control other processes and threads
    • Send message to other processes
    • Load kernel drivers
    • Access kernel memory/objects
    • Access physical memory
    • Access physical disk
    • Access keyboard in low level
    • Access registry in low level
    • Install message/event hooks
    • Set system time
    • Shutdown windows

    Way overkill, imho. I admit, I never figured out to what degree I should allow a trusted process permissions in order for it to function properly. Basically it should just be a simple matter of:

    1. Do you trust the process?
    2. If Yes, Allow
    3. If No, Deny (or omit from the whitelist)

    If I were to go back to using a HIPS, I would tone it down severely to the point of making it a simple Allow or Deny anti-executable.
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    The thing is though, I've now seen software that I completely trusted one day doing shady stuff the next... after an update/install. Asking basically for free rein over my computer. Legit, even well-regarded apps one day can go rogue the next. So I want to see everything they're doing.

    It was the only time I've ever had my HIPS catch something shady looking like that, in 5 years of use now. But that 1 time showed me how useful a tool it can be.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    How does one know what is shady and what is legitimate, especially if it's required for the application to work properly? In my case I'm no software genius, which one almost needs to be in order to know exactly how to configure a highly granular HIPS for all their applications. In all the permissions types I listed above, how can it be possible to know what's needed and isn't needed for each and every application to function correctly?

    Besides, as long as the activity isn't breaching my privacy, then I don't really care too much, and about the only way it can do that is over the Internet, which is why I administer at least some degree of control over how an application - all applications - can communicate over the network, and if I know it doesn't need any network comms at all, I won't create a rule for it in my default-deny firewall configuration, thereby blocking all potentially attempted outbound comms from it.

    I used HIPS software for several years, including System Safety Monitor, Malware Defender and Outpost firewall. For the most part I found it all interesting, and even learned a lot about how certain processes interact or attempt to interact with others, but in so many cases when I configured rules for them off the alerts, I was guessing rather than knowing how to answer them. Usually I simply allowed permanently the actions they were attempting, because I had already trusted the application long before its attempted actions were triggering the HIPS alerts. All I really want is something that stops anything that isn't whitelisted from attempting to execute, including DLLs and scripts because they can be just as dangerous, and that's where I find AppLocker fits the purpose, and NoScript in the browser for web-borne threats.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm assuming you're talking about popup HIPS that alert you to various calls that programs make. No, I don't use that nor would I. They're a pain in the ass and I'm not qualified (nor is anyone other than the developer of the application / someone who has examined the application in depth) to make decisions about what calls an application should or should not be making.

    At that point it's a huge pain just for me not to know how to even use it.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I'm pretty certain that's the type this is about. They can be fine for someone who is keen on seeing what an application is attempting to do, for the sake of interest or learning, but they are just far too labor-intensive to maintain for security purposes, although most of them can be "toned down" to keep user decisions simplified to mainly Allow or Deny the executable then be done with it. MrBrian wrote a tutorial somewhere on how to configure Comodo HIPS that way, at least to some degree.
     
    Last edited: Aug 21, 2012
  13. Alas, this was the sort of answer pattern I was afraid of getting. Ah well. I was hoping someone would enlighten me as to how to make a classic HIPS usable when actually doing stuff with a computer, but it looks like that's a pipe dream. :(
     
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    The beauty of traditional/classical (aka 'pop-up') HIPS compared to approaches such as Ilya's DefenseWall and Tzur's Sandboxie (both of which are great apps btw) lies in the alerts and the ability to custom-set the config to your particular needs. Therein also lies the problem. As Hamlet says, "To be, or not to be, that is the question..." The more you tweak it to satisfy your need to be aware of each and every thing (aka 'paranoid'), the more alerts you get, and vice versa. You'd get differing opinions on this matter...some will encourage you to tighten settings while others will do the opposite. Things like 'trusted vendors/publishers' and 'auto-trust' options are available in most of these classical HIPS (e.g. CIS, OA, PFW, etc.) to help quieten things down and, to a certain degree, make them easier to use. Yet these 'friendly approaches' have been proven to be somewhat of a 'design hole' which works against the initial idea of why you might want such a HIPS in the first place. It all boils down to personal preference. If you can 'live' without such a HIPS, then ask yourself if you really need to go to the extremes if/when you decide to use one.

    Honestly speaking, I've been on and off such HIPS...at random times. I just can't vote for any of the given options in this poll.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's hard to give any kind of detailed answer that accommodates "doing stuff with a computer". The configuration is very dependent on how you use that PC. The list wat0114 posted for instance includes many of the options available in SSM. Most user apps don't (or shouldn't) require many of those permissions like kernel drivers and low level disk access. With others, the needed permissions are much harder to determine, like those related to other processes. That said, just because a HIPS has the ability to alert to those activities doesn't mean you need to configure it to do so for all processes. OTOH, a simple allow or deny option is often insufficient. The browser's executable is obviously legit and an allowed process. Rundll32.exe and cmd.exe are legit system executables, but I don't want my browser using them. Being able to specify what other processes each executable is allowed to parent does make the setup more time consuming. With attack surface apps, the ability to restrict the allowed child processes may save your system should that app encounter a new or unpatched exploit.

    It gets more interesting with the registry. Some apps and system components change parts of it constantly. Others never touch it. With SSM for instance, the registry module of the free version was quite simple and easy to understand. On the pro version, the rules are complex and convoluted, and can drive you up the wall. The coverage is extensive but not user friendly.

    I can't comment on other HIPS but I'd assume many have a similar feature. SSM allows you to make rules for folders that cover the files in them. For a development area for instance, you can allow all exe's, dll's, etc contained in the folder to function without interference.

    Until the ruleset is completed, all conventional HIPS are noisy. When the configuration is done, they fall silent until your system changes, e.g. patch day, browser update, new flash player, etc. Auto-updating and rule based HIPS don't work well together. Unless the HIPS has the ability to allow executables signed by a specific vendor to run without interference, auto-updating generally requires the allowing of new/unknown executables by specific processes. That alone I consider unacceptable. With an AV for instance, signature/definition updates are not a problem. When that AV decides to update its components, it becomes a big problem. On a friend's XP unit, I tried for a while to get AntiVir/Avira to auto-update and remain compatible with SSM. Allowing executables with changing file hashes was bad enough. Allowing them to execute new and unknown executables and giving them permission to do most anything they wanted was nearly impossible and created a big hole in the security package.

    For me, the easiest way to approach updating maintenance is to make it a manually performed administrative task. I don't update very often or run an AV so it's a very minor issue for me. If you're the type of user that immediately installs every minor update for every app you use or one that wants your AV updated every 10 minutes, HIPS will be a big hassle. Classic HIPS are designed to enforce a default-deny policy to the point of being "anti-change". For all practical purposes, when you install updates, patches, new versions of apps, etc, you're making exceptions to that default-deny policy. I'm not saying that updating or patching is unnecessary, but if that's your security policy's top priority or first line of defense, you're not going to get along well with classic HIPS. For me, MS patches and updates are a non-issue. My OS is unsupported. For the attack surface apps, I'll update when the new version offers or fixes something I feel is important. If it patches some specific security issue that doesn't affect me or that my system already mitigates, I don't bother. If I'm running version 13.1.2 of an app, chances are I won't install 13.1.3. Might not install 13.2. If I'm satisfied with the app, I might not update it until version 14.0. I back up the OS before I update, then usually install all the updates I'm going to. If I don't like something about one of the updated apps, it's easy to get back to where I was.

    IMO, you're asking the wrong question and approaching it from the wrong side. Since HIPS are default-deny enforcement tools, the question you have to answer is if default-deny is suitable for that PC and the way you're using it. Don't try to build a security policy around an application or specific type of application (HIPS). Start with choosing the policy that best fits your needs, then pick the app(s) that best support that policy.
     
  16. Thanks, all.

    For now I've settled on Malware Defender, the famous classical HIPS. I don't let it alert me at all; instead I put it in learning mode when doing anything novel, and silent mode at all other times. For convenience I've set it to let unrecognized executables run, but otherwise the full restrictions are in place... And so far it works extremely well. It may be abandonware, but it's quite powerful, and not painful to use at all.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Make sure that you know and trust the apps/code that you run when in learning mode. Classic HIPS does not differentiate between good and malicious, desirable and undesirable behavior. It treats them all the same.

    I don't know what options MD has in regards to saving and loading rulesets. With SSM, you can create several different rulesets and switch between them as needed.
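    Three ideas from this thread can be made concrete with a small model of a classic HIPS rule engine: wat0114's "do you trust it, then Allow or Deny" default-deny whitelist, noone_particular's point that a browser's executable is legit but should not be allowed to parent cmd.exe or rundll32.exe, and the caveat just above that learning mode whitelists good and bad behaviour alike. The code below is an added example written for this thread, not code from SSM, Malware Defender or any other product mentioned; the process names, the rule set and the two event streams are constructed for illustration and correspond to no real product's rule format.

```python
"""Toy model of a classic HIPS: default-deny rules, parent/child process
restrictions, and a learning mode that records everything it sees.
Added example for illustration; not code from any product in the thread."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str]  # (process, action, target); target "*" = any


@dataclass(frozen=True)
class Event:
    process: str  # executable performing the action, e.g. "firefox.exe"
    action: str   # permission type, e.g. "create_process", "load_kernel_driver"
    target: str   # object acted on: child executable, file path, registry key


@dataclass
class RuleSet:
    allow: Set[Rule] = field(default_factory=set)
    # Child executables each process may spawn. A process with no entry may
    # spawn nothing: that is the default-deny part of the policy.
    children: Dict[str, Set[str]] = field(default_factory=dict)

    def permits(self, ev: Event) -> bool:
        if ev.action == "create_process":
            return ev.target in self.children.get(ev.process, set())
        return ((ev.process, ev.action, ev.target) in self.allow
                or (ev.process, ev.action, "*") in self.allow)

    def learn(self, ev: Event) -> None:
        """Record the observed action as allowed, without judging it."""
        if ev.action == "create_process":
            self.children.setdefault(ev.process, set()).add(ev.target)
        else:
            self.allow.add((ev.process, ev.action, ev.target))


class Hips:
    """'silent' mode enforces the rules without prompting; 'learning' mode
    turns every unmatched action into a new allow rule."""

    def __init__(self, rules: RuleSet, mode: str = "silent") -> None:
        if mode not in ("silent", "learning"):
            raise ValueError("mode must be 'silent' or 'learning'")
        self.rules, self.mode = rules, mode
        self.log: List[Tuple[str, Event]] = []

    def evaluate(self, ev: Event) -> str:
        if self.rules.permits(ev):
            verdict = "allow"
        elif self.mode == "learning":
            self.rules.learn(ev)
            verdict = "learned"
        else:
            verdict = "deny"
        self.log.append((verdict, ev))
        return verdict


def build_rules() -> RuleSet:
    """Constructed rule set: the browser may only parent its plugin host,
    explorer may launch the usual user apps, and a couple of non-process
    permissions are granted narrowly."""
    rs = RuleSet()
    rs.children["explorer.exe"] = {"firefox.exe", "winword.exe", "cmd.exe"}
    rs.children["firefox.exe"] = {"plugin-container.exe"}
    rs.allow.add(("firefox.exe", "write_file", "*"))
    rs.allow.add(("winword.exe", "registry_write", "HKCU\\Software\\Microsoft\\Office"))
    return rs


# Constructed event stream for an enforcing (silent) session.
SILENT_SESSION = [
    Event("explorer.exe", "create_process", "firefox.exe"),
    Event("firefox.exe", "create_process", "plugin-container.exe"),
    Event("firefox.exe", "create_process", "cmd.exe"),        # browser parenting a shell
    Event("firefox.exe", "create_process", "rundll32.exe"),   # same idea
    Event("firefox.exe", "write_file", "C:\\Users\\me\\Downloads\\paper.pdf"),
    Event("winword.exe", "load_kernel_driver", "C:\\Windows\\Temp\\x.sys"),
]

# Constructed event stream for a "new version" install done in learning mode.
LEARNING_SESSION = [
    Event("updater.exe", "create_process", "setup_13_1_3.exe"),
    Event("setup_13_1_3.exe", "registry_write",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]


def run_silent() -> List[str]:
    hips = Hips(build_rules(), mode="silent")
    return [hips.evaluate(e) for e in SILENT_SESSION]


def learning_then_silent() -> Tuple[List[str], List[str]]:
    """Learn a session, then replay it under enforcement: everything that
    was learned, desirable or not, is now silently allowed."""
    rules = build_rules()
    learned = [Hips(rules, "learning").evaluate(e) for e in LEARNING_SESSION]
    replayed = [Hips(rules, "silent").evaluate(e) for e in LEARNING_SESSION]
    return learned, replayed


if __name__ == "__main__":
    print("silent session:", run_silent())
    print("learning, then silent:", learning_then_silent())
```

    In the silent session the browser's own execution and its plugin host are allowed, while its attempts to parent cmd.exe or rundll32.exe and the unexpected driver load are denied without any popup, which is the "tone it down" operation wat0114 describes. The second run shows the learning-mode caveat: the startup-entry registry write observed during learning becomes a permanent allow rule, so a learning session should only ever cover activity you already trust.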
     
  18. carat

    carat Guest

    No, HIPS software gets in my way too much! :doubt:
     
  19. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    No, it gets in my way too much, I prefer light virtualization.
     