Ewido vs A-squared

Discussion in 'other anti-trojan software' started by JerryM, Jun 23, 2006.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I already have other more powerful HIPS on my system, but I just wondered how advanced A²'s protection was. ;)
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    HIPS is not the same as IDS .. Rasheed, you should know this .. :) IDS = Detection afaik based on sigs (heuristics with possibility to check outbound .. ... ) while IPS is prevention ... someone please correct me if I'm wrong.
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    Oh, all the time I thought that HIDS and HIPS are the same. Thanks for the explanation. ;)
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm sorry but I have no idea what you're talking about, it seems that even A² is confused about the IDS/HIPS terminology. But like I said before, the HIPS part (behavior blocker not based on heuristics), which they seem to call IDS, does not look that impressive to me. :)
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I thought that HIPS were activated by system calls (changes in system areas, like registry, drivers, .. ... ) and IDS is activated on/by network signatures used by malware/any kind of program or process .. so to prevent intrusion from outside the network .. ideal would be the combination of both, I have seen it in Tiny, which has a HIPS part (behavioural detection) and an IDS for malware connections or something like that .. like snort (not the latest Tiny2005, cause there you'll have to enter/set it up manually) and in Kerio I saw such an IDS too .. I don't know about the rest ..

    /edit what this has to do with A2, and I guess, I can only guess .. it is trying to combine the two, HIPS & IDS .. for a great part they have succeeded I guess .. hence the flagging of Firefox acting with trojan-like behaviour or something like that .. now it is fixed :)
     
    Last edited: Jul 26, 2006
  6. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Yeah most of the IDS you see being used in protecting large corporate networks are network based IDS. They have signatures that take note of any unusual patterns and alert the administrator.

    Still it's acceptable I guess to call IDS systems that monitor more than just network related events and that is what a-squared does. Host based IDS?


    Well yeah. But some 'HIPS' have signatures of a sort, for example they don't just flag any change to the registry, but perhaps have a sequence of changes they flag as fishy based on 'signatures'.

    Anyway it's all marketing whatever they call it.
     
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    True DA (nice to see you back too!)

    the way I see A2 working is their realtime scanner and heuristics are in line with the IDS (possible malware network connections) from there you'll have your positive (or false positive) and that's why their heuristics in conjunction with their IDS is so fine .. every unknown element with possible malware-like (they call it backdoor like, lan bypass, .. ..) outgoing behaviour will be nailed.

    .. and I call this an effective realtime IDS ... like I told Andreas before: I hope their HIPS part will evolve soon (like realtime monitoring of their HijackFree ... the tools are available .. now someone to code it lol :D
     
  8. emsisoft

    emsisoft Security Expert

    Joined:
    Mar 12, 2004
    Posts:
    328
    Location:
    Nelson, New Zealand
    Well, the term IDS is not the best one for our a-squared background guard protection, maybe HIPS would be the better wording. We initially used IDS because of its meaning "Intrusion Detection" and not based on the common understanding of that word, which is usually used for network based intrusion detection systems.

    But call it as you want, here is what it actually does:

    It monitors in realtime the actions of all running programs. That means the file access layer, the registry actions, the windows socket and process interactions. Based on that technique it allows us to use triggers to alert on harmful behavior. That means if a special combination of the monitored actions appears, a program may be alerted. The trigger rules are secret, for sure.

    - You can compare it with heuristics because heuristics also search for specific actions, but usually not in a specific order. And note that heuristics usually stand for file analysis, not for realtime action monitoring.

    - You can compare it with a firewall, because it monitors if data is delivered via the network. But it's more a system firewall that also monitors system internal actions, not only TCP stuff.

    - And you can also compare it with process monitoring software that checks whether a process tries to manipulate other processes. a-squared therefore is able to block exploits that try to use buffer overruns to get started.

    So decide yourself how it should be called best. Our 'marketing' word is "Malware-IDS". ;)
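    The ordered "trigger" idea described in this post, as an added example that is not Emsisoft's code: a toy engine that groups monitored actions per process and fires only when the steps of a rule occur in sequence, beside the unordered "heuristic" check the post contrasts it with. Every rule, layer name and event here is constructed for the illustration.

```python
# Added example, not a-squared's implementation. All names and events are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    pid: int
    layer: str    # one of the monitored layers: "file", "registry", "socket", "process"
    detail: str   # what happened on that layer

# Constructed sample stream of monitored actions (not real telemetry).
EVENTS = [
    Action(100, "file", "write:%SYSTEM%\\svc.exe"),
    Action(100, "registry", "set:HKLM\\Software\\PLACEHOLDER\\Run"),  # placeholder path
    Action(100, "socket", "connect:outbound"),
    Action(200, "socket", "connect:outbound"),          # ordinary browser activity
    Action(200, "file", "write:%TEMP%\\cache.dat"),
    Action(300, "registry", "set:HKLM\\Software\\PLACEHOLDER\\Run"),  # same steps, other order
    Action(300, "file", "write:%SYSTEM%\\svc.exe"),
    Action(300, "socket", "connect:outbound"),
]

# One hypothetical trigger rule: (layer, detail prefix) pairs that must be
# seen for the same process in exactly this order.
DROP_PERSIST_BEACON = [("file", "write:%SYSTEM%"), ("registry", "set:HKLM"), ("socket", "connect:")]

def per_process(events):
    """Group monitored actions by process, keeping arrival order."""
    out = {}
    for ev in events:
        out.setdefault(ev.pid, []).append(ev)
    return out

def ordered_trigger(actions, rule):
    """True if the rule's steps occur in sequence; unrelated actions may interleave."""
    step = 0
    for ev in actions:
        layer, prefix = rule[step]
        if ev.layer == layer and ev.detail.startswith(prefix):
            step += 1
            if step == len(rule):
                return True
    return False

def unordered_heuristic(actions, rule):
    """The 'heuristic' comparison from the post: every step present, order ignored."""
    return all(any(ev.layer == l and ev.detail.startswith(p) for ev in actions) for l, p in rule)

def evaluate(events, rule):
    """Return {pid: (ordered_hit, unordered_hit)} for a whole event stream."""
    return {pid: (ordered_trigger(acts, rule), unordered_heuristic(acts, rule))
            for pid, acts in per_process(events).items()}
```

    Process 300 performs the same three actions as process 100 but in a different order, so the unordered check flags both while the ordered trigger flags only 100.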
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK thanks for the info :), so the IDS is in fact based on heuristics and the HIPS part manages the following things according to the website:

    At the moment other HIPS seem to be a bit more advanced, but A²'s main focus is not on the HIPS part, I assume. ;)
     
  10. emsisoft

    emsisoft Security Expert

    Joined:
    Mar 12, 2004
    Posts:
    328
    Location:
    Nelson, New Zealand
    Could you please specify your sentence "other HIPS seem to be a bit more advanced" a bit more in detail? What are you missing at the a-squared Anti-Malware guard?

    Regarding heuristics: There is no strict line between heuristics and HIPS technology. Even a single simple file scanner signature can be heuristic if the signature searches for specific API call areas in a file.

    The term heuristic is usually used to describe file scanners and not live behavior analysis. Therefore I would not say, our a-squared guard is based on heuristics mainly. It is more a HIPS.
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Christian, what I would like to see (that is just my opinion, and it is in my beliefs that it would catch and also *block* more nasties imho) is more registry control * see the second screenie after the 'more-process-control-and easier to build collection of processes' screenie * and not to set all important applications manually like we want them to behave, an automatic link from your HijackFree and whenever application/process gets changed (they are after reboot copied from HF into A2's IDS/background guard (now you have a compilation, a whole list of them .. and that link to HijackFree means: from the moment something changes in HijackFree (this is realtime, or it could be done I think o_O o_O), the HIPS/IDS part kicks in cause of the direct link .. that would make A2 complete imho .. some really HIPS like SSM, PG, .. built into your already hardcoded HIPS/IDS but constructed around the malware scanner and malware guard :)

    ....

    so to have a more secure machine .. like I said the other day .. it's already there, it just needs to be coded :D
     

    Attached Files:

    Last edited: Aug 16, 2006
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    ok, I got some :thumb: ideas but kick me if I go too far or my ideas are impossible...

    @ Christian: from the moment you have that link with HF ... the possibilities are endless :
    ** cause it could work for 'Ports' area too then ... from the moment there is a new process that needs an outbound connection => this would get noticed by HF, with that direct connection to your IDS/background guard => realtime outbound protection (and afaik, this is something a lot of us want .. having 'http' outbound protection from anything but a real firewall is "IN" lately ;) GSS and bamm GSS had something working (ok not finished yet) but still, 60% reason why I bought it .. lol

    I'll explain on the picture .. but all this will not work if there won't be a direct connection between HijackFree and your background guard/IDS/...

    Is it possible? this realtime link to each other? I won't go any further, the image is costing energy ..

    Infinity
     