Has your HIPS ever actually blocked anything?

Discussion in 'polls' started by Gullible Jones, Apr 14, 2013.

?

How was your HIPS configured when you saw it block an intrusion attempt?

  1. As an anti-executable (i.e. notify on unknown program launch)

    8 vote(s)
    22.2%
  2. With "maximum" settings, and learning mode as necessary

    5 vote(s)
    13.9%
  3. As a policy sandbox (i.e. restrictions on specific programs)

    4 vote(s)
    11.1%
  4. Other configuration (please specify in the thread)

    4 vote(s)
    11.1%
  5. I have never seen my HIPS block anything malicious.

    21 vote(s)
    58.3%
Multiple votes are allowed.
  1. To those of you who use HIPS software:

    - Has it ever blocked any malware, or other intrusion attempts?
    - If yes, what sort of configuration were you using at the time?
     
    Last edited by a moderator: Apr 14, 2013
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I've seen them block when testing, but not real malware in the wild.

    Pete
     
  3. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    i use comodo internet security and i turn off the HIPS and use the BB.I hardly ever download anything new on to the system so even if they were turned on,it would be a rarity to get an alert.
     
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Nope, i have never noticed any weird pop ups from OA or any of the HIPS i have ever used (OA, Comodo, Outpost, MD etc).

    I have seen it work in my amateur tests in a VM (A long time ago) but i have never caught anything in my real machine. :D
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I don't use the type of HIPS you're referring to atm.

    However, when I did use CIS, I had configured it to run in the 3 different manners as mentioned in your first 3 choices in the poll (AE, max+learning mode, policy sandbox) at different points in time.

    I didn't come across malware/intrusion attempt so they had nothing to do in that sense.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    AE + = ProcessGuard

    AntiKeylogger + = Zemana

    Some people, no names mentioned :p don't seem to realise that both those Apps do a LOT more than just AE & AK :thumb:

    As an anti-executable (i.e. notify on unknown program launch)

    Hundreds + of .EXE/.SYS etc, both Malware & All new stuff. Plus PG can do these ;)

    pg.png

    pg2.png

    Z also Alerts/Blocks to Driver install attempts & code modification attempts etc. Along with it's ALL it's Anti capabilities.

    With "maximum" settings, and learning mode as necessary

    Yes for both.
     
  7. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    When I used one, all it ever really did was interrogate me about every breath I and my system took. Nothing ever sounded any alarms over malicious activity though.
     
  8. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Hahahahaha Pop Up heaven.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I have mine (SSM) set to silently enforce policy during normal usage. I'm not prompted to allow anything or alerted when something is blocked. On a few occasions I've found activities attempted that my policy doesn't allow recorded in the SSM logs. Most of these are either attempts to launch unknown files or attempts to use a permitted process to gain access to another.

    Regarding the poll question:
    "How was your HIPS configured when you saw it block an intrusion attempt?"
    I never actually saw the attempts, just the record of them in the logs. As for the configuration/policy, it's strict default-deny applied to the processes, their activities, internet access, and their access to other processes and system components. All rules are based on file hashes.
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Nothing that I can say with certainty is malicious, but it could have saved me from having a ton of info. being sent to who knows where from blocking certain events. And the same goes for my outbound FW.

    I run a pretty tight/clean ship here, so my chances of intrusion/compromise are very low. So it's more privacy/anonymity that I aim to curb.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    I did once out of all the years I have been using Online Armor. I turned on Shadow Mode, and hit a whole lot of porn sites in an attempt to find some malware in a real world environment. NOD 32 went nuts lol Online Armor stopped something that I was sure was malicious, but I don't remember what it was since it's been years ago.

    My HIPS has made me aware of many programs installed on my machines that I did not want to communicate with the internet or did not want installed on my PC to begin with over the years. I do like HIPS for it's anti leak functionality. I have uninstalled, disabled, or blocked internet access to many application that my HIPS made me aware of.
     
    Last edited: Apr 15, 2013
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Whenever I'm updating my system or applications or installing something new, I connect the UI on SSM, which effectively changes its default behavior to "ask". On quite a few occasions, SSM has intercepted and alerted me to undesirable actions by the installers and application updaters. On a few occasions, SSM alerted me to the installers attempting to install a toolbar even after I deselected it. On other occasions, it prevented the installer from changing default handler settings I didn't want changed. On others with built in updaters, it's alerted me to the app calling home even though I'd set it not to check for updates. On different occasions, the activities SSM intercepted were enough reason for me to either skip the new version or replace the application with something else. It's not always because the activities themselves are malicious. Often they show a change in the attitude of the vendor where they no longer respect the wishes of the user (much like Windows).
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Actually, after reading the above post I concur. I've also seen such activity. Phone homes from installers... or pings, which CCleaner would do every time it updates. Heck, I don't know what it's transmitting. Many apps people in here regard highly, I've seen do some shady looking things, namely a certain PDF reader. It basically asked for a blank check to take over my computer.

    So I don't place full trust in anything. People saying to only download from trusted sites/sources... that doesn't always cut it. I'd rather not be oblivious to what's really going on on my box.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I was using ProcessGuard many years ago (among other things) and attended a lan party. I had set it somewhat aggressive (you know, a prompt for everything) but I did see some activity. A guy brought in his dads pc which had a virus on it and was attempting to spread across the lan. In all my years using such things, thats the only truly legitimate thing I can recall.

    True that. I like to get files from sources I trust, and would say its an overall good practice, but who are we fooling really? There are so many things you would want to download that won't come from someplace like majorgeeks. I don't use a hips often any more, but do start new things in a sandbox and watch the processes, and maybe turn on my firewall. If its really sketchy I install it into a VM thats setup with many tools for "sleuthing".

    Sul.
     
  15. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    I've had it false positives when running applications for my school. Some of the "show me the answer" or "show me how its done" gets flagged for certain behaviors like hijacking my mouse. Unfortunately, its been a while since I've had an infection on my system that I am aware of. More recently, I've had to work with file types that my system flags upon execution. I know they are harmless because I'm the one creating them. Hopefully this is indication of how my system would respond to an actual threat. I'm running maximum settings and add temporary exception when needed. I didn't bother with learning mode at all.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Your use of the terms "false positive" and "hijacking" when describing mouse or keyboard hooks shows the real issue. Users have been conditioned to view hooks as malicious when in reality, they're a tool. Part of the fault here lies with the vendors. That is one of the problems with HIPS, especially classic HIPS, making decisions and rules for activities the user doesn't properly understand. When I get prompted regarding a keyboard or mouse hook, I normally deny the action the first time and see if it breaks or adversely affects how the app works. If the app functions properly without the hook, I make the blocking rule permanent. If blocking the hook breaks a function I need, I'll allow it for that app.
     
  17. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    @noone_particular

    Terminology is often adopted and modified across different industries and fields of study. I'm curious what these terms mean to you, as people often have different perceptions based on their own experience and knowledge. Based on your description though, it would seem we both react to keyboard and mouse hooks in a similar fashion, but maybe not for the same reasons.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    To me, as they relate to computers, hijacking means taking control of an application or system without the owner/users approval. False positive means incorrectly identified as malicious.

    When I see a prompt for a keyboard or mouse hook, I try to determine why/if that hook is necessary, and for what. During some of my beta testing of SSM, I was working with Yahoo Instant messenger (circa 2007). On startup, SSM prompted regarding the Yahoo executable, ypager.exe wanting to attach idle.dll with 2 hooks, WH_MOUSE and WH_KEYBOARD. As far as I could determine, the only function that relied on these hooks was message archiving. Everything else worked normally whether I blocked the hooks or not. Message archiving was not a "feature" that I wanted so I made the block on those hooks permanent. Yes, message archiving can be shut off via the settings. It can also be turned back on via an update if the vendor doesn't respect the wishes of the user. IMO, Yahoo is such a company. With the hooks blocked, archiving remains disabled even if Yahoo decides to re-enable it.

    Behaviors like this are one of the reasons I use classic HIPS, specifically SSM. More and more, software (and OS) vendors regard users as a commodity to be monetized. Things presented to the user as features are often used to spy on them or record their activities. Although the apps are regarded as clean, I consider some of their behaviors intrusive or outright malicious. While not an ideal solution, HIPS often does make it possible for the user to disable undesirable behaviors when better choices for the user apps aren't available.
     
Loading...