Has your HIPs ever saved you from tragedy?

Discussion in 'other anti-malware software' started by Bob D, Aug 20, 2008.

Thread Status:
Not open for further replies.
  1. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    My theory is that people who use HIPS (or even know what HIPS are) are those that least need them.
    Many of you (myself included) have DL'd and run numerous and sundry intrusion and leak tests (Breakout2, Wallbreaker.exe, tooleaky.exe, etc., etc.) and gleefully noted their HIPS' efficacy in blocking the potential threat.
    We realize that many of these tests are based on P.O.C.s and have little bearing on real-world threats. Nevertheless, we feel safer.
    The question I pose is this:
    Has your HIPS proggie ever really saved you from potential calamity?
    Or are we mostly just filling the coffers of the developers?
    I am quite curious and look forward to sincere responses.
    Those whose HIPS has averted disaster, please include a brief description of the threat.
     
  2. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I think that twice DefenseWall popped up stopping a Keylogger. I guess that could have been a calamity.
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I believe that too. My HIPS has never caught anything (unless I willingly fed some malware to it).
    In the beginning of my HIPS period I was lyrical about the control and protection they gave.
    I thought they were perfect for some of my computer-illiterate friends who somehow managed to get infected all the time.
    I forced it on them, but needless to say they got infected anyway. It got a little better when CIPS like Prevx came.
    CIPS took away the decision from the user to some degree, but still they felt that there were too many questions.
    Today I am advocating LUA to them (I use LUA myself). If they don't want to learn it, I just don't give a damn anymore.
    I just tell them to stop bothering me and to go to an AV site and download a fix for the malware they got.
     
  4. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    In the beginning, when HIPS came out, I went crazy with them and I tried quite a few of them. My first one was Process Guard and I must say I learned quite a bit about my computer with it.

    Then I had OA, SSM and more recently EQSecure. To be honest I don't think any of them ever saved me from tragedy, but it was fun playing with them.

    Lately I removed all my Security Software, including my AV and rely solely on DefenseWall as my primary security.
     
  5. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Honestly, no. I started using HIPS right about the same time I moved to Firefox and K-Meleon. While my AV caught a few things prior to having Firefox, the only thing DSA, AppDefend, et al. caught was me trying to install legitimate software.
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    In the brief time I used a HIPS (EQS 3.41 with Alcyoun's ruleset), it didn't save me from an actual tragedy, because of 2 things:
    1.- Returnil always watching my back
    2.- Safe surfing 99% of the time

    If I had felt I needed it I would still use it.

    But, it was really useful to know what was happening. For example, once I downloaded a program for something I needed, and when I installed it, EQS warned me of a lot of executables being placed in system32. If I had not used EQS at that time, maybe I might have decided to permanently install that software. I don't know if those files were malware; Returnil did its job back then.
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    My answer has to be no, but then I only installed a HIPS program in Nov 06 and got bored by Jan 07 as nothing ever happened, so I uninstalled it. To be fair, AV and AS and software firewalls never saved me either, primarily because I have never been attacked.
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    My HIPS saves me from stuff I do not want on my computer at least once every few days. I trial lots of software. I do not like programs that try to do schtuff like: (1) putting themselves into start-up without asking my permission, (2) trying to create a service behind my back, (3) assuming that I want their icon in my system tray, (4) requiring me to register or "activate" before a trial, (5) trying to call home without permission during or after install -- etc etc etc.

    My HIPS alerts me to crap-o-la like that, so I can kill the trial before it ever starts.

    As to saving me from tragedy -- yeah, a few times, long ago, System Safety Monitor saved my bacon. That was before I got Image for Windows (IFW). With IFW, my current HIPS doesn't save me from tragedy -- rather, it saves me, at times, from inconvenience. Also, it enables me to block schtuff like wuauclt.exe from running when I do not want it to do so. It also covers me on monitoring outgoing connections since I do not use a software firewall (I have a NAT/SPI router).

    Bottom Line: A HIPS has much more utility than merely serving as a security layer. HIPS are VERY handy for exercising granular control over computer activities that, while not malware-in-nature, can slow things down & clutter one's system with ap-cray.

    Further, the issue of whether or not a HIPS has actually "saved me from tragedy" is simply beside the point. I have never had to make a claim against my fire insurance or collision insurance, but I renew the policies anyhow. No one has ever attempted to break into my home, and my neighborhood is very quiet. Even so, I lock my doors at night. I keep strong batteries in our smoke detectors, I lock my car doors, I carry a kuboton at all times, I use secure passwords. These are common sense safety practices. It would be very foolish for me to say, since none of this has yet proven to be needed, I will just go la-la-la blithely around, bragging to everyone how little concern I have with security.

    Those who are careless & arrogant about not needing security are the reason why insurance premiums keep going up, more & more malware proliferates, etc. Those kinds of people are making things easier for black hats and tougher for the rest of us.

    The adequacy or inadequacy of one's security is never proven until it is breached. The fact that it has not yet been breached proves exactly NOTHING. Ancient Samurai saying: "After victory, tighten your helmet cord & sharpen your katana."
     
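bellgamin's list above (programs putting themselves into startup, creating a service behind the user's back, calling home during install), together with HURST's earlier note about an installer dropping executables into system32, is essentially the rule set of a classical HIPS. The following is an added example, not code from any product named in this thread and not the posters' own: a minimal rule engine in Python run over a handful of constructed Sysmon-style event lines. The field names, event IDs, file paths and the trust list are all assumptions made for the example. Anything an untrusted image does that matches a rule produces an alert; an image the user has already approved stays silent.

```python
"""Added example: behaviour rules of the kind a classical HIPS alerts on.

Not code from the thread or from any product mentioned in it. The event
lines, paths and trust list below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample events (not real logs). The flat 'k=v|k=v' format and
# field names loosely follow Sysmon: EventID 1 process create, 3 network
# connect, 11 file create, 13 registry value set.
SAMPLE_EVENTS = """\
EventID=1|Image=C:\\Users\\bob\\Downloads\\trialsetup.exe|ParentImage=C:\\Windows\\explorer.exe
EventID=13|Image=C:\\Users\\bob\\Downloads\\trialsetup.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\TrialHelper|Details=C:\\Program Files\\Trial\\helper.exe
EventID=13|Image=C:\\Users\\bob\\Downloads\\trialsetup.exe|TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Services\\TrialSvc\\ImagePath|Details=C:\\Program Files\\Trial\\svc.exe
EventID=11|Image=C:\\Users\\bob\\Downloads\\trialsetup.exe|TargetFilename=C:\\Windows\\System32\\trialhook.dll
EventID=3|Image=C:\\Users\\bob\\Downloads\\trialsetup.exe|DestinationIp=203.0.113.10|DestinationPort=443
EventID=3|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|DestinationIp=203.0.113.20|DestinationPort=443
EventID=13|Image=C:\\Windows\\System32\\svchost.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth|Details=C:\\Windows\\System32\\SecurityHealthSystray.exe
"""

# Hypothetical trust list: full image paths the user has already approved
# ("remember this answer"). Anything else gets an alert.
TRUSTED_IMAGES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
}
_TRUSTED_LOWER = {t.lower() for t in TRUSTED_IMAGES}

# Rule 1: autostart entries under the Run* keys.
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.I)
# Rule 2: a new service binary registered via ImagePath.
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
# Rule 3: files dropped into the system directory.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64)\\", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    detail: str


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; values may contain '=', so split once."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if the event matches a rule and the actor is untrusted."""
    image = event.get("Image", "")
    if image.lower() in _TRUSTED_LOWER:
        return None  # approved earlier, so no pop-up
    eid = event.get("EventID")
    if eid == "13":
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if AUTOSTART_RE.search(target):
            return Alert("autostart", image, f"{target} = {details}")
        if SERVICE_RE.search(target):
            return Alert("service_install", image, f"{target} = {details}")
    elif eid == "11":
        target = event.get("TargetFilename", "")
        if SYSTEM_DIR_RE.match(target):
            return Alert("system_dir_write", image, target)
    elif eid == "3":
        # Rule 4: any outbound connection from an unapproved image.
        dest = f"{event.get('DestinationIp', '')}:{event.get('DestinationPort', '')}"
        return Alert("outbound_connection", image, dest)
    return None


def scan(text: str) -> List[Alert]:
    """Run every non-empty line through the rules and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alert = evaluate(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image} -> {a.detail}")
```

On the constructed input the installer trips all four rules while firefox.exe and svchost.exe stay quiet because they are on the trust list. That list is what separates a chatty classical HIPS from a quiet one: every "remember this decision" click adds an entry to it, and every entry is a standing exception the user has to have judged correctly.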
  9. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    You forgot to include a cell phone and a Bible in case of emergency. LOL :D :D :D
     
  10. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    No, it didn't save my idiot friend from getting bored and randomly choosing yes/no/yes/no after getting 50 popups from Comodo 2.4.

    15 minutes later the system was completely compromised (the virus scanner had removed 34 trojans before I decided to stop the scan and hit the format button).

    Yes, it has saved me a lot of times. BUT I do think HIPS are not perfect and should be almost completely silent.
     
  11. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    After messing around with Sandboxie, I have ditched all other protection. I did one last final scan to make sure that my PC was clean, and left everything. All I'm keeping is Sandboxie, Ghost Security tools (new add), and Returnil. I honestly don't think I'll need anything else. It's true... those who worry most about their comp are the ones who need the least protection.
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    For that, I recommend Mabutu -- a powerful behavior blocker HIPS that you can configure to be as silent as you like -- unless (of course) the fit hits the shan.

    Regular $29.95, but there's a 20% discount HERE.
     
  13. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    This is really an irrelevant comparison. You have fire insurance because presumably you can not afford to lose your home. It is the outcome that matters, not the probability here. The first law of insurance is never insure what you can afford to lose. As to collision insurance, you have it because it is the law. My car is so old I would certainly not insure it if I wasn't required to.

    I can't speak for others but I don't bother with HIPS, AV, AS...... because (a) I have never been attached and just as importantly (b) any attack would be an inconvenience and far from tragic - a few minutes to restore an image or a reboot if running virtual protection.
     
  14. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Have you any recollection of the threat that was averted?
    (Just curious)
     
  15. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Just a few general comments....
    • For the most part, the downside outcomes tend not to reach tragedy, and often not disaster. Mild to extreme inconvenience is generally what we're guarding against. Let's keep some perspective afoot.
    • A HIPS certainly can minimize the likelihood of suffering the inconvenience of a malware infestation..., or not. It's really the same story with virtually every other security option under the sun. In this regard, they are equivalent. They shift the odds, they don't completely eliminate the risk. The same comment applies if one were (or were able to) layer each and every product available in existence into one massive fortress. The odds are moved, they're moved a little closer to zero probability for a malware infestation, but zero is a state that they simply will not achieve.
    • Long View's comment regarding outcome vs. probability is particularly apt and all too often neglected. I tend to focus on the potential outcome when I balance what I choose to do versus measures I choose to ignore. The probabilities tend to be low enough that they really don't heavily come into the equation. I know that every few years I may experience something (that's my personal rough statistic to date) - zero day, mental lapse, whatever - that could lead to a malware event. I plan for that.
    • From an investment perspective, backup and rapid recovery are probably still undersubscribed aspects of security. I'm using the term security here broadly, in the sense of securing electronic assets (photos, digital music, other digital assets) against loss, which could also include hardware failure or physical theft. That should be as much a focus of security as is attention paid to malicious software, since the outcomes can be identical (hence the protective measures should overlap).

    Blue
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmmmm.... never on the internet, but there are two points valid for me at least.

    1- Whenever I let someone borrow my USB memory stick, it usually comes back infected with some autorun worm. With a HIPS on my system, I am never afraid. I just plug it in, catch the malware and tie it with zip to put in my collection. I know almost all of them will also be caught by an updated AV, but HIPS gives more security here indeed.

    2- With HIPS on my system, I feel secure from rootkits etc. as there is far less chance of a rootkit install without a pop-up.

    Don't forget that I am a very safe surfer. In fact I surf few selected sites only, most of the time. Not that I am cautious, I never needed more actually.
     
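aigle's point about USB sticks coming back with an autorun worm rests on how Windows of that era read autorun.inf from removable media. As an added example (not aigle's code, nor any tool mentioned in the thread), here is a tolerant autorun.inf parser in Python with the checks a HIPS or a careful user would apply before letting Explorer act on the file: which directives launch code, whether the target hides in a folder Explorer normally hides (RECYCLER and friends), and whether the action text mimics Explorer's own "Open folder to view files" entry. Both .inf files below are constructed for the example and the SID-like folder name is made up.

```python
"""Added example: tolerant autorun.inf parser with worm-style checks.

Not code from the thread or from any product mentioned in it. The two
sample files and the RECYCLER folder name are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed: what a vendor's driver stick legitimately carries.
BENIGN_INF = """\
[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

# Constructed: the layout autorun worms used. Junk comment lines and odd
# casing/spacing to trip naive scanners, a dropper hidden in a folder
# Explorer hides by default, every launch directive pointed at it, and an
# 'action' string copying Explorer's own AutoPlay entry.
WORM_INF = """\
[AutoRun]
; 9f3kd0s9 junk
OpEn = RECYCLER\\S-1-5-21-1234\\ise.exe
shellexecute = RECYCLER\\S-1-5-21-1234\\ise.exe
shell\\open\\command = RECYCLER\\S-1-5-21-1234\\ise.exe
shell\\explore\\command = RECYCLER\\S-1-5-21-1234\\ise.exe
action = Open folder to view files
UseAutoPlay = 1
"""

# Directives that make Windows run something.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Folders a dropper typically hides in because Explorer does not show them.
HIDDEN_DIR_RE = re.compile(
    r"(^|\\)(recycler|recycled|\$recycle\.bin|system volume information)(\\|$)", re.I
)
SPOOF_ACTION_RE = re.compile(r"open\s+folder\s+to\s+view\s+files", re.I)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section, keys lower-cased.

    Tolerant on purpose: ignores comments, blank lines, junk without '=',
    stray spacing and mixed case, because worm-written files had all of
    those. Only the first occurrence of a key is kept.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key and key not in entries:
            entries[key] = value.strip()
    return entries


def assess_autorun(text: str) -> List[str]:
    """List the reasons this autorun.inf should not be trusted (empty = fine)."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            findings.append(f"launches code: {key}={value}")
            if HIDDEN_DIR_RE.search(value):
                findings.append(f"target hidden in system folder: {value}")
    if SPOOF_ACTION_RE.search(entries.get("action", "")):
        findings.append("action string mimics Explorer's own AutoPlay entry")
    return findings


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("worm", WORM_INF)):
        print(name, assess_autorun(inf) or ["no launch directives"])
```

The benign file yields no findings (icon and label only); the worm file yields one "launches code" finding per directive, a hidden-folder finding for each, and the spoofed action string. Microsoft later disabled AutoRun for non-optical removable media through Windows Update (2011), which removed the automatic path such worms relied on; the parser is still useful for triaging a stick offline, since the file itself tells you where the dropper sits.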
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Gooood grief, preacher. Buy some glasses. Read! Here is what I wrote...
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Attached to what? :)

    As to never having been attacked being a reason to not use HIPS (or some other security app, for that matter) -- Experience is a great teacher. Unfortunately it sometimes kills its pupils. And -- more often than not -- the final exam is administered BEFORE the lesson is taught.

    I first came to Wilders in order to learn. I continue to hang around so as to learn even more. I suppose that, nowadays, there are others who come here for much the same reason. Thus, I am disappointed when someone seems to offer counsel to the effect that -- "As long as nothing has ever gone wrong, or you have good back-ups, you needn't worry all that much about security."

    If one's personal data is compromised by malware or phishing or whatever, then THAT sad event won't be solved by a simple restore. You can't reboot your way out of identity theft, stolen passwords, etc.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    When I taught elementary school, I sometimes used analogs such as slicing apples to demonstrate basic concepts in fractions. On occasion, some kid would make a comment such as "Mr. B, you didn't cut the apple exactly in half."

    Arguing about the literal accuracy of an analog or parable is a child's game. The main point of my analogies is that it is specious NOT to insure against disaster *simply because* I have not recently experienced a disaster. (Now I suppose someone will ask, "Do you insure against elephant stampedes, as well?")

    Ah well, objecting to nit-pickers can sometimes get me into trouble -- as it did for little Johnny...

     
    Last edited: Aug 20, 2008
  18. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    No HIPS has ever saved the day for me; in fact, the matter is no other security app has either.
    At this point almost every disaster I have experienced was of some sort of security software, or software in general, or hardware.
    The only thing that's ever really saved me every time was recovery images or backups.
    IMO the most important thing is to be able to recover important data or once-in-a-lifetime photos of my family/children etc., and IMO it is priceless.
     
  19. SYS 64738

    SYS 64738 Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    130
    So far, I wouldn't say that HIPS saved my ass really; rather I have to admit that I use it for things like blocking unwanted web access, installation of drivers, unwanted execution of MS mail programs, etc., etc. So, I use HIPS more in this sense to have control over what applications want to do on my system. Don't know if it ever saved me from anything, but I certainly know what I do not want any unknown application to do on my system.
     
  20. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,214
    If you lose your money through cybercrime it could be tragic (unless you are a millionaire). If someone steals your identity and details for some kind of scam, it could be tragic too (it took years for some innocent people to clear themselves from police investigations, lawyers fees).

    I stopped doing online banking out of fear, but I still use my credit card online which presumably could get me into trouble. It will probably never happen but the possibility is there. That's the reason that I run some kind of HIPS(which is particularly important for me as I stopped using antivirus programs).

    Saving one's system from malware damage is not always the only security aspect of HIPS, data theft could be disastrous.

    When I had Process Guard on, it blocked several things that could have been potentially dangerous. I've never investigated the issues as I don't have the know-how; I tend to block things by default and check what happens later. If something is affected, I reboot the system or restore an image depending on the perceived gravity of the situation.
     
  21. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    The do-not-to-dos for me are: no online banking and never enter my SS#. Anyway, that information still exists on us at the bank, at the IRS, at the major CBs, in computers and on paper. What's stopping hackers from getting it from the banks' data, or perhaps Uncle Sam's?
     
  22. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Yes, serious situations can arise. They can arise in any context. However, should one live their life according to a collection of worst case scenarios or through a rational consideration of risk and benefit? Further, more to the topic of this thread..., each time an antimalware program issues a valid alert does not mean that it has necessarily saved you from a tragedy. More likely than not, you've been saved from inconvenience. That inconvenience is real, and it can be substantial, but I believe that it's important to maintain a pragmatic view of the situation.

    Blue
     
  23. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    ThreatFire HIPS was installed 9 months ago - just checked the statistics:

    Malware blocked=0.

    I am also a sceptic and believe a security fetish may be a nice time consuming hobby,but achieves little of value for most users.

    Everyone has a backup app for use in emergencies.

    Online banking and share trading is also carried out-no problems or concerns.
     
  24. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    2 minor points: (1) Threatfire is not a full-scope "classical" HIPS. Rather, TF is a behavior blocker -- an "expert system" that mostly bases its actions on what its programmers configured it to do. Those "defaults" are largely invisible to, & unadjustable by, the user. As an expert system, TF pops fewer alerts requiring user input than is the case for a classical HIPS. (2) A classical HIPS does not block much of ANYTHING on its own, unless commanded/configured to do so by the user. It has few defaults, & most or all of them are visible to, & adjustable by, the user.

    By the way, I am commenting upon frequency of alerts requiring user attention -- NOT that the amount of malware knocking at one's door is necessarily denoted by the number of alerts popped by one's HIPS.

    If TF has spotted no malware attempts at Coo's system in 9 months -- may the Force *stay* with him. I suppose I must be one of those who Coo regards as having a "security fetish" inasmuch as I run an AV and a HIPS, & teach my computer science students to do the same. I now begin to wonder why Coo hangs out here at Wilders, & posts so often, inasmuch as security seems unimportant to his interests or needs. :cautious:

    As for others who swim in more dangerous waters than Coo does -- just be careful not to confuse safe hex, mundane surfing habits, luck, & probabilities with a non-existent need for security.
     
    Last edited: Aug 21, 2008
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    TF is a behavioral blocker, and this topic points specifically, by directing attention, to HIPS exclusively, unless the interpretations of these different types of products have changed recently.

    Speaking on my behalf, for casual safe surfing I normally turn off EQS, which is my HIPS of choice; on the other hand, when researching malware by deliberately entering drive-by download sites or even installing known malware from research sources, HIPS is a WINNER! each and every time, by virtue of its SUSPENDING at once any unknown or foreign potentially malicious file and allowing me to capture it while it is momentarily aborted from proceeding. Enter CUT & PASTE to the malware examination folder.

    It's been a real charm on this end in intercepting such samples for submission to security vendors for possible inclusion in their databases, as well as dissecting them locally for risk behavior.

    EASTER
     