Has your HIPS ever saved you from tragedy?

Discussion in 'other anti-malware software' started by Bob D, Aug 20, 2008.

Thread Status:
Not open for further replies.
  1. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Bellgamin does seem to enjoy his little raves of sophistry, so why deny him, even when he hasn't a clue of the other person's actual level of security.
     
    Last edited: Aug 21, 2008
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I don't know how much SSM (System Safety Monitor) has intercepted or prevented during normal usage. I run it with the UI disconnected so there are no prompts. When trialling software, it has alerted me to unwanted behaviors or changes I wouldn't have been aware of otherwise, resulting in my killing the install process and restoring to the previous state. There's no way I can determine if the results would have been tragic or just undesirable should the install have been allowed to finish. I only know that the changes the apps tried to make were unwanted.
     
  3. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I've had a couple of saves from System Safety Monitor. I was trying out some software from an unknown site when SSM pops up a warning that this piece of software is trying to gain low level disk access, which is not what this particular bit of software should be doing. Then in a similar situation I was trying out some more unknown software when SSM pops up that this software is trying to terminate certain processes which I knew it shouldn't be messing with.

    It's definitely not every day that something like this happens but it has shown me the benefits of HIPS.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Let's please stop discussing other members. Inappropriate!!!!

    Pete
     
  5. Ohmy

    Ohmy Guest

    I don't know if HIPS ever saved me from tragedy,
    because I never had one.
    However, I still use it,
    because I might have it later on.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To answer the question: I'm not really sure, but I wouldn't be surprised if it did. Like others have already said, I use HIPS for protection against drive-by attacks (sandboxing) and to keep total control of the system; this means that you get to decide what software is or isn't allowed to do.

    Quite a few times in the past I have seen questionable behavior from certain apps so I ditched them immediately. I'm not really sure if HIPS have ever stopped a drive-by attack (I run HIPS mostly in silent mode) but I wouldn't be surprised. I think it's likely that I don't even notice most attacks because they can't even start to do their thing when they don't have certain rights (can't execute, can't modify registry/file system).
     
  7. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    DSA saved me from a destructive piece of malware (whose name escapes me) that Nod32 missed. It's stopped a couple trojans that tried to set up shop as well.
     
  8. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    I've done tests and that sort of thing - But it has only saved me one time from malware from a file my friend sent me >.>


    "The same Principle as a condom, I would rather have one and not need it, than need it and not have one"
     
  9. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I was saved once by my DW trial, when I hit a site with that miserable rogue av 2008. The other time was by Sandboxie - not a HIPS - and the same stinking rogue.

    The above were both within a few weeks of each other on supposed low risk sites. I don't do high risk surfing, although it's beginning to seem any surfing is high risk as far as antivirus 2008 or its variants is concerned.

    Since 1996, I've never encountered malware of any kind, until the past couple of months and that thing above.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    I was testing GeSWall and DefenseWall against some drive-by infections. After testing GeSWall and switching to the DW image, I started testing and discovered that I had DW PROTECTION DISABLED.

    ThreatFire intercepted the start up of an executable from an unusual place triggered by a video download.

    Was self-inflicted pain of a test image, so counts.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm feeling more confident in old abandoned CyberHawk since it jumped up and intercepted a drive-by that attempted to add itself to IE Zones.

    After selecting DENY the forced executable was formally TERMINATED.

    What makes this important for me is that at the time I had RTD "disabled" and been waiting and watching for more results & returns than just DLL injections, which it seems to master at. Looks like that gamble with old CH is paying off after all. This is just what the doctor ordered here. Now I know why I always admired this behavioral blocker after it was introduced. Novatix actually formulated several versions/releases, some of which were excellently crafted, others later on not so well.

    This is a very early version 1.1.1.3 and utilizes only 3 drivers. Later versions added another driver making the total number 4. To me this was of some significant concern later because those latter versions were increasing with FPs on even the common items such as notepad, IE, etc. and shortly thereafter DURING complaints by users over its keylogging FPs, PCTools entered the picture. Go figure.

    CHOW :cool:
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I have used several HIPS off and on over the years, and I can't say that any of them ever caught or alerted me to anything that mattered. So no, they have never saved me from any tragedy. On the other hand, I still like them for some reason, and I think they do provide a nice security blanket of sorts. Although now, in Vista x64 I no longer need them.
     