Heuristics & HIPS?

Discussion in 'Prevx Releases' started by ams963, Aug 22, 2012.

Thread Status:
Not open for further replies.
  1. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Hi,

    WSA can act as a HIPS, but then one has to disable all three heuristics: advanced heuristics, age heuristics and popularity heuristics. A suite like CIS or KIS, on the other hand, offers both heuristics and HIPS at the same time.

    Why not offer both heuristics and HIPS at the same time?

    Best Wishes,
    Amit
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    WSA does use heuristics and HIPS at the same time, but it answers the prompts for you based on what the cloud determines. You can raise the advanced heuristics to receive more prompts if you want, but it isn't necessary.
     
  3. ams963

    ams963 Registered Member

    So if I set WSA to warn when new programs execute that are not trusted, the three heuristics become obsolete, right?
     
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    I believe they're still in operation even though you choose the fourth option. I would expect the sliders not to work if that weren't the case. You can still move them even when the fourth option is selected. You'll just get far more prompts, especially if the slider is set to maximum.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    The "warn when new programs execute" becomes a pure whitelist-based protection rather than a HIPS solution. The Heuristics screens are pretty complex but they convey three major different features.
     
  6. ams963

    ams963 Registered Member

    So what should I do to make WSA act as a HIPS? Should I choose the third option in Heuristics instead of "warn when new programs execute"? And if so, what should the settings of the three heuristics be? I want HIPS rather than whitelist-based protection.
     
  7. ams963

    ams963 Registered Member

    I don't think they're still in operation, from what Joe is saying. If WSA acts as a whitelist-based protection product rather than a HIPS when 'warn when programs are executed that are not trusted' is chosen, and if I whitelist an exe file, for example, at the first chance, then what would be the benefit of a warning about a fairly new or recently created untrusted app, or a warning about apps unpopular with the Webroot community?
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    It does take the heuristics into account as the process executes but by definition, any malware would already have produced a warning for the user as it would be untrusted.
     
  9. ams963

    ams963 Registered Member

    How can it take the heuristics into account if I've already whitelisted or blocked an untrusted executable process? Does it warn again on behalf of the heuristics after whitelisting and allowing the executable?

    Also what about:
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    To make it more like a plain HIPS, change the radio button to "Apply advanced heuristics before Age/Popularity heuristics" and then raise them to "High" or "Maximum".

    If you have it set as "Warn when new programs execute that are not trusted", it will prompt any time an unknown program starts. The additional heuristics will still run in the background, however, so you won't lessen protection at all.

    Hope that helps! :)
     
  11. ams963

    ams963 Registered Member

    Really? I thought it would be the other way round. That is, applying advanced heuristics after Age/Popularity heuristics would do the trick to make WSA a HIPS. Hmm... you must be right. After all, it's your product. You would know it better. :)
     
  12. ams963

    ams963 Registered Member

    What will the additional heuristics do running in the background? Rather why should they run in the background?

    Let's say WSA prompts as A starts as an unknown app. I whitelist it. Then A is allowed to start and run. If the three heuristics are running in the background, they will also prompt if they find anything, right?

    The popularity heuristics become obsolete in that case, as I don't need to know what the Webroot Community thinks of the app when I've already whitelisted it. What would be better is showing what the Webroot Community rates the app at the same time as WSA prompts when A starts in the first place, much like Emsisoft Antimalware does.

    Age heuristics also become obsolete. If A starts for the first time and wants to run, WSA's 'warn when new programs execute that are not trusted' will prompt and I'll either allow or block it. If I allow it and whitelist it, there's no need for age heuristics, as it prompts for recently created or modified files. If I block it, then there's also no need for age heuristics.

    That leaves Advanced Heuristics. I'm not quite sure how it works. But it would be redundant too, however it works.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Yes

    The "Webroot Community" isn't based on what users allow/deny - it's cloud-based protection which determines the intent of files itself rather than being reliant on user feedback. Popularity is an important metric as it tells WSA how to handle programs that have been seen by only a few users.

    To clarify - Age/Popularity apply world-wide. This technology is useful if you want to block any software that was just released in the last hour, for example, which, by definition, would block any polymorphic malware.

    Even if you use the whitelist mode and allow an application, the advanced heuristics can still block it if it does anything malicious (i.e. if it was a trojan horse in a seemingly benign game, for example).

    Hope that helps!
     
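The following Python is an added example, not code from this thread or from Webroot. It models the decision flow described in the post above: the cloud's verdict first, then the user's whitelist, then age/popularity heuristics whose thresholds follow the slider positions, plus a separate behavioural check on "core system areas" that still fires after the user has allowed a program (the "advanced heuristics can still block it" case). Every threshold, field name, protected path and sample file is a constructed assumption for illustration, not WSA's real rules or telemetry.

```python
# Toy model of "warn when new programs execute" (whitelist mode) vs. the
# age/popularity/advanced heuristics. Thresholds, field names, protected
# paths and rule order are assumptions for this example, not WSA's engine.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"   # hand the decision to the user (HIPS-style)

# Slider positions -> thresholds (assumed values). None = heuristic off.
AGE_SLIDER = {"low": None, "medium": timedelta(hours=1),
              "high": timedelta(days=1), "maximum": timedelta(days=7)}
POPULARITY_SLIDER = {"low": None, "medium": 10, "high": 100, "maximum": 1000}
# "Core system areas" watched by the advanced (behavioural) heuristic; assumed list.
PROTECTED_TARGETS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"C:\Windows\System32\drivers",
}

@dataclass(frozen=True)
class FileRecord:
    name: str
    cloud_verdict: str      # "good", "bad" or "unknown", as decided by the cloud
    first_seen: datetime    # when the cloud first saw this file anywhere world-wide
    prevalence: int         # number of endpoints that have reported it

@dataclass
class Policy:
    mode: str               # "whitelist" (warn when untrusted programs execute) or "heuristics"
    age: str = "medium"
    popularity: str = "medium"
    user_whitelist: set = field(default_factory=set)   # files the user has allowed

def age_popularity_verdict(rec, policy, now):
    """Age/Popularity heuristics: prompt for files that are brand new or rarely seen world-wide."""
    max_age = AGE_SLIDER[policy.age]
    min_prevalence = POPULARITY_SLIDER[policy.popularity]
    too_new = max_age is not None and now - rec.first_seen < max_age
    too_rare = min_prevalence is not None and rec.prevalence < min_prevalence
    return Verdict.PROMPT if (too_new or too_rare) else Verdict.ALLOW

def execution_verdict(rec, policy, now):
    """Decision taken when a process starts."""
    if rec.cloud_verdict == "bad":
        return Verdict.BLOCK        # known malware: blocked regardless of settings
    if rec.cloud_verdict == "good":
        return Verdict.ALLOW        # cloud-trusted: no prompt, no heuristics needed
    if rec.name in policy.user_whitelist:
        return Verdict.ALLOW        # the user already answered a prompt for this file
    if policy.mode == "whitelist":
        return Verdict.PROMPT       # pure whitelist: every untrusted program prompts
    return age_popularity_verdict(rec, policy, now)

def behaviour_verdict(actions):
    """Advanced heuristic on core system areas; applies even to user-allowed programs."""
    for action in actions:
        if action["op"] == "write" and action["target"] in PROTECTED_TARGETS:
            return Verdict.BLOCK
    return Verdict.ALLOW

def demo():
    """Run the model over constructed sample files; returns {case: verdict string}."""
    now = datetime(2012, 8, 22, 12, 0, tzinfo=timezone.utc)
    dropper = FileRecord("dropper.exe", "unknown", now - timedelta(minutes=20), 3)
    tool = FileRecord("tool.exe", "unknown", now - timedelta(days=400), 50_000)
    evil = FileRecord("evil.exe", "bad", now - timedelta(days=2), 900)
    hips_like = Policy("heuristics", age="high", popularity="high")
    whitelist = Policy("whitelist")
    results = {
        "heuristics/dropper": execution_verdict(dropper, hips_like, now).value,
        "heuristics/tool": execution_verdict(tool, hips_like, now).value,
        "heuristics/evil": execution_verdict(evil, hips_like, now).value,
        "whitelist/tool": execution_verdict(tool, whitelist, now).value,
    }
    whitelist.user_whitelist.add("tool.exe")   # the user clicks "allow" at the prompt
    results["whitelist/tool-after-allow"] = execution_verdict(tool, whitelist, now).value
    # The allowed program later writes an autorun key: the behavioural check still fires.
    autorun = [{"op": "write", "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"}]
    results["whitelist/tool-autorun-write"] = behaviour_verdict(autorun).value
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30} {verdict}")
```

Running `demo()` shows the two points the post makes: in heuristics mode an old, widely seen but cloud-unknown tool runs silently while a 20-minute-old, three-endpoint dropper prompts; in whitelist mode even the old tool prompts once, and after the user allows it the behavioural check on protected areas still blocks an autorun write.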
  14. ams963

    ams963 Registered Member

    Oh, now I understand it better. Thanks for clearing up my misconceptions. :)

    So now that we understand the three heuristics will operate in the background and protect my PC when 'Warn when new programs execute that are not trusted' is applied, do you not think it's better to apply that option than just 'Apply Advanced Heuristics before/after Age/Popularity Heuristics'? Those options offer only heuristics, not whitelisting, whereas 'Warn when new programs execute that are not trusted' offers both whitelisting and the heuristics. I mean, it should increase the protection, right?
     
  15. ams963

    ams963 Registered Member

    One more thing, you've explained Age and Popularity heuristics in excellent ways.

    Would you care to explain how Advanced Heuristics works?
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Yes, but it will also increase warnings/prompts and the dependency on user decisions.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    It's a combination of heuristic protection on core system areas as well as centralized heuristics which use a different set of rules to help identify malicious changes.
     
  18. ams963

    ams963 Registered Member

    Ah okay, thanks. I use OA on another PC. I've always used HIPS in the form of either OA or Comodo D+, so more prompts and increased dependency on user decisions are no biggie.
     
  19. ams963

    ams963 Registered Member

    What exactly is this centralized heuristics? And where do the rules come from? From Webroot Community?
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    It's the cloud database/intelligence network. WSA is built on an infrastructure which analyzes the data sent by the agents and makes decisions automatically and with human assistance. The rules are written both by the system itself and by human researchers.
     
  21. TonyW

    TonyW Registered Member

    Amit, you might be interested in this quote from a PC Mag article published last year:
     
  22. ams963

    ams963 Registered Member

    Ah thanks a lot. Now I get it. :D
     
  23. ams963

    ams963 Registered Member

    Thanks Tony. It's much clearer now.:)
     