HIPS/AE for Vista

Discussion in 'other anti-malware software' started by NoHolyGrail, Aug 13, 2010.

Thread Status:
Not open for further replies.
  1. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    Which free HIPS programs for Vista are available and which are most similar to ProcessGuard and AppDefend?

    I've been using Online Armor, but it's too unstable. I haven't been able to find a configuration that does what I want without crashing regularly. The main features I'm looking for are anti-executable (whitelisting) and controlling applications' access to internet (outbound firewall).
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    comodo D+;)
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @Noholygrail
    You can use ThreatFire for it. It has two pre-defined custom rules to realise this. For your comfort edit the descrition and explanation of those rules.
    see Outbound rule (use in combo with inbound windows FW protection) and Launch control custom rule.

    You can change the launch control rule of threatfire by using the except clause (the user interface will assisit you to add this). With except clause you could allow all programs in windows and programs files directory to launch. For those processes you still would have the behavioral analysis/blocker part of ThreatFire to watch your back.

    By head the launch control should read like

    When any process
    tries to access [execute] a file
    which looks like an executable
    except when the
    [v] the process is in the system process list
    [v] the process is in the trusted list
    [v] the target file is in the folder
    (Select this option, the first two should be on by default, now you are prompted to add folders, select windows and program files)
    C:\Windows or C:\Program Files


    The default outbound is OK, only give it a more clear description and name


    @Jmonge,
    Have you played with this variant?
     
    Last edited: Aug 13, 2010
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Malware Defnder :thumb:
    Comodo D+ too!
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    kees which one?threatfire?
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, using ThreatFire as a smart ProcessGuard with outbound protection.

    Funny thing is when you use TF as FW/AE it is easy to use, You just have to make ome precautions
    A) in the settings select a windows restore point before Quarantaining
    B) start an internet application (after you have activated the outbound rule, de-activate and re-activate TF to reread the rules data base) and kill it. Now start this application again: TF will ask you whether you want to quarantaine Explorer, set Explorer to allow plus remember. This is because you lanunched a just killed application, TF thinks explorer is infected also :argh:

    Okay now you have a Deny Execute and Outbound warning, but most malware works like this

    1. An executable is silently dumped as with some hidden executables

    2. Through clickjacking or social engineering this executable is launched

    3. The silently dumped executable moves the other executables (e.g. hidden as tmp file in TEMP dir of your Recycle = waistbin directory) to places it survices reboot

    4. Another executable may be launched which tries to get one the executables into an autostart location. This launch is often an intrusion to get temporary elevated rights (e.g. injecting a process with enough rights to access autostart locations)

    5. After reboot steps 3 and 4 may repeat to increase rights obtained until you are pawned, without knowing.

    6. This programs uses you as a bot or runs away with your data


    Analysis
    a. By nature a behavioral blocker will at process intrusions, changing an existing executable in a suspicious way etc. So with TF and no custom rules you are protected against step 4 and 5.

    b. With the extra outbound rule a you are protected from 6

    c. With the extra Anti Executable rule you are protect from 2.

    So steps 1 and 3 in the average intrusion process could have some extra rules

    Dropper protection extra custom rule
    When any webbrowser
    tries to access [create] a file
    which looks like an executable
    except when
    [v] the target file is in the folder
    Enter your download folder

    So now it is harder for malicious javascript to drop executables (protection against 1).


    survivor - payload preperation protection extra custom rule
    When any process
    tries to access [write] a file
    which looks like an executable
    in folder (Recycle bin]
    except when
    the process is a system process or trusted process

    Offcourse explorer and ccleaner are flagged once, just allow and remember them. Now you have protection against step 3 also.

    Malware has a hard time busting TF with 4 custom rules (of which 2 ae predefined)


    Cheers
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    yes i did tested before and i like it alot but it slowed my browser down:) but it was good when i tested againts malware it did very well:thumb: :thumb:
     
  8. Mihail Fradkov

    Mihail Fradkov Registered Member

    Joined:
    Apr 12, 2008
    Posts:
    93
    Location:
    St. Petersburg, Russia
    OSSS: Security Suite. Topic here. (You can get free license).
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  10. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    Thanks for all the leads. Threatfire sounds ideal, I will give it a try.

    Also, does anybody know if there a comparison chart somewhere? It would be pretty helpful to have a list of HIPS & Behavior Blockers, with info on OS compatibility, free/pay, and a list of features. Just seems like there's a lot of threads here where people ask for the program to meet their needs, get an approximate list given to them in pieces, and then people ask pinpoint questions to further narrow it down. Would save a lot of time to have a comparison chart.
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    You could try the AE in the Returnil version in my siggy.

    The AE function is available through the start menu. Don't use it fulltime myself but have tried it and it seems quite robust and light. (and free)
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep the Returnil Home version is a decent free disk partitioning application. Its features like AE and AV included are really great. I have had some contact with Coldmoon in the past about offering different levels of settings.

    Something like a scale for the settings

    None: all off
    Light: Virtualisation OFF, AE ON, AV on exec + on write
    Medium: Virtualisation on, AE off and AV on exec + on write
    High: Virtualisation on, AE ON, AV on write only
    Max: all maxed out
    Custom: any combo you would want

    Has that been implemented (yet)?
     
  13. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    Returnil is like Deep Freeze, right? Is it possible to just use the AE feature?
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yes you can just use the AE feature and or slip into virtual mode whenever or not at all.

    The version in my siggy is an older version with no AV engine.
     
Loading...
Thread Status:
Not open for further replies.