HIPS confusion and a few questions.

Discussion in 'other anti-malware software' started by kevinz, Jan 12, 2009.

Thread Status:
Not open for further replies.
  1. kevinz

    kevinz Registered Member

    Joined:
    Jan 5, 2009
    Posts:
    16
    Hi,

    I am new and have been reading the forums a lot lately. What I am a little confused about is the HIPS stuff. I have been reading about DefenseWall and trying to figure out exactly what the difference or advantages it would have over Comodo Defense+, which is also a HIPS? o_O

    From what I can tell, Defense+ simply won't let anything run that isn't on a safe list I set or give permission to? But once I say ok or put it on the list, anything is fair game? With DefenseWall you set what programs are allowed to make changes, and the others are untrusted, and any changes untrusted programs make are virtual and can cause no harm? Or am I totally off here?

    Also in regards to something like SBIE, which if I understand correctly... Anything you run inside its sandbox is totally contained and can cause no harm while inside? Is anything inside the sandbox able to be scanned by the realtime protection? (Even if it can't get out, it would be nice to know if a site had something bad.)

    Also in the case of SBIE, if I were to do all my browsing inside of that and I did want to save certain files that I felt were safe, I see you can recover just those files. When doing so, do you risk letting anything else bad in the sandbox at the time out? Or is it truly just the file you allow out, and everything else is still held back to be cleared later?


    My current setup is: realtime: NOD32, Superantispyware Pro, Comodo firewall (custom policy mode) and Defense+ (Safe Mode). Granted, I still need to read up more on Defense+ to understand everything and use it properly.

    On demand I have A-Squared free and MBAM

    Thanks, appreciate any help. :)
     
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    Yes, Comodo Defense+ is also a HIPS. A HIPS generally has many modes to set. The surest mode to use a HIPS in is "block and alert on everything that is not previously allowed or that is going to do something not previously allowed", and naturally Comodo has this mode too. For your security, it would be better to set Defense+ in "paranoid mode"; the best would be to set it in paranoid mode, delete all previous rules and make new rules for all applications.

    For your setup - I don't like NOD, but that is my opinion - you have to improve your use of Defense+ and add a sandboxing or virtualising software.
     
  3. tlu

    tlu Guest

    First of all, you should understand that computer security is NOT simply a collection of security tools, as many posters here seem to think. Rather, security is a concept that consists of a few important cornerstones:
    • Always keep your Windows up-to-date by turning on Windows Update.
    • Always keep your applications up-to-date by using tools like Sumo, Secunia PSI or Updatestar.
    • Make sure that you get software only from trustworthy sites - don't install anything just because it looks fancy. Your most important software is brain.exe - use it!
    • Implement a strong security strategy as described on http://www.mechbgon.com/srp/ . It will make a HIPS rather needless. Read also this thread, particularly post #29 and following.
    • Don't use Internet Explorer. If you still want to stick with it disable at least ActiveX in the Internet Zone. Better use Firefox with the Noscript plugin.
     
    Last edited by a moderator: Jan 12, 2009
  4. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I always try to differentiate between programs with different mechanisms to avoid confusion. Once upon a time, the only HIPS around were the kind of SSM or PG. Now there is a whole array of prevention programs and most can be put under the now generic "HIPS" label. So,

    Defense+ = "Classical" HIPS. (You allow or deny everything that wants to run/modify/change).

    Defensewall = policy HIPS. See here of what it does:
    https://www.wilderssecurity.com/showpost.php?p=1383891&postcount=24


    I am afraid there is no way around it. You must read Comodo's help file. In Comodo you give permission for a specific action or group policy. If you give the ok to run, it still can't do just anything, unless you have it as a "trusted application". Each policy in D+ allows for specific rights. "Trusted" is the most relaxed policy, and in that case the process can do pretty much anything. In other policies, though, you will be asked again for actions that you haven't specifically allowed.

    Almost. DW doesn't make "virtual" changes. That's what virtualization sandboxes do. It simply doesn't allow the untrusted to mess with system files or trusted processes, because once you mark something as "untrusted" it is treated as, let's say, a "limited" application by DW and can only do things that won't do harm. It's not virtual, though. If you run a malware under DW, it's still there. It simply can't, let's say, go to the Windows folder and interact with system processes.

    Yes. SBIE runs everything in a virtual environment. It even creates a virtual registry. So your malware can happily modify your registry, but it's not the real one! (Poor malware.) As soon as you delete the sandbox, all is flushed down the toilet. The malware, the virtual registry, everything.

    I think this depends on your scanner. Most likely yes... But I can't say for sure. You must try and see. I know Threatfire can see inside the sandbox, for example.

    It's just the file you allow out. What's in the sandbox, is contained.


    I would put Defense+ in "clean pc" mode if I were you. It will generate pending files from time to time, but it will give fewer pop-ups. Do read Comodo's help file, because if you don't understand well what you're doing, having D+ won't save you from infection. It will only give a false sense of security. Now, if you do read the help file, your setup will be very, very safe.

    If I were you, I would run Superantispyware on demand and I would go for NOD32 + Comodo + Sandboxie for your browser. Or DW for more broad coverage.
     
    Last edited: Jan 12, 2009
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Not exactly. DefenseWall protects files not only in the Windows system folder, but also other files according to an internal ruleset and their extension. Registry keys are also protected according to an internal ruleset.
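As an added illustration, not code from any of the products or posters in this thread, here is a small Python model of the three mechanisms Fuzzfas and Ilya describe: a classical HIPS that asks the user per process and action and remembers the answer, a policy HIPS that lets an untrusted process keep running but denies its writes to protected locations and extensions, and a virtualisation sandbox whose writes land in an overlay that the real system never sees until one specific file is explicitly recovered. The protected-path list, the process names and every file and registry path are constructed assumptions, not DefenseWall's or Sandboxie's real rules.

```python
from fnmatch import fnmatch

# Constructed stand-in for a policy HIPS's internal ruleset of protected
# locations and extensions (assumed for the example, not DefenseWall's own).
PROTECTED_RULES = [
    "C:/Windows/*",
    "HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
    "*.exe", "*.dll", "*.sys",
]


def classical_hips(process, action, allowed_actions, prompt):
    """Classical HIPS: every (process, action) pair not already allowed is
    pushed to the user; an 'allow' answer is remembered as a rule, so the
    same action is never asked about again, but other actions still are."""
    key = (process, action)
    if key in allowed_actions:
        return "allow"
    if prompt(process, action):
        allowed_actions.add(key)
        return "allow"
    return "deny"


def policy_hips(process, target, trusted):
    """Policy HIPS: nothing is virtualised. A trusted process may write
    anywhere; an untrusted one keeps running but is denied writes to any
    target matching the protected ruleset (location or extension)."""
    if process in trusted:
        return "allow"
    if any(fnmatch(target, pattern) for pattern in PROTECTED_RULES):
        return "deny"
    return "allow"


class Sandbox:
    """Virtualisation sandbox: writes always 'succeed' but are redirected
    into an overlay (files and registry alike); reads see the overlay first.
    recover() moves exactly one path out; delete() drops everything else."""

    def __init__(self, real_system):
        self.real = real_system      # dict modelling real files + registry
        self.overlay = {}            # the sandbox's private copy of changes

    def write(self, target, data):
        self.overlay[target] = data  # the real system is never touched
        return "redirected"

    def read(self, target):
        return self.overlay.get(target, self.real.get(target))

    def recover(self, target):
        data = self.overlay.pop(target)   # only this one path leaves the box
        self.real[target] = data
        return data

    def delete(self):
        flushed = len(self.overlay)
        self.overlay.clear()              # malware, virtual registry, all gone
        return flushed


def demo():
    """Run the untrusted-download scenario from the thread through all three."""
    # Classical HIPS: allow 'run' once; a later 'write' is a separate question.
    allowed = set()
    classical_hips("setup.exe", "run", allowed, lambda p, a: True)
    classical_run_again = classical_hips("setup.exe", "run", allowed,
                                         lambda p, a: False)  # not asked
    classical_write = classical_hips("setup.exe", "write", allowed,
                                     lambda p, a: False)      # asked, denied

    # Policy HIPS: untrusted dropper is blocked from system files and .dll,
    # but may still write an ordinary document in the user profile.
    trusted = {"explorer.exe"}
    policy = {
        "sys_dll": policy_hips("dropper.exe", "C:/Windows/System32/x.dll", trusted),
        "user_exe": policy_hips("dropper.exe", "C:/Users/kevin/tool.exe", trusted),
        "user_doc": policy_hips("dropper.exe", "C:/Users/kevin/notes.txt", trusted),
        "trusted_dll": policy_hips("explorer.exe", "C:/Windows/System32/x.dll", trusted),
    }

    # Sandbox: registry write is redirected; only the wanted PDF is recovered.
    real = {"HKCU/Software/Microsoft/Windows/CurrentVersion/Run/Updater": "u.exe"}
    box = Sandbox(real)
    box.write("HKCU/Software/Microsoft/Windows/CurrentVersion/Run/Evil", "evil.exe")
    box.write("C:/Users/kevin/Downloads/report.pdf", b"%PDF-1.4 constructed")
    box.recover("C:/Users/kevin/Downloads/report.pdf")
    flushed = box.delete()

    return {
        "classical_run_again": classical_run_again,
        "classical_write": classical_write,
        "policy": policy,
        "real_after_sandbox": real,
        "flushed": flushed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The point the model makes concrete: under the classical HIPS, saying "allow" to run does not silently allow a later write; under the policy HIPS the untrusted process is really executing, just fenced off from protected paths and extensions; and in the sandbox nothing reaches the real system except the one file you recover, with the rest discarded when the sandbox is deleted.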
     