HIPS Crazy

Discussion in 'other anti-malware software' started by WilliamP, Dec 18, 2005.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I don't know what is going to happen to our systems with all the HIPS programs trying to check everything. It seems that everything wants to cover it all. I have Ewido and Online Armor plus Counter Spy. I have shut down the real time on CS and Ewido because I feel that OA is enough. I had to shut down OA's E-Mail check because NOD and OA were just about stopping my E-Mail when someone sent some pictures. This in some respects is fine but I don't like putting all my eggs in one basket. I know that even if you shut down something it can still cause conflicts sometimes.
     
  2. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    roflmao! pictures!

    Well, most of us subscribe to the theory that it's better to be safe than sorry. :/

    I for one am about to go for the minimalist approach. Though it frightens me to do so.
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    sosaiso,

    While minimalist means many things to many people, if what you are about to do frightens you, that's a signal that you're treading on ground that requires additional preparation before walking down the path. If you fully understand the technical reasoning behind the steps you are taking, fear should be absent. Fear is like pain; it's often a signal to go slowly and deliberately.

    Blue
     
  4. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    hai. I totally agree BlueZannetti. That's why I am lurking around this forum trying to pick up the tips on how to go about things.

    Well, it's not that I really want to go minimalist, but some of these programs are resource hogs. :/
     
  5. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Personally, I think it's crazy that people feel the need (or have to) to install 3, 4, 5, or 10 different security programs to protect themselves.

    Installing multiple programs trying to do the same thing at the same time will cause collisions between them, and generally sag performance.

    For example, imagine two gnomes trying to unload some watermelons (for some reason watermelons come to mind) through a narrow passageway.

    While there are two, it's pretty easy for them to co-ordinate and keep out of each other's way. Then, we add a third. And another, and another. Then, a special gnome who has the job of just grabbing a certain size of melon.

    Suddenly, you have a swarm of gnomes all trying to do the same thing; they'll be tripping over each other's feet all the time and squabbling over those special melons.

    So, regarding "Everyone wants to cover it all" - well, yes, I do - and I think for a very good reason. To stop the gnomes from tripping each other up and ruining watermelons.


    Mike
     
  6. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    I second the opinion of Mike. Some time ago people seemed to prefer separate specialized security applications in the context of a "layered" approach. In contrast, every application trying to cover more aspects of security was quickly labelled as "bloated" and criticised. I feel, however, that the actual trend is rather self-contained security suites, covering everything from firewall, through AV, to process control. Examples? KIS2006, Bitdefender9, OA, GSS, Safen'Sec, Tiny2005 from a long time already, and many more.

    Is it really bad? I'm afraid that the main problem for you guys is that it gives you a hard time deciding what to choose; otherwise the redundancy and conflicts become just too evident. You are just too attached to programs you have bought some time ago, trying to add new ones that seem attractive as well, and not being able to get rid of anything.

    If you heap up 4, 5 or more applications of this type, all good ones, just imagine their struggle at Windows startup to take their place in the kernel. Even if there are no apparent conflicts, the smallest modification or new installation in your system brings you an avalanche of alert popups. I'm afraid the most likely effect it has is your developing a habit to click OK every time, only to get rid of these popups as quickly as possible. Is this your sense of security?
    Too much security, especially kernel based, is no good, I tell you.

    isnogood
     
  7. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    Ya... HIPS programs can sometimes collide with each other. In the past I tried the Kerio 4.2 with their added HIPS functionality and it crashed; I also tried SSM and it also crashed on my system. And recently I uninstalled the latest ZoneAlarm firewall coz it also affects my pc in a negative way (I think ZA also has some kind of HIPS features in it) :oops:

    I then thought that those things conflict with some of my protection software already installed, and I think I don't need to add more as it becomes too much for my system, as I am already using ProcessGuard and WinPatrol, and I think even Microsoft Anti-Spyware beta has some HIPS features also. :cool:
     
  8. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Have you tried Online Armor?

    Mike
     
  9. Mikkey

    Mikkey Guest

    People only need one HIPS application. Using more than one is just plain silly. Why use Safe'n'sec and Online Armor? Defencewall and Bufferzone. Or even using three or four of these at the same time! I use Online Armor. That's it! Why would I want to use Safe'n'sec as well? Does Safe'n'sec cover things OA doesn't? Well maybe, and so if it's important then I should uninstall OA and install Safe'n'sec. But no, I chose OA because of what it does do. I chose only one HIPS, the one that does most for what my circumstances require.

    I'd like to also comment that OA's icon disappears from my system tray. This is because I have my XP preferences set to hide inactive icons. So OA uses so little resource that the icon "goes to sleep". But when I run a new application or encounter a suspect ActiveX, OA jumps in immediately. Why bloat when you can float!

    M.
     
  10. Well the problem is OA covers things Safe'n'sec doesn't and vice versa. :)

    We are in a security forum, where daily, we read about yet another new 'threat', new 'exploit', new 'Proof of concept' that defeats some security software. Vendors try to differentiate themselves by releasing 'tests' that only their software can defeat. People like me are thrown into confusion.

    Is the threat highlighted by a vendor's test, valid? Is it likely? What other circumstances would it require before it could hurt you? Would other layers protect you? Would defeating the test require a greater cost than you are willing to pay in terms of ease of use?

    I'm certainly not expert enough to answer most of these questions, when experts argue and can't even agree on say the importance of 'leak tests'.

    So if all threats loom as equally likely in my eyes, to play safe, I just get all the software, so I can cover all the bases and beat all the tests. Of course, I still don't like duplication, so if I know for sure 2 features are exactly the same (as far as I know), I hope that at least one can be turned off.

    This is the main reason why traditionally this forum consists of members who prefer control, rather than suites. And even within each app, we generally prefer software that allows granular control, so you can shut off features piece by piece. For example, some people like both SSM and either PG (or maybe AppDefend now), but turn off PG's exe monitor in favour of SSM's one, which has more control.

    Of course, there's a minority school here, who justify HIPS Madness on the grounds of redundancy. In which case, they don't feel the need to turn off duplicate functions.

    OA alone is hardly enough, since you can misclick on prompts; if you run it with AppDefend, you get a second chance. So goes the reasoning. Perhaps Mike can recode OA to prompt the user TWICE (or more of course, configurable) to allay such concerns. :)

    I'm kidding of course, redundancy is more than that. If some superhacker manages to down OA, he still needs to get past Safe N Sec AND AppDefend.

    HAHAHAHA
     
  11. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    No, he would not need to do anything except try to trigger as many alerts from your security arsenal as possible. This will drive you nuts, not being able to answer all the popups, and your PC will be hosed even more efficiently than if you'd been running with no security at all :D

    isnogood
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    I don't agree. Let's say his program were to unleash 10 programs, each of which unleashed 10. Or whatever.

    He does something clever and gets by OA. Then SnS pops up with its first challenge. I don't have a clue what it is or why, so I block it, and SnS shuts it down. It never gets to AppDefend, and how does it get to do the rest of its stuff? I'd be curious, isnogood, how you think it would work.


    Pete
     
  13. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Sweater,
    All three of those programs you first mentioned (Kerio 4.2, SSM and ZAP 6.x) have had, or in some cases still have, "issues" with their kernel drivers that cause instability and crashes. I have encountered some of the bugs in the Kerio 4.2 drivers and seen reports of the issues with SSM and many reports about ZA 6.x.

    Sometimes the answer isn't as complicated as layers of programs (or gnomes) causing problems. All programs have bugs, it all depends on how you use your computer as to whether you will run into them.

    A good measure of a company is how long it takes them to accept that they have a problem and then fix it. Another thing to look for is the relative experience of the company in the field, it takes a while to figure out the undocumented kernel interfaces and interact with them in a stable way.

    New entrants to the HIPS market have a steep learning curve, and that doesn't make their offerings bad; there might just be more bumps in the road. There is also a distinction between those vendors that have a usermode implementation and those that have been implemented as a kernel driver. People have varying opinions about which is better, and I think that the separation of privileges between user mode and kernel mode would make it harder for malicious software to bypass kernel based HIPS.
     
  14. Peter, get a grip, he's joking!
     
  15. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    :D :D :D it was a joke, Pete. But I really believe it may work. Someone will go nuts with these popups one day, it's likely!
     
  16. simple_user

    simple_user Guest

    Multiple security programs make me think of running multiple encryptions on the same file. How many locks do people usually put on their front doors? Probably that number is less than the number of security programs they may be running on their PCs. :)
     
  17. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I started this and I feel there have been some good points made. I have put a lot of faith in OA and will continue to do so. But I am interested in what the other programs are doing. If I feel something is better for me, then I may change. I have Ewido and use it to scan. It also is supposed to become hippy. Will just have to wait and see. There have been some great improvements in security programs lately. The one area I am lacking is registry. Tried AppDefend with RegDefend on my old computer. Got too many popups. The pictures I was referring to in my E-Mail were for a family member. So I knew they were ok. In regards to the registry, with PG, OA and NOD running all the time, how is something going to get to my registry?
     
    Last edited: Dec 19, 2005
  18. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    This was sort of the point I was getting at when I mentioned that making a single product do more "stuff" is a good idea.

    Some people feel the need to install multiple programs because they know the risks, they have measured them and they would rather the inconvenience of multiple popups than the loss of data. They are fully aware that their setup has multiple protections for the same event, and that is the way they would want it. Pete falls into this category - he's had to recover a hosed system, and prefers a good backup, and a couple of chances.

    The group that I am concerned about is the group that *feel* they have to install every security program to feel safe. You know, you'd best get RegDefend, PG, OA, Sns, Spywareblaster... oh, and a hosts manager because someone said that was a good idea, and AppDefend is by that RegDefend guy and his stuff is really good... best get that too.. and the MS one is good as well... Oh, and a personal firewall with Hips... and they have not a clue what they are buying, or why, just a feeling that if they don't they'll be screwed.

    They then have an issue with popup hell, conflicting apps, and an unstable system. And, these are the people who are least capable of dealing with such a situation. I'd say 90% of my support relates to resolution of application conflicts. Sometimes, I wish I could take the MS approach and recommend(require) that other software is removed :D

    sosaiso made the comment he is going for a minimalist approach, and Blue raised the point that if sosaiso is feeling frightened, then perhaps he ought to tread carefully. It would be very interesting to know what sosaiso considers minimal.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Maybe others would post also, since I'm finding more people opting for a minimal setup. Mine:

    Firewall
    Anti-Executable
    Deep Freeze


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  20. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    Hi Mike,

    As for myself I am really looking forward to the release of OA Version 2.0. Then, if it is as good as expected, I will run only OA, NOD32, and my Router of course. ;)
     
  21. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    I'm already running just OA and a router :)

    Back to WilliamP's original question: I think all of the vendors in one way or another will extend their offering to make "suite-like" products.

    Then, it comes down to the user to choose which they prefer, and if they want more than one, whether they are compatible.

    It wouldn't surprise me, for instance, if the new DCS product is a consolidation of PG, Worm Guard, and their part-developed TDS-4 technologies with some new stuff thrown in as well.
     
  22. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Hey Mike, how about my question. Running NOD, PG and OA, how can something get to my registry? Is it possible if I don't allow it?
     
  23. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    I think an AV and a firewall are minimal. Maybe a backed-up hard drive? But well, this is from ditching things like Adaware, Spybot, resident registry protection, AntiHook, etc. It's going to be a long time before I start ditching the rest of my resident programs. But eventually, I hope to get my processes below say... 35? :/

    But maybe I will look into just running ZA Pro and OA? Oh, the possibilities. :D
     
  24. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi William,

    Well, a program needs to run to update the registry, or a script needs to run. Or, you need to be tricked into double-clicking a .reg file (which would give you a warning anyhow before it added it).

    So, provided you're busy blocking everything, I can't see a way on the surface.

    Most of the risk comes from inadvertently allowing things. Once you allow them, they can sorta do what they want.

    As far as your protection goes, both OA and PG would warn of something trying to run. NOD32 would also have done/do a scan to warn if it looks dodgy.

    Hope that helps


    Mike
     
  25. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I personally don't consider these minimal in the sense that they could be lacking. Deliberate options were weighed and decisions were made to arrive at this endpoint. The same applies with Antarctica considering (OA v 2.0/NOD32/router). I don't see anything fundamentally lacking in such a setup. It could be made stronger or weaker with some alternate decisions, but that wouldn't leave you lacking.
    I'm not sure if I'd recommend this one for the masses, personally I'd back it up with an AV as mentioned by Antarctica. As for myself, while I've noted it elsewhere, between 6 boot partitions on 5 distinct machines, the basic configuration is:
    • router
    • NOD32 (2)/KAV WS 5.0 (3)/KIS 2006 beta (1)
    • BOClean (6)
    • SafenSec (5)/ RegDefend & AppDefend (1)
    • LooknStop (4)/Outpost Pro (1)/Firewall from KIS 2006 beta(1)
    I view the 4 distinct configurations covering these systems as equivalent and as aggressive as I'd ever want to contemplate. OA could be a switch out for SnS or AD/RD. The KIS system does not have the Proactive Defense module installed (AD/RD is used in that case). As for whether it is too much, that's a reasonable question. My answer would be that over the past 6 months or so each component except for the firewall has uniquely flagged either verified malware or a verified malware based activity, so while there is backup, it is not idle backup simply poised for action that never arrives. Also, in keeping with this anecdotal observation, if I were to remove a piece, it would be the firewall, but I don't see a need at the moment since system drag is really not observable on these systems as configured. Does a simple user absolutely need this level of coverage? Probably not.

    Blue
     