HIPS Crazy

Discussion in 'other anti-malware software' started by WilliamP, Dec 18, 2005.

Thread Status:
Not open for further replies.
  1. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Yikes! Sorry, I hope that readers don't think I recommend just running OA alone. I kinda know what I am doing, so it's fine for me (and I just tell the wife and the boy "block it").

    When I *do* think OA is right for the "single" security app required, I'll make it more than clear :D
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I must admit that I've used that word in the way that it's appeared in these threads, and I've never felt it was a good description.

    Better, perhaps to say, "running with just a few applications." :)

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  3. StevieO

    StevieO Guest

    I think that if ONLY you use your PC, and that you surf Totally safely and don't take risks, then you could most probably get away with just a fully secured OS and Browser, and the only App being a Properly configured Good bidirectional FW !!!

    If you like to tinker and/or "indulge" a bit, well that's a whole different ball game. So employing the biggest bang for the bucks, and/or for Free, definitely makes a lot of sense in these cases.

    Me, I like to dabble, it's a challenge and can be fun too! But you do learn a lot from the experiences and configuring etc, so I feel it's worth it.

    Over on BBR Link Logger has another interesting experiment going on right now.

    http://www.dslreports.com/forum/remark,15030985~start=40#end


    StevieO
     
    Last edited by a moderator: Dec 19, 2005
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay. But realize someone new to the whole security idea, might just not realize that.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Having run a similar experiment with WIN2K, I decided to try with my laptop which has XP SP1. I set up a dialup connection and a port scan showed all ports closed with the IC Firewall disabled, so I left it connected all night and most of the next day, doing my regular internet work that morning. There were no problems. The only security was Anti-Executable and Deep Freeze.

    As has been said by others, a closed port is a closed port.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Mike,

    It might be a bit of a risk to run only Online Armor on your PC. It is quite simple to write an application which isn't bound by user-mode protection, which means Online Armor wouldn't catch what the application is doing or be able to stop it.

    There is nothing special about this potential application, it doesn't need any special privileges to effectively disable usermode security. If you are interested in the details of why this is possible, please email me.
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Yup, until something new uses an exploit on an app you're using and opens another
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you give me an example of how this "something new" would carry this out?

    Thanks,

    -rich
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hi,
    I second this.
    I find that Firewall, AV and Firefox with a bit of tweaking are enough.
    Out of anal-retentive compulsive-obsessive habits I also have MSAS running because it has the nice William-Tell bullseye arrow target style icon. This is for the machines that are used for 'normal browsing' - this means quite a lot of p2p and pron - and 'normal other activities' - a bit of work and gaming.
    I have machines with heavier setup, but that's for fun and experimenting.
    Knock on wood, never had a prompt about virus / spyware or anything of the sort. But if someone / something wants to 'hack' my computers, I'll format them thin so they can see through the hard disks. Not a big deal.
    About HIPS: they can get boring with the constant alerts and eventually your guard erodes after countless prompts and clicks - HKLM\blahblah has changed, do you want to allow this? Boring.
    However, most people here run multiple HIPS because they like it, I think.
    Besides, HIPS are useless in the hands of an unknowing user. People will run software on their computer if they think they need to, regardless of the prompts. And this comes down to ... experience. If you know what you should run or not, you don't need the background protection to categorize the things for you.
    I think 90% of infections come from users. This or that user downloads some free codec or something, then runs it on their machine. And then they wonder.
    This gives me an idea, I'm starting a new thread....
    Mrk
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Anything communicating with a network (such as the internet) uses a port to do so. Unless you have a firewall, you have no way of controlling that communication and making sure it doesn't go outside normal traffic patterns, which is what SPI and rules are for. Feed one of those programs an exploit (see secunia.com for plenty) and it will behave in ways it's not supposed to, including opening ports that it normally wouldn't. Think IM, media player, antivirus, p2p, etc etc.. you can find plenty of exploits on secunia.com.
     
  11. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Jason,

    Will discuss with you off-list...

    (nice to "meet" you by the way :)

    Mike
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I didn't see anything on secunia other than exploits for IE, which I don't use.

    EDIT: OK, I see what you are saying. I had to search for exploits affecting different applications, but couldn't find any pertaining to applications that I use.

    But I can see how that could affect someone using an unpatched media player, for example.

    Thanks for pointing that out.

    -rich
     
    Last edited: Dec 20, 2005
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Yeah, it can happen to anything.. there are plenty of unreleased exploits as well. Just because it seems safe today, doesn't mean it will be tomorrow :)
     
  14. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    I too gave up on messing too much with HIPS programs. I had some friends over the other day and I couldn't leave them alone using my computer cause the popups would go crazy from Safe'n'Sec, OA, RD\AD, and PG when they messed around with some programs I had not configured yet. I don't mind the OA popups cause they are blocking Active-X but the Safe'n'Sec, PG and RD\AD are another thing, but once you take time to configure they are great, though it does take time and my friends aren't really computer fanatics. My dad was also making fun of my 3.3 GHz CPU with DDR RAM saying his old 1.8 GHz CPU with SDR RAM was faster in processing executables. No matter how much I explained each HIPS program, he said he didn't want to use a useless computer. I love those programs and good job developing them, just some of them aren't too user-friendly for those who have no idea what the popups mean. So with that, I went back to an old setup plus OA and RD only just to please my dad and my friends. Funny the things you do to please other people but yourself.

    I went from this: (would crash occasionally)

    NOD32
    Look'n'Stop
    GSS AD|RD (TRIAL)
    ProcessGuard
    Safe'n'Sec + AV (Free Key)
    Ewido
    Online Armor

    To this: (working without a single crash)
    Nod32
    Look'n'Stop
    Ewido
    Online Armor
    RegDefend

    I still have IE-SpyAd, Script Sentry, Harden-It, Secure-It, Safe-XP, Windows XP useless services turned off, BugOff, Enough, SpywareBlaster, Spybot Immunized, and the MVPS hosts file. I might or might not be completely covered in all security areas, but that is why I do regular backups with Drive SnapShot. Maybe time will tell how OA, GSS, SNS, and PG will leave for the future and only then will I see what I will use then. For now I will stay with this.

    dja2k
     
    Last edited: Dec 20, 2005
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    One example of this is "programs that run programs" like RunDLL32.exe, cmd.exe (command line prompt) or javaw.exe (used for Java applets). Most users will allow these since they have legitimate uses (RunDLL being called for many Control Panel functions) but they can also be used to hijack a system (New.net being an example of a program using RunDLL32 for its installation). Execution-protection software therefore does need to include an option of restricting such items by parameter to provide more complete protection.

    I would suggest that a minimalist approach is one targeted to the dangers that a user expects to encounter. Those practicing "safe hex" (disabling/blocking unneeded Windows services, not running unsolicited code, only downloading from mainstream websites) should be OK with a basic firewall and a free anti-virus. Those living more dangerously would need to consider more specialised scanners or process/registry control as a backup. However, as malware evolves (particularly in its ability to masquerade as legitimate software), this approach will need to be re-evaluated regularly.
     
    Last edited: Dec 20, 2005
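As an added illustration of the point above about restricting "programs that run programs" by their parameters (example code written for this page, not code from Online Armor or any product named in the thread): a small Python classifier that treats rundll32.exe, cmd.exe and javaw.exe as launchers and only allows them when the command-line arguments match an explicit allow-list; the rule set and the sample launch lines are constructed.

```python
import shlex

# Constructed allow-list: launcher image -> argument prefixes the user has
# explicitly approved (lower-case). A launcher whose arguments match nothing
# is escalated to a prompt instead of being allowed on its file name alone.
LAUNCHER_RULES = {
    "rundll32.exe": ("shell32.dll,control_rundll", "user32.dll,lockworkstation"),
    "cmd.exe": ("/c ipconfig",),
    "javaw.exe": (),  # no approved parameters yet: every launch prompts
}


def split_command_line(command_line):
    """Split a Windows-style command line into (image basename, argument string)."""
    # posix=False keeps backslashes literal and preserves quoted paths as one token.
    tokens = shlex.split(command_line, posix=False)
    if not tokens:
        return "", ""
    image = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return image, " ".join(tokens[1:])


def classify_launch(command_line):
    """Return 'allow', 'prompt' or 'not-a-launcher' for one process launch."""
    image, args = split_command_line(command_line)
    if image not in LAUNCHER_RULES:
        return "not-a-launcher"  # ordinary binary: the normal per-program rule applies
    normalized = " ".join(args.split()).lower()  # collapse whitespace, ignore case
    for prefix in LAUNCHER_RULES[image]:
        if normalized.startswith(prefix):
            return "allow"
    return "prompt"


# Constructed sample of process-launch records (one command line each).
SAMPLE_LAUNCHES = [
    r'"C:\WINDOWS\system32\rundll32.exe" shell32.dll,Control_RunDLL hotplug.dll',
    r'C:\WINDOWS\system32\rundll32.exe C:\Program Files\Unknown\setup.dll,Install',
    r'cmd.exe /c ipconfig /all',
    r'cmd.exe /c reg import C:\temp\unknown.reg',
    r'notepad.exe C:\notes.txt',
]


def triage(launches):
    """Pair each launch with its verdict; handy for reviewing a batch of log lines."""
    return [(split_command_line(line)[0], classify_launch(line)) for line in launches]


if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_LAUNCHES):
        print(f"{verdict:16} {image}")
```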
  16. My point is no matter how hard you try Mike, you will still be subject to the
    game of "one up" between vendors. For example in this thread, I already see Jason touting the advantages of ring zero versus user mode already. :D And undoubtedly, if you address that (a big task), there will be more of such games, you will never win and those of us reading this forum will feel uneasy no matter how small the risk really is.

    The problem is, we as laypersons don't know how serious some weakness is, and the people who do know usually have a vested interest ... either to dump on their rivals' products or to protect their own.

    Of course, for the average person it doesn't matter, but my perception of the crowd here is that they are either people who want to be on the cutting edge (protection against any and all exploits and vulnerabilities, even theoretical ones) or very paranoid, or should I say people with a lot of valuable data to protect.

    For them you will never be able to get them to stick to only OA.

    There's not much I can say about risk averseness. But I think someone made a good point about how rational people are. Are their houses as protected as their computers from remote attacks? Or is it the case of triple locking the front door, while the back door is ajar?

    That's true of course for some people. But that group consists of our more junior members. Most of them eventually get better or are advised by the more knowledgeable members like Blue.

    But what about people who like me have 'half a clue'? I have a relatively good sense of what each of the apps claim to do, how they work roughly and can probably tailor them to avoid too much duplication. I don't claim any special expertise either, lots of people on this forum are at this level or higher.

    But what I can't do is to evaluate technical statements about the strengths and weaknesses of software, not to any serious level anyway that goes beyond superficial testing of proofs of concept and leak tests.

    For example, how seriously should I take the fact that OA doesn't run in ring zero? I see the guy from DefenseWall making a big deal about this weakness in BufferZone and releasing a PoC, and Jason is doing the same for yours.

    And given that I can't evaluate the seriousness of this, I will assume it is serious to play safe, and back up OA with something else.
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    If you are looking for good, simple and strong pure kernel-mode HIPS protection with no popups, very low CPU and RAM usage - just try my DefenseWall. You will need no more HIPSs at all! The new improved version is coming very soon.
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    This sounds a bit off-topic or at least a slightly biased suggestion :p
    Let's call it aggressive marketing :D

    Fax
     
    Last edited: Dec 20, 2005
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    It's always nice to see someone being satisfied with his own program but I find this a bit overreacted...

    I like popups btw :D
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    You mean a bit overrated?
    :D :D :D

    Fax
     
  21. simple_user

    simple_user Guest

    Some of my friends are using their old (second) PCs to handle financial things on the internet. These PCs are located behind their routers' basic firewall and are equipped with the free MS Antispyware program and one popular commercial antivirus program. The point is that they never use these machines to go to any websites except those bookmarked and trusted ones to do things like online banking and such. No important personal information is kept on their other PCs which they use regularly for fast gaming, casual online surfing, etc. I think having a minimalist security setup with a dedicated PC which handles important personal information like the above is pretty secure too. In addition, many of us may have older PCs which we have stopped using after upgrading to newer/faster hardware. The same idea can be applied to running any internet browser on some USB devices to only go to certain sites. Certainly DNS cache poisoning and other things make this approach not entirely secure but in reality nothing is 100% too.
     
  22. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    We have Rundll32 covered already; I'd have to check on the others :)
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Ladies and Gentlemen, we do not need any further comments about Ilya Rabinovich's post.

    Back on topic please.

    Blackspear.
     
  24. puddingalien

    puddingalien Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    21
    Mike, I know you like fixing up OA and making it better, and I was wondering about what Jason said, myself, so I'd like to hear what you come up with.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I've been thinking, everyone is discussing which AV/AT is the best and stuff, but I believe it's more important to have a HIPS installed on your system because an AV/AT/AS app will never be able (not even with heuristics) to detect all malware.

    Don't get me wrong, you should always scan files first, because it can save you a lot of trouble, but why rely on only one engine? At the moment I scan all of my files with Jotti and VirusScan because I don't really feel safe scanning them with just one version. :rolleyes:
     