HIPS Crazy

Discussion in 'other anti-malware software' started by WilliamP, Dec 18, 2005.

Thread Status:
Not open for further replies.
  1. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    If you're talking about 2. then it will block it. If you're talking about 1. then it's a guess.

    The HIPS I'm talking about block process execution, so all the malware will trigger a warning.

    If you install a HIPS, you do so in the knowledge that you will be alerted to both benign and malicious activity (not that all the alerts are true attacks).

    Perhaps a misunderstanding rather than a misconception. I was talking about those scans where you periodically scan the whole HD.

    Well, the malware has to fool the HIPS by carrying out its actions without executing. I would say the assumption is valid.

    Perhaps I should have said the AV will increase the chance of protecting you. Just in the same way that a HIPS alert about a driver installation will increase the chance of you making a correct decision to terminate an installation.

    Perhaps that is the case. Also, the reason why I seldom see HIPS users with infected computers is because I seldom see computers with HIPS installed.

    So we agree that nothing will eliminate 1, excellent. If you want to bar certain entities from the equation to skew the analysis in your favour then by all means do so ;) .

    Perhaps not but is that a problem?
     
  2. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Yes, I know, I have been a licensed user since day 1.

    But other HIPS are not, that's why you need to ask this before you buy.

    For me, I don't really care about this item, but I do think that
    you have to know these things before you buy.

    As I mentioned before, I did, but it only offers me a VERY SMALL part
    of what Tiny Personal Firewall Pro does, and that is also running on my system.
    After testing for months, I could not find anything within PG that
    was not in TPF2005pro.

    That said, it cost me months to find out what it does exactly,
    because, as you said, it works at kernel level, which makes it hard
    to get a good idea of how it really works.

    With Rootkit HookAnalyzer you can (very easily) see in fact
    that it REALLY works at kernel level; others that I have tested did not.

    Except, of course, Apdefend (licensed user from day one as well),
    which is not that strange if you know its history.

    Lots of tests prove what it can and can't do.

    Since the development of programs at DCS has been very slow over the last years, the development group has now lost a very important developer, and they KEEP saying that programs are around the corner, I decided to advise customers to use Apdefend if I had to choose between those two.
    Furthermore, I prefer all the per-process options etc. that it has.

    I hope DCS can launch their new program soon, because I think they
    really need that.

    They have a very good reputation with their products, IF they are released.

    I have :D

    I have several PCs running in our lab, to see how it performs
    against malware, but there is not one program that can protect you from all malware.

    There are enough solutions that really prevent you from getting serious PC troubles, but a lot of those are too difficult for every user to understand.

    I have one customer who has also had PG for a year, and he called me
    because he saw an unknown popup when he was trying to install his first program
    after a year.

    :D

    For me it is more difficult to find more good malware for test purposes
    than new anti-malware solutions.
    :)
     
  3. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    For the HIPS-only users... please combine it with another anti-malware tool.

    It is of course a bit more difficult than this.

    1) A lot of programs on your PC are trusted; sometimes HIPS don't care if they start another (dangerous) DLL or process etc.

    2) If you buy a program you MUST trust this program blindly,
    because you CANNOT know whether it contains a trojan or other malware or not.
    Simply because you don't have a tool that can DETERMINE what is malware
    or not, like an AV, AT, AS etc. can.

    So if you install that program, on what basis do you decide if it can be trusted?
    You bought it on the Internet from a well-known shop? Your colleague?
    Your best friend?
    It sounds safe.
    Be honest, and say that you alone can't DETERMINE that.

    If I sent you three programs, with one of them containing malware,
    you would have a serious problem.

    Or you never change your programs or add new ones...

    For the record, I am a HIPS user but also a NOD32, Ewido, Spybot S&D,
    A2, ShadowUser etc. etc. user.
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    And that's the crux of the problem, isn't it? I know that's what you're saying, but just to reiterate: HIPS leave the judgement entirely in the hands of the user, and let's face it, 99% of the users out there cannot correctly judge every malware filename out there. That's how malware survives: by making the files look legit/harmless/needed to most users. If you see an alert for svchost.exe, especially during an install that you think is trustworthy, you're probably going to allow it unless you are paying very close attention. Execution control can be great, but I would say that it's one of the things that users are going to have the most problems with unless you're using something like Prevx1 or Online Armor that have white and black-lists. Then comes the problem of script files and DLL loading. PG is especially bad about this because you have to set rundll32.exe to run-once, and then most of the info on any given rundll32.exe is pretty cryptic. If one of those DLLs during install is malicious, chances are the user will not be able to determine that on his own, and nearly every install is going to register a DLL. Prevx1 also covers even more ways of loading DLLs; what about regsvr and COM objects? I don't even think that PG is going to cover those.

    Behavior blockers on their own are tools more than security solutions, and that's my main point. Approach it as a tool and it can do some good, but count on it being your 100% security solution, and you're probably leaving yourself more vulnerable than without.

    Like I say, I'm a big fan of HIPS, and I don't think there's anyone here saying that they're bad.. you just have to keep it in perspective. Thinking of pure HIPS as a security tool, rather than a security solution, can do a lot of good in that regard, IMO.

    Yes, but it stops 100% of everything else, too.. and that's the problem.
     
    Oh sure, I'm talking more about 1. But even with 2, it is still a guess, as opposed to a positive identification. After all, even in a long period of testing, people still encounter seldom-used but legitimate processes, for example.

    I don't really consider "process execution" as HIPS, it's more of software restriction policy, and those can be beaten.

    But even without that there are many ways to err, because the user is not all-knowing, or the programmer may make a mistake.

    Except scripts maybe, depending on your settings? Or Java applets? Again depending on your settings? Or half a dozen other things, and all this without assuming a real security exploit, which can happen.


    Yes, of course. But does that address my point in any way that it's still a huge cost? Saying that one is expected to bear such a cost does not in any way answer the charge that the cost is too high.


    I never understood such arguments. Why would such scans be necessary if the real-time monitor is used all the time?


    I personally do not count process execution as part of a HIPS; rather, it's more like the software restriction policies used in corporate settings. But in any case, if you think such measures are foolproof and 100% protection, you need to study a bit more...


    About protection against Type 1 threats

    You forget perhaps that in the context of my arguments with Yahoo in this thread, we have been assuming an ignorant user who doesn't respond correctly. He only knows what is a baseline reading and what isn't. In this situation, as I argued, AV will provide protection, HIPS will not.

    Of course we agree, I never claimed otherwise in the first place! If you disagree feel free to show where I have said AV can 'eliminate' threats.


    Let's refresh your memory. You first brought up the idea that AV eliminates threats, out of the blue.

    In response I said

    Remember Spikey?

    Seriously, do you expect the people here to talk about 'eliminating' threats? No one is silly enough to talk about such things, although you seem comfortable throwing the 100% figure around :)

    It looks like someone didn't really read the thread before jumping in :).

    *OF COURSE* we are, as you say, 'barring certain entities' (the less skilled users) in the analysis. That was the intent all the time! We mustn't be selfish and just think of only ourselves, you know.

    Let me post again the section in case you missed it, where Yahoo starts discussing the use of HIPS using the "baseline method" only

    I simply ran with the idea of how useful HIPS would be in such a situation.
    Get with the program kid :)

    As for my analysis of the usefulness of HIPS for skilled users, I did make one, as an aside, which you snipped without saying whether you agree or not.

    Personally I suspect I'm overestimating this effect, but I'm willing to concede that smart use of HIPS (where general knowledge of what actions typical software might do, even without a baseline reading) might possibly add some protection for threat 1. How much, though, is debatable, and has not been established yet.

    Of course not if you are selfish and care for yourself only. :)
     
    Though in this thread I have been posting from the POV of a less skilled user, in threads I posted in the past I have expressed doubt over whether even skilled users of the type Spikey belongs to (short of security pros with malware analysis experience) can really determine if a certain behavior is fishy or not without some normal, safe baseline to compare with. Perhaps they can, but how much additional protection does that add?

    Sure, if this small diary program you installed suddenly tried to install drivers or terminate your firewall you would be damn suspicious.

    But what if a so called security program wants to install drivers?
    Say this new fangled rootkit scanner?

    What if this diary was actually a spam bot or simple worm, would you know simply by looking at HIPS prompts generated by say Processguard? Maybe, maybe not.

    Indeed, and those that do care, like SSM, create even more popups, so that even a seasoned and security-minded user will start feeling tired.
     
  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Tuatara, Notok and deviladvocate, thanks for all your comments. With regard to the main topic, I must confess, I agree with most of what you say. I think I just don't see the gap between the protection offered by HIPS and AV to be as great as deviladvocate is suggesting.

    With regard to the lighter topic:
    Please, refresh my memory. Where exactly did I bring up the idea that an AV can eliminate threats.

    Actually, the entities that you barred, which I was questioning, were "rare zero day exploits" (exactly the type of thing AV's don't pick up on).

    Did you know that Process Guard can block 100.0% (note, quoted to 1 decimal place this time) of malware if we bar the rare methods used to bypass its protection. More seriously though, how many zero day exploits have caused problems compared to the number of methods to get round PG's protection?

    This one really did get me chuckling:
    Please, explain the logic of that one, I'm totally bamboozled. :)
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I guess the question is whether you think AVs are overrated, or HIPS are underrated (at least for the purposes of this thread). I'll agree that a behavior blocker (note that not all HIPS are behavior blockers, some are network based) combined with a good scanner (or two, if you use an AT or AS) and a knowledgeable user that knows his/her system well can make a good combination against 0-day worms that require no user interaction. It's more a matter of who is using it, how, and for what. That's different from saying that they're more effective than scanners in the reality of practical, real world, every-day situations.
     
  9. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    NOTOK

    I wish that I had written that; in other words, I totally agree with that ;)
     
  10. devilish

    devilish Guest

    Let me quote Notok again.

    I'm not fully convinced that HIPS provide any appreciable additional protection on top of a good decent AV, even in the hands of a skilled user, but that's not the topic I'm arguing here. The statement in bold above is what I'm trying to explain and defend.

    People who overestimate the value of HIPS generally just focus on 2 points

    1. It provides "100% (to 1 decimal place)" protection

    2. Popups are easy to handle and are few.




    I thought I already did. In any case, search the thread for the word 'eliminate', and see who mentions it first. Given that you talk about 100% protection from HIPS as well, are you really surprised?

    I don't believe there are 100% solutions that can eliminate any threat, you do.

    Okay. The reason why I discount them is because they are rare. When I say zero-day exploits I mean exploits like buffer overflows that enable execution
    of foreign code without permission. Those clearly are rare.

    I do not mean common virus or worms that are not detected by signatures. The reason why I do not is clear in the context of the different types of threats that HIPS generally protect against.

    Let me borrow a line from you.
    "If you want to bar certain entities from the equation to skew the analysis in your favour then by all means do so". LOL

    Seriously, my major point is not that PG can be beaten in theory, although I do admit to not feeling comfortable making "100% (to 1 decimal place)" security claims, because such claims are either possible only in very limited circumstances, or foolish, usually both.

    In theory, if you don't mind the costs of handling popups (and have a special frame of mind for viewing popups etc.), if you are a skilled user who is able to avoid the pitfalls mentioned by Notok and tuatara, and if you disregard the rare exploit that bypasses the HIPS, THEN you have some protection (let me assume it's 100% to 1 decimal place) against a limited class of threat.


    Notice the number of qualifications? The limitation in scope? I submit that's the right way to view things, not just chant slogans about 100% (to 1 decimal place) protection .

    Wrong way of looking at things. The correct way is to consider the number of zero-day exploits that actually occur. I hasten to point out that this figure is NOT the same as the number of malware threats that AVs miss. It's way smaller, as explained in earlier posts.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hi,
    My view of things:
    HIPS are either too restrictive or too loose. If they aim to prompt the user to decide what to do with a certain process / application / DLL, then the security will ultimately reside with the user's choices. If the HIPS is made to interact as little as possible with the user, aiming to replace the prompts with smart heuristics, usually the abundance of FPs is too great to be acceptable.
    For an average user, the best way would be without, and if they must use HIPS, then with one that prompts as little as possible. It's one of the main reasons why Norton products appeal to so many. There is hardly any interaction between the user and the software.
    Back to HIPS: similarly, HIPS software should be made to talk back as little as possible. In this regard, the heuristics are preferable. The user will either do some damage alone or an occasional FP will do it for him, which is preferable, since the user has infinitely more chances of screwing up than a self-guided program.
    Having tried several HIPS, I found them all lacking. I DO like to tweak and play and click on prompts - but that's only when I'm playing with software. I do not want that while resting, gaming, surfing etc. After a lot of prompts, they become tedious and you casually click yes just to get rid of them.
    Now words are so much easier than deeds. I do not say achieving this is easy. But HIPS should be a fire-and-forget. Not a single prompt. This is very difficult. The closest alternatives to this optimal are sandboxing and semi-sandboxing.
    I think HIPS should be more oriented as to what a system needs to do rather than what specific programs are trying to do. Whitelisting with hashes would be a good start. And everything less is denied. No need for explanations. No prompts that tell you why and what and where. Pure almighty whitelist. What isn't there simply isn't.
    Mrk
     
  12. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    The HIPS I've tried all have to learn some of the programs you use
    (or, in other words, add them to their whitelist);
    for the others there is a default/factory whitelist.

    So, you find them lacking because they are too "noisy",
    too many popups etc.? I think this is a very minor reason
    to find them 'lacking'.

    Most of the HIPS I've tried only pop up when something new is seen,
    and some of them can just disallow those items.

    I've been using HIPS now for almost 2 years, and I do like them;
    I think they are a very good addition to make your system safer.

    The larger AV companies seem to agree on this, because they are all adding these features, as I wrote here before.

    Perhaps your problem would be solved if HIPS software
    had a "Don't allow and don't POPUP" option for unknown
    things (and trusted software installations).

    I've been testing with Online Armor; this HIPS pops up when it
    is really needed.
     
  13. Or it could just be a fashion and everyone is jumping on the bandwagon. That happens you know.

    It sure looks good for marketing: 'proactive', 'zero-day exploits', '100% protection', etc. The reality behind the marketing is what will decide the fate of such features, though.
     
  14. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Hi tuatara, Notok and deviladvocate

    The strength of your argument is too great and I have to accept that an AV gives the best chance of protection against software that you install yourself.

    ROFL :D
     
  15. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    I am happy with that; I was very afraid that you needed some extra posts from some of us to convince you.

    :D
     
  16. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Notok

    I wasn’t able to answer this question when you originally posed it. It was just a feeling I had and I wasn’t able to articulate those feelings. I’ve had a think about it and will now attempt to answer that question. I’m still not sure I can answer the question adequately but I will explain my logic in the hope that further discussion will clarify the situation for me.

    To recap, the discussion highlighted two methods of getting infected:
    For an AV, I would suggest that both of these methods are covered to the same degree. Simply, if the software you intend to install or the software which tries to install itself is in the AV database then you will be protected. If it’s not in the database then you are not protected.

    For a HIPS, I would suggest that both methods are not covered to the same degree. For software that tries to install itself, the HIPS would block everything. By everything, I mean the things your AV software would pick up on and also the things which would get past your AV (because it’s not in the AV database). Therefore, for software that tries to install itself, a HIPS gives greater protection than an AV (so HIPS is underrated). For software that you install yourself, the HIPS does not really give you any protection.

    So to stop software that installs by itself, you use a HIPS and then you can use an on-demand AV to scan software you intend to install yourself.

    One of my errors in the previous discussion is that I have effectively forgotten that I do have an on-demand AV. Due to the way I use my computer, I have not used the AV for such a long time, it’s almost as if I don’t have one.

    I have argued based on my requirements and not the requirements of a broad range of users. As a result, I have incorrectly argued the point that you don’t need an AV under any circumstances.
     
  17. EASTER.2010

    EASTER.2010 Guest

    Nicely put SpikeyB

    I've been in this business a long time now, mostly in a volunteer capacity, as both a common user and also a HijackThis Analyst. I will never be able to count the numerous issues where users limped into the forums with affected machines that had the top-dog AVs, which might have alerted to something foul but were completely powerless to prevent malware/viruses spreading or wreaking havoc in the first place.

    HIPS much more effectively and solidly eliminate, BY INTERCEPTING AND PROMPTING TO STOP COMPLETELY, any potential problems from signalling your operating system and its file system/registry at the start.
     
  18. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I agree that there's a better chance that you'll block something unexpected, but the problem remains that the level of security is still completely dependent on the user making the correct decision. What do you do if you get a prompt for C:\Windows\System32\Kernel32.exe, or something similar? What about updates silently installing in the background? Answer incorrectly and the consequence could either be major system problems or getting infected. Unfortunately the numbers aren't for the idea that people will know how to answer this correctly. In a lot of ways I tend to think that things like running as a limited user are going to be more effective, as it will not allow many infections and won't require any decision making, except that it will make you more seriously consider installing software, as you will have to consciously log out, log in as admin, and then install.

    If you're intelligent and diligent about scanning, researching, or otherwise obtaining pertinent info on a file before allowing each prompt, then it certainly could be more effective, but can you honestly say that you would do so for each and every prompt? I would say that if you're not able to look at someone's HJT log and pick out the malware correctly, then there's a good chance that a behavior blocker won't be that effective for you (and I would suggest this as a good test for anyone: go to a forum that does HJT logs and look at the old logs. Keep the answers off your screen until you've made your picks, then scroll down). IF, however, you have it in perspective and keep a behavior blocker as just one layer, then I think it could still be a worthwhile addition to a layered approach. I think the balance also tips significantly when you're using a behavior blocker with sufficiently large white and blacklists, where prompts are the exception rather than the rule. At the very least it will allow you to block first and ask questions later, without fear of crashing your system.

    Like I say, I'm not saying that behavior blockers are bad, just that they need to be kept in perspective. It's imperative that a user understands how the program works, what it can and cannot do, and their own role in the process. I think we also need to be careful about recommending them to any and everyone, as most people are not going to be able to use them effectively. There are a lot of other options that can provide equal or greater protection, and the statistics lend more to "greater".
     
    Last edited: Mar 30, 2006
  19. Ptah

    Ptah Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    170
    In everyone's opinion, what is the most effective HIPS program? I have tried to install Prevx1 but I cannot get the agent to run, so that program for me is out. I do have KAV 5 and KAH; would it just be worth the wait for KIS 6 to have the proactive protection and not use another HIPS program?
     
  20. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Since you already own KAV/KAH, I'd recommend wait and try on KIS 6.0. It's effectively at release stage now, so it will be available for general download soon.

    Blue
     
  21. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Ptah,
    What is it that you are looking for in a HIPS program (ie: why do you want one) ?
    Are you looking for an "entry level" HIPS that is on auto-pilot ?
    Do you want something that is configurable as you learn more about security and related issues (assuming that you are interested in doing so) ?

    Blue's advice to try KIS might still be the best option for you but it does depend on what you are trying to achieve and what level of interaction you find acceptable
     
  22. Ptah

    Ptah Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    170
    I am just starting out but I would like to have total control, or the option to choose when I want total control. I am looking for a well-rounded protection base with minimal security programs to achieve it. Also, I do not mind the interaction part, but again I would like to choose when I want it. I guess I am looking for a program like Prevx1; it just sucks that I cannot run it!
     
    Last edited: Apr 1, 2006
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I don't get exactly what you are looking for, but after AV and firewall, if I have to choose, I will choose Online Armor or PG, or maybe both. But other members who are using them currently can guide you more. Both are easy to use. If you want a free one, Antihook is also good but has many pop-ups, some system slowdown (in my experience), and has some conflicts (like with Sandboxie). Still, there are many equally good options, so I will suggest you try yourself and then you can decide which one you like most.
     
  24. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You might just get hold of Prevx support (go to the home page and click the "Support" link at the very bottom of the page); they can probably help you get it up and running.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I am not against Prevx, but in fact my experience with Prevx R1 was not good; I have ranked it among the worst-ever system-slowing HIPS for me. Others might have a different experience. However, this was the only main issue; otherwise it was working well, although I can't say how good it is in its prevention, but it seems good.
     