[HIPS] Free Netchina S3 HIPS 3.5.5 released

Discussion in 'other anti-malware software' started by netchina, Feb 2, 2008.

Thread Status:
Not open for further replies.
  1. netchina

    netchina Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    7
    Current version is 3.5.5.1,
    You can download it from:
    http://liveupdate.netchina.com.cn/ens3_3.5.5/ncs3_3.5.5_EN_setup.exe
    Official website: http://www.netchina.com.cn


    Netchina S3 HIPS is a hybrid HIPS that includes:

    Access control matrix based HIPS, which provides:

    --Process control
    ----Process run
    ----Launch another process
    ----Inject process
    ----Open thread of other process
    ----Create thread of other process
    ----Set thread context of other process
    ----Debug active process
    ----Suspend process

    --File access control
    ----Modify file
    ----Read file

    --Registry control
    ----Modify registry

    --Loading and invoking control
    ----Load driver control
    ----Set window hook
    ----Load OLE component
    ----Invoke API function
    ----Load DLL
    ----Anti keylogger
    ----System call control

    --Memory control
    ----Access physical memory
    ----Allocate virtual memory
    ----Write virtual memory
    ----Protect virtual memory

    --System control
    ----Adjust privilege token
    ----System debug control
    ----Query system information
    ----Shutdown system

    All these functions support query mode.

    Desktop firewall, which provides:
    --TDI firewall
    --Packet filter firewall
    --IP/MAC binding

    Misc tools, including:
    --Autoruns edit
    --Process list
    --Netstat
    --Anti-DDOS
    --Stealth mode
    --Logs

    and so on.

    Some snapshots:

    1.Working mode:
    http://liveupdate.netchina.com.cn/en1.jpg

    2.Application rules editor:
    http://liveupdate.netchina.com.cn/en2.jpg

    3.Loaded rules:
    http://liveupdate.netchina.com.cn/en3.jpg

    4.Firewall rules:
    http://liveupdate.netchina.com.cn/en4.jpg

    5.Firewall rules editor:
    http://liveupdate.netchina.com.cn/en5.jpg

    6.Autoruns editor:
    http://liveupdate.netchina.com.cn/en6.jpg

    7.Log viewer:
    http://liveupdate.netchina.com.cn/en7.jpg


    You are welcome to use and enjoy it.

    ----

    Best regards,
    David Guo
    Netchina.com.cn
     
    Last edited: Feb 2, 2008
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I will certainly try it thanks netchina.
     
  3. netchina

    netchina Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    7
    Thanks, hope you enjoy.:)
     
  4. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    543
    Looks interesting. Thanks Netchina.
     
  5. Matern

    Matern Registered Member

    Joined:
    Nov 20, 2007
    Posts:
    102
    Looks cool, with an Outpost-like Firewall Editor.
    Hope to read more about this and how many popups it makes.
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    It appears to be a very comprehensive defense system by reading its Chinese web site.

    Can it be added to any existing firewall? Or

    does it have to be used as a standalone application?

    Is it better than any leading firewall in today's market?

    If so, which, and why?

    Take care.
     
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    No English version of the website? :(
     
  8. netchina

    netchina Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    7
    Grateful to you for your interest in S3 ;),
    and you can visit here for more information about S3: http://bbs.kafan.cn/forumdisplay.php?fid=68, but it is only available in Chinese...

    I suggest that you use it as a standalone application, although you can allow all traffic by selecting "pass all" mode. Whether you select this mode or not, the firewall drivers are already loaded, and this may sometimes cause conflicts with other firewall drivers~

    S3 is a relatively comprehensive solution for the desktop. It contains control functions and management tools; furthermore, it is small and free~

    Hope you enjoy it!

    ----

    Best,
    David
     
  9. netchina

    netchina Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    7
    The English version of the website will be coming soon... :p
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Thanks.

    We'll be watching for this Grand Opening when it's ready.

    Appreciate your sharing this.


    Regards EASTER
     
  11. wat0114

    wat0114 Guest

    Which Windows versions will it run on?
     
  12. netchina

    netchina Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    7

    Windows 2000/2003/XP

    Vista not supported
     
  13. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Is this more comparable with OA, comodo firewall 3, private firewall, or should this be compared with SSM, ProSecurity?
     
  14. jack90125

    jack90125 Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    19
    You can read the site through Google Translate. Seems there are some issues to be worked out, but it sounds promising.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    It sure looks interesting, but at first sight it looked a bit complex. I couldn't really figure out how to make rules, but I have not really tested it yet. I also had some minor GUI problems, as seen in the screenshots from post #1. But I think combining a firewall with HIPS makes sense. Is it a two-way firewall, btw?
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    First Impressions - shot from the HIP ;)

    Cool Firewall rules editor for a HIPS, very cooool registry editor (the categorised tabs really look great)

    Application rules

    Question:
    Is it only a program-based rule set, or is it also possible to set a system-wide filter (like Appdefend, NeoavaGuard, EQSecurity, Defense+), with programs causing exceptions to allow?

    I will give this a test drive when the English version is available.

    THANKS

    MORC CALLING SOLCROFT, COME IN SOLCROFT (give some feedback on this).

    Regards Kees
     
  17. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
  18. wat0114

    wat0114 Guest

    Just a quick play so far. This has some promise but it sure needs a lot of work based on the odd behaviour I've seen.

    1. Network access is either Allow (High availability) or Block (High security). There are no prompts for anything attempting network access, which is very inconvenient.
    2. I have Application control mode set to Querying but I have seen several applications launch without any warning from S3, and I have "Enable digital signature based decision" un-checked!
    3. Some of the Application tab's purposes are hard to understand, such as Subject, Object and Loaded.
    4. There is a Protected group option for applications, but I don't know how that works, especially since I have launched several applications - notepad, anydvd, winzip, cmd.exe, ccleaner, wmplayer.exe - without any warning from S3.

    Overall, it seems like an unfinished product, the most disturbing aspect being that its anti-executable function is erratic, at best. As an example, just to get Snagit to work (S3 did block this app!) I had to manually place it into the Trusted group before I could take screenshots. Also, there really also needs to be an "ask" option for applications attempting network access, rather than only allow or block.

    Its memory footprint is, however, light at ~15 MB.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    MikeNas,

    Sorry, there should be an English help file available + some more info on an English website. I am not going into the process of trying to figure out a Chinese app again. I did it with EQS, which was too early (3.3); the next version, 3.4, worked extremely straightforwardly.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ wat0114, thanks for the test.

    I would like some more info about these filters.

    What's the difference between the two?
     
  21. wat0114

    wat0114 Guest

    You're welcome. I can not possibly answer your questions on the filters, at least not yet :doubt:

    I continue to see unpredictable, puzzling behavior with this utility. Just now I am alerted to anydvd attempting to launch, whereas on several attempts before it could launch at will ?? I swear I made no changes to the options between then and now. The ss shows the details of the alert. You will notice there is no parent process (should be explorer.exe at least) indicated in it.
     

    Attached Files:

  22. wat0114

    wat0114 Guest

    More bewildering behavior...

    In the screenshots you will see amongst the few application rules I have, IE and Firefox are nowhere to be seen. I created two network rules to give basic Internet access for, in this example, IE and FF browsers. I have Network control module set to High security, which blocks all inbound/outbound by default.

    1. I was able to launch IE and connect to my home page (Google.ca) with no alerts for program executable launching nor attempting internet access.
    2. For Firefox I did get an alert that it was attempting DNS to port 53, 192.168.0.1. I allowed it, then it went straight to the home page with no alert for attempted HTTP network access. Also, no alert for program executable launch either.
     

    Attached Files:

  23. wat0114

    wat0114 Guest

    Incredible! I created a couple of Application control rules as seen in the first ss, still silent, so I re-booted, and now S3 has gone from the shyest HIPS I've seen to the chattiest I've ever seen. Just to launch IE7 and navigate to this site, I counted - no kidding - 84 alerts! I allowed them all and had to shut S3 down because it seemed they would never cease. Many of them were on tmp files. This will surely give Comodo 3 Defense+ a run for its money on "noisiest" HIPS, at least if an "all-encompassing" rule is made, like the one I created.

    The second ss shows one of the alerts for Nero. It does actually alert on the parent/child relationships.
     

    Attached Files:

  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Keep it coming. :)

    I really haven't had a chance to get this up and in action to test, but these screenshots definitely look promising. Some of us, you might say, are noise tamers and don't mind going through some time-consuming tunings.

    By this I don't mean to diminish in any way what's being reported, just that it seems it's a pretty comprehensive HIPS at first glance. I'm confident they will in time address the common bugs found in any early release apps or the overreactions that can follow any HIPS which isn't fully understood yet or needs restructuring here and there.

    So you might say that I am encouraged from both sides of this new app, the tested results/reports and the member/author who is following the progress of this HIPS.

    Carry On All

    EASTER
     
  25. wat0114

    wat0114 Guest

    I haven't given up on this, Easter ;) Clearly, this utility requires considerable effort to figure out, at least for me. After running amok with numerous added rules without having a decent understanding of how this HIPS works but, nevertheless, learning slowly along the way, I decided to uninstall and re-install to start fresh. It seems I may have finally figured out the "Object" tab and the importance it plays in the effectiveness of this utility.

    The ss shows the "Object" rules I created manually, highlighted in yellow. The default set of "Object" rules are highlighted in cyan.

    Without the additional rules I created, I found S3 to be quite weak in its HIPS monitoring/alerting functionality. So far, with only those rules, it now seems quite powerful. There are still more that can be created which will obviously make it noisier, but that remains to be tested. It is easy to get too carried away, as I discovered earlier, and create all-encompassing rules that will cause an endless barrage of alerts that will drive one bonkers o_O

    It is still very early in testing and I need to learn more about S3, but it is now looking a lot better than I thought in my first testing attempt. As before, I had to place snagit32.exe in the "Trusted" group before I could take screenshots.
     

    Attached Files:

    Last edited by a moderator: Feb 4, 2008