[HIPS]Free Netchina S3 HIPS 3.5.5 released

Discussion in 'other anti-malware software' started by netchina, Feb 2, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Great :)

    And many thanks for all the screenshots and additional information/results either up or down, as they become available.

    Looking forward to changing snapshots and giving this a whirl myself.
     
  2. wat0114

    wat0114 Guest

    You are welcome :)

    One last post for the night. It seems buggy still, because it is alerting me to the two same "modify registry" attempts over and over, even though I know I'm accepting them permanently. Other than that, it seems to place quite a brick wall around the system. The logging does not seem to be working either (I have logging enabled for the rules I created but nothing gets logged).

    The screenshots show the application rules created so far, most of them invoked by the rules I manually created.
     


  3. wat0114

    wat0114 Guest

    Okay, one more because I can't resist. The ss shows two possible ways to answer the alerts, with explorer.exe being the program in question. One allows unrestricted program launching, while the other allows restricted individual program launching.
     


  4. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    How does this compare with EQSecure? Aside from the firewall component, are they similar?
     
  5. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Nice, another avantgardist and probably wonderful Chinese hips to play with! I'll install and test it right now. Thanks Netchina.
     
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello Netchina,
    Thank you for the new "Toy" for us to play with...
    Just one question as my "Chinese" is a little rusty... (as per posted site).

    Is this a full release product or RC? Beta?
     
  7. TECHWG

    TECHWG Guest

    How is this different from ProSecurity?
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Watt thanks

    I can see that the global rules of EQSecurity are similar to 'OBJECT' and Application exceptions (All applications of EQS) are similar to 'SUBJECT'

    Regards Kees
     
  9. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Seems to me that this HIPS is pretty obvious to use. I don't know why rasheed is asking all these questions.. Seriously, using a HIPS is a no-brainer, even my 6-year-old kid can use it, I don't know why you seasoned wilders hips experts are having so much problem. :)
     
  10. S3MAC

    S3MAC Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    3
    "Network access is either Allow (High availability) or Block (High security). There are no prompts for anything attempting network access, which is very inconvenient"

    Consider a DDOS attack, so prompts for DDOS are a bad idea.

    "I have Application control mode set to Querying but I have seen several applications launch without any warning from S3, and I have "Enable digital signature based decision" un-checked!"

    Specifying what application? M$?

    "Some of the Application tab's purposes are hard to understand such as subject, Object and Loaded."

    The concept is from the Access Control Matrix in security engineering.
    Subject seems like CAP, meaning you have to authorise what the subject can do or cannot do.
    Object seems like Access Control, meaning you have to define the ACCESS CONTROL to protect the object.
    Loaded means the policy (Ruleset) S3 has currently loaded.

    "There is a Protected group option for applications, but I don't know how that works, especially since I have launched several applications - notepad, anydvd, winzip, cmd.exe, ccleaner, wmplayer.exe - without any warning from S3."

    Group is the Role concept.
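    The Subject / Object / Group terms S3MAC uses come from the access control matrix model; the following is an added illustration of that model, not S3's own code or ruleset. It shows one matrix read as a capability list (the Subject view) and as an ACL (the Object view), with a Group acting as a role. All subject, object and operation names are constructed for the demo; the operation names are taken from the S3 feature list quoted later in this thread.

```python
from dataclasses import dataclass, field

ALLOW, BLOCK, ASK = "allow", "block", "ask"
# Constructed object names for the demo (not taken from S3).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
DRIVERS = r"C:\Windows\System32\drivers"

@dataclass
class Policy:
    # matrix[(subject, object)] -> {operation: decision}; a row key may be
    # a single subject (process image) or a Group, which acts as a role.
    matrix: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)  # group name -> member subjects

    def grant(self, subject, obj, operation, decision):
        self.matrix.setdefault((subject, obj), {})[operation] = decision

    def roles_of(self, subject):
        return [g for g, members in self.groups.items() if subject in members]

    def decide(self, subject, obj, operation):
        """The subject's own row wins over its groups' rows; no entry at all
        means ASK (what a querying mode would do)."""
        for row in [subject] + self.roles_of(subject):
            cell = self.matrix.get((row, obj), {})
            if operation in cell:
                return cell[operation]
        return ASK

    def capability_list(self, subject):
        """The 'Subject' (CAP) view: one row of the matrix."""
        return {o: ops for (s, o), ops in self.matrix.items() if s == subject}

    def acl(self, obj):
        """The 'Object' (access control) view: one column of the matrix."""
        return {s: ops for (s, o), ops in self.matrix.items() if o == obj}

def demo_policy():
    """A constructed ruleset; operation names mirror the S3 feature list."""
    p = Policy()
    p.groups["Protected"] = {"explorer.exe", "notepad.exe"}
    # Role-level rules: apply to every member of the Protected group.
    p.grant("Protected", DRIVERS, "Modify file", BLOCK)
    p.grant("Protected", RUN_KEY, "Modify registry", ASK)
    # Subject-level rules: explorer.exe's own row overrides the group's.
    p.grant("explorer.exe", "notepad.exe", "Launch another process", ALLOW)
    p.grant("explorer.exe", RUN_KEY, "Modify registry", BLOCK)
    return p
```

    A process with no row of its own and no group membership (cmd.exe in this demo) falls through to ASK for everything, which is the situation the quoted post describes as launching "without any warning" when the mode is not querying.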
     
  11. S3MAC

    S3MAC Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    3
    Some processes unstatefully send two or more attempts when S3 queries the user. If S3 kept state, there would be a negative impact on performance. S3 does not keep state.
     
  12. S3MAC

    S3MAC Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    3
    Quite different!

    Both seem to have the same functions, but S3 is well structured to support future Label and Role security besides controlled access.
     
  13. wat0114

    wat0114 Guest

    Hi S3MAC,

    no worries, my two days testing is finished and eventually I pretty much figured out the basics...I think, though an English help file would certainly be of benefit. A few bugs need to be ironed out and some polish to the interface would help, otherwise it's a pretty decent product with some promise. Just my opinion.

    LOL :D I can't help but think of a lawyer we might know who would get a chuckle out of this :D
     
    Last edited by a moderator: Feb 5, 2008
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    LOL, that's funny, but the other topic was about how to respond to alerts, and not about HIPS usability. I actually don't like HIPS that are too complex, HIPS should be quite easy to understand and easy to use. Of course, I also asked these questions because, as you can see, I don't understand everything yet, but I do know that these methods can be used by malware. :)
     
  15. netchina

    netchina Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    7
    Hi, Hermescomputers, this is a beta version of 3.5.5.
     
  16. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Usability is "why does it take so many clicks to do X? " You were asking what does so and so prompt mean, what does so and so feature do... Sure looks like a question about how to respond...

    Want to try again?

    Think about it. "These techniques *may* be used by malware" (your words). Not definitely ARE used by malware.

    So you need to learn about HIPS so you can know what to ignore and what to allow ...

    How easy is it to respond to prompts when you are asking so many questions about what the prompts really mean, and because each software differs you have to ask questions every time you try a new one... :)

    One more point.

    Say you install 4 different HIPS on 4 otherwise identical computers, then you run through the same series of actions 4 times, how many times would you say the prompts match? I.e. do they prompt at the same time on the same actions with roughly the same message?

    My experience is that the overlap is not large.

    That's another thing that makes HIPS really hard to use.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I don't know if it makes any sense to actually respond to you, but what the hell:

    Well, first of all, a lot of the stuff that I ask questions about is currently not even covered by the HIPS that I'm using. So I don't have to deal with it yet. But as more and more features are being added, it makes sense to learn about it, no? :rolleyes:

    You would think so? And from what I've seen most of them do? Not sure what you're getting at, but looks like a non issue to me, at the moment.
     
    Last edited: Feb 17, 2008
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Hi Netchina, can you perhaps answer the questions in post #20? Thanks :)
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    WoW!

    I am a HUGE fan and user of HIPS but don't know if i can wrap my head around yet another one, especially with so many avenues of settings, but to the contrary i no doubt will give it a try.

    I'm still not through fine tuning EQS yet :D
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Any update to Netchina S3 HIPS yet as far as anyone knows?

    It has some promise in my brief run with it so far, just curious as to how far along they intend to press ahead with it's development?
     
  21. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    I think they have not had a new release since August 2007.
    http://www.netchina.com.cn/user/start.html
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Ok then, thanks QQ2595 for that tidbit of info.

    Some of us are HIPS intent no matter what so was nice to find yet another new one surface. Problem is they must take a lot of programming time and effort with testing to get them ready enough for prime time release, even in beta stage.

    EASTER
     
  23. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    New results from matousec about Netchina S3 2008 3.5.5.1: it reached 85%, a very good score.
    Although I don't believe in the matousec testing and ranking importance,
    for a very light free firewall like that to reach a high score is a good start.
    http://www.matousec.com/projects/firewall-challenge/results.php

    But it has 2 major defects:
    1- no English version of the help file
    2- I don't understand why I don't receive prompts about applications asking for internet access

    But it has some very useful features:


    Access control matrix based HIPS, provide:

    --Process control
    ----Process run
    ----Launch another process
    ----Inject process
    ----Open thread of other process
    ----Create thread of other process
    ----Set thread context of other process
    ----Debug active process
    ----Suspend process

    --File access control
    ----Modify file
    ----Read file

    --Registry control
    ----Modify registry

    --Loading and invoking control
    ----Load driver control
    ----Set window hook
    ----Load OLE component
    ----Invoke API function
    ----Load DLL
    ----Anti keylogger
    ----System call control

    --Memory control
    ----Access physical memory
    ----Allocate virtual memory
    ----Write virtual memory
    ----Protect virtual memory

    --System control
    ----Adjust privilege token
    ----System debug control
    ----Query system information
    ----Shutdown system


    Desktop firewall, provide:
    --TDI firewall
    --Packet filter firewall
    --IP/MAC binding

    Misc tools, include:
    --Autoruns edit
    --Process list
    --Netstat
    --Anti-DDOS
    --Stealth mode
    --Logs

    ----DOS, DDOS attack protection
    "I want a comment from STEM on this point regarding DDOS" because I remember that once we discussed the possibility of DDOS protection being available in software firewalls.


    And the best advantage is that it is free.


    Their website has published the new matousec score and ranking for the 2008 version here: http://www.in9.cn/read.php?tid=316422
     
    Last edited: Sep 9, 2008
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    This looks very promising. It makes me happy to see all these new HIPS popping up left and right :D

    Thanks for your efforts Net China Group; keep it up please!
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    These concerns MUST be addressed as they are completely legitimate concerns.

    Waiting to see if they take the effort to remedy these or not.

    EASTER
     