HIPS - necessary or not? which is the best?

Discussion in 'other anti-malware software' started by carioca, Mar 24, 2007.

Thread Status:
Not open for further replies.
  1. carioca

    carioca Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    96
    Dear Forum users,
    o_O
    Is one HIPS enough, or should I use another one together with it, or many together? May I use Online Armor with firewall, ProcessGuard, DefenseWall, System Safety Monitor, Sandboxie, GreenBorder, BufferZone, Neoava Guard and WinPatrol Plus? Which security programs are the best together? Would they conflict with each other? Do I have to choose only one HIPS, one antispyware scanner, one AV scanner and one AT scanner? All opinions are welcome. Could you clarify this for me, because I'm confused about HIPS. Is it a must or not? Do you have some hints? Best Regards.
     
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    wow, you aim to shoot flies with a cannon :) One HIPS is more than enough, if you don't have a fetish for clicking on confirmation dialogs that is :)

    IMO HIPS is not a must. I have used HIPS for a couple of years but grew tired of them. Sure, they did block all the leaktests, but that was all they did on my machine; they never caught any malware, simply because I never get any :/ But if you attract malware it could be a good idea to use a HIPS if you want to be sure.
    Before I went over to Prevx1 I tried SSM and kind of liked it. AppDefend is (or was? isn't it abandoned nowadays?) good too.
    If you decide to use sandboxes I would say that adding HIPS seems a bit overkill, unless you want information on what the eventual malware is trying to do behind your back.
     
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    HIPS is not a must.

    My recommendations: if you like control or just like clicking dialog boxes, go for SSM or ProSecurity. If you want a more silent solution you may want to look at Prevx1 or Cyberhawk.

    As for sandboxes, Sandboxie and GeSWall are good.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Take only ONE app from each group:
    - SSM, PG, Neoava Guard.
    - Online Armor, WinPatrol.
    - Bufferzone, Sandboxie, Defensewall, Greenborder.
     
  5. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, lucas1985: Since you brought this up in this thread, may I ask you a quick question? You mentioned that OA and WinPatrol are in the same category, and I currently use Scotty, and have an impression that OA and Prevx1 are in the same class. Can you elaborate a bit on why your thinking is different from mine? My sincere request, of course. Thank you.
     
  6. Jo Ann

    Jo Ann Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    508
    HIPS, SHMIPS - why oh why do this at all? I use the internet for hours every day (downloading whatever appeals to me). I am constantly receiving emails with attachments that I open without hesitation (if I know the sender!). I've never encountered any problems that were beyond the detection, 'fixability', or scope of my current setup (see signature).
     
    Last edited: Mar 25, 2007
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I've grouped full classical HIPS (SSM, PG, Neoava) and sandboxes (Sandboxie, DefenseWall, GreenBorder, BufferZone).
    WinPatrol and Online Armor don't have much overlap (startup/BHO registry entries come to mind), but since they don't hook deeply into Windows I have put them in the same group.
    Hope it's clear now.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Since you asked that question - no, HIPS is not for you.
    To use HIPS, you need to know stuff; and when you know stuff, you do not need HIPS. It's a paradox. You'd best go with whitelisting sandboxing if you want that kind of protection, in which case DefenseWall is the best solution I can think of.
    Mrk
     
  9. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi Lucas,

    I think that you're talking about OA 1, because version 2 hooks at kernel level and gives the same (more?) level of protection as SSM, PG or NG.

    Even OA 1 could not be compared to WinPatrol, because OA 1 monitors process execution (I'm only speaking about HIPS-like features).

    Here is a description of the new version 2

    Maybe you can give it a try :rolleyes: (just joking)

    MaB
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I don't think so. SSM and the like hook extensively into the SSDT and other system areas. IMHO, OA is less "aggressive" in hooking Windows.
    Yes, OA has more features. I wasn't comparing WinPatrol and OA in terms of features:
    I think that SSM can coexist with OA, but I wouldn't use this combination.
     
  11. Metal425

    Metal425 Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    188
    Location:
    Southern California
    Prevx1 is a nifty HIPS.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The absolutely 100% silent HIPS and also a Sandbox is . . . DEFENSEWALL

    Better yet DW is also a good performer in tests (for what they are worth)
     
    Last edited: Mar 26, 2007
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I consider DW as a possible in my frozen snapshot. It only needs to save the day; once I reboot I have my clean computer back anyway.
    Another possible is Anti-Executable; I hope the combination of both works.
    I'm still fishing, it's hard to find the RIGHT software. :)
     
  14. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Maybe, but using a HIPS is a great way to learn and get you to the point where you do know stuff.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The most user-friendly combination: DefenseWall and Anti-Executable (EDIT: should be Primary Response SafeConnect, mistake) in my opinion. DefenseWall is 100% quiet, PRSC (edited) makes most of the hard decisions for you (other behavior monitors let you decide). Together with First Defense it makes one of the strongest (paid) setups in my opinion. The positive side of Prevx1 is that it really assists the user (so on this point they score points).

    PS 1.
    I do not like HIPS which use multiple concepts like Prevx1 (community whitelist/blacklist and behavior blocking). Blacklisting is for AVs; it does not keep the architecture clear, overlap wastes CPU and makes the defense architecture less transparent, and more of the same does not give better protection (the same holes keep existing).

    PS 2.
    I wonder why so many people do not like the idea of combined protection of a traffic wall (firewall) and a data wall (CoreForce, SensiveGuard, R-Firewall + R-Guard, etc.).
     
    Last edited: Mar 27, 2007
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Mrk, it is partly true. I knew not much about security until my son started to be a script kiddie, hacking other people's PCs. He left warnings ("your friendly hacker advises you to close port 9999" or whatever leak . . .). One day he hacked the wrong guy. We found out the hard way and got hacked back (with only Windows Firewall and a weak AV like AVG). That is why I use 3 HIPS-like programs (DefenseWall, SSM, SensiveGuard) on my wife's PC and we're behind a hardware firewall. Now I know I should never have bought XP Home, but should have bought XP Pro; with restricted users and a nice policy management setup, I could do with fewer security programs.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Scanners are much easier to use; you don't have to be a genius to click on the scan/remove buttons.
    False positives are a problem, but average users remove them anyway, which might cause a small or big problem, but who cares.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Interesting, but if you think only about the community, then it's only natural to understand why/how it blacklists and whitelists applications. They are related; that's how it sorts things out. Behaviour/heuristics is also natural, since that's how Prevx1 analyses applications automatically, locally that is (and without confirmation from the community).
    It's all connected, and if you take one away, you have a crippled Prevx1.
     
  19. carioca

    carioca Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    96
    :thumb:
    Hi
    Kees1958,
    Sandboxie is the most extraordinary sandbox software! In my opinion it is a jewel (small and bright) and is the best software I have tried. Much better than GreenBorder, BufferZone, DefenseWall and many others. Try it and you will make up your mind by changing to it. Besides, it's free and there is no overlapping! Best Regards.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. I put Sandboxie on the list as a possible, it won't hurt my wallet. ;)
     
  21. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    I agree with the guys who say splitting between WinPatrol/Online Armor on one hand and SSM, PG, Neoava on the other is a bad idea, even leaving aside whether OA 2 is kernel level or not.

    If people followed your advice literally of picking 1 from each group they would run, say, Sandboxie + SSM + WinPatrol/OA.

    That's overkill. I can see no reason why someone running SSM would need WinPatrol/OA.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You are right, but DefenseWall and GeSWall are seamless compared to Sandboxie (not a separate sandboxed environment). Since my wife uses the PC I needed the simplest of all, DefenseWall. On my son's PC we have GeSWall Pro, also seamless, but with more configuration and safety level options and the fastest (in his opinion; I tried Sandboxie first, but let him decide, he also favoured RegDefend and Cyberhawk free over SSM Pro).

    Regards K
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    True,

    Maybe in time, when Prevx1 develops to be stronger than other HIPS (in a test it missed four samples while Cyberhawk only missed one and GeSWall and DefenseWall missed none), I will change my opinion. Although there are some pretty strong suites, I favor the 'best of breed' approach (downside: more configuration effort).

    Regards K
     
  24. carioca

    carioca Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    96
    :D
    Hi Kees1958,
    What about ProSecurity Pro? Have you tried it? I have heard some praising comments about it. Someone said that it's similar to SSM or perhaps better than it. Besides, I read a thread that this software company charges only for a lifetime edition. Concerning licenses, I have heard DefenseWall was lifetime earlier and it breached the contract by charging an annual fee nowadays. But it's not a lot of bucks; I've heard it's about USD 10.00. Best Regards.

    PS: now I'm trying ProSecurity Pro and it's working smoothly. Thus, we can exchange experiences about this security software in the future. There is also a free version.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Is this the software you are talking about?

    Feature list of ProSecurity 1.30

    I. Process Guarding / Control

    Process Execution Restricts
    1. Restrict from executing
    2. Restrict from loading applications

    Process Protections
    3. Reading Memory
    4. Writing Memory
    5. Terminating
    6. Injecting thread
    7. Terminating by windows message and task end

    Process Accession Restrictions
    8. Read Process Memory
    9. Write Process Memory
    10. Terminate Process
    11. Inject Thread to Process

    Process Global Privilege Restrictions
    12. Read Physical Memory
    13. Write Physical Memory
    14. Install Service/Driver/Rootkit
    15. Install Global Hook/Install Hook to Other Process
    16. Modify Protected Registry Key / Value
    17. Access Network
    18. Modify Registry

    II. Registry Guard

    19. Registry Key Protection

    20. Registry Value Protection
     