HIPS - necessary or not? which is the best?

Discussion in 'other anti-malware software' started by carioca, Mar 24, 2007.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,226
    Hello
    If you so much fear what starts and what can / cannot do, don't use Windows. Second, if you do not answer each and every single prompt correctly every single time, your HIPS is useless. But if you so completely understand what each key, process, handle, thread, and so forth do unto one another, then you seriously do not need any monitoring tool.
    Mrk
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Mrk! I think your claim is not so true. I don't know what a handle is, what a thread is, and what a DLL injection can do. But of course if I see a weird file trying to execute from temp/browser temp folders etc., I will surely deny it unless I make sure it's a legit application. Same if I see something installing a driver while I have not executed any installation/update etc.

    I don't know how I can prevent all this without a HIPS, even with a lot more knowledge than I currently have. I agree though that HIPS are not a must, but I will not feel as secure as with a HIPS.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,226
    Hello,
    Exactly my point! If something starts from your temp folder, yes it might be suspicious. But what about something you install yourself? Will you be able to tell the difference when you're asked to allow the installer and abcd registry key?
    Mrk
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Without a HIPS, how can I even know of it, not to speak of blocking/stopping it?
    I can't tell the difference, but when I am installing something legit, I will simply allow all activity (allow once) related to it.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,226
    Hello,

    What is exactly legit software? How do you tell? Is a Sony CD full of songs a legit software? Is MS WGA Notification legit software? How can you be sure that the software you run is actually what it is? One could tell you about ZA process phoning home. And one could tell you about Steve Gibson making a claim the WMF vulnerability was Windows backdoor.

    I'm just giving you a few random examples that I can think of. Would you use ProcessGuard still? What about the download site getting hacked? Files infiltrated?

    It all comes down to one thing: YOU. Therefore, you can skip all the steps in between.

    Mrk
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Mrk, paranoia has no end but I like a bit of it and that includes a HIPS( but not must), nothing more, nothing less.

    Brief answers to your questions: ZA phoning home is more of a privacy issue and there is no privacy on the web. Same is true for Windows backdoors etc. Any music CD installing a driver is not legit unless proven otherwise. Legit sites/downloads are hacked very rarely.

    I will stop this discussion here as it will have no end. We can keep our choices and still remain happy.:)
     
    Last edited: Apr 13, 2007
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Mrkvonic, the backdoor or a backdoor?:ninja:
    Is there a reaction to that claim? I'd like to see the other perspective.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    One should separate the two principal methods by which malware installs:

    1) by remote code execution (code embedded in web sites) and inadvertent clicking on an executable, either in a .zip file or email attachment

    2) by installing a program - you disable your security and trust the installation.

    HIPS or simple execution protection is the only real safeguard for 1). It's pretty much accepted by many in the security community that AV is not reliable for this. From sans.org yesterday,

    For 2) there is nothing really to comment on, because everyone has her/his own ways of deciding what to trust, and how to check. If something works for you, who can argue otherwise?

    Not separating these two methods just confuses the discussion as to whether or not HIPS is necessary.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  9. light50

    light50 Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    30
    Speaking for myself, I have used HIPS for quite some time but it never actually blocked any malware, because I know where to look for stuff. The idea of having everything under your control is nice, but if you mostly install legit software, you don't need it.

    Even when installing a small application you will get prompts because the installation is adding this registry entry into that key, setting up a global hook or loading modules when you run the application for the first time, etc., and then you create a rule so that you won't have any prompts.

    Sure, I know what some parts of the registry are for, like start-up entries, services and other settings, and what a hook is, but I can't possibly know ALL the entries of the applications I install and ALL the modules that are loaded and what they do. I work/study on Visual Studio/Java creating database-driven applications, and with a HIPS installed I ended up clicking yes to everything in frustration, so I don't use it anymore.

    And you surely can't say 100% which is legit and which isn't with all this bloated software around. If you want more control, do your research and find an application which is lighter on your system, which does exactly what it is supposed to do. Example: I use Foxit Reader instead of Adobe, a plain and simple PDF reader.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't like the annoying multiple choice questions in HIPS, like YES or NO.
    I have only 50% chance to guess it right and without understanding what I'm doing and without knowing what will happen if I give the wrong answer.
    So I ditched all 'dangerous' HIPS software with such questions. That's not my idea of security.
    I don't want to feel myself 50% safe, I want 99% !!!
     
    Last edited: Apr 13, 2007
  11. EASTER.2010

    EASTER.2010 Guest

    Well, in my experience with HIPS, chiefly SSM, it finally rounds out safety and completes a full circle along w/ the other security programs in place and gives some, like myself, the 99% route. Shadow with PS and you add more shielding (99.9%), throw in FD-ISR and shadow it (110%), and short of hijacking the electrical current itself, tell me what cleverly crafted material is going to infiltrate your machine so as to disable your settings or controls. Wait, I can answer that: Microsoft Windows itself when it malfunctions internally or caves in on itself. :doubt:

    After some time & experience with SSM, for example, with security all but assured, I use the service/driver module prompt to measure the behaviors when a driver/service is loaded or stopped/removed etc. Same for other features: while it serves to PREVENT before the fact and give the user the control he expects, it also is a masterfully designed learning tool to provide you with useful indications of how your programs and other O/S files communicate throughout the system.
     
  12. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I had a combo a while back that I liked, processguard 3.4 free and cyberhawk free. Seems like together they'd do a pretty fair job. Naturally, I don't have either on my system right now, but I do like processguard.

    Toss in powershadow, sandboxie, geswall, or something like that for unsafe or suspicious type sites and you're probably okay.
     
  13. EASTER.2010

    EASTER.2010 Guest

    Hi again Chuck57

    I would also kind of keep an eye on EQSecure. I found it reasonably effective on first release in this forum and holding out for an update where it can also pull processes down that it blocks.

    Like SSM in some ways, but considerably different in others, it's extremely configurable if you're one of those who don't mind the time to set each and every permission to your choice. I admire the effort, and look forward hopefully to even better results from it.

    Of course with any of these, i would shadow them all with POWER SHADOW to keep things upscale and completely free from permanent damage.
     
  14. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    I agree. :thumb: It would not work where it would be needed the most, on the Family Machine. :(
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for agreeing with me. You are the 3rd one this month.
    Now I have to convince the other 62600 members. It's sometimes lonely at the top. :rolleyes: (j/k)
     
    Last edited: Apr 14, 2007
  16. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    # 4:

    I liked DSA, ProSecurity, et al., but they never actually stopped anything because there was nothing to stop. Now that I have PowerShadow (or Sandboxie or DW or BF or FDIR) it seems unnecessary. The switch to a non-IE browser (K-Meleon) seemed to be the most effective anti-malware move I made. So now I am running PC Tools Firewall behind my router/firewall and notice the difference in speed. In a few weeks, maybe I will ditch PC Tools Firewall. Oh yeah, just so you know, I'm on a bit of a zen kick. Less is more!
     
  17. EASTER.2010

    EASTER.2010 Guest

    After discovering the right choice of a security solution that you would need for the family machine, you could install & shadow with PowerShadow, then afterwards a simple reboot restores everything as before. It couldn't be simpler than that, even for the most novice of beginners.

    Sounds like if you were aiming for some fashion of HIPS for the family screen, then you would want to explore a more automatic type that requires basically nothing more than updating (by schedule?) and let it take over that control for you. I believe Prevx1 has been referenced many times as something on this same order.
     
  18. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Same here. HIPS - necessary or not ? has to be not for me. Great fun playing with these programs but anyone wanting 99% security should simply remove most of their unnecessary security programs and just take a little more care on the net. Less certainly is more -- more speed on an old pc for one thing.
     
  19. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    I am trialing Cyberhawk now because I hear it asks far fewer questions, say some here at Wilders, and the company boasts the same.

    Not sure but I thought EASTER may have said such a thing. Sorry if I am wrong. What do you think of CH for the family machine?

    EDIT: SSM might be fine for "MY PC" :)
     
    Last edited: Apr 14, 2007
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Get yourself good backup/restore software and an external hard drive. XP on a CD is also a good rescue (I use Bart's PE with DriveImageXML). When you loan an XP install CD, you can create an XP on a CD.

    I have the following restore options:
    - win restore and safe boot
    - when XP still loads, restore an image with PartitionManager
    - when XP does not, use dual boot, I have created a tiny, clean XP active
    partition (drive letter is normally hidden), with Partition Manager on it
    - Bart's PE with DriveImageXML to do a disk copy of a partition saved on my
    external disk

    Of course you could also buy First Defense.

    Regards K
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You guys do not do justice to DefenseWall, the 100% quiet HIPS!
     
  22. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    I agree :thumb:
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Not me, I consider DefenseWall as a possible and I already worked with DefenseWall, so I know how userfriendly and QUIET it is.
     
  24. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    So you think this is worth a look too, I take it? :doubt:
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I think it is. Giving it a try, won't hurt your feelings, maybe your wallet later. :D
     