HIPS needed - and which one?

Discussion in 'other anti-malware software' started by L Bainbridge, Aug 12, 2006.

Thread Status:
Not open for further replies.
  1. L Bainbridge

    L Bainbridge Registered Member

    Joined:
    May 15, 2006
    Posts:
    173
    Location:
    London,U.K.
    I have been using Process Guard as my HIPS up to now but have found it conflicts too much with FD-ISR to keep (and FD-ISR is an essential for me).
    My current security set up is NOD32, ewido 4, SpySweeper, Look 'n' stop and a Hardware firewall (Netgear) plus ATI and FD-ISR
    I'd be grateful for any advice regarding these two questions:
    1. Do I actually need a HIPS with this set up?
    2. Which of the following is the best or would play most nicely with my existing set up:
    PrevX1
    SSM
    Online Armor
    GSS/appDefend/ Reg Defend
    I know I should trial them all but being a bit of a sloth would rather narrow it down to a couple before doing this.
    Thanks
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Need? Absolutely not. Can it be a useful complement? Sure, but it depends on how aggressively you're exposed to potential malware. If you play with live malware or sometime tread where you shouldn't and you want a bit of a safeguard..., maybe.
    They all work fine. I guess I'd split the answer on whether you want/desire a lot of pop-ups/alerts/interaction (GSS/AppDefend/RegDefend or SSM) or prefer a quiet working-in-the-background approach most of the time (Prevx1 or Online Armor).

    Blue
     
  3. L Bainbridge

    L Bainbridge Registered Member

    Joined:
    May 15, 2006
    Posts:
    173
    Location:
    London,U.K.
    Thanks for that.

    Having used PG for 18 months or so I'm used to its, ahem, rather talkative nature, so SSM / GSS would not be that difficult to master and in general I've been quite pleased with PG - it's light on resources and stable and I've had no trouble from it other than the fact it does not like FD-ISR.
    What I'm looking for is something fairly light on resources and stable.
    I use Online Armor for my laptop and although it's good it keeps doing strange things to my start menu - not a big fault, I'll admit, but bloody irritating.
    I've heard from the PrevX fans on other posts that with it you can safely dispense with AT and AS protection and I wondered whether other more 'independent' people felt the same.
    I've always been a believer in layering defences but with ewido and SpySweeper renewal dates fast approaching I'm not unhappy to give PrevX a whirl if it really does let me dispense safely with some layers.
    I have to say my experience with PrevX Home pre-PG was that it turned my fairly high spec. PC into having all the responsiveness of a snail on tranquilizers and I'm not keen to do this again .....
    Any thoughts?
     
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,214
    I'd like to add to what's been said that the main reason I use a HIPS (PG for the record) is mainly to protect my security applications from termination (I've read at least one horror story about NOD32 being disabled by malware).

    As far as I know only few HIPS provide for this kind of protection, but then again there might be other ways to avoid such a threat.
     
  5. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    The new Prevx1 isn't the lightest HIPS, but it runs smooth on my comps. I currently use Prevx1 with NOD32 and Look 'n' Stop and it's great. I have SUPERAntiSpyware for on-demand only.
     
  6. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    I too was a ProcessGuard user pre FD-ISR. Changed for the same reasons also. Tried a few HIPS but settled for SSM. The app is low on resources, quick and has a great support / development team behind it. Most of all, it plays nicely w/ my other security apps. Give the free version a try prior to purchase.

    my $.02

    ...screamer
     
  7. herbalist

    herbalist Guest

    Apps like SSM and PG are "talkative" when the rulesets aren't complete or unknowns are launched. I've been using SSM for going on 2 years. It is stable and very light. It sits in my system tray silent most of the time. When initially installed, it will prompt about everything that's running or started unless the learning mode is used. Although it's been said before, it bears repeating because it makes a difference:
    Do not use the learning mode unless you're as certain as you can possibly be that your system is clean and free of adware/malware of any kind.
    If you do and malware is present, it will be treated as trusted software. Do whatever needs to be done to clean it first before installing SSM or apps like it. Clean out all your temp files before beginning, especially any executables that may be there. Oftentimes, executable files in temp folders are not items you want installed or run.
    With learning mode, figure on spending a few hours at least to get it configured, maybe more. If you prefer doing it manually, figure at least a day to cover everything. When I first started using SSM, it didn't have a learning mode. You had to launch each item and answer the prompts for them individually. The recent versions adjust both rules simultaneously for the process being launched (child process) and the one launching it (parent process). The old versions (before 2.0) on which I originally built my ruleset didn't even do that. If you didn't look closely, you'd swear that you were answering every prompt twice.
    The easiest way to get a ruleset for SSM finished is to put it in learning mode and launch everything on your desktop and start menu. If there are apps on either that you don't use, it's a good time to get rid of them. Make your scheduler start every task in it. Use all the functions of your office program, CD burner, and other software with multiple executables. Apps like CD burners often use different executables for burning data and music CDs. Same applies to office programs and different document types. Use your printers and scanners. For apps that get launched from more than one place, launch them from all locations they're normally started from. Example, launch your media player from both your desktop and your browser and let SSM (or another HIPS program) include them as allowed parent processes for the media player. Use all the entries in the "Send To" menu. If you use the "Run" entry on the start menu or a command prompt, do that too. When you use the browser, go to a site with PDFs and media files and open one of each. Run all the components of your AV, especially those involved in updating it. Scan something with it. If you have it integrated into a download manager or IM program, launch it from those locations. Do everything that you normally do. Access everything you use while in learning mode. The hard part here is remembering everything. Does your system ask you to use WordPad when you try to open a large text file with Notepad? Open such a file. Don't make rules for installers. They are "one time" items that don't need permanent rules. Avoid installing anything new during the rule making process.
    After you go through this process, with SSM still set in learning mode, the UI connected, and with the "Start automatically" option disabled, reboot your system. This will cover any items from the RunOnce areas of your registry, such as an entry for Script Sentry or similar application if you use them, as well as the shutdown process. If all goes well and your system reboots properly (it should) with no prompts, enable the "Start automatically" option and reboot again. If all runs as it should, uncheck learning mode. If you're going to use the paranoiac setting, do so now. This may cause you to see more prompts, especially on reboot, but the majority of apps are already covered. Leave the UI connected for a few days. There's bound to be items you've overlooked, like Windows Update or auto-updaters for other apps if you allow that behavior. I don't allow any auto-updaters, including Windows. If you covered everything you use, you'll see very few prompts from this point forward. If after a few days you don't see any, disconnect the UI. If you're working with a PC with multiple user accounts or profiles, make sure the ruleset is in effect for all of them. If you want to change settings for certain users, do it now and save the modified SSM configuration file under a user name, then instruct SSM to use that configuration for that user. If you want to use the Windows Filter module as a parental or user control tool (it's excellent for this), now is the time to set it up. In addition to being able to filter web pages by title entries (like closing any page with the word "Sex" or "XXX" in the title) it can also keep users out of any file or system folder you choose. I use it to keep others out of the control panel, folder options, system configuration utility, etc. on a few of the more troublesome PCs I maintain, people with kids whose friends won't leave things alone. SSM is ideal for this, especially on Win98/ME, systems which need that protection badly.
    Rick
     
    Last edited by a moderator: Aug 12, 2006
  8. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    Excellent Post Rick! :thumb: :thumb: :thumb: :thumb:
     
  9. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    If you choose a HIPS from the information category (or talkative if you prefer) I'd go for either GSS or SSM.

    You might find SSM more user friendly.
    However for different "behind the scene" reasons I prefer GSS.

    For example, for certain features, SSM uses polling rather than kernel hooks.
    I know it may be not noticeable performance wise on a fast computer but it's a bit slower and under certain conditions, possible to counter.

    As for which kernel apps are lightweight and which are not, it's hard to tell as they "hijack" other processes' time and memory. However a benchmark is under development.

    @Herbalist,

    This is a very nice post on how to configure any Hips.
    Another way of doing so is simply to use the computer normally and have it configured over a month or two instead of a day or two of hard work ;)
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
  11. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    GSS = Ghost Security Suite...:)
     
  12. herbalist

    herbalist Guest

    Normally I would agree, but there are a few problems with that. If you have Windows Update running automatically, your system can get changed before you finish, as can several other apps that auto-update. It also increases the amount of time that malicious software has a chance to get in while the learning mode is active, and end up being trusted. Except for the browser launching other apps and updaters for AVs, etc., you'd actually be better off not being online while setting up a HIPS. If you're dealing with a multi-user PC, and the users are young or otherwise not completely trustworthy, you don't want to have learning mode running when they're using it, and are able to install or change what they choose.
    Rick
     
  13. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    I recently purchased SSM, am very impressed with it, and think it was one of my better security software exchanges.

    It can be a little talkative but if you use learning mode properly, it's not that talkative (see Herbalist's post on using learning mode).

    I would definitely try the paid version in demo mode for about a week and test it.
     
  14. kdm31091

    kdm31091 Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    365
    HIPS can be annoying but I find them to be worth the annoyance. With browsers becoming insecure, even Firefox will eventually probably be somewhat insecure, it's good to have a surefire way to stop processes, etc.

    It's too bad you had the conflicts with PG because I use PG free and I find it's got one of the lightest system impact of any HIPS I've used. I've also used Prevx, Neoava Guard and SSM Free. Neoava caused blue screens, Prevx caused too much startup slowdown and SSM free wouldn't startup on boot at all.

    Spyware Terminator (http://www.spywareterminator.com/) comes with HIPS, antispyware and antivirus (from Clam) all integrated. The only problem is, when it blocks a virus or such, it doesn't really tell you specifically; the thing just won't load. I like to be told specifically. But it's a good HIPS and if you need it, AS/AV.
     
  15. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    True.
    I'm "testing" PrevxR at the moment:
    On a partition I have put a copy of Windows XP with as defense only a router and PrevxR. I use Internet Explorer (to invite the baddies) and deliberately visit "naughty" sites (for testing purposes only, as you will understand :rolleyes: ). I'm online about 4 hrs a day. I'm testing for 5 days now. PrevX protects very well: it caught a couple of nasties, among them a trojan. Now and then I check with an AV and an AS on demand and these find nothing (except a couple of cookies). Prevx does not slow down my rig (latest PrevxR version decreased use of memory noticeably) and does not conflict with other software.

    As for your other question, give the following proggies a trial:


    SSM: outstanding program with outstanding support. In the beginning a little "talkative", after that not anymore. Needs a little knowledge/interest of/in computers. I have thrown every test (leaktest, Spycar, etc.) I could find at it and SSM blocked every one of them. Trial the commercial version (price is a steal for what you get and it is a one time fee).

    Prevx: Very user friendly. Good support. Very suitable if you are the kind of "set and forget" user (ABC mode). Within the program there is an option for pro or expert mode. Integrated in the program is a firewall for controlling outbound connections. Cheaply priced (year license).
     
    Last edited: Aug 13, 2006
  16. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Herbalist is a very knowledgeable user and what he writes in his first post in this thread is absolutely true. However, there is a chance that there are readers who, after reading Herbalist's post, will refrain from trialing SSM because they might think the proggie is too difficult for them.

    Here is a way yours truly made his ruleset using the KISS principle:

    1. Make sure your bitburner is malware free
    2. Disconnect from the internet
    3. Install SSM and enable "learning" mode
    4. Run every program on your desktop
    5. Disable "learning" mode and connect to the net
    6. Now you are going to create rules by answering popups (often first, sporadically thereafter)

    If SSM asks your permission to run a process and you don't know what it is, go to this site: http://www.liutilities.com/products/wintaskspro/processlibrary/agrsmmsg/ . Type in the "Process Search" window what you're looking for to get more info.
    ;)
     
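    As a small added illustration of the learning-mode procedure described by herbalist and egghead above (this is constructed example code, not SSM's or any vendor's logic): launches observed while learning become allow rules keyed on child process with its permitted parents, executables in temp folders are held back rather than trusted, and once learning is switched off anything outside the ruleset is what would raise a prompt. Process names, paths and events are all made up for the example.

    ```python
    """Toy model of a HIPS 'learning mode' built around parent/child process rules.

    Constructed example: TEMP_DIRS, the event lists and all process names are invented.
    """
    from collections import defaultdict

    # Folders treated as temp locations (constructed values for the example).
    TEMP_DIRS = ("c:\\windows\\temp\\", "c:\\docume~1\\user\\locals~1\\temp\\")

    # Launches "seen" during learning mode: (parent process, child process).
    LEARNING_EVENTS = [
        ("explorer.exe", "firefox.exe"),
        ("explorer.exe", "wmplayer.exe"),   # media player from the desktop
        ("firefox.exe", "wmplayer.exe"),    # same player from the browser
        ("explorer.exe", "C:\\Windows\\Temp\\setup123.exe"),  # installer left in temp
    ]

    # Launches after learning mode is switched off.
    RUNTIME_EVENTS = [
        ("explorer.exe", "wmplayer.exe"),   # covered by the ruleset: silent
        ("winword.exe", "wmplayer.exe"),    # known child, parent never seen: prompt
        ("explorer.exe", "updater.exe"),    # never seen at all: prompt
    ]


    def is_temp_executable(path):
        """True for an .exe living in one of the temp folders."""
        p = path.lower()
        return p.startswith(TEMP_DIRS) and p.endswith(".exe")


    def learn(events):
        """Build rules {child: set(parents)} from observed launches.

        Temp-folder executables are not turned into rules (the thread's advice is to
        clean them out first); they are returned separately so the user can review them.
        """
        rules = defaultdict(set)
        skipped = []
        for parent, child in events:
            if is_temp_executable(parent) or is_temp_executable(child):
                skipped.append((parent, child))
                continue
            rules[child.lower()].add(parent.lower())
        return dict(rules), skipped


    def enforce(rules, events):
        """Return the launches that would produce a prompt once learning is off."""
        prompts = []
        for parent, child in events:
            allowed = rules.get(child.lower())
            if allowed is None:
                prompts.append((parent, child, "unknown process"))
            elif parent.lower() not in allowed:
                prompts.append((parent, child, "unexpected parent"))
        return prompts
    ```

    The two rules learned for wmplayer.exe show why the post says to launch an app from every place it is normally started from: a parent never seen during learning is prompted for even when the child itself is already trusted.
    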
  17. L Bainbridge

    L Bainbridge Registered Member

    Joined:
    May 15, 2006
    Posts:
    173
    Location:
    London,U.K.
    Thanks to everybody for their answers and ideas.
    I think I've narrowed it down to 2: Prevx and SSM.
    I'm going to trial them both with my existing setup using FD-ISR.
    With the competitive upgrade SSM and Prevx are about the same cost :)
    Thanks to herbalist for such great notes on SSM setup - and to egghead for turning it in to something a duffer like me can get his head around.....
     
  18. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Excellent choices since these two options do cover the range of approaches.

    You can probably get some insight into the style of program you are likely to gravitate to by looking at your software firewall preferences. If you like to dig down into the operating details and create customized rules, something like SSM is more likely to be in line with your style of interacting with the OS and your machine. If you prefer application based firewalling (simple allow/disallow by application), the Prevx1 approach is likely to be more in line with your style.

    Personally, I'm more of an application firewall guy (Outpost Pro with Rules Wizard or LnS using only application filtering) and do decidedly prefer Prevx1. Both approaches work quite well, but they have somewhat distinct target audiences.

    Good luck in testing....

    Blue
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Personally my choice will be SSM but as both are quite different in approach, many might prefer Prevx. In general, Prevx is better/easier for ordinary users with less headache to configure and to maintain (easier to manage different auto-updates, new installations etc).
    I have used Prevx for a while now and I will say though it still uses a bit of memory (39 MB on my system) but it does not slow down the system significantly as it used to do in the past, so it's much lighter now.
    I will advise you to try both one by one and choose the one you like.
     