HIPS or BB with outbound protection

Discussion in 'other anti-malware software' started by innerpeace, Jun 24, 2008.

Thread Status:
Not open for further replies.
  1. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I need to replace my current HIPS which is OA2. I'm looking for something free but I'm not interested in Comodo and I can't use OA free. If I need to use 2 different programs, I would like them to be light or, more importantly, quick. I have no idea how to make custom rules and probably all installs would have to be done in learning mode.

    I need some sort of outbound control. I'm already behind a NAT router and if need be, I can also enable the Windows XP firewall for 'extra' inbound protection. Leaktests don't matter to me, but I want to know when something connects out. All downloads are scanned by my AV, SAS and MBAM. Any other suggestions are welcome.

    Also, HIPS alerts still confuse me so I mainly use it as an anomaly detection tool. In other words, if I get a pop-up in the middle of doing something and that pop-up is unrelated, I will deny the action or temporarily allow it based on my gut feeling. Laugh if you want, but that is also why I still run an AV.

    My current XP Home SP3 Active protection setup:
    OA2 paid
    Antivir Premium
    Sandboxie for Firefox 3, Winamp, Miranda and they are set as the only programs that are allowed internet access. I also will tighten SBIE's rules after the new HIPS/BB install.

    On demand:
    Returnil
    SAS
    MBAM
    Virus Total
    Service tweaks
     
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Try ThreatFire.
    Custom rules are very easy to build, and there is a thread here on Wilders by Kees where he shows how to create them.
    With one custom rule you can have outbound protection in TF.

    BTW, it's light too.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi, innerpeace

    It sounds like cursing in church to you (as a proclaimed PRSC and DW fan), but . . .

    - use ThreatFire free and add an outbound custom rule
    "When any process creates 1 network connection, Except when the source process is in the system process list"
    - next download GeSWall Pro and install
    - try all your internet facing applications and try making prints with these applications (GW sometimes blocks named pipe access of printers)
    - when problems occur with printing, write down the conflicting names, look in the resources part and/or the application part of the console for these names.
    - change the security classification from deny or system to "redirect" (meaning virtualize as with Sandboxie) of these names

    Open the GW console and write down which internet facing apps you have (similar to untrusted processes of DW), make screenprints of the (general) resources part and the applications you wrote down. Save these screenprints.


    - uninstall GW Pro
    - next install the GW free version and manually enter all command lines which you saved in the screenprint
    - voila, you have got GW free with coverage of GW Pro

    I know GW is less user friendly than DW, but if you want to save money . . . (also be aware that moving a file from one partition to another changes the status from untrusted to trusted, so it is not as seamless as DW).

    Alternative (when trouble or the shock of using your favourite competitors is too much for you): buy a second DPRSC and DW licence, or use ThreatFire with SBIE ;)
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Hurst, thanks for your reply and the link. ThreatFire was one of the programs I had in mind but have never tried it. Kees is pretty sharp when it comes to set-ups. I wonder how well the outbound control performs?

    Kees1958, thank you, I was hoping you would give your input. Are you sure you're not confusing me with someone else? I have never used DW, which I hear is good, and I'm not sure what PRSC is (Primary Response Safe Connect?). If so, I guess it's a BB but I haven't read much about it. I'm definitely not a fan of any certain program and really hate to give up on OA, but it doesn't like it when I delete the sandbox.

    What you suggest is interesting. I also have a data partition and if I move a file there, it's ok if GW 'untrusts' it. Would it be of any benefit to run GW, ThreatFire (with outbound control), SBIE and Avira together if I'm the only one who uses the computer? Or would it be fine to use ThreatFire, Avira and SBIE? I want to wean myself from blacklist scanners, but I'm not quite ready.
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,119
    Location:
    Hawaii
    Check the HIPS-comparative table over YONDER and look on the row labelled "Network control." You will see several HIPS that fit your specifications. Among them is Dynamic Security Agent (DSA). DSA is free, does a bloody good job as a stand-alone HIPS, and also has SPI firewall capabilities.

    DSA can be configured to a goodly degree, but if you are addicted to having LOTS of tweakability, then opt for freebie Webroot Firewall, which includes a fully configurable HIPS (DSA) + firewall combination.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry,

    I was wrong (CognitoErgoSum is DW + PRSC), apologies for that.

    Bold statement: TF + GW = enough (when behind a router)! When you are the only one using the PC and have never made the mistake by accidentally removing a file in SBIE virtualisation pocket, stick to TF + SBIE.

    I prefer policy sandboxes over application based virtualisation sandboxes, also GW is quite fast. Another speed improvement tip: use Opera and skin it like firefox, you will love the startup time improvement.

    I am now experimenting with Rising, see https://www.wilderssecurity.com/showpost.php?p=1268124&postcount=13. When using a policy sandbox, the extra checks of TF are a 2nd safety net; I have so much trust in DW (also GW) that I do not need this overlap anymore. Also, downloaded files are trapped in the strongly limited user environment of DW/GW. DW's resource protection covers a lot of registry keys also now. Ilya will be providing outbound control in the near future (probably release 3.00).

    When you are not ready to drop blacklist scanning completely, you could try this:

    First level of Defense
    The network stack is the first contact with the external world, therefore you need a firewall. When you are not a firewall specialist (these are loaded with classical HIPS functionality, e.g. D+ of Comodo), the default XP firewall will do for daily home PC issues.

    Second level of defense
    This is the process stack. GeSWall to mitigate all internet facing apps in a very powerful limited user environment; it also chains downloaded files, paralysing most malware.

    Third level of defense
    Realtime check on known malware on INCOMING data streams only! Preventing it from entering the PC is why I use this (not for post infection situations). I re-installed Avast and only use the Network shield (filters on worms and backdoors), Web shield (browser), Internet-mail (Outlook Express), P2P (Limewire). The Messenger shield, Outlook shield and the standard shield (for real time protection of data/executables on your PC) are not installed. ThreatFire will replace the protection offered by the standard shield; Messenger and Outlook are not used on this PC.

    Fourth level of Defense
    Install ThreatFire, add the extra rule for outbound protection. When executable code and data arrive on your harddisk, TF will guard them, not by scanning all actions or trying to control all attack vectors (like D+ of Comodo). Instead it monitors sensible areas of your PC and looks for bad behaviour. When an intrusion triggers ThreatFire, it will track all actions of the intruder. When the intruder has collected enough bad behaviour points, TF will trigger a pop-up AFTER checking its antivirus blacklist database first. So when TF warns you, you know that it is not a known malware. So it can be a false positive or a zero day threat. TF has a reputation of throwing close to zero false positives at you. Besides that, you can always Google for the program causing the warning (just click "learn more from this threat"). Consider TF your gate keeper/goal keeper protecting your system on process and data level, with a blacklist and behaviour blocking HIPS.

    Regards Kees
     
    Last edited: Jun 25, 2008
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    TF custom rules are useless in fact, at least as far as outbound network access is concerned.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Aigle,

    The same applies to outbound control, because it is post infection detection for real malware; for people just wanting to know what programs initiate outbound connections, the custom rule will do, assuming TF will take care of the intrusion which led to a hidden/spawned outbound connection.

    I do not know (anymore) about GeSWall, but DefenseWall warns you when an untrusted resource wants to access another untrusted resource (e.g. spawning of Opera or IE), so you got direct outbound access covered (TF), Intrusions (DW + TF) and spawning (DW), how useless is this?

    What protection does Comodo offer you which is not provided by for instance TF + DW?
     
    Last edited: Jun 25, 2008
  9. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    DSA is very good and DW is very good. But how about this setup:
    TF free + AntiVir free + GeSWall free + XP/Vista FW = Safe, Secure and Simple computing! Use Kees' rule for outbound protection. You can leave TF at its default level and you're good to go.:D

    Ice
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    I will not get involved in the unnecessary comparison/discussion of products. One can use whatever suits him/her.

    Outbound control for me means, if you get a pop up you must be able to just deny the outbound attempt without killing the application itself. That is not possible with TF.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    TF will end (=kill) the process seeking outbound connection, so I understand why it is useless when you apply your criteria.

    Regards
     
  12. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Thanks bellgamin! I've been searching older threads about Webroot's firewall and found Hairy Coo's post on how to enable DSA's features. I'm not sure if it still applies to Webroot's current version though. I'll also have a look at DSA as it might be all I need. Thanks for the links and your advice.
     
  13. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    No problem ;). Cognito's signature of "Peace and Love" is very similar to my screen name.

    I'm really hooked on SBIE and it seems to fit the way I use my machine. I do see what you're saying about TF + GW and it is very tempting, but I'm not sure if ThreatFire's outbound would work for me.

    If this is true, I need a little more flexibility. For example, if I do a search in Windows and Explorer.exe wants to connect and I deny it then I'm in trouble right?

    I do appreciate your advice and it has me thinking about my "Levels of Defense". I'll do some more reading and have a look at some of the recent relevant threads as well as some of your other threads. It doesn't look like TF's outbound will help me, but TF may fit into my setup in another way. I will start trying some of the programs and see how it goes.

    Cheers
     
  14. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Hi Ice,

    Thanks for the input! In all honesty, that setup looks fine to me. The only problem is I am hooked on SBIE and need a little more outbound control. (I'm a control freak LOL.) I'm sure SBIE could be used in place of GW and I could still use TF, but I would still need something else for outbounds.

    It is a nice setup and I would have no problem installing it on a relatives computer if they would allow me. My sister needs all the help she can get :D.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Innerpeace,

    With your NAT router I would opt for DSA (not Webroot FW). DSA is one of the few products which protects against more threats than it claims to. NicM did some testing against DSA and it surprised. The new Vista compatible release does not suffer from forgetting the settings anymore (old DSA sometimes lost its settings, so you needed to train it again).

    DSA + Antivir + SBIE is strong enough
     
  16. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Kees,

    Thank you. I will give DSA the first shot. I've had my current setup for about a year now o_O and I've developed a pattern of habits because of it. I've also not tried anything new (realtime) in that time period so I'm a little hesitant as I'm not sure what I want or need. Anyways, I'll install DSA tomorrow and see if we get along.

    Regards
     
  17. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    I have a problem with DSA.
    After installation, it automatically blocks all the ping replies.
    When I ping my gateway, or any other DNS, from "run"
    then I get "request times out",
    even though I did not configure it to block pinging.
    As Webroot Firewall also depends on DSA, it suffers from the same issue.
    Any solutions?
     
  18. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I'm currently trying DSA. How do you configure DSA other than the obvious settings? Do you recommend changing any of the default settings? Also, how well do you think it does as an "anti-executable"?

    Regards
     
    Last edited: Jun 26, 2008
  19. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,791