HIPS Program recommendation needed

Discussion in 'other anti-malware software' started by wir.sing, Oct 13, 2006.

Thread Status:
Not open for further replies.
  1. wir.sing

    wir.sing Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    60
    I'm currently contemplating getting a HIPS program. Since I'm new to HIPS and there seem to be quite some informed people here, I thought I could just ask what you would recommend.

    I did a bit of reading on here, so I kinda know what I want. I don't like programs like Prevx. I prefer to be able to "control" my computer myself. And I just feel a bit uneasy about the whole reporting of what runs on your computer to a central database (maybe I'm just too paranoid). So I guess I'm looking for a more classical HIPS. And I don't mind bothering with popup prompts.

    So any programs I should use? Saw ProcessGuard, but then again I already read about quite a few ways to disable it, so I don't think it's really safe.
     
  2. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    No program is perfectly safe. Programs you should have a look at that are popular around here include ProcessGuard, GSS, SNS, PrevX and Online Armor - all of which have trial versions available. See which one fits your needs.


    Mike
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    If you want control, I can recommend Ghost Security Suite (AppDefend and RegDefend). It will prompt you for everything. I just installed Logitech mouse drivers and got about 40 confirmation dialogs.
    It is a bit time consuming but hey, if you want control you have to pay the price :)
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    While many vs minimal pop-ups can be a key attribute, understanding what to do with the pop-ups and what they really mean is much more important. In that respect, you either have to already know a fair amount regarding the OS on your machine, or be willing to learn it.

    Anything is possible with programs that are misconfigured and/or properly configured but provided unfortunate answers to alert pop-ups.

    As Mike and sukarof note, trial the options and see how you and your PC react. There is no single preferred answer and all the options mentioned above are solid (and there are others).

    Blue
     
  5. wir.sing

    wir.sing Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    60
    I know quite a bit about applications and the OS (as in Windows) to know what should and shouldn't be allowed.

    As said above I don't like the concept of CIPS (just my personal paranoia), so Prevx or Online Armor won't really do for me.

    Besides that I'll of course test what I personally like best, since I gotta be using it. But I just want opinions from experienced users here. Coz a couple of opinions generally create a better picture than my own.

    So on my test list is then:
    - PG
    - GSS
    - SNS

    Any other ones I should give a try? And any comments on the three listed above? Which one do you prefer and why? Any major downsides (missing features, bugs, exploits) to one of them? And a last question: is there a comparison of these programs somewhere?
     
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    wir.sing,

    I'd actually put SNS in the same category as Prevx and OA. If you don't wish to test either of those, I'd recommend taking a pass on SNS.

    SSM (System Safety) is a very good option, possibly the pick of the litter at the moment (positions change over time as new features, etc. are developed; my own current ranking would be SSM, GSS, PG - PS my ranking due to timeliness/level of support and configurability).

    Blue
     
  7. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I have long been a Ghost Security Suite (GSS) user and prefer it when it comes to HIPS.
    Before GSS I used Process Guard which was good too, but I liked the outbound network control and Regdefend in GSS.

    I have however lately gotten tired of all the popups. They have served me very well when educating myself on how things work, but I have found out after a couple of years that I don't need that much control, so I am trialing CIPS.

    Here is a link to a HIPS test. It is a bit old and I don't know if all the HIPS mentioned there are still developed, but it will give you an idea about them.

    http://kareldjag.over-blog.com/categorie-69553.html
     
    Last edited: Oct 13, 2006
  8. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Exactly my situation. Full control HIPS are great. If you know what you are doing or have taken the time to learn then they give you all the control of your PC. I did this. I've used SSM in the past and due to the 'current' small size of the whitelist in Online Armor it gives 'a lot' of popups. Great app by the way. I did however get fed up with the popups. Try installing anything that is a suite and you will sit there merrily clicking away for ages. Hey, and if a piece of malware was in there how would you spot it? You'd naturally assume it is part of the installation. This is why I opted for CIPS. It checks if it's good or bad, makes the decision and only asks me about the things it doesn't know. I just installed KIS6 last night and Prevx1 didn't peep. Everything whitelisted. Try that with SSM or AppDefend and you'll have sore fingers after it's finished installing.

    muf
     
  9. wir.sing

    wir.sing Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    60
    I actually meant SSM and not SNS. Read about it in another thread. But you know, S and Ns and Ms all sound so alike o_O

    Thanks for the link to the comparison, sukarof. I'll take a look at it.

    I'm currently using KIS 6 as my AV/AT/AS & firewall and now I read somewhere that its Proactive Defense possesses some HIPS-like features. Anyone know about that? And if yes, can they compare to a standalone product like SSM, PG and so on?
     
  10. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    Yes, KIS Proactive Defense is HIPS based, is a good one, and is being improved for the MP1 version of KIS and KAV. The only feature it lacks is process termination protection, but you can also use the SSM free version with KAV or KIS and it will be a great layer of security.

    :cool:
     
  11. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    The blog link that sukarof provided has a summary of the different types of HIPS programs. Even within the HIPS category, there are varying degrees of what is monitored on your PC. There are classical HIPS, community based HIPS, sandboxes, etc. Two of the newer programs that I have come across are Cyberhawk and AntiHook. Most of the current users will probably have more familiarity with the older programs. Many of the more traditional antivirus, antispyware, and firewall programs have been modified to include some HIPS functionality, so there is increasing overlap between applications now. This can cause confusion and conflicts. It isn't cut and dried like word processing, spreadsheet, and database programs as in the past. I have been considering adding GSS to my system, but the tediousness of constant pop ups makes me think twice before trying it out.
     
  12. herbalist

    herbalist Guest

    wir.sing,
    There's nothing paranoid about wanting to be in control of your PC without divulging everything you run to a 3rd party, even if it is a security application/service. If taking control is what you prefer without relying on someone else's whitelists or blacklists, check out System Safety Monitor. SSM will let you decide just how much control you want. It can be as simple as allowing and blocking processes or as detailed as specifying allowable behavior for each individual application, including what other apps each one is allowed to start or be started by, which can set hooks, terminate processes and much more. While SSM is more configurable than most, it will prompt more. SSM is not a good choice for inexperienced users as it does require you to have a basic understanding of your system and how it works. One of the main differences between SSM and apps that use whitelists is that with SSM, you're making your own whitelist, not just one of allowed apps but one that specifies what these apps can and can't do. Needless to say, it's for users who know (or are willing to learn) what the apps they want to control are and what they do. SSM doesn't differentiate between system files, legitimate software, or malware. That's in your hands.
    Regarding prompts, SSM does prompt. How many prompts you'll see depends on several factors. Learning mode saves a lot of prompting but should only be used on systems you know to be clean. What settings you use will greatly affect the number of prompts and the resulting configuration you'll have to do. The tighter the desired control, the more prompts you'll be answering. Other than settings, how you use your PC will affect the amount of prompts more than anything else. If you're always installing new software or changing settings, you'll be continually prompted. On systems like these, apps like SSM can be quite inconvenient. If you have a finished system, one that has the software you want installed and configured the way you want it, one that doesn't see many changes, SSM will prompt very little if at all, once you have it configured. Conventional HIPS software basically prevents changes to your system. While they effectively prevent unwanted changes (unless the user allows something they shouldn't) that same behavior makes it more inconvenient or difficult when the user wants to make changes or new installs.
    Right now HIPS software is being improved at a fast pace, with many vendors improving their versions. Which one is best can change by the day, but all the good ones are getting better. If control is your priority, look for the one that has the control options you want. Most of the HIPS vendors have screenshots on their sites.
    Rick
     
  13. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    Currently I am using SSM Free with KIS 6.0 and all is working fine, worth a try.
     
  14. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    I would add ProSecurity to the list. New version has just been released. See here. Better than all the 3 above. Another good option would be SSM 2.2 when it comes out of beta, which should happen somewhere in the next few weeks I guess.

    PG? Obsolete, lacks registry protection and other features you can find in more up to date HIPS (e.g. low level disk access, basic network firewall, etc.)
    GSS? RegDefend is good, AppDefend in principle too, but will it ever come out of beta? No new version since >9 months if I remember correctly. The combo is expensive.
    SNS? No, thanks. I wouldn't support that company. They messed up my PC once with their Starforce cr*p.
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Making such assumptions is not "natural" to those who have learned even the barest basics of prudent computer usage.

    My 9-year-old granddaughter uses SSM and she does not make foolish assumptions about protecting her personal computer. She knows how to research processes at places like Process Library & Google, and readily does so when necessary.

    Ah me... I never cease to wonder why some folks feel it is necessary to trash apps that compete with their particular preferences.:cautious:

    Meanwhile, back at the thread -- you might also want to take a look at Pro-Security -- it's a relatively new HIPS in approximately the same genre as SSM, & is looking well worth a trial, I think.
     
  16. wir.sing

    wir.sing Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    60
    Thanks for all the good information. What makes me feel a bit uneasy though, is the following:
    http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp

    If a harmless threat simulator is already capable of disabling nearly all of the current HIPS programs, why shouldn't a malicious program be able to do the same? On the other hand you could of course say that it isn't the job of a HIPS to care about what happens if malware gets installed, but only to stop malware from getting installed. But as you see in the example, the real malware was only installed after the HIPS programs got disabled. So if the HIPS had been able to "fight back" or "stop" itself from being disabled, then the real malicious software wouldn't have been able to be installed, or you would have been warned about the installation at least.
     
  17. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    So when she is installing a new piece of software she looks up every process and file that is being prompted. Find that unusual, but good for her. But she's in a massive minority. Most 9 year olds only know the basics of PC use, let alone running and controlling a HIPS like SSM. How many more 9 year olds do this? Maybe 0.0000001% of the world population? And as I've mentioned many times, I've used SSM over a year, so I know all about the 'full control' thing. If I was installing a new piece of software I never did look up every prompt, and maybe you do look up every process and prompt but I reckon you are in the minority. In fact most full control HIPS users turn off their HIPS while installing something. We have seen lots of threads where users of say PG state they turn off their HIPS while installing. Turn it off? That's not really a good way to have full control is it?



    I never trashed anything. Re-read my posts, here or any other thread and you will see I give them high regard. Point me to one where I 'TRASH' a full control HIPS.

    muf
     
    Last edited: Oct 14, 2006
  18. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Bellgamin has a very smart grandchild for sure. ;)

    Herbalist has good news then as these programs are improving and maturing right along, which is why I am watching and waiting before I make my move. I am one of those who sets a system with certain programs and only a little changes and tweaks along the way on my PC. I could never tolerate so much control as to have pop up after pop up after pop up...that just drives me totally o_O A learning mode is very important to me in using these types of products. For example, I found Ad-Watch on Ad-Aware Plus too bothersome...:p :rolleyes:

    :eek: 40 dialog boxes oh my o_O time to take Mercurie to the loony aviary o_O :mad:
     
  19. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Good point. I am sure all of the vendors (ourselves included) will have a look at this, and figure out a way to prevent it or at least give the user some indication that things are being shut down - or make it harder in general to shut down (a shutdown password is one of the things I am considering the practicalities of, for example, although I am yet to give it detailed thought.)

    Having said that - how big of a userbase do these products really have? I've seen claims on Wilders somewhere that Prevx has 500,000 installed users. We (Tall Emu) certainly have a lot less than that. From some posts made by Wayne when TDS was discontinued one can make some guesses at the userbase of PG - AppDefend I am not sure about, but let's be generous and say that it's equal to PG.

    The reason I mention this (I'm getting to my point in a longwinded sort of way) is that in internet terms, all of the applications I have mentioned are niche. The malware writers typically go after the well known vendors - even so far as testing their wares against those products to try and ensure what they release evades detection.

    A ZDNet article I read mentioned (rightly or wrongly) as a contributing factor why the Kaspersky engine (or NOD32, can't recall which) detected a significantly higher number of viruses than Norton. Whether it's true or not - if I were in the business of writing malware, one of my tests pre-release would be to run it through the common AV apps to see whether it was heuristically detected.

    So, yes, DFK Threat Simulator can disable these apps - but the chances of attacks on the apps mentioned are currently slim - with the obvious exceptions of the mainstream AV apps. So all the vendors will make adaptations and then someone else will figure out a different attack and the game will go on.
     
  20. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Muf
    Heh; yes.

    But PX did warn me about the BOClean installer!!
    Could be the way it is packed or encrypted.
    Could just be a very small bunch of deeply demented users who don't qualify for the "community" badge LOL

    @wir.sing
    Go to post #3 here for a demo of PX:
    https://www.wilderssecurity.com/showthread.php?t=150091

    Regards
     
  21. herbalist

    herbalist Guest

    I would have liked to try that threat simulator on my system but it won't run on it. Worse yet, I didn't even get to see the video! I do have one observation on it though. While I couldn't run the test to completion, even on my box, the user had at least 2 opportunities to defeat it. The "projector.exe" alert should arouse suspicion no matter what. How many here have PCs that don't have Flash Player installed? Even if the user doesn't have Flash and allows it, the 3rd prompt should have set off alarms in any security conscious user. My point? In this example, the software didn't fail. Most HIPS intercept the "attack". The user failed by allowing the attack to go forward, twice. The first part of that test targets the user, usually the most vulnerable part of any security package. Since I run an older operating system, I'm limited to using SSM (limited to the best, how ironic!) so I can't address the other HIPS software, but that test scenario leads me to a question.
    Why is the user running with the HIPS UI (user interface) connected? SSM will flat out block all unknowns when the UI is disconnected, which is how it was intended to be run. If an app like SSM is being used on a multi-user PC, say one that has separate accounts for the kids, I would hope that a HIPS would be configured to not prompt these users (UI disconnected, password used), which would avoid such a problem entirely. Even on the primary or "administrator" account, finish that ruleset and disconnect that UI! Let the HIPS software say no for you so you don't get deceived into saying "yes".
    There's too much emphasis put on "tests" and testing how well a specific HIPS, firewall, AV, etc does against a specific test. How well any specific security application does isn't that important. What matters is how well your security package as a whole does.
    It's a terrible way to maintain control over a system. It defeats the whole purpose of having security software. During software installs, your system is more vulnerable than at almost any other time. If that software install includes some bundled adware or malware, your system is compromised, period. Leave the HIPS on, regardless of whether you trust the source of that new software or not. You have no guarantees that the place you downloaded that software from hasn't been recently compromised, with something being added to that item you're installing. You can't usually guarantee that you haven't been redirected to a duplicate site (DNS server compromised) designed to deceive people, if you even bothered to check. Phishers make such sites all the time. Monitor every install, no matter what it is. You're going to have to make HIPS rules for that new software anyway. Shutting down a HIPS for new software installs can cause operational problems as well, especially if you use restrictive settings that block new registry entries, drivers, etc, (like SSM's paranoid mode) or if the software requires a reboot.
    I couldn't agree more! Maybe the term "trash" is a bit strong, but there's too much misuse of the term "obsolete".
    If that kind of reasoning is carried to its logical conclusion, then any security program that doesn't perform all security related tasks completely and effectively is obsolete and should be replaced. Why do people insist on having everything all in one package? I see this kind of argument used against older firewalls regularly. Comments like:
    It's obsolete, doesn't have HIPS, popup blocker, behavior blocking, etc.
    There is no single security program/vendor package/suite that can protect you from everything. Asking one program to protect you from everything is asking to be compromised. A firewall doesn't need to have built in HIPS. HIPS doesn't have to include built in registry monitoring or an integrated firewall. Registry protection can be supplied by a separate application. HIPS doesn't need to include a basic network firewall. What, you don't already have a firewall? Why would another one be necessary? The only reason for wanting everything in one package is to save the user from needing to assemble their own package. That's putting convenience ahead of security, a one time convenience at that. If a user has a choice of using the firewall that comes with a HIPS or using a separate but more effective firewall, I would hope they'd disable the built in one and use the separate firewall. The same applies to firewalls with HIPS components. If a separate HIPS program is better than the one that comes with a firewall, disable the one built into the firewall and use the separate one. Use the same reasoning for registry protection. It's not only unnecessary that one program perform all these functions, it can actually make you more vulnerable than you would be if separate applications were used for these purposes.
    Putting aside the "which is better" issues, keep one thing in mind. Most of the better HIPS can defend themselves against direct attack. Most attacks that can defeat HIPS software don't directly target the HIPS. They target the user. No security-ware can completely compensate for user error.
    Rick
     
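As an added illustration (not code from this thread, from SSM, or from any other product named here), the following toy policy evaluator models the rule style herbalist describes in post #12 (per-application rules saying which programs an app may start or be started by, whether it may set hooks, and which processes it may terminate) together with the point in post #21 that with the UI disconnected all unknown activity is simply blocked, and the caveat in post #12 that learning mode records whatever it sees and so belongs only on a known-clean system. The log format, the program paths and the events are all constructed for the example.

```python
"""Toy per-application HIPS policy evaluator (illustration only, not SSM's code).

Each application has a rule listing what it is allowed to do.  Activity that no
rule explicitly permits is "unknown" and handled according to the HIPS mode:
  - "learning":      record the activity as allowed (only safe on a clean box)
  - "prompt":        ask the user (the UI is connected)
  - "disconnected":  block outright (the UI is disconnected, the ruleset is final)
"""
import copy
from dataclasses import dataclass, field

ALLOW, BLOCK, PROMPT = "ALLOW", "BLOCK", "PROMPT"


@dataclass
class AppRule:
    """Per-application rule; all paths in this example are hypothetical."""
    may_start: set = field(default_factory=set)          # children it may launch
    may_be_started_by: set = field(default_factory=set)  # parents that may launch it
    may_set_hook: bool = False                           # may install global hooks
    may_terminate: set = field(default_factory=set)      # processes it may kill


# Constructed ruleset, as a user might have built one for a "finished" system.
RULES = {
    r"C:\Windows\explorer.exe": AppRule(
        may_start={r"C:\Program Files\Firefox\firefox.exe", r"C:\Windows\notepad.exe"}),
    r"C:\Program Files\Firefox\firefox.exe": AppRule(
        may_be_started_by={r"C:\Windows\explorer.exe"}),
    r"C:\Program Files\Logitech\SetPoint\SetPoint.exe": AppRule(may_set_hook=True),
}

# Constructed event log in a made-up '|'-separated format:
#   <time>|start|parent=<path>|child=<path>
#   <time>|hook|proc=<path>
#   <time>|terminate|proc=<path>|target=<path>
EVENTS = [
    r"2006-10-13T12:00:01|start|parent=C:\Windows\explorer.exe|child=C:\Program Files\Firefox\firefox.exe",
    r"2006-10-13T12:00:02|hook|proc=C:\Program Files\Logitech\SetPoint\SetPoint.exe",
    r"2006-10-13T12:00:03|start|parent=C:\Program Files\Firefox\firefox.exe|child=C:\Temp\unknown_setup.exe",
    r"2006-10-13T12:00:04|hook|proc=C:\Temp\unknown_setup.exe",
    r"2006-10-13T12:00:05|terminate|proc=C:\Temp\unknown_setup.exe|target=C:\Windows\explorer.exe",
]


def parse_event(line):
    """Split one log line into a dict with 'time', 'kind' and the named fields."""
    time, kind, *fields = line.split("|")
    event = {"time": time, "kind": kind}
    for item in fields:
        key, value = item.split("=", 1)
        event[key] = value
    return event


def explicitly_allowed(event, rules):
    """True only when some rule permits this exact activity."""
    kind = event["kind"]
    if kind == "start":
        parent, child = event["parent"], event["child"]
        return (child in rules.get(parent, AppRule()).may_start
                or parent in rules.get(child, AppRule()).may_be_started_by)
    if kind == "hook":
        return rules.get(event["proc"], AppRule()).may_set_hook
    if kind == "terminate":
        return event["target"] in rules.get(event["proc"], AppRule()).may_terminate
    raise ValueError(f"unknown event kind: {kind}")


def learn(event, rules):
    """Learning mode: whatever is observed becomes an allow rule (good or bad)."""
    kind = event["kind"]
    if kind == "start":
        rules.setdefault(event["parent"], AppRule()).may_start.add(event["child"])
    elif kind == "hook":
        rules.setdefault(event["proc"], AppRule()).may_set_hook = True
    elif kind == "terminate":
        rules.setdefault(event["proc"], AppRule()).may_terminate.add(event["target"])


def evaluate(event, rules, mode):
    """Decide ALLOW / BLOCK / PROMPT for one event under the given mode."""
    if explicitly_allowed(event, rules):
        return ALLOW
    if mode == "learning":
        learn(event, rules)
        return ALLOW
    if mode == "prompt":
        return PROMPT
    if mode == "disconnected":
        return BLOCK
    raise ValueError(f"unknown mode: {mode}")


def run(lines, rules, mode):
    """Evaluate a log; returns (decisions, resulting ruleset) without touching `rules`."""
    working = copy.deepcopy(rules)
    decisions = [evaluate(parse_event(line), working, mode) for line in lines]
    return decisions, working


if __name__ == "__main__":
    for mode in ("prompt", "disconnected", "learning"):
        decisions, _ = run(EVENTS, RULES, mode)
        print(f"{mode:13s} {decisions}")
```

The three runs make the thread's point concrete: the same unknown installer that a connected UI turns into three prompts is silently stopped once the UI is disconnected, while learning mode adds it, its hook and its termination rights to the ruleset, which is why that mode is only appropriate on a system already known to be clean.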
  22. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I believe that was the one based on a "retroactive" type test, testing new malware against each of the vendors, and the subject of the article was that 80% of new malware slips past AVs, with Kaspersky being an exception due to their response times (I don't believe they tested NOD32 at all). I do agree, however, that lesser known apps have a bit of an advantage in that area. Malware writers aren't going to target them specifically as much. I have seen some malware that does things like initiate a shutdown and abort it a short time later, thereby shutting down anything regardless of its protection (I don't know, but I suspect that this method still targets specific software, point being that there's always ways around your protections).
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Rarely is it necessary to look up information concerning every pop-up. That is because the regular use of a HIPS can help the user to learn a lot. Using HIPS builds knowledge. Thus it becomes easier & easier to know what NEEDS to be researched, and what doesn't.

    If my granddaughter is unusual, it is only from the standpoint that she has been taught basic security principles and given the opportunity to be responsible for her own computer. I cited her example only because -- if she can do it, I figure an adult can, too.

    The HIPS she uses functions as tool & teacher, for her use in making good security decisions. But it doesn't take over those decisions from her. After all, learning & practicing security is bloody good fun. It's like a great chess match against a skilled opponent. Something to learn from, and enjoy. For many of us, it's the main reason why we hang out here at Wilders.;)
     
  24. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Well said bellgamin. If only everyone who uses the net was as clued up as your granddaughter. Adults included. My god, I was climbing trees and playing ball in the park when I was 9. How times have changed eh? Mind you, the only PCs available when I was 9 were bigger than my house!!! Ya gotta love technology...

    muf
     
  25. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    I've found the article I was referring to. Mildly interesting reading...

    http://www.zdnet.com.au/blogs/secur...pps_do_not_work_/0,139033343,139264249,00.htm
     