HIPS Program recommendation needed

Discussion in 'other anti-malware software' started by wir.sing, Oct 13, 2006.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Wir Sing,

    When you do not mind pop-ups, dislike CIPS and like free apps:
    - GeSWall, SandBoxie or BufferZone (threat gate defense = first layer HIPS)
    - Antihook (process protection), Dynamic Security Agent (general) or SSM as a general HIPS defense layer

    Regards
     
  2. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Shutdown password seems to be an easy and traditional method (it also gives other benefits such as preventing other unauthorised users from changing settings), and I'm surprised that a lot of HIPS products do not have that. Particularly ones that make a big point about how good they are at preventing termination (not talking about OA though).

    I personally find entering passwords when changing settings quite troublesome. A crazy idea: allowing the user to set up a randomised, customised layout screen might stop all these simulated mouse clicks from being successful unless they guess correctly.


    I guess another thing to consider is how costly it is to include such measures. If it's going to take a lot of costly time and effort it will probably be excluded.

    My understanding however is that such methods (there are 2 of them) described in the threat simulator are pretty trivial and easy to include without much cost.

    I do agree that if the aim of the attacker is to spread as much as possible, adding such extra features to the malware is probably not going to help much (infect maybe 10 more people??).

    But someone who needs to hit a certain target for sure would certainly add these methods particularly since it's not that difficult.

    I don't think the comparison to antivirus fits though.

    The guys who are trying out against AV are probably creating variants or modifying existing malware, which is quite time consuming, so they naturally focus on the major ones.

    The two termination methods described are low cost and easy to include. So they will probably add everything.

    Just look at how some worms try to terminate processes corresponding to antiviruses. They include pretty much everybody, even the lesser known ones and not just the major ones. Why? Because it is trivial to do and not costly at all (just look for a list of AV processes).

    I submit that this case fits closer to what we are talking about than the earlier one.
     
    Last edited: Oct 15, 2006
  3. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Shutdown passwords would be really annoying I agree, but we may well need to implement something like that - or, a delay like on a nag screen where the "OK" button is greyed for a few seconds. There are likely more cunning things that could be done, but need to consider it a bit more.

    Randomised layout screens (unless the text and button classes/names were also randomised) would not really help. We just finished a project to force through installers automatically (parse the layout of the form, and click OK, accept EULAs, etc.) - it would make it harder for the user and lift the bar slightly for the malware writers.


    Yeah, you're probably right - in any case we'll be taking a look at improved termination protection fairly soon - not just for OA, but for other apps as well.
     
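The two controls Mike mentions above, a shutdown password and an "OK" button that stays greyed out for a few seconds, combined into one guard for a protected action. This is an added illustration, not code from Online Armor or from anyone in this thread; the class name, the delay and TTL values, the audit log and the FakeClock used to simulate time are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed policy values: the confirmation button stays "greyed out" this long
# after a shutdown is requested, and a pending request expires after REQUEST_TTL.
MIN_CONFIRM_DELAY = 3.0
REQUEST_TTL = 60.0


def hash_password(password, salt=None, iterations=100_000):
    """Derive a PBKDF2-HMAC-SHA256 verifier so the plain password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class ShutdownGuard:
    """Gates a protected action (shutting down the HIPS) behind two checks.

    1. A mandatory delay: the request cannot be confirmed until MIN_CONFIRM_DELAY
       seconds have elapsed, so an automated "click OK" the instant the dialog
       appears is rejected.
    2. A shutdown password, compared in constant time, which a script that only
       drives the GUI does not know.
    Every decision is written to audit_log; repeated too-early confirmations
    are the signal a defender would alert on.
    """

    def __init__(self, password, clock=time.monotonic):
        self._salt, self._verifier = hash_password(password)
        self._clock = clock                 # injectable so the delay can be simulated
        self._pending = {}                  # token -> time the shutdown was requested
        self.audit_log = []

    def request_shutdown(self):
        token = secrets.token_hex(8)
        self._pending[token] = self._clock()
        self.audit_log.append("request %s" % token)
        return token

    def confirm(self, token, password):
        requested = self._pending.get(token)
        if requested is None:
            self.audit_log.append("reject %s: unknown token" % token)
            return False
        elapsed = self._clock() - requested
        if elapsed < MIN_CONFIRM_DELAY:
            # Button still greyed: keep the request pending but record the attempt.
            self.audit_log.append("reject %s: confirmed after %.2fs, too early" % (token, elapsed))
            return False
        if elapsed > REQUEST_TTL:
            del self._pending[token]
            self.audit_log.append("reject %s: expired" % token)
            return False
        _, candidate = hash_password(password, self._salt)
        if not hmac.compare_digest(candidate, self._verifier):
            self.audit_log.append("reject %s: bad password" % token)
            return False
        del self._pending[token]            # one confirmation per request
        self.audit_log.append("accept %s" % token)
        return True


class FakeClock:
    """Constructed stand-in for time.monotonic so the demo runs instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk one request through the guard; returns the outcome of each confirm()."""
    clock = FakeClock()
    guard = ShutdownGuard("correct horse battery staple", clock=clock)
    token = guard.request_shutdown()
    results = [guard.confirm(token, "correct horse battery staple")]   # instant click: rejected
    clock.advance(MIN_CONFIRM_DELAY)
    results.append(guard.confirm(token, "wrong"))                      # on time, wrong password
    results.append(guard.confirm(token, "correct horse battery staple"))  # accepted
    results.append(guard.confirm(token, "correct horse battery staple"))  # token already consumed
    return results


if __name__ == "__main__":
    for line in demo() and ShutdownGuard("x").audit_log or []:
        print(line)
    print(demo())
```

The delay on its own only raises the bar slightly, as the post says; the point of pairing it with the password is that a GUI driver which parses control names can wait out the timer but still cannot supply the secret.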