HIPS programs: Who DOES NOT use them?

Discussion in 'other anti-malware software' started by CJsDad, Jun 24, 2006.

Thread Status:
Not open for further replies.
  1. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    I noticed between HIPS and security suites this seems to be the way to go as for now; who's to say what it will be like in another 3 to 5 years.
    So who here DOES NOT use any of them?
    What is your reason?
    If you use a HIPS program then fine, this is not a knock against them, just a legit question for the ones who find no use for them and why.
    Thanks.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I have one computer with no HIPS because I share it with my dad and I don't want to create any inconvenience for his web surfing.

    Having no HIPS doesn't make me feel any less safe and I surf on dangerous sites, p2p and play online games as usual.

    I could also use no HIPS on my main computer, but where's the fun in that? :D
     
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: I am one of those WHO DO NOT have HIPS. The reason? Very simple. My current defense system has flatly rejected the apps. Just to name a few: online armor, cyber hawk etc. I am not saying the HIPS are not good apps; what I am trying to say is that these apps are not MUST apps, not an integral part of your defense system. I have at present time the following: outpost fw pro, KAV pro, ewido plus, winpatrol plus and a few AS. These apps are heavyweight players providing a multilayered defense system; I have made myself refrain from d/l any HIPS until someone can convince me otherwise.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    u don't consider winpatrol an HIPS?
     
  5. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: I am under the impression that winpatrol plus is an AS. Or perhaps a crossover of AS and HIPS o_O
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    I've been using ProcessGuard for almost a year and sometimes I must say it has been a bit of a pain on my system as you don't know why something is not working properly, and as soon as you disable PG things run smoothly again. This is especially true for new applications.

    I suppose it is a small price to pay if you want to keep things under tight control. I presume that some people don't want to be bothered with warnings and deem their knowledge about computer processes inadequate to appreciate PG's full capabilities (I am in this category).

    So why do I have it? For two reasons: to protect my security applications from termination (mainly AV and FW) and hopefully from rootkits.

    Is there a way to protect security apps. from termination without having a HIPS installed?
     
  7. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    The way I see it, antispyware programs typically use signatures and scan files.

    OTOH, many HIPS don't rely on signatures and instead monitor your system areas for changes or your applications for odd behavior.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,
    I don't use HIPS for several reasons:
    I do not feel I need them.
    They are annoying with constant popups.
    They are confusing with their messages; even if I understand the purpose of a message, I do not wish to check my registry every time a HIPS decided to prompt me about something.
    They conflict with lots of software; btw, this is true for most strict programs (and security guides on the net), which are made for a single standalone PC, no gaming, no P2P, strictly mail and web configuration.
    No HIPS has fully satisfied my view of security software, although a number of products come close. And my view is - solid control with max. flexibility.
    Lastly, if you can debug what HIPS tell you - you do not need them. It's a paradox. If you're inexperienced, you need HIPS, but you cannot use them properly. If you are, you don't need it.
    Mrk
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    I have tried HIPS and I say it this way, if I would use internet banking, I would probably use Antihook additionally to make sure, that I have no keylogger in PC, otherwise, it is a "luxus".
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I agree and I will just add, if there is some more intelligent HIPS with less user interaction, I will like to use it. I found ZoneAlarm Pro HIPS to be least intrusive and intelligent, with an info available on internet if u want to check with the pop ups.
    I just install them for a bit play around.
     
  11. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    I've been using HIPS for a couple of years, first Process Guard, but I had to get rid of it because it was conflicting too much with some of my programs and also, like Mrkvonic said, too many popups.
    Then I had OA which was much better, but for a while my wife will be sharing my PC and there were still too many confusing messages for her, so I removed it also.

    Now I am really questioning myself, do I really need HIPS? And the answer is, I don't think so.
     
  12. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    I guess it depends what programs you run. Remember the Sony rootkit? Would it have been stopped with or without a HIPS?

    Currently I'm not running a HIPS. If I would, I would probably first take a look at SSM or PG.

    Instead of a HIPS I'm thinking about configuring limited user accounts.
     
  13. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    I'm using internet banking, but this requires a hardware token. Even if I had a keylogger active it still would require physical access to my hardware token.
     
  14. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I like the way mrkvonic summed it up...
    "If you're inexperienced, you need HIPS, but you cannot use them properly. If you are, you don't (need)it."
    I'm in the in-between category and use SSM, mainly for the registry/startup modules and the program md5 authentication. I was using kerio 2.15 for this function, but since I'm now using the AVG plus firewall version (which doesn't have md5 authentication) I took kerio off. Plus its termination (of other apps) is second to none. Handy for an old 98 system. The learning mode is handy too to get rid of most of the popups, and once that's done (and you take it out of learning mode) you're pretty much done. The continued support for 98 (well done guys) and the promise of making it easier to use in future releases makes this top hips software in my view.
    ellison
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I don't because they require too much user interaction.

    Easy without HIPS:

    1) running on limited account

    2) running a default-deny white list program that blocks unauthorized executables

    3) software restriction policies enabled (see posts by SpikeyB)

    4) MS toolkit (see posts at DSLR by Zoverlord)

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,
    The Sony rootkit could also have been easily prevented by not allowing the CD-ROM to autorun.
    Mrk
     
  17. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    I don't disagree, but doesn't this require the same amount of effort as configuring a HIPS?
     
  18. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    It's easy to stop the sony rootkit in hindsight though, isn't it? If it fooled a security expert like mark russinovich for a while, what chance would the rest of us have had when it first appeared? Hips do seem to have their place but there is always a trade off.
    ellison
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    White List programs require no configuring. On installation, the program creates the White List and that's all there is to it.

    For the others, I'm not familiar with configuring, but understand from reading the posts I mentioned that there is no user interaction (pop ups, etc) once configured. This is what I was referring to.

    No hindsight required - just foresight.

    You can be the best security expert in the world, but if you don't have the proper security setup in place - evidently he did not - you will be hit.



     
  20. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    That's pretty much what I do.

    Plus my drive permissions are locked down - everyone removed so users only have full access to their profiles, rest of drive (inc windows and prog files) are effectively readonly.

    It's how my machines are set up, it's how our company sets their machines up (we have 5000 users), not had a problem ever (from nt 4 to 2k to XP). I don't see a reason to see using HIPS - maybe in the future we might but currently we have no need to.
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    When HIPS programs did not exist, it made sense not to use them. Now that they DO exist, it is prudent to take advantage of the significantly extra protection they provide.

    In other words, the answer to the question posed by this thread can be found HERE.

    No offense, mates. Only keeding with that link.:cool:
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    RollbackRx
    GesWall
     
  23. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    When running Antihook for a day or 2 in a fingerprint mode on the system, which is not infected of course, it will get all necessary rules. Then it will just ask about once per week, so there is no need to configure it manually. Actually it is not a good idea to configure it manually; always when I tried to create rules my way, like blocking system's DLLs, I got BSODs. :)
     
  24. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Let's not fool ourselves, whether you call any feature HIPS or not, it is going to incur a cost and inconvenience compared to a guy who just runs Antivirus in admin accounts.

    White listing apps, software restriction policies etc etc.

    The main idea of so called HIPS is to provide a baseline of what your normal systems are and alert when it changes. Whitelisting of processes and files, pretty much fall into the same category.

    Will there be inconvenience? Of course. Popup or no popup, you still have problems. If you set it up for someone else, and the guy is a novice, he is going to complain all the time that something new he wants isn't working. If you teach him how to add to the whitelist, he might complain it's too inconvenient.

    I think the OP's question should be better posed as, who runs as admin account with antiviruses only?

    Once you start adding things on top of that, it quickly starts to get intrusive (from the POV of non-security freaks), whether you start using anti-executables, or just start running in a restricted account or run a full blown 'HIPS' that monitored a hundred and one things....

    The rest of us compensate by being far more paranoid than reasonable of course. Remember a security expert, doesn't mean one always advocates the most secure settings whatever the cost, but that one knows what are realistic threats, and what are the best trade offs.

    Let's not be so high and mighty here. The problem is that of trust. If you decide to trust Sony, and install some bundle, and it requires that you run with admin rights, then you would be nailed. It's easy in hindsight NOW to say you shouldn't trust Sony........
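
    The install-time white list, program hash authentication and "baseline, then alert on change" ideas raised in the posts above, as an added example that is not part of any post and not how any product named in the thread is implemented. It uses SHA-256 where the thread mentions md5; the file names, contents and suffix set are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".bat"}  # assumed set, for illustration

def digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_whitelist(root: Path) -> dict[str, str]:
    """Install-time snapshot: every executable under root, path -> hash."""
    return {
        str(p): digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }

def verdict(path: Path, whitelist: dict[str, str]) -> str:
    """Default deny: only a listed path with an unchanged hash may run."""
    known = whitelist.get(str(path))
    if known is None:
        return "deny: not on whitelist"
    if digest(path) != known:
        return "deny: modified since baseline"
    return "allow"

def demo() -> dict[str, str]:
    """Constructed sample files standing in for a freshly installed system."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firewall.exe").write_bytes(b"constructed firewall binary")
        (root / "mail.exe").write_bytes(b"constructed mail client")
        whitelist = build_whitelist(root)            # baseline taken once
        (root / "mail.exe").write_bytes(b"changed after baseline")
        (root / "dropped.exe").write_bytes(b"arrived after baseline")
        return {n: verdict(root / n, whitelist)
                for n in ("firewall.exe", "mail.exe", "dropped.exe")}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

    The two deny verdicts are the inconvenience the thread argues about: a legitimate update to mail.exe is refused exactly like a tampered copy until someone re-baselines it.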
     
  25. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    "The problem is that of trust."

    What about MS installing spyware on computers. I mean, a "genuine advantage tool". :T

    If you can't trust the people making your OS, can you trust those securing your OS? Not to get paranoid here.

    I know people who think even antiviruses are intrusive. [Mostly multitasking gamers who think that the real time protection and a firewall make them start lagging.]

    But I believe someone has said before. HIPS are a new thing. They aren't perfected yet. They require a lot of interaction, and those that don't require interaction may make the wrong decision.
     