HIPS Programs.

Discussion in 'other anti-malware software' started by Badcompany, Jul 28, 2007.

Thread Status:
Not open for further replies.
  1. Badcompany

    Badcompany Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    757
    Location:
    RUNCORN UK.
    Hello Forum,
    Do you really need a HIPS program? If so, which one of these is the easiest to set up and maintain: SSM, Dynamic Security Agent or Prosecurity? I have my AV, FW, SAS Pro and Boclean. Is this not enough?
    Badcompany.
     
    Last edited: Jul 28, 2007
  2. jm0307

    jm0307 Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    77
    Hello Badcompany,

    I am not qualified to answer your question, but I can point you to a recent thread in which I had asked a similar question.


    http://www.wilderssecurity.com/showthread.php?t=172990&highlight=HIPS+novice


    Best wishes
     
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I don't think they're necessary, but for easy-to-use I'd suggest Prevx2, Cyberhawk, or Online Armor.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'm currently running without one and don't think they're absolutely necessary either, however, I would say that if you're worried about something getting past your AV or otherwise slipping past your other security software, then it doesn't hurt to run one. I like ProSecurity Free myself...
     
  5. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    I think they are quite critical in some situations.
     
  6. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Your security is not waterproof so HIPS is a must if you worry too much.

    PS and OA all the way!
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes, you do need a HIPS program. Other security programs (such as antiviruses, antitrojans, etc) depend on blacklists -- which are descriptive patterns of the bad stuff that is PRESENTLY known-to-exist. If a NEW bad stuff comes around, the blacklist won't recognize it, and will NOT block it.

    HIPS do not use blacklists in order to recognize bad stuff. Instead, they will notify you if a certain process has never been seen before, or if a process is trying to do suspicious things, or if a process is trying to get into a sensitive area.

    At a department store (for example) ---

    1- A blacklist-based antivirus is like giving a security guard a description of Freddie-the hand, a well-known shoplifter who has been arrested many times -- 6' tall, blonde hair, pasty-green skin, walks with a limp, hunched-back, etc.

    But along comes light-fingered Louie, who has never been caught.

    2- A HIPS is like a roving security guard who follows Louie wherever he goes. That guard will notice and react to any suspicious behavior on Louie's part, SUCH AS: (a) loitering near the jewelry counter, OR (b) entering a fitting room with 2 suits, & exiting with only one suit -- and so forth.

    HIPS will almost always spot a "0day" nasty like Louie. A blacklist-based application will seldom do so.

    IMO, you need a HIPS that is (1) easy to use AND (2) good at its job AND (3) offers friendly/effective/fast tech support AND (4) is stringently maintained in an up-to-date status AND (5) is rock-steady stable.

    My short list of HIPS that best meet all 5 of these vital criteria:

    Online Armor

    Prevx

    DefenseWall

    Dynamic Security Agent
     
  8. Badcompany

    Badcompany Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    757
    Location:
    RUNCORN UK.
    Hello All,
    Thanks for all your replies, much appreciated. And the story from bellgamin makes things easy to understand, always an interesting poster. Going to try Prosecurity first, have read good things on this program and then DSA.
    Badcompany. :thumb:
     
  9. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    I wonder why Bellgamin doesn't list ProSecurity.
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    PS not listed because it falls short on criteria 3,4,&5.
     
  11. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, Bellgamin: Thanks for your informative input. I am running Prevx2 along with McAfee Desktop FW 8.5, BlackIce and Avast home. Would you suggest adding another one such as DSA (freeware) from your short list to my defense lineup? Your advice is much appreciated.
     
  12. Badcompany

    Badcompany Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    757
    Location:
    RUNCORN UK.
    Pro-Security installed, very easy to install and configure. No difference in the speed of my PC, looking good. Disabled two boxes in Comodo: Monitor DLL's and Monitor inter-process memory. This was suggested in the Pro-security forum.
    Badcompany. :thumb:
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yep, PS is a good choice, I think you will like it... :)
     
  14. Arup

    Arup Guest

    As per all the tests so far, PS outshines all and this program has the least amount of system impact in terms of slowdown etc. Considering all that, it's a well-rounded program with no surprises, does what it's supposed to without any issues.
     
  15. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Are you using the free or paid version of PS? If you are using the paid PS, are those components of Comodo supposed to be disabled in the free version as well?

    thanks
     
  16. Badcompany

    Badcompany Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    757
    Location:
    RUNCORN UK.
    I'm using the full trial version, but I think it applies to the free version as well.
    Here is the link for the forum: http://www.proactive-hips.com/forum
    Badcompany.
     
  17. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    When these questions arise, I am always amazed that I do not know a single person who has HIPS, yet they never get infected. I count myself in that group. Most use only AVG free, and some use Norton because it came on the system.

    Until I become convinced by infection, I will continue to resist installing all the various HIPS, sandboxes, and who knows what all on my computer.

    So from one who is not especially knowledgeable, but has remained clean since my first computer in 1999, my answer is "No" you do not need a HIPS program.

    However, if you are determined, and it runs well on your system then go for it.

    Best,
    Jerry
     
  18. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    After trying OA, SSM, GSS, Prevx and PG, I'm now trialing Pro Security.
    So far so good. Very stable and no conflicts with my other software. :D
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Aside from users/members who might routinely or even occasionally practice unsafe surfing for research or other purposes, for some like myself, HIPS has opened up areas of interest normally not too much discussed before, except in circles of security/malware/rootkit programmers and others very well learned of Windows internals system makeup.

    HIPS more extensively interrogates system calls and monitors areas such as SSDT Table and such in order to cover the likelihood of kernel-mode invaders who design to exploit deeper with stealth into the Windows core system.

    I agree to a point if you practice safe surfing with the security programs mentioned, you're relatively safe from the severest of exposures to extreme forms of malware, but keep in mind, malwares such as rootkits continue to evolve and improve in an effort to bypass security protections.

    At any rate another matter to consider which is wise would also be to have a plan at the ready such as a good imaging + rollback program. It's not always malware that can threaten PC stability, but simple legitimate software programs and even the Windows system itself is less than perfect, and can suddenly within a matter of time be it update or otherwise without warning can disrupt/interrupt your system thus preventing it booting up.

    Just a little something else to consider. ;)
     
  20. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    I've been a fan of SSM for about a year now. It serves me well. I run it on my main box & laptop.
    Since the slowdown in development of SSM and my licenses nearly up, I decided to look for an alternative. I bought an "all you can eat" license for Pro-Security.

    I installed it on my wife's machine and on my NAS box. The NAS is a Dell Dimension 8200 connected 24/7 downloading movies, music... via P2P. Everything D/L's to an ext HDD. It also serves as my scanner repository so I can distribute scans to any box in the building.

    In any case, PS is working well w/ zero impact on system. Installed 1.40beta version.

    ...screamer
     
  21. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Ah the bogeyman of rootkits and evolving malware...

    The point is if safe surfing and practices suffices to keep one safe it will do so, regardless of the power of rootkits. After all the rootkits don't have any magical ability to get on. No matter how malware evolves it still gets on your computer in a few standard ways - security exploit, misconfiguration of your system or you are tricked into running them (social engineering). Evolution of malware has made them harder to detect and remove, but they still get on your computer in the same old fundamental ways.

    Of course, if one can't guarantee that malware can't get in, rootkits make detection a little more difficult, but that's another story.

    The main thing I would worry about now is the increasing use of zero day exploits. Who has the time to keep up with updating all the various security updates? I don't just mean Windows, Office, but also Quicktime, Flash, Java, IM clients, email clients, browsers, pdf readers etc etc, and again this might be paranoid, but you might think you have the latest version, but some older version might be hiding in some corner...

    And don't believe the hype that HIPS will definitely protect you... It might, it might not.

    That is why I appreciate the things Secunia is doing with their online scan and now their PSI beta.

    If you rely on your security software to save your butt, whether it's some old fashioned antivirus or the most advanced HIPS promoted by the guys here, you will get nailed, it's just a matter of time.

    Don't believe all the hype... Get the basics right.
     
  22. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    To be fair HIPS today like SSM or PS are more like a nasty but dumb guard at the door who will keep asking questions on pretty much every action by pretty much every customer.

    Louie (or any customer) walks into the door, the guard will stop him, then ask the storeowner, do you want to let him in?

    If the owner says yes, Louie comes in and tries to walk to the back of the store to get something, again the guard will stop him first and ask the owner if he is allowed to do that.

    Louie then tries to take a loaf of bread off the shelf, again he is stopped.

    Then he tries to walk to the cashier to pay, again he is stopped..

    Then he tries to reach for his wallet to pay, again he is stopped..

    So on so forth...

    There are smarter guards of course, but they are way less effective (there's a reason why Cyberhawk and Sana's safeconnect and even Prevx do so poorly, I bet no one was surprised they sucked at NicM's test.)

    (1) is the killer. (1) and (2) pretty much is a big tradeoff. (5) is also a problem. Even SSM which has the most history and one would expect to be most stable has occasional problems, which is expected when you muck around with undocumented APIs.

    (3) is hard too since many are one-man outfits like SSM and PS. Here perhaps Online Armor and Prevx have the edge.
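
The contrast drawn in bellgamin's department-store post and LUSHER's reply above, as an added example that is not part of the original thread: a signature blacklist and a simple behaviour monitor run over the same constructed process events. All process names, signature labels and rules are assumptions made for the illustration and do not describe how any product named in the thread works.

```python
# Constructed sample data: every name, signature label and event is invented.
BLACKLIST = {"sig-freddie"}                        # signatures of known malware
KNOWN_PROCESSES = {"explorer.exe", "updater.exe"}  # programs already approved
SENSITIVE_ACTIONS = {"write_autorun", "load_driver", "inject_memory"}

EVENTS = [
    # (process, signature, action)
    ("explorer.exe", "sig-explorer", "read_file"),
    ("freddie.exe", "sig-freddie", "write_autorun"),   # known shoplifter
    ("louie.exe", "sig-louie", "execute"),             # never seen before
    ("louie.exe", "sig-louie", "inject_memory"),
    ("louie.exe", "sig-louie", "load_driver"),
    ("updater.exe", "sig-updater", "write_autorun"),   # benign but sensitive
    ("updater.exe", "sig-updater", "read_file"),
]

def blacklist_alerts(events):
    """Signature scanner: flags a process only if its signature is listed."""
    return sorted({proc for proc, sig, _action in events if sig in BLACKLIST})

def hips_prompts(events):
    """Behaviour monitor: prompt once per unknown process and on every
    sensitive action, whoever performs it."""
    seen = set(KNOWN_PROCESSES)
    prompts = []
    for proc, _sig, action in events:
        if proc not in seen:
            prompts.append((proc, "unknown process"))
            seen.add(proc)
        if action in SENSITIVE_ACTIONS:
            prompts.append((proc, action))
    return prompts

def prompts_per_process(prompts):
    """Count how many questions the user is asked about each process."""
    counts = {}
    for proc, _reason in prompts:
        counts[proc] = counts.get(proc, 0) + 1
    return counts

if __name__ == "__main__":
    print("blacklist alerts:", blacklist_alerts(EVENTS))
    print("HIPS prompts:", prompts_per_process(hips_prompts(EVENTS)))
```

The monitor catches the unlisted louie.exe that the blacklist misses, and it also prompts for the approved updater.exe writing an autorun entry, which is the prompting cost described in the reply.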
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Indeed, and exactly why it is most prudent and useful to keep a set of backup plans at the ready ALWAYS. This can be rollback + imaging apps in combo or one or another depending on which preference best suits for emergency and complete clean restore.

    There's nothing more reliable OR responsible than keeping exact backup copies of your entire system just for such occurrences.
     
  24. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Pro security is the easiest for me, I let the wizard auto scan my system drive and after that there's only minimal pop ups to deal with.
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes ProSecurity is easy to use -- IF & ONLY IF you blindly accept what Prosecurity's install wizard does, and you never try to actually USE Prosecurity's GUI in order to modify one of its pre-set application rules.

    To get a feel for this fact, simply try using the GUI for Prosecurity's applications module in order to fine-tune the rule for a given process. For example, just TRY & set a "block" rule for wgatray.exe. I'm not saying that you won't be able to eventually get it done. What I AM saying is -- find out for yourself how slow & unstable Prosecurity's GUI really is.

    Even the PSDeveloper recognizes this critical flaw.

    I am not an enemy of Prosecurity. In fact, I am a fan because I actually ENJOY the complexibility & configurability of so-called "classic HIPS". I am fully persuaded that Prosecurity is *most likely to succeed* in eventually becoming the very best in that category.

    However -- until Prosecurity has brought its GUI up-to-speed (literally!), I will not include it on my short list of HIPS that I recommend to others. My list is my list. Your list may differ. Fine -- that's why there's more than 1 flavor of ice cream. :D
     