HIPS question for egg-spurts

Discussion in 'other firewalls' started by bellgamin, Jun 18, 2018.

  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,153
    Location:
    Hawaii
If you are about to run a trusted program, which of the factors on this picture would you OFTEN set to "Ask" just to be on the somewhat paranoid safe side?
    [attached image: ScreenHunter_01 Jun. 18 12.56.gif]
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,768
    Location:
    U.S.A.
    It depends on the program. Specify a category; for example - browsers.

Also, the way a HIPS works is you are creating rules to protect the process, file, registry area, etc. against malicious activities by unknown or untrusted processes. Or you are restricting what activities a known process can perform, such as execute, create a child process, etc.

Conversely, a behavior blocker is monitoring a process for malicious activities against other processes. Here a process's trust or reputation status would factor into what activities should be monitored. Likewise, behavior blocker rules are global in nature whereas HIPS rules are specific.
     
    Last edited: Jun 18, 2018
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,153
    Location:
    Hawaii
    Itman -- I understand that. What I am asking for is "IN GENERAL". For example, a very few programs should ever initiate a shutdown, or logoff, or write to a protected registry area, or terminate a process. So an "Ask" popup (not a "Deny") would be a stimulus for an occasional "pause & consider".

    A casual user of, e.g., Private FW (with HIPS) can easily get into the habit of quickly doing an "allow always" for, say, 7-zip, or his beloved email client, or any number of other long-used & trusted apps. An "allow always" puts every item on the list in the allow column, as shown (real example) in the picture.

Unfortunately, those apps would then have big power to screw things up if ever they were contaminated. On the other hand, if the "allow shutdown" item was designated "ask" instead of "allow", then -- if I got a popup saying my trusted browser is attempting to shut down Avast -- I *might* ask myself "WTF?"

    IMO, blanket "allow-always" can be a hazard if that option puts "allow" on every item in the list I have shown.

    In other words, WHICH items on the list should have to be intentionally placed in the allow list instead of automatically being placed there by "allow always"? To put it another way: Which are the most *dangerous* powers on that list?
     
    Last edited: Jun 18, 2018
  4. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,061
    Location:
    UK
    Which hips is this?
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,534
    Dusting off old notes...
    All. None. It depends.
    You'll get as many answers as people who used Private FW.
    For what it's worth, on Windows7 I paid special attention to:
    Terminate process
    Set hooks
    Promiscuous or raw sockets
    Adjust privilege
    Physical memory operations
    Write protected registry
    Manipulate protected file objects
    Terminate threads
    Set windows hook
    Initiate shutdown
    Installers, temp use, always a thing to watch.
    And I was always confused, so don't take my list seriously.
    OA and SSM and Outpost and Private all use different words. It's confusion galore in the HIPS world.
     
  6. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,061
    Location:
    UK
Hmm, Private Firewall looked different to me options-wise when I tried it.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,768
    Location:
    U.S.A.
Private Firewall is a "re-bagged" version of the commercial Dynamic Security Agent product developed circa 2004 with certain commercial features disabled.

It can best be described as a combo anti-exec and behavior blocker. When a process undefined to it attempts execution, you will have to specify what Windows APIs you want to monitor for the process. Note that the previously posted screen shot of action descriptions corresponds to Win APIs; e.g. "set windows event hooks" corresponds to SetWinEventHook and "set hooks" corresponds to the SetWindowsHookEx API, etc. Per the PFW .pdf:
    I believe it has default predefined Process Inspection rules for Win trusted system processes, browsers, and other select app processes. I also believe the process "trusted/untrusted" status factors into what default rules are created for it. All I will say is PFW is "ancient" software minimally maintained by the developer. By that, I mean it has only been updated for new Windows OS version compatibility; not so for apps that use new features in those versions. I also question its current API monitoring capability since numerous new APIs have been created since the Win XP days.

    Again what you have here is a commercial product designed to be configured by system pros with Win OS internals training.
    Bottom line - they are all potentially dangerous.
     
    Last edited: Jun 19, 2018
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,153
    Location:
    Hawaii
    HIPS = Host-based Intrusion Protection System. HIPS have dropped out of favor because they make you actually stop & think.

    @ trott3r- The picture I showed above is the HIPS component of PrivateFW (PFW), free at HERE -- its home base. The HIPS component is labelled "Process Monitor" on PFW's GUI. To view the list I have shown above, I right clicked any one of my computer's processes listed on the Process Monitor, & then I clicked on "Custom Rules". That Custom Rules list is PFW's HIPS.

    Over & above PFW's HIPS & firewall abilities, it has a rather odd but powerful component that looks like this...
[attached image: ScreenHunter_01 Jun. 19 09.52.gif]

That panel used to be a stand-alone called Dynamic Security Agent. It enables me to train PFW so that it knows some stuff about the idiosyncrasies of each & every process on my computer, such as how much cpu each process *normally* uses, & its normal thread count. PFW lets me set a flag as to how big a percentage deviation from *normal* should cause it to alert me. In the picture above, PFW is set to alert at a deviation of 60% or more.

    On this same panel, PFW also lets me view Parent & Process lists so that I can mess with allowing or disallowing access. (I have never felt competent to mess with PFW's settings here.) Finally PFW monitors email volume, sets norms, & tells me about major deviations. (I have never enabled that aspect of PFW's monitoring.)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    @ act8192 - Ah yes, OA (Online Armor) & SSM (System Safety Monitor) -- great HIPS they were. I still have a copy of SSM stuck away somewhere on my desktop computer. Also Dr. Solomon & a VERY old copy of Mcafee AV.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    @ ITman -- still more words but no answers. Ah well, I see you do not worship in the temple of oldies but goodies. As I recall, PFW's last full version issuance was sometime in 2008-09. That's not exactly ancient (I, on the other hand, AM ancient. 87 that is.)

PFW is not a rebagged version of Dynamic Security Agent (DSA). PFW includes DSA as a tab, which I pictured above. PFW's HIPS component was never a part of DSA, and the FW portion of PFW is much improved & configurable, versus the invisible but competent FW included in DSA.

    I get it... you are an IT & know a lot more than me & you are not a fan of PFW. No problem. Actually, I wish I could find something as light & friendly as PFW, with a HIPS, but I don't want to pay the excessive price demanded by SpyShelter, & Comodo's FW with D+ is simply too manipulative in installing unwanted stuff even though I was careful to uncheck that stuff during installation of the FW. In any event, my main *SECURITY* app is not a FW nor is it an AV. It is AOMEI. With AOMEI -- not a cough in a carload... & Bob's your uncle.

    Aloha to all from Hawaii,
    Bellissimo
     
    Last edited: Jun 19, 2018
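The per-process "normal vs. deviation" alerting described in the post above, as an added illustration in Python; this is not PFW or DSA code, and the process names, sample values and 60% threshold are constructed to match the post's description.

```python
"""Added example (not PFW/DSA code): learn each process's normal CPU
percentage and thread count from training samples, then alert when a new
sample deviates from that norm by 60% or more. All data is constructed."""
from collections import defaultdict
from statistics import mean

DEVIATION_THRESHOLD = 0.60   # alert at >= 60% deviation from the learned norm

class ProcessBaseline:
    def __init__(self, threshold=DEVIATION_THRESHOLD):
        self.threshold = threshold
        self._samples = defaultdict(list)   # name -> [(cpu_pct, threads), ...]
        self.baseline = {}                  # name -> {"cpu": x, "threads": y}

    def train(self, name, cpu_pct, threads):
        """Record one observation of a process while it is behaving normally."""
        self._samples[name].append((cpu_pct, threads))

    def finalize(self):
        """Turn the collected samples into a per-process norm (arithmetic mean)."""
        for name, rows in self._samples.items():
            self.baseline[name] = {
                "cpu": mean(r[0] for r in rows),
                "threads": mean(r[1] for r in rows),
            }

    @staticmethod
    def _deviation(observed, normal):
        # Relative deviation; a norm of 0 makes any non-zero observation a 100% deviation.
        if normal == 0:
            return 0.0 if observed == 0 else 1.0
        return abs(observed - normal) / normal

    def check(self, name, cpu_pct, threads):
        """Return alert strings for this sample (empty list if within the norm).
        A process with no baseline is reported as unknown rather than silently ignored."""
        norm = self.baseline.get(name)
        if norm is None:
            return [f"{name}: no baseline, treat as unknown process"]
        alerts = []
        for label, observed, normal in (("cpu", cpu_pct, norm["cpu"]),
                                        ("threads", threads, norm["threads"])):
            dev = self._deviation(observed, normal)
            if dev >= self.threshold:
                alerts.append(f"{name}: {label} {observed} deviates "
                              f"{dev:.0%} from normal {normal:.1f}")
        return alerts
```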
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,768
    Location:
    U.S.A.
    Emsisoft has changed a lot of things in the recent versions but I believe you can still create custom application rules. The thing to note is the monitoring options are by potential malicious behavior which is the correct way to do so these days:

[attached image: Emsisoft_Rules.png]
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,768
    Location:
    U.S.A.
    There is also ReHIPS that a lot of Wilders folks liked. The current ver. is however $50 - ouch: https://rehips.com/en/

    Appears the prior free ver. is also still available: https://rehips.com/ReHIPSSetup 2.2.0.zip
     
  11. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,808
    Location:
    Europe then Asia
Just for info, ReHIPS isn't a HIPS, it is a sandbox app with an Application Control module.

Closest thing to Geswall.
     
    Last edited: Jun 19, 2018
  12. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    10,715
    Location:
    UK
    That screenshot was from the Emsi firewall by the way which is no longer available.
The latest EAM versions do not have all those options available under Behaviour Blocking > Application Rules.
    The Application Rules allow you to either Trust or Block a selected file.
     
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,734
    Location:
    Poland - Cracow
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,229
    Location:
    Canada
    Hi bellgamin,

I'm afraid you're making things far too difficult on yourself with an all-out HIPS. You'll spend more time toying with it trying to find the "perfect balance" between security and usability than you will just simply enjoying running the programs you use. I've gone down that road before rather extensively, before I came to my senses and realized they're a waste of time. A basic anti-executable is okay, even monitoring DLLs such as what AppLocker can do, but that's the most I'd recommend trying to control. If you choose to install whatever programs on your O/S, then it's probably wise to simply allow them to run unfettered, as long as you don't install crapware. If you're still using Win XP, then please do yourself a huge favor and ditch it for something more modern, or even a beginner's Linux distro.
     
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,808
    Location:
    Europe then Asia
    +1 with @wat0114

    1- check the downloaded file hash with the hash mentioned in the vendor site.
    2- check it in VT.
    3- install it if clean.

    then forget HIPS' crap and use SRP or anti-exe.

I can't agree more; unless you live in a 3rd world country running Intel Pentium 2-3 machines, there is no reason to use XP.
     
    Last edited: Jun 21, 2018
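Step 1 of the procedure above (comparing the downloaded file's hash with the one the vendor publishes), as an added Python example that is not from any tool in this thread. It accepts the formats vendors commonly publish (upper or lower case, a "SHA256:" label, sha256sum-style "hash  filename" lines), hashes the file in chunks, compares in constant time, and flags a match as weak when the vendor only publishes MD5 or SHA-1. The installer bytes, file name and vendor text are constructed.

```python
"""Added example: verify a downloaded installer against a vendor-published
hash. Not code from PFW or any product in the thread; inputs are constructed."""
import hashlib
import hmac
import re
import tempfile

ALGOS_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"\b([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\b")

def parse_vendor_hash(text):
    """Return (algorithm, lowercase hex digest) found in vendor text, else ValueError."""
    m = _HEX.search(text)
    if not m:
        raise ValueError("no MD5/SHA-1/SHA-256 digest found in vendor text")
    digest = m.group(1).lower()
    return ALGOS_BY_HEX_LEN[len(digest)], digest

def hash_file(path, algo):
    """Hash a file in 1 MiB chunks so large installers need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, vendor_text):
    """Return (ok, algo, note). ok is True only when the digests match;
    MD5/SHA-1 matches are still reported as weak since collisions are practical."""
    algo, expected = parse_vendor_hash(vendor_text)
    actual = hash_file(path, algo)
    ok = hmac.compare_digest(actual, expected)   # constant-time comparison
    note = "ok" if ok else "MISMATCH: do not install"
    if ok and algo != "sha256":
        note = f"match, but vendor only publishes {algo}; prefer a SHA-256 value"
    return ok, algo, note

def demo():
    """Constructed installer bytes in temp files; returns results for a good and a tampered copy."""
    data = b"constructed installer bytes, not a real program\n"
    vendor_text = hashlib.sha256(data).hexdigest().upper() + "  installer-setup.exe"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        good = f.name
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data + b"X")   # one extra byte: the download was altered
        bad = f.name
    return verify_download(good, vendor_text), verify_download(bad, vendor_text)
```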
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,890
    Location:
    The Netherlands
    It's very simple, just about ALL of those behaviors can be used by malware, but there are certain ones that may trigger too many alerts from trusted apps. For example, "open threads" and "open processes" are quite common and there is no way to know if it's going to be used maliciously or not.

    I believe he thinks it's fun, but I know what you mean. To me, HIPS should not be monitoring everything, only the most important stuff. For example, I often get alerts about certain registry keys being modified, without knowing just how risky it may or may not be, so it's pointless to monitor them.
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,153
    Location:
    Hawaii
You are right... mostly. Online Armor's HIPS was fun. So was System Safety Monitor's. PrivateFW's is still easy/fun to configure, & tames reasonably fast. But NOT the HIPS in ComodoFW or SpyShelterFW. If one has the patience & smarts to fully & skillfully configure those two HIPS, then he or she is waaay ahead of me.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,890
    Location:
    The Netherlands
    To clarify, I don't think it's fun having to respond to zillions of alerts, but I do think it's fun to have full control over app behavior. I tried to run without HIPS for 3 months but I felt insecure. SpyShelter is actually not that difficult to manage, but if it's too overwhelming, you should run it in "Auto Allow" mode which will make auto rules for signed processes from trusted companies.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,153
    Location:
    Hawaii
    Actually I only gave SS a 10 minute trial because matters arose that demanded my attention & I just never got back to figuring out SS.

    In the past ~5 years I have had just 4 infections. Three were quickly detected by AdInf, a simple file integrity checker, & the other was spotted by Herd Protect. All 4 were quickly remedied by restoring a clean image. Even so, like you, I feel more secure with a good HIPS in place. I shall give SS a more extensive trial. Thanks for the suggestion.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,890
    Location:
    The Netherlands
    But weren't you bothered by the high price? And BTW, I was thinking that perhaps you should go for auto-blocking solutions. For example, tools like HMPA, AppCheck, SimpleWall and KeyScrambler. These tools will automatically block ransomware, keyloggers, and banking trojans.
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,153
    Location:
    Hawaii
Yes, their price is high. When they first began selling SS the price was quite a bit less, as I recall. I suppose they were hoping for a mass market. When the mass market didn't materialize, they raised the price to what a niche market (security experts & hobbyists) would pay. SS : BMW :: ZoneAlarmFW : Yugo.

    I am now running Webroot Safe Anywhere (WSA) on one of my laptops. With WSA + EXE Radar PRO + OSArmor I should be just fine (I keep telling myself). ;)
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,890
    Location:
    The Netherlands
    I guess so, but I still think that sometimes you can make more money by offering stuff at a lower price, I doubt they made the right decision. At this price point I wouldn't buy a yearly license, especially because it needs to be improved a lot.
     
  23. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,808
    Location:
    Europe then Asia
    HIPS are dead, don't waste money on them.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,890
    Location:
    The Netherlands
    Depends on the user of course, it was never a huge market anyway.
     
  25. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,153
    Location:
    Hawaii
    Not dead for Comodo, SpyShelter, & NOD32. Besides, there is no way to waste money on Comodo's HIPS adjunct -- it's free.
     