HIPS, Rootkits, and other intrusions

Discussion in 'other anti-virus software' started by John Bull, Jun 16, 2010.

Thread Status:
Not open for further replies.
  1. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I am not wishing to go through all the pros and cons of different AV systems - I know about most of them and the subject has been torn to pieces.

    What I want is an answer from people who have had experience with various AV programs - a kind of bar-room chat between experts.

    Until recently, I used Comodo IS-v3 with no problems, then when v4 came along the Firewall failed 5 times. I dumped it and went for AVG9 with Comodo-Pro Firewall. It all works fine, my system is clean and none of my security programs pick anything up.

    I have done my homework on the net and get much wimping that HIPS and Rootkit protection is not covered in AVG. Well, as far as I can see, it is not.

    I ask you, what AV system covers all threats? Answer = NONE! So we have to compromise.

    The reason I chose AVG is that it has AV, Anti-Spyware, Resident Shield, Link Scanner AND Email Scanner.

    I must have an Email scanner, so that is the primary reason for AVG.

    Other AV programs? I know what they offer, but to install them in lieu of my AVG I would lose too much.

    As I use Sandboxie and confine all these creepy-crawlies to a stockade that I delete on log-off - what the hell does it matter about HIPS, key-loggers or Rootkit threats? They all get the elbow on shutdown.

    I once ran a Rootkit detection program (BitDefender) and what happened? It listed 8 essential Comodo files as threats! Not a lot of use, eh? If these Rootkit threat detectors cannot tell the good from the bad and the ugly, they are a waste of time.

    My purpose in asking Wilders this question is one of friendly discussion instead of having to rely on the hotch-potch information listed on the net.

    A kind of bar room chat without the beer.

    John B
     
    Last edited: Jun 16, 2010
  2. Matthijs5nl

    Matthijs5nl Guest

    All antiviruses do cover anti-rootkit protection, except for AVG Free. (Keep in mind 64-bit operating systems are not vulnerable to rootkits now anyway (they might be in the future).)

    In general antiviruses do cover everything; malware is malware. If your PC is clean you don't need any anti-keylogger or anything, since your PC is clean. But it is indeed true that antiviruses have problems with specific types of malware, mostly the crimeware/scareware/rogueware kind of stuff. That is why you need a layered setup (i.e. different types of protection: HIPS and antivirus, or sandboxing and antivirus, or just brains and antivirus) or a second opinion. But most offer great protection against worms and trojans and others, and there are also enough antiviruses which have great anti-rootkit protection.

    About the email scanner: if an antivirus doesn't have an email scanner, it doesn't mean all attachments can infect you; they will get picked up by the normal file/system protection. An email scanner is just a way of picking malware up earlier in the process.

    Also, HIPS ain't a type of malware; on the contrary, it is a system to protect you: Host-based Intrusion Prevention System. If you have some knowledge about computers and so on, a HIPS is a good option to use as a layer in your security setup.

    Next to that, Windows, especially Windows 7, has great built-in protection mechanisms you can use as a layer (DEP, SEHOP, UAC, Windows Firewall, Windows Defender, SmartScreen filter). Also a modern router adds to your level of protection. But most important is of course some common sense: keep your PC up to date, avoid risky websites, use reliable download sites, don't click on strange ads, don't open attachments from unknown sources.

    Seriously, with the combination of an up-to-date PC, common sense, AVG Free and Sandboxie you have great protection against all types of malware.
     
  3. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Many complex trojans and especially rootkits can bypass the AVs, even if they have some anti-rootkit feature. For this reason a real protection needs to be multi-layered, and the HIPS is the main - but not the only - component of this.
     
  4. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Matthijs5nl, what an excellent reply.

    I have Windows 2002 XP Home with SP3 and use Firefox 3.6.3, AVG9, Comodo Firewall Pro and SpywareBlaster for on-line protection.

    I also have off-line security programs which I use regularly, some daily. Usual things like MBAM, a-squared Anti-Malware, a-squared HiJackFree, Microsoft Malicious Software Removal Tool.

    I now rely heavily on Sandboxie to stop spurious threats outside of these security programs.

    John B
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Depends on your 'peace of mind'. You can have all the Windows built-in security you like, but if you think something gave you the slip, it'll bother you every time you boot your system up.

    With Sandboxie you're fine, depending on how often you install files etc.

    Personally, I've always liked Mamutu, and running it with an AV, I feel as safe as I would with a sandboxed browser, but with slightly more convenience.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Avast Home offers more features than AVG in my opinion. It even beats it in shields and has tested as a better AV in recent years.

    It uses GMER for rootkit detection, offers a boot-time scan, screensaver scan, heuristics, password-protected settings and so much detail in configuration (like read/write/both exclusions for each shield) that even I'm surprised it's freeware.

    Highly recommend it to everyone who's interested.
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    John, if you learn Sandboxie well it will make a good team with any AV you use. I think AVG is about the worst you can choose for an antivirus, but Sandboxie is so good that it won't matter if AVG is your choice. You said you feel comfortable using AVG, so if I were you I'd keep it, but make sure you learn the sandbox.

    Bo
     
  8. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,122
    Location:
    Pennsylvania.
    With proper restrictions on Sandboxie and auto-deleting when exiting, it's pretty darn powerful. I would have an AV installed just to scan files you download, just to be on the safe side.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Cheater87, I use Sandboxie like you, my friend, with only FF allowed to run/start and have internet access. Like you I also use NoScript. It makes a good team mate for Sandboxie.

    Bo
     
  10. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Some of the anti-rootkit tools have been useful to me for manually cleaning the machines of friends and family members. One in particular would be Online Solutions Autorun Manager. Though it is not necessarily a dedicated ARK tool, it works like one. It comes in handy when a file is detected but not able to be removed by the blacklist AV's cleaning routines.

    As far as email protection goes, it used to be relevant to me because I used Outlook, but I have since switched to web-based mail. For me there was no reason to store email on my machine when my mail service's servers are way more secure and are backed up too. This also eliminates the need for me to have my email scanned by a local AV. Any files or attachments I want to save are scanned by my real-time scanner, and in case one is malicious and not detected, I use an anti-executable to prevent any damage.

    BTW, MBRGuard from Blue Ridge Networks would be a useful addition for you and will protect you against any current MBR-based rootkits.
     