Discussion in 'other anti-malware software' started by cupez80, Aug 7, 2007.
What HIPS are equal to or more powerful than Kaspersky PDM?
Just visit this page and you will get better information on this.
In my opinion, those HIPS using *similar* techniques as PDM, which are equal to or greater than PDM, are (in no particular order)...
System Security Monitor
Which one is better?
HUMAN MIND (common sense)
Yeah, that's true.
Why choose? If one is good, two is better, three is best! Without going into 'philosophy' about layers, it is plain common sense: you need a backup HIPS, and a backup for that backup, and a backup for that backup for that backup.
That's what many of our most experienced posters like Bellgamin and Easter do.
I like ProSecurity, but you gotta try 'em all and see which runs best on your machine.
The one you like and your system likes!
Lusher, that is not true in my case, plus it is pointedly insulting! With all your potentially helpful background, why turn into a trouble-maker?
I use ONLY one HIPS on any given image, plus DSA (as a firewall).
I'll try them one by one.
Isn't DSA actually a HIPS, so why do you need another app too?
DSA is a hybrid security app, providing a combination of firewall & behavior blocker capabilities.
As a firewall, DSA makes ports invisible to port scans and protects against unauthorized entry the same as a dedicated firewall. DSA contains a layer-3 firewall using Stateful Packet Inspection (SPI) technology running in the background. DSA also provides protection for the TCP, UDP, and ICMP protocols.
If the user already has a firewall installed, DSA will detect that fact and will NOT activate its own firewall capabilities.
In addition to firewall capabilities, DSA has 3 behavior-blocker modules: System Anomalies, Email Anomalies, & Process Detection. Each of the 3 modules can be independently enabled or not enabled, at the user's option. DSA's Process Detection module basically duplicates protection offered by SSM, OA, & PS. DSA's two *anomaly* modules are non-duplicative.
IMO -- when used & configured properly, DSA is a useful hybrid that plays nicely & can strengthen most any security set-up. I mainly use it as a firewall, but I do keep the System Anomalies module active, with sensitivity set to ignore all but very extreme deviations from norms established by DSA's training period.
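The stateful packet inspection behaviour described in the post above (ports look closed to a scan because only replies to flows the host itself opened are admitted) can be illustrated with a small state-table simulation. This is an added example, not DSA's code nor any poster's; the `Packet` and `StatefulFilter` names, the `run_sample` helper and all addresses and ports are constructed for the illustration.

```python
"""Minimal stateful packet-inspection (SPI) simulation (added example).

Models the rule the post describes: outbound flows create state, inbound
packets are admitted only when they match that state, and unsolicited
inbound packets (such as scan probes) are silently dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "out" = leaving the host, "in" = arriving at the host
    syn: bool = False  # TCP SYN flag (only meaningful when proto == "tcp")


class StatefulFilter:
    """Tracks flows the host opened; every other inbound packet is dropped."""

    def __init__(self, host_ip: str):
        self.host_ip = host_ip
        # state entries keyed (proto, local_ip, local_port, remote_ip, remote_port)
        self.table: set = set()

    def _key(self, pkt: Packet):
        # Normalise both directions to the same (local, remote) key.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if pkt.direction == "out":
            if key in self.table:
                return "allow"        # packet of an already tracked flow
            if pkt.proto == "tcp" and not pkt.syn:
                return "drop"         # mid-stream TCP segment with no state
            self.table.add(key)       # new flow initiated by the host
            return "allow"
        if key in self.table:
            return "allow"            # reply to a flow the host started
        return "drop"                 # unsolicited inbound, e.g. a scan probe


def run_sample() -> list:
    """Feed a constructed packet sequence through the filter; return verdicts."""
    fw = StatefulFilter("192.0.2.10")   # constructed host address
    host = fw.host_ip
    events = [
        # host opens an HTTP connection; the server's SYN/ACK is admitted
        Packet("tcp", host, 51000, "198.51.100.5", 80, "out", syn=True),
        Packet("tcp", "198.51.100.5", 80, host, 51000, "in", syn=True),
        # unsolicited SYN to port 445 from elsewhere: looks closed to the scanner
        Packet("tcp", "203.0.113.7", 40000, host, 445, "in", syn=True),
        # DNS query and its reply
        Packet("udp", host, 53000, "198.51.100.53", 53, "out"),
        Packet("udp", "198.51.100.53", 53, host, 53000, "in"),
        # UDP from a different peer to the same local port: no matching state
        Packet("udp", "203.0.113.7", 9999, host, 53000, "in"),
        # outbound TCP data with no prior SYN: no state, so dropped
        Packet("tcp", host, 52000, "198.51.100.5", 443, "out"),
    ]
    return [fw.decide(p) for p in events]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The point the simulation makes is the one the post relies on: a stateful filter needs no per-port rules to hide ports from a scan, because inbound packets without a matching host-initiated flow never reach the application regardless of which port they target.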
You're correct. I tried it & it works. DSA seems to act as a firewall. It makes a very compact setup.
Bellgamin's recent DSA post has me installing it again. I always did like it and still do, even though it consumes more time to set the prompts than I like, but I don't mind the trade-off of extra time for more secure protection.
I'd like to see them sharpen it even more, though; it's quite a nice addition.
A troublemaker for pointing out the truth?
Hmm, I don't know why you are so angry when I point out you use two HIPS. It's true that DSA has some firewalling capability, but its main purpose is still that of what we call HIPS. After all, the real firewall is Privatefirewall....
Exactly. The fact that they are non-duplicative (for the sake of argument) does not mean they are not HIPS....
You are essentially using HIPS functions of A and HIPS functions of B, and they don't overlap (or so you claim). Still sounds to me that you are using 2 HIPS!
If I have 2 cars, each with different features, would I still have 2 cars? You betcha!
So you do use two HIPS; I'm not sure why you want to deny that.
You want to argue about how your use of 2 HIPS is okay because they are "non-duplicative"? Go ahead, that's another argument altogether.
I mean, I could run ProSecurity and Online Armor and turn off features that are "duplicative" (I think some do that), so does that mean they are not using 2 HIPS?
I'm not sure what makes DSA so special when you use it; it's not HIPS? Just because it has firewall functions doesn't make it not a HIPS...
The only things special about DSA is that its internal ruleset is locked and completely untweakable, it comes with a firewall that is almost as inconfigurable as its HIPS component and cannot be turned off, and it comes with two anomaly monitors that I've yet to see prove to be of any use against a piece of actual malware (I can imagine the email anomaly monitor to be theoretically effective against mass mailers though, but not at preventing them from infecting your system).
DSA's simplicity is its own weakness. Locking the ruleset means it's already pre-configured for newbies, yet it means you cannot remedy some glaring omissions in the ruleset. Users only have a choice between entirely trusting or quarantining a program. One VERY annoying quirk about DSA is that if I want to block a program from connecting to the Internet, I have to quarantine it and cripple it from performing almost every other function - this wouldn't be so bad if the firewall part could be turned off. Last but not least, a firewall that filters only by application is an absolute nightmare for me. DSA is fine for newbies who don't like to configure their programs, but if you need to tweak its controls in any way, it just takes every possible opportunity to trip you up.
I can't really answer all that, but as a researcher/user who has not only used 2 HIPS together without problem, but at one point in time 3! I prefer, if it's possible, for my HIPS (preferably only one) to cover the ENTIRE SSDT table with its hooks, unhookable.
DSA, EQSecure, ProSecurity, and likely others, if I remember correctly, cover a certain number of positions with their security drivers in that table, whereas I do know SSM hooks nearly all of those positions.
Is that needed? Is only a choice few adequate? Someone tell me.
Until you can find an exploit that bypasses your security program, and if you're likely to be vulnerable to that exploit one way or another, yes, only a choice few is adequate.
Given a choice between a HIPS that hooks only some and one that hooks a lot more or even all, the choice seems obvious to me.
The problem is, what does it mean, or what implications are there?
Unless you fully understand that, talks like these are merely obscure theory that intimidate people who don't understand them. On several forums I visit there were newbies who were concerned why their HIPS programs didn't stop ANI exploits, or that their antivirus software couldn't clean files in archives or had to reboot to delete trojans because they were running in memory at that time. Silly, and a waste of time.
Please keep the discussion centered on technical points, there are plenty of them out there if you choose to pursue them. If this thread continues along the current lines, it will be closed without further notice.
True, but a workaround is to use the program file from the Privatefirewall demo to tweak the DSA settings.
Start the Windows firewall when you install and the firewall component won't be activated.
Not true. Set "Require user approval for each alert" and you can deny network access w/o blocking other actions.
Before we wander off too far in discussions of DSA, let me make clear that I replied to OP's request for HIPS suggestions by listing just the following four apps: OnlineArmor, System Security Monitor, ProSecurity, EQSec
I recommended those four because they provide broad-scope coverage -- the so-called "classical HIPS." I did not include DSA in that list because it is a specialized/hybrid security app -- not broad-scope like those I recommended. I subsequently mentioned DSA only to respond to post #8.
TWIMC, I presently use 3 separate image sets that include (respectively): (1) SSM + DSA, (2) ProSec + DSA, (3) OnlineArmor (has its own integral firewall). I have not personally used EQSec but included it in my list because of excellent reviews & tutorials provided here at Wilders by Kees & others.
To repeat my earlier comment, I use DSA as a firewall. True, it is untweakable as such, except as noted by Espresso. If one wants DSA's protection to be more tweakable, then s/he should use non-free Private Firewall -- the proponent of DSA.
As for me, I prefer to use DSA as set-&-forget firewall purely as a supplement to inbound control by my NAT router, & outbound control by ProSec & SSM, on their respective images.
By the way, there are some interesting discussions in Wilder's "Other Firewalls" forum as to the necessity for having ANY full-featured software firewall when a router &/or full-scope HIPS is present. A few examples: Hither, Thither, Yon, & there, PLUS alternatives to a firewall, & SSM et al without a firewall, & lastly SSM w/o firewall rides again.
As to DSA functioning as a firewall, please see Wilder's "Other Firewalls" forum threads at: here, & especially HERE -- in the latter, don't miss the comments by ciannicello (Chris Iannicello), Product Manager for Dynamic Security Agent.
As to various aspects of the effectiveness of DSA as a firewall & other capabilities, see tests by Matousec & nicM.
By the way -- some security "suites" (such as KIS) incorporate HIPS capabilities alongside SEVERAL other security modules. That doesn't render KIS as a "HIPS app" any more than is the case with DSA or Comodo or OnlineArmor or Safe'n'Secure or CoreForce, all of which have HIPS modules in conjunction with firewall modules &/or AV modules & (in OA's case) anti-spam & other various modules.
Thus, (for example) using Comodo with (say) SSM does not constitute using multiple HIPS unless one neglects to disable Comodo's HIPS module. So also DSA & so also OA & so also others in similar category. And (for example) using OA AV+ with (say) DrWeb does not constitute using multiple AVs unless one neglects to disable OA's AV module.
BOTTOM LINE- It is needful & helpful to occasionally call to attention the fact that using multiple firewalls, multiple AVs, or multiple HIPS can cause conflicts & instability. However, I believe this can & should be done without the use of sarcasm and personal insults, as was the case with earlier comments.