HIPS versus Anti-Executable

Discussion in 'other anti-malware software' started by ssj100, Aug 22, 2009.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Further to what Rmus said about wscript.exe

    Here's how I've disabled it, but you have to be quick in renaming both.

     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Another way to control the script engine is to use Registry Files to toggle Enable-Disable:

    Disable:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
    "Enabled"=dword:00000000

    Enable:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
    "Enabled"=dword:00000001

    ----
    rich
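    The two .reg files above write a single DWORD under HKLM. As an added example (not Rmus's code), the PowerShell below audits that value in both the machine-wide key and the per-user HKCU key, which can also carry an Enabled value, and offers the same toggle without importing a .reg file. Function names are my own; run it from an elevated prompt, since the HKLM key needs admin rights to change.

```powershell
# Added example: audit and toggle the Windows Script Host "Enabled" value.
# The .reg files in the post only touch the HKLM key; the HKCU key is checked
# too so a per-user setting does not go unnoticed during an audit.

$WshSettingsPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',  # machine-wide (what the .reg files set)
    'HKCU:\Software\Microsoft\Windows Script Host\Settings'   # per-user, may also hold "Enabled"
)

function Get-WshStatus {
    # One row per hive: is the value present, and does it disable WSH?
    foreach ($path in $WshSettingsPaths) {
        $value = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state = if ($null -eq $value) { 'not set (WSH enabled by default)' }
                 elseif ($value -eq 0) { 'DISABLED' }
                 else                  { 'enabled' }
        [pscustomobject]@{ Hive = $path; Enabled = $value; State = $state }
    }
}

function Set-WshEnabled {
    # Same effect as importing the Disable (0) or Enable (1) .reg file:
    # writes the DWORD into the machine-wide key, creating the key if needed.
    param([Parameter(Mandatory)][bool]$Enabled)
    $path = $WshSettingsPaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name Enabled -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

# Audit only by default; uncomment the next line to disable WSH machine-wide.
# Set-WshEnabled -Enabled $false
Get-WshStatus | Format-Table -AutoSize
```

    After disabling, launching wscript.exe or cscript.exe reports that Windows Script Host access is disabled on this machine, which is a quick way to confirm the setting took effect.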
     
  3. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Hey Rich,

    Do you think it would be a good idea to block the actions of scrobj.dll?

    Thanks,
    Toby
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Sorry, I don't know what that is.

    ----
    rich
     
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So conversely I could just disable autorun.inf and I will not have to worry about U3 smart drives or anything else?

    Is it possible for malware to hide itself on the USB drive so that I can't see it, even if autorun.inf is disabled? What if the malware had infected one of the non-malware files on the drive? And I then run the "clean" file. I assume that I will get infected, right?
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So which are the scripts that should be disabled? Will there be any loss of functionality in disabling scripts?
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Ah ok. I don't have those problems, as I share or believe in noone_particular's particular philosophy.

    It ultimately boils down to the user's preferences, situations and needs. Using HIPS entails a lot of the user's patience and time, and willingness to learn. A better alternative like this anti-executable or LUA-SRP will suit them better. Update us on how this goes along. I might try this in the future.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That would seem to be the case.

    If your Windows configurations are set to display hidden files/folders, then no.

    Sounds logical.

    ----
    rich
     
  9. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I mean, Noone_particular and I are totally free from the vicious 'update' cycle of software, including the operating system. We no longer need those patches or updates that further add complexities, which add more holes to be patched.

    Nice to hear it goes along very well. As you have said, if there are simpler ways of achieving the same ends, why not choose the simpler one.
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I think at this point in time, much software has fully matured already. Much of the updates are really patching some bugs and vulnerabilities, adding some eye flavor etc., not much in added functionality. I don't need some cloud computing, etc. You have heard of old-version firewalls that withstood the test of time; adding HIPS further adds more protection. I also have buffer overflow protections in place.
    Btw, I rarely use Firefox as I find it sluggish. I often use the old-version browser with lots of multiple vulnerabilities published, but still I find it more stable; those vulnerabilities didn't scare me from using it.

    What more features do I really need? A browser is just a browser to me. What I do on the computer is mostly browsing, multimedia and using some office applications. Most of the functionality that is added I don't use or will never use. If I deem it fit to upgrade, I do so with not much hassle. A few notable exceptions include Sandboxie, for which every release is much more stable, hardened and faster in an ever smaller size. For now, the added features in most applications are all eye candy to me and most are really just bug fixes or pure bloat. 'The simpler it is, the more stable and faster' is my credo. With that I might try your set-up with those added tweaks you suggested one of these days.
     
    Last edited: Aug 23, 2009
  11. thathagat

    thathagat Guest

    well........
    1. HIPS tell you when a trusted programme is changed; I doubt AE does that.
    2. HIPS today offer verification of files through options like OASIS/Defense net/OP improvenet; I doubt AE can do likewise.
    3. HIPS have install mode/learning mode; I doubt AE has them.
    4. AE has an effective allow/deny function, so whatever executes you are aware of and in control, but so do HIPS, and they offer the option of allowing once/blocking once/making rules, which offers much tighter control than the white/black list of AE.
    5. HIPS use SHA-256/MD5 verification from the server side; I don't know that AE can do that....
     
  12. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    The more the merrier sadly isn't true for securing a PC. Wilders these days is awash with paeans of SBIE/HIPS/BB/cloudies and what not; this layered business has really got stuck, so that many now have 2-3 BB/AS etc. Just having a good AV, e.g. Avira, a pure simple firewall like Kerio 2.15 and, if desired, something like TF/Mamutu is more than enough. So much for AE/HIPS.
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    My guess is he didn't recommend it because for some people it would be a counterproductive setup. Some people use the command prompt for useful things. I do. I would certainly not want to disable it.

    But for someone who doesn't need scripts or cmd.exe for anything, sure, you could block them. If your anti-executable (that word annoys me for some reason - perhaps because it sounds like it considers executables to be something bad, which is quite an "interesting" view on things) allows for a decent level of configuration, you could simply block it all, for example wscript.exe and cscript.exe for Windows Scripting Host, and shscrap.dll for those boring shell scrap files. That way, your anti-executable could be used to very effectively block a whole lot of scripts. That is, if you don't want to use the other methods to do this.

    There is no 100 % security in any scenario where users actually have to do diverse and complex tasks with a general purpose computer system (such as occasionally copy new programs on the system and then execute them - for example, a Firefox update). There simply isn't. 100 % security would require a perfectly flawless system, and so far no complex thing made by humans has been flawless. What exists is "good enough" and "close enough." So there's really no point in all the "Is this 100 %?" questions that we so often see. The answer is always "No, it's not 100 %, but for your needs, it may well be close enough or even too much." That's pretty much all there is to it. That may sound like one of them "philosophical" arguments, but I assure you it's not. Software has flaws, vulnerabilities get exploited, bad things happen. If one falls into believing they're somehow 100 % safe, that only makes it easier for people who want bad things to happen to make them happen - a false sense of security. Still, even in such a case it might still be very hard to make those bad things happen, which is of course the goal - "good enough" security that does not damage usability too much.

    As for HIPS vs AE? In my personal view, sometimes simpler is better. If I had to choose between those two and had no other choice, then I'd go with AE. Lighter, fewer stability problems, and fewer questions. On the other hand, if you regularly execute applications that you really don't trust and consider suspicious and believe you need to constantly watch what they do, then HIPS would certainly be for you. Me, though, I'd sooner just avoid executing stuff that I don't trust.
     
  14. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Thanks for posting this reply, seriously.

    SSJ has a mission of achieving 100% security, and it is quite laughable in an attempt to achieve something that's not attainable in computer security :argh:
     
  15. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    You're welcome. I'm just pointing out the obvious, which is pretty much all I ever do. I should change my forum name to Captain Obvious, but I figured that would be taken and the rank would be wrong, too, so... :D

    I'd still say no. 100 % in theory? That depends on whether it's a poor theory or a good one. A poor theory would assume some kind of perfect world, where no vulnerabilities exist, in which case 100 % would be possible. On the other hand, if the theory assumes a perfect world, then no security measures are needed at all, because no-one will be bad. But then, this is poor theory. A good one would assume that vulnerabilities happen because humans have been observed to be imperfect, and then 100 % would be impossible in theory as well as practice. So, that's basically where it goes... In theory 100 % is impossible because in theory humans are not perfect, so some vulnerabilities happen. In practice, 100 % is impossible as well as ridiculous because humans are not only imperfect but just blatantly incompetent and sloppy quite often, so loads of vulnerabilities happen instead of just "some".

    Or in other words, the options are: 1) 100 % is impossible in theory and in practice, when the theory is based on scientific empirical observations. 2) 100 % is impossible in practice but possible in theory, when the theory is based on vivid imagination and ideas instead of reality - in other words, when the theory is stupid.

    I think looking for a lighter, cheaper and less bothersome but still reasonably secure setup is always a good goal. :thumb: I myself highly appreciate light setups that may not provide vast levels of control on which Windows DLLs my trusted programs can load at any given time, but consume little CPU time or memory and waste little time grinding my HDDs and cost nothing and introduce no new and potentially vulnerable code into the system which I intend to use for productive purposes instead of messing around with random software. It's not for everyone, but neither are HIPS products or mountain climbing. Whatever works for you, as they say. I think searching for and experimenting with setups that don't involve HIPS is a perfectly decent thing to do. It may lead you to a setup that is better for you, and increases productivity and enjoyment.

    One can argue levels of security endlessly, but we should ask ourselves, does it really matter whether security setup X offers exactly the same level of security as setup Y or if it's worse or better, if both offer a reasonable level of security that is enough for our needs? The most important thing to anyone should be that the level of security is reasonable to them, not whether something else offers eeeeven better, but at a larger cost. :) But Windows security discussions have an unfortunate habit of gravitating towards paranoia and extremes and it's easy to get caught up in that. Something like: "Oh no, my HIPS fails this Zubutu-zabutu leaktest that first has to get on my system, then get executed with admin privileges, and only then can it root my system. Oh no, oh no, I need to switch to another HIPS that doesn't fail this Zubutu-zabutu leaktest. And when it fails the next test called Xibutu-xobutu, I have to change again. Is there no security??!!11!?" That kind of thinking is what is laughable, if one wants to use that word. Security is not 100 % impenetrable security software, it is an ongoing process with a critically important human element. Sure, one is entitled to having hobbies, and it's an entirely valid hobby to switch security software every month in search of the one that fails the least in all kinds of leaktests - but no-one should call this some kind of requisite of "security", it's just "playing around" instead. If someone mocks others for not using a HIPS, consider carefully whether that's the kind of person you should be taking any advice from. On the other hand, if someone calls a quest for 100 % security laughable, they may not be extremely polite, but they are still 100 % correct... ;)
     
  16. thathagat

    thathagat Guest

    ummm... I see a new thread title there ;)
    Well, so user discretion is paramount, right? Then HIPS provide better information about the unknowns, and I doubt anyone would intentionally install known malware :D
     
  17. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I'm not surprised at all. After a few people have preached to deaf ears in a couple of threads about LUA+SRP they have probably wearied a bit.

    Although I must say, as I read your first posting the thought did occur to me that with LUA+SRP you wouldn't need any of this crap :D
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Configure? I don't have it configured, but I do run it. :D
     
  19. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Rmus, thanks for responding. How exactly do I set Windows to display hidden files/folders? And in the latter case, how would I know if the malware had/had not infected the clean file?
     
  20. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    There isn't really much to configure unless you have a lot of apps installed in weird places. Take a look at this.
     
  21. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Can OA premium be configured to block ALL unknown executable binaries by default?
     
  22. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Sorry. I have a nasty habit of taking things quite literally, and I'm annoyed by phrases like 100 % security. :D I think I understood what you meant - trying to block all malware vectors - and I'm just saying that doing that with 100 % reliability in all scenarios, even without user error involved, is not possible, due to the issue of vulnerabilities for example. All we can do is get "close enough." Even if everyone who has posted in this thread is fully aware that 100 % security is impossible, it's worth sometimes stating the obvious, because there may well be people reading this thread at one point that believe security can be 100 %, since marketing from various companies constantly tells them something that sounds a lot like that. So, my point is simply this: Would a sandbox/firewall/anti-executable/scripting disabled type of setup be strong? Sure. Would it be 100 %? No. And I'm not saying that because I think some Wilders member doesn't know that, I'm saying it because I think it's worth saying. :)

    The perfect world part was simple in response to the idea that 100 % security is possible in theory. As far as replacing HIPS with AE, I would not say it's necessarily maintaining the same level of security. That is why I said it's not important to consider whether X gives the same security level as Y, as long as both give a reasonable level of security that is enough for you. Personally, I would say that HIPS and AE both provide more than enough. Unfortunately, this is complicated stuff and the answers depend on the scenarios we're dealing with.

    Would AE provide the same level of security as some HIPS in a scenario where the user accidentally double-clicks on a malware attachment in an email or a browser exploit tries to run some trojan .exe file it dropped in the browser cache folder? Kind of - both should prevent the malware from running immediately and infecting the system. Would AE provide the same level of security as some HIPS in a scenario where the user intentionally allows a file to be executed with admin privileges, without knowing the file is a malicious rootkit dropper that tries to load a driver to do its evil thing? No - the HIPS might be able to prevent the driver from being installed and could warn the user, and the system could perhaps avoid getting completely owned, whereas the AE would not do anything at all after the file was allowed to execute and would simply sit by as the system got owned. So, there are differences in the levels of security, depending on what kind of security you mean and want. If the only requirement is that random executables be blocked from running, then both AE and HIPS can do the job pretty effectively - and for many people this is all they want.

    As I said before, I find simpler to be often better. I would rather choose AE than HIPS. LUA and SRP is the kind of "paranoid" combo that I like, which offers a high level of protection even though it has its flaws like anything and is not invulnerable in any way. It is, however, far more than "good enough" to avoid any dangerous malware currently known to be out there if the user isn't a complete disaster.

    Basically, threads like this can be either long or short depending on how deep you want to go. Short answer is that AE provides a good enough level of security, especially when one remembers to consider the possibility of scripts being used to execute code without "permission" from the AE. Long answer is that in some scenarios AE beats HIPS and in some it loses to HIPS, and then follows the boring account of various scenarios with various what-ifs.
     
    Last edited: Aug 23, 2009
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think when you talk about attack vectors, exes vs. scripts isn't as important as understanding where you might be vulnerable. For example:

    Online. Here I might be concerned about something downloading and running that I don't know about, hence Sandboxie and a HIPS for me.

    Email. The threat is what may be in an attachment I have to open (emails from clients). Here again, I use both Sandboxie and HIPS.

    CD and USB autoruns. I've disabled them. Also, if there is any doubt, I can sandbox them/use Shadow Defender to protect the system.

    Programs I trust from trusted sources, I don't worry about.

    Programs I am not sure about. Either I don't bother, or I put my system in Shadow Mode and test them in a VM. If all seems okay, I may still test on the host in Shadow Mode. If I can't do that, I don't run them.

    Pete
     
  24. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    A good point to make would be that you run it in conjunction with LUA and SuRun - this way it gets easier to manage AND more secure.
     
  25. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Good point. I assumed (which one shouldn't do) that LUA is also being used, as I don't see much point in SRP without it, that would be a half-baked solution.

    SuRun has really made things easy for us LUA users. Some of the other attempts at a similar app that I've tried were either buggy, didn't do what they said on the tin, or were just tedious to use.
     