How to use HIPS properly?

Discussion in 'other firewalls' started by jo3blac1, Dec 11, 2012.

Thread Status:
Not open for further replies.
  1. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    The title says it all. How do I distinguish a malicious process from a normal operating system function? Oftentimes HIPS messages just ask me if I want SVCHOST to do this or that. What would be considered an action initiated by malware? How do you know whether SVCHOST is really trusted or has a fake signature? How do you know if SVCHOST is safe or not? There are about what... 12 SVCHOSTs that are initiated by services. There is a bunch of malware that pretends to be part of these services. How do you know which one is what?

    For example, I read somewhere on this forum that if Java is asking your FW to make an outbound connection then it is probably up to no good. Well, I have software that requires Java to make an outbound connection. Otherwise it doesn't run. These are the problems that I am facing with HIPS and FWs... How to distinguish what is allowed and what is not, and what is a safe action.

    UPDATE: Okay guys thanks for your input. I am looking for more general rules on what to watch out for.

    Last edited: Dec 12, 2012
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You don't, that is the problem with HIPS. HIPS looks at all possible attack vectors, asking whether you allow or not. Because people are afraid they are infected, they take the totalitarian approach of a dictatorship, guarding and spying on their own citizens and monitoring every move they make.

    Better to define several levels of containment, for instance with user rights and/or integrity levels. Another approach is to limit the rights of entry points (web, mail, USB, CD, etc.), put high surveillance on them (by HIPS, behavioral monitor or antivirus or whitelisting) or virtualize the changes they make.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Just don't set up your HIPS so it gets into semantics. It doesn't need to analyze how one trusted process interacts with another trusted process. Only install known, trusted applications, then use your HIPS as a whitelist governor to monitor the system and deny unauthorized executables and possibly, if you want to go a little deeper, DLLs.
     
  4. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Ok, every non-expert who comes in contact with a HIPS faces the same problem. I am not an expert, so my take on HIPS is this:

    - Try to observe first what is the "normality" in your computer. You won't be able to spot the abnormality if you don't know the normality. Example: Application ABC.exe never asked before to use global hooks, but now it does. That's suspicious. Time for a scanner. In the meantime, deny.

    - Unprovoked requests are suspicious. You are happily working with your PC like you've done for months and while you browse, suddenly an unknown exe (in XP days, it was a classic having a request initiating from IE's temp files) wants to run or a browser helper object wants unseen privileges. Why not deny first?

    - When in doubt, deny and see if your legit applications run. If they do, no need for further privileges. I have as a general rule: "Simple apps want simple things from your HIPS, complicated ones want much more". When apparently simple apps ask for the stars, they get my attention.

    - Knowing the names and the true paths of Windows services is of help. smss.exe in system32 is legit. smsss.exe is not and neither is smss.exe in C:/Windows.

    - An application that is downloaded from a reputable site is more secure than one from a random website.

    - Simple task applications should not ask for complicated privileges. An application that isn't supposed to connect to the internet (either by nature or because you've disabled updates) shouldn't have anything to do with svchost.exe suddenly asking for an outbound request. A PDF file shouldn't want to set global hooks or capture your screen. A "no dvd patch" for your latest game shouldn't ask for dll injection into your IE. I mean, use common logic.

    - There is a "point of no return" with HIPS. For example, you execute a malicious file and allow dll injection into a legit service. Too late for tears.

    - A sandbox can help you "try" an exe with considerable safety while observing the behaviour of the exe from the HIPS' pop-ups.

    - If you are in doubt about what to do, you can always upload the suspicious fellow to VirusTotal before proceeding. A bunch of antiviruses is better than one.

    - If you suspect you messed up with a decision and might be infected, it is wise to select the image software of your liking and restore to a previous image. :D

    This said, if you eliminate the danger of self-infection by running infected installers from dubious sources and malware masquerading as "crack/no dvd patch", then your task is much simpler, because the main gate becomes your browser and annexed objects (Flash, Java, etc.), that may be hit by an exploit while you happily surf. But then, you get into the category of "unprovoked request". I mean, you don't do anything, you don't launch anything, you're just browsing and suddenly you are bombarded by popups that want to do something. Well, deny! :D

    EDIT:

    - Important: Always be familiar with the processes that, while your installation is clean, have internet access. Windows services that never before wanted out and now do could be suspicious. On my PC, svchost.exe never had to be allowed incoming, so if I were to get a request, I'd see alarm bells. Always be suspicious when a new application wants to ride on the back of Windows services or browsers. Malware often wants to phone out, so injections into processes that are usually allowed out should be seen with suspicion.
     
    Last edited: Dec 11, 2012
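    The post above leans on two checks that can be automated against a process list: does a process with a system name run from the expected directory with the expected parent, and is a name one typo or digit-swap away from a system name (smsss.exe, svch0st.exe). The following is an added example written for this thread, not code from the original posts or from any HIPS product. KNOWN_SYSTEM_PROCESSES is an assumed baseline for a few core Windows 7 era binaries and SAMPLE_PROCESSES is constructed data standing in for a real snapshot; adjust the table to what your own clean system shows.

```python
"""Spot processes masquerading as Windows system processes.

Added example, not from the original posts or any HIPS product.
KNOWN_SYSTEM_PROCESSES is an assumed baseline (expected directory and
parent); SAMPLE_PROCESSES is constructed, not a live process list.
"""
from dataclasses import dataclass
import ntpath

# Assumed baseline: where each core process lives and which process starts it.
KNOWN_SYSTEM_PROCESSES = {
    "smss.exe":     {"dir": r"c:\windows\system32", "parents": {"system"}},
    "csrss.exe":    {"dir": r"c:\windows\system32", "parents": {"smss.exe"}},
    "wininit.exe":  {"dir": r"c:\windows\system32", "parents": {"smss.exe"}},
    "winlogon.exe": {"dir": r"c:\windows\system32", "parents": {"smss.exe"}},
    "services.exe": {"dir": r"c:\windows\system32", "parents": {"wininit.exe"}},
    "lsass.exe":    {"dir": r"c:\windows\system32", "parents": {"wininit.exe"}},
    "svchost.exe":  {"dir": r"c:\windows\system32", "parents": {"services.exe"}},
}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str         # full image path as reported by the process list
    parent_name: str  # image name of the parent process


def _normalize(name: str) -> str:
    """Lower-case and undo common digit-for-letter swaps (svch0st, 1sass)."""
    return name.lower().replace("0", "o").replace("1", "l")


def _osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit_process(p: Proc) -> list:
    """Return the reasons this process looks wrong (empty list: nothing noticed)."""
    name = p.name.lower()
    findings = []
    if name in KNOWN_SYSTEM_PROCESSES:
        expected = KNOWN_SYSTEM_PROCESSES[name]
        # Wrong directory: smss.exe in C:\Windows instead of System32.
        if ntpath.dirname(p.path).lower() != expected["dir"]:
            findings.append(f"{name} runs from {p.path}, expected {expected['dir']}")
        # Wrong parent: a "svchost.exe" launched by explorer.exe was not started by the SCM.
        if p.parent_name.lower() not in expected["parents"]:
            findings.append(f"{name} started by {p.parent_name}, expected one of {sorted(expected['parents'])}")
        return findings
    # Not a system name, but one edit (or a digit swap) away from one: smsss.exe, svch0st.exe.
    for known in KNOWN_SYSTEM_PROCESSES:
        if _osa_distance(_normalize(name), known) <= 1:
            findings.append(f"{p.name} is a lookalike of {known}")
            break
    return findings


def audit_processes(procs) -> dict:
    """Map pid -> findings for every process that raised at least one."""
    report = {}
    for p in procs:
        findings = audit_process(p)
        if findings:
            report[p.pid] = findings
    return report


# Constructed sample, not a real snapshot.
SAMPLE_PROCESSES = [
    Proc(4, "System", "", ""),
    Proc(300, "smss.exe", r"C:\Windows\System32\smss.exe", "System"),
    Proc(800, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    Proc(1500, "svchost.exe", r"C:\Windows\System32\svchost.exe", "explorer.exe"),
    Proc(1602, "svchost.exe", r"C:\Users\joe\AppData\Local\Temp\svchost.exe", "explorer.exe"),
    Proc(1700, "smsss.exe", r"C:\Windows\smsss.exe", "explorer.exe"),
    Proc(1710, "svch0st.exe", r"C:\Windows\svch0st.exe", "services.exe"),
    Proc(2000, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in audit_processes(SAMPLE_PROCESSES).items():
        for reason in reasons:
            print(f"pid {pid}: {reason}")
```

    The parent check is the one the poster's "12 svchosts" question really needs: a genuine svchost.exe is always started by services.exe, so a copy in System32 with explorer.exe as its parent is worth a look even though name and path are right. A process list from Process Explorer or Autoruns gives you all four fields; the table is the part you keep updated from your own clean baseline.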
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Oh, you may want to run firewall leak tests (if you google, they will come up) to get some practice. They use techniques that malware uses (or may use), so you can become more "trained" in what you could expect. Of course legit applications may use them too, but still, it's better than nothing.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    My take: different levels of PC knowledge, different approaches

    I assume my system is clean. Do not use any (third party) security, use only what is provided by the OS (Win7 Ultimate), see sig

    My wife's laptop: explained the UAC colouring system to her (an unsigned app triggers an orange warning; she only runs signed apps, so orange is very suspicious). Installed a smart AV with BB and browser containment, let the application monitor threat gates with extra attention and do all the decision making (intercept before UAC at the Win7 default does). She has freedom and normally no security question to answer. See https://www.wilderssecurity.com/showpost.php?p=2155294&postcount=27724.

    My mother's laptop (nearly 80 years old) runs only DefenseWall HIPS and FW, with HitmanPro on demand. She just applies three simple rules:
    a) don't install from mail
    b) download with IE; when SmartScreen allows the download, right-click check with HMP; when okay I can install
    c) run DW with right-click 'run as trusted'. Set UAC to auto elevate, but also deny unsigned programs to elevate (Vista)
    She is a complete PC illiterate who learned to use a mobile phone and PC in 2007 (at age 75), ergo she does not have to answer questions.
     
    Last edited: Dec 11, 2012
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    My take currently is:

    I assume my system is clean. I only download things from Softpedia or reputable open source. I only have WinPatrol steadily running, on occasion an anti-executable, or in the past Comodo or nothing at all. MBAM (on demand) never finds anything, to the point that I had to search for malware just to make MBAM get a jolt :D But when you come back to Wilders, paranoia strikes back. :D

    For computer illiterates, I've used in the past with huge success Sandboxie free.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    That is exactly the problem with using HIPS... unless you want to try to analyze every single little thing that happens on your system (which will drive you crazy), then it's just not worth it. Better to use other methods of keeping clean and safe IMO....
     
  9. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yup! But when you first encounter HIPS, it's logical to have the questions he asks, and you usually also have... patience.

    I agree that it's not worth analyzing everything with something like Comodo, for example, which will take you step by step through the whole installation. "Secure" downloads should be treated as such and skip the exhausting detective work.

    Personally I reserve the "full treatment" only for obscure applications that I've never seen before. Otherwise the main benefit is that HIPS warns on "unprovoked requests" and on "apparently innocent files" ("wow, I clicked on a jpeg my friend emailed me and it wants to set global hooks, gee, should I let it?" :D).

    Sandboxes are much more hassle-free, but their weakness comes when you want to run something outside the sandbox.
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Oh, a last note on HIPS tactics in case you fail.

    Despite what you would think after reading Wilders all day about the evil rootkits, much malware out there isn't super sophisticated and leaves quite visible traces. Like new startup registry entries, a new service, a new process running in the task manager, an unexpected outbound request. Things that even WinPatrol can bark about.

    A friend of mine had Comodo, but he really doesn't understand anything of D+, but he likes it anyway, so... He phoned me because "I tried to run a keygen, it showed me many popups, I allowed, but it never worked". It never worked because it wasn't a keygen. He couldn't remember what Comodo was telling him, but he did remember he gave registry permissions. I told him to run Autoruns and he had an unknown startup entry.

    If you see such a thing, or even if you realize that you clicked the wrong "allow", RESTORE an image and you're done (even better when the imaging program overwrites the MBR too). It's not even worth it to try to "eradicate" the infection if you have an image around.
     
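    The "unknown startup entry" in the story above is exactly what a diff of two autorun exports surfaces, provided a clean baseline was saved first (the "know your normality" point from earlier in the thread). Below is an added example for this thread, not code from the original posts or from Autoruns: it diffs a baseline list of autorun entries against the current one and annotates what is new or changed with the cheap hints a reviewer looks for (image in a user-writable directory, double extension, a system process name outside System32). Both snapshots, the directory lists and the entry names are constructed for illustration; on a real machine you would feed it two exports taken before and after the suspicious install.

```python
"""Diff a baseline of autorun entries against the current set and annotate
what is new or changed.

Added example, not from the original posts or from Autoruns. TRUSTED_DIRS and
USER_WRITABLE_HINTS are assumptions; BASELINE and CURRENT are constructed
snapshots in the shape (location, entry name, command line).
"""
from dataclasses import dataclass
import ntpath

# Directories a legitimate autorun normally starts from (assumption).
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
# Writable locations that droppers favour (assumption).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
SYSTEM_NAMES = ("svchost.exe", "smss.exe", "csrss.exe", "lsass.exe", "services.exe")


@dataclass(frozen=True)
class AutorunEntry:
    location: str   # registry key ("HKLM\...\Run", "HKCU\...\Run") or "Services"
    name: str       # value name or service name
    command: str    # command line as stored


def image_path(command: str) -> str:
    """Pull the executable out of a command line.
    "C:\\a b\\x.exe" /q  ->  C:\\a b\\x.exe ; unquoted paths with spaces are
    ambiguous, so the first token is taken in that case."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def risk_notes(entry: AutorunEntry) -> list:
    """Cheap hints that an autorun deserves a second look."""
    notes = []
    path = image_path(entry.command).lower()
    if not path.startswith(TRUSTED_DIRS):
        notes.append("image outside Windows/Program Files")
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        notes.append("image in a user-writable directory")
    base = ntpath.basename(path)
    if base.count(".") > 1:                       # photo.jpg.exe
        notes.append("double extension")
    if base in SYSTEM_NAMES and not path.startswith(r"c:\windows\system32"):
        notes.append("system process name outside System32")
    return notes


def _key(e: AutorunEntry) -> tuple:
    return (e.location.lower(), e.name.lower())


def diff_autoruns(baseline, current) -> dict:
    """Return added, removed and changed entries (sorted for stable output)."""
    old = {_key(e): e for e in baseline}
    new = {_key(e): e for e in current}
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    changed = [(old[k], new[k]) for k in sorted(old.keys() & new.keys())
               if old[k].command != new[k].command]
    return {"added": added, "removed": removed, "changed": changed}


def triage(baseline, current) -> list:
    """One (entry, notes) pair per added or changed entry, for manual review."""
    d = diff_autoruns(baseline, current)
    items = d["added"] + [new for _, new in d["changed"]]
    return [(e, risk_notes(e)) for e in items]


RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshots, not exports from a real machine.
BASELINE = [
    AutorunEntry(RUN_HKLM, "MonitorTool", r'"C:\Program Files\Monitor Tool\monitor.exe" -expressboot'),
    AutorunEntry(RUN_HKLM, "SunJavaUpdateSched", r'"C:\Program Files\Java\jre7\bin\jusched.exe"'),
    AutorunEntry("Services", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
CURRENT = [
    AutorunEntry(RUN_HKLM, "MonitorTool", r'"C:\Program Files\Monitor Tool\monitor.exe" -expressboot'),
    AutorunEntry(RUN_HKLM, "SunJavaUpdateSched", r'"C:\ProgramData\jusched.exe"'),           # changed
    AutorunEntry("Services", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    AutorunEntry(RUN_HKCU, "Windows Update Helper", r"C:\Users\joe\AppData\Roaming\svchost.exe -s"),  # new
    AutorunEntry("Services", "NetSvcHelper", r'"C:\Users\joe\AppData\Local\Temp\keygen.exe" /svc'),   # new
]

if __name__ == "__main__":
    for entry, notes in triage(BASELINE, CURRENT):
        print(f"{entry.location} :: {entry.name} -> {entry.command}")
        for note in notes:
            print(f"    ! {note}")
```

    The diff is the signal; the notes only rank what to look at first. A new entry with no notes (say, a freshly installed program under Program Files) still counts as new, and the poster's advice stands: if the entry is not something you installed on purpose, restore the image rather than pick at it.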
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, data backups to NAS plus monthly image backup and data sync to USB drive, and a decent router with FW and a long WL passphrase.
     
    Last edited: Dec 11, 2012
  12. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Hahahaha the only way to use a HIPS properly is to read all pop ups and Google anything you don't get . . . :D
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    That could be a full time job.... :)
     
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Deny for default and allow for exception. :D
     
  15. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Are registry permissions usually one of those privileges that I should rarely give? I mean some common sense hints are quite useful. I'm kind of new to the HIPS business. I did try several other HIPS before and didn't like them too much. Now I want to give it a 2nd try.
     
    Last edited: Dec 12, 2012
  16. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    You should try a HIPS like Online Armor or Comodo, which have some nice automated features that will reduce pop-ups a LOT! :D

    That's how I learned how to answer HIPS . . . yeah I had a lot of time back in high school. :rolleyes: :D
     
  17. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Unfortunately most Windows programs do write something in the registry. You can't go on a rule about it. The thing is, again, you must use common sense. An application, for example, that isn't supposed to run at startup shouldn't be needing a registry startup entry... In his case, since "the keygen didn't work", I suspected that it was malware that had added a startup entry for itself, because it's a logical thing for even the lowest of the low malware to do...

    Plus, a keygen shouldn't need anything fancy to work. It's just reproducing an algorithm. Same story I said for "nodvdpatch". A "nodvdpatch" for a "game" that tries to change things at system level should raise an eyebrow and be sent to VirusTotal. Again, with something like Sandboxie to try them first, you get to see their behaviour better while staying safe, and you can allow all pop-ups to see how far they want to go. Often, some popup comes which is blatantly showing they're malware. I mean, let's say that they start with obscure popups, so you say allow; at some point, you see it wants to hook your keyboard. "Why would a nodvd patch want to hook your keyboard? A keylogger would want that!" So, at that point, even if you were fooled by the previous popups, you should start ringing bells.

    That's the attitude! :thumb: Nowadays HIPS newbies are way too comfortable with HIPS having "auto-features". Remember back when Process Guard, Ghost Security and System Safety Monitor were the only HIPS, plus you had an extra "registry monitor" just to be safe? Most of the time you had to answer every single popup, because training mode would allow anything, so out of fear, I was going step by step, pure paranoia. :D Pop-up rain coming from left and right! :D And yeah, time seems infinite when you're in high school, doesn't it? If I were to do now the pop-ups that I was answering back then, I'd shoot myself. But I guess, at that age, you have close to infinite patience, because even a "pop-up parade" seems a game. :)

    Practice makes perfect (well, maybe not perfect, but it helps a lot) and Google is always your friend, that's for sure.
     
    Last edited: Dec 12, 2012
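    The reasoning in the post above ("a keygen shouldn't need anything fancy", "a no-DVD patch that wants to hook your keyboard is a keylogger") is a policy: each application has a small set of privileges it is expected to need, anything else is denied, and a denied request of the keylogger/dropper kind marks the process for investigation. The block below is an added example for this thread, not code from the original posts or from any HIPS product, showing that policy as default-deny rules evaluated over a request log. The capability names, the three application profiles, javaw.exe as the runtime of the Java application from the opening post, the hostname updates.example-app.test as its one legitimate destination, and the request log are all constructed.

```python
"""Default-deny HIPS policy driven by per-application privilege profiles.

Added example, not from the original posts or any HIPS product. Capability
names, PROFILES and REQUEST_LOG are constructed for illustration.
"""
from fnmatch import fnmatch

# Requests a simple application has no business making (assumption).
HIGH_RISK = {"keyboard_hook", "global_hook", "screen_capture", "dll_inject",
             "driver_load", "run_key_write", "service_install"}

# Profiles: which privileges each known application is expected to need.
# For net_out, the destinations it may talk to (host:port, fnmatch wildcards).
PROFILES = {
    r"c:\program files\java\jre7\bin\javaw.exe": {
        "caps": {"net_out"},
        "net_out": ["updates.example-app.test:443"],
    },
    r"c:\program files\pdf reader\pdfreader.exe": {
        "caps": {"read_file", "net_out"},
        "net_out": ["*.example-vendor.test:443"],
    },
    r"c:\program files\foo editor\fooedit.exe": {
        "caps": {"read_file", "write_file"},
    },
}


def decide(process: str, cap: str, target: str = "") -> tuple:
    """Return (verdict, severity, reason); verdict is 'allow' or 'deny'."""
    profile = PROFILES.get(process.lower())
    severity = "high" if cap in HIGH_RISK else "low"
    if profile is None:
        # Deny by default: an executable nobody wrote a profile for gets nothing.
        return ("deny", severity, "no profile: unknown executable")
    if cap not in profile["caps"]:
        # Allow by exception: only what the profile lists.
        return ("deny", severity, f"{cap} is not in this application's profile")
    if cap == "net_out":
        # The Java app from the opening post may phone one host, not the world.
        if any(fnmatch(target.lower(), pat.lower()) for pat in profile["net_out"]):
            return ("allow", "low", f"outbound to {target} is expected")
        return ("deny", "medium", f"outbound to {target} not in allowed destinations")
    return ("allow", "low", f"{cap} is expected for this application")


def review(requests) -> dict:
    """Apply decide() to a request log; list processes that asked for high-risk
    privileges they were never profiled for (the ones to scan or roll back)."""
    decisions = []
    investigate = set()
    for proc, cap, target in requests:
        verdict, severity, reason = decide(proc, cap, target)
        decisions.append((proc, cap, target, verdict, severity, reason))
        if verdict == "deny" and severity == "high":
            investigate.add(proc)
    return {"decisions": decisions, "investigate": sorted(investigate)}


# Constructed request log: (process, capability, target).
REQUEST_LOG = [
    (r"C:\Program Files\Java\jre7\bin\javaw.exe", "net_out", "updates.example-app.test:443"),
    (r"C:\Program Files\Java\jre7\bin\javaw.exe", "net_out", "198.51.100.7:8080"),
    (r"C:\Program Files\Foo Editor\fooedit.exe", "write_file", r"C:\Users\joe\Documents\notes.txt"),
    (r"C:\Program Files\PDF Reader\pdfreader.exe", "screen_capture", ""),
    (r"C:\Users\joe\Downloads\nodvd_patch.exe", "read_file", r"C:\Users\joe\Downloads\readme.txt"),
    (r"C:\Users\joe\Downloads\nodvd_patch.exe", "keyboard_hook", ""),
    (r"C:\Users\joe\Downloads\nodvd_patch.exe", "dll_inject", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

if __name__ == "__main__":
    result = review(REQUEST_LOG)
    for proc, cap, target, verdict, severity, reason in result["decisions"]:
        print(f"{verdict:5} [{severity:6}] {proc} {cap} {target} :: {reason}")
    print("investigate:", result["investigate"])
```

    Two things the log makes visible that a single pop-up does not: the Java application is allowed its one destination and denied everything else, which is the answer to "my software needs Java to connect" without opening Java wide; and the PDF reader asking for screen capture lands on the investigate list alongside the "patch", because the rule is about what the application should need, not about where it came from.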
  18. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,067
    Well the same happens with the Firewalls and nobody cares...
    https://www.wilderssecurity.com/showpost.php?p=2153240&postcount=1314

    I use SpyShelter in one of my computers when I have doubts about a popup I just click on send file to VirusTotal, 3 seconds later I have the answer.

    And then there are many gold rules, the experience, and the logic will tell you.

    The HIPS is quite useful: imagine you have opened an exe and then you realize you shouldn't have; you allow the first popup, but nothing happens, the exe is not working as you expected and you have downloaded it from a new and unknown site, so this starts to be a little bit suspicious. You can block the rest of the popups asking for special rights (kill and block), so your system will be partially infected (not enough to allow the malware to do its purpose); now you can send the file to VT or investigate a bit more, do a scan on demand...
     
    Last edited: Dec 12, 2012
  19. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Hahahaha that's my story with HIPS; the only difference is that I never got to use any of the HIPS you mentioned. I started with Malware Defender and since then I always have a HIPS in my security setup and do all the pop-ups manually. (I disable auto features such as allowing signed files, using the cloud ratings/whitelists etc.) :D
    I gotta admit that I don't find answering pop-ups fun anymore but I just do it. Hahahaha
     
  20. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    A decent person shouldn't need to mess with keygens either.
     
  21. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes, better to double-check something. Nobody cares because most people would like something miraculously effective, while they don't have to ever do anything. Do you know how many people there are that install HIPS or a HIPS/firewall combo without having the slightest idea of what they are, just because "a friend of mine who knows about PCs uses it" or "I found a review" or even worse "I googled, found a "Matousec" where it was 1st"?

    I even had a friend who thought that Sandboxie would protect his browser simply because it was sitting in the systray, even if he had launched the browser outside Sandboxie.

    Other people just click "allow" always, or "I gave permission inbound because I had this program asking me before and I had allowed and nothing bad happened".

    I mean, I used to try to explain to some friends that they should just use what they feel they understand, but now I'm too tired to bother anymore. "You want Comodo? Fine, let's install it, yes it's awesome in leak tests, good luck".

    Yeah, many indecent things shouldn't exist in this world, but they do. So when a friend calls you because his keygen didn't "work", I spare him the moral preaching (which I know wouldn't work, since someone who is determined not to pay for software, since he prefers spending the money on football tickets and the girlfriend, won't pay for it no matter what I say. Maybe if his wallet turns fatter he will, but for now, I know he won't.) and see if I can give him some advice.

    I leave the campaign for eradicating the indecent things to the government, Microsoft etc. There are drugs, thefts, crimes, prostitution, hunger, copyright violations; they can start from wherever they want.
     
  22. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Classical HIPS in general are for patient, persistent people with control-freak traits and an eye for detail. Most people can install it, but since the XP days I've lost count of how many friends got infected, because after a few days they got "trigger happy" and clicked allow and an IE ActiveX delivered them a trojan dropper. The story was always more or less the same: "Well, I always clicked allow and all was well, I couldn't imagine that this time it was different".

    Instead, the HIPS "lives" for that single time that is "different". You may have to click "allow" 10000 times and still be ready to click "block" the 10001st time. And most people who aren't keen on security software and don't have self-control and self-discipline just can't do it. By then they've become "allow" addicts. And that's why, despite the will of many to have HIPS, few can use them with profit. But you can't convince them of that until they see it with their own eyes...

    Sandboxes are much simpler solutions for most people, but many insist on installing things they can't handle.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada

    A full-time job analyzing every HIPS alert is not far at all from absolute truth :D Most HIPS can easily be "toned down" to alert only on unknown executables and DLLs, and that's all that's really needed.
     
  24. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    how about keylogging, screen capture, etc... how are you gonna take care of these guys?
     
  25. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    I've tried HIPS before but even with their new whitelisting and such, they still seem too annoying, and certainly not for the average user. I think policy-based programs like DefenseWall and AppGuard are the way to go. I do wish there was a standalone program like Avast!'s auto-sandbox that will isolate a suspicious program and run it, analyze it, and then run it outside if it was determined to be safe (Sandboxie is not that).
     