Looking 4 info on classic HIPS software

Discussion in 'other anti-malware software' started by spindoctor, Dec 26, 2006.

Thread Status:
Not open for further replies.
  1. spindoctor

    spindoctor Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    83
    I'm thinking of adding a HIPS program that falls into the category of classic HIPS. Not looking for a sandbox type app - e.g. Geswall, Sandboxie, Defensewall etc...

    I was looking into Cyberhawk or maybe ProSecurity. SSM still seems somewhat too advanced for me at this point.

    But I can't seem to find out exactly what areas Cyberhawk protects you against. For example, does CH protect you against new start up entries? Does it have any registry protection? Does it run at kernel level? Will CH block new driver installs and Windows hooks? I guess a link to exactly what CH protects against would be great. I didn't see a fully complete listing of what exactly CH does on their website, just a bunch of general info.

    As for ProSecurity, I tried the free version and it does seem decent, but I got a TON of popups and I'm not really looking for such a busy app. But then it does have most of the features I'm looking for, such as decent reg protection (I think), blocking of driver installs and Windows hooks, blocking of new Windows services being added, runs at kernel level, is compatible with other security software (like KAV, Comodo and other similar software - at least I think it is) etc...

    I would really like a HIPS program that will provide solid protection against the areas I listed above, but if possible still have a minimal level of popups. So would you guys recommend CH or PS for the areas of protection I'm looking to cover or maybe something else?

    Thanks for any assistance.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    CyberHawk is a behavior blocker, not a classic HIPS, though I don't know much more on how it works.

    I'd recommend OA, but its current version doesn't offer the features you want. v2.0 should though.

    Also, have you run ProSecurity in learning mode? After a while, you can turn it off and there shouldn't be many pop-ups.
     
  3. spindoctor

    spindoctor Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    83
    Ok, thanks WSFuser. I didn't know CH was just a behavior blocker and not a HIPS. So I guess CH is out then because it can't really be providing the level of security that I'm looking for and could probably be shut down, bypassed or manipulated by some kinds of malware more easily than I originally thought.

    I've tried OA in the past and wasn't too impressed with it. Maybe like you said in future versions it will be more appealing and have the features I'm looking for. But till then I'm looking for something else to run.

    Maybe I just don't understand PS yet, but I don't want to run it in learning mode too long because I don't want programs like Firefox being able to run without PS giving a warning first. I just don't want to keep getting popups after the first warning.

    What I mean is I want a HIPS program that will warn me once when something tries to run and if I let it, then keep silent and let the program run without additional popups. Unless I close and restart the program again. I guess I'll have to fool with PS some more to get it running the way I want with fewer popups.

    Ideally, I would like a kernel level HIPS program that combines most of the features of WinPatrol free version or Arovax Shield, along with something like ProcessGuard full version and has a powerful registry defense somewhat like RegDefend, not a registry poller like WinPatrol. That uses a minimal amount of resources and won't popup warnings too often. Oh yeah, I don't want to have to have a couple degrees in computer science just to handle the thing either.

    Do you know if ProSecurity 'full version' covers all of these areas? Or will I need something else to cover some of the features WinPatrol or Arovax shield protects against, like new start up programs or BHOs being added?

    Thanks again.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    ProSecurity's full version has registry protection which should cover startup entries, but I don't know about BHOs or other stuff.
     
  5. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Try Safe"n"Sec ;)
     
  6. TECHWG

    TECHWG Guest

    Prosecurity must be run in learning mode for as long (but safe) a period as you can; this makes PS learn your daily habits and it then knows about what software you use. The longer you "prepare" PS in learning mode, the fewer popups you get. Also when you are installing something you should use install mode.

    I would also like to add that for the next version or two, the developer is creating several things, some of which will improve PS in these fields, including for beginner users. I can not elaborate on what these functions are, but suffice to say they are going to improve its usability to a wider public, I think.
    So I would say keep your eye on PS and see what the new update(s) may bring.

    WG
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Same here - I found SSM far too confusing - more likely to let me do harm than good.

    I would suggest that you give ProSecurity a go. You can turn learning on and off as and when you want to. Even though I had run learning for a while, I found that I had missed a number of rarely used programs and options. My solution, rightly or wrongly, has been to turn learning on again and let it sort the mess out.
     
  8. TECHWG

    TECHWG Guest

    Good idea Long View, some people find SSM too confusing and dangerous for a basic user, although on the other side, some people don't like PS because they don't like the GUI or they prefer the software they have been used to for the most time. It's the choice of the user. If someone does not like SSM, I would suggest they check ProSecurity and just give it a go to see if they like it or not.

    WG
     
  9. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Personally, what I like with Prosecurity is the fact that it looks and feels a lot like Process Guard but with more and better protections. Being an ex-Process Guard user, it makes me feel at home! ;-)

    Best regards,
    Atomas31
     
  10. TECHWG

    TECHWG Guest

    The main thing is that it gives you as much control as it can with its feature set. I mentioned before that ProSecurity will have new features in the new version(s) very soon that will help the user new to HIPS while still giving control to the advanced users. This means that the advanced users can still maintain the same level of control they enjoy with ProSecurity while it provides better, easier features that a person new to HIPS protection can optionally enable if they wish. I also like the interface; while not identical to Processguard, I see how it is a friendly interface for people who have used PG for some time :thumb:
     
  11. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    ProSecurity shows great promise, but so far it seems evident that it's produced by a 1-person development staff. As was demonstrated with DCS/ProcessGuard/TDS, that situation can sometimes augur future difficulties in the long-term staying power of a security application.

    Another "classic HIPS" that manifests extremely high credentials is Abuse Shield. I gave it a sustained trial & was quite favorably impressed with its stability and the VERY informative nature of its alerts. Further, the proponents of AS provide users with an extensive online database of processes (good & evil) to help users make informed decisions concerning the occasional alert pop-ups.

    My "mainstay" HIPS remains SSM, ever since the time I first read tons of favorable comments on forums at Outpost/Agnitum, DSLR, CastleCops, as well as here at Wilders. The SSM staff is large, competent, responsive, friendly. The SSM forum is quite active and very helpful. As for SSM's alleged difficulty, I am 76, and am by NO means a computer geek. Even so I have always found SSM quite simple to use. So do my teen-age granddaughters.

    However, if someone wants great set-it-and-forget-it HIPS protection, with a 3-minute learning curve, then it might be best to seek beyond the "classic" HIPS category and instead go for a community-based HIPS such as the excellent PREVX1.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Some info on training SSM free versus PS free

    SSM: Start SSM in learning mode. Open all your most-used apps and allow all running processes. This should reduce most pop-ups. SSM learns while giving the lowest rights (tick marks). Next uncheck (deselect) notify user and start all other programs (will take you an average 30 to 45 minutes). Next select notify user and start your e-mail, P2P, internet, chat programs. You will get pop-ups, but you want to check programs which interact with the outside world. To me the advantage is that you will only give the minimum rights needed and you do not get a lot of pop-ups.

    PS: Has a nice general and specific set of rules. My advice is to start PS in learning mode, log out and in a few times (due to the mysterious reason that PS does not have a predefined set of rules for the XP OS and you do not want to exclude yourself from using your PC). Then reduce the general set of rights. Next open your most used programs. It should help when PS has some more help info on how to use general versus specific settings. By design this dual rights feature makes PS easier to set up than SSM. Because the documentation does not yet have a 'user journey' approach it is hard to find how to set general versus specific rights. This is a pity because programs can easily get too many rights (thus making PS less effective than SSM).

    I prefer SSM free over PS free, while PS paid has minor extra features over SSM.

    Regards
     
  13. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    How many people are involved in the development of SSM? In another thread Mike Nash says the OA team is 6 people ? I figure the SSM team is around that if not smaller?

    So the question is how many man team is considered stable?
     
  14. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I don't know what you mean by this. Could you expand ?

    Thanks
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ProSecurity has a tab with general/generic process/application right settings and process specific settings (both have question mark=ask user, x=not allowed or V=allowed). When you allow a new process by pop-up, it will be allowed to do the things you marked with V. When you do not straighten this out first, the granular control feature of PS will not be set properly (too wide rights).

    SSM on the contrary gives a program limited rights; when for instance it needs a library, SSM will throw a pop-up asking again. With SSM you will get 'tight' fitting rights, necessary for the normal operation. Should any malware be able to infect this program, the program is not allowed to do any more than its infected donor. Granular control is intended to give a program just enough rights as it needs.

    Although the SSM user interface is somewhat less user friendly than PS, the journey of the customer is thought out better. I think that is why experienced classic HIPS users favour SSM over PS (also the option to disconnect the user interface is a smart way of prohibiting other users of a PC from allowing a program extra rights, because they do not understand the pop-ups/questions asked by the classical HIPS).

    From an IT-security point of view PS is easier to use, but SSM is easier to operate (!), meaning that a power user can set up the system and other users are not asked questions. They will only notice that in the worst case something does not work (better than allowing a malware to slip through after a pop-up question).
     
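The "too wide rights" pitfall described in the post above, as an added toy model (not ProSecurity's or SSM's code): a generic defaults table (?/x/V) per capability, per-process rules that override it, and a check of what a freshly allowed process may do without any further prompt. The capability names and the two generic tables are constructed for illustration.

```python
"""Constructed model of generic-vs-specific HIPS rights; not vendor code."""
from enum import Enum


class Verdict(str, Enum):
    ALLOW = "V"   # allowed silently
    DENY = "x"    # blocked silently
    ASK = "?"     # prompt the user, then record the answer as a specific rule


# Hypothetical capability set a classic HIPS would mediate
CAPABILITIES = ("run", "load_library", "install_driver", "write_autorun", "install_hook")


def decide(process, capability, generic, specific):
    """A process-specific rule wins; otherwise the generic default for that capability applies."""
    rule = specific.get(process, {}).get(capability)
    if rule is None:
        rule = generic.get(capability, Verdict.ASK)
    return rule


def answer_prompt(process, capability, user_allows, specific):
    """Record the user's answer so the same question is not asked again for this process."""
    specific.setdefault(process, {})[capability] = Verdict.ALLOW if user_allows else Verdict.DENY


def silent_rights(process, generic, specific):
    """Capabilities the process gets with no prompt at all: the wider this list, the more an
    infected copy of the program can do without the user ever seeing an alert."""
    return [c for c in CAPABILITIES if decide(process, c, generic, specific) is Verdict.ALLOW]


# Constructed generic table left untouched after install: driver installs allowed by default
WIDE_GENERIC = {"run": Verdict.ALLOW, "load_library": Verdict.ALLOW,
                "install_driver": Verdict.ALLOW, "write_autorun": Verdict.ASK,
                "install_hook": Verdict.ASK}
# Tightened generic table: every capability asks until a specific rule exists
TIGHT_GENERIC = {c: Verdict.ASK for c in CAPABILITIES}


def demo():
    """User answers a single 'may firefox.exe run?' prompt; compare what it inherits under each table."""
    specific = {}
    answer_prompt("firefox.exe", "run", True, specific)
    return (silent_rights("firefox.exe", WIDE_GENERIC, specific),
            silent_rights("firefox.exe", TIGHT_GENERIC, specific))
```

Under the wide table, one "allow run" answer silently grants library loading and driver installation too; under the tightened table only the answered capability is granted and everything else still prompts.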
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    In general an IT development team of an architect/designer and three developers/programmers is an efficient/stable team.

    A stable company is a different question. Small single IT-product companies have on average an expected lifetime of three to seven years when they do not show double growth figures of 20% or more. In niche markets small single IT-product companies tend to live longer when they are the winners of the first wave (10 to 15 years).

    Venture capitalist analysts make an art of determining this kind of rules of thumb. To be honest I do not think these questions can be answered; real life will show.
     
  17. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    You are missing the point. As usual.
     
  18. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks - but how do you straighten this out? So far I have tended to just let learning sort things out. Some pop-ups I have allowed have resulted in ask rather than allow, but so far this has not caused any problem that I can see.
     