Need HIPS Advice for AntiVir

Discussion in 'other anti-malware software' started by richrf, Oct 5, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    FWIW, our support forum on Castlecops has suffered the same latency as the rest of the Castlecops website. It is frequently very slow because of server upgrades and not abandoned by us - just abandoned by the internet as it is almost always impossible to get to.

    Our users don't post there either because they can't or because we direct everyone to just post to our support inbox, which is a much better place for us to interface directly with our users.

    I direct anyone with questions/doubts to the "Is Prevx good?" thread here which gives information about our timeline to release the next version of our product line.

    I hardly think that we have unfulfilled promises, but I will comment that our support is always improving (and has had flaws in the past) and we have been hiring a number of new people to aid in support.

    As I've said in the "Is Prevx good?" thread, if you have any problems getting through to our inbox or if you think your response is taking too long, please let me know personally and I will take care of it.
     
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    The decision to keep using Castlecops forums is Prevx's. The decision NOT to create a Prevx stand-alone support forum is Prevx's. The decision NOT to try to relocate the Prevx forum to one of the high-uptime security forums, such as Gladiator or Smokey's, is Prevx's. The decision to try & use Wilders as Prevx's de facto, "backdoor support" forum is Prevx's.

    Thus, I question the validity of trying to "put the blame" on Castlecops. The fix is simple -- start your own support forum.
     
    Last edited: Oct 5, 2008
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for the recommendations bellgamin. Can someone briefly explain the primary differences between Mamutu and Malware Defender? Besides security characteristics I am also interested in reliability/stability/support. Thanks.

    Rich
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    There simply are very few users who use our Castlecops forum to justify the need for another support forum. A majority of the users that actually posted on Castlecops came from Wilders, hence our increased presence here on Wilders.

    As I've said, we much prefer that users come through our tech support inbox, but some users prefer to use forums. We will support them here or Castlecops or anywhere else for that matter.
     
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, this one made me laugh. You don't need another support forum, you need to move your Castlecops support forum to a site that's not down or unusable most of the time. Be it here or somewhere else doesn't matter much as long as the site is working. A support site that's down won't attract many users indeed, plus will make the current ones angry as a "bonus".

    ;)
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We are still exploring what we should do with the forum. It is definitely true that Castlecops is not a viable option in the long term, but we need to determine how much demand there really is for the forum in the first place before we decide where it should go.
     
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,352
    Location:
    Milan and Seoul
    There's another possibility (I'm testing it at the moment with Avira), which is AntiExecutable from Faronics version 3.10. It's not a full-fledged HIPS in the sense that it creates only a white list of all executables in your computer, and won't let anything new execute unless it receives explicit approval.

    Basically you are given 3 options when something wants to execute: Allow, deny, add to the whitelist. It is rock solid, nobody here at Wilders was ever able to bypass it (as far as I know), and it is very light. The new version, mainly made to comply with Vista, had a problematic start, but the latest update seems to work as advertised. Last but not least, their support is one of the best I've ever experienced.
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    A) Both Mamutu and Malware Defender are categorized as HIPS (Host-based Intrusion Prevention System).

    B) Mamutu is a type of HIPS known as a behavior blocker. Malware Defender (MD) is a type of HIPS known as a "classical."

    C) HIPS were developed to close the loopholes in blacklist-based security applications such as antivirus, antispy, & antitrojan programs.

    D) Blacklist-based programs identify malware by the use of signatures, which are something like "fingerprints of criminals." This works well EXCEPT FOR malware such as...

    --D1) Malware that is so new that there are not yet any fingerprints for it, OR...

    --D2) Malware that has the ability to change or disguise ("morph") its fingerprints.

    E) Mamutu & MD monitor what programs DO (their behaviors) rather than trying to examine their fingerprints.

    --E1) Thus, Mamutu & MD can often (not always) detect new or disguised malware WITHOUT using fingerprints.

    --E2) The kinds of behaviors that Mamutu & MD watch for are those behaviors which are more typical of malware behavior, and less typical of NON-malware behavior.

    --E3) For example, many malwares will manifest behaviors such as hooking the kernel &/or inserting a new service &/or over-writing a system file. Fewer NON-malware programs will attempt such actions.

    --E4) However, some small number of NON-malware programs do manifest a few malware-type behaviors. This fact can lead to FPs (false-positives). The dilemma...

    ---E4a) If the HIPS allows high FPs, it can generate user annoyance & carelessness.
    ON THE OTHER HAND
    ---E4b) Minimizing FPs can open holes for malware to sneak through.

    F) Thus, HIPS all strive toward a goal of achieving few FPs while at the same time achieving & maintaining strong protection -- not an easy goal to attain. Mamutu and MD seek to meet this goal in somewhat different ways. . .

    --F1) Mamutu has a bit more "intelligence" than MD, & is less configurable than MD. That is, Mamutu's programmers structured Mamutu so that Mamutu itself makes many (not all) of the decisions as to WHICH behaviors to monitor, WHAT specific "blips" (or combinations of "blips") should generate a pop-up alert, and so forth.

    --F2) MD covers a somewhat broader spectrum of behaviors than Mamutu but puts most decisions into the hands of MD's users. That is, MD requires its users to make many more configuration decisions than is the case for Mamutu. Also, MD generates more pop-up alerts requiring user decisions than is the case with Mamutu.

    --F3) MD monitors a somewhat broader spectrum of behaviors than does Mamutu. Consequently, MD requires the user to configure a LOT of parameters as to which behaviors to watch, under what circumstances, for which types of processes, etc.

    G) Which to choose? In my OPINION...

    --G1) For out-of-the-box security, Mamutu is a hair better than MD.

    --G2) For ease of configuration, the nod again goes to Mamutu.

    --G3) As to protection "over the long run" --

    ----G3a) In the hands of a knowledgeable user (or a user who is patient enough to do a bit of research from time to time) MD could end up with slightly stronger protection than Mamutu.

    ----G3b) In the hands of an average user (or a user who is unwilling to do a bit of research from time to time) Mamutu could offer a better level of protection.

    --G4) As to "reliability/stability/support" I rank them equal on the first 2 factors. As to the third factor, Mamutu has a support forum. MD does not. Mamutu's forum has participation by its program developers as well as by an active community of users.

    H) More reading about behaviorists & classicals...

    Mamutu's blurb & MD's blurb & also Here & Here -- for even more, do a google.

    No offense but... AE isn't a HIPS at all -- full-fledged or otherwise. In fact, you must disable AE in order to install a new program or update an existing one -- right at the very times when security is most needed. Plus it affords no protection whatsoever against rootkits, internet exploits, drive-bys, XXS, email exploits, etc.

    AE is excellent IF used on a static system -- no changes permitted, a completely locked down environment -- such as a system used in a kiosk, or library, or classroom, etc. However, for such situations, far better protection is (IMO) provided by the likes of Returnil, Deepfreeze, ShadowUser, et alia.
     
    Last edited: Oct 6, 2008
  9. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,352
    Location:
    Milan and Seoul
    No offense taken, AE may not be categorized as a HIPS, but apart from that what you are saying about AE is inaccurate: in the new version you don't have to disable anything to install a new program, you get an alert (like all HIPS) which asks you to allow, deny, or add to the whitelist.

    It will stop anything that executes: "Rootkits, internet exploits, drive-bys, XXS, email exploits, etc." Any malware, in order to do any damage, will have to execute at some stage. I think the only weakness is scripts.

    You can't compare virtualizers and AE in terms of protection: Virtualizers like DeepFreeze and the likes do not protect, they restore to a previous state. As a matter of fact Faronics designed AE to go along with DeepFreeze so that DeepFreeze could not be terminated by any malware.
     

    Attached Files:

    Last edited: Oct 6, 2008
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    Good information. I stand corrected. However, for whatever is NOT whitelisted, AE merely blocks anything & everything. The user is asked to allow or deny based on zero information, other than the fact that the process in question is either new or modified -- which no doubt the user already knew in the first place.

    AE's alerts provide the user with zero information upon which to base an accept/deny decision. A HIPS alert, on the other hand, provides information as to which rules or behaviors have led to a pop-up.

    As to AE versus virtualizers -- if user answers "allow" for a process which subsequently turns out to be malware, AE offers no means whereby that malware can be excised from one's system whereas a virtualizer does.

    IMO, a true HIPS plus a virtualizer is a much better security combination than would be anything in combo with AE.

    However, as noted earlier, AE is a good choice for kiosks & similar situations.
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi guys,

    Thanks for the valuable information, and for getting me up to date on what is happening in the world of HIPS. I used to use ProcessGuard, Online Armor, and KAV HIPS, so I am familiar with the different approaches.

    I usually like a full control HIPS which would lean me toward Malware Defender, but I would like a forum support which would lean me toward Mamutu. So I will look at both of them.

    In the meantime, I have installed DriveSentry, which is free for non-commercial use, with a small fee for auto updating features. Anyone have any comments on this product? Thanks.

    Rich
     
  12. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,352
    Location:
    Milan and Seoul
    I've had ProcessGuard for a year, RegDefend to protect the registry, System Safety Monitor for a short while, and recently D+ from Comodo. D+ was the one that was giving informed alerts, but ultimately they all came down to one and only one decision: either you allow or deny.

    Again, you don't seem to pay attention when I tell you that the new version has changed (see my attachment).

    If a HIPS recognizes malicious behaviour it isn't any different from a good AV's heuristics therefore either one is an expert in recognizing what's happening or one denies to be safe. What actually happens in real life is that if I'm downloading something intentionally from a trusted site, 99% of situations no malware is involved, and if any alert comes up without any interaction from the user, chances are that it is malware.

    You have your ideas about what HIPS are and can do, and you are right AE is not a HIPS the way it is normally understood, but in the end it achieves the same results (Let me say it again, many people tried to bypass it unsuccessfully).
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I have also used all of these products in the past. Now, I am switching away from KAV, and looking at Avira, which seems to be the AV that you are running. Have you tried out DriveSentry? Is there a reason you chose AE over other HIPS, eg. Mamutu, Malware Defender? Thanks for any info.

    Rich
     
  14. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I see, well you could solve this inconvenience by using a fairly new management tool named SuRun where you can easily grant higher privileges in a user account whenever needed. I've used this tool since member tlu announced it here at Wilders. There are other similar tools as well, but I found this to be one of the better ones. There's a dedicated thread about SuRun here.

    /C.
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks a lot. I will look into it.

    Rich
     
  16. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,352
    Location:
    Milan and Seoul
    No, I haven't tried DriveSentry, Mamutu, and Malware Defender. The reason I had AE with my XP system in the beginning was because like other members here at Wilders, we wanted to have a system protected by applications that were not dependent on daily updates. HIPS are very sophisticated programs that require attention to detail, timing, and above all good judgment. This is all very fine if you have this sort of inclination, but in the long run it can be quite pedantic if not boring.

    Bellgamin is right, the old AE (the XP version) was very tight, you had to disable it to install any new program; on the other hand it was really impenetrable. The new AE (Vista compatible) had a buggy start, but the last update works very well so far (I've had it for just over a day); it has been completely redesigned to share much more information with the user than its previous versions.

    Honestly, I don't need Avira and AE; Avira alone is an amazing program, and AE alone doesn't need anything as it will block any executable unless you allow it (similar to ProcessGuard, but stronger). The reason I have Avira is that I thought the new AE without its present update had problems with Vista, and I couldn't wait any longer (it took Faronics 4 months to get it right).

    I'd say that I chose AE more as a replacement to an Antivirus program than picking a particular HIPS. I also should mention again that AE has been designed to complement DeepFreeze, a well known virtualizer.
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks a lot for the detailed information. I remember AE when it first came out. I will revisit it, to see what it has to offer. Thanks again.

    Rich
     
  18. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,352
    Location:
    Milan and Seoul
    My pleasure.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    I did look at your attached screen shot. The only guidance that AE gave the user on your attachment was "This action violates the acceptable use policy." In other words, AE merely uses a pat phrase to tell the user that he has attempted to install or execute something new or modified.

    IMO -- Telling the user that using anything new is a violation of "acceptable use policy" constitutes ZERO guidance as to whether to accept or deny.

    The following is a list of several of the many guidelines that are provided by one of my favorite HIPS when it gives the user an alert pop-up. That is, when the HIPS pops up an alert, it will include at least one reason for the alert, such as those reasons listed below...
    (attached screen shot: ScrHunt04 06-Oct-08.gif)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Hypothetical example---
    Suppose that a user wants to try out "ProPad" -- an application that purports to be a powerful substitute for Windows Notepad. When installing Propad here are the alerts he receives...

    AE - "This action violates the acceptable use policy."

    HIPS - "propadsetup.exe is trying to register a debugger on the system"

    In response to AE's alert, I say to myself: "Yep, I am trying a new app."
    RESULT: I click "allow."

    In response to HIPS alert, I say to myself: "Huh! What's it doing THAT for?"
    RESULT: I hit the brakes & do some checking.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Bottom Line: AE indiscriminately alerts to anything & everything that is new or modified, BUT with zero AI & zero guidance for the user. As I have noted before, AE can be a good adjunct for use on kiosks, in libraries, classrooms, etc. But for an active user of a dynamic computer set-up, AE offers little to no help at all in identifying the nature of potential security risks.

    For meaningful security alerts, it is my opinion that HIPS have much more to offer than does AE.

    Of course, Osaban might disagree - he has a right to be wrong. :D
    (Hey, Osa -- only keeding, mon. I greatly respect your comments, and have learned a lot from them.)
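    To make the distinction drawn in posts 8 and 19 concrete, here is an added toy model (not code from AntiExecutable, Mamutu, Malware Defender or any poster) of the two protection styles side by side: an execution whitelist that can only say "new" or "modified", and a behaviour-rule monitor that names the behaviour it saw and lets you see how the alert threshold trades false positives against coverage. The process names, the rule table and its weights are constructed for illustration and correspond to no real product's rules.

```python
import hashlib


class ExecWhitelist:
    """AE-style gate (toy model): anything not on the whitelist, or changed
    since it was approved, is held for the user, and the only reason the
    user ever gets is 'new' or 'modified'."""

    def __init__(self):
        self.approved = {}  # path -> sha256 hex digest of the approved binary

    @staticmethod
    def digest(content):
        return hashlib.sha256(content).hexdigest()

    def approve(self, path, content):
        """The user's 'add to whitelist' answer."""
        self.approved[path] = self.digest(content)

    def check(self, path, content):
        """Return ('allow', reason) or ('ask', reason)."""
        if path not in self.approved:
            return "ask", f"{path} is new (not on the whitelist)"
        if self.approved[path] != self.digest(content):
            return "ask", f"{path} was modified after it was approved"
        return "allow", f"{path} matches its approved hash"


# Constructed behaviour table (hypothetical weights): action -> (weight, alert text).
RULES = {
    "register_debugger": (3, "is trying to register a debugger on the system"),
    "hook_kernel": (3, "is trying to hook the kernel"),
    "install_service": (2, "is trying to install a new service"),
    "overwrite_system_file": (2, "is trying to overwrite a system file"),
    "write_user_file": (0, "writes a file in the user's profile"),
}


def evaluate_behaviour(process, actions, alert_weight=2, combo_score=4):
    """Behaviour-rule HIPS (toy model): score each observed action and return
    (total_score, alerts). A single action alerts when its weight is at least
    alert_weight; a combination of smaller 'blips' alerts when the total
    reaches combo_score. Lowering alert_weight means more alerts, and more
    false positives on benign installers."""
    score = 0
    alerts = []
    for action in actions:
        weight, text = RULES.get(action, (1, f"performs unrecognised action {action}"))
        score += weight
        if weight >= alert_weight:
            alerts.append(f"{process} {text}")
    if score >= combo_score:
        alerts.append(f"{process} shows a combination of suspicious behaviours (score {score})")
    return score, alerts


def compare_alerts(process, actions, thresholds=(1, 2, 3)):
    """How many alerts the same behaviour produces at each alert_weight;
    this is the FP/coverage dilemma from post 8 in one dictionary."""
    return {t: len(evaluate_behaviour(process, actions, alert_weight=t)[1])
            for t in thresholds}


if __name__ == "__main__":
    wl = ExecWhitelist()
    wl.approve("notepad.exe", b"constructed notepad bytes v1")
    print(wl.check("notepad.exe", b"constructed notepad bytes v1"))      # allow
    print(wl.check("notepad.exe", b"constructed notepad bytes v2"))      # modified
    print(wl.check("propadsetup.exe", b"constructed installer bytes"))   # new
    # The hypothetical ProPad installer from post 19: the whitelist says only
    # "new"; the behaviour monitor says what it is actually doing.
    print(evaluate_behaviour("propadsetup.exe", ["write_user_file", "register_debugger"]))
    # A benign installer that registers a service: alerted or not depending on threshold.
    print(compare_alerts("benign_setup.exe", ["install_service", "write_user_file"]))
    # Two medium-weight actions that only trip the combination rule.
    print(evaluate_behaviour("dropper.exe", ["install_service", "overwrite_system_file"], alert_weight=3))
```

    The whitelist half never looks inside the binary, which is exactly why its reason string cannot be more specific than "new" or "modified"; the behaviour half knows nothing about the file's hash and so will happily re-alert on a program the user has already approved once. Running the two together, as several posters describe doing, gives the user both facts at decision time.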
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    For me, HIPS is a backup for my anti-virus. Ever since I put KAV in several years ago to replace Norton AV, nothing ever got by it, but it is always nice to have some backup security software, just in case the AV fails. Right now, since I am replacing KAV with Avira (most likely) it appears that DriveSentry may do the trick, but I will look at others that have been suggested. I may also look at the new Norton 2009 package, which apparently has some built in HIPS.

    Any other suggestions, for what I am trying to accomplish, are greatly appreciated. Thanks.

    Rich
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I used to run AntiVir with SSM. For me, the AV was a supplement to SSM, which I consider to be the core of my defenses. Eventually, I removed all AVs from my PCs. On some friends' PCs, I've installed SSM free with AntiVir. They've been using the combo for the last 2 years with only one problem. That was when AntiVir added a rootkit module to their AV. When it updated, it conflicted with SSM. Uninstalling the AntiVir rootkit module solved the problem. IMO, the rootkit module isn't necessary when a properly configured HIPS is being used. There's no way the installer for the rootkit will sneak past it.

    SSM has been around longer than most of the competing products. It's very stable. They have their own support forums. Some people complain that they don't update often enough, but SSM is a finished product with very few bugs. It's past the point of needing constant updating.

    Regarding Castle Cops, their site has been repeatedly attacked, thanks largely to PIRT. Those DDOS attacks are also responsible for much of the difficulty connecting to their site.
     