New configuration features in HIPS

Discussion in 'other anti-malware software' started by aigle, Oct 24, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    More and more HIPS are adding some unique and neat features to their configuration that used to be absent in the past. From my experience with different HIPS, I can say that for me a HIPS should have the following features (note that I am not talking of what a HIPS intercepts (hooks, drivers etc.), I am mainly talking of the configuration features of a HIPS):

    1- Ability to enable/disable global rules (present in NG and EQS).

    2- Ability to have different profiles; you can switch between the profiles on the fly via hotkeys, very useful indeed. EQS has this.

    3- Ability to mark programs trusted so they will not be monitored. NG has it.
    4- Ability to put any application in one of the user-made predefined policies (after that this application will be treated according to the rules set in this policy without any popups, or very few popups, depending upon how you set the rules for a predefined policy). It works as a sort of rule-based sandbox and is a very neat feature. NG has it, though in a basic mode, and CFP v3 has it in an advanced mode.

    5- Ability to monitor the running processes and to inform if an unknown/modified process is running in memory. SSM has this feature.

    6- Ability to lower an application's rights if it is started by an application which has inherently low rights by a predefined policy (it's part of predefined policies and is present in NG).

    7- A white list (OA, CFP v3 have it) with an option to enable/disable the white list. This feature is for novices.

    8- A short but smart black list (ThreatFire has it) with an option to enable/disable it.

    9- An option to scan a clean system and make rules automatically. PS has it and NG has it in a limited way.

    What do you guys think? Thanks
     
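The features in the list above describe how a HIPS decides what to do with a request once the interception has happened. The following is an added example, not code from this thread or from any of the products named in it: a toy rule-evaluation model in which features 1 (global rules that can be switched off), 2 (profiles), 3 (trusted applications), 4 (predefined policies) and 6 (rights lowered when the parent has low rights) are all visible in one `decide()` call. The rights ladder, the action names, the policy names and the sample paths are all assumptions made up for the illustration.

```python
"""Toy rule-evaluation model of HIPS configuration features (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Hypothetical rights ladder, lowest first. A child process never ends up
# above its parent on this ladder (feature 6 in the list above).
RIGHTS_ORDER = ("restricted", "limited", "normal", "trusted")


@dataclass(frozen=True)
class Policy:
    """A user-made predefined policy (feature 4): a rights level plus the
    actions it silently allows or denies. Anything else is decided by the
    global rules of the active profile, or prompts the user."""
    rights: str
    allow: FrozenSet[str] = frozenset()
    deny: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AppRule:
    policy: Optional[str] = None   # name of the predefined policy, if any
    trusted: bool = False          # feature 3: fully trusted, not monitored


class ToyHips:
    def __init__(self, policies, apps, profiles, profile="normal"):
        self.policies: Dict[str, Policy] = policies
        self.apps: Dict[str, AppRule] = apps
        self.profiles: Dict[str, Dict[str, str]] = profiles  # profile -> global rules
        self.profile = profile
        self.global_rules_enabled = True                      # feature 1

    def switch_profile(self, name: str) -> None:              # feature 2
        if name not in self.profiles:
            raise KeyError(f"no profile named {name!r}")
        self.profile = name

    def policy_for(self, path: str) -> str:
        app = self.apps.get(path)
        if app is None:
            return "unknown"
        if app.trusted:
            return "trusted"
        return app.policy or "unknown"

    def _rank(self, policy_name: str) -> int:
        return RIGHTS_ORDER.index(self.policies[policy_name].rights)

    def effective_policy(self, path: str, parent: Optional[str] = None) -> str:
        """Feature 6: a process launched by a lower-rights parent is treated
        under the parent's policy instead of its own."""
        own = self.policy_for(path)
        if parent is None:
            return own
        par = self.policy_for(parent)
        return own if self._rank(own) <= self._rank(par) else par

    def decide(self, path: str, action: str,
               parent: Optional[str] = None) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is one of allow, deny, ask."""
        name = self.effective_policy(path, parent)
        policy = self.policies[name]
        if policy.rights == "trusted":
            return "allow", f"{name}: not monitored"
        if action in policy.deny:
            return "deny", f"policy {name}"
        if action in policy.allow:
            return "allow", f"policy {name}"
        if self.global_rules_enabled:
            verdict = self.profiles[self.profile].get(action)
            if verdict in ("allow", "deny"):
                return verdict, f"global rule in profile {self.profile!r}"
        return "ask", "no matching rule, prompt the user"


# Constructed sample configuration; names and paths are illustrative only.
POLICIES = {
    "trusted": Policy("trusted"),
    "unknown": Policy("normal"),      # no app rule: everything falls through
    "browser": Policy("limited",
                      allow=frozenset({"net:connect", "file:write:temp"}),
                      deny=frozenset({"reg:write:run", "proc:inject", "drv:load"})),
}
APPS = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe": AppRule(policy="browser"),
    r"C:\Windows\system32\rundll32.exe": AppRule(trusted=True),
}
PROFILES = {
    "normal":  {"drv:load": "deny", "proc:inject": "deny"},
    "install": {"drv:load": "ask", "file:write:programfiles": "allow"},
}


def build_demo() -> ToyHips:
    return ToyHips(POLICIES, APPS, PROFILES)


if __name__ == "__main__":
    h = build_demo()
    ff = r"C:\Program Files\Mozilla Firefox\firefox.exe"
    rd = r"C:\Windows\system32\rundll32.exe"
    for args in [(ff, "reg:write:run"), (rd, "drv:load"), (rd, "drv:load", ff)]:
        print(args, "->", h.decide(*args))
```

The third call in the usage is the interesting one: rundll32.exe is trusted on its own, but when the browser (limited policy) launches it, the request is evaluated under the browser policy and the driver load is denied. Without that rule a trusted helper is an easy way out of the sandbox-like policy.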
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    Nice observation. What I like about OA free (besides having an extensive white and black list) is the option promised by Mike Nash ( https://www.wilderssecurity.com/showpost.php?p=1096213&postcount=184 ) that you can allow unknown programs to start (with or without notification) with limited rights.

    This feature makes OA exceptional, because it can be used in a very user-friendly manner; picture this:

    1. At install, a user needs to evaluate the unknown programs after installation of OA. This is the only user interaction required. What would be great is if a soft sandbox option were available at install for all threat gates (web browsers, e-mail, P2P, chat, etc.), so they would run in safer mode (= limited user rights).

    2. Next you can choose the novice mode; this will allow unknown programs to run in safer mode (with limited rights). A user who does not want to be warned about unknown programs (not in the white or black list) could choose this option. When an unknown program is executed, OA will send the details (when you choose the community protection program). Over time OA will include this unknown program in its white or black list and the program will be automatically classified with future updates.

    Regards Kees
     
    Last edited: Oct 25, 2007
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That's a nice feature indeed! But what when you are going to run an installer unknown to OA in this setting? It will break the installation.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    The observations you made prove that even under XP (with the admin security hole) classic anti-executable HIPS are getting more and more behaviour blocker capabilities (OA has some, NG has its filters and EQS does allow you to choose what to guard against).

    With Vista more and more software developers will make sure that their programs will run with limited rights. So I think behavior blockers will become the mainstream HIPS-like programs.

    Reason for thinking so:

    UAC is a kind of border patrol without police in a country. When you allow an elevation request (the border), the malware can do all it wants (no police), so the obvious loophole in Vista's defense is behavior blocking.

    Imagine the behavior blocker (for instance ThreatFire Pro) would be triggered after a program requested an elevation of rights. The first thing to do is to check whether it is a known malware with its antivirus; when not, the behavior monitoring kicks in. This would not only reduce the load of these programs (AV + behavior blocker) on the CPU, but also fill in the weak spot of Vista.

    The ideal behavior blocker would also have a soft sandbox-like containment to watch threat gates (like HauteSecure now does). This is just an additional security layer on top of the limited-rights user.

    PRSC was one of the first to offer a Vista 64-bit compatible version (that is why we bought it). We have it running with the HauteSecure beta. Still, PRSC could do better (I do not know how it protects) if it would go into high alert mode after an elevation request. BOClean's memory scanning was also one of the first to offer Vista 64-bit compatible protection, so I think an intelligent (short) blacklist based on snippets (smaller fingerprints) could make it easier for the behavior blocker to determine its sensitivity profile (always a problem question for behavior blockers is where to put the thin red line).

    So I think descriptor table addicts (like Easter, who is still on XP SP1) will lose their need to watch every hook in their OS kernel. What are your thoughts on this? (Others like Solcroft etc. are also invited to join this thread.)

    Regards Kees
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    EQSecure 3.41 has this.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can u tell me where? Thanks
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Click the down arrow in the prompt window where you get the menu that lets you "block and terminate process" and "remember temporarily". There's a new third option that lets you completely trust the process.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks solcroft! I have noticed it but I could not find any such option in the rules editor; maybe it will appear only after I mark some process trusted?
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, I think I found out. When you trust an application, in the Application Rules tab all rules for that application are converted to Allow. Am I correct?

    I think it would be better if they just made it easier to mark an application trusted/untrusted with a single click like SSM. Now, to mark an application trusted/untrusted in EQS is a real pain as you have to click so many options. It must be via a single click.

    Also, when you opt for an application to be trusted in the popup, the trusted rule is actually set for the parent, not the child, although the option is at the bottom with the child. It's very confusing, just like CFP v3. It would be better if they gave two options: one above with the parent (Trust the parent) and one below with the child (Trust the child).

    I am still waiting for them to add one-click enable/disable of MD5 checksums globally. :oops: It's really a big weakness and hassle.
     
    Last edited: Oct 25, 2007
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Right-o! :) I have just recently been fishing out that and some other little overlooked features. I was about to lose my mind getting it to notify on other extensions and folders whenever, for example, ANYTHING creates in the XP TEMP folders, because those are usually the first places most go straight for and I for one want to identify them, and thanks to EQ, you can! ;)

    What you want to do in those cases is set what you want most guarded in the Global Rules, or as I named them, Universal Rules :D then in the Application Rules open out the branch to select your choices and it will unveil 2 settings in the right column. When choosing Blocking Rules I go to Other Rules and checkmark Search Global Rules, since it appears to be the lead controlling rules setting that establishes a pretty tight lock on about everything.

    Very impressed I am with EQSecure; plus its GUI is a welcome change from the plain old humdrum looks of some.

    I also changed the Blacklist term to BANNED, LoL
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    1- I have never used the Blacklist in EQS. I wonder what its use is? I can easily deny/block whatever I want via other rules.

    2- In my opinion the GUI is clean and neat but it needs some colors. :D
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I agree, I would much rather they add an instant auto-start to our applications than the blacklist. Maybe over there they get whammed a lot by certain malware, so they added it for the sake of blacklisting the same repeat offenders when they drop in :D but you're right, when you BLOCK an action that sets a rule for a particular app and it stays that way, so beats me really just why they felt the urge to add it.

    In its current and pretty cool form right now, they have a self-protecting Modules auto-start, but did you see the delay? 1 minute at most :blink: During that time one could pick up all kinds of unwanted travelers, don't you think?
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sorry, I did not understand it. Can you elaborate more?
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Sure, happy to.

    Configuration >>> (bottom menu) Set Auto-Start (Restarts Protect Modules if Forced Closed). 1 minute is the bare minimum; I don't get it, do you?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, got it. I don't use the auto-start feature. Not so paranoid. My system is always clean, at least so far.

    I enable/re-enable EQS frequently and have set auto-keys for that.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Would be cool if a HIPS could scan the C:\Program Files folder so that you won't have to make all these process execution rules manually. And the ability to get a quick overview of rules is also nice; for example, it's not really that interesting to see a list of all allowed executables, but it makes more sense to list all executables with certain permissions (allowed or blocked).
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    PS scans and makes rules. NG also, to some extent. But these rules can't be advanced, just simple allow rules.
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    What's wrong with just using Learning Mode?
     
  20. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Well, learning mode takes a while to, well, do the learning...

    If you are setting it up for someone, you have to systematically run every program on the system, have the HIPS learn about it, etc.

    What Rasheed asks for is already in Online Armor (and PS, I think), except OA scans the startup menu for programs only, puts those known to be safe (whitelist) as trusted, and lists the unknown ones for you to approve.

    OA only does this in the context of trusted/not trusted though...
     
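Rasheed's request (scan the Program Files tree and generate the execution rules), aigle's reply that such generated rules are only simple allow rules, and feature 5 from the opening post (flag an unknown or modified process) fit together in one small piece of code. What follows is an added example written for this page, not code from any of the products discussed: it walks a directory once, emits an allow rule per executable pinned to its hash, then re-checks a list of "running" images against those rules. The directory layout, file contents and the `dropper.exe` path are constructed for the demo; the set of executable extensions is an assumption.

```python
"""Scan a clean tree once, emit allow rules with file hashes, then re-check
running processes against them (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Extensions treated as executable for rule generation (an assumption).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}


def file_hash(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks. SHA-256 rather than MD5: the check has to hold
    against an attacker who deliberately crafts the replacement file."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_rules(root: Path) -> Dict[str, Dict[str, str]]:
    """Feature 9: walk a (known clean) tree and emit one allow rule per
    executable, keyed by path and pinned to its hash. A scan can only produce
    plain allow rules; it cannot infer behaviour restrictions."""
    rules = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS:
            rules[str(p)] = {"action": "allow", "sha256": file_hash(p)}
    return rules


def classify(rules: Dict[str, Dict[str, str]], path: Path) -> str:
    """Feature 5: compare a process image against the rule set."""
    rule = rules.get(str(path))
    if rule is None:
        return "unknown"    # no rule at all: prompt or block
    if not path.is_file():
        return "missing"    # rule exists but the image is gone
    if file_hash(path) != rule["sha256"]:
        return "modified"   # same path, different bytes: the old allow no longer applies
    return "allowed"


def audit_processes(rules: Dict[str, Dict[str, str]],
                    running: Iterable[Path]) -> Dict[str, str]:
    return {p.name: classify(rules, p) for p in running}


def demo() -> Dict[str, object]:
    """Constructed scenario: a temp dir stands in for C:\\Program Files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Program Files"
        app = root / "App"
        app.mkdir(parents=True)
        (app / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (app / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (app / "readme.txt").write_text("not an executable")
        rules = build_rules(root)
        # After the scan: one library is replaced in place (same path, new
        # bytes) and an unrelated binary shows up outside the scanned tree.
        (app / "helper.dll").write_bytes(b"MZ" + b"\x02" * 64)
        running = [app / "app.exe", app / "helper.dll", Path(tmp) / "dropper.exe"]
        return {"rule_count": len(rules), "audit": audit_processes(rules, running)}


if __name__ == "__main__":
    print(demo())
```

The point of pinning the hash is the "modified" verdict: a rule keyed on the path alone would keep allowing helper.dll after it was overwritten, which is exactly the gap aigle's remark about a global MD5 checksum switch is about. The readme is skipped by extension, so the scan yields two rules, and the image outside the scanned tree comes back "unknown" rather than silently allowed.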