Ok, lets argue this some more.

Discussion in 'other anti-malware software' started by trjam, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Ok, people posted why they would choose either an AV or a HIPS over the other. But both will not protect you completely. Both will miss some types of malware. Both basically end up doing the same thing just in a different roundabout way. I mean, for argument's sake, I could go with Eset or Avira on the AV side and do just as well as if I went with Prevx or Threatfire. Or the other way.

    It just seems there isn't a distinguishing factor that makes one preferable over the other. And don't give me that scan crap, because the reality is after you scan with an AV one time and all is clean, if you don't do a scheduled scan anymore, it really is then a HIPS. Again, the malware has to act, then is caught by either solution.

    I know I am missing something here so please, help this dumb ass out. Because to me, if I have an AV that detects over 95 percent, that is just as good as a HIPS that catches 4 out of 5.
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Wrong.

    That's where your whole argument, that they're both equal, falls apart.
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    trjam, if they are all executable, HIPS catches 100%.
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Well, not really 100%, but in earnest about 90-95% of them.
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ah, then those are not executables. Are you referring to exploits, scripts, buffer overflows?
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Is that DefenseWall's success rate?

    Because a well-enforced default-deny policy using a classical HIPS like SSM has a 100% success rate against executable malware. Period.
     
  7. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Ok

    As I see it, folks were asked, if they could have ONLY one choice, whether it would be AV or HIPS.

    We all should know that one of the mantras repeated often here is the need for layered security. That isn't an option if you can choose ONLY AV or HIPS.

    Both are always playing catch-up in some form or other, so neither on their own is sufficient IMHO (by the way, 4 out of 5 adds up to 80% protection, but we know that that doesn't equate as a direct comparison to, say, an AV's 95% protection - they are different).

    @trjam

    The distinguishing factor is that for the most part, the user must know what the HIPS is telling him/her.

    However, again just my opinion, if a user becomes an expert in say SSM, the amount of layering is reduced compared to a user who relies on their AV to bail them out.

    For me now, it is HIPS over AV but I want the added protection of sandbox/virtualization.

    Main reason being I don't have to rely so much on others to play catch-up and I don't have to update daily or run what can be a resource and time-hungry scan.

    But I do have to trust my own actions and pay the penalty if my actions are wrong.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    solcroft, in my reading of reviews about Prevx, TF, Norton Antibot and others, the reviews say they caught all of something and only X of Y. I am just saying that for either choice they both are not foolproof. Now I can't argue about SSM because I don't know a lot about it, nor do I have the ability to set one up like you. But for the average user, the out-of-the-box solution reaps about the same reward.

    And both basically wait for something to happen then act. Like I said, if you take the weekly scanning of an AV out of the equation, then to me you have similar apps basically doing the same thing with close results.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Not really, since HIPS can prevent a process from starting, and that includes malware. Prevx, note, can block execution.
    The problem here is the user, and his source for programs.

    BTW, I wonder why DW can't have that too, off by default perhaps, but an option. *whistles*
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Those programs are not HIPS. They're more like antivirus software - identify the bad, and block it. And like every automated computer algorithm that tries to identify and sort objects, they can be fooled.

    A HIPS is entirely different. Nothing unauthorized is going to run without your express permission. That's it, full stop.

    Wrong again. They may trigger at the same time, but they use completely different methods to react to different programs. An antivirus has the advantage of making the decision for you. On the other hand, you're guaranteed to have the opportunity to protect yourself with HIPS, something an antivirus can never offer you.

    Look at it this way. Fooling antivirus software is so easy, it's more frightening than amusing. Static heuristics? Garbage code, code obfuscation, packers. Dynamic emulation heuristics? Make the file unemulatable, i.e. include code that the emulator cannot process, modify the file header, runtime-pack the file, etc, and the heuristics emulator becomes a piece of useless crap. Packer detection? No go, creating custom packers is trivial nowadays. Tricks like server-side polymorphism only compound the problem. All the major malware that make the headlines (Storm, Zhelatin etc) are not detected by ANY antivirus when they're released, because their makers have specifically tweaked their code again and again until it bypasses all scanners before they release it. That's a zero percent detection rate for you, until the vendors get hold of the sample and play catch-up.

    Pick one from HIPS or AV. Man, what's so hard about it?
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Ok, then for argument's sake, HIPS can prevent a process from starting where, let's say, the Guard for Avira will detect it on activation. Is one really better than the other?
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    It's not that it is hard, I am trying to show to those like me the common or simple way of explaining the differences. By doing it this way it allows us common folks the ability to understand the role of each in a way that we can understand. And TF and others were specifically mentioned as HIPS in my other thread, so that is why I referenced them here.
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Yes.

    Avira will miss - ProcessGuard won't.
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ok, to make it simple:

    -if the AV has a signature for it, it will block, quarantine and delete; if it doesn't, infection occurs;

    -SSM/PG/PS rely on the OS mechanism to fire up a process, any process - this makes sure you run only what you want, what you say so.
    This leaves you the responsibility (which you had anyway) to carefully select your programs (safe programs), and don't install screensavers like nudegirlz.exe. If you do, get another computer just to fool around with that (imo).
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I still ain't buying all of this. AVs use heuristics to assist with malware that isn't detected by signature. The plus side is the AV makes the call for you, but hopefully the right call.

    HIPS act on behavior and/or execution, and some make the choice for you and some point it out to you and allow you to. Hope you are real educated when it comes to choosing.

    In closing, a false positive or missed detection is equal to a poor choice or decision with a HIPS.

    Sounds like a toss-up to me. I still say there isn't anything that makes one better than the other when it comes to picking only one.
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    You asked for the discussion, and the facts are here for you. If you choose to close your eyes, though, that's none of anyone else's concern anymore - do as you wish.

    Why blame the user's own deficiencies on the software? If they're not knowledgeable enough to settle for the absolute protection of a HIPS, then they'll have to make do with antivirus software. Trying to insinuate that HIPS is only just as good as an antivirus just because the user lacks the technical know-how to use it, is just the sour grapes mentality.
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I am not closing my eyes or being rude. I appreciate all of this. I am, yes, making my own choice, but that doesn't mean others will make the same from reading this. It doesn't hurt to discuss issues like this; it does help to educate those of us who are not as fortunate to have the background of knowledge in this field like you and others do. We only get better at understanding by listening to folks like you. The hard part sometimes is deciphering your logic. ;)
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I understand your opinion. This is best in a more stable/static machine, where you install only known good safe programs and nothing else.

    There is the other problem, but not so relevant since it seems almost all malware is an executable.
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    trjam,

    SSM offers a free version of its software. Try it for a day or two, on default rules (don't modify anything), and you'll see what I mean.
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I will do that. I think I did once and had some issues on install but will try again.
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    To stop the confusion, first we need to define HIPS. For some (me included) HIPS includes all security software which isn't signature-based. For others (solcroft), HIPS are what I define as classical HIPS. So, we have:
    - Classical HIPS: They prompt you about everything. You're in charge of your own security. SSM, EQSecure, Process Guard, PS are examples of classical HIPS.
    - Behaviour-based HIPS (or blacklist HIPS): They operate in a similar way to AVs but with higher success. Why? Because they watch the actions of software in real time and they aren't fooled by packers, code obfuscation, anti-emulation tricks and such. A process sending zillions of mails is a mass-mailing worm, no matter what code it has (i.e. which tricks are used to bypass file scanning). Prevx, Threatfire (both also use whitelists, blacklists and a community database), Norton Antibot/PRSC, KAV's PDM, F-Secure Deepguard are examples of behav. analyzers.
    - Whitelist HIPS: They build a database of all executables on your disk and deny any new executable. Anti Executable is an example of a whitelist HIPS.
    - Sandbox HIPS: They basically restrict what a given software can and can't do. Usually they deny access to the kernel, rights to install drivers/services, access to keylogging APIs/functions, injection of code into trusted processes, etc. Some (Sandboxie for example) also redirect read/write operations to a container which can be deleted at a later time. Examples of sandboxes are Sandboxie, GeSWall, Defensewall, Bufferzone, SafeSpace.

    A classic AV only controls/hooks the filesystem (read/write operations) and that's enough for file scanning. But malware writers have many tricks to bypass file scanning, so the odds of an AV detecting new malware on a given file are low. OTOH, a HIPS (especially a classic HIPS) hooks many operations (execution, code injection, registry access, physical memory access, etc.), so when a file executes it will be caught by a whitelist HIPS or classical HIPS, or when it tries to do malicious actions it will be caught by a behav. blocker, or if it's executed inside a sandbox it can do very few things and its malicious payload will be rendered useless.
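    To make lucas1985's taxonomy concrete, here is an added Python simulation (not code from this thread or from any product named in it) of three decision models run over constructed samples: a signature lookup, a default-deny execution whitelist, and a behaviour threshold. The sample bytes, hash sets and mail threshold are all constructed for illustration; the last sample, a script run by an already-whitelisted browser, shows the gap Ilya Rabinovich raises in the post that follows.

```python
import hashlib
from dataclasses import dataclass

# Constructed samples: `body` is what a file scanner sees, `actions` is what a
# behaviour blocker or sandbox sees once the sample is running.
@dataclass(frozen=True)
class Sample:
    name: str
    body: bytes
    actions: dict  # action name -> count observed at runtime

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature database (constructed): the vendor has the original worm, not the repack.
SIGNATURES = {sha256(b"mass-mailer v1 <constructed>")}
# Whitelist snapshot of the machine's known-good executables (constructed).
WHITELIST = {sha256(b"notepad.exe <constructed>"), sha256(b"browser.exe <constructed>")}

SAMPLES = [
    Sample("notepad", b"notepad.exe <constructed>", {"write_file": 3}),
    Sample("worm_original", b"mass-mailer v1 <constructed>", {"send_mail": 5000}),
    # Same behaviour, different bytes: a custom packer defeats the hash lookup.
    Sample("worm_repacked", b"mass-mailer v1 <constructed> [packed]", {"send_mail": 5000}),
    # Script run by the (whitelisted) browser: no new executable ever starts.
    Sample("script_in_browser", b"browser.exe <constructed>", {"send_mail": 5000}),
]

def av_verdict(s: Sample) -> str:
    """Signature AV as the thread describes it: known hash -> block, else it runs."""
    return "block" if sha256(s.body) in SIGNATURES else "allow"

def whitelist_hips_verdict(s: Sample) -> str:
    """Classical/whitelist HIPS: default-deny anything not already approved."""
    return "allow" if sha256(s.body) in WHITELIST else "deny"

def behaviour_blocker_verdict(s: Sample, mail_limit: int = 100) -> str:
    """Behaviour-based HIPS: judges actions, not bytes, so packing is irrelevant."""
    return "block" if s.actions.get("send_mail", 0) > mail_limit else "allow"

def compare(samples=SAMPLES) -> dict:
    """Map each sample name to its (AV, whitelist HIPS, behaviour blocker) verdicts."""
    return {s.name: (av_verdict(s), whitelist_hips_verdict(s),
                     behaviour_blocker_verdict(s)) for s in samples}

if __name__ == "__main__":
    for name, (av, wl, bb) in compare().items():
        print(f"{name:18} AV={av:5} whitelist={wl:5} behaviour={bb}")
```

    Only the behaviour model stops the repacked worm and the in-browser script, and only the whitelist model stops the repacked worm without needing to see it act first; neither the hash lookup nor the whitelist sees anything wrong with a trusted process misbehaving.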
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Social engineering, unknown driver-level vulnerabilities plus browser-executed scripts. Those are the threats HIPS can't protect against.
     