Ok, lets argue this some more.

Ok, people posted why they would choose either a AV or a Hips over the other. But both will not protect you completly. Both will miss some types of malware. Both basically end up doing the same thing just in a different round about way. I mean for argument sake, I could go with Eset or Avira on the AV side and do just as well if I went with Prevx or Threatfire. Or the other way.

It justs seems there isnt a distinquishing factor that makes one preferable over the other. And dont give me that scan crap because the reality is after you scan with a AV one time and all is clean, if you dont do a scheduled scan anymore, it really is then a Hips. Again, the malware has to act, then is caught by either solution.

I know I am missing something here so please, help this dumb ass out. Because to me, if I have a AV that detects over 95 percent, that is just as good as a Hips that catches 4 out of 5.

 

Wrong.

That's where your whole argument, that they're both equal, falls apart.

 

trjam, if they are all executable, HIPS catches 100%.

 

Well, not really 100%, but about earnest 90-95% of them.

 

Ah, then those are not executables. Are you referring to exploits, scripts, buffer overflows?

 

Is that DefenseWall's success rate?

Because a well-enforced default-deny policy using a classical HIPS like SSM has a 100% success rate against executable malware. Period.

 

Ok

As I see it, folks were asked to if they could have ONLY one choice, would it be AV or HIPS.

We all should know that one of the mantras repeted often here is the need for layered security. That isn't an option if you can choose ONLY AV or HIPS.

Both are always playing catch-up in some form or other so neither on their own are sufficient IMHO ( by the way, 4 out of 5 adds up to 80% protection but we know that that doesn't equate as a direct comparison to say an AV's 95% protection - they are different.

@trjam

The distinguishing factor is that for the most part, the user must know what the HIPS is telling him/her.

However, again just my opinion, if a user becomes an expert in say SSM, the amount of layering is reduced compared to a user who relies on their AV to bale them out.

For me now, it is HIPS over AV but I want the added protection of sandbox/virtualization.

Main reason being I don't have to rely so much on others to play catch-up and I don't have to update daily or run what can be a resource and time-hungry scan.

But I do have to trust my own actions and pay the penalty if my actions are wrong.

 

solcroft, in my reading reviews about Prevx, TF, Norton Antibot and others, the reviews say they caught all of something and only X of Y. I am just saying that for any of either choices they both are not fool proof. Now I cant argue about SSM because I dont know a lot about it, nor do I have the ability to set one up like you. But for the average user, the out of the box solution reaps about the same reward.

And both basically wait for something to happen then act. Like I said, if you take the weekly scanning of a AV out of the equation, then to me you have similiar apps basically doing the same thing with close results.

 

Not really, since HIPS can prevent a process from starting, and that includes malware. Prevx note, can block execution.
The problem here is the user, and his source for programs.

BTW, i wonder why DW can't have that too, off by default perhaps, but an option. *whistles*

 

Those programs are not HIPS. They're more like antivirus software - identify the bad, and block it. And like every automated computer algorithm that tries to identify and sort objects, they can be fooled.

A HIPS is entirely different. Nothing unauthorized is going to run without your express permission. That's it, full stop.

Wrong again. They may trigger at the same time, but they use completely different methods to react to different programs. An antivirus has the advantage of making the decision for you. On the other hand, you're guaranteed to have the opportunity to protect yourself with HIPS, something an antivirus can never offer you.

Look at it this way. Fooling antivirus software is so easy, it's more frightening than amusing. Static heuristics? Garbage code, code obfuscation, packers. Dynamic emulation heuristics? Make the file unemulatable, i.e. include code that the emulator cannot process, modify the file header, runtime-pack the file, etc, and the heuristics emulator becomes a piece of useless crap. Packer detection? No go, creating custom packers is trivial nowadays. Tricks like server-side polymorphism only compound the problem. All the major malware that make the headlines (Storm, Zhelatin etc) are not detected by ANY antivirus when they're released, because their makers have specifically tweaked their code again and again until it bypasses all scanners before they release it. That's a zero percent detection rate for you, until the vendors get hold of the sample and play catch-up.

Pick one from HIPS or AV. Man, what's so hard about it?

 

Ok, then for argument sake, HIPS can prevent a process from starting where lets say the Guard for Avira will detect it on activation. Is one really better then the other.

 

Its not that it is hard, I am trying to show to those like me, the common or simple way of explaining the differences. By doing it this way it allows us common folks the ability to understand the role of each in a way that we can understand. And TF and others were specifically mentioned as Hips in my other thread so that is why I referenced them here.

 

Yes.

Avira will miss - ProcessGuard won't.

 

Not always.

http://www.techsupportalert.com/Security Tests/HIPS/Security Tests - Process Guard 3.15.htm

 

Ok, to make it simple:

-if the AV has a signature for it, it will block, quarantine and delete; if it doesn't, infection occurs;

-SSM/PG/PS rely on the OS mechanism to fire up a process, any process - this makes sure you run only what you want, what you say so.
This leaves you the responsibility (which you had anyway) to carefully select your programs (safe programs), and don't install screensavers like nudegirlz.exe . If you do, get another computer just to fool around with that (imo).

 

Note that tests like that one refer to detection and blocking of malicious behavior after execution (ie, you have to click allow in PG to run the tests/trojans).

 

I still aint buying all of this. AVs use hueristics to to assist with malware that isnt detected by signature. The plus side is the AV makes the call for you but hopefully the right call.

Hips acts on behavior and/or execution , and some make the choice for you and some point it out to you and allow you to. Hope you are real educated when it comes to choosing.

In closing, a false positive or missed detection is equal to a poor choice or decision with a Hips.

Sounds like a toss up to me. I still say there isnt anything that makes one better then the other when it comes to picking only one.

 

Unfortunately, if the malware can't execute, it can't do any of those either.

 

You asked for the discussion, and the facts are here for you. If you choose to close your eyes, though, that's none of anyone else's concern anymore - do as you wish.

Why blame the user's own deficiencies on the software? If they're not knowledgeable enough to settle for the absolute protection of a HIPS, then they'll have to make do with antivirus software. Trying to insinuate that HIPS is only just as good as an antivirus just because the user lacks the technical know-how to use it, is just the sour grapes mentality.

 

I am not closing my eyes or being rude. I appreciate all of this. I am yes, making my own choice, but that doesnt mean others will make the same from reading this. It doesnt hurt to discuss issues like this, it does help to educate those of us who are not as fortunate to have the background of knowledge in this field like you and others do. We only get better at understanding by listening to folks like you. The hard part sometimes is deciphering your logic.

 

I understand your opinion. This is best in a more stable/static machine, where you install only known good safe programs and nothing else.

There is the other problem, but not so relevant since it seems almost all malware is an executable.

 

trjam,

SSM offers a free version of its software. Try it for a day or two, on default rules (don't modify anything), and you'll see what I mean.

 

I will do that. I think I did once and had some issues on install but will try again.

 

To stop the confusion, first we need to define HIPS. For some (me included) HIPS includes all security software which isn't signature-based. For others (solcroft), HIPS are what I define as classical HIPS. So, we have:
- Classical HIPS: They prompt you about everything. You're in charge of your own security. SSM, EQSecure, Process Guard, PS are examples of classical HIPS.
- Behaviour-based HIPS (or blacklist HIPS): They operate in a similar way to AVs but with higher success. Why? Because they watch the actions of software in real-time and they aren't fooled by packers, code obfuscation, anti-emulation tricks and the such. A process sending zillons of mails is a mass-mailing worm, no matter what code it has (i.e. which tricks are used to bypass file scanning). Prevx, Threatfire (both also use whitelists, blacklists and a community database), Norton Antibot/PRSC, KAV's PDM, F-Secure Deepguard are examples of behav. analyzers.
- Whitelist HIPS: They build a database of all executable on your disk and deny any new executable. Anti Executable is a example of a whitelist HIPS.
- Sandbox HIPS: They basically restricts what a given software can and can't do. Usually they deny acces to kernel, rights to install drivers/services, access to keylogging APIs/functions, injection of code in trusted processes, etc. Some (Sandboxie for example) also redirect read/write operations to a container which can be deleted at a later time. Examples of sandboxe are Sandboxie, GeSWall, Defensewall, Bufferzone, SafeSpace.

A classic AV only controls/hooks the filesystem (read/write operations) and that's enough for file scanning. But malware writers have many tricks to bypass file scanning, so the odds of an AV detecting new malware on a given file are low. OTOH, a HIPS (specially a classic HIPS) hooks many operations (execution, code injection, registry access, physical memory access, etc) so when a file executes it will be caught by whitelist HIPS or classical HIPS or when it tries to do malicious actions it will be caught by a behav. blocker or if it's executed inside a sandbox it can do very few things and its malicious payload will be rendered useless.

 

Social engineering, unknown driver-level vulnerabilities plus browser-executed scripts. That are the threats HIPS can't protect.