Ok, let's argue this some more.

Discussion in 'other anti-malware software' started by trjam, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft,

    We discuss a lot, but I will give you credit for this one :thumb:
     
  2. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Well consider this, what is the point of HIPS warning if you do not "recognize" the fact?

    Psychologically it feels good that you have a chance to prevent it (and I believe this is part of the reason why some of us, myself included, like HIPS), but whether it really makes a difference is contingent on whether you do actually recognize it...
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Absolutely none at all!

    To reword it to a more correct question: what is the point of using HIPS if you do not "recognize" the fact?

    You fail to recognize the problem is not the software - it's the user.
     
  4. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Er no.

    I was simply pointing out that the software giving you a chance to "recognise" malware is just part of the equation if you want to be protected.

    The idea of having a chance in principle of protecting yourself is very seductive imho to the extent that I have read many saying HIPS provide you 100% security.

    What such people actually mean is that it provides close to 100% security IF one responds correctly .... But that's a big if...

    At this point, someone like you will jump in and talk about "blame". I don't think this is about assigning whose fault it is, but the bottom line is, at the end of the day, will you get infected? If yes, it doesn't matter whose fault it is.

    That said, if I were the vendor, I would love arguments like the one you presented. It is far, far easier to have software report on a zillion things and let the user make decisions than to try to do something like what Threatfire (which you adore) is doing....
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Point well accepted, with the exception of "big if", and only by those, mostly members like us, who are ever so curiously cautious when presented with a HIPS prompt of some exotic or not so exotic filename, but also the origin path leading to the target.

    What HIPS affords users, for those who desire to better shield against & prevent unknown intrusives, is almost the same as an AV: it throws up an alert at us with (hopefully) enough details to do a quick search if in doubt at all. My personal fascination in HIPS is how it makes full use of immediately SUSPENDING AT-ONCE any file before its code/signal can be released to the system and make for disruptions, if that's its intent.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    In comparison with AVs, even the best, and I mean to take nothing away at all from their usefulness, so you'll never get an argument out of me that they are totally useless (although I quit running them) + (On-Demand Only For Research/Unpacking/Identity), AVs have a proven record of being bypassed, and that's not always their fault, but still they can be and are evaded occasionally. A HIPS on the other hand can complement an AV and capture an incoming new bad, suspending it long enough for the user to conduct an internet search, whereas with an AV alone, if evaded, the package is distributing its payload untouched until complete. That's why it looks like even AVs are implementing HIPS-like features in some of them, because that's a wide-open limitation for them.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    On the other hand, I do. It helps the user in distinguishing where the weak point in his setup is - his software, or himself - and what needs to be changed from that point onwards. Being fatalistic and resigning oneself to saying "if it happened, then it happened" is rather pointless IMO, and doesn't make for anything to discuss constructively at all.

    I don't quite agree either. An argument can be correct and yet entirely irrelevant at the same time. A software can provide 100% security and yet be useless in unskilled hands, and if 85% of the online population has no idea how to use your product, then whatever snazzy arguments you have in favor of your product are entirely moot.

    Personally, I find a classical HIPS quite pointless, but I will wholeheartedly argue that they're extremely powerful when used by someone who knows what he's doing.
     
  8. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Hardly. It's not so much being fatalistic, as in being realistic.

    It is hardly a comfort to say that I am 100% secure (a statement you foolishly made and now are forced to defend by harping on the difference), and still get infected every day...
    :D


    As usual, the bottom line is we don't really disagree (I suspect half of the arguments you have with other people are the same). I see you have made a statement that HIPS are 100% secure earlier and have been forced to defend that statement.....


    If there is any difference between us, the problem lies with the phrase "someone who knows what he is doing". While it is trivial to say that one shouldn't use HIPS if one isn't capable of using it (something you have insisted on asserting a dozen times), what isn't trivial is determining whether one fits into this class (and there are several degrees of being knowledgeable)! You seem to gloss over this...

    Exactly. But people fall for snazzy arguments...

    For example the whole HIPS provide 100% security argument.....(without taking into account the high possibility of user error).... :D
     
  9. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    You discuss a lot? Or do you mean argue? :D
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Would you care to explain why that statement is foolish, rather than simply saying so?

    There is no difference; rather, it's you who's trying to undermine the software by saying it isn't effective because the user ignores its prompts, which is a completely ridiculous argument. Following your logic, I can state that every security software on the planet provides 0% protection - because the user ignores their warnings and/or turns them off. Antivirus software is useless because users disable it. Sandboxes are useless because users don't run programs isolated. Limited User Account is useless because users elevate their privileges for every program. I hope I don't have to explain why this is a completely absurd statement.

    Let's be honest: it's you who's introducing an illogical element to the discussion just for the sake of proving me wrong, because you cannot debunk the fact that HIPS do provide 100% protection otherwise.
     
    Last edited: Jan 20, 2008
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ahh, Lusher giving you credits as well ;)
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Let's keep on topic and discuss that and not discuss the posters.

    Pete
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry Pete,

    Thought it was quite a smart remark of Lusher, which applied both to the thread's topic and to the Solcroft - Kees arguments.
     
  14. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Notice I did not say that HIPS provide 0% protection either. That should be enough for you to realise what the problem with your argument is. I define how secure as how likely you are to get infected at the end of the day, taking into account all factors. And among these factors is the not insignificant factor of user error...

    Your argument assumes an all-or-nothing: that a user either is totally stupid and will ignore everything, or is one that reacts correctly all the time....... In reality, the demands on users who use AVs (for example) are less than the demands on users who run dumb HIPS....

    Sigh, this thread is aptly named indeed. This has the hallmarks of a classic Kees-Solcroft argument over essentially nothing, so excuse me if I don't play.

    Kind of like an argument over which interpretation of the Necker cube is correct... Seen in one way, using one definition, x is true... in another y is true.

    If you want to define being 100% secure even if this actually means you end up with a 50% chance of getting infected... then fine.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    And the problem with such a definition is that you can simply come up with any arbitrary value as you please for the factor of user error, and use that to make just about all sorts of claims according to your own fancy.

    If that's really what you want to do, then I will have to agree with you that this whole thread is an exercise in futility.
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Lusher:
    Imagine a perfect computer, with a perfect OS, flawless, ultra secure. No bugs, no vulnerabilities.
    This OS will not prevent you from installing what you want, since it is your computer, to be used by you as you please, right?
    What is security in this context? What your arguments translate here is that security is 0% since the user will install malware. What's the point.

    Back to reality.
    Most of today's malware/all malware starts by execution.
    You're visiting a website/ reading a document/ reading mail - execution prompt - yes or no? (or no prompt at all..)

    What remains are those vectors Ilya mentions. But, they are not out there, or we haven't seen them for a long time. They can and should appear sometime in the future, but today is today.

    Headache, brain crashed just now. What did i forget? :p
     
  17. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Is it really arbitrary to believe that use of HIPS leads to a higher possibility of error compared to AV? Or that User A is inherently more knowledgeable than B and hence can operate HIPS with lower error rates and hence is less likely to be infected (or more secure)...

    Of course if you want to say something like "A is 84.56788% secure in conditions X,y,z", that's obviously not very practical .... But so what? Are we really talking about those levels of accuracy? Besides, that's an epistemological issue anyway....

    Or as I said do we prefer users to say as you do that this HIPS is 100% secure, but they can get infected with a 50% probability? :D
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Not exactly, but it's completely pointless and irrelevant for reasons already mentioned.

    You seem extraordinarily determined to continue dragging the discussion onto the users instead of the software. I don't know, perhaps some people really are interested in discussions where they can simply claim anything according to their fancy.

    Absolutely, yes. It's more likely to produce useful results than what you'd rather talk about.
     
  19. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    All automated products fail and all HIPS fail...

    I think the issue is more about the AI lacking appropriate variables to feed from when making decisions pertaining to processes. Too many unknown processes and too many changes to known ones on too short intervals to be able to adapt quickly. This leads to the algorithm encountering unknown conditions it can't resolve, with the only logical conclusion being to submit a request to the user as an alternative strategy... Makes complete sense to me. (Behavior based algorithms discussion not included here).

    This state of affairs, by the way, is the weakness that renders HIPS so powerful when compared to fully automated software, i.e. AVs... as well as kills HIPS effectiveness when users fail to answer appropriately, which is bound to occur due to user ignorance.

    However, what we need is more cooperation from the developers with the creation of a global registrar and process database, where anyone producing something for public release would be required to submit and certify every single file or be blocked outright by all security products. End of the story! The rest would be handled by behavior blockers in case of programming errors and the odd slip-through that bypasses filters...

    Also, the current system of application signatures has obviously failed to ensure safety. Perhaps due to poor management.

    Forcing registration and certifications would cause all kinds of issues, but perhaps this is ultimately the only viable long term solution if we are ever able to achieve 100% effective and automated security.

    Without this, too many products generate too many variables that remain unanswerable and thus create an impossible condition for any software to resolve effectively with 100% accuracy, and as such the only viable solution will always be to have users fully interactive with the process instead of a fully automated system...

    My predictions: Users will complain and bitch about having to make decisions with security tools for a long, long time to come, as cooperation such as mentioned above is "highly" unlikely as it requires countries, politicians, lawmakers and developers to agree to cooperate and standardize processes/executables and so on based on registration and certifications, as well as to provide enforcement....
     
    Last edited: Jan 23, 2008