Outpost Firewall 9.3

Discussion in 'other firewalls' started by kronckew, Dec 1, 2015.

  1. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Could @itman or any other experienced users here list some more good tips like the above one that are useful in answering HIPS alerts?

    I know little about the system, so I often feel it is difficult to determine whether to allow or deny an operation when I try some HIPS software.

    Thank you very much.:)
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    To start, review existing default HIPS rules in a product like Outpost or Defense+ and make a determined effort to understand what they are doing. A broad general statement in this regard is they are protecting critical system processes, vulnerable Internet applications, and sensitive registry areas from execution and modification by malware.

    Next, understand the difference between offensive and defensive security protection.

    Behavior blocking is offensive protection. It will monitor select known and most unknown processes for known malware behavior.

    A HIPS is defensive protection. The vendor will establish rules to protect the areas noted in the first paragraph from modification or out-of-the-normal process execution. The main distinction between the two is a HIPS doesn't care about what the source process is; it will treat all source processes as potentially malicious. Therefore, many HIPS vendors have to also create rules to allow known and verified (Microsoft code signed, etc.) processes to modify or execute other processes. Finally, HIPS vendors also provide sensitivity control options such as Defense+'s "paranoid" mode or running in interactive/policy mode that tighten HIPS monitoring.

    When you run a HIPS in highly restrictive modes, you need some understanding about what Windows system processes and applications do. Unfortunately, there is no way around that. For example, svchost.exe controls the running of system services and many systems applications such as execution and modifications of those applications. Likewise, explorer.exe will control the execution of many non-system applications. As long as svchost.exe and explorer.exe are protected by the HIPS from modification and are executing from their normal system directories, it is safe to allow whatever activity they are performing. The decision making process gets a bit grayer when dealing with system processes like taskhost.exe, rundll32.exe, and the like. For example, malware might have installed something to run as a scheduled task.

    There is the issue of protecting system files, directories, and registry areas where, for example, ransomware will install malware. Here your best guide is vendors such as bleepingcomputer.com that regularly post info on which and how such areas should be protected.

    Finally, the most flexible and powerful HIPS are those installed in Endpoint products. Note that these also have the least default rules established under the assumption that the HIPS will be configured by professional IT staff to conform to corporate security requirements.

    Also note that not all retail HIPS are "created equal." Outpost and Defense+ default rules and protections are visible to the user and some can be modified. Eset's default rules are hidden, cannot be modified, and are very basic in default protection mode. Eset's retail HIPS is very similar to their Endpoint product hence the assumption it will be configured by someone with system knowledge. On the other hand, Eset's HIPS is quite powerful in its protection capability based on my testing of it.

    -Edit-

    Continuing this, there are a few broad actions that can be applied to HIPS monitoring.

    If an "unknown" process starts execution or is attempting to modify existing processes or registry areas that have default HIPS rules defined, it should be blocked and checked out. By unknown process, I mean something that was not installed by you or by some Windows change such as Win Updates. By checking out, I mean you examine the process properties:

    - Is it a signed executable and who signed it?

    - Does its name look suspicious; abcdxyz.exe or is a non-binary file with a suffix of .com, .bat, or one of the scripting suffixes?

    - Was it recently created?

    - Is it located in directories that malware is known to install stuff in; e.g. %AppData%, Windows temp, or Program Data directories etc.

    - However, malware can also install into the program or Windows directories. One practice is to create an "ask" rule for any process execution from the Program directories. That will permit you to create a "whitelist" of processes allowed to execute.
    You can check out the suspect software by using VirusTotal taking into consideration that these are signature based checks and will not detect zero day malware.

    Once I check out a process and I still feel uneasy about it, I will create a HIPS "ask" rule specifying that I receive an alert when it starts execution. That way I can monitor it using tools like Process Explorer/Hacker until I feel confident enough to fully allow its execution.

    Additionally, you also have to be vigilant when installing software downloaded from "iffy" or relatively unknown web sites. Even well known security software installs can have components that could trigger a HIPS alert. The rule of thumb here is if that software was downloaded from a "trusted" vendor web site and is security based software, it is OK to let it proceed installing. Non-security based software might have to be examined or monitored further as to why it is performing the actions that are triggering a HIPS alert. For fully trusted security software, you should create a HIPS rule to allow it to run with no restrictions to avoid constant future alerts.

    Finally, note that a HIPS monitors process and registry modification activities and will not protect you against software like PUPs and PUAs that are undesirable software but do not perform malicious system modification activity.
     
    Last edited: Dec 20, 2015
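The "check out the process" steps in the post above (signer, suspicious name or extension, creation date, location, hash for a VirusTotal lookup, and whether a system binary such as svchost.exe is running from its normal directory) can be scripted so the answers are in front of you before you answer the HIPS prompt. The following PowerShell function is an added example written for this page; it is not code from the thread, from Outpost, or from any vendor named here. It assumes a PowerShell 5.1 or later session on Windows, and the "suspect directory" list, the 7-day "recently created" window, and the random-looking-name heuristic are illustrative thresholds chosen for the example, not anything the post prescribes. It does no network lookups; it prints the SHA-256 so you can paste it into VirusTotal yourself.

```powershell
# Added example, not part of the original thread.
# Triage an executable path against the checklist from the post:
#   signer, name/extension, creation time, location, system-binary location, hash.
function Get-ExecutableTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $RecentDays = 7          # assumption: "recently created" = last 7 days
    )

    $item     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is it signed, and who signed it? Anything other than 'Valid' is a flag.
    $sig    = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status '$($sig.Status)' (signer: $signer)")
    }

    # 2. Non-.exe executable types and script hosts that a HIPS rule may not cover.
    $scriptLike = '.com', '.bat', '.cmd', '.scr', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.ps1', '.hta'
    if ($item.Extension -in $scriptLike) {
        $findings.Add("Executable type '$($item.Extension)' rather than a PE .exe")
    }
    # Crude heuristic for 'abcdxyz.exe'-style names: long with no vowels, or runs of digits.
    if ($item.BaseName -match '^[b-df-hj-np-tv-z0-9]{7,}$' -or $item.BaseName -match '\d{5,}') {
        $findings.Add("Name '$($item.Name)' looks machine-generated")
    }

    # 3. Recently created?
    if ($item.CreationTime -gt (Get-Date).AddDays(-$RecentDays)) {
        $findings.Add("Created $($item.CreationTime) (within the last $RecentDays days)")
    }

    # 4. Located where malware likes to drop files? (illustrative list)
    $suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:windir\Temp", $env:ProgramData)
    foreach ($root in $suspectRoots) {
        if ($root -and $item.FullName.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("Lives under $root")
            break
        }
    }

    # 5. Well-known system binaries must run from their normal system directories.
    $expectedDirs = @{
        'svchost.exe'  = @("$env:windir\System32", "$env:windir\SysWOW64")
        'rundll32.exe' = @("$env:windir\System32", "$env:windir\SysWOW64")
        'taskhost.exe' = @("$env:windir\System32")
        'explorer.exe' = @("$env:windir")
    }
    $name = $item.Name.ToLowerInvariant()
    if ($expectedDirs.ContainsKey($name)) {
        $ok = $expectedDirs[$name] | Where-Object { $item.DirectoryName -ieq $_ }
        if (-not $ok) { $findings.Add("$name is NOT in its normal system directory") }
    }

    # 6. Downloaded from the Internet? (Mark-of-the-Web alternate data stream)
    if (Get-Item -LiteralPath $item.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        $findings.Add('Carries a Zone.Identifier stream (downloaded from the Internet)')
    }

    # 7. Hash for a manual VirusTotal lookup (signature-based, so no verdict on zero-days).
    $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path     = $item.FullName
        Signer   = $signer
        SHA256   = $hash
        Findings = $findings.ToArray()
        Verdict  = if ($findings.Count -gt 0) { 'Investigate before allowing' } else { 'No red flags (not proof of safety)' }
    }
}

# Usage: feed it the image path shown in the HIPS alert or in Process Explorer, e.g.
#   Get-ExecutableTriage -Path (Get-Process -Id $PID).Path
#   Get-ExecutableTriage -Path 'C:\Users\Public\update.exe' -RecentDays 30   # hypothetical path
```

An empty Findings list only means none of the cheap checks fired; a validly signed binary in Program Files can still be malicious, which is why the post suggests an "ask" rule and a period of monitoring with Process Explorer or Process Hacker before fully allowing an unknown program.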
  3. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    Nice speech.


    « A HIPS is defensive protection. »

    What is proactivity in a 64-bit system?

    - a behavior blocker ( it is educated and asks few questions ).

    - heuristic ( dynamic heuristic + statistical heuristic ).


    No HIPS.

    A tool that asks a lot of questions is a dangerous tool.
     
  4. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Thank you very much for your reply @itman .:)
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I just updated my prior posting.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Only in the hands of someone who doesn't know how to use the tool.
     
  7. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141

    Yes ! so Outpost has no future.
     
  8. Zev0

    Zev0 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    17
    I've had a lifetime license of OP pro since 2001. I have heard rumors that it's almost dust. Does anyone know if there is any truth to these rumors?
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    You would think that now it's owned by Yandex, it will be more actively developed, not?
     
  10. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    OPFW pro will continue to work for a long time, it just won't auto-update presets after they stop the update server. you will need to manually tweak some rules for new software not covered by the old presets. hips will likely continue to work.

    OSS firewall component, same same. after they turn off the updates, you will need to turn off the antivirus and other anti-malware modules and add a third party antivirus/antimalware to cover the gap.

    those few with outpost a/v only will have to look elsewhere when the siggy updates stop.

    agnitum is apparently going to make an announcement with more info mid jan, existing OPFW,OSS,OPAV licence holders may get a nice surprise...what, i can't say as yet. anyhow, the transition looks like it will be gradual rather than sudden.

    yandex apparently is taking on agnitum's crew to work on their browser's built in security, not to further develop outpost, but one never knows. they're still negotiating. hopefully they will have an english browser version (and other localizations).

    ...and by the way, the support forum will continue for the foreseeable future, with the current crew continuing on till the bitter end. been fun for well over a decade, but all good things come to an end sometime.
     
    Last edited: Jan 3, 2016
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    OK, so Outpost is dead after all? That would be a shame. I never used it, but I did test it, it was one of the better firewalls with integrated HIPS.
     
  12. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    not any more dead than winxp, vista, win7. many people still using them. OP, like them, may be unsupported (mainstream) & have no future development, but is still useable and has some user support online via forums. OP will of course have limited 'extended' support until they officially pull the plug sometime in the future. plenty of other firewalls still in use that have not been updated in years.
     
  13. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    @kronckew

    When would Agnitum (Yandex) stop providing updates to Outpost? Or has it already stopped?
     
  14. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    currently still continuing the improvenet, presets, and anti malware and antivirus signature updates for the currently supported versions. doubt we'll see any product version updates tho.

    we'll know for sure mid jan when agnitum has indicated they will make an announcement. there has been some indication that currently the updates are possibly to continue for at least a year or so, but don't quote me, all still up in the air. there is apparently more reasonably good(ish) news still to come, we are not at liberty to reveal the possibilities as negotiations continue...
     
  15. jadinolf

    jadinolf Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    1,047
    Location:
    Southern California
    I have Outpost lifetime licenses for six computers.

    Not looking forward to losing them. :(
     
  16. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    419
     
  17. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    @busy
    Thanks for this.
    Wish Agnitum well for the future, Outpost served me very well in the past (1st/early versions)
    Goodbye old friend :)
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Did Kaspersky acquire Outpost? I hope Kaspersky replaces their firewall with Outpost. I tried using Kaspersky Security Suite several times, but I hate their firewall. Kaspersky by default allows almost all outbound internet requests from applications. If you change that then Kaspersky will alert you every single time an application requests outbound internet access even if you create an allow rule for the application. That forced me to either allow all outbound requests by applications (which is how Kaspersky behaves by default), or be prompted multiple times each time I tried to launch something as simple as my web browser. It would not remember rules. I have to say it's one of the least user-friendly firewalls I have ever used when not wanting to use default settings. I don't know about you guys, but I want to be the one to decide whether to allow outbound internet access for whatever may be on my machine. I don't want Kaspersky just allowing everything by default.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Hmm.. I just saw a thread here that says Yandex acquired Outpost. I wonder if Kaspersky owns part of their company. I will do some searching.
     
  20. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    NO..Agnitum reached out to KAV and did this for everyone that was in support of its product
    for so many years, new or old..it's called looking out!! Agnitum is a top solid company
     
  21. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
    Good Afternoon! What a Shame...but due to the Financial Times Worldwide...it's not surprising...especially in the Security Software World. But simply Putin...maybe Kaspersky will honour Lifetime licenses and offer us Former users Kaspersky Lifetime Coverage ...don't hold your breath ! Would be nice if Kaspersky utilized the Agnitum Firewall...again don't hold your breath. Sincerely...Securon
     
  22. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Yes, I can't complain. 15 years I've had an Outpost license, and never had any nags or troubles activating it, no matter how many times I installed or uninstalled it. The firewall will probably be good for a long time to come too, and the beauty of the suite is you don't have to install the malware module and can use it as just a firewall too.
     
  23. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    The irony...Outpost IP blocklist, in action preventing Yandex spiders infesting the Kaspersky site :)
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm getting ready to try Yandex browser. I need a backup browser for Firefox.
     
  25. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Remember its in a BETA install right now and I have it ready to load just waiting for someone to do the same :)
    here is the 'english' web site 82.2 Megabytes exe file..large
    https://browser.yandex.com/#thankyou
     