Personal HIPS Tests

Discussion in 'other anti-malware software' started by kareldjag, Jul 26, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Stevio,

    Your approach has merit. It may be that a vendor undertakes such a venture.

    One thing that is constantly in the back of my mind, is that ventures (especially substantial ones) are unlikely to attract large sums of investment capital, unless it can be shown that there is a large future recurring revenue stream. The problem then, from financing ventures that indeed provide a great amount of long-term security (sort of like a bolt-lock on a door) is that such a venture cannot show such a stream. The security implementation is, in fact, too good. Just an interesting manifestation of the capital marketplace.

    By the same token, there are tons of vendors who are making extraordinary amounts of money, by taking advantage of security and privacy holes. I am talking about companies who collect information about people and then use or sell this information in order to "sell through" products. (This includes the very largest vendors such as MS). They have absolutely no interest in closing the "doors" into a user's systems, because they utilize these doors to collect the information that they need (e.g. scripts, cookies, etc). These same "doors" are the vehicle for "bad guys" to do their nasties. Thus, there is a conflict because the fox is guarding the hen house.

    Regards,
    Rich
     
  2. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    In relation to comparison of HIPS and AV's. I think they'll eventually merge (which to me would only make sense).
     
  3. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    I kind of hope not. I prefer that products specialize in the task at hand.

    I'm sure everyone's familiar with the old saying "Jack of all trades, master of none"?

    Besides, it more or less seems to take the whole "choice" factor out of the equation, and to me, that is simply unacceptable...
     
    Last edited: Jul 29, 2005
  4. ---

    --- Guest

    I'm afraid that as long as you are dealing with an anonymous individual, even one with a web site, you are taking a risk.

    Downloading from a reputable site usually means that the site has virus scanned it, but that alone is not sufficient or even effective, since I assume you virus scan it yourself.

    Of course, even in such cases, the risk can be reduced by only using well known freeware.

    As for your experience about never getting infected, all I can say is, you could just be lucky. Or you don't really trial that many. The point is, using software from individuals that cannot be held responsible always entails a pretty high level of risk.
     
  5. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi JR, yup I know what you mean, and in many ways I agree with you.

    However, the major reason I think this will happen is economic/business reasons.

    AV's have always been aimed at 'mums and dads', as Mike Nash likes to say about Online Armor (a HIPS of sorts). Their main aim has been to remove malware without user interaction...which is what the vast majority (likely read 'billions') of people are used to. It's proven that people like this method. However...HIPS are making a gradual, but increasing impact (just see how many new ones are coming out).

    Still, the new HIPS programs are unlikely to eat into AV's share of the security market - seeing as they are positioning themselves as a second line of defence....but someday (probably in the next 2-3 years, I would guess)....some big AV company will decide to add a HIPS to their AV as a 'marketing tool' to gain greater market share.

    It's already happening in AntiSpyware circles...for example Giant (now MS) Antispyware - they are already including a form of HIPS in their software...finding it to be more effective than scanning alone. A much more thorough HIPS would increase this.

    AV companies are snapping up spyware companies.

    Actually AV companies seem to snap up anything that increases security and is complementary to their AV. And HIPS are definitely complementary.

    That said, I don't think standalone HIPS will ever die, so people will still get a choice of how they want to secure their systems.
     
  6. ---

    --- Guest

    Hmm Rmus, I don't find your examples surprising at all. Heck I myself don't always run with all the big guns.

    I stated that the ZA pro crowd are people who try to be serious about security. This means they are usually more willing to put up with little intrusions for the sake of security.

    This does not mean they are definitely safer!!

    This does not conflict with the fact that some people who use Norton are not serious about security.

    Like you, I believe that if you are experienced and careful you can make do with almost anything.

    My main point of referring to Norton users is the VAST majority of them do not care about security and are using it because it is there.

    I do not imply in any way that Norton is an inferior product.
     
  7. ---

    --- Guest

    Can you describe the intrusions? Did the process actually run? Were they fully patched? What were the browser configurations?

    Richrf, to be honest, you are the only one I have ever come across in security forums that seems extremely hostile to the idea that it is possible to tighten the security of your computer so as to reduce reliance on external software.

    You have attempted several times in the past to ask people to "Enumerate" steps that one can take to tighten security, increase user awareness, common sense etc.

    But there is almost always no answer because I think the question has been done to death on several 'how to do' sites, and many including myself have taken your questions to be rhetorical, but if they are not, please say so.

    All it tells you is "people who are willing to spend money and time to install and use Zone alarm, are willing to use HIPS". Period.


    Or merely to keep up with a known software. Whether HIPS is a decision driver is irrelevant in any case, we still get a group of above normal users.


    It's a logical extension, not simple (in terms of programming).
    Deciding whether a process should be allowed to connect outwards is pretty much similar to deciding if it should start. I grant you that HIPS is the next step up in complexity.

    But at least we know we have users who are used to regular prompts coming from security software.

    Of course, everyone's trade off rate between money and time is different so it's hard to say if learning basic security tips is more expensive.

    Still, it seems to me that the better strategy is to avoid placing yourself in a situation where you have to rely on security software to save you. Hence user awareness is in the long run far superior.


    But as you state, among your friends (including yourself??), you don't really do common sense or if you like user awareness.

    So maybe that's the problem?
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Is this based on your own experience?

    I have not found this to be true. A similar statement was made in another thread some time ago, so I conducted a survey of friends, neighbors, and found seven people who use Norton products. On questioning them I found that they do care about security; they didn't follow all of the ins and outs that people here at Wilders do, but they were fairly knowledgeable about being careful about emails, downloading from sites, etc. And they know how to keep up to date.

    All but one used Norton on recommendation from others; one saw it advertised at CompUSA.

    I understand that. Right now, NAV is leading the AV poll over at DSL:

    http://www.dslreports.com/forum/remark,13857322~viewpoll=1



    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  9. ---

    --- Guest

    The interesting thing to note about .reg files is that by itself Windows does give you a second opportunity to bail out, as it prompts a "do you want to merge this into the registry" window after you run the reg file.

    Adding Scriptdefender and its ilk merely adds yet another Yes prompt you have to click; I'm not certain if this is really useful.

    That said, some like wormguard actually try to analyse the script and tell you what its actions are going to be, so there is some value there. Too bad that does work for others.

    The sad thing is, Windows doesn't do that for other equally dangerous actions; many of these actions are merely a click away. Click once on your browser by mistake, and it installs ActiveX, runs a Java applet etc that could be deadly.

    It would be nice if the operating system gave you some option such that certain actions needed to be confirmed twice. This would prevent misclicks from dooming you.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Isn't that the truth!!

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  11. ---

    --- Guest

    Rmus,

    Do you really disagree that by proportion, users of Norton who are security hobbyists are likely to be fewer than, say, users of a lesser known brand?

    Or are you trying to defend the use of Norton, or perhaps you want to make the point that there are super guru users of Norton?

    If so, I agree. But I contend that it's obvious that due to the size of its user base, on average the vast majority of Norton users are going to be less skilled than users of a lesser brand of AV.

    And also due to its market size, Norton users are likely to be much closer to the average user.

    Yes. Some times they ask me what antivirus to use after their Norton trial runs out. I often give them a list of names, they typically recognise Norton (obviously) and Trend (it's popular in work places) and surprisingly Panda.

    Also some simple deduction.

    Unless you are interested (and by interested I mean obsessed like the people here), you only hear about a few mainstream antiviruses or they are already installed.

    It doesn't take a big leap to figure out the vast majority of Norton users are not going to be security hobbyists or experts by proportion, since they can't use what they haven't heard of.

    There's also the snob factor at work, people learn a bit about security, and they think Norton can't be good because Average Joe uses it. Or they got infected once using Norton, and they blame it.

    The reverse factor is at work for lesser known brands with less experienced people; they don't seem comfortable when I recommend KAV, AVAST etc.

    On the other hand if you use ProcessGuard or better yet Online Armor!!, I'm pretty sure you fall into 1 of the 2 groups:

    a) You are one of us (in the sense of security hobbyist) here, or are going to be.
    b) You were encouraged/forced/tricked/scared into it by one of us (a smaller group)

    An extreme example to be sure. But one that illustrates my point.

    I suppose it hinges on the words "care for security" and sampling.


    Anyone with some technical background (and these days almost everyone!!) would know all this. Of course, the way some people here talk, it seems that all this is not really common knowledge. <shrugs>

    We could also discuss the degree in which someone cares for security, or how much effort one is willing to take for the sake of security (or what he thinks is the sake of security).

    I would argue that most but not all Wilders members are willing to experience amazing amounts of inconvenience just to feel safe. More so than many real experts, I bet.

    This goes beyond technical knowledge: the willingness to put up with prompts from security software, to handle incompatibilities from half a dozen kernel level programs. Etc.


    People can tolerate AVs because they are quiet. Set and forget. They are trained to react to prompts from AV, because they can be sure such prompts are usually accurate. Hence they put up with it.


    Can they be trained to handle HIPS with prompts that are a reaction to non deadly actions? Will they have the knowledge to react correctly (Prevx stats tell us 50% don't!)? Or will they just get lazy and say yes to everything? Even if they have the knowledge, are they willing to put up with that?

    I highly suspect that outside of security hobbyists, HIPS are just too noisy, at least for the current state of the art.

    Most of them are even noisier than firewalls, and how high is the take up rate for firewalls with outbound protection? How many of these users of firewalls are really using them correctly? We don't know.

    Taking away the decision from the user by automatically stopping a non-whitelisted process is one option, but not all users will be willing to put up with such an approach on their own computers, especially if it turns out the action is wrong.

    Or perhaps there is some really clever way to be 95% accurate with such guesses.....
     
  12. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I don't think anyone doubts that HIPS have a way to go, especially in terms of user-friendliness.

    However, the concept of HIPS is just an extension of the concept of IDS which no one seems to mind all that much...winpatrol for example. I've used it for years, and it's still helpful today (though I don't use it as much).

    Winpatrol brought up perhaps as many popups as a well configured HIPS, and none of them threw me much....granted HIPS haven't achieved the same level of understandability that winpatrol achieved (probably because they try to cover more area).
     
  13. ---

    --- Guest

    The term IDS was initially used for firewalls. IDS signatures were used to detect anomalies in network traffic, and were traditionally monitored by highly trained network admins.

    I'm not certain if the term IDS should apply to winpatrol.

    I know there is supposed to be a difference between the 'D' in Detection and the 'P' in Prevention, but methinks the reason why HIPS is popular rather than HIDS is because the former is more 'HIP'.

    In any case to be logical, wouldn't purely monitoring tools be called HIDS?

    Whether Winpatrol merits enough to be called detection or prevention is something I suppose you could debate on :)

    I never really managed to catch the difference.


    I agree that Winpatrol is the most popular HIPS (or HIDS if you prefer) program; even then it's probably not that well known except among fairly skilled users. From the user point of view Winpatrol can basically do everything Regdefend can do (leaving aside technical implementation, which most people don't care about, and the fact that Winpatrol's monitored registry keys are hard coded).

    However, one thing you miss is that Winpatrol lacks execution launch protection, which adds to the noise by quite a bit. Also the behavior set chosen by Winpatrol is a small yet well chosen one IMHO that doesn't alert too often.

    Autostarts? Easy to understand. BHOS? Well not so easy, but basically it's some program that runs with IE... Changing browser homepages? Changing hosts file? Well okay a bit harder still..

    Unfortunately, a lot of people here think Winpatrol isn't sufficient since it doesn't catch more exotic behavior like dll injection, for example. The cost of adding all this of course means the typical HIPS that Wilders members favour is going to be way more complicated than Winpatrol.

    If HIPS programs stayed within the area covered by Winpatrol I would be a lot more optimistic, but the problem is HIPS are now driven by features demanded by 'advanced users' who demand protection from all sorts of advanced threats; hopefully this won't lead to over complicated programs.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I have nothing to base an observation like that on.

    I'm not trying to defend anything. I had read observations like the one you offered, and I was curious, so I asked around. Those I sampled ranged from the average home user to two who work in the computing industry.

    The "caring about security" is your term, and I took that to mean that a person had some knowledge of computer security, versus one who did not.

    I don't know how you can make such a statement without doing a scientific poll.

    Well, I don't use any of those products, nor any of the others that people have mentioned.

    Well, I don't tolerate it, I can't be sure such prompts are usually accurate, and won't put up with it, which is why I don't use any AV. So you can't speak for people other than yourself.

    I'm not, which is why I don't use any of those products. I follow kareldjag's tests because I'm interested in how certain exploits are being dealt with, and I've corresponded with him on other matters, hence the interest.

    Again, unless you've conducted a poll, that's just speculation. I am interested in security, so by your observation, HIPS shouldn't be too noisy for me, but they are, which is why I don't use any.

    All security plans have to start with assessing risks, and then design a setup that gives the user the peace of mind that she/he is secure. I don't see how you can know what users would be willing to put up with unless you ask them, hence, you should speak for just yourself.

    Regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  15. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Guest

    I've heard of the firewall based IDS, which only ever seemed to me to be for enterprise environments.

    From everything I read, the difference between IDS and IPS was: IDS monitored (detected) and reacted after the event (often through polling), and IPS prevented (in response to a trigger) (often through hooking).

    Of course I could have understood what I read wrong. The boundary between the two may be blurry as well. Happy for any more info, even if it's only a definition :)
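The distinction drawn just above (detect after the event by polling, versus prevent on a trigger before the action completes), and the option raised earlier of automatically stopping a non-whitelisted action, can be shown side by side in code. This is an added example, not code from any poster or any product named in the thread; the autostart table is a plain dict standing in for a real Run key, and all entries and paths in it are constructed.

```python
"""Added example: polling detection (HIDS-style) versus a pre-action gate
(HIPS-style) over the same change to an autostart table.

Constructed illustration, not from WinPatrol, Online Armor or any other
product. The dict below stands in for a real autostart location."""
from typing import Dict, List, Tuple

# Constructed baseline: autostart name -> command line (hypothetical values).
BASELINE: Dict[str, str] = {
    "Antivirus": r"C:\Program Files\AV\guard.exe",
    "Updater": r"C:\Program Files\Updater\upd.exe",
}


def poll_for_changes(previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Detection: compare two snapshots taken at different times and report
    what differs. By the time this runs the change has already happened; the
    best the monitor can do is alert and let the user undo it."""
    alerts: List[str] = []
    for name in sorted(set(previous) | set(current)):
        if name not in previous:
            alerts.append(f"ADDED   {name} -> {current[name]}")
        elif name not in current:
            alerts.append(f"REMOVED {name} (was {previous[name]})")
        elif previous[name] != current[name]:
            alerts.append(f"CHANGED {name}: {previous[name]} -> {current[name]}")
    return alerts


def gate_write(table: Dict[str, str], name: str, command: str,
               allowlist: Tuple[str, ...]) -> Tuple[bool, str]:
    """Prevention: consulted when the write is attempted, before it lands.
    Only commands on the allowlist are written; anything else is refused and
    the table is left untouched. Returns (allowed, reason)."""
    if command in allowlist:
        table[name] = command
        return True, f"allowed {name}: command is on the allowlist"
    return False, f"blocked {name}: {command} is not on the allowlist"


def demo() -> Tuple[List[str], Tuple[bool, str], Tuple[bool, str]]:
    """Run both models against the same unexpected autostart entry."""
    # Detection: a later snapshot shows an entry that appeared between polls.
    later = dict(BASELINE)
    later["Helper"] = r"C:\Users\Public\helper.exe"  # constructed unexpected entry
    detected = poll_for_changes(BASELINE, later)

    # Prevention: the same write, but checked before it happens.
    table = dict(BASELINE)
    allowlist = tuple(BASELINE.values())
    blocked = gate_write(table, "Helper", r"C:\Users\Public\helper.exe", allowlist)
    permitted = gate_write(table, "Antivirus", BASELINE["Antivirus"], allowlist)
    # The gated table never acquired the unexpected entry.
    assert "Helper" not in table
    return detected, blocked, permitted


if __name__ == "__main__":
    alerts, blocked, permitted = demo()
    print("polling detector saw:", *alerts, sep="\n  ")
    print("gate:", blocked[1])
    print("gate:", permitted[1])
```

The polling detector only ever reports differences between two snapshots, which is why it cannot catch an entry that is added and removed between polls; the gate, by contrast, never lets the disallowed write through in the first place, at the cost of having to decide (here, by a fixed allowlist) at the moment of the attempt.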
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I have on other threads. In all cases, the products involved were up-to-date, both at release level and database level.

    I just think it is totally impractical. Even the list you linked to is just the beginning in a long journey of data acquisition, decision making, purchases, fiddling around with computers, and possibly fighting off infections because some malware got through. Education is a never ending process. Locking down a system, if it is possible, to prevent any kind of exposure, is a one time event. I prefer the second, if it is at all possible. Lacking that, as close as possible to it.


    Yes. Most people make their decision in the marketplace. Most end up buying software because they do not have the time, background, or inclination to read Brian Livingston's book. So the marketplace speaks.

    The best situation is when the security software totally prevents foreign executables from entering a system, if the user so desires. In a public arena such as a library or school, it apparently is possible to invoke a lockdown structure, as has been demonstrated by the DeepFreeze/Anti-Executable model.
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Everyone has a different philosophy concerning computer security. I doubt anyone can argue another into agreeing with their solution.

    As for education.....Only those that actively seek the education out and truly want to learn will be receptive to the type of education that will result in "safe computing".

    I learn new things every day from all the interesting theories that people have about computing.

    One thing I do find strange when I go to all these security sites is seeing all these people with some spyware, virus or trojan infection. Sometimes, I wonder how people run into all these infections and I don't.

    I think it is because I acquired a set of habits over time that keeps my computer free of that stuff. I think it is my habits and a few tweaks rather than my software that keeps my computer virus free.


    Starrob
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I also like spy1's comment in another thread. He's referring to a specific product in this case, but it can apply across the board:

    ---------------------
    Please bear in mind that what works fine for me does just that - works fine for me, my computer set-up, my other programs that run in ShadowMode, etc.

    I can neither tell you it [ShadowUser] will work as well for you (since your set-up and applications are totally different than mine), nor hazard guesses or make pronouncements about things I haven't a clue about.
    ----------------------

    Also, kareldjag's comment in the original post:

    ---------------------
    NB. I'm currently using none of them and don't recommend specifically one of them: as usual, it's better to try products by yourself.
    ---------------------

    I agree wholeheartedly with your assessment.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I have lots of friends who have been using computers for a long time, and one day they just got nailed (this includes me). Anyway, that is what introduced me to security. Chances are that many of the millions of people who purchase security have had similar experiences. **** happens.

    Rich
     
  20. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    It may happen to others, but that just makes me wonder more why it is happening so much to others and why not to me.

    I am just not running into a whole lot of threats, with the exception of when I specifically seek them out. I think I am in more danger of infection when I intentionally seek the stuff out than at any other time.

    I think most threats go away when a person turns off JavaScript, Java and only surfs security sites....lol which is how I spend maybe 75% of my time on the internet


    Starrob


     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I never get drunk, because I hardly ever drink. But that's my lifestyle. To each his own. People do get infected in the most innocuous ways (I think I can safely say that almost all of my friends have encountered serious virus infections even with one of the popular AVs in place), and why it hasn't happened to you I do not know. Maybe you are lucky? Maybe you are infected and don't know it? Since you do not have any security or monitors in place, this could be the case. It wouldn't be the first time that I went to someone's computer who thought they were in OK shape, only to find it loaded with trojans and keyloggers after a KAV scan.
     
  22. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    As I said earlier in the day, I don't believe in luck. I am more likely to believe in playing percentages.

    I seriously doubt I am infected...LOL.....The percentages that I am infected are quite low.

    As for security software that is in place....no one knows everything that is on my computer. Some have tried to guess, but I have given such serious head fakes that people mostly amuse me with their guesses because they are so far off.


    Starrob
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    One can play the percentages, or one can put security in place that will monitor/prevent. I prefer the second approach, that is why I have auto insurance - though for sure there are plenty of drivers who drive without it. As you say, you play the percentages. I don't. Totally different philosophy.
     
  24. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Putting security in place that can monitor/prevent is just one way of playing the percentages. One person can load up their computer to take care of every conceivable threat they can imagine and have very low percentages that malware will get on the computer.

    Another person can do it with virtually no software at all and with "education" can get the percentages very low.

    There are a virtually endless multitude of ways to lower the percentages of malware entering a computer. None of them on an absolute level are "right" or "wrong", but they can be on a relative level right or wrong for you.

    There are many ways to get the same job done.

    It is all about personal philosophy, and sometimes I think people take their philosophy too seriously when they perceive others may not agree 100%. I think this is the basis of most debates that almost turn into flame wars on this board, but that is another story.

    Right now, I think it is time to think about something other than computer security. I am off to watch some real movies on HBO.....so I'll break out the popcorn again.....and yes, the popcorn is tasty.....LOL



    Starrob
     
  25. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Not exactly sure why this disagreement is continuing.

    Not everyone needs extra security. Some people who have minimal security surf the net for years without becoming infected...but they tend to visit only a select few, trusted sites <some with hardened settings>

    However, seeing as about 60% of the internet is porn related, it's fair to say that a rather large percentage of People visit porn sites.

    -A decent percentage no doubt use P2P networking.
    -Many use IM's.
    -Almost everyone uses email.

    -Some people do internet banking, some don't.
    -Some people keep financial info on their computers some don't
    -Some people keep ID info on their computers, some don't
    -Many have been hacked, some haven't
    -Some have spent hours recovering their computer, others haven't

    -some view the internet as a playground...others don't
    -some people think the internet should be safe, ignoring the reality...others observe the reality
    -some people are paranoid about their privacy, others aren't

    Some people know enough about the design of windows and the internet to harden their system to a state where they know they won't get infected <I think>...most don't know enough to say that for sure.

    If a person is happy that minimal security works for them, that is fine...but they no doubt have a particular set of circumstances/knowledge/views that may not apply to another.
     