Recommendation for a simple HIPS?

Hi,

I use Kerio 2.1.5 as my firewall and need an suggestion for equivalently simple and lightweight HIPS to complete my "suite", preferably free. Until now i have used Sandboxie for that, but the process of getting downloaded files out of the sandbox is increasingly boring me.
My security model is simple: allow only executables i have predefined, everything else is blocked. This computer is used by my mother too, so i need a "silent" mode, just like in Kerio (block all not explicitly allowed without notifying, but keep log). I don't need kernel/driver/registry protection, as it will be irrelevent with only whitelisted apps running.

Thanks in advance.

 

You could try a behavioural blocker such as Prevx or ThreatFire.

 

There is also System Safety Monitor Free Edition.

 

Almost all hips are lightweight.

A very good free choice is Real Time Defender, including network protection, which you may don't need since you have kerio, so you can disable it.

 

SSM is being abandoned from further development and the developer gave away a key to unlock the paid version. You can try it and if you are happy drop pm for the key.

That would be my 2nd choice for free hips after RTD

 

tilkov asked for a silent hips to lock the applications that are not "whitelisted" by him..

1. You can try Malware Defender that has a Silent Mode, but it is not free.
2. Otherwise just try EQSecure 3.41, create your rules throught Learning Mode, and after set the popups time value to -1..
I think it would be possible

I don't know if RTD or SSM has a sort of Silent Mode.

Regards,
kronos

 

if ur looking for a simple HIPS, ive heard EQS 4.2 wuld fit the role perfectly.

 

You can try Returnil's Anti-Execute module.
There are two settings.
- Block activation of all programs not on the White List
- Deny all if there are no rules

Returnil is primarily a virtualization app, but I if you don't need this part - just ignore it.
The Anti-Execute is easy to configure, but it's not a full featured HIPS. You can just block programs and driver loading.

Cheers

 

SSM is the right tool for the job. It's got very advanced rules and silent mode. Thanks a lot!

 

There is a (quite hidden) tool available for free in windows which by default allow executables from program and windows folders and denies any other executable. It is called SRP.

A member of this forum (Sully) has even created a free security tool called Pretty Good Security (PGS) which allows you to configure precisely SRP.

If your level of expertise is good enough, or if simply you are used to Hips, you might consider trying it:

https://www.wilderssecurity.com/showthread.php?t=244265

http://mrwoojoo.com/PGS/PGS_index.htm

 

Returnil's Anti-Execute module allows something similar, and also notifies you when something tries to load a driver.

For full (and currently maintained) HIPS...

Threatfire: lightweight, behavior based, allows custom rules and rather paranoid settings if you want. In my experience though, it makes my computer very slow when used in combination with PCTools Antivirus; if you want to use it with an antivirus it might be better to use Avast.

PCTools Firewall: yes, it has decent HIPS functionality, though nothing to protect from keyloggers (I guess they leave that to Threatfire).

COMODO: Defense+ is very comprehensive. I will say, though, that some people are a bit weary of anything from COMODO Group, due to very unethical behavior by that company (selling SSL certificates to known malware makers). I figured that was a once-off screwup at first, but since they continue to do it...

Online Armor: No Advanced Mode in the free version and keylogger protection is stripped out, so it's kind of crippled, but the HIPS is still there and very good. The paid version seems to offer some of the best protection available.

Edit: Threatfire looks like the best option to me in this case, because it can be easily set up to be silent.

 

hi Gullible Jones how can you make threatfire silent?i have no idea how and that was the reason why i run/stay away of it thanks in advance

 

Set it to quarantine anything suspicious by default (in Settings).

(DO NOT DO THIS with a sensitivity setting of 5, or it will quarantine just about everything! Even 4 is probably pushing it.)

 

thanks alot very value info i didnt know

 

Threatfire is probably the best program for your requirements.

 

thank you makav

 

Be sure to also set TF to creat a restore point before doing so and add other security software to the trusted list, otherwise you are asking for troubles.

 

I second that thought!

Effective, light, and it won't mess with the system stability.