Silent HIPS of the future!

Discussion in 'other anti-malware software' started by dmenace, Jan 4, 2008.

Thread Status:
Not open for further replies.
  1. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    I'm just thinking about the idea that HIPS will be silent like an AV app in the near future...

    Classic HIPS that ask questions about every action an application makes are no longer for this world. Their era is coming to an end from an innovation point of view. These HIPS induce "lazy clicking OK", and even so, if you want to make a correct decision you can't without knowing the inner workings of every program. Say Firefox requests low level keyboard access. You know this is ok, but what if Firefox was tampered with? A change in the hosts file redirects the autoupdate to a malicious IP address, which downloads a malicious update of Firefox...

    These days we have intelligent behaviour blockers using intelligent algorithms, a point based system, or white lists to reduce alerts and false alarms. But these are still flawed - they still require the user to make the decision and are more and more like AVs relying on known behaviours. All it takes is one truly unknown behaviour to bypass such programs. What if the System Shutdown Simulator's Shutdown Call was executed as a scheduled task (run windows\system32\shutdown.exe -s)? This is just a simple example to show that these programs have limitations in the behaviours they monitor.

    So what would the HIPS of the future be? And here is my answer - silent, eliminating the user altogether. How? Well, it's already here... Stop focusing on detecting new behaviours, leak test methods etc., but rather combine the following features:

    Encrypt key strokes completely using a technique like key scrambler... no user input required. Defeats all key loggers without prompts.

    Generic buffer overflow protection to prevent unpatched software exploits. Such protection is found in WehnTrust, Comodo Memory Firewall, Defense+ etc... Once again no user input required.

    Sandboxing / System Freezing - Rather than asking for each behaviour, e.g. load a service / driver, sandbox the action and allow it to run without it affecting the actual system. Once again no prompts. Examples: Sandboxie, Returnil etc.

    So the HIPS of the future is already here. Just combine all these features of separate software into one HIPS and you've got one heck of a security program - a powerful HIPS with no prompts!

    :thumb:

    Edit spelling
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Key stroke encryption is "snake oil", unfortunately - just remember the "TranslateMessage" keylogging technique. If any app may get key input, there is always a chance malware can intercept it.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    DMenace,

    My list of truly silent HIPS:
    1. DefenseWall
    2. GeSWall
    3. Primary Response Safe Connect on Vista64 with UAC in quiet mode
     
  4. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
    DefenseWall is a silent HIPS; you will never feel it is running on your system.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I second that; if the DW icon wasn't there, I would forget I have it on board. :)
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I agree with you. I never liked security software with multiple choice questions, like "Yes" or "No".
    I have a 50% chance to answer right; that's not security, that's gambling.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Faronics Anti-Executable is also very quiet, unless you try something new.
    Also very simple to understand and acts immediately without questions, because the answer is always NO.
     
  8. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Silent HIPS is just right for me, but not for many others here who wish to have full control over their system.

    Silent HIPS: ThreatFire, Norton AntiBot, Prevx.
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    1. The problem is that full control doesn't mean full defense.
    2. Most people just need to do their everyday work; they don't need to have full control.
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    There is also no such thing as full control. There are plenty of programs that offer full annoyance, yes, and too many people are mistaking this for full control.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I agree that it doesn't mean the same thing, but I like to have my pure system partition (Windows + Applications) back as it was, when I created it. That is full control.

    The only thing I have to do is to stop any possible execution of malware immediately to protect the contents of my system partition and data partition completely. That is full defense, easier said than done.

    The last difficult problem is NEW stuff, which is more based on trust, than anything else, unless you have knowledge enough to check them out.
     
  12. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks:

    If I need a program to perform a particular task, I would give it a chance to fulfil it, and trust it, not control it fully.

    If I want to be its boss and treat it as a slave, why do I need it in the first place? I could have written an application myself!

    Silence is golden! I respect those apps which work tirelessly in the background, not those which make a lot of noise and deliver nothing but headaches.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I agree with that principle; unfortunately too many security programs don't know how to be quiet.
    That's why I created an off-line snapshot on my computer to do my work and hobbies without any disturbance from malware and anti-malware, and it also works faster.
     
  14. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Good points Perman. But on the converse side, when you've gone from something like SSM to ThreatFire (at the time Cyberhawk) it's actually quite difficult to convince yourself that it is in fact doing anything at all, such is its quietness :D

    I'm sure it was, but SSM was in a way quite reassuring, in that it made sure you darn well knew it was doing its thing! ... and it was most certainly the boss and me the slave to its most exacting demands :ouch:
     
  15. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, OldMonk:

    I 100% know what you are saying.

    There always exists a clear distinction between a highly visible one (such as SSM) and a low-profile one (such as TF, PRSC). But, at the end of the day, they all achieve one same thing, that is protecting our a--. Should we call it time and money (if any) well spent? Take care.
     
  16. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Agreed. That is their goal.
    Also agreed :D (in the case of SSM - a lot of time)

    You also
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    SSM is still much better in this regard than some overbloated HIPS out there; in fact, it's one of the best. If I ever had to give up ThreatFire, I'd go right back to SSM Free.
     
  18. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    No argument from me there Solcroft :)

    In terms of fine-tuning, it certainly packed a punch. Disengaging the GUI was a nice touch, too.

    Bit like pulling up your drawbridge and having a moat the size of the Pacific for your enemies to cross :D
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I don't think that we will ever see quiet HIPS, and that's because they would then have to be able to recognize 100% of all malware; this will never be possible. And besides, if you don't ever want to see an alert, and fall prey to "lazy clicking", then classical HIPS is clearly not for you. It's for the people who want more control, and want the ability to "analyze" an app after execution. As you might know, scanners can't spot all malware, so a "clean" file may in fact be not so clean. This is where the HIPS can play an important role. Of course, some knowledge is required, but like I said before, it's not exactly rocket science.

    Sounds like a good protection method, but according to Ilya it's not bulletproof. But I agree, HIPS must be able to stop most keylogging methods.

    Yes, another nice feature that could stop a lot of exploits. But I wonder if process execution control would stop these attacks also.

    Yes, even if TF is a so called smart HIPS (designed for dumb people? Just kidding guys! :D) it will still ask you questions, but it's a lot less noisy so it's becoming more popular. Still, it can be bypassed when it's not monitoring a certain behavior or if there is some kind of programming error, just like all other HIPS.

    Well yes, but sandboxes are different from classical HIPS. HIPS can alert you about stuff when you're installing tools on your real machine (not in the sandbox) and that's what you will be doing most of the time. And besides, you can't sandbox everything, you can't sandbox "driver loading", and if you allow "code injection" in the sandbox, then malware may still be able to take control of your sandboxed apps/system, and that's no security.

    What's wrong with SSM Pro? And such a statement is quite surprising to me since SSM can be one of the most noisy HIPS, especially with process and registry control enabled. And we all know how much you hate "false positive" alerts. :blink:
     
    Last edited: Jan 5, 2008
  20. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Wow, very interesting to read everyone's replies!

    Clearly there is already some relatively quiet HIPS software out there like DefenseWall.

    Just to make my initial argument a little more clear, I wanted to discuss the idea of whether or not it is possible to create a truly silent HIPS (even more silent than ThreatFire) that does not monitor individual behaviours but rather uses some of the ideas I mentioned above.

    By the way, Ilya when will DefenseWall 2.10 come out? I've read at Gladiators the help file is complete?
     
  21. jp10558

    jp10558 Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    27
    Personally, I just don't trust the vendors to make the right choice. Or, let me rephrase - they can't know what the right choice is, because it's different for everyone.

    For instance, all the quiet HIPS let IE6 execute on XP. For me, if IE is starting, it's likely I didn't start it, as I use Opera pretty much exclusively. The 15 times a year I start it to prove to my ISP the problem is THEIRS, I'm happy to click "OK".

    Just like my firewall should not auto allow IE out, and I'd prefer to lock it down to my ISP page, speedtest and WU only.

    Similarly, Adobe quicklaunch/version cue whatever - sometimes it's easier to just kill it with the HIPS than to try and figure out how to disable it from the prefs...

    I could go on, but just because a program is "safe" doesn't mean *I* want it executing, or talking to the internet.

    Then again, I don't like stupid HIPS like Vista UAC - I *do* want it to give me a chance to have it remember a setting.

    I'm very interested in Comodo v3 with D+ - a very noisy HIPS, but very finely tuned and remembers your settings. Plus you can go to whitelist mode if you want. I really think the slider is a great idea - set it to "Don't bother me mode + use my already set rules" most of the time, but if you're trying a new app, set it to paranoid.

    Plus it helps you learn about Apps. I found out at work that Firefox wants to access the screen directly (which enables screenshotting), + wants access to the service control system, wants to make relayed DNS queries + lots of stuff to load google that I can't see why it needs them. Especially when I denied them all, it still worked fine! Mozillazine was strangely silent about my queries too.

    Maybe all apps do this (I haven't started using Comodo at home yet), but it would be nice to understand why they want certain accesses - and the silent HIPS would just allow it all.

    The above said, the average user wants the PC to figure it out for them. This can only work if they basically are not in control, so these silent company remote controlled HIPS are probably the way to go - but I'd like to have the option to limit outgoing info about my PC (to the HIPS vendor) and let ME make the choices. Even modern AV tell you they've found something, and ask you what to do (they just don't find stuff very often anymore).
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Unfortunately, no. Not unless you block the vulnerable programs, like IE, RealPlayer, Yahoo IM etc., from running in the first place (meaning you don't get to use them).

    You can sandbox driver loading. The driver runs isolated inside the sandbox, as demonstrated by Sandboxie. I'm not certain if other sandboxes do this, though.

    Also, allowing code injection inside the sandbox is no problem. The manipulated process will be able to do no harm anyway, since it is sandboxed as well.


    Like I've said, SSM is far from the most noisy HIPS. I've used quite a few, and I think I know what I'm talking about. If I had to pick a worst, it'd be Comodo D+, hands down. Meaningless and redundant alerts all over the board. Notepad.exe requesting keyboard + SCM access? Come on. :mad:

    I do know how to use a dumb HIPS, it's just that I feel TF's product design has superseded them in general.
     
  23. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
    I also want to know :(
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Never knew this. Is it a new feature?
     
  25. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
    This is impossible. Sandboxie is not a VM. :cool:
     