Six HIPS Programs Reviewed and Rated

Here is a link to "Six HIPS Programs Reviewed and Rated" by Gizmo. Congratulations to Ilya Rabinovich and DefenseWall for a job well done!

http://www.techsupportalert.com/security_HIPS.htm

Peace & Love,

CogitoErgoSum

 

Thanks for the link.

It only validates my decision in making 'BufferZone' an important part of my security setup. And seems Cyberhawk is a real 'up & comer'. Biggest disappointment IMO, had to be 'Online Armor'.

 

I think it's a valuable review. It's a diferent approach. But still there was one thing that bugged me. I emailed him to clear my dought.
Yes it's about Prevx1 lol. You see i don't expect it to warn me of everything potentially dangerous in the unknown apps. I expect it to clean if i did something foolish like running a malware. He didn't say if it was able to detect and clean after a day or so as advertised.
For prevention i've realized already that sandbox is the way.

 

tobacco, you are very welcome.


Peace & Love,

CogitoErgoSum

 

Hello,
Well done, Ilya!
Mrk

 

I am abit puzzled about the part with Keylogger Detection in this test. I dont expect DW to detect keyloggers - if we by that mean detect and warn me. I expect DW to protect from keyloggers by not letting them out of the box and deactivating them at reboot or when I hit the BIG RED BUTTON (= "fast sandbox reboot") before I go banking or do other sensitive password browsing.

Maybe Ilya will comment on this here or at the DW-forum.

Best Regards

 

I love tests that shows that software that I use does (at least fairly) well.
I believe that the concept behind software such as Cyberhawk and Prevx1 (non intrusive) is the way to go for the "average joe" (and me, even though I don't consider me self as such anymore)

 

Yes, it is. 100% of keyloggers protection is not exists. But I'm always try to improve DW's security level in balance with easy of use...

 

Ilya, well done.

Thanks for the fix in release 1.72 of user interface load. I can use DW with SSM (user interface disconnected) again. Works flawless.

Inbound firewall of NatRouter + Antivir free + SSM free + DefenseWall for me is all I need.

 

Thanks for posting the link to these tests,
found the results interesting, wife has been
using the trial of Defense Wall now for a few
weeks and loves this program.

Regards,

Wake

 

Let me be the first to say well done Cyberhawk team!!!

and as Gizmo said "DefenseWall blitzed the field"

 

2 questions:
Defense Plus is the HIPS + Firewall?
And i can't find prices anywhere. Just curious.
Anyway congrats from me too

 

Wake2, you are very welcome. Happy to hear that your wife loves DW.


Peace & Love,

CogitoErgoSum

 

Seems I am going to have to buy it for her,
early xmas present, and what she says she
likes best about this program is ease of use.

Cost is reasonable to for $ 29.00

Someone - heres the link to the DefenseWall
site you can take a look, shows the costs
and explains the differences .


http://www.softsphere.com/programs/


Regards,

Wake

 

Interesting tests. I wonder why the tester chose to include DefenseWall (a sandbox) in the HIPS group instead of in his recent tests that exclusively dealt with sandboxes? Conversely, I wonder why the tester included only one sandbox (DW) in this test of HIPS, whereas he excluded the other sandboxes that he has tested? Isn't this somewhat a mixing of apples with baseball bats?

WHY was DW (a sandbox) omitted from sandbox testing, then included with testing of NON-sandboxes. Just wondering

Or, if the tester is going to compare a sandbox against HIPS, then why not include something like ShadowUser to fully complete the weirding-out of his tests of "HIPS & whatever else catches his fancy?"

In any event, it seems to me that a sandbox app doesn't exactly need to RECOGNIZE a malware, whereas Cyberhawk, Prevx & the others that were tested do. Instead, a sandbox mainly just blocks/excludes ANYthing that has its origin in the activities of *untrusted*apps. Right?

On that basis, a program such as DeepFreeze or ShadowUser would have a perfect score every time that it was operational. NOTHING would get in!

Or am I quite possibly missing something here?

In closing, may I add that I wish that the representative of a commercial app would refrain from commenting in threads which compare his app against competing products. Unless it's done to correct an inaccuracy, it just seems rather unfair to me.

 

Sadly, GesWall(similar to DW) is not included

 

yes lets cry together. But he did review it in the previous. He just didn't explain how it failed the malware test.

 

Those are my exact thoughts

 

No DefenseWall is a HIPS based on restricting access rights. Some people call this a sandbox

When you look at different HIPS, they can be characterised by the basic approaches they use. HIPS often use different approaches in one solution. That is why it is so confusing to understand them.

At the highest level there are 3 main approaches (1, 2 and 3) with each some sub-approaches (the A's and B's).

1) Using signature based reference lists.

A) black list approach
This is common in most AV and anti-spy applications

B) white list apporach
This is common part of classical HIPS applications (like SSM, Antihook, Dynamic Security Agent, ProSecurity, Process Guard, Appdefend, et cetera).

2) Using intelligent pattern recognition

A) heuristics or code patterns recognition:
These actively or passively scanning parts of code for potential malicious activity, the idea is to recognise code patterns in a intelligent way whether the code has good or bad intentions. Heuristics is becoming an important add-on to AV-programs. Some have even artificial intelligent rules engines to eveluate those code patterns.

B) behavior blocking or application/process behavior patterns.
This type of security software recognises potential dangereous behavior (like dll or data injection, or adding a hidden process/registry entry). The intelligence and limitation of this type of security software that an anomaly (strange behavior) is not per se malicious. Most of the classical HIPS also use this as a part of their security approach (e.g Antihook, SSM, PG warn/prevent when software tries to inject dll into another process). Some firewalls (like Comodo) apply this on network level and some innovative AV's have extended their heuristics with behavior blocking.

3) Seperating the execution environment.
These fall into two main classes (with each two sub-approaches). The classification gets 'blurred' because the term Sandbox and virtualisation are used together. Therefore in Netherlands we use this type of classification.

A) access right restrictions ("sand boxing")
This approach is aimed at restricting the rights the user has to perform. This type of protection has two main differences:

- The ones which only affects "privelage restriction" of programs.
Examples are DropMyRights and Amust Defender, this are also called "Sandboxes". The down side of these privelage restriction is that it also limits the user in functionality.

- The ones which also effect the "privelage restrictions" of files which are created by those programs.
Examples are GeSWall and DefenseWall. They remember the trusted or untrusted state of the files created. The advantage of this type of programs is that they use "seamless security": no restriction in functionality and no seperation of file and or operationg system. Seamless is sometimes also called virtualisation (one of the reasons for confusing).

B) Virtualisation.
This approach is aimed to allow the user to make bigger changes in the registry and file system because they do not really affect the underlying system.

- Virtualisation affecting the file system only
This type of programs seperate the virtualised applications from the file systems. So they make the changes in a seperate file layer. The changes can be turned back afterwards. Examples are Sandboxie and BufferZone. This type of programs also apply rights restrictions (in side and out side the virtualised file system).

- Virtualisation also seperating the OS-system
This type of programs seperates the virtualised system including OS from the protected system. Some applications require n another OS in the virtualised system (like VM Ware), others seperate snapshots of the same OS (First Defense ISR).


When you want to go for few pop-ups CIPS (like PrevX or DataSentry) and Behavior Bloackers (CyberHawk) and access restriction HIPS (DefenseWall) are the best options.

 

No SSM

 

i was disappointed with Online Armor. hopefully version 2 will be much improved.

 

The autor did not focus on classical HIPS, only Process Guard was added to the mix
IMHO, the important misses are GeSWall, Buffer Zone and Socket Shield

 

nop tested before

http://www.techsupportalert.com/security_virtualization.htm

 

Why SocketShield? SocketShield filters malicious scripts from web traffic, it doesn't contain any behavior blocking features. It's a great program, but wouldn't apply to those kinds of tests.

 

No, DefencePlus is a hardening tool for old-styled processors without NX/XD bit, it is not a HIPS. The price is $39, lifetime.

Thanks a lot everybody for your kind words! v2.0 is coming...