Six HIPS Programs Reviewed and Rated

Discussion in 'other anti-malware software' started by CogitoErgoSum, Nov 15, 2006.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Thanks for the link.

    It only validates my decision in making 'BufferZone' an important part of my security setup. And seems Cyberhawk is a real 'up & comer'. Biggest disappointment IMO, had to be 'Online Armor'.
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think it's a valuable review. It's a different approach. But still there was one thing that bugged me. I emailed him to clear my doubt.
    Yes, it's about Prevx1 lol. You see, I don't expect it to warn me of everything potentially dangerous in the unknown apps. I expect it to clean if I did something foolish like running malware. He didn't say if it was able to detect and clean after a day or so as advertised.
    For prevention I've realized already that sandbox is the way.
     
  4. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    tobacco, you are very welcome.


    Peace & Love,

    CogitoErgoSum
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Well done, Ilya!
    Mrk
     
  6. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    I am a bit puzzled about the part with Keylogger Detection in this test. I don't expect DW to detect keyloggers - if by that we mean detect and warn me. I expect DW to protect from keyloggers by not letting them out of the box and deactivating them at reboot or when I hit the BIG RED BUTTON (= "fast sandbox reboot") before I go banking or do other sensitive password browsing.

    Maybe Ilya will comment on this here or at the DW-forum.

    Best Regards
     
  7. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I love tests that show that software that I use does (at least fairly) well. :D
    I believe that the concept behind software such as Cyberhawk and Prevx1 (non intrusive) is the way to go for the "average joe" (and me, even though I don't consider myself as such anymore)
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, it is. 100% keylogger protection does not exist. But I always try to improve DW's security level in balance with ease of use...
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ilya, well done.

    Thanks for the fix in release 1.72 of the user interface load. I can use DW with SSM (user interface disconnected) again. Works flawlessly.

    Inbound firewall of NatRouter + Antivir free + SSM free + DefenseWall for me is all I need.
     
  10. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Thanks for posting the link to these tests, found the results interesting, wife has been using the trial of Defense Wall now for a few weeks and loves this program.

    Regards,

    Wake
     
  11. betauser2

    betauser2 Guest

    Let me be the first to say well done Cyberhawk team!!!

    and as Gizmo said "DefenseWall blitzed the field" :thumb:
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    2 questions:
    Defense Plus is the HIPS + Firewall?
    And i can't find prices anywhere. Just curious.
    Anyway congrats from me too:)
     
  13. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Wake2, you are very welcome. Happy to hear that your wife loves DW.


    Peace & Love,

    CogitoErgoSum
     
  14. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Seems I am going to have to buy it for her, early xmas present, and what she says she likes best about this program is ease of use.

    Cost is reasonable too, at $29.00.

    Someone - here's the link to the DefenseWall site, you can take a look, it shows the costs and explains the differences.


    http://www.softsphere.com/programs/


    Regards,

    Wake
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Interesting tests. I wonder why the tester chose to include DefenseWall (a sandbox) in the HIPS group instead of in his recent tests that exclusively dealt with sandboxes? Conversely, I wonder why the tester included only one sandbox (DW) in this test of HIPS, whereas he excluded the other sandboxes that he has tested? Isn't this somewhat a mixing of apples with baseball bats?

    WHY was DW (a sandbox) omitted from sandbox testing, then included with testing of NON-sandboxes? Just wondering o_O

    Or, if the tester is going to compare a sandbox against HIPS, then why not include something like ShadowUser to fully complete the weirding-out of his tests of "HIPS & whatever else catches his fancy?"

    In any event, it seems to me that a sandbox app doesn't exactly need to RECOGNIZE a malware, whereas Cyberhawk, Prevx & the others that were tested do. Instead, a sandbox mainly just blocks/excludes ANYthing that has its origin in the activities of *untrusted* apps. Right?

    On that basis, a program such as DeepFreeze or ShadowUser would have a perfect score every time that it was operational. NOTHING would get in!

    Or am I quite possibly missing something here?

    In closing, may I add that I wish that the representative of a commercial app would refrain from commenting in threads which compare his app against competing products. Unless it's done to correct an inaccuracy, it just seems rather unfair to me.
     
    Last edited: Nov 15, 2006
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Sadly, GesWall(similar to DW) is not included :'(
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes, let's cry together. But he did review it in the previous. He just didn't explain how it failed the malware test.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Those are my exact thoughts
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, DefenseWall is a HIPS based on restricting access rights. Some people call this a sandbox.

    When you look at different HIPS, they can be characterised by the basic approaches they use. HIPS often use different approaches in one solution. That is why it is so confusing to understand them.

    At the highest level there are 3 main approaches (1, 2 and 3), each with some sub-approaches (the A's and B's).

    1) Using signature based reference lists.

    A) black list approach
    This is common in most AV and anti-spy applications.

    B) white list approach
    This is a common part of classical HIPS applications (like SSM, Antihook, Dynamic Security Agent, ProSecurity, Process Guard, Appdefend, et cetera).

    2) Using intelligent pattern recognition

    A) heuristics or code pattern recognition:
    These actively or passively scan parts of code for potential malicious activity; the idea is to recognise code patterns in an intelligent way, whether the code has good or bad intentions. Heuristics is becoming an important add-on to AV programs. Some even have artificial intelligence rules engines to evaluate those code patterns.

    B) behavior blocking or application/process behavior patterns.
    This type of security software recognises potentially dangerous behavior (like dll or data injection, or adding a hidden process/registry entry). The intelligence and limitation of this type of security software is that an anomaly (strange behavior) is not per se malicious. Most of the classical HIPS also use this as a part of their security approach (e.g. Antihook, SSM, PG warn/prevent when software tries to inject a dll into another process). Some firewalls (like Comodo) apply this on the network level and some innovative AVs have extended their heuristics with behavior blocking.

    3) Separating the execution environment.
    These fall into two main classes (each with two sub-approaches). The classification gets 'blurred' because the terms sandbox and virtualisation are used together. Therefore in the Netherlands we use this type of classification.

    A) access right restrictions ("sand boxing")
    This approach is aimed at restricting the rights the user has to perform. This type of protection has two main differences:

    - The ones which only affect "privilege restriction" of programs.
    Examples are DropMyRights and Amust Defender; these are also called "Sandboxes". The downside of this privilege restriction is that it also limits the user in functionality.

    - The ones which also affect the "privilege restrictions" of files which are created by those programs.
    Examples are GeSWall and DefenseWall. They remember the trusted or untrusted state of the files created. The advantage of this type of program is that they use "seamless security": no restriction in functionality and no separation of file and/or operating system. Seamless is sometimes also called virtualisation (one of the reasons for confusion).

    B) Virtualisation.
    This approach is aimed at allowing the user to make bigger changes in the registry and file system because they do not really affect the underlying system.

    - Virtualisation affecting the file system only
    This type of program separates the virtualised applications from the file system. So they make the changes in a separate file layer. The changes can be turned back afterwards. Examples are Sandboxie and BufferZone. This type of program also applies rights restrictions (inside and outside the virtualised file system).

    - Virtualisation also separating the OS
    This type of program separates the virtualised system including OS from the protected system. Some applications require another OS in the virtualised system (like VMware), others separate snapshots of the same OS (First Defense ISR).


    When you want to go for few pop-ups, CIPS (like PrevX or DataSentry), Behavior Blockers (CyberHawk) and access restriction HIPS (DefenseWall) are the best options.
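    The two "3)" sub-approaches above differ in what they do with an untrusted write, and a toy policy model makes the difference concrete. This is an added example, not code from the post or from any of the products it names; the protected roots, paths and file contents are constructed, and the class names are hypothetical.

```python
# Toy model of two approaches from the classification above:
#  - TaintSandbox (3A, second kind): an untrusted process keeps full
#    functionality, but every file it creates inherits the untrusted mark and
#    protected roots stay off limits (the DefenseWall / GeSWall idea).
#  - VirtualSandbox (3B, first kind): the real file system is never changed;
#    sandboxed writes go to a separate layer that can be turned back
#    (the Sandboxie / BufferZone idea).
# Everything here is constructed for illustration.
from dataclasses import dataclass, field

PROTECTED = ("C:/Windows/", "HKLM/")   # constructed list of protected roots


@dataclass
class TaintSandbox:
    """Access-right restriction that remembers who created each file."""
    untrusted_files: set = field(default_factory=set)

    def write(self, process_trusted: bool, path: str) -> bool:
        """Return True if the write is allowed under the access-right policy."""
        if process_trusted:
            return True
        if path.startswith(PROTECTED):
            return False                   # untrusted process, protected root
        self.untrusted_files.add(path)     # remember the origin of the new file
        return True

    def launch(self, path: str) -> bool:
        """A process started from an untrusted file is itself untrusted."""
        return path not in self.untrusted_files


@dataclass
class VirtualSandbox:
    """File-system virtualisation: writes land in an overlay layer."""
    real: dict = field(default_factory=dict)
    layer: dict = field(default_factory=dict)

    def write(self, sandboxed: bool, path: str, data: str) -> None:
        (self.layer if sandboxed else self.real)[path] = data

    def read(self, path: str):
        # The overlay shadows the real file, so the sandboxed app sees its change.
        return self.layer.get(path, self.real.get(path))

    def rollback(self) -> None:
        """Turn the changes back by discarding the whole layer."""
        self.layer.clear()
```

    The model shows why a sandbox does not need to recognise malware: the taint model only tracks origin and protected roots, and the virtualisation model only diverts and discards writes.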
     
  20. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    No SSM :(
     
  21. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I was disappointed with Online Armor. Hopefully version 2 will be much improved.
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The author did not focus on classical HIPS, only Process Guard was added to the mix ;)
    IMHO, the important misses are GeSWall, Buffer Zone and Socket Shield
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  24. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Why SocketShield? SocketShield filters malicious scripts from web traffic, it doesn't contain any behavior blocking features. It's a great program, but wouldn't apply to those kinds of tests.
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No, DefencePlus is a hardening tool for old-styled processors without NX/XD bit, it is not a HIPS. The price is $39, lifetime.

    Thanks a lot everybody for your kind words! v2.0 is coming...
     