sophos Hips trial

Discussion in 'other anti-virus software' started by ravin, Oct 2, 2006.

Thread Status:
Not open for further replies.
  1. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    Last edited: Oct 2, 2006
  2. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Well. It's not really an HIPS. It's something similar to Norman's Sandbox, Bitdefender's B-HAVE/HiVE, ESET advanced heuristics, ISS VPS (?), etc.

    Malicious code is prevented from executing at all, whereas runtime HIPS can only interrupt code that has already partly executed.

    That's different from KAV proactive defense module, Panda TruPrevent or (I think) F-Secure system control.

    I wonder which company will first offer both types of defense: behavioral heuristics plus HIPS. Maybe both could use the same ruleset, to some extent...
     
  3. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Hi,

    This is not a sandbox, it is an emulation environment. Instead of checking code, it runs it in a protected emulated area, checks what it does and decides whether it's good or not.
    Real sandboxes are DW, Sandboxie...

    These are heuristics (guessing from actual code if it will perform malicious actions).

    This is an application controller. Some actions, based on rules, are forbidden.

    So, Sophos HIPS looks more like Norman's sandbox than any other product, as on their site they say:
     
  4. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    This is a matter of definition. Norman called it "sandbox" because it decides if the studied program is a malware by comparing the status of the "virtual environment" before and after execution, rather than relying on a log of called API functions (although the sandbox can also output such detailed logs).

    These are functionally similar to Norman sandbox: emulating the malware, taking a decision based on its actions. See the "BehavesLike", "Dropped", "GenPack" from BitDefender. According to Anton Zajac, NOD's advanced heuristics works in a similar way: "The second is even more sophisticated. It's based on virtual PC technology. We throw a file into a confined section of the memory where the entire computer is simulated with all its devices, memory, drivers, etc. Then we let the file--which arrives through e-mail--run in this confined, virtual PC environment. In this confined environment, our system can make a very good, educated guess regarding the malicious nature of a file." NAI/McAfee filed patents describing similar methods. F-Prot uses the same strategy, at least for some malware (I guess it's not limited to VB): http://www.av-experts.org/weblog/?p=36

    Implementation differs, but the fundamental principle is the same: emulate the executable, log its actions, decide if it is malicious.


    [About KAV PDM] This is an application controller. Some actions, based on rules, are forbidden.


    I never used it, but I thought it was a little bit more than that: trying to guess from various actions of the executable (~API logging) if it is malicious or not. Contrary to McAfee VirusScan Enterprise, which relies on a set of fixed rules to allow or forbid some specific actions (e.g. prevent execution from the temp folder, prevent connection to IRC server, etc.). Another ability of KAV is to "roll back changes".

    Norman, Bitdefender, NOD and probably others (I wonder how Antivir's and VBA32 work). Anyway, none of these programs fit in the commonly accepted definition for "HIPS".
     