The Perfect HIPS ?

Discussion in 'other anti-malware software' started by Vikorr, Jul 31, 2005.

Thread Status:
Not open for further replies.
  1. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Just thought I'd start a thread asking what you think the perfect HIPS should consist of <irrespective of how hard it would be to program it all into one HIPS> :

    I personally think it should sit at the kernel level, and should do/have :

    -Whitelist the computer drivers/exe's etc upon install

    -A firewall

    -Registry Protection <incl Autostart & DLL injection>
    -Global Hook protection

    -Internet Browser Protection (for home pages, toolbars etc)
    -Decent cookie manager
    -Hosts file protection
    -Prevent service/driver installation whilst surfing net (or ask user)
    -Ask user if exe runs whilst surfing the net

    -Script Analyser (for scripts from all sources)

    -if an unwhitelisted exe makes changes outside of its Windows folder/registry region, have popup warning stating such, and ask if they are installing a program (I think this idea would work properly - haven't seen it anywhere)

    -Prevent modification to any computer whitelisted executable by any nonwhitelisted script/program, unless added to the whitelist

    -Prevent the reading of address lists (in email, IM etc) by outside programs (anything not the email, IM client etc)

    -Have a trusted install feature, so that you don't have to disable the HIPS to install, but still get warnings about certain things (like a new autorun program, dangerous scripts etc)

    Lastly, although I know this steps on AV's areas, I believe it should keep a signature database of the months top 10,000 Malware (this would take some of the decision making out of our hands, but make the HIPS much quieter, and much more intelligent. 10,000 would make any realtime scan quick, and if it didn't have the signature, it would revert back to normal HIPS function). Only problem with this idea - to keep track of what the top 10k were, you'd have to have a reporting function in the HIPS, and I know not everyone would like that (so option to turn it on or off).

    Can't think of any more ideas for now. Have fun making some more suggestions :)
     
    Last edited: Jul 31, 2005
  2. StevieO

    StevieO Guest

    Hi Vikorr,

    A welcome idea for a topic. I would like to suggest the following.


    First of all the importance of starting with a clean PC from day one when the HIPS is installed. If this means doing a reformat and a fresh install of the OS etc, then so be it.

    Whitelist the computers dll's also.

    Folder write protection Allow/Deny popup.

    I think the AV idea might work better if the HIPS worked in tandem with the AV/AT etc, and just called on them to verify things etc when required to do so.

    Boot sector tampering prevention/warning Allow/Deny popup, with possible Google etc lookup beforehand.

    Motherboard tampering Bios/Video card etc prevention/warning Allow/Deny popup with possible Google etc lookup beforehand.

    Encrypted HOSTS file, along with protection.


    I don't believe in a one for all App though, as this could lead to Big problems if the App should go down for any reason. For example, a firewall should be a firewall and Nothing else.

    Also all Apps should be written in as highly efficient code as possible, and bloat free. I am a firm believer in having both a simple interface for non techies, and a much more comprehensive one for those that wish to explore further and understand things better.

    If i think of anything else i'll post it.


    StevieO
     
  3. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Guys,

    A couple of comments seem appropriate as I've already disclosed some of the upcoming OA facilities and this seems like a good place. I won't comment on stuff OA already does as that's fairly well documented here, and on the site - and as we have around 40 pages of concepts and ideas, I won't list it here.

    In the 1.2 release of OA, we're planning to implement powerful registry protection as I have said before. Part of this will be centrally updated rules with plain english descriptions and guidance. For example, a program trying to add itself as a Winlogon notification as some malware has done (stripping rights off the logging on user) would receive a detailed (and red) warning.

    Services and device drivers - I've already got code that will protect device drivers and services - but also centralised whitelist as well which includes signature verification (ie MS or other signed code). In this way (like the OA program blocker) the user is not bothered with making decisions if we already know what the answer should be based on the whitelist. The last thing we want is people to make bad decisions based on "popup fatigue".

    There are also plans for more extensive protection options for folders and files. For example, as a programmer I want to be able to do repeated builds of my exes and not have OA stick its nose in each time... so my "build" directory would be excluded from monitoring. In a similar vein, I don't want *any* program accessing my "personal finances" folder without my explicit consent (read, write, delete).

    The other thing that has become clear - we have focused OA on ease of use, but it seems that it's also highly desirable for the experts around here to have full control and visibility of what's going on. So, we'll likely have a couple of levels of operation... ranging from "Expert, show me *everything* control freak" down to "make decisions for me."

    We do have plans for an integrated firewall in OA - but this will likely be in a release 1.4 of the product. As people have already pointed out, there are existing personal firewall solutions that already work well - so this is a nice to have for OA, rather than a critical hole. But, it is coming.

    More than anything I am interested in listening on this thread to see what people want to see - and if it fits in with what OA is supposed to do, then it will surely be added to our list. We want to make OA the "no brainer" decision for protecting computers.

    @Vikorr - I would not be concerned about HIPS programs stepping on the toes of AV companies. Programs like OA already step on those toes to some extent (mail filter could easily check attachments for viruses) and personally, I think that AV will need to adapt or die.

    Mike
     
  4. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    @StevieO... man, you beat me by seconds!

    It's obviously best to start with a clean PC and keep it clean.. but it should still give some protection/recovery capability even if not. Speaking from a purely commercial perspective, if OA required a reformat and rebuild to install I don't think we'd sell many.

    Some neat ideas in there... but it's late here, so I'll have to leave it 'till tomorrow to copy and paste them into the OA to-do list.


    Mike
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I think a HIPS product has to do one thing really well - that is, to stop the "bad guys" as early as possible so that they cannot perform any malicious work. Stopping the bad guys from updating a registry or any other system file/database may already be too late.

    To this end, the HIPS should be comprehensive in its knowledge of "executable portals". Any vulnerabilities in this area: e.g. scripts, dll injections, inadvertent executable permission, could be fatal to the user. So all "entry points" must be covered. In addition, the user should be given as much information as possible concerning the executable event. Security Task Manager, for example, has a database of "user reviews" of executables to assist users in making their decision.

    Refining the "upfront" user decision making process is critical to mass-market acceptance. While all of the other features (e.g. monitor registry/system file access and updates) are interesting, I think the more decisions that a user has to make, the more likely they are going to make the wrong decisions. So the key is to 1) minimize the number of decisions that they have to make by concentrating on the key "choke points" and 2) provide as clear direction and information as possible so as to ensure correct decisions are made, where necessary. Automation, of course, is desirable where plausible.

    Rich
     
    Last edited: Jul 31, 2005
  6. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Although I didn't exactly list it, my thoughts on what HIPS should protect from (not how they should protect from) are:

    Internet
    -Browser
        -user downloaded files
        -driveby downloads
    -IM
        -server
        -attached files
        -address list
    -P2P
        -server
        -downloaded files
    -Email
        -attached files
        -address list
    -VOIP
        -don't know how secure it is, but even if so <once more if it accesses a place it shouldn't>
    -Other
        -any other internet vehicle I missed
    -General
        -scripts/exe's etc not accessing areas they shouldn't whilst Browser etc open

    Installations
    -vital changes (autostarts etc)
    -exe's etc accessing areas they shouldn't

    Exe etc monitoring
    -same as installations

    Mike, thanks for the info on the direction of OA. StevieO and Rich, I like those thoughts. Quite agree that even with all those features, it should be as light on system resources as possible.

    More ideas/criticisms ? :)
     
    Last edited: Jul 31, 2005
  7. ---

    --- Guest

    The whole "I want to catch them as early as possible" motto is a nice one, but that's covered by execution protection only. HIPS covers far more than that.

    Scripts? Fair enough, though unless you have an exploit in the application, most of the scripts will be executed by you double clicking on them.

    Dll injection could only happen if you had already run a rogue process, so that isn't one of your "executable portals" (did you coin this funny phrase?).

    Also, I'm not sure how the system could figure out if an execution was "inadvertent". Could be cool though if it was possible. Maybe mind reading powers?

    I'm afraid, like it or not, you have to let them run a bit before the system can even begin to determine if it's a possible baddie.
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Maybe, maybe not. The company that solves the "tough problems" will be the one that wins in this marketspace. "Me too" products will be numerous and undifferentiated - and unlikely to return on the investment in any substantial way (e.g. AntiHook). The "me too" vendors will end up like the AT vendors, scrambling for some small differentiator that will keep them afloat. Hopefully, some vendors will take the time to analyze the problem and come up with unobvious and unique solutions. I believe it is possible. It just takes one person with one special insight that possibly no one else has had.

    Rich
     
  9. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    This is why I like the idea of having white/black lists (with central database) and/or an AV type integration (or maybe calling on the AV to scan as suggested previously) - can tell upfront in 'most' cases, and if not, then revert to 'traditional' HIPS method.

    The above hopefully solving that problem.... and the problem, as Mike put it, of 'popup fatigue' (and/or lack of knowledge of what the popup means)
     
  10. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    A-squared ? :D
    Version 1.7 beta personal - is really pretty nutts, as well as unique :D

    Tower of Power play a tune called "What is Hip?". :p

    As another side note I'm thinking the real answer might be Charlize Theron?

    Sorry for the Humor... really - how about a-squared? You say IDS I say tomato.
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Worms and trojan droppers are among the most prevalent threats out there, and many do not require any user interaction to run, often achieved with mobile code (ie, scripts).

    Wtf? Investment generally means you get money back. If you buy a winter coat, and it's durable and works well, that's still an expense.. an expense of living in a climate that gets cold in the winter, not an investment. It may be high quality, but that's not the same thing. If your investments require you to give them additional money every year without any payout, it's time to find a better investment.

    I also wouldn't judge a product by its uniqueness to the market. There were plenty of registry monitors around when RegDefend came about, and file system filter drivers were nothing new when Prevx came to be. It's all stuff that's already been done, just given a new face with some new features. It's just going to take some time and feedback before they start figuring out how to make these generic protection programs suitable for the masses. It will probably be the company with the largest R&D and marketing budgets that really "win", then there will be plenty of smaller companies to come along and do it better. Personally I judge products by their features, reliability, stability, and ease of use. I'd rather base my decision of a product on its own merits, rather than its place in the market or any other such abstractions.

    There have been plenty of groundbreaking ideas in this world, most just go by the wayside unless they come at the right time and in the right place. Until it happens, I doubt any of us will be able to see what the right 'formula' really is.

    On the topic at hand, to me the ideal IPS would be something that thoroughly covers all entry points (internet, email, program installations), fortifies existing common security applications (ie, blocks termination, hooking, etc.), then covers the most crucial infection points (ie, stops keyloggers, rootkits, etc., from installing, and generically blocks exploit behavior). To top that off it needs to be light on resources, unintrusive, easy enough to use that I can put it on my mom's machine, and customizable enough for people like myself to configure around other software, security or otherwise.
     
  12. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Maybe it's not entirely possible to figure out inadvertent - but let me give you a real example...

    Without OA:
    I received a zipfile which contained a nice little "screensaver" - double clicking on it and it failed... it opened up a notepad window saying "unpack failed". Ah well, the free screensaver was no good.

    But, of course I knew it was nasty so I ensured I had OA running to test it and see what *really* happened - the sucker dropped a few files in windows\system32, set them to auto run, dropped a couple of batch files - one of which was to give the exes it had just dropped access thru the windows firewall! (don't get me started about APIs on firewalls)

    Now, obviously I did this as a test to see what OA did... but, if you double clicked on a "screensaver" and you got:

    0 - A warning - the EXE is trying to start
    1 - A warning telling you that batch files were being executed
    2 - A warning saying that the EXE was being set to auto run
    3 - A warning saying "this 'lil sucker is trying to write to windows/system"
    EDIT: OA doesn't do point (3) just yet...

    Finally, followed by the notepad window. Of course, by this stage you'd be wondering what was going on (and, using OA as I did, I was then able to block the exe and rollback the file and reg changes it made).

    The point is this - I "intended" to open a screensaver to see what it looked like.. and all that nasty stuff started to happen. The screensaver was my intent, the rest was not.

    Mike
     
    Last edited: Jul 31, 2005
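    As an added example, and not code from Online Armor or from anyone in this thread, here is a small Python model of the design points raised in Mike's earlier post and in the screensaver story above: processes on a central whitelist or signed by a trusted publisher get no popups at all; registry writes are matched against centrally supplied rules that carry plain-English guidance (a "warn" for the Run key, a hard "block" for a Winlogon notification package); writes outside the executable's own folder raise Vikorr's "are you installing something?" warning, with an excluded build directory as Mike wants; every allowed change is journalled so it can be rolled back; and a running suspicion score terminates the process once it behaves the way the "screensaver" did. Every hash, path, rule weight and the event stream itself are constructed for the example; a real HIPS would hash and signature-check the file on disk.

```python
from dataclasses import dataclass, field
from typing import Optional

# Central whitelist keyed by content hash (constructed hashes, not real files), plus
# publishers whose signed code is trusted outright, standing in for signature
# verification. Anything on either list never produces a popup.
WHITELIST = {"sha256:" + "a" * 64: "notepad.exe (constructed entry)"}
TRUSTED_SIGNERS = {"Microsoft Windows"}

# Centrally updated registry rules with plain-English guidance. "warn" lets the
# user decide; "block" is for keys where the rule author already knows the answer.
REGISTRY_RULES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": (
        "warn", "is adding itself to the auto-start list"),
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify": (
        "block", "is registering a Winlogon notification package, a technique "
                 "malware has used to strip rights from the logging-on user"),
}
PROTECTED_DIRS = [r"C:\WINDOWS\system32"]   # writes here add extra suspicion
EXCLUDED_DIRS = [r"C:\dev\build"]           # e.g. a developer's build directory
SUSPICION_THRESHOLD = 3                     # terminate and roll back at this score


@dataclass
class Process:
    name: str
    file_hash: str
    home: str = ""                # folder the executable lives in (its "own" folder)
    signer: Optional[str] = None  # verified publisher, if any
    suspicion: int = 0            # accumulates across events for this process


@dataclass
class Journal:
    """Every change the user let through, so a later block can undo it."""
    entries: list = field(default_factory=list)

    def record(self, kind: str, target: str) -> None:
        self.entries.append((kind, target))

    def rollback(self) -> list:
        undone = [f"undo {kind} {target}" for kind, target in reversed(self.entries)]
        self.entries.clear()
        return undone


def is_trusted(proc: Process) -> bool:
    return proc.file_hash in WHITELIST or proc.signer in TRUSTED_SIGNERS


def _under(path: str, dirs: list) -> bool:
    return any(path.lower().startswith(d.lower()) for d in dirs)


def decide(proc: Process, event: tuple, journal: Journal) -> tuple:
    """Verdict for one event: ('allow' | 'warn' | 'block', message shown to the user)."""
    kind, target = event
    if is_trusted(proc):                       # whitelisted or signed: no popup
        return "allow", f"{proc.name} is trusted, no prompt"
    if kind == "exec":
        return "warn", f"{proc.name}: unknown executable is starting"
    if kind == "spawn":
        proc.suspicion += 1
        return "warn", f"{proc.name} is launching {target}"
    if kind == "reg_write":
        for key, (verdict, why) in REGISTRY_RULES.items():
            if target.upper().startswith(key.upper()):
                proc.suspicion += 2 if verdict == "block" else 1
                if verdict == "warn":          # only allowed changes need undoing
                    journal.record(kind, target)
                return verdict, f"{proc.name} {why}"
        return "allow", f"{proc.name}: unmonitored key {target}"
    if kind == "file_write":
        if _under(target, EXCLUDED_DIRS) or (proc.home and _under(target, [proc.home])):
            return "allow", f"{proc.name}: own or excluded folder {target}"
        journal.record(kind, target)
        if _under(target, PROTECTED_DIRS):
            proc.suspicion += 1
            return "warn", f"{proc.name} is writing to a system folder: {target}"
        return "warn", f"{proc.name} is writing outside its own folder: {target}"
    return "allow", f"{proc.name}: {kind} not monitored"


def run(proc: Process, events: list) -> list:
    """Feed events through decide(); block and roll back once the score crosses the threshold."""
    journal, log = Journal(), []
    for event in events:
        verdict, msg = decide(proc, event, journal)
        log.append((verdict, msg))
        if verdict == "block" or proc.suspicion >= SUSPICION_THRESHOLD:
            log.append(("block", f"{proc.name} terminated, rolling back "
                                 f"{len(journal.entries)} change(s)"))
            log.extend(("rollback", u) for u in journal.rollback())
            break
    return log


# Constructed event stream modelled on the "screensaver" described in the thread.
SCREENSAVER_EVENTS = [
    ("exec", r"C:\Users\me\Downloads\screensaver.exe"),
    ("file_write", r"C:\WINDOWS\system32\svcupd.exe"),
    ("reg_write", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcupd"),
    ("spawn", "cmd.exe /c addfw.bat"),
    ("file_write", r"C:\Users\me\Downloads\unpack_failed.txt"),
]

if __name__ == "__main__":
    sample = Process("screensaver.exe", "sha256:" + "f" * 64, home=r"C:\Users\me\Downloads")
    for verdict, msg in run(sample, SCREENSAVER_EVENTS):
        print(f"[{verdict:8}] {msg}")
```

    Run as-is it prints the four warnings the screensaver would have produced, then the termination line and the two rollback entries (registry value, then the dropped file) in reverse order of the changes. The same stream fed through a whitelisted or signed process yields only "allow" lines, which is the popup-fatigue point: the decision count only matters for code the whitelist cannot vouch for.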
  13. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Oh yeah,

    Add to my list, a HIPS that

    Handles
    -svchost.exe properly
    -rundll32.exe properly
    - and maybe services.exe (though not exactly sure about this exe)
     
  14. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Rundll32 we already handle correctly, and I believe svchost as well :)

    (Assuming by correctly, you mean "don't trust RunDLL, trust what runDLL runs")

    Mike
     
  15. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Yup, that's what I meant.
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907

    Yes, ... or another way to put it, minimizing the number of decisions a user must make, and at the same time maximizing the chances that the user will make the right decision, while all the while maintaining the highest level of system integrity.

    Rich
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Yes, I agree. And a HIPS product that could follow the action and provide feedback to the user, that something ain't kosher, is far more valuable than simple pop-ups. I think these types of capabilities will differentiate HIPS products in the future, as opposed to how many "system objects" are being tracked and being alerted on.

    Rich
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Good job Mike.

    Rich
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I wouldn't look at it like this. Investment means putting resources into something while expecting some value returned at some future date. I think a good ROI is very important to a company, and good value important to customers. Everyone should theoretically feel that it was a "good investment" with a good return.

    Unique features tend to drive the market. For example NOD32's heuristics vs. KAV's signature database. When a potential customer comes along and asks why should I purchase A instead of B, companies better have a good story or else their product is very short-lived. Notice how lack of differentiation is driving AT vendors out of the market.

    In the case of HIPS, I believe it will be the "ease-of-use" that drives the market - as opposed to "number of objects that are protected". There is lots of potential in creating friendly interfaces, as Online Armor is beginning to demonstrate, though I believe lots more can be done. I am sure Mike would agree.

    Rich
     
  20. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Sure... we've already had good feedback and suggestions for improvements and enhancements to the product, so watch this space :)

    Personally, I think another major factor will be support - the accessibility and availability of the sort of support that people want, in a way that is appropriate for the user.
     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Totally agree. If a user has their questions answered - that's 99% of it. It is all about "building a comfort level".

    Rich
     
  22. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    :D Of course, you don't want to have to call/email that support too often. That could lead to some well chosen swear words I would think.

    But in the event that you do need to contact support, a prompt response can increase a persons good impressions of a company/product.
     
  23. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    This just sounds more like pompous marketing speak to me, and I think it would probably drive away anyone with real money, the ones that are fully aware of what investments are all about. Quality would probably be a better focus, IMO. Insubstantial, really, I just don't see why you keep bringing it up.

    Versus Norton and McAfee's market share?

    This I very much agree with :) I'd add customer respect/appreciation to this too, as we all here know *cough*, although I think that plays more than a 1% part. This all seems to be already present with OA, however :)

    One thing I can add to my above list is intelligent decision making. This is something that you don't see very often, except by a few like Principal, LOM Heuristic, and possibly Panda's TruPrevent (haven't really used it, but it's the impression I get). I wouldn't want to substitute that for the standard alerts, just add it to them.. "this process is behaving very suspiciously and warrants further investigation. It has been shut down in the meantime. Would you like to submit it to us for further analysis? [yes/no]"
     
    Last edited: Aug 1, 2005
  24. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Well, here's the current plan for OA support:

    1) - Free support in the OA forums; It's going to be manned by Tall Emu guys including myself, Ben, Chris, Scott, Darryl and Justin (the new guy). We're all based in .au. I have also agreed with a guy in the USA (subject to us actually selling one or two copies of OA :D ) that he's going to work for us as well, which extends the amount of time someone is available to respond to queries.

    2) - Premium Phone support, using Wombat, our remote desktop support tool. The idea here is that the user with problems can sit there on the phone and ask "How do I do this...?" and listen/watch as we help solve the problem in real time. Because our phone system is VOIP-based, we can seamlessly (in theory at least) transfer calls between the US and AU locations depending on time of day and operator availability.

    By providing this mixture of support - some free, plus an additional paid option, it means that we can keep people who are happy with electronic support supported, but also - those who need extra assistance can get it on a user-pays basis. (We've done some discreet field-testing with this - without the voice part - Sydney to Seattle, Geneva and London - no problems)

    While we haven't finalised pricing or timing on the premium support, it will be priced high enough that we can recover the costs of providing it, but not so expensively as to make it unfairly expensive.


    Mike
     
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hmmm ... I really need to bone up on that part of the computer industry. ;)

    Rich
     