The BlueZannetti model of software security pretty much preaches:

* AV
* AT (memory scanner)
* Firewall
* HIPS

However, since he wrote this almost a year ago, the 'HIPS' arena targeted at home use has, in my view, split into at least 3 different and fairly distinct classes. So this is my model and theory of how the HIPS market looks now for Wilders members...

Don't get me wrong, I admire Kareldjag's far more detailed HIPS classification (anomaly detection, white listing, virtualization etc), but I think my way of looking at things might perhaps be more useful to users and also seems to be a better match to how people are perceiving things.

1) 'Classic' HIPS, system firewall, dumb behavior blocker

The first class is represented by ProcessGuard, AppDefend, SSM, ProSecurity etc. Some call it 'classic HIPS', 'system firewall' or even policy based behavior blocker. You know the drill: you set the rule to monitor a certain system state or behavior, and when it occurs you are alerted and given a chance to block it. Of course the article above was in the context of an administrator of a network system; in the home user context such a HIPS results in a lot of popups.

The pros are obvious: full control to the user, the computer can't fart without your permission. The cons are equally well known: too intrusive with many popups, too difficult to use for beginners.

The next two classes of HIPS can be seen as different attempts to solve the problems of too many popups and to simplify use for beginners (though historically the concepts they are based on are very old, of course).

2) Sandboxing (with or without virtualization)

The second class is represented by Sandboxie, GreenBorder, BufferZone, DefenseWall etc. Called 'sandbox HIPS', these security programs allow you to run untrusted programs 'isolated' from the rest of the system, so even if something goes wrong it cannot affect the rest of the system. I personally feel GeSWall and CoreForce are also sandboxes.

I think Notok (or it could be someone else) was first here to make a distinction between sandboxes with virtualization and those without, and this might be yet another split among the sandbox products. Ilya argues that DefenseWall has virtualization (process virtualization) but not file system virtualization. Of course this is if we buy the sense 'virtualization' is used in in the first place, as compared to 'real' virtualization in VMware. We could make further distinctions but I don't think it is productive.

Sandbox advocates like Ilya argue that sandbox HIPS are superior because they are easier to use: they typically don't pop up warnings at the user, and if the sandboxed process violates one of the rules, it is just blocked silently. The disadvantage of course is that for the most part, if some app you are trying to run sandboxed fails, you can't do anything about it.

3) Behavior blockers, the smart ones

The last class of HIPS is what some have taken to call behavior blockers (though I personally feel all HIPS except sandboxes are behavior blockers; SSM is just a dumb behavior blocker!). These are 'smart', expert-based systems that do not alert on just any behavior, but only if it is likely to be malicious. This article explains it thus.

That sounds a lot like Cyberhawk, doesn't it? Also see Safe'n'Sec with its 'Intelligent Decision Maker'. To some extent also Prevx and its heuristics settings, and perhaps KAV 6's PDM. Panda's TruePrevent (to be removed)?

The line between a smart expert-based behavior blocker like Cyberhawk and a dumb policy-based behavior blocker like SSM is not always 100% clear though. After all, the 'smart system' is made up of a couple of simple rules in sequence, or just a well chosen rule. At times SSM reacts exactly the same as Cyberhawk (to a DLL injection for example, both react 100% each time).

One thing I notice is that most of these smart behavior blockers tend to have hidden rules. This kind of makes sense, since you don't want the bad guys to easily find out what is being detected and hence work around it. On the other hand, some (like the a-squared author) have argued that with the right IDS rules it doesn't matter if the rules are made public.

The pros of this class of products? Much fewer false alarms (arguably the concept of false alarms makes no sense with other types of HIPS!!), much easier to use. The cons? Lack of control, uncertainty about how effective it is. Some of this uncertainty is because users here just can't test with a leaktest (arguably the most common form of 'testing' here) to judge its effectiveness.

Other considerations and trends

Arguably, there can be a 4th class to account for execution control, process filtering, or whatever you call it. Kareldjag calls products like Anti-Executable and Abtrusion Protector, which only do this, pure white list HIPS. In my classification there is no need to create a special category for anti-executables, as they will fall into the first class of HIPS. This might not be historically or technically correct, but I think it's not worth making a big point of.

There's also a new trend that Notok/Prevx is driving with the buzzword "community". Trying to distinguish themselves from their rivals, Prevx1 coined the term CIPS? They hype themselves as not just a behavior blocker! Community based warning systems are not new, but from what I can interpret from what Prevx1 is saying, they have pretty much licked the problem of automatic analysis of malware samples with little or no human intervention!!! Time will tell if this will result in yet another HIPS class.

And there also seems to be a trend towards combining approaches, which makes sense of course, with HIPS adding blacklisting (despite huge protests by a certain ErikAlbert).

So, dear Wilders members, which of these 3 types of HIPS do you favour? Knowing most people here, they will end up with all three!!!
Already I see people recommending the free Cyberhawk + SSM! Why stop there? Add Geswall or Sandboxie!
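A toy model of the distinction drawn above between a 'dumb' policy-based blocker (prompt on every monitored action) and a 'smart' one built from a couple of simple rules in sequence. This is an added illustration, not code from any product named in the post; the event log, process names and the rule chain are all constructed for the example.

```python
# Two rule styles applied to one constructed event stream.
# Policy blocker: every monitored action triggers a prompt (a popup).
# Expert blocker: only a chain of simple rules completed by the same
# process triggers an alert, so ordinary installers stay quiet.
from collections import defaultdict

# Constructed event log: (process, action, target). Not real telemetry.
EVENTS = [
    ("setup.exe", "write_file", "C:\\Program Files\\App\\app.exe"),
    ("setup.exe", "set_autorun", "HKLM\\...\\Run\\App"),      # legit installer
    ("word.exe", "create_process", "cmd.exe"),
    ("word.exe", "inject_dll", "explorer.exe"),
    ("word.exe", "set_autorun", "HKCU\\...\\Run\\svc"),      # injection then persistence
    ("notepad.exe", "write_file", "C:\\Users\\me\\notes.txt"),
]

# Actions a classic HIPS would be configured to prompt on (constructed set).
MONITORED = {"set_autorun", "inject_dll", "create_process"}

# One 'well chosen' sequence of simple rules: persistence set up by a
# process that has already injected into another process.
CHAIN = ("inject_dll", "set_autorun")


def policy_blocker(events):
    """Classic HIPS: return one prompt per monitored action, no context."""
    return [(p, a, t) for p, a, t in events if a in MONITORED]


def expert_blocker(events, chain=CHAIN):
    """Smart blocker: alert only when one process completes the whole chain.

    progress[p] is how many chain steps process p has completed so far;
    a step that does not match the next expected rule is simply ignored.
    """
    progress = defaultdict(int)
    alerts = []
    for p, a, t in events:
        if a == chain[progress[p]]:
            progress[p] += 1
            if progress[p] == len(chain):
                alerts.append((p, a, t))
                progress[p] = 0  # reset so a repeat chain alerts again
    return alerts


if __name__ == "__main__":
    print("policy prompts:", len(policy_blocker(EVENTS)))   # 4
    print("expert alerts: ", expert_blocker(EVENTS))        # only word.exe
```

With a one-rule chain such as `("inject_dll",)` the expert blocker fires on the same DLL injection the policy blocker prompts on, which is the case where the two react identically.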