What is the best HIPS out there ?

Discussion in 'polls' started by IcePanther, Jun 9, 2006.

?

What is the best HIPS software ?

  1. Antihook

    1 vote(s)
    0.4%
  2. Ghost security suite

    31 vote(s)
    11.6%
  3. Online Armor

    60 vote(s)
    22.5%
  4. PrevX

    38 vote(s)
    14.2%
  5. Process Guard

    29 vote(s)
    10.9%
  6. System Safety Monitor

    54 vote(s)
    20.2%
  7. Other.... (please specify in your post)

    54 vote(s)
    20.2%
Thread Status:
Not open for further replies.
  1. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    I'm on XP¨SP2.

    I have a laptop, which I use as if it was a screen, i.e. I have mouse and keyboard usb-connected to the laptop. Might be related to the cpu hyper-high usage I have since two latest SSM versions have this low level keyboard access control ?!
     
  2. herbalist

    herbalist Guest

    Aigle,
    Sorry about the delay getting back to you.
    I just finished creating a couple of test rulesets in learning mode, with the UI connected throughout both runs. I used Win98 for this, but I doubt the results would be any different on a newer OS.
    I left SSM in "block process creation" (default setting) for the first run. On the 2nd run, I Used learning mode and Paranoiac setting together.
    On both settings, the rules that were made for processes that started before SSM loaded were "allowed" rules. On the "advanced properties" screen of the individual rules for these processes, the default action for both parent and child is "allow". This includes any process launched from HKLM....RunServices. On win98, SSM is started from the HKLM.....Run, and doesn't load until the user logs in. On the DOS based systems, you can manually add an entry for SSM to RunServices and uncheck it's own autostart entry if you want it to start earlier. This works on 98/ME units with one user profile. It will work on multiple user 98/ME PCs, but all profiles will be on the same ruleset if you do this. If you need separate rulesets or filters for different user profiles, leave its "start automatically" option as is.
    The difference is in the rules made for processes started after SSM starts. When the block process creation setting is used with learning mode, the rules made for most (not all) new processes are of the "allow" type with "allow" as the default action for parent and child.
    When the paranoiac setting is used with learning mode, nearly all the rules for newly started processes were the "advanced" type, with the default action for "parent" set to ask. The default action for "child" remained as "allow".
    The rules created in learning mode using the paranoiac setting permit the new processes to be started only by the parent process(es) that was used, while the "Block process creation" setting makes rules that allow all parent processes. This assumes that the parent process is already permitted. You won't see any difference in behavior until you disconnect the UI. As long as the UI is connected, nothing is blocked unless you specifically make a blocking rule.
    Learning mode doesn't stop all prompts. On mine, if I used "Send To" to send a file or folder to a process that there was no rules for, I am prompted. If a rule existed for the process that "Send To" directs the file/folder to, then I wasn't prompted.
    Paranoiac setting and learning mode work together well, at least they did for me. The main difference in how you treat the learning process is that you need to launch the processes you will be using from all the locations they would be started from. If your browser starts your media player, you'll need to launch it with it as well as using explorer to do it. You can also manually add (or remove) processes from the parent listing on the advanced rule menu. Make sure you're thorough with your AV software, launching it from everything it's integrated into and run the full update process for it. Rules for CD burning software can also be complicated. At times, a process is a parent and child to another instance of itself. If you're up to it, get to know what process each process on your system starts (the parent) and is started by (the child) and gradually edit the existing rules to match. Be very careful with system processes used during bootup. I used Process Explorer to get the parent+child settings accurate. On the DOS based systems, you can manually add an entry for it to RunServices, which gives you the opportunity to see any "run once" processes that aren't normally visible. Take your time and save copies of the ruleset as you go. One more thing. SSM can make separate rulesets for each user. If you're set up with multiple user accounts (or profiles on the older systems) wait until you finish the global configuration (for all users). You can edit it to account for any differences you may want to add for different users and save the result as a user configuration. This is where SSM is extremely useful on 98/ME. You can block any individual user from accessing any program or executable (like regedit) and allow it for yourself. The filters are also user specific and work on system files and folders as well as web pages. On a familt PC, want to keep the kids and their friends out of the control panel or the Internet Explorer options screen? SSM made this easy.
    Rick
     
    Last edited by a moderator: Jul 20, 2006
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Just noticed this today with free version, 2.0.8.577, services exe is giving these spikes. Anybody noticed it?

    If i exit from SSM, services exe spikes stop.
     

    Attached Files:

    • ssm.JPG
      ssm.JPG
      File size:
      148.8 KB
      Views:
      12
    Last edited: Jul 20, 2006
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Thanks for the detailed reply. But from the screen shot I posted before it apperas that the rules are made with specific parent child relationship always. There is no option for two modes while in learning mode. But they are applied differently when u are in disconnected GUI(paranoid mode-- allowing only already existing rules with specific parent child relationships and process creation mode--{ where parent shild relatioship is ignored-- not sure about this though}). Am I correct? I wil try to ask in theor forum when I get some tume to post there.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Aigle

    Go to Preferences>Modules>Services and change the polling to a higher number.

    That will cut down the cpu spikes.

    Pete
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Thanks. This way I can decrease the no of spikes. But the spikes are normal in any case u mean?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes, until they change the services stuff from polling.
     
  8. herbalist

    herbalist Guest

    Aigle,
    The easiest way to see this would be to duplicate it on your system. In the SSM folder you'll find 2 files named global.cfg and global.dat. Shut SSM down and rename these 2 files. On mine, I just altered the file extensions to .cff and .das so SSM wouldn't recognize them. Then restart SSM. It'll launch with only a couple of rules listed. Leave the UI connected and select paranoiac setting and apply the changes before you enable the learning mode. Start a short list of processes, including a few that launch processes of their own. Save the ruleset under a temporary name, like test1 or take a couple screenshots.
    Shut SSM down again and delete the new clobal.cfg and global.dat files, then launch SSM again. Run thru the process again, UI connected but in Block process creation setting. Apply, then enable learning mode. Launch the same processes as before. You'll see the differences in the rules.
    When you're done, shut SSM down again and delete the same 2 files as before. Change the 2 files you renamed back to global.cfg and global.dat. You'll be back to your original ruleset and settings.
    I took a screenshot of the 2 different rulesets I made in the above manner.
    Learning mode + block process creation setting.
    Learning mode + paranoiac setting.
    The processes used aren't identical in both, but there are enough that are listed in both to show the difference.
    Rick
     
  9. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    does SSM still use polling ?
    I tougth it moved to kernel...
    Or it's only in the paid version.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It has for registry stuff, but still uses polling to monitor services.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Thanks, I will do it later. My ISP blocks ur uploaded snapshots by the way, so I can,t see them.
     
  12. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    Here are two snapshots I took from my 580, while no particualr program is running, no AV and so on...
    Any advice?
     

    Attached Files:

  13. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    and...
     

    Attached Files:

  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    It,s just too much and highly abnormal to me. I will suggest to post in their forum, u will sure get reply there. Infact I have no idea. Is it constantly like this or some spikes only?
     
  15. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    Constantly like this, as soon as 580 detects the keyboard and I instruct it to allow always.

    No such thing on the free version.
     
  16. EASTER.2010

    EASTER.2010 Guest

    SYSTEM SAFETY MONITOR continues to get my vote without question or second thought.

    It covers all thats ever needed watching over on my 98SE/XP Pro dual drive units and is effectively ended unwanted and unneeded forced intrusions entirely. Case Closed.
     
  17. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,374
    Location:
    Milan and Seoul
    I don't know about "the best", but I've had now for a year ProcessGuard full + RegDefend. I don't see why I should even try others as the main reason for HIPS, for me is to have security applications protection against termination and registry protection.

    I can happily declare that the latest version 3.405 is as stable as 3.150 on my system.
     
  18. Rui

    Rui Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    141
    Location:
    Portugal
    SSM without any doubt
    Rui
     
  19. ESQ_ERRANT

    ESQ_ERRANT Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    72
    I agree with Osaban to a "T". I have used ProcessGuard (namely, the purchased/complete version) plus RegDefend as my primary HIPS defense for several months now. Admittedly, I have not tried SSM, that others have mentioned in this thread to be their favorite, and I do not know if I would find SSM superior to the combination, ProcessGuard plus RegDefend, were I to trial SSM. Nonetheless, I have found ProcessGuard 3.150 plus RegDefend to have been both very effective and very stable on my system.

    As I draft this reply, I have just uninstalled PG 3.150 and installed PG 3.405 as its replacement. I trust that the newest version of PG will be as effective and as stable a program as the version I just removed.

    Note: I have tried the Ghost Security Suite, RegDefend and AppDefend, which at the time -- and I haven't checked since -- was in beta, and may still be in development, but I had stability problems when using the Suite on my system. Hence, I use the RegDefend component of the Ghost Security Suite, alone, with PG as my primary HIPS. The two programs appear to get along well.
     
  20. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    SSM. Even as an unregistered user of the free version, I had my query answered within 24 hrs after sending it.
     
  21. Dina

    Dina Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    107
    wow thats nice. i dont have any installed maybe i should start with ssm.
     
  22. TonyDownUnder

    TonyDownUnder Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    46
    It's Ghost Security for me. RegDefend and AppDefend work flawlessly and the Security Suite uses very little system resources. It plays nicely with firewalls AV and Antispyware apps. It has similar features to Process guard but I find the Ghost interface easier - though it doesn't look the best.;)
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Best for me = freeware + 1 paid

    I use
    - PrevX home (free) for Memory violation and shielding of vulnareable XP ares
    - ProcessGuard (free) to control program startup and proces modification
    - ANTIVIR free
    - DefenseWall (30 dollars life time license) as extra sandbox layer for LimeWire, Internet (IE7) and Outlook Express
    - Key Scrambler (IE plug in for free) to fool any key logger (works on https sites)

    I do not use an outbound firewall. Use my Nat-routers inbound firewall. I first tries to set up sandboxing with GeSwall (free). Could not get it working completely hassle free (delayed write errors, printing via HP spooler, etc.), so I opted for DefenseWall (which worked hassle free out of the box).

    Did some security testing (by Googling the test programs used by Kareldjag) and was safe with all the test I could find and execute on my PC. Only some leak test fall through, but stealing of data is prevented.
     
  24. xuesisi

    xuesisi Registered Member

    Joined:
    Mar 2, 2007
    Posts:
    71
    tiny i like
     
  25. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I find ghost security suite to be the best for me. Its lightweight, stable and easy to use.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.