Discussion in 'polls' started by sukarof, Nov 10, 2006.
I am a bit curious about what makes people decide on what HIPS or CIPS to use.
In choosing Prevx1, I tested the application myself and I grew fond of it.
The fact that it's a CIPS rather than a HIPS also played a factor.
If I have to choose, it's the level of annoyance. I don't want to see any popups reading "ntkernel.exe is trying to eat itself" or such. And then, the simplicity of the solution.
Any security software that prevents installation of malware has priority #1, because if malware succeeds in installing itself, I get two more serious problems:
1. I have to stop the execution of this malware.
2. I have to remove this malware completely.
Up to now, I have only solved one of these three problems: complete removal.
Finding the right (combination of) software to solve the other two problems is my actual project.
Prevx1 is one of the programs that prevent installation of malware:
- It's one of the first programs that makes HIPS user-friendly. I respect that.
- I like its general character, kind of all-in-one anti-malware.
- I like the community spirit.
My preference still goes to Anti-Executable, because it works with a local whitelist.
HIPS are just an outline.
[[sorry for the double post]]
A couple months ago, I had a friend who teaches at a major university in the US send me an executable that she had received from one of her students. The executable was attached to an email that was clearly written by the student and sent with the attachment rather than being generated by a worm or other type of malware. This was obvious by the text of the email that referred to something that had been said in class the previous day as well as referred to the executable. The student said in the email that it was a video that she would be interested in. Clearly this was a red flag as it was in fact an exe file. I got the file and checked it with NOD, which said it was clean. I sent it to virus total, and one of the checkers there said that it was suspicious. I imaged my computer with Acronis, exported a known good ISR snapshot, turned up all of the levels on my security apps, and ran the file. That sucker attempted multiple changes to registry, tried to terminate multiple processes, attempted to modify services, and made repeated attempts to make outbound connections. System Safety Monitor caught it all except for the outbound connection attempts since I'm not running the beta with network controls (Jetico caught the attempts, however). After denying everything it tried to do, I did some investigating with comparing snapshots, images, etc and it appeared that SSM prevented any "infection." I knew at that moment that I had made a sound purchase. Of course, I did restore images, etc to be 100% sure, but I'm fairly confident that I would be perfectly fine if I hadn't.
Same here. After evaluating and testing SSM I am really satisfied.
I had to vote "other" as both 3 and 4 fit equally. I've been using/testing SSM since Max was the developer, version 1.8 or 1.9? My testing is limited to Win98, which the "experts" consider unsecurable. The majority of my testing would qualify as "combat" condition testing, visiting malicious and drive-by sites, opening infected e-mail, and trying to contact as much malicious code as I could find. I'm completely convinced that SSM can protect my old box from malicious code, well enough that I don't run a resident AV anymore. IMO, when used with a good tight ruleset and a firewall, SSM can protect a PC from anything except bad decisions by the user. I'm also convinced that a user can safely run a Win98 unit on the internet, protected by SSM and a good firewall, as long as they exercise good judgement when responding to SSM's alerts.
As for why I would choose HIPS over CIPS, not including OS compatibility problems, I'm not comfortable with letting someone else, whether it's a company, individual or community, decide what is and isn't acceptable or allowable on my PC. I'm not willing to give that amount of system access to someone I don't personally know. I'm not convinced that the server that a CIPS depends on is completely immune to being compromised and possibly being used to compromise the users or that the CIPS would continue to reliably protect my system should the server be subjected to an extended DDOS attack.
+I like a HIPS that can be tested, & wants to be tested, and makes improvements instead of excuses when test results are a bit unfavorable.
+I like a HIPS that calls itself a HIPS & doesn't make up advertising fluff to make it sound like its program is some new sort of amazing invention that no one has ever thought about before.
+I prefer a HIPS that has its own ACTIVE support forum.
+I prefer a HIPS where the hands-on staff is more than one person.
+I prefer a HIPS that first seeks to iron out bugs and customer problems concerning its CURRENT version before turning its major attention to the addition of more & more & more bells & whistles.
+I like a HIPS that does a really REALLY good job of uninstalling itself for those users who change their minds.
+I like a HIPS that shows ingenuity and subtlety in protecting its software from piracy, so that the burden of such protection is NOT placed upon users (via such crapola as "activation").
I test it for myself. That's my vote, but I first read about it. I go for concepts and check if they work.
I also chose "other". Think about it... a HIPS can stop a malicious process from even getting its wheels spinning. I love how SSM works. Attempting to even launch a leaktest, for example, results in a prompt: "Parent process abc is attempting to launch child process xyz". Like herbalist says, only a poor decision by the user can get you in trouble. As for the pop-ups so many complain about, once you create the necessary rules to allow/disallow, they will practically come to a complete standstill. Just run in "Learning Mode" for a day or two to expedite the process and reduce the pop-ups. That is all it takes.
I was using Kerio 2.1.5 firewall (terrific little firewall) with SSM beta, but Agnitum's latest 4.0 version of Outpost Pro is excellent. I'm a paid subscriber so I'm running it with the latest beta (596) of SSM with NOD32, 2.7 RC1. The three security applications run beautifully together, even on my P4 1.7 GHz, 512 MB RAM machine, and likely afford me Fort Knox-like protection. Crackers...go to Hel1
That's a pretty big "only"....
Depends on how static your system is and the range of activities and software you use and do. For me there are some activities I do only once a month, or even once a year. Lots of popups for me. Just the other day, I was firing up this accounting package and .........
Also one wonders how many popups you really get after 1-2 days of training.
Human memory is extremely subjective and what may feel like little popups to you might actually objectively be quite a large number, particularly if you don't mind answering popups.
It would be nice if the HIPS implemented some tracking of the number of prompts produced. Some software already display "X number of attacks blocked", and when I look at them, I see a *huge* number.... Assuming that this is proportional to the number of prompts generated.....
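Added example, not code from this thread or from SSM: a small Python model of the parent/child launch rules and "Learning Mode" described a few posts up, with the prompt counter this post wishes for. Process names, events and the rule logic are constructed for illustration only.

```python
from dataclasses import dataclass, field

@dataclass
class LaunchPolicy:
    """Toy HIPS rule table for 'parent launches child' events (hypothetical,
    modelled on the thread's description of SSM, not SSM's real logic)."""
    learning: bool = False
    allowed: set = field(default_factory=set)   # remembered (parent, child) pairs
    denied: set = field(default_factory=set)
    prompts: int = 0   # how many prompts the user would have seen

    def decide(self, parent: str, child: str, user_answer: str = "deny") -> str:
        key = (parent.lower(), child.lower())
        if key in self.allowed:
            return "allow"
        if key in self.denied:
            return "deny"
        if self.learning:
            # Learning Mode: everything observed becomes an allow rule, no prompt.
            self.allowed.add(key)
            return "allow"
        # Unknown pair outside Learning Mode: this is where the
        # "Parent process X is attempting to launch child process Y" prompt fires.
        self.prompts += 1
        if user_answer == "allow":
            self.allowed.add(key)
            return "allow"
        self.denied.add(key)   # remember the denial so the prompt is not repeated
        return "deny"

# Constructed launch events (parent, child); not captured from a real system.
TRAINING_DAY = [("explorer.exe", "firefox.exe"),
                ("explorer.exe", "winword.exe"),
                ("explorer.exe", "firefox.exe")]
LATER = [("explorer.exe", "firefox.exe"),
         ("winword.exe", "cmd.exe"),      # unexpected child: prompt, then deny
         ("winword.exe", "cmd.exe"),      # same pair again: denied silently
         ("explorer.exe", "winword.exe")]

def run_scenario():
    policy = LaunchPolicy(learning=True)
    for parent, child in TRAINING_DAY:
        policy.decide(parent, child)
    policy.learning = False               # training done, enforce from here on
    verdicts = [policy.decide(parent, child) for parent, child in LATER]
    return verdicts, policy.prompts

if __name__ == "__main__":
    print(run_scenario())   # (['allow', 'deny', 'deny', 'allow'], 1)
```

The counter makes the "how many popups do you really get" question measurable: only pairs never seen during training, and not yet answered, cost a prompt.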
Depends on who's making the decisions. I have confidence in my decision making ability regarding the alerts.
That depends on the user. I trust my judgement as well. I know what executables are on my system and what they do. Anything I don't recognize gets denied. Apps like SSM are more suited for those who know their systems. It's also much better suited for systems that are finished, as in configured and equipped the way the user wants it. For these, it's the ideal tool to lock it down and make sure your system doesn't get modified or compromised. HIPS is a much less ideal choice for users who aren't familiar with the processes on their systems and the functions they perform. It's also not a good choice for those who are always installing something new or changing what software they use. For those, the prompts don't go away because their system is always being changed. SSM is designed to prevent changes, whether they're desirable or not. It makes it very inconvenient for those who are always adding or removing something. HIPS, especially SSM is a bad choice for the casual user and for anyone who either doesn't want to or doesn't know how to properly respond to what the alerts tell them. Users who just click thru the alerts to get rid of them can cause all kinds of problems from allowing malicious code to blocking critical system processes.
herbalist, you always seem to say it best
I look for 2 things in a HIPS program:
1. It must work well, stopping most malware
2. It needs to make most decisions without my input. I don't want constant popups and alerts that I won't know how to handle anyway
Personally, I love the pop-ups. They provide me a way of learning how many of the system's processes influence and interact with others within the Windows environment. For example, it's quite an eye-opener just to see how much of an active role explorer.exe has on so many other processes and applications.
Absolutely, plus in addition.............
A solid HIPS program (such as SSM, to name one) is important more so now than ever. It goes without saying that the malware populace has increased greatly and continues to grow even more stealthy recently; with the introduction of adventurous rootkit coding going on, this makes HIPS a MUST! for at least staving off most if not all threats of forced intrusions.
I do a lot of local research and continue to experiment with different scenarios to ensure that the HIPS I turn to can in fact meet those types of challenges and, if discovered lacking in some area, pass on that concern to those developers for their review & opinions.
On XP Pro I'm testing a modified rootkit as recently as today that only RKunhooker was able to find under the [CODE HOOKS DETECTOR]; it offered a dll location, then struck the code back to default. BOTH process and dll were completely hidden from other Rootkit Detectors (including IceSword 1.20, Gmer, RKdetector etc.), and since the cmd shell was compromised, command-line scanners were helpless to even load. RKunhooker's action released the rootkit files from their cloaking and they surfaced safely. Oddly enough, of all things, an old freeware program [FileMapbyBB] I used a lot on my 98SE box did in fact identify the dropped files in WINDOWS as having been there at all, but of course they rapidly went ghost.
Point is, HIPS is VERY IMPORTANT for PC Security today, even for the average user, although as herbalist points out, many users can make just one fatal mistake and, to coin an old phrase, then they're hooked or rooted.
System Safety Monitor is still my personal choice, plus if you're so inclined, it is a wonderful program also for learning a lot of your Windows code instructions along with plenty of areas of interest that can be compromised in a moment of time.
Well if by best you mean long wordy sentences with no paragraphing....
As far as I can tell SSM seems to be great for Windows 98; all you people here singing the praise of SSM and helping with the development are mostly Win98 users, right?
I hope they got enough testers for XP people, now that Win98 support is dropped.
Also I wish I had your confidence that I would never make a mistake when replying to prompts. I guess that is why you guys using SSM have never been hacked or infected before....
SSM can certainly be prompt-heavy to start with (unless you use Learning Mode), but this is a very good way to find out how your system "normally" operates (which programs need to set hooks, which try to send network traffic, what programs and parameters are used for common functions).
It is this knowledge that is probably the most important in determining when things are amiss but at the same time it does mean that SSM is not well suited to the casual user who isn't interested in what goes on "under the hood". For those that are, SSM is one of the most fully-featured system firewalls out there (the term "HIPS" seems inappropriate here - "host-based" means everything including anti-virus/trojan scanners).
Must not forget that.
A point made several times, but it's too late now.
Do you have any advice or suggestions for users who don't want to learn HIPS or just click allow to everything?
Don't use one - simple as that. They require judgement and if a user does not wish to exercise this they will be useless. Stick with a malware scanner and use safe hex to reduce your chances of being hit with a zero-day exploit.
Yes, that is the obvious answer. But here's what I'm saying: HIPS are supposedly "VERY IMPORTANT", yet people would have to learn and configure the program.
Anyone not wishing to do so can excuse themselves from using the "VERY IMPORTANT" HIPS.