What makes you choose a HIPS?

Discussion in 'polls' started by sukarof, Nov 10, 2006.

This is most important

  1. Passes leaktests

    5 vote(s)
    4.8%
  2. What is written on forums (good or bad)

    12 vote(s)
    11.4%
  3. Evaluate, actually use and learn it before stating an opinion

    46 vote(s)
    43.8%
  4. Proven in "combat" - ie catches the bad stuff in "real life"

    28 vote(s)
    26.7%
  5. Other

    14 vote(s)
    13.3%
  1. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Nothing.
     
  2. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    And membership in general includes yourself, right? That is why you took offense? lol.

    And if my comments struck you as being derogatory, that is because they were meant to be in part. As I said, if you put aside your ego for the moment, and see what is going on, you would agree that this is indeed going on to at least some extent.

    You can even find threads or posts where people express discomfort about the product they are using, because they see a lot of people are trying some other newer product. (Don't ask me to link to the posts/threads, they will just get deleted because that would single out people)

    Besides I'm including myself in the condemnation. :)


    Are you referring to the leak tests comment?

    Right. I also explained why I described what is popular.


    No need to apologize, you have not mistaken the meaning of my statements. I have never shied away from saying unpopular things.

    Except maybe the SSM and win98 comment, which was a crack about how many SSM users use win98. Because obviously SSM supports win98 and the rest don't. Should have just come out and said that.
     
  3. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    What makes you choose a HIPS. In relative importance (in terms of availability of information)

    1) Leak tests and other tests by vendors
    2) Recommendation/ adoption by experts/gurus
    3) Lots of people posting, talking about the product
    4) Lots of posts by vendor providing support and/or boasting about their product
    5) User friendliness and stability
    6) Real world performance against malware.


    1) Leak tests and other tests

    The problem as I see it is that 99% of posters here are not really qualified to tell if a product is superior to another in providing protection. That includes myself and probably you too, herbalist.

    So we rely on tests created by other people. This also explains why leak tests or any other tech produced by vendors to hawk their products are such a big deal on these forums (even though people pretend that they don't matter much when asked straight out). The problems with relying on leak tests alone to assess technical merit is the difficulty with interpretation of results.

    Also, relying on tests created by security vendors has obvious drawbacks in that their product will definitely pass, while others won't.

    So most new products already give you one reason to switch.

    2) Recommendation/ adoption by experts/gurus

    Then there is the "follow the leader" strategy. Some guys are perceived as being technically competent, and if they throw their support behind some product, suddenly it looks a lot better. A point that is not lost on many vendors (see trend of getting long time posters here to join the team).

    3) Lots of people posting, talking about the product

    There's the "wisdom of the crowds" method. If a lot of people are talking about it, it probably is worth looking into.

    Lots of 'hobbyists' in this forum, so any new product that is halfway decent will definitely get some buzz. So any new product that is talked about a lot gives you another reason to switch.

    4) Lots of posts by vendor providing support and/or boasting about their product

    Then there is the "nice developer taking time to post here" reason. I have noticed that if the developer takes time to establish a presence to post here, the product immediately gains fans. Never mind if the developer's comment is "you are right, our product stinks, we will work on it". :)

    I have seen cases where literally within a few days, posters change from condemning the product as being useless and nearly a rogue product to considering it a top notch product and demanding that tests conducted months ago include it!

    What is the difference? Simply the developer coming here and posting. Never mind if the product hasn't changed at all.

    Typically any new product will have favourable views on 1-4. That alone is sufficient in many cases to cause one to start playing with it seriously.

    In theory 5-6 should be the deciding factor on whether one rejects or accepts it, but in most cases, anything that gets past 1-4 has a high chance of winning through.


    5) User friendliness and stability


    There is look and feel, user friendliness, stability, etc.

    Assuming that the above two factors are favorable, "look and feel" probably isn't such a big factor as befits a "techie" product. Also unless the developer fouls up in a huge way, most people won't care since all their competitors aren't really models for usability anyway. :)

    And in any case, it is fairly easy for the GUI to be changed ............

    Stability is of course important. And if a thread starts off with people posting problems, it is a bad sign and the vendor has to do a lot of damage control....
    If the problem is bad enough, no one will even bother to try, but these days where we all have VMs and spare machines this isn't such a big factor.

    Stability is probably the biggest stumbling block to acceptance, particularly when people run a lot of overlapping security software. But I have found that this isn't as big a problem as I thought, because the conflicts can sometimes be pretty subtle; I seldom get a case of a total BSOD (though not unheard of).


    6) Real world performance against malware/ personal experience.

    This one looks great and in theory should be the ultimate factor (assuming stability). But who in the world actually manages to get this data??

    Let's face it, most people here have computers guarded more tightly than Fort Knox and are paranoid when surfing to boot, so what real world threats testing are we talking about??

    Certainly if you just go about surfing (even into 'dangerous sites') fully patched (browser fully locked down), armed to the gills with every security program on the planet while testing your new addition, nothing is getting through obviously.

    The rare threat that gets past all your defenses and is blocked by your new addition will probably not occur unless you test for 1-3 years maybe. And that's assuming your new addition is superior (you might replace with a weaker option!).

    By then you will already be invested emotionally ....
     
    Last edited: Nov 25, 2006
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Very interesting point of view Devil's Advocate ;)
    You address the point of testing methodology and the repeatability of results. For the end user it is almost impossible to test new apps, especially HIPS.

    Most of the people posting here look for holes or gaps in their security setups or ask for more features. My position is to keep the smallest possible number of running applications. For example:
    -A powerful AV preferably with web scanner
    -A good firewall/packet filter with some amount of component monitor
    -A sandbox/policy management/virtualization app like Sandboxie, GreenBorder, BufferZone, DefenseWall, GeSWall, etc. Alternatively, but not preferably, use some antispyware (covers registry, browser settings, etc.)
    This is very easy to maintain and covers almost all areas with very few gaps and overlaps. Throw any malware at this setup and see the results.
    Don't forget the basics: backup strategy, NAT/SPI router, system and application hardening and common sense.
    If you like, add a backup malware scanner and/or a classical HIPS. Both provide little security gains.
    I don't believe in smart AI, in community databases, in redundancy apps.
     
  5. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    .... this is actually a rather interesting discussion. Although fads were mentioned, I tend to view the rise and fall of discussion more as a consequence of "lead adopters" discussing the latest offerings than simple following of fads, though I'm sure there are components of both.

    As for myself....
    I really can't say that I follow these. I'd say that most attempts at tests of this type of product yield some convoluted combination of the intrinsic capability of the product and presumed or assumed user knowledge. Even if I try to get beyond this, they say very little to me.
    It's a factor if I can understand or make sense of what they're saying.
    This will get me to look, take a test drive, and maybe comment on my experience.
    Personally, I have mixed feelings here. Support is good, boasting can be a downer. I also have mixed feelings in that a lot of the support is with regard to beta testing. While beta testing is fine, it really shouldn't run in parallel with product development, which does seem to be the norm in many cases these days.
    On a personal scale, this is (1) with me. If they don't pass muster here, it's a deal breaker. As noted, stability problems can be subtle and difficult to diagnose.
    More typically, it is real world performance against perfectly valid applications. Any user of a HIPS type product will have oodles of experience on this count. That seems to be an unfortunate fact of life.

    Overall, I've been rather disappointed with the evolution of the HIPS type of products to date. They're simply still not ready for the market en masse. Ultimately, they fail with respect to user friendliness in my estimation simply because their alarms are too indiscriminate and too obscure for a typical user to adequately address. Some products seem to be getting close to suitable, but there is still some distance to go.

    I realize many users employ these applications for purposes of control, not unlike a firewall. With a firewall, I can get my head around the concept of talking to the outside world - allow or block. I really have a hard time getting around many of the alerts provided by HIPS applications. At the level of allow/block execution, I'm fine and I think most users would be as well. If it is more esoteric than that, then it can be hit or miss; sure - I know what many alerts do mean, however and unfortunately, many elude me as well.

    If it is control a typical user wants, I can see the merit of that, it is not unlike the control I desire when using a software firewall. However, I do believe that realistically that means pure execution control only. Applications that go beyond that result in a pure guessing game for most.

    Blue
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    What about sandbox-like HIPS such as DefenseWall, GeSWall, Sandboxie, etc.? IMHO, they are very close to user friendliness.
    In general, security alerts are beyond the understanding of most computer users. This includes AV alerts.
     
  7. EASTER.2010

    EASTER.2010 Guest

    For clarity's sake on this end my choice is BOTH, and in retrospect to the imposed dangers fashioned on XP by malware writers as well as Microsoft's limitations in the performance arena, I have found 98SE far superior in many aspects to this very day. (Will run circles around XP.) Velocity tests and my own eyes and reflexes bear that statement out. :thumb:

    Back to Topic. somewhat...
    In reality HIPS as such has slammed the door tighter on common (malware) interruptions than anything Microsoft has produced to date, and that is by design in case anyone has been sleeping. After all, how else could soft creators, both freelance & commercial ones, draw onto this platform to display their art and us end-users enjoy the vast variety of programs to share in those efforts.

    Disappointment goes with the territory when it comes to HIPS or any other security type programs for Windows PC systems, but one should focus on the core reason for that, and it's not the security vendors who are trying (and performing!) to fill the gap "deliberately" left wide-open by Micro's engineers. It certainly doesn't make their efforts any simpler to have to sift thru thousands of hours of reports, in-house research, and code modifications to accommodate as many configurations and platforms as possible in order to keep errors at a bare minimum in the face of so much that's required from them.

    Looking at this from the point of needing/wanting the most simplistic and least user-action as concerns HIPS, once you've gone thru an initial series of prompts of course, (akin to firewalls naturally), then there you have it. Your choices are written in stone or in this case in a ruleset that becomes a "new default" for your system and keeps things safe for both your machine & conscience IMO. ;)

    Personally speaking, and from working feverishly over the years on various HijackThis Logs in security forums from end-users battered & confused by un-announced forced internet intrusions in the form of malware & their bad programs lodged in their good machines, HIPS IMHO is the ABSOLUTE best approach ever to come into play here with these computers since sliced-bread.
     
  8. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I haven't gone down that road as yet, I've been occupied with some other things over the past year. At some point I'll probably give them a whirl.

    Blue
     
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I personally would have deleted the attachment straight off on the basis of being told it was a video when it was not that kind of file. That would have been, for me at least, the best prevention against the executable trying to do anything.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I'm not saying these products don't work. As far as I've been able to discern, they all work as advertised with some variance in the net impact on overall system stability, which typically gets wrung out with sufficient testing. I've tested many of these products, sometimes for extended periods of time, they do work.
    Well, if you accept the lead adopter scenario I mentioned, that always has associated disappointment. Realistically, part of that gap arises from the desire to impart dynamic functionality to the OS. That can be used for good, but many have used that as a route to bad.
    I'm trying not to focus on what the capable hands of many here are able to do since we are a very small niche market that is now completely saturated with offerings. I'm trying to articulate why none of these options has seemingly penetrated the mainstream user population - and that's not only as discrete products, but also as modular components in mainstream suites. Again, it does depend on the specific product to some extent. I'm sure many users can make it through that initial series of prompts and provide answers to alerts. However, have those answers risen above the level of pure guess? I take it as a given that many users here will provide an informed answer, but the majority of users won't be able to.
    Again, I am not saying the approach is wrong, but that the current implementations may not be quite there yet for the masses. It really comes down to the operating costs and inconveniences a user is willing to bear. I realize that a consideration of inconvenience does have to include at least a passing thought to a rebuild in the event of real problems. If a nonexpert coworker or family member were to ask me what to do, and my usual suggestion of a router/"strong" AV or suite/firewall was not adequate, I would not be pointing them to HIPS type solutions at present aside from the embedded HIPS starting to emerge in some suites. Rather, I'd probably mention approaches like AntiExecutable (static machines only), Prevx (dynamic or static machines), and ones along these avenues. In some respects, they are not that different from HIPS in that they can be used to control execution at some level, but they stop there.

    If you decide to run an application, it is handled without second guessing the programmer as to what functionality is allowed or needed. If that application is new to the system (AE) or unknown/known bad/known caution to the "community" (Prevx), it will either be denied by default (AE) or you will be given an opportunity to block execution (Prevx). I don't think these offerings are quite there yet either, they just seem a whole lot closer IMHO...

    ...but I could be wrong....

    Blue
     
  11. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Nothing. Use your brains.
     
  12. marcromero

    marcromero Guest

    Nothing.
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Proven in combat and leaktest should be survived.
     
  14. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    Was an early adopter of ProcessGuard and never had any reason to stray,
    but now I'm considering the next gen, so what is written here, with additional research and then trials :p
     
  15. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    I'm holding my breath while waiting to hear your recommendation...
     
  16. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Nothing.

    HIPS is too over-rated, a gimmick.
     
  17. pipester

    pipester Guest

    I think HIPS type programs are highly overrated and not needed, although I do find the community based concept behind Prevx very interesting.
     
  18. progress

    progress Guest

    Passes leaktests :)
     
  19. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Other- how smooth it runs on my computer and gets along with other programs.
     
  20. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    Other.
    I hate HIPS. I downloaded ProcessGuard only because when I left Returnil for ShadowDefender, there was no equivalent of the Anti-Execute module in Returnil 2008.
    I have few programs installed, so I was able to open them all, allow them, and quieten the beast down to a tolerable level.
     
  21. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Actually I like it more when

    "Proven in "combat" - ie catches the bad stuff in "real life""

    But most of the time I base my opinions first on forums, then I try it :cool:
     
  22. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    Using it in real life, I became fond of Prevx when it stopped Kizar's iStealer 5.0 while others didn't, even after reporting for over 3 days.
     
  23. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    HIPS programs seem too sticky, kind of like walking across a floor spread with industrial glue. Would much rather use standard account in Win 7.

    :D
     
    Last edited: Nov 24, 2009
  24. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    I am new to HIPS but I will share my opinion.

    1. It must be used by lots of people on any forum I use. That way if I have a problem I know someone will most likely know the answer.

    2. It must be user friendly, I dislike answering a ton of pop-ups.

    3. It must be FREE. I dislike paying for security software, because I never have extra money to spend.
     