What's the best IPS program available?

Discussion in 'other anti-malware software' started by autumn dreams, Jul 24, 2005.

Thread Status:
Not open for further replies.
  1. Hi,

    Can anyone advise me as to what the best IPS program, or combination of programs, is available at this time, and why?

    I'm considering going with either Prevx 1 or Online Armour, but what about the freebies available like AntiHook, Process Guard (free version), Prevx (free) or even programs like WinPatrol, MSAS or other free programs?

    What protection is in Prevx 1 or Online Armour that I couldn't have using a combination of AntiHook, Prevx (free), MSAS along with my firewall (ZA free) and AV for example?

    Are P1 or OA really that much better than using AH, MSAS, Prevx (free) & my AV/FW? Or perhaps there is another combination of free (or mostly free) programs that can compete with Prevx 1 & Online Armour that you know of?

    Thanks for any replies.
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi autumn dreams,

    First of all, I do not think you realize how complex is the question you are asking. :) But I will try to suggest some ideas for you which I hope will be helpful:

    1) I highly recommend kareldjag's site, which I think provides the most comprehensive information on this subject that I have come across.

    http://kareldjag.over-blog.com/article-382176.html

    The site is a bit difficult to navigate, so if you have problems, just ask.

    2) My current IPS configuration is:

    a) WormGuard: detects malicious actions within various types of scripts
    b) ProcessGuard: detects unauthorized executables and asks me for positive permission. Also prevents the installation of unauthorized drivers/services, keyloggers, and rootkits.
    c) RegDefend: prevents against unauthorized registry updates.

    All of these products have delivered as promised, are very stable on my machine, and use negligible resources.

    I am very satisfied with the above described configuration though some of the other products have other strengths and weaknesses. In this thread, Message #119, Mike, in answer to a similar inquiry of mine, provides a good description of Online Armour (which is looking very good to me) as compared to ProcessGuard.

    I tried out Prevx Pro and Safe 'N' Secure and passed on both of them for reasons that I have explained in other threads. You can search for discussions on these products by using the Search function.

    Recently ZoneAlarm has introduced some IPS capabilities into their system. I have no idea yet how well they work, but I suspect that this may be the beginning of a larger trend.

    I am sure you will be getting lots more information from other users, who have had different experiences. I would start slowly and build up, as you gain familiarity with products. Of course, take advantage of trials, but even with trials be careful. There have been instances, (and I have experienced them first-hand), where installation of IPS products has corrupted systems making them unusable. So, if you can, either choose products that are well tested or have an image copy of your hard drive handy.

    Hope this is at least a start,
    Rich
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Between Prevx 1 and Online Armor, I say Online Armor, as it covers more, and will be adding a lot more in the future. I have both, however, and like them both. They are good products in their own right, and both have first class support.

    To tackle the others, Prevx Home will most likely not be supported in the future. Until Prevx 1 leaves beta, I wouldn't count on that one. MSAS would be a good complement to all of them as it covers different things, but don't know that I would count on it for everything, as it primarily covers areas dealt with by spyware, not malware at large. PG is great, but it's a little techy, which brings me to my main point.. the one thing that the Prevx (not PrevX, folks ;) ) data has shown is that most people were just 'allowing' most alerts, letting malware infect their system. With an IPS, it is crucial that you understand its alerts and how it works, otherwise it will not do you any good. This goes back to my recommendation of Online Armor.. it's quite easy to use, stops things on multiple fronts, and if you make a bad decision you can go back and easily undo the damage by going into the Programs screen and hitting 'Delete' to remove everything the malware has done, and keep it from coming back.

    Ultimately, however, what you need to do is try some out and see which one makes the most sense to you. You can always post questions here for any help you might need. It's not like an anti-virus or anti-trojan scanner, that is pretty much set-and-forget. An IPS will give you a lot of control of how your system works, too much control only works against you if you don't know how to decide whether to 'allow' or 'deny' the sometimes cryptic messages it will give you about everything that takes actions covered by the IPS. These will include many legitimate apps and sometimes even system functions.

    That said, however, an IPS can potentially give you much stronger protection than any scanner, as long as it's used properly.
     
    Last edited: Jul 24, 2005
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    I have tried and used a number of these (H)IPS programs and my current favorites are SafeNSec and Online Armor.

    At the present time SNS is a more mature product than OA and IMO it has, on my particular computer setups, a slight edge until OA implements more registry control.

    You need to work out where the present holes are in your present security setup and then decide whether you need one or multiple IPS programs to cover these gaps.

    I would look at some of the recent threads here on some of these programs as they give a good idea on aspects such as stability and features.

    Apart from some problems with my system tray icon I have found SafeNSec stable. Set it on Strict Policy and the number of pop-ups you see are few and far between yet it is still doing its job.

    OA is at the present time very promising but it is still in beta and it still needs some minor bugs worked out. However, a first initial gold release is nearly there.

    If trialing, as richrf points out, using an imaging or roll-back program would be a good decision.
     
  5. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Haven't had too close a look at online armour yet. Probably because I already paid for PrevX Pro (now switched over to PrevX1).

    In relation to Kareldjag's tests. In most ways they are very good information, but for some products the tests are very misleading. The PrevX test is one of them. PrevX's strength has always been the prevention of installation of malware, however Kareldjag's tests rely mostly on the programs running the tests being already installed....defeating the purpose of the test <most of them anyway>.

    Another semi-criticism of Kareldjag's tests is that they test programs for protection against things that the products don't claim to protect against...but this is still useful info to know when trying to put together a security system.

    Anyway, the different HIPS/similar products that I know of so far ...PrevX, Online Armour, Safe-n-Sec, AntiMalware, Panda TruPrevent...and perhaps to a lesser extent Shadowsurfer, Abtrusion, DeepFreeze/ShadowUser, ProcessGuard. I'm sure there's more, but can't think of them off the top of my head.

    As for comparing individual products against another - this could be (and has been) the subject of whole threads in themselves.
     
  6. StevieO

    StevieO Guest

    I found out about this wonderful Free program on here from one of your members a few months ago. It works on other OS's not just XP.


    Winsonar 2005 XP Freeware Edition is a program specifically designed for process monitoring and system protection from unknown processes: the program detects new processes permanently installed into memory while system is working off-line, offering also an active Internet protection, by optional automatic termination of any unknown process trying to load itself into memory when the system is on line.

    http://digilander.libero.it/zancart/winsonar.html


    StevieO
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I fully agree with that.. that's why I don't recommend those blogs. I'd rather focus on giving info on the effectiveness within the scope of each app. There's a lot of very different ways of preventing infection, users are best off knowing how each of them go about it, not just whether an app will cover a specific behavior; malware can't do any of those memory tricks if they can't get into memory in the first place. I do commend Kareldjag on the time he puts into stuff, though.

    For Winsonar, it should be noted that it doesn't prevent processes from running, only allows you to terminate them afterwards. In many cases this may be too late, and may be difficult to remove. IMHO, the free version of ProcessGuard would be better.. but again it comes back to what's right for the individual.
     
    Last edited: Jul 24, 2005
  8. StevieO

    StevieO Guest

    Actually Winsonar does kill ALL unknown processes stone Dead whilst connected to the internet.

    Once you have allowed whatever Apps etc you want to run when initially prompted for on the first launch of them after installing Winsonar, then Nothing else will run at all.

    It also has a port scanner built in on standby should you choose to run it, plus numerous other really useful tools you can use.

    If you haven't downloaded a copy yet then I can highly recommend it, and as it's completely Free you have nothing to lose, but plenty to gain.


    StevieO
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Don't get me wrong, WinSonar is not a bad little app, but I wouldn't rely entirely on its execution prevention because it terminates the process after it's run, rather than blocking it from executing in the first place. If the malware protects itself against termination (some do) then WinSonar wouldn't be able to stop it. As an example I protected Process Explorer with ProcessGuard, and it had no problems starting. What it is good for, however, is the automatic port scans and tools it provides. You could easily use both, if you wanted.
     


  10. StevieO

    StevieO Guest

    Hi Notok,

    I do see what you mean, but I don't feel it is a very fair comparison.

    If someone has PG then they won't require WS, as PG already blocks .EXE's.

    For those that don't have PG then WS is a must have I would say. It has performed flawlessly ever since I installed it, and proved to be a very worthwhile addition to mine and others' security defences.

    I'm pleased you acknowledge that it is a good App, and that it has many other really useful tools also.


    StevieO
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I rely on Tiny2005 and it's capable of running next to PG and RD!!!

    so for me this is my ips program (ids too :p)
     
  12. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Tiny gave me a headache !
     