Whats up with all this new talk...

Discussion in 'other anti-malware software' started by dja2k, Aug 1, 2005.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I am reading here that people are starting to put down ProcessGuard and Regdefend with this new talk about HIPS. Now I hear talk about OA (Online Armor), Anti Hook, and more about Safe'N'Sec.

    What do you guys think? I mean all you guys that are Processguard + Regdefend followers and those of us that add RegRun as an extra defense. You think our line of defense is getting old with these new and upcoming programs? Is it time for a change?

    I don't think we need that many programs that do the same thing running together because, as they say with two active antiviruses, they may conflict and make things worse. Don't get me wrong, I am not ready to change, but if it is time, then let it be. What are you guys using? It would be nice to see lists. And for the other people that have answered my other threads before, let's see if you still use the same programs you recommended me before or are you considered traitors, haha.

    dja2k
     
  2. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    I'd say, yes give OA a try - but of course, I'm a little biased :)

    If you send me a PM, I'll send you an eval key.


    Mike
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    dja2k,

    I wouldn't take either PG or RD off the table with respect to functionality, they have as much as you will ever need, but that's only one part of a program's characteristics when considering whether to use it. You can see what I have available on demand and what I'm running realtime here at the moment. Right now I'm looking at SafenSec and the driver is for the functionality available to the people I support - the rest of the family at home.

    PG was and is great for me. I knew what to do with the popups as they occurred, but as Mike Nash has mentioned elsewhere, and I know I have as well, there is the issue of popup fatigue as well as being equipped with the necessary system knowledge for more casual users. Putting some type of intelligent and adaptive front end into these programs is, in my personal estimation, critical. This is somewhat new ground so you will see all the various options somewhat feeling their way around, as are potential users. So far I like what I see with SnS, and that's where I've focused for the present, but it is still developing. Same with OA, read the various threads related to OA and you will see a number of positive comments. This also applies to the other options (Prevx, etc.) that one could employ as well. I don't know what other peoples objectives are, but mine are simple - good protection with a minimal impact on realtime system responsiveness, a minimal number of requests for user intervention upon detection of a potential issue while maintaining suitable protection, and a good description of the situation and options when user intervention is required.

    These options do not necessarily provide more protection than, for example, PG and/or RD, but they may be more suitable for the mass market at this time. The intrinsic protection afforded by these various applications is only as good as the decisions made by the user when prompted for action. In general, and as I note above, I feel that providing an intelligent and dynamically adaptive front end which filters the mundane and not critical events from those characteristic of a possible intrusion is where the future lies. As potential threats change, the definition of mundane may be somewhat fluid, hence the need of an adaptive solution either through updates of general behavioral rulesets reflecting potentially malicious operations or through maintenance of white/black lists of applications and/or system operations.

    Would I change my protection? Well, it depends on the situation. If I were the sole user on one PC and I was comfortable with the intervention requests from PG/RD/etc., probably not. On the other hand, if I was continually getting requests on what to do with this or that dialog box, I'd keep an eye on the various programs mentioned and probably try a few of them out.

    Blue
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi dja2k,

    Online Armor seems to be a very nicely defined product, with lots of excellent security, compatibility, reliability, and support characteristics. However, it is a new product, and because it isn't as "transparent" and "configurable" (i.e., adding and subtracting security definitions) as ProcessGuard and RegDefend, I will be staying with WormGuard, PG and RG for the time being. This combination is a known quantity to me, and it is going to be difficult to beat this as a security combination for the time being - especially since I am very comfortable with them.

    As Blue recommends, there are free trials and it is certainly worthwhile to test Online Armor if you do not have PG and RD installed. If you do, then I do not see any significant reason to switch at the moment - especially if you have a good AV in place, since the AV is going to still do the vast majority of work and provide the most security for the time being.

    Hope this helps,
    Rich
     
  5. ---

    --- Guest

    You know what I think?

    I think you are perfectly safe. There will always be something newer, something that claims to, or actually provides more protection, e.g. OA and its ability to rollback plus antispoofing methods, but the question as always is whether you will need that additional protection.

    Given that lots of people don't even use HIPS, the fact that you use Regdefend+Processguard makes you one step above 99.999% of people already.

    Add the knowledge that comes from understanding malware generally, you are as safe as you can be.

    Of course, if you are like most of us, caught up in this for fun as a hobby, I say go for it!

    But if you are really not interested in computer security, except for the minimum to get by, I don't really see the need to read these forums daily or even weekly.
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I disagree. What I am discovering is that so-called "legitimate" companies are just as likely to invade a user's privacy as the "bandits" are - and products like ProcessGuard alert me. Apparently, my actions on my computer have become free-game for the "free-market system".

    Until Microsoft designs an operating system that puts control of the computer back into the hands of the user (or another operating system with such control has widespread usage), I feel that products like ProcessGuard provide valuable services.

    Rich
     
  7. mikkey

    mikkey Guest

    All i'll say is
    ProcessGuard
    Regdefend
    Proactive

    There, think that'll get Rich's attention.

    There comes a time when the word obsession needs to be used...
     
  8. myopinion

    myopinion Guest

    I know plenty of people who only use an AV, FW, Firefox, MSAS (or another anti-malware like say BoClean) and maybe Ad-aware and/or Spybot, and they never have any problems whatsoever!

    I think all this HIPS talk is just that, a bunch of talk. But when it comes to the real world, it's not really necessary. Plenty of people get by without them, and the people who don't probably don't even use an up to date AV, or just don't care much about computer security.

    How many times, I wonder, have these HIPS programs ever REALLY been necessary in real world situations? Could the same problems have been stopped by your AV/FW/AS/AT in most cases? From what I've seen, the answer is yes.

    So all these people are spending, spending, spending for protection, in most cases, they'll never really need. They could probably have all the protection they'll ever need with just their AV/AS/AT/FW. Using something like PG, AH, Safe'n'Sec etc...is just an added measure of security that most will probably never need.

    But not to say you shouldn't be using HIPS or other IDS software, if you want to, just that I don't feel, from what I've seen, that they're really that necessary. But like another poster said, if it's your hobby, then go for it. ;) :D
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    It depends upon individual perspectives. If you trust MS (MS AS) to decide what should or shouldn't run on your system, then MSAS is a very good solution. If you trust that KAV will have all of the definitions for zero-hour attacks, very quickly, then KAV is an excellent solution. If you trust all of your vendors, that they will not "intrude" and do things on your computer and collect information with clear permission (sometimes hidden in the fine print), then there is no reason to be concerned.

    I am not so trusting. I would like to have a personal say on what runs and what doesn't run on my machine. What gets installed (services/drivers) and what doesn't. What hooks my screen and keyboard, and what doesn't. For this reason, I appreciate that ProcessGuard and Online Armor (as examples), give that "Right" back to me. This is simply my individual right to determine what happens on my machine.

    Rich
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well put, Rich, and an important point.

    I would hope we could become less critical about setups, and instead, focus on discussion of the various products and users' experiences with them.

    What someone else decides to do is her/his own business, and we should be grateful for the myriad selections of fine products that are now and becoming available.

    I like Spy1's comment in another thread:

    --------------------------
    Please bear in mind that what works fine for me does just that - works fine for me, my computer set-up, my other programs..., etc.

    I can neither tell you it will work as well for you (since your set-up and applications are totally different than mine), nor hazard guesses or make pronouncements about things I haven't a clue about.
    --------------------------

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Aug 1, 2005
  11. ---

    --- Guest

    I don't think anyone is criticising setups. The original poster asked if it's necessary to go beyond PG+Regdefend, some of us said no in varying degrees, Richrf said yes.

    I don't know why Richrf though started declaring his right to use whatever he wanted, unless he wanted to act like a victim. That was never in question.

    Of course, everyone has the right to do what he or she wants.

    Still the meaning of the word "overkill" seems to be lost on some. But hey, it's their right , no question. It's their right to disagree on whether it's overkill as well of course.

    Just as it's my right to advise most people that they don't need to run 4 different HIP products at the same time. Or keep up with the Jones for security software.

    I suppose when someone else recommends that you should run Regdefend, Processguard, Wormguard, KAV it's okay? But when people suggest that it isn't strictly necessary, it's criticising setups??
     
  12. myopinion

    myopinion Guest

    I completely agree with those comments ---.

    I wasn't insulting anyone's setup either. I was simply pointing out that not everyone HAS to have the latest and greatest IDS type programs to be safe on the internet.

    On one of my computers for example, I only have Tea Timer, WinPatrol, Firefox, Pest Patrol and my AV/FW and I've never had any problems on that computer in years. And that's usually more than many other people I know, and they don't seem to have any problems either.

    I don't think anyone should feel threatened by my recommending different software than what they feel is the ideal setup. But perhaps they are offended when others come along and show that it really isn't necessary to go to such extreme lengths to be safe on the net, or maybe they're trying to justify their expensive purchases by accusing others who disagree with them of criticizing.

    At any rate do what you like. I'm not telling anyone to do it one way or the other. I'm just posting about what I've seen work for myself and others. Some of us use what others may call an unsafe minimal setup and still do just fine. ;)
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I was not offended at all. I was merely pointing out, that there is a significant, qualitative difference between relying on other vendors to protect my machine (via signatures, heuristics, and their own internal decision making process), rather than relying on myself.

    I, personally, would like to be the final arbiter of what runs on my machine - not MS, Spybot, Norton, or anyone else. Just like I decide who I allow into my house. Somewhere along the way, things really got weird on the PC, and vendors decided that they were entitled to put software and other things on my machine. The "bad guys" came along, and simply decided to take advantage of the "facilities" in the OS (Windows) that the "legitimate companies" were exploiting. Not surprisingly, government goes along with it, because big companies make tons of money intruding into my space. It is as if I let every traveling salesperson/fundraiser into my house.

    This is a significant difference between the classical "AV" approaches and the HIPS approach. HIPS closes the doors, and only opens them if I say it's OK. Whether or not it provides more protection than signature/heuristic approaches, I have no idea at this time. But it does make me in charge of my own machine and my own life.

    Rich
     
    Last edited: Aug 1, 2005
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Actually, this is quite a bit of protection, but not sufficient for you to know whether or not your machine has been really compromised. It is unfortunate, but it is the state of affairs with the Internet nowadays.

    Rich
     
  15. Hippsornot

    Hippsornot Guest

    Provided you know what you are doing. Let's hope you do, and that it's not a case of 'thinking' you know what you are doing. If you allow something that you believe is safe and it turns out it's not, then you could be toast. That's the problem with HIPS applications - the decision is mostly left to the user. And that is very dangerous unless you are really clued up.
     
  16. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    What advantages does HIPS software have over "traditional" approaches and what are the disadvantages of HIPS?
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    If I don't know what I am doing, then I am no worse off than I was before. However, there are ways for HIPS vendors to "smarten up" the alerts, to assist users during the learning process. Online Armor has begun to add these assists in their products, though lots more can be done.

    HIPS is a very valuable addition to my security. If something happens out of the ordinary, then my gut reaction is to reject - i.e. "rejection by exception". It actually does work beautifully. For example, when a seemingly benign program tried to load a new driver/service, I replied "No". It was the right move. Without HIPS, it would have been able to load the driver because I would have no idea that it was trying to do so.

    Rich
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Depending upon the quality of the HIPS product, it can:

    1) Alert the user whenever a new, untrusted executable is attempting to gain access to system resources.

    2) Alert the user if the new executable is attempting to perform some action which would be considered potentially damaging or malicious.

    3) Provide guidance to the user with additional information about the executable and possible actions the user can take as the process continues its execution path.

    Basically HIPS is a way for a user to know what is trying to run on the user's machine and what it is trying to do - especially if it is deemed abnormal.

    The classical AV/AT approach:

    1) Attempts to use automated means (identification signatures or heuristics) to identify a process as a potential Bad Guy. If potentially Bad then the user will receive an alert. This identification can be done during On Access (before it begins to process) or while it is processing.

    An analogy could be made like this:

    1) Classical: A person wants to gain entrance to a home. The person's fingerprint is compared to a set of known Bad Guy fingerprints or "profiles". If the fingerprint is not on file, then the person is allowed in, no questions asked. No way to stop it. Therefore, any Bad Guy who is not "known" is let in.

    2) HIPS: Any "new" person is stopped, no matter what, and not let in unless specific authorization is given by the owner of the home. Period. The owner of the house decides whether to let the "unknown person" in. If the person is trying to enter in the middle of the night (an Exception situation), it is wise to reject the person. Otherwise, the owner of the house can ask for more details before letting the person in. If the owner mistakenly lets in a Bad Guy, the owner can use a camera to follow the Bad Guy around, and if the Bad Guy tries to do something naughty (like steal some goods), the owner can catch this action, before it is completed, and ...... hmmmmm .... kill the Bad Guy legally. :D

    HIPS provides LOTS more information and control.

    Rich
     
  19. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    We have the advantages and now what are the disadvantages of having a HIPS program installed?


    Starrob
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Depending upon the HIPS program, it may be a "slow learner" and provide too many alerts (alert incorrectly on non-exception conditions) that are difficult to understand. This is a refinement process. Online Armor, has been stellar in this regard. It will be interesting to see how other users react.

    Should a user incorrectly allow a Bad Guy in, the user is no worse off than the user was before with a simple AV solution. In this case, the AV let it through and the user let it through. However, with a HIPS product, there may be more opportunities to "catch the mistake", since the HIPS product can also guard the "precious goods" within the house - i.e. multiple lines of interior defense.
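    To make the two models richrf describes in posts 17, 18 and 20 concrete, here is a small Python simulation I put together for this thread; it is not code from ProcessGuard, Online Armor or any other product mentioned here. A classical scanner lets anything through whose "fingerprint" is not on a blacklist. The HIPS model stops every unknown executable at the front door and asks the user, then asks again before sensitive actions such as loading a driver, so a mistake at the door can still be caught inside (the "multiple lines of interior defense" of post 20). The user's answers are supplied by a callback that implements "rejection by exception". The executable names, fingerprints, the list of sensitive actions and the "middle of the night" hours are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data: fingerprints stand in for AV signatures/hashes.
KNOWN_BAD_FINGERPRINTS = {"sig-1234"}


@dataclass(frozen=True)
class Event:
    exe: str          # executable name (constructed)
    fingerprint: str  # constructed stand-in for a file hash
    action: str       # what the process is trying to do
    hour: int         # hour of day, for the "middle of the night" rule


def classical_av(event: Event) -> str:
    """Blacklist model: anyone not on the list of known Bad Guys walks in."""
    return "block" if event.fingerprint in KNOWN_BAD_FINGERPRINTS else "allow"


class Hips:
    """Default-deny model: every unknown executable is stopped and the owner
    is asked; even a trusted one is asked again before a sensitive action."""

    # Actions treated as potentially damaging (constructed list).
    SENSITIVE = {"load_driver", "install_service", "hook_keyboard", "hook_screen"}

    def __init__(self, user):
        self.user = user        # callback (event, reason) -> bool, plays the user
        self.trusted = set()    # executables the user has already let in
        self.prompts = 0        # how often the user was interrupted (popup fatigue)

    def ask(self, event: Event, reason: str) -> bool:
        self.prompts += 1
        return self.user(event, reason)

    def check(self, event: Event) -> str:
        # Line 1, the front door: an unknown executable never runs silently.
        if event.exe not in self.trusted:
            if not self.ask(event, "new executable"):
                return "block"
            self.trusted.add(event.exe)  # remembered, so no popup next time
        # Line 2, the interior: a sensitive action is prompted even for a
        # trusted executable, so a wrong decision at the door can still be caught.
        if event.action in self.SENSITIVE:
            if not self.ask(event, f"sensitive action: {event.action}"):
                return "block"
        return "allow"


def rejection_by_exception(event: Event, reason: str) -> bool:
    """The habit richrf describes: anything out of the ordinary is refused.
    Here that means any sensitive action, or a new executable appearing in the
    constructed 'night' window of 02:00-05:00."""
    if reason.startswith("sensitive"):
        return False
    return not (2 <= event.hour < 5)


def run_scenario() -> dict:
    """Run constructed events through both models and return the verdicts."""
    unknown = Event("updater.exe", "sig-9999", "run", 14)
    driver = Event("updater.exe", "sig-9999", "load_driver", 14)
    night = Event("installer.exe", "sig-5555", "run", 3)
    known_bad = Event("trojan.exe", "sig-1234", "run", 14)

    hips = Hips(rejection_by_exception)
    results = {
        "av_unknown": classical_av(unknown),         # not on file: let in
        "av_known_bad": classical_av(known_bad),     # on file: blocked
        "hips_unknown_run": hips.check(unknown),     # user lets it in
        "hips_unknown_driver": hips.check(driver),   # caught inside the house
        "hips_repeat_run": hips.check(unknown),      # trusted now, no popup
        "hips_night_run": hips.check(night),         # exception: rejected
        "hips_known_bad": hips.check(known_bad),     # user said yes: let in
    }
    results["prompts"] = hips.prompts
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22} {verdict}")
```

    The last row is the point Hippsornot and BlueZannetti make: the HIPS has no signature for trojan.exe, so it is only as good as the answer given at the popup. The prompt counter shows the cost side: four interruptions for five events, even with the "remember trusted executables" shortcut.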
     
  21. ---

    --- Guest

    Of course, in most cases, the actions taken by the "Bad guys" are not as straightforward as 'steal some goods', so some guessing is required.

    Letting a stranger in, sadly in most cases can't be avoided, if you want to trial software, in such cases which I personally find very common, the HIPS is useless really despite Richrf's motto of 'catch them before they start'.

    So I prefer that HIPS try to be smarter in catching actions that are almost likely to be done only by the bad guys.

    Well, if you don't consider the monetary cost, effort of checking compatibility, of handling popups etc., that is.

    As mentioned popup fatigue can be a bad thing, leading to users clicking yes just to get rid of it. A very bad habit...
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    No problem at all. The few bucks I spend is no more than an evening out. The couple of pop-ups I receive is a whole lot easier to handle than scrolling down and clicking on a list returned by Google. But I guess it is possible to find something wrong with anything. In fact, let's get rid of Google altogether since it returns way too many listings.
     
  23. ---

    --- Guest

    Yes. For you.

    Strange change of topic.

    Google? Yes, I would prefer relevant results to a million irrelevant ones. Pointless to index a billion billion pages, if its ranking algorithms place useless pages first.

    What's your point again?
     
  24. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    The point is:

    1) An extra two clicks a day isn't all that painful,

    2) An extra $20 a year isn't all that draining,

    3) An extra couple of decisions more in my life isn't all that stressful,

    and ...

    There is such a thing as making a mountain out of a molehill.

    However, I do find it interesting that people like to throw around loaded labels like "paranoid", in order to put fear into people .... Or maybe I am just being too paranoid.
     
  25. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    HIPS stands for what?
     