Which HIPS?

Discussion in 'other anti-malware software' started by Ohmy, Aug 22, 2008.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    HIPS stands for (H)ost-based (I)ntrusion (P)revention (S)ystem. So, I believe, there is some misunderstanding. DefenseWall is definitely a HIPS. But there are four main types of it: classical HIPS (this type of HIPS is fully described by bellgamin above), blacklisting HIPS (so-called "intellectual blockers"), whitelisting HIPS and sandboxes (with virtualization and policy-based).

    So, if you take into account that Ohmy already has a sandbox HIPS and wants to play with a classical one, DefenseWall discussion is really a bit off-topic here.
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, but the following items:
    1. Buffer overflow (there is a specialized software for it).
    2. Children parent control.
    3. Process execution.
    4. Network control (this will be added soon).
     
  3. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello bellgamin,

    You are very welcome.


    Peace & Gratitude,

    CogitoErgoSum
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear Bellgamin,

    I am afraid you make a wrong assumption. Classical HIPS all more or less mention the same features. More and more detailed features seem to be a qualification of better protection.

    Problem is, when you look at the hooks they cover (simply run AVZ, for instance), you will notice that they all choose a DIFFERENT subset of the SSDT to cover, which means THEY DO NOT COVER ALL ATTACK VECTORS! Many of the classical HIPS failed dramatically against the System Shutdown Simulator of Dmenace, simply because THEY DID NOT COVER THIS ATTACK VECTOR.

    There are smart classical HIPS (like AntiExecutable) which recognise this limitation and choose to focus on one aspect, execution control, instead of all the features you mention (to be classified as classical HIPS); ergo it passed the SSS test. It is better to cover 100% from one angle (to stop the chain of events) than to cover 99% for 70% (or 60%, depending on the hooks set).

    Policy management is one of the oldest and most reliable implementations of security (it existed before antivirus); this is also the reason it is incorporated in almost every OS. Programs like GeSWall and DefenseWall are pitching on this aspect, because policy management is an effective way to prevent/stop the chain of events of a malware attack. The ironical reader might state that we only need those programs because we buy XP Home instead of XP Pro, Vista Home instead of Business. This is true, because few PC users have the knowledge to set up policy management properly through the built-in capacity of their OS.

    Post stating the effect of missing SSDT handles due to interfering security apps: https://www.wilderssecurity.com/showpost.php?p=1307379&postcount=9

    Looking for your response my dear Bellgamin ;)
     
    Last edited: Aug 28, 2008
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I think I provided a pretty dadgummed good overview of the scope of classical HIPS. It was not my goal to differentiate the relative effectiveness of various classical HIPS. At present, I know of NO *highly regarded testing organization* that is testing the relative effectiveness of HIPS. The ONLY persistent tester I know of is Aigle, right here at Wilders.

    For this reason, selecting which program to use from among the various HIPS is largely a matter of "by guess and by golly". Often, advocates of one particular HIPS versus another particular HIPS base their judgments on anecdotal assertions and how few pop-ups an application generates.

    All too often it is "flavor of the week" mentality that decides which HIPS is the darling of Wilders posters. One week it's EQSecure. Last week it was "Prosecurity has returned as Realtime Defender -- everybody grab a copy Wowee wow wow!" And this week it's Malware Defender so that anyone who speaks against it is "not very bright."

    I offered a general definition of what constitutes a classical HIPS -- & offered examples -- in order to get the discussion back onto apps that truly fall into the classical HIPS category. Then along comes Kees, dissing my list because he is able to conceive of exceptions, alluding to "failures" and "data", but not putting any specifics into evidence to help people learn any further facts as to (a) WHAT is a HIPS? AND/OR (b) WHICH HIPS does a good job?

    No bloody wonder some of these HIPS proponents throw in the towel. They invest long hard hours of time in carefully & painstakingly designing a HIPS -- which takes an incredibly in-depth knowledge of the inner workings of Windows, of the attack vectors of bad guys, of systemic weaknesses, etc -- and then people come along and say their HIPS is useless because it had the temerity to pop an alert about an actual suspicious threat, or the GUI isn't very pretty, or someone says, "I used it and I didn't like it. I much prefer (such & such) HIPS -- it has never let me down."

    Did anyone ever stop to think how brutally UNFAIR it is to adversely affect some poor guy's ability to earn a living -- by criticizing the guy's program based on vague generalizations, innuendos, and anecdotes -- totally unsupported by evidence or data of any kind?

    I think it must be very discouraging when someone produces a classical HIPS that is, by its nature, a very complex security app, and then sees it being compared to an altogether different type of security app, as though the other security app was the same thing but a lot simpler.

    In this particular thread, we see people comparing the simplicity of Defense Wall against any classical HIPS -- as though DW were one & the same thing as, say, SSM or Defense+. Doing that is sooooo grossly unfair & off-topic.

    If someone wants to start a thread covering "Which KIND of HIPS is better? Easier to use? Most effective for *average users*?" then, yes, DW should stand high up on that list. But bringing in a pure behavior blocker (such as Threatfire) or a policy-sandbox or such to compare it against a full-on classical HIPS -- as though TF or DW actually WERE a classical HIPS -- is not only off-topic, it is also bloody unfair to the producers of classical HIPS and to the readers who actually want to discuss classical HIPS.

    Finally, when I tried to point out that DW or Threatfire or whatever is not fully comparable to a classical HIPS, then all the fan-boys & "flavor of the week" advocates think their respective darling is being insulted, so the thread is now drifting toward becoming yet another pissing contest.

    In closing may I say, "I used DW for 2 days and my dog got rabies, my daughter caught the measles, and my computer turned into an X-box. So I uninstalled DW and now use no security at all, so everything is okay again."

    VERY scientific, wot?
     
    Last edited: Aug 28, 2008
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I didn't want to quote your whole post Bellgamin because those long quotes tend to get annoying...I don't like to even read my own posts when they get quoted. But, in response to your post, I give you a standing ovation. I don't mean to knock any posters here, but what you describe happens exactly the way you describe it. I'm sure some of it has to do with how in-depth some here test these applications, and of course opinions vary based on experience and also who deems what threat more concerning than another, nevertheless you are right on the money.

    Too many times some damned know it all comes up with a test based on some theory or own opinion (I'm casting a glance at the "leaktest" fans right now), and if the application passes every other test under the sun, but not this new one, suddenly that app is no longer useable. I prefer some apps over another too, we're human, we do that, but we're only shooting ourselves in the foot if we go about defending tooth and nail our personal "flavors". Guys, what is important here is that these tools work and they work effectively with as little complication as possible. Looking good is the very last thing you should be concerned with in a security app. I might have an app so danged ugly it looks like somebody ran over it with a Mack truck, set it ablaze and put the fire out with a snowshovel, but if it offers me tight protection with minimal fuss, it stays.
     
  7. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Unfortunately, we are being subjected to more and more of these types of replies recently.

    Kees, an acknowledged expert, gently propounds some sound technical points, but instead of a moderate reply in kind from which we could gain knowledge, we are blessed with bluster and going off at a tangent.

    A simple discussion of the points raised would have been more appropriate.
     
  8. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    While I certainly meant no offense to Kees or anyone else, I still stand by my agreement with Bellgamin regarding how apps are often treated if they do not conform to a particular person's standards or do not have this or that bell or whistle. I honestly was not even commenting on Bellgamin's original explanation of HIPS, Kees' disagreement, or anything even related. I just added my agreement regarding his complaints of the "flavor of the week" syndrome, nothing more, nothing less. My apologies if my post was misunderstood.
     
  9. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    dw426,

    Sorry, a misunderstanding. I was referring only to Bellgamin's post. I should have been specific.
     
  10. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Well I have Vista and cannot use Threatfire or Mamutu. TF screws up my keyboard and Mamutu conflicts with Ad Muncher. Any other HIPS for Vista? Is Realtime Defender the same as version 1.43 of ProSecurity? From what I remember PS 1.43 still had issues with Vista. Not sure I really need a HIPS with Vista as I have UAC enabled, Avira Premium and SAS Pro running. Any ideas?
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    RE What is a HIPS
    Shakira discussed HIPS adequately in her song "Hips Don't Lie"; besides Shakira's interpretation there are enough definitions available (Wikipedia, Gartner Group, Kareldjag, etc.). You only made it sound as if only HIPS with classical HIPS characteristics were the HIPS that offer complete protection.

    RE Which HIPS does a good job

    I have two arguments why classical HIPS will be less effective in practice when comparing them to behavioral HIPS (based on blacklisted intrusion patterns) or policy management HIPS:
    • The design flaw of classical HIPS.
    • Adding features is increasing the wrong decision chance by the user.

    The design flaw of classical HIPS
    I have experience with SSM and EQSecure (posted the first "how to" of EQSecure at Wilders). The classical HIPS defense architecture is to monitor all possible attack vectors (prevent non-whitelisted events). The simple fact that they do not monitor all possible attack vectors (of the SSDT) means that their implementation is always a best guess of their development team. Factually, you can check every classical HIPS on its hook settings with anti-rootkit programs. So this is a claim everyone can check for themselves.

    (Classical) HIPS like AE take a different approach; it tries to excel on one core aspect: the application firewall aspect. So the AE team has made an extensive analysis of all hooks in regard to this aspect and has achieved near 100% coverage on this sole aspect. This, their built-in list of all files containing executable code and their whitelist database make it a very successful HIPS (although it has far fewer features than D+, SSM, PS or EQS).

    The weak spot of classical HIPS: the user
    Increasing features and control granularity means increasing the knowledge demands of the user who is confronted with the pop-up decisions. This limits the usability of classical HIPS to PC users with a very thorough knowledge of what is happening on their PC.


    Last remark
    Due to the twist you're taking the discussion into, I can only give you credit (yeah, you are right) on the other aspects of your response. Although I do not think I contributed to the decline of former (classical) HIPS by addressing their weak spot, as to point out that a HIPS is not the solution for all problems. Think of the so-called bodyless malware (it is executed on one computer in the network and affects the others). Luckily the chances of being hit by such malware are the equivalent of being the victim of an airplane accident.

    Greetings Kees
     
    Last edited: Aug 29, 2008
  12. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Has anyone mentioned Dynamic Security Agent? It's pretty lightweight, as far as performance goes, and doesn't give too many popups. It does have network control and a basic incoming firewall. A memory leak has been noted by myself and others, YMMV.
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    :D And here's the same thought in a song (quoted in part) from Hawaii-nei...

    Guilty.:doubt:

    Point #1 is True -- but can you name ANY security application of ANY genre that has no flaws? I think that you cannot.

    The closest-to-perfect security apps that I know of are (IMO) Sandboxie & imaging programs. (Oh where has gone Eric with his "boot-to-restore" concerto?)

    As to Point #2 -- are you inferring that you sometimes make wrong decisions? :D

    Again, I ask you to name ANY security genre that has no flaws. A HIPS should be a layer in the user's security wall. NOT the "be all & end all."

    My offering HIPS definitions was a reaction to the introduction of DW into a discussion of HIPS. I still do not consider a policy-based sandbox to be a sub-category of HIPS -- but others disagree, so there is always room for discussion. My point is -- such discussion should usually take place in a thread devoted to that topic.

    In any event, DW is policy based, and I wonder how effective policy-based security will be in the long run? Policy-based systems largely follow the simplistic rule that "everything that is not explicitly permitted is forbidden." Your example of AE (AntiExecutable?) is one of the more extreme of these types of apps. IMO, a policy-based HIPS mostly follows the concept of "One strike & you're out."

    I prefer "expert-based" HIPS because they generally evaluate a *series* of actions before deciding whether a given process is up to mischief or not. Threatfire more or less falls into this category. Under some circumstances a given behavior is allowed, and under others, it is blocked. Take the matter of accessing system files. This action can be an activity of malware, but many benign apps also do this. However, it is the case that nasty processes will also try to modify a startup area in the registry before accessing system files. Thus, an expert-based system might not block (or pop-up) about a process trying to access a system file until after that process also undertakes other action(s) that typify malware actions. The drawback of all this is that the expert-system has to allow a malware to do a certain amount of activity BEFORE flagging it for blocking.

    The answer, of course, would be for the expert-based system to force a process to run inside a sandbox (or emulator?) before it blocks or allows it. Is there an expert-based system that has this ability? If there IS one, I'll buy it -- but I know of none. I expect they will come soon (I hope).

    The classical HIPS aspires to be an expert-based system, but puts the user into the place of its "expert." I enjoy TRYING to fulfill that role. Many folks do not.

    Don't forget "experts-at-large" such as Kees & Alcyon & some others here at Wilders.

    To wit --- Alcyon's rule set enables any EQS user to reap the benefits of Alcyon's extensive knowledge. The same is true with respect to the excellent configuration tips and rules for other HIPS that you have provided in threads here at Wilders. In other words, there is more than one way for a user to get an expert on the job when using a classical HIPS.

    However, I again cite the example of my elementary school computer users, who all have become fairly adept at using classical HIPS. They study & learn much more using a classical than would be the case if I allowed them to use something like DW or TF.

    If all critics were like you, it would be truly wonderful. Why? Because your criticisms actually help to improve HIPS. Your criticisms are POSITIVE, because they point out specific areas that need improvement. What I detest are critics of the NEGATIVE type, who speak in generalities and offer no evidence or substance or suggestions whatsoever. I expect that a security programmer's attitude toward negative critics is much the same as a fireplug's attitude toward dogs. ;)

    It's like there is a discussion of different models of automobiles. Then along comes someone saying, "Automobiles are no good. You can get there faster in a jet plane." :cautious:
     
    Last edited: Aug 29, 2008
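A small model of the difference described in the post above, added here as an example; it is not ThreatFire's code or any product's. The same CONSTRUCTED event stream is fed to a classical-style decision, which prompts on every sensitive action in isolation, and to an expert-style blocker that keeps per-process history and only blocks once a sequence (an autorun key write followed by a system-file write) or an accumulated score is seen. The traits, weights, threshold and the chain are assumptions chosen for the example.

```python
"""Single-event prompting versus sequence-based (expert) blocking.

Added illustration for this discussion; not code from ThreatFire or from
any HIPS in the thread. The event records, the suspicious traits, their
weights, the threshold and the autorun-then-system-file chain are all
assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass
class Event:
    pid: int
    image: str
    action: str      # reg_write | file_write | create_process | net_connect
    target: str


AUTORUN_KEYS = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
)
SYSTEM_DIR = "c:\\windows\\system32\\"
LOLBINS = ("cmd.exe", "rundll32.exe")

# Assumed weights; a process is blocked when its running score reaches
# THRESHOLD or when the traits in CHAIN have appeared in that order.
WEIGHTS = {"autorun": 2, "sysfile": 2, "spawn_tool": 1}
THRESHOLD = 5
CHAIN = ("autorun", "sysfile")


def classify(ev: Event) -> Optional[str]:
    """Map one event to a suspicious trait, or None if unremarkable alone."""
    target = ev.target.lower()
    if ev.action == "reg_write" and target.startswith(AUTORUN_KEYS):
        return "autorun"
    if ev.action == "file_write" and target.startswith(SYSTEM_DIR):
        return "sysfile"
    if ev.action == "create_process" and target.endswith(LOLBINS):
        return "spawn_tool"
    return None


def classical_decision(ev: Event) -> str:
    """Classical HIPS: every sensitive action, on its own, becomes a prompt."""
    return "ask_user" if classify(ev) else "allow"


def contains_chain(history: List[str], chain: Sequence[str]) -> bool:
    """True if chain occurs as an ordered subsequence of history."""
    it = iter(history)                 # shared iterator keeps the order
    return all(any(seen == wanted for seen in it) for wanted in chain)


class ExpertBlocker:
    """Keeps per-process history and decides on the series, not the event."""

    def __init__(self) -> None:
        self.history: Dict[int, List[str]] = {}
        self.blocked: Set[int] = set()

    def feed(self, ev: Event) -> str:
        if ev.pid in self.blocked:
            return "block"
        trait = classify(ev)
        if trait is None:
            return "allow"
        hist = self.history.setdefault(ev.pid, [])
        hist.append(trait)
        score = sum(WEIGHTS[t] for t in hist)
        if contains_chain(hist, CHAIN) or score >= THRESHOLD:
            self.blocked.add(ev.pid)
            return "block"
        return "allow"          # tolerated for now, but remembered


# Constructed event stream: an installer, a malicious attachment, a grey tool.
SAMPLE_EVENTS = [
    Event(100, "setup.exe", "file_write", r"C:\WINDOWS\system32\newlib.dll"),
    Event(100, "setup.exe", "net_connect", "update.vendor.example:443"),
    Event(200, "invoice.exe", "reg_write",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"),
    Event(200, "invoice.exe", "file_write",
          r"C:\WINDOWS\system32\drivers\kbdhook.sys"),
    Event(300, "tool.exe", "file_write", r"C:\WINDOWS\system32\x.dll"),
    Event(300, "tool.exe", "reg_write",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"),
    Event(300, "tool.exe", "create_process", r"C:\WINDOWS\system32\cmd.exe"),
]


def simulate(events: List[Event] = SAMPLE_EVENTS
             ) -> Tuple[List[str], List[str], Dict[int, List[str]]]:
    """Decisions of both styles on the same stream, plus what was tolerated."""
    expert = ExpertBlocker()
    classical = [classical_decision(ev) for ev in events]
    expert_decisions = [expert.feed(ev) for ev in events]
    return classical, expert_decisions, expert.history


if __name__ == "__main__":
    classical, expert_decisions, history = simulate()
    for ev, c, e in zip(SAMPLE_EVENTS, classical, expert_decisions):
        print(f"{ev.image:12} {ev.action:15} classical={c:9} expert={e}")
    print("tolerated before the block:", history)
```

Note what the expert engine tolerates before it acts: invoice.exe's autorun write (event 3) is allowed and is already on disk when the block comes at event 4, which is exactly the drawback the post describes, while the classical mode would have prompted on that first write. The installer's single system32 write, on the other hand, never turns into a prompt.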
  14. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches

    Yes, this was mentioned, but speaking from experience I did not notice any memory leak using XP.
    There may be problems when using Vista generally.
    An effective HIPS but noisier than Threatfire, DefenseWall.
    Am currently trialling DW. Seems terrific!

    edit: This thread started with the OP requesting a HIPS "that you would recommend for an average user", which would indicate K.I.S.S.

    However a good in depth article here CastleCops
     
    Last edited: Aug 29, 2008
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    And this has been my sticking point ever since SSM first came out. Compare SSM's hooking at the SSDT table level, as you say, with AVZ, IceSword, etc., and the measured differences point this out clearly.

    Sysmon.sys fills more of these attack vectors by hooking them than any other HIPS in existence. An incredible list that works.

    Other HIPS expose gaping gaps by leaving an awful lot of attack vectors wide-open for malware/rootkit attachment and maybe even displacing the protective one's themselves by virtue of this limited coverage.

    This is why I support SSM's design policy to hook at as many levels in the SSDT table as possible and in doing so cover equally as many attack vectors where rootkits and their drivers can lodge themselves in the same table.

    EASTER
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I didn't know that. Good information. Thanks!!!
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry, I did not intend to say that no software can be 100% tested; what I wanted to say is that classical HIPS don't cover the ground they need to cover. It is a misinterpretation that with EQS, for instance, or D+ you know what is going on in your PC. The thing is that you know it for at most 60% of the events, of which the development team of your classical HIPS has decided that they cover 95% of the zero-day attacks.

    The example of AE should make it clear that focusing on one attack vector (starting executables) is a much better approach than trying to cover them all.

    Do not miss out on LUA and SRP in an XP environment or, when you are not technically skilled or bought the wrong OS version, GeSWall and DefenseWall.

    Yes, often: that is called a learning curve :p Problem with us (old farts) is that it becomes harder to accept feedback/criticism with increasing age. Although youngsters also have some difficulty accepting feedback (even with the positive feedback approach).
    The virtual world is much more forgiving of mistakes than the real world. I have not found the boot-to-restore-image functionality on my son of nearly seventeen now. Would make bringing up children a lot easier.


    OKAY


    Bill, AE ensures security policy, but is not a policy-based HIPS; it is a classical HIPS focusing on preventing unwanted execution. As for DW and GeSWall, they are so good and user-friendly because they use the inverted whitelist approach: only restrict a few programs which could be a source of external data/code on your PC; what is not mentioned is trusted, only the mentioned ones are untrusted (running with limited rights). Policy management enforcement through the OS itself or security software will always have a future because all OSes are built around this principle.

    Keep an eye on Rising, Norton and ThreatFire, A2 Malware (with Ikarus engine). I guess the AVs will develop such functionality to enhance active heuristics.

    Thanks, I like the humorous twist in your posts; if I ever go to Hawaii, I will PM you, so we can have a drink somewhere.
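An example of the inverted-whitelist idea described in this post, added here; it is not DefenseWall's or GeSWall's code and it simplifies heavily (a real implementation restricts the process token and virtualises or denies writes in a driver). Everything runs trusted except the listed programs that bring outside content onto the machine, anything they spawn, and any executable they wrote; untrusted processes can read everywhere but cannot modify the assumed protected locations. The untrusted list, the protected prefixes and the scenario are assumptions made for the example.

```python
"""Inverted whitelist: all programs are trusted except a short list of those
that bring outside data onto the machine, plus whatever they spawn or write.

Added illustration of the approach discussed in the thread; it is not
DefenseWall's or GeSWall's code and simplifies heavily (a real product
restricts the token, file system and registry of the untrusted process
itself). The untrusted list, protected locations and scenario are assumed.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Programs that handle external content; only these start as untrusted.
UNTRUSTED_IMAGES = {"iexplore.exe", "firefox.exe", "outlook.exe",
                    "msimn.exe", "acrord32.exe", "winrar.exe"}

# Locations an untrusted process may read but never modify (assumed policy).
PROTECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "hklm\\",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
)


@dataclass
class Proc:
    pid: int
    image: str
    untrusted: bool


class InvertedWhitelist:
    """Trust by default; untrusted status is listed, inherited or carried."""

    def __init__(self) -> None:
        self.procs: Dict[int, Proc] = {}
        self.tainted_files: Set[str] = set()   # files written by untrusted code

    def start(self, pid: int, image: str, parent: Optional[int] = None) -> Proc:
        """Untrusted if listed, spawned by an untrusted parent, or an image
        that untrusted code wrote; otherwise trusted, with no prompt."""
        parent_proc = self.procs.get(parent)
        untrusted = (
            ntpath.basename(image).lower() in UNTRUSTED_IMAGES
            or image.lower() in self.tainted_files
            or (parent_proc is not None and parent_proc.untrusted)
        )
        proc = Proc(pid, image, untrusted)
        self.procs[pid] = proc
        return proc

    def check(self, pid: int, op: str, target: str) -> str:
        """Mediate a file or registry operation: 'allow' or 'deny'."""
        proc = self.procs[pid]
        if not proc.untrusted or op == "read":
            return "allow"
        lowered = target.lower()
        if lowered.startswith(PROTECTED_PREFIXES):
            return "deny"
        self.tainted_files.add(lowered)     # untrusted output stays untrusted
        return "allow"


def run_scenario() -> List[str]:
    """Constructed chain: a browser download, launched by the trusted shell."""
    box = InvertedWhitelist()
    out: List[str] = []
    box.start(1, r"C:\WINDOWS\explorer.exe")                       # trusted
    ie = box.start(2, r"C:\Program Files\Internet Explorer\iexplore.exe", parent=1)
    out.append("untrusted" if ie.untrusted else "trusted")
    out.append(box.check(2, "write", r"C:\Documents and Settings\bob\Desktop\setup.exe"))
    out.append(box.check(2, "write", r"C:\WINDOWS\system32\drivers\etc\hosts"))
    # explorer.exe (trusted) launches the download; the file itself is tainted
    dl = box.start(3, r"C:\Documents and Settings\bob\Desktop\setup.exe", parent=1)
    out.append("untrusted" if dl.untrusted else "trusted")
    out.append(box.check(3, "write", r"C:\WINDOWS\system32\wsock.dll"))
    out.append(box.check(3, "write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd"))
    out.append(box.check(3, "read", r"C:\WINDOWS\system32\kernel32.dll"))
    box.start(4, r"C:\WINDOWS\notepad.exe", parent=1)              # trusted
    out.append(box.check(4, "write", r"C:\WINDOWS\win.ini"))
    return out


if __name__ == "__main__":
    for step, decision in enumerate(run_scenario(), 1):
        print(f"step {step}: {decision}")
```

The scenario shows where the chain breaks: the download from the untrusted browser inherits untrusted status even though the trusted shell launches it, so its system32 and Run-key writes are denied with no question asked, while notepad.exe, on no list at all, is left alone. The single decision the user ever made was the list of six programs.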
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ahh, at last somebody who supports this insight. Not just somebody, but a Wilders member who did extensive testing for XPoff (if I recall his acronym properly) and was given credit for that when he joined Microsoft :p

    Thanks Easter

    Regards Kees
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Sorry? One strike of what? In fact, all the sandboxes just make an environment malware can't live with, whether they are policy-based or virtualization-based.
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    If you hook more SSDT entries it doesn't mean you cover more attack vectors.
     
  21. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976

    I thought that DSA v2 cut down on the number of alerts dramatically since v1.x. I tried it on XP SP3 a few days ago and it froze up on me.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks Ilya

    Then could you please explain why they even bother to set so many SSDT hooks to begin with? I agree this alone does not and cannot cover ALL attack vectors, but it must be useful for some of them, or why do they bother?

    Curious, thanks

    EASTER
     
  23. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I have no idea.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Me either. Probably a question more suited to its developers themselves.

    Still, this hooking routine from the SSDT Table to the Shadow Table appears to serve a serious purpose in helping to alert to violations on certain of those code instruction tables.

    Interesting material, i'll continue to study this further.

    EASTER
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Per your comment, I have placed these apps firmly under my scope.

    I have seen you comment favorably about Rising's HIPS in other posts. Can its HIPS module be run separately, or must I also run Rising's antivirus module?

    I sincerely hope you do! Have you ever been to a sushi bar? Also, what is your preference -- a good single malt, or...? :D
    ~~~~~~~~~~~~~~~~~~~~~~~~

    For instance, it is okay for InternetExplorer (IE) to access the internet, but it might NOT be okay if IE initiated modification of a system file.

    In other words, sandboxes don't have much of an "Ask the user" capability. This factor makes them simpler than a classical HIPS, but (IMO) it also makes them less flexible for fine-tuning.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Ilya, are you saying that more hooks to SSDT might not cover more attack vectors?

    OR -- Are you saying that hooks to SSDT is a totally useless thing to do?
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    Do you mean that you do not know the answer to Easter's question? Or do you mean that classical HIPS are hooking SSDT for NO reason whatsoever, and those hooks are therefore stupid and useless. Or what DO you mean? o_O
     
    Last edited: Aug 30, 2008