Which is the best way to learn to use HIPS?

Discussion in 'other anti-malware software' started by RootAccess, Apr 25, 2008.

Thread Status:
Not open for further replies.
  1. RootAccess

    RootAccess Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    64
    Hi

    i have lots of free time.

    many popups ask about things I don't know

    for example, control set wants control of svchost

    i say allow all but that's not the best way right? How to tell good from bad prompts?

    THANKS
     
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Thats the downside of HIPS. They depend on user choices...
    Maybe you could start using a behavior blocker like ThreatFire. There are far less popups, it's easy when you don't have the experience.
     
  3. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    Agreed.
    I've tried many classical HIPS and Behaveral blockers, my fav though is the policy based.
     
  4. RootAccess

    RootAccess Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    64
    i already have threatfire

    how did you learn how to use hips... starting out?
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    RootAccess,

    I think most of us started with an easy one like ProcessGuard, switching over to SSM free, EQSecurity, D+ etc.

    After testing many I agree with LoneWolf, have a look at GeSWall or DefenseWall. The next version of DefenseWall 2.4 will be amazing with resource protection of classical HIPS to go on untrusted programs and lots of build in lists.

    At current DW is one of the strongest. DW and TreatFire is a strong combo when you have a relative new CPU.

    Regards K
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't like security softwares with multiple-choice questions. If a software doesn't know the answer, why asking me ? I'm not the expert.

    I have 50% chance to answer right, that's not security, that is gambling. If I'm wrong I infect myself, that's suicide.

    Even ThreatFire was too much for me, that's why I use Anti-Executable, which says always NO.
     
  7. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    My neighbor's daughter Kelli is taking computer science at our state university. Here is a summary of what her Computer Science professor recommended when she asked him about using a HIPS on her home computer...

    A- To begin with, he recommended that she select a HIPS that gives good information when it pops-up an alert. That is, the HIPS should provide alerts that are very clear and detailed as to exactly WHY it has issued an alert. Furthermore, each alert should also indicate the "risk" factor of the type of action that it is alerting you to. (According to him, any HIPS that frequently leaves you wondering WHY it popped up, and WHAT to do about it, is poorly designed and shouldn't be used.)

    B- Secondly, he told her to be reasonably certain that her computer is clean of malware BEFORE installing any HIPS. {Reason: when the HIPS is installed, it will be put in "learning mode" and, during that time, will accept all actions & processes as being "safe."}

    *** Kelli told me that she did two scans before installing HIPS -- for the first scan she used her computer's installed antivirus. For the second, she used an online scan by Prevx CSI.

    B- Thirdly, he told Kelli that, after installing the HIPS, she should put it into "learning mode" and then do each and every computer action which was part of her daily, weekly, and monthly routines. In other words, he wanted Kelli to show the HIPS the activities and programs and processes that are usual, normal, and safe.

    *** Kelli told me that it took her a little over three hours to install & "train" the HIPS she selected. Since then, according to her, the HIPS has rarely popped an alert, and she has easily understood all of them so far. (Your mileage may vary, of course.)

    P.S. Kelli selected her security AV and her HIPS based on her professor's recommendations. Without naming brands, I can tell you that Kelli's professor greatly respects the technical proficiency of two guys named Mike -- Mike, the antivirus guy; & Mike, the HIPS guy.
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    This case is useful only for classical and blacklisting HIPS. "Professor" is definitely unaware of sandboxes and whitelisting HIPS.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I would never consider my computer as clean, after running two scanners in an used system partition, that has been on-line.
    A fresh installation from scratch is the only way to get a clean and unused system partition and you can do this only one time.
     
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Scanning with two, four or more antivirus softwares doesn't mean you're clean even if they say you are.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Question : can you configure a classical HIPS in LEARNING MODE completely without internet connection (= off-line) For example : SSM ?
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I believe the prof is quite aware of all types of security apps. In addition to teaching, he is a principal in 3 nationwide consulting firms.

    The OP appeared to center on classical HIPS. That is what Kelli wanted & installed, so that is what I reported on. No slight was intended to other types of HIPS -- I have great respect for Ilya & for his superb security app (DW), as does Professor Gleason.

    @Eric- Yes, you can. However, those HIPS that monitor connections (such as SSM & ProSec) would not be "fully trained" about that specific aspect of those processes that connect (e.g., Email clients, browsers, etc). Thus, after shutting the learning mode, one should still expect pop-up alerts when using the internet. Furthermore, some HIPS have databases of trusted apps - if an app was on the trusted list, it would not likely generate many (or any) pop-ups, even if it had not been fully trained.
     
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Regardless to what any one says it sounds like pretty sound advice to me.
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Ah, I see. She asked for a classical HIPS choice advise. Yes, this case it is 100% reasonable. I was just wondering why he mentioned learning mode as there are HIPS types that doesn't have it by design. Now it is clear for me. I just thought Kelli asked for overall HIPS, but she asked about special type of it.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    The best way to learn HIPS is to understand how the operating system works. Once you know what calls what where and when, then understanding the prompts becomes a simple matter.

    Installing HIPS and then trying to figure out what happens is a topdown approach. I prefer bottomup. Get the fundamentals, everything else is easy.

    I can say I've personally gone through this in Linux. You'll never fully control the system unless you understand the basic. And I'm getting more and more and deeper into the roots. And then, things that happen around feel simple and natural.

    For instance, you can correctly guess registry prompts, but that does not mean much, if you don't understand the structure of the registry and what it does.

    Mrk
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Sound advice indeed.

    There are a number of quick and dirty "cheat-sheet" methods that allow you to use a HIPS to somewhat reasonable effect without knowing just what the hell is going on, but to craft effective policies and wield such a tool to its full potential, one really needs to understand the underlying OS functions and malware principles.
     
  17. Dogbiscuit

    Dogbiscuit Guest

  18. Makav3l1

    Makav3l1 Registered Member

    Joined:
    Nov 26, 2007
    Posts:
    241
    Use one.
     
Loading...
Thread Status:
Not open for further replies.