WHIPS (Windows Host Intrusion Prevention System)

Discussion in 'other anti-malware software' started by BrendanK., Mar 13, 2009.

Thread Status:
Not open for further replies.
  1. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    I found this bit of software very interesting as you can add what you want to be detected and blocked.

    You can choose your own system calls, which I think is really smart, because if you come up against a new threat you can just add a new system call for it.

    There is also a database in which you can find the specific rules you want. It's called an Access Control Database (ACD) that contains all rules defining system behavior.

    Oh...Did I mention it is OPEN SOURCE and FREE? :D

    http://whips.sourceforge.net/objective.html

    Here's a demo for it:
    http://www.robertobattistoni.it/video/whips_demo.htm
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    cool:thumb: thanks:thumb:
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Has anyone put this new one through any legitimate acid test yet?

    Any new HIPS can be of immense interest, as they all have different models & methods that they work with, so that hopefully it becomes at some point a very interesting and useful project for all.

    EASTER
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, it does not work on Vista according to the documentation, but it has a Vista install directory.

    It is a do-it-yourself HIPS to contain system calls. So, for instance, ThreatFire does not intercept system shutdown (because 99.9% of the time it is a legitimate action); with WHIPS you can set it to intercept the API call which, for instance, SystemShutdownSimulator sets. Only allow Explorer to close down the system.

    Maybe I will give it a try in the future. The overhead per system call interception varied from 27% to 9% according to the proof of concept document. So maybe I will write a few rules to intercept system shutdown, going into debugging mode, acquiring backup privileges, etc.


    Gave it a try but could not get the agent working to enter rules.

    Cheers
     
    Last edited: Mar 14, 2009
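The kind of rule Kees1958 describes above (intercept the shutdown call, allow it only for Explorer, leave every other call uninstrumented) modelled as a small policy engine. This is an added example, not code from WHIPS or from the thread; the rule format, class names and the sample event list are assumptions made for illustration, not the real Access Control Database format.

```python
from dataclasses import dataclass, field

# Constructed model of system-call containment in the spirit of the WHIPS
# Access Control Database discussed in the thread. Rule format, names and
# events are assumptions for illustration, not the real WHIPS ACD format.

@dataclass
class SyscallRule:
    syscall: str                  # intercepted call, e.g. "NtShutdownSystem"
    allowed_images: frozenset     # image names permitted to invoke it
    default: str = "deny"         # decision for images not listed

@dataclass
class Policy:
    rules: dict = field(default_factory=dict)

    def intercept(self, rule: SyscallRule) -> None:
        self.rules[rule.syscall.lower()] = rule

    def decide(self, image: str, syscall: str) -> str:
        """Return 'pass', 'allow' or 'deny' for one call.

        'pass' means the call has no rule and is not intercepted at all;
        only calls with a rule pay the interception overhead the thread
        quotes, so keeping the intercept list short keeps the cost down."""
        rule = self.rules.get(syscall.lower())
        if rule is None:
            return "pass"
        if image.lower() in rule.allowed_images:
            return "allow"
        return rule.default

def build_shutdown_policy() -> Policy:
    # The thread's idea: intercept shutdown and let only Explorer use it.
    policy = Policy()
    policy.intercept(SyscallRule("NtShutdownSystem", frozenset({"explorer.exe"})))
    return policy

# Constructed event log: (image name, system call invoked)
SAMPLE_EVENTS = [
    ("explorer.exe", "NtShutdownSystem"),
    ("SystemShutdownSimulator.exe", "NtShutdownSystem"),
    ("notepad.exe", "NtOpenFile"),
]

def evaluate(policy: Policy, events) -> list:
    """Apply the policy to each event; returns (image, call, verdict) tuples."""
    return [(img, call, policy.decide(img, call)) for img, call in events]

if __name__ == "__main__":
    for img, call, verdict in evaluate(build_shutdown_policy(), SAMPLE_EVENTS):
        print(f"{img:28} {call:18} -> {verdict}")
```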
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The demo looks very interesting. I like the syscall filters. It says it's compatible with 2K so I'll set up another testbox and give it a try.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It requires Net Framework to be installed. Couldn't get it to work on 2K. The system would reboot when the service started, endless cycle. Couldn't launch the agent.
     