Author Topic: Host Intrusion Prevention System  (Read 64512 times)


Dieselman

  • Guest
Re: Host Intrusion Prevention System
« Reply #105 on: March 31, 2011, 06:59:36 PM »
A firewall with HIPS was a great idea back in the vulnerable days of XP 32 bit. But since most PCs have Windows 7 64 bit on them there is no real need for a HIPS. Online Armor, OutPost and Comodo all have HIPS. Even KIS has a HIPS. NIS uses Sonar which is a BB. Avast has a BB. The need for a 3rd party firewall has decreased with the advances in security in Windows 7 along with the advancements in the Windows 7 firewall. I cannot stress this enough....................System Image. If you keep one then you will not worry anymore.

MAG

  • Guest
Re: Host Intrusion Prevention System
« Reply #106 on: March 31, 2011, 07:10:19 PM »
Hmm....
I have tried to follow the arguments (and ignore the many distractions) in this long thread.

My (inexpert) conclusion is that I still see so many reports of fake AVs being installed without a peep out of behaviour shields that I will stick with my HIPS for now.

But thanks for all the info.

Offline BJ_GeOrgE

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 350
  • prevention is better than cure
Re: Host Intrusion Prevention System
« Reply #107 on: March 31, 2011, 07:44:00 PM »
Hmm....
I have tried to follow the arguments (and ignore the many distractions) in this long thread.

My (inexpert) conclusion is that I still see so many reports of fake AVs being installed without a peep out of behaviour shields that I will stick with my HIPS for now.

But thanks for all the info.

i totally agree with you..tried to follow up but the last 7-8 pages are way off topic..i wonder why the moderator didn't lock or close the topic..anyway glad you managed to find information and make a conclusion ;)
OS:Windows 7 Professional 64-bit SP1
Antivirus: Avast Free v8.0.1497/Firewall: Windows Firewall/On Demand: Malwarebytes Free Edition/Other tools: CCleaner

MAG

  • Guest
Re: Host Intrusion Prevention System
« Reply #108 on: March 31, 2011, 08:15:23 PM »
Thanks - hope it helped you too in some way.

Forgot to mention - in deference to the conflict theorists I also intend to uninstall avast BS for the time being.

Dch48

  • Guest
Re: Host Intrusion Prevention System
« Reply #109 on: March 31, 2011, 11:01:35 PM »
Drakul, it is a way of speaking, coz BB or HIPS are "generally" associated to FW; like u say "the scope of a sniper rifle" (of course the scope is not fused with the rifle and sure, u can use the rifle without the scope, but less effectively.)

Comodo Firewall is renowned because its HIPS component (called DEFENSE + ) is a very very effective aspect of it. i have used it for a long time, believe me ^^ when u install Comodo Firewall, D+ is automatically installed, u can't uncheck it during the installation (like the BB of avast), then activated, but u can disable it later. it is why we used to say Comodo FW has a HIPS integrated (coz it is installed automatically).

if u take it word by word, Comodo is a FW with a HIPS component. (like the airbag of a car is a component of its security alongside the seatbelt)

comodo released first the firewall & D+ then added the antivirus to become a suite. it is why the AV of comodo is not among the top ones actually if used without D+ (still young but improving at every release).

i use MBAM and SAS too but i don't want their realtime aspect, it makes them a bit heavy for my taste. i prefer IMMUNET as a "companion AV" using a cloud system. Immunet is designed to run alongside most other AVs.
One part of this is wrong. If you get just the Firewall installer for Comodo, you can install it without the HIPS. I have done it. All you do is when you get the 3 options for how to install (I think they're called Max security, normal security, and Enterprise strength Firewall), you choose the last one, and what you wind up with is a 2-way Firewall with no HIPS component.
I'm on XP but after using D+ in Comodo for a year, I refuse to use any kind of HIPS again. I am using just the XP Firewall and I'm also behind a NAT router.

Dieselman

  • Guest
Re: Host Intrusion Prevention System
« Reply #110 on: March 31, 2011, 11:46:31 PM »
Good points Dch48. Although Comodo with D+ is pretty much worthless. I am also behind a 2Wire Gateway w full NAT.

MAG

  • Guest
Re: Host Intrusion Prevention System
« Reply #111 on: March 31, 2011, 11:49:52 PM »
Good points Dch48. Although Comodo with D+ is pretty much worthless. I am also behind a 2Wire Gateway w full NAT.
I think you mean Comodo without D+

(don't know if it's true or not - I just suspect that is what you meant)

Dieselman

  • Guest
Re: Host Intrusion Prevention System
« Reply #112 on: April 01, 2011, 12:28:38 AM »
Yes that is what I meant. Sorry typo. Thanks for catching it.

sded

  • Guest
Re: Host Intrusion Prevention System
« Reply #113 on: April 01, 2011, 12:30:50 AM »
Since there is a break in the fun, might as well flog this again with a simplified view.  The attachment is from OA, but D+ is quite similar.  A HIPS monitors the behavior of processes for any of the items called out in a list of potential malware activities.  The list can be set up to allow, block or ask, and hopefully after your system has run for a while you have sorted out everything into allow and block, with ask only for new processes.  Or for new actions by known processes.  Unfortunately, this is about the same list of activities you might look for malware to do.  The greatest utility of HIPS today is probably for making YouTube videos.  You sit someone down at a console, tell him that every popup will be malware, and ask him to decide to block or allow the popup.  Even one of the morons/idiots referred to earlier in this thread can probably handle this assignment.  You only score badly if you are "popup deficient".  If you sit him down with the same scenario and tell him that some of the popups might be malware, some might not, then you may end up with a lot of false positives and a bad score, so most testers don't do this.

But neither of these situations have anything to do with a user's problem.
The typical user will install new programs, see upgrades installed by existing programs, see some programs in new modes that were not previously accounted for, maybe even see some malware occasionally.  So now there might be dozens (hundreds?) of popups in say, a week, saying things like "process xxxx would like to set a global hook - allow or block?".  Global hooks are almost universal methods of monitoring messages within the system, used regularly by much of the software environment, and also much used by malware.  And pretty much a black art as far as users are concerned.  In a purely statistical sense, most all of what everyone sees will not be malware (unless you are a very nasty boy  ;) ).  So you get used to hitting "allow" since you will be right at least 9x% of the time and if you hit "block" you will need to figure out what to do next.  And when the malware comes around, you may well be conditioned to hit "allow" for it also, unless there is a glaring message from the HIPS like "THIS IS MALWARE AND IF YOU ALLOW IT YOU ARE DOOMED".  So lots of debate on the real utility of a HIPS except for things like Matousec advertising.  There were even some studies at the RSA Conference where a reasonably high percentage of users hit "allow" even with such a dire message.

So what can you do to help the user besides telling him "explorer.exe wants to set a global hook - allow or block?"  Avast! actually uses a combination of approaches.  One is the behavior blocker, where you look for patterns of behavior that are more indicative of malware than safe programs.  But even here there can be a lot of overlap between malware and safeware behavior.  Thus an opportunity for a HIPS to interfere: if you block (or allow in some cases) early with the HIPS, the BB never gets a chance to look for the pattern.  Another is sandboxing, where if you are uncertain and want to be safe you can run the program and capture the results in a sandbox until you can make a decision on its safety.  This can cause a lot of repeated executions, but allows the gathering of additional data without endangering your system.  And same issue with a HIPS involved.

Of course all of this only occurs after best efforts of the firewall to not let the connections be made in the first place and to remove malware on the AV side so it doesn't get into your system at all, but with the tremendous rate of malware growth, there will be something to look at.  So lots of static analysis beyond mere signatures.  Whitelisting of known good programs is currently popular, although the problem is complicated by lots of existing unsigned programs with questionable pedigree.  Blacklisting just can't keep up with the current malware barrage.  Heuristics, even AI driven heuristics show up in several systems.
 
I kind of like the Prevx approach, but there are lots of moral objections to it-like privacy; there is no opting out.  All of the users are treated as collection nodes, with a data center (cloud) monitoring them in real time.  The hope is that after the first few users get hosed, you can get out the word to the rest of your clients quickly.  As long as you are not one of the earliest hosees, has some promise.  And it is difficult to imagine a very large user community being talked into it.  But glad I am not in the antimalware business.  :)
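The post above describes two distinct mechanisms: a HIPS that holds a per-process, per-action list of allow/block/ask verdicts (asking for anything unknown), and a behaviour blocker that scores the *pattern* of actions a process performs rather than each action alone. The following is an added example written for this page, not code from Online Armor, Comodo D+ or avast!, and not the poster's own. It models both mechanisms on a constructed event stream so you can see why the HIPS prompt count climbs on ordinary activity while the pattern scorer only lights up on a full drop/persist/beacon chain (and partially on a legitimate updater, illustrating the overlap the post mentions). The action names, process names and the suspicious chain are all assumptions chosen for the illustration.

```python
"""Toy HIPS rule engine plus a behaviour-blocker scorer.

Added example for illustration; not the code of any real product.
All action names, process names and events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"


# The "list of potential malware activities" a HIPS hooks. Assumed names.
MONITORED_ACTIONS = frozenset({
    "set_global_hook", "modify_autorun", "write_system_dir",
    "inject_into_process", "outbound_connect",
})


@dataclass
class HipsPolicy:
    """Per-(process, action) verdicts learned as the user answers prompts.

    Anything not yet in the table falls through to ASK, which is exactly the
    case that generates the popups discussed in the thread.
    """
    rules: dict = field(default_factory=dict)  # (process, action) -> Verdict

    def evaluate(self, process: str, action: str) -> Verdict:
        if action not in MONITORED_ACTIONS:
            return Verdict.ALLOW  # not something the HIPS watches at all
        return self.rules.get((process, action), Verdict.ASK)

    def remember(self, process: str, action: str, verdict: Verdict) -> None:
        """Persist the user's answer so the same question is not asked again."""
        self.rules[(process, action)] = verdict


def run_event_stream(policy, events, user_answers):
    """Replay (process, action) events through the policy.

    `user_answers` maps a process name to the verdict the user picks when
    prompted, simulating the conditioned "allow, allow, allow".
    Returns (list of (process, action, verdict), number of prompts shown).
    """
    verdicts, prompts = [], 0
    for process, action in events:
        verdict = policy.evaluate(process, action)
        if verdict is Verdict.ASK:
            prompts += 1
            verdict = user_answers.get(process, Verdict.BLOCK)
            policy.remember(process, action, verdict)
        verdicts.append((process, action, verdict))
    return verdicts, prompts


# Behaviour-blocker side: one global hook is ambiguous, so score the ordered
# chain of actions per process instead. Assumed chain for illustration.
SUSPICIOUS_CHAIN = ("write_system_dir", "modify_autorun", "outbound_connect")


def behaviour_score(events):
    """Return {process: score}; 3 means the whole chain was seen, in order."""
    per_process = defaultdict(list)
    for process, action in events:
        per_process[process].append(action)
    scores = {}
    for process, actions in per_process.items():
        idx = 0
        for action in actions:
            if idx < len(SUSPICIOUS_CHAIN) and action == SUSPICIOUS_CHAIN[idx]:
                idx += 1
        scores[process] = idx
    return scores


# Constructed sample: mostly benign activity plus one process that does the
# full chain. Names are made up for the example.
SAMPLE_EVENTS = [
    ("explorer.exe", "set_global_hook"),
    ("updater.exe", "write_system_dir"),
    ("updater.exe", "modify_autorun"),
    ("explorer.exe", "set_global_hook"),   # already answered: no prompt
    ("explorer.exe", "outbound_connect"),
    ("sample_bad.exe", "write_system_dir"),
    ("sample_bad.exe", "modify_autorun"),
    ("sample_bad.exe", "outbound_connect"),
]
# A conditioned user who clicks "allow" for everything, as the post argues.
SAMPLE_ANSWERS = {"explorer.exe": Verdict.ALLOW, "updater.exe": Verdict.ALLOW,
                  "sample_bad.exe": Verdict.ALLOW}


def demo():
    """Prompts shown by the HIPS, and the behaviour scores, for the sample."""
    policy = HipsPolicy()
    _, prompts = run_event_stream(policy, SAMPLE_EVENTS, SAMPLE_ANSWERS)
    return prompts, behaviour_score(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(demo())
```

On the sample, 7 of the 8 events produce a prompt and the user allows every one of them, so the HIPS table ends up permitting the bad process outright; the pattern scorer, by contrast, gives the bad process a full score of 3 and the updater 2, which is the overlap problem: the scorer needs to see the whole chain, and a HIPS that blocks (or allows) early takes that chance away.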

Dieselman

  • Guest
Re: Host Intrusion Prevention System
« Reply #114 on: April 01, 2011, 01:02:42 AM »
sded good explanation. But honestly I find HIPS rather annoying. I tried OA 5.0 and was disgusted at how many pop ups I had even after selecting "Trust everything". Yes there is a learning curve but I would rather be infected with a rogue than deal with "Hey do you want xyz.exe to run?". Whatever. 90% of the average PC users would go nuts using a HIPS. People are too paranoid nowadays. Why use so much security? Why even bother turning on your PC if you are going to be so paranoid. Who cares if you get infected. It's not the end of the world if you prepare for it.

I did a test...........4 of them as a matter of fact. I completely uninstalled NIS, which I was using at the time, and disabled WD and Windows Firewall. I went to MDL and downloaded about 30 malicious links. I had rogues everywhere. I rebooted and could not even access anything. My PC was useless. I popped in my Kaspersky Rescue CD and did a complete full scan. After that clean up I was able to use my PC normally and then clean up with MBAM and HMP. I also used Paragon and mounted a new image. Both ways, 2 each, worked just fine. A new image was faster and cleaner. What's my point...............Relax people and enjoy your PCs. Stop packing on the security and think smarter. HIPS is a great means of protection if you're willing to deal with all the pop ups. Especially the one which asks you "What color underwear are you wearing?".

Mounting a new image from external HDD = 1 hour
Using the Kaspersky Rescue CD,MBAM and HMP = 3 hours
« Last Edit: April 01, 2011, 01:17:37 AM by Dieselman »

sded

  • Guest
Re: Host Intrusion Prevention System
« Reply #115 on: April 01, 2011, 01:22:48 AM »
I have seen reports of "forgetting" and believe OA is working it as a bug; rarely see unexpected popups myself.  But I have been importing settings through the various betas.  One thing worth looking at periodically is the trusted status in the "Programs" tab to be sure that trustable processes are in fact trusted.  And yes, I make an image whenever there is a significant reason.  Fortunately, with gmail, I will never lose my mail anyway.  But still need to watch the firewall itself for backdoors and such that send data out.

timcan

  • Guest
Re: Host Intrusion Prevention System
« Reply #116 on: April 01, 2011, 01:33:42 AM »
Mounting a new image from external HDD = 1 hour

Hi, what size image file? just curious, thanks  :)

Dieselman

  • Guest
Re: Host Intrusion Prevention System
« Reply #117 on: April 01, 2011, 01:38:33 AM »
Well the image is compressed of course when it's on your external HDD. I have a 320GB internal and a 500GB external. My internal drive has about 100GB on it. So I still have plenty of room.

Dieselman

  • Guest
Re: Host Intrusion Prevention System
« Reply #118 on: April 01, 2011, 01:40:12 AM »
I have seen reports of "forgetting" and believe OA is working it as a bug; rarely see unexpected popups myself.  But I have been importing settings through the various betas.  One thing worth looking at periodically is the trusted status in the "Programs" tab to be sure that trustable processes are in fact trusted.  And yes, I make an image whenever there is a significant reason.  Fortunately, with gmail, I will never lose my mail anyway.  But still need to watch the firewall itself for backdoors and such that send data out.

Well you're an OA mod (aka former Comodo mod) and can deal with HIPS. I used to like it but just got sick and tired of clicking "allow, allow, allow". If I want to run something on my PC then that's what I want to do. I don't need to be questioned about it. It's my PC after all, correct?

sded

  • Guest
Re: Host Intrusion Prevention System
« Reply #119 on: April 01, 2011, 01:49:03 AM »
Yes; I also have an AIS license for one of my computers and often remove OA and do beta testing of Avast! with that configuration.  Also run Avast! free and Windows 7 firewall on yet another computer as baseline.  But since OA has gotten pretty quiet for me (and I don't know why it doesn't for all users if you trust everything) not really intrusive.  If I still got lots of popups it would be fixed or gone.   I ran Kerio 2.1.5 for years before I ever even heard of a HIPS.  :)