Author Topic: AIS Firewall vs HIPS  (Read 8489 times)

Offline justinlee

  • Poster
  • *
  • Posts: 400
AIS Firewall vs HIPS
« on: June 11, 2011, 10:11:44 AM »
Ok, I know this has been covered before, so apologies for starting another thread about this, but I am still a little confused even after searching Google. I understand some of the differences between AIS firewall and a HIPS firewall, but what I don't understand is why people choose, for example, Comodo over the AIS firewall?

I have always just used AIS' firewall and have never had problems. So, what I really need to know is...

1. Why would someone dump AIS firewall and go with a HIPS?
2. What are the main advantages/disadvantages of HIPS?


Because so many people here appear to use HIPS and I am thinking of trying it myself, but I really do not know if it is worth me doing so  :-\
« Last Edit: June 11, 2011, 10:24:49 AM by justinlee »
Windows 7 Home Premium (64-bit) SP1,
Intel Core i5-2410M @2.30GHz, 6GB RAM
AvastFree Antivirus & ZoneAlarm Free.

MAG

  • Guest
Re: AIS Firewall vs HIPS
« Reply #1 on: June 11, 2011, 11:11:01 AM »
It seems you don't actually have to remove AIS FW to try a HIPS (D+).

I got the advice below from Tech - I can't claim to have tried it myself yet, but it comes from a trustworthy source :)

Disable avast firewall permanently.
Boot.
Install Comodo firewall + Defense+.
Boot.
Disable Comodo firewall.
Boot.
Enable avast firewall.

My concern was the rather poor record of non-HIPS AV/FW systems in stopping fake AVs

http://forum.avast.com/index.php?topic=78415.msg647715#msg647715
« Last Edit: June 11, 2011, 11:17:36 AM by mag »

Offline justinlee

  • Poster
  • *
  • Posts: 400
Re: AIS Firewall vs HIPS
« Reply #2 on: June 11, 2011, 02:36:34 PM »
But why would you choose a HIPS firewall? What are the main benefits over AIS' firewall? If everyone is going for a HIPS firewall it is suggesting that AIS firewall is not sufficient.

Why is AIS firewall not HIPS??

rdmaloyjr

  • Guest
Re: AIS Firewall vs HIPS
« Reply #3 on: June 11, 2011, 02:42:22 PM »
I recommend WinPatrol with AIS, WinPatrol has all the HIPS that I need. :)

sded

  • Guest
Re: AIS Firewall vs HIPS
« Reply #4 on: June 11, 2011, 03:06:17 PM »
See previous discussion at http://forum.avast.com/index.php?topic=78200.msg647021#msg647021 . But a HIPS is for those who want to watch basic functions of a process that might (or might not) indicate malware and allow/deny them for other reasons. See attached OA list; others are similar. The HIPS can cause a lot of questions for new programs, so HIPS extensions try to use better messages/whitelists/blacklists/sandboxes/whatever to cut down the load on the user. And still refer to themselves as HIPS. But if you get a message that "program xyz wants to set a global hook" (real HIPS message) you had better know what a global hook is and have some idea whether it makes sense for that application to make an allow/deny decision. Or have faith in the non-HIPS functions that have been added.
Avast! firewall is set up as a quiet firewall, assumes that it is too difficult for the mainstream user (most of the 160M) to figure the HIPS piece out, and it is better to rely on system elements like behavior shield, netshield, and the automatic sandbox to provide protection and make fewer mistakes.  HIPS programs seem to be migrating to these additions in any case.
So people will argue endlessly about the value added vs the nuisance value of HIPS, and how to make them more accessible to the average user. Whoever that is (Hint: doesn't come to the forum and has never heard of Matousec or a global hook  ;) ).
But like others have said, you can add in a HIPS and see if you think it is useful enough to keep.  I don't use one with AIS, just when beta testing OA.
« Last Edit: June 11, 2011, 03:21:58 PM by sded »

DBone

  • Guest
Re: AIS Firewall vs HIPS
« Reply #5 on: June 11, 2011, 05:29:01 PM »
I have WinPatrol Plus alongside AIS, and it works well.

Nesivos

  • Guest
Re: AIS Firewall vs HIPS
« Reply #6 on: June 11, 2011, 07:13:08 PM »
See more discussion of this here:

http://forum.avast.com/index.php?topic=57229.0


The easiest and best way to improve the security of your Windows system is to use Windows 7 x64. :) :) for starters.

Quote
Avast!'s GMER Technology Gets Top Score in Rootkit Detection Tests
GMER version 1.0.15 wins comparative test of 12 anti-rootkit programs by Anti-Malware Labs

The biggest risk is to people running the 32 bit operating systems such as Windows XP. "We find that most of our behavior-based rootkit detections are on 32 bit systems," explained Mr. Trs. "With a 64 bit operating system, users are safer as this does not allow drivers to be loaded without a certificate, significantly reducing the chances of rootkit infection."


https://www.prbuzz.com/technology/46112-avasts.html

« Last Edit: June 11, 2011, 07:34:37 PM by Nesivos »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: AIS Firewall vs HIPS
« Reply #7 on: June 11, 2011, 09:20:19 PM »
Quote
Why is AIS firewall not HIPS??

Because one thing is a firewall and a different one a HIPS program.
They could be bundled together (like Comodo, Online Armor), but not in avast's case.
They want to have a silent firewall and HIPS is, by definition, a "noisy" technology.
The best things in life are free.

Hermite15

  • Guest
Re: AIS Firewall vs HIPS
« Reply #8 on: June 11, 2011, 10:22:10 PM »
@the OP: comparing apples to apples would be a good thing to start with ;)

Offline JuninhoSlo

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 849
Re: AIS Firewall vs HIPS
« Reply #9 on: June 12, 2011, 12:08:41 AM »
Does HIPS firewall give you better protection than Avast Firewall? 

bellgamin

  • Guest
Re: AIS Firewall vs HIPS
« Reply #10 on: June 12, 2011, 12:10:37 AM »
A sample (not exhaustive) list of *typical* classical HIPS abilities:

1- Enables the user to make very extensive configurations.

2- Can often detect zero-day malware/threats/exploits that might be missed by blacklist-based security apps.

3- Leaves most decisions to the user. That is, it alerts the user to what MIGHT be a nasty, and gives the user choices such as Allow, Block, or Kill -- with sub-options of "This Time" or "Always".

4- In the hands of a careless or lazy user, a classical HIPS will be of less value than a Behavior Blocker (BB). Why? Because BBs tend to make many decisions based on artificial intelligence ("expert-based"), and thus present fewer alerts requiring user decision. HOWEVER, in the hands of a conscientious user who enjoys doing a bit of research from time to time, a classical HIPS gives very VERY powerful protection.

5- Process Execution- The HIPS alerts its user whenever any unknown process (a process not on its whitelist) tries to execute and gives the user choices such as...

a- Allow it to start (once)
b- Allow it to start and add it to the white list of approved applications
c- Block it from starting (once)
d- Block it from starting and add it to blacklist
e- Terminate the process

6- Child/Parent control- Allows user to specify not only which processes can start, but also which processes (children) can be started BY which processes (parents).

7- Process Termination- HIPS can protect specified processes from termination attempts (including thread suspension methods) or give the user a chance to intercept such termination attempts.

8- Process Modification- This feature protects critical processes from being manipulated and modified. This includes attacks such as code/memory injections as well as protection against remote thread creation/suspension/injection.

9- Access to physical memory- Blocks access to physical memory, which allows kernel access.

10- Global hook control- Provides control of hooking done by Windows programs, which is often but not always associated with keylogging. Some HIPS also provide blocking of other keylogging polling techniques like GetKeyState, AsyncKeyState.

11- Service/Driver control- Alerts to software that requires drivers and services. Such programs if malicious can be dangerous because they work in ring zero (kernel access).

12- System Shutdown protection- Warns whenever a process attempts to shut down the whole system.

13- Network control- Enables user to control network connections on a process-by-process basis.

14- Startup control-registry- Monitors and blocks changes to registry relating to auto startups.

15- Startup control-files -- Entries in registry keys are not the only way for malware to register themselves for autostartups. HIPS monitor such file and directory locations as well (e.g. startup folder or old style win.ini type files).

16- Some HIPS can protect or monitor any specified file or folder.

17- Monitor sensitive areas- Provides warning when files (win.ini, hosts, system files, etc.) are being modified/deleted or if new files are being added.

18- Block low level disk access- Provides warning when low level disk access, e.g. access to \Device\Harddisk0\DR0, occurs. This can prevent such things as Killdisk-type trojans that trash your hard disk.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE 1: A HIPS is a type of firewall. There are TWO main types of firewalls:

1- "Conventional Firewall" -- a firewall between the Operating System and the internet.

2- "Classical HIPS" -- a firewall between applications and the kernel of the Operating System.

NOTE 2: Most stand-alone firewalls (FW) include BOTH a conventional FW & a HIPS-type FW.

4 examples of apps with BOTH types of FW (conventional FW & HIPS-FW): Outpost FW, Private FW, Online Armor FW, Comodo Firewall. In each example, the HIPS components can be "switched off" &/or not installed.

NOTE 3: WinPatrol : HIPS :: Toy Poodle : Rottweiler
  
« Last Edit: June 12, 2011, 12:14:13 AM by bellgamin »
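
The process-execution and child/parent controls in items 5 and 6 of the list above, modelled as an added example (not part of the original post and not any HIPS product's code). The process names, rules and user answers are constructed for illustration:

```python
from dataclasses import dataclass, field
@dataclass
class HipsPolicy:
    whitelist: set = field(default_factory=set)        # images always allowed to start
    blacklist: set = field(default_factory=set)        # images always blocked
    parent_rules: dict = field(default_factory=dict)   # parent -> children it may start

    def check(self, parent, child):
        """Return 'allow', 'block' or 'ask' for parent starting child."""
        parent, child = parent.lower(), child.lower()
        if child in self.blacklist:
            return "block"
        # Item 6: a restricted parent may start only its listed children,
        # even when the child is on the general whitelist.
        permitted = self.parent_rules.get(parent)
        if permitted is not None and child not in permitted:
            return "block"
        return "allow" if child in self.whitelist else "ask"

    def answer(self, child, choice):
        """Apply the user's reply to an alert (item 5, choices a-e)."""
        if choice not in ("allow_once", "allow_always", "block_once",
                          "block_always", "terminate"):
            raise ValueError(f"unknown choice: {choice}")
        if choice == "allow_always":
            self.whitelist.add(child.lower())
        elif choice == "block_always":
            self.blacklist.add(child.lower())
        return "allow" if choice.startswith("allow") else "block"

def replay(policy, events, answers):
    """Run (parent, child) launch events; return (verdict, prompted) pairs."""
    out = []
    for parent, child in events:
        verdict, prompted = policy.check(parent, child), False
        if verdict == "ask":  # unknown image: the user decides
            verdict = policy.answer(child, answers.get(child.lower(), "block_once"))
            prompted = True
        out.append((verdict, prompted))
    return out

# Constructed sample: hypothetical rules, launch events and user answers.
def demo():
    policy = HipsPolicy(whitelist={"explorer.exe", "winword.exe", "cmd.exe"},
                        parent_rules={"winword.exe": {"splwow64.exe"}})
    events = [("explorer.exe", "winword.exe"), ("winword.exe", "cmd.exe"),
              ("explorer.exe", "newtool.exe"), ("explorer.exe", "newtool.exe"),
              ("explorer.exe", "unknown_tmp.exe"), ("explorer.exe", "unknown_tmp.exe")]
    return replay(policy, events, {"newtool.exe": "allow_always"})
```

In the replay, an "always" answer silences later alerts for that image, while a "once" answer prompts again on every launch, which is the alert load the thread calls "noisy".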

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: AIS Firewall vs HIPS
« Reply #11 on: June 12, 2011, 01:11:05 AM »
Quote
Does HIPS firewall give you better protection than Avast Firewall?

If you think on firewall work, no.
If you think in general security, yes. But it's another program, not the firewall itself.

Nesivos

  • Guest
Re: AIS Firewall vs HIPS
« Reply #12 on: June 12, 2011, 01:43:44 AM »
Quote
Does HIPS firewall give you better protection than Avast Firewall?
If you think on firewall work, no.
If you think in general security, yes. But it's another program, not the firewall itself.

Isn't that the integrated version of GMER?

Dch48

  • Guest
Re: AIS Firewall vs HIPS
« Reply #13 on: June 12, 2011, 02:03:47 AM »
If you want to be notified of everything every application wants to do (99% of the time safe and necessary) to be able to function, then you will like a HIPS program. If, on the other hand, you just want ease of use while still maintaining a high level of security, then you will find HIPS extremely annoying and would prefer the approach Avast and Norton use in their firewall implementation.

Offline justinlee

  • Poster
  • *
  • Posts: 400
Re: AIS Firewall vs HIPS
« Reply #14 on: June 12, 2011, 02:15:41 AM »
Thanks for all your replies, this helps me a lot :)