Other similar products
These products monitor a few areas of the system, such as the registry, in order to detect malware behaviour.
Most of them are not integrated into the core of the system (the kernel) and so do not operate at a low level: except for the specialised registry products (RegRun, RegDefend, Principal Antivirus) and Trust-no-Exe, their effectiveness is very limited compared with a comprehensive personal HIPS.
Most of them can be considered antispyware tools, and a few (Winsonar, WinPatrol or Autorun3) are an interesting choice for a first approach to, and training with, behavioural blockers.
Similar products
These products merely monitor certain areas of the system, such as the registry, in order to detect malicious behaviour.
Most of them are not integrated into the core of the system (the kernel) and therefore cannot intercept system calls (the API).
Apart from registry protection tools such as RegRun or RegDefend, and Trust-no-Exe, these products therefore offer incomplete and limited protection.
However, some of them, such as Winsonar, Autorun3 or WinPatrol, are interesting choices for a very first approach to behavioural blockers.
Registry firewalls and blockers
-GRR: Greyware Registry Rearguard (update 01/04)
-RegDefend
Update 01/04: RegDefend and AppDefend are now integrated into one product:
Ghost Security Suite (beta)
-RegFreeze
-RegRun
-Resplendence/Principal Antivirus
NB. Despite its name, this product is not an antivirus (a marketing choice).
-Mj Registry Watcher
(and so on)
Registry and process monitors
-Autorun3
-Arovax Shield
-GeekSuperhero
-Viruskeeper
-Winfortress (integrates a sandbox)
-WinPatrol (free and paid versions)
-Winsonar
Executable filters and application firewalls
-Foff
-ProcAlert
-SovietProtector (confirmation dialog for every execution)
-Special Exe Password Protector
-Trust-no-Exe
NB 1. This product is interesting on a computer shared by several users (children, friends and so on): the administrator can restrict access to applications and prevent unauthorised installations.
The product runs as a service backed by a kernel driver, and is configured from the Control Panel.
For a tighter configuration, avoid the default setting (an allow list by folder) and authorise executables one by one: with a folder-based list, any executable dropped into an allowed folder is permitted to run.
In that case, a free tool such as ExeHound can help build the list.
This freeware is useful for preventing the unauthorised execution of applications (and therefore the installation of new software on the system).
It is nevertheless advisable to configure the authorisation list .exe by .exe (with the help of a tool such as ExeHound), rather than by folder as in the default configuration.
NB 2. ExeLockdown is a paid product based on Trust-no-Exe, with two additional features: password protection and a search engine for executables.
If we protect the administrator account and only let other people log in as users (limited rights), they have no access to the configuration (so the password is unnecessary); and if we use ExeHound as a search engine for executables, we end up with the same features as ExeLockdown.
$29.95! Isn't that the price of greed?
-Winblox
-WinPooch
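To make the allow-list point in NB 1 above concrete, here is an added example written for this page (it is not Trust-no-Exe's, ExeHound's or ExeLockdown's code). It models the two policies in Python: a folder-based allow list, like the default configuration, against a per-executable list. The per-executable list here is keyed on each file's SHA-256, which is an assumption of this example and stricter than a per-path entry. The directory layout, file names and file contents are constructed for the demonstration.

```python
"""Folder-based vs. per-executable allow lists (added example, not a product's code).

Constructed scenario: an administrator enrols one legitimate program, then a user
drops a new binary into the allowed folder, and later the enrolled binary is
overwritten in place. Each policy is asked whether it would let the file run.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def folder_policy(exe_path, allowed_dirs):
    """Default-style policy: anything located under an allowed folder may run.

    Paths are resolved first so that '..' segments or symlinks cannot make a file
    outside an allowed folder look as if it were inside one.
    """
    real = os.path.realpath(exe_path)
    for d in allowed_dirs:
        d_real = os.path.realpath(d)
        if os.path.commonpath([real, d_real]) == d_real:
            return True
    return False


def hash_policy(exe_path, allowed_hashes):
    """Per-executable policy: only a file whose SHA-256 was enrolled may run."""
    return sha256_of(exe_path) in allowed_hashes


def demo():
    """Run the constructed scenario and return each policy's decision."""
    with tempfile.TemporaryDirectory() as root:
        progs = os.path.join(root, "Program Files")  # constructed allowed folder
        os.makedirs(progs)

        legit = os.path.join(progs, "editor.exe")  # constructed enrolled program
        with open(legit, "wb") as f:
            f.write(b"MZ legit editor (constructed sample)")
        allowed_hashes = {sha256_of(legit)}  # enrolled by the administrator

        # A user or a downloader drops a new binary into the allowed folder.
        dropped = os.path.join(progs, "setup.exe")
        with open(dropped, "wb") as f:
            f.write(b"MZ unauthorised installer (constructed sample)")

        results = {
            "folder_allows_legit": folder_policy(legit, [progs]),
            "folder_allows_dropped": folder_policy(dropped, [progs]),
            "hash_allows_legit": hash_policy(legit, allowed_hashes),
            "hash_allows_dropped": hash_policy(dropped, allowed_hashes),
        }

        # The enrolled binary is later overwritten (trojanised) in place:
        # same path, same folder, different content.
        with open(legit, "wb") as f:
            f.write(b"MZ trojanised editor (constructed sample)")
        results["folder_allows_trojanised"] = folder_policy(legit, [progs])
        results["hash_allows_trojanised"] = hash_policy(legit, allowed_hashes)
        return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'RUN' if allowed else 'BLOCK'}")
```

The folder policy lets both the dropped installer and the trojanised editor run, because it only looks at where a file lives; the per-executable policy blocks both, at the cost of having to re-enrol a program after every legitimate update.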
Personal HIPS: the Mini FAQ
-What is the best HIPS?
It is very difficult to give a definitive answer to this kind of question (best antivirus, best firewall, etc.).
The best HIPS is the one that works well for you according to your own criteria.
Some tests are available on this blog and show examples of what HIPS can do.
There is no "best" HIPS as long as none of them provides 100% security.
And since 100% security does not exist, that HIPS (personal or corporate) has not been born yet.
-How can I test them in order to choose the most effective one?
Testing a HIPS is more difficult than testing a scanner.
Since personal HIPS are meant to prevent malware rather than network attacks, two methods can be distinguished:
1. Compile a huge malware corpus (150,000 samples, for instance) and submit each sample to the HIPS.
This method looks interesting, but it is not really practical (it could take months and months)...
2. Expose the HIPS to examples of malware behaviour and see how it reacts.
The more exhaustive the list of behaviours, the more exhaustive the test.
This method is not perfect, but it is more advisable and easier to apply.
For more information, a Google/Yahoo search and a look at forums such as Wilders and Castlecops can help.
-I have never used "behavioural blockers". Which product should I choose for a first approach to HIPS?
-for training before that first approach: Winsonar and WinPatrol (free);
-for the first approach itself: Online Armor and PrevX, for instance.
-I don't like being disturbed by pop-up alerts because I am just an ordinary user with no particular knowledge of security threats. Which product can provide a high level of security with a minimum of user interaction?
A white-list-based HIPS, with or without sandbox technology.
-Which HIPS should I choose for a family computer used by children and friends (of different ages, levels of knowledge, browsing habits and so on)?
-if the administrator wants to apply restrictions (no downloads or software installation, for instance): a pure white-list HIPS;
-if the administrator allows users more freedom: Geswall, DefenseWall, V-Elite.
-I am an advanced user and I need a product for applying advanced rules and system restrictions.
Which HIPS is recommended?
Neoava, Parador, SoftClan (Integrity2/SecuritySuite), System Safety Monitor, Viguard.
-Some HIPS are available as freeware. Why should I open my wallet for a paid one?
Releasing software for free is a very nice and appreciated effort.
But support for freeware is very limited.
With paid software there is support, and often a forum where you can ask questions, solve your configuration problems, share your experience, etc.
-What is a fair price for a personal HIPS?
It depends on the publisher's marketing strategy: some products require more research and development, or more employees, than others, and in that case can be quite expensive.
And some publishers expect their marketing and advertising strategies to hook some unaware users...
An acceptable price is between 30 and 40 dollars.
Over 50 dollars, the product can really be considered expensive, even if it is sophisticated (at that point, the user can find professional HIPS for around 100 dollars, such as Threat Sentry).
-Can I combine two HIPS in addition to my firewall and scanner?
It is always possible to combine two HIPS, and in some cases it is a good idea.
But it is best to avoid combining two similar products (listed in the same category): that is often a source of conflicts and incompatibilities.
For instance, there is no point combining ProcessGuard with AppDefend, or AntiHook with Safe'n'Sec, because they operate in the same way.
It is more sensible to combine an anomaly-detection HIPS with a white-list HIPS.
Example for an ordinary user who often banks online and has eBay and PayPal accounts:
Online Armor + GesWall, DefenseWall or AntiExecutable.
-I have heard that buffer overflows are a dangerous attack. Do I need to choose a HIPS that prevents B.O. exploits?
Buffer overflows are considered the Ebola of exploits, and there is currently no complete solution to prevent them.
But it is important to note that these attacks target corporate environments more than home users.
Statistically, a home user is far more likely to fall victim to spyware or a phishing attack (web spoofing) than to a buffer overflow attack.
Only two personal HIPS claim to offer buffer overflow protection (PrevX and Ossurance Desktop), and that protection should be considered very limited.
Consequently, buffer overflow protection should not be an important criterion in the choice.
-I have noticed that there are HIPS with firewall features. Can I use this kind of HIPS alone, as an alternative to my firewall?
CoreForce, Safe'n'Sec, AppDefend (Suite), Viguard Pro and Parador Security integrate firewall functions.
This evolution of these products is driven more by marketing strategy than by any dire necessity.
We can also notice that, on the other side, some firewalls (Outpost, Tiny, Kerio for instance) integrate HIPS functions (application integrity control...).
Generally, it is better to have a product designed to do "one thing, but very well" than "plenty of things moderately".
So it is recommended to use your firewall as a firewall and your HIPS as a HIPS: no substituting one for the other.
-I have heard that some personal HIPS are very intrusive and send out my IP address and private information. Should I worry about that?
Some products really are intrusive.
This is the case for Buffer Zone, PrevX and, to a lesser degree, CyberHawk.
But publishers have no interest in privacy violations.
Sony did it with its rootkit-like copy protection, and that event had a really bad effect on its public image.
Just consider that some publishers try to involve users in a community where they can share information about suspect files, bugs, incidents and so on.
As for the IP address, this is not a problem: each time you update a piece of software (antivirus, Windows, etc.), the publisher can obtain your IP address anyway.
But if there is any doubt about privacy violations, it is worth analysing what kind of information is sent.
With a protocol analyser or a good sniffer, it is possible to see whether private information (the user's name and so on) is sent or not.
Ethereal (since renamed Wireshark) is a very good open source protocol analyser; it is also possible to use trial versions of some professional products such as Etherdetect or Network Packet Analyzer.
If you are not familiar with sniffers, you can try SmartSniff (easier to use).
As a last resort, you can contact privacy rights foundations such as the EFF (eff.org).
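As an added example of the check described above (written for this page, not taken from the original post or from any of the products named): given the bytes of connections captured with a sniffer, search them for the local user name and machine name. The search also covers URL-encoded and base64-encoded occurrences, because a client that reports file paths or telemetry does not always send identifiers as plain text. The captured requests, host names and identifiers below are constructed for the demonstration and do not describe what any named product actually sends. Only cleartext traffic can be inspected this way.

```python
"""Search sniffed payloads for local identifiers (added example, constructed data).

CAPTURED stands in for the raw bytes of TCP streams saved from a sniffer; none of
it is real traffic, and the host names are example.com placeholders.
"""
import base64
import re
import urllib.parse

# Constructed "captured" requests from a hypothetical security product.
CAPTURED = [
    # Update check: only the product name and version, no identity.
    b"GET /update?product=hips&ver=2.1 HTTP/1.1\r\nHost: updates.example.com\r\n\r\n",
    # Suspect-file report: the full path carries the Windows user name, URL-encoded.
    b"POST /report HTTP/1.1\r\nHost: community.example.com\r\n\r\n"
    b"file=C%3A%5CDocuments+and+Settings%5Cjdoe%5Cvirus.exe&hash=ab12",
    # Telemetry: machine name and user name, base64-encoded in the body.
    b"POST /telemetry HTTP/1.1\r\nHost: stats.example.com\r\n\r\n"
    + base64.b64encode(b"host=HOME-PC;user=jdoe"),
]

# Constructed: the local user name and machine name of the inspected PC.
LOCAL_IDENTIFIERS = ["jdoe", "HOME-PC"]


def candidate_texts(payload):
    """Yield the payload as text, URL-decoded, and with base64 tokens decoded."""
    text = payload.decode("latin-1")  # never fails; keeps every byte
    yield text
    yield urllib.parse.unquote_plus(text)
    # Long runs of base64 alphabet characters are candidates for an encoded field.
    for token in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 (e.g. a URL path fragment)
        if decoded.isprintable():  # ignore decodes that are clearly binary noise
            yield decoded


def find_leaks(payload, identifiers):
    """Return the identifiers that appear in any decoded view of the payload."""
    found = set()
    for text in candidate_texts(payload):
        low = text.lower()
        for ident in identifiers:
            if ident.lower() in low:
                found.add(ident)
    return sorted(found)


def audit(captured=CAPTURED, identifiers=LOCAL_IDENTIFIERS):
    """Per captured request, the list of local identifiers it leaks."""
    return [find_leaks(p, identifiers) for p in captured]


if __name__ == "__main__":
    for payload, leaks in zip(CAPTURED, audit()):
        first_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
        print(f"{first_line}: {'leaks ' + ', '.join(leaks) if leaks else 'clean'}")
```

In practice, save the bytes of each followed TCP stream from the sniffer, read them as `payload`, and extend `LOCAL_IDENTIFIERS` with anything you consider private (full name, e-mail address, serial number). A clean result only proves that those strings were not sent in cleartext during the capture, not that nothing private ever leaves the machine.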
(.........)
For any other question, post it on a forum such as Wilders, Castlecops or Dslreports.
by Kareldjag
published in:
LINE DEFENSE