AN OVERVIEW OF PERSONAL DESKTOP/HOST IPS 2

Published by Kareldjag


Other similar products


These products monitor some areas of the system, such as the registry, in order to detect malware behaviour.
Most of them are not integrated into the core of the system (the kernel) and therefore do not operate at a low level: they cannot intercept system calls (the API) the way a kernel-mode HIPS does. Except for the specialised registry products (RegRun, RegDefend, Principal Antivirus) and Trust-no-Exe, their effectiveness is really limited compared with a comprehensive personal HIPS.
Most of them can be considered anti-spyware tools, and a few of them (Winsonar, WinPatrol or Autorun3) are an interesting choice for a first approach to, and training with, behavioural blockers.


Registry firewalls and blockers


-GRR: Greyware Registry Rearguard (Update 01/04)

-RegDefend

Update 01/04: RegDefend and AppDefend are now integrated into one product:

Ghost Security Suite (beta)


-RegFreeze

-RegRun

-Resplendence/Principal Antivirus

NB. Despite its name, this product is not an antivirus (marketing strategy).

-Mj Registry Watcher


(and so on)


Registry and process monitors

-Autorun3


-Arovax Shield

-GeekSuperhero

-Viruskeeper

-Winfortress (integrates a sandbox)

-WinPatrol (free and paid versions)

-Winsonar
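What the monitors in this list actually do is simple: snapshot the autorun locations, re-read them later, and alert on the difference. The script below is an added example of that logic and is not code from any of the products above. It parses two `reg export`-style snapshots (both constructed here, not taken from a real machine), reports added, changed and removed values under a small set of watched keys (an assumed subset of what a real monitor watches), and rates a change as HIGH when it touches an early-load value such as Userinit or Shell, or when the new command points into a temporary or per-user folder.

```python
import re
from typing import Dict, Tuple

# Keys most autorun monitors watch. Assumption: a small representative
# subset, not the full list a product such as Autorun3 or WinPatrol uses.
WATCHED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
# Values that load very early or at every logon: any change is high risk.
HIGH_RISK_VALUES = {"userinit", "shell"}
# Path fragments a legitimate autorun entry rarely points into.
SUSPICIOUS_PATH_MARKERS = ("\\temp\\", "\\local settings\\", "\\appdata\\", "\\recycler\\")

# Constructed snapshots in `reg export` format (what a monitor would store as
# its baseline and re-read on each check). Not taken from a real machine.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\av.exe\" /tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

CURRENT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\av.exe\" /tray"
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\drivers\\etc\\svc.exe"
'''

# "name"=data  or  @=data (the default value); the name may contain \" escapes.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Return {(key, value_name): raw_data} for every value under a watched key."""
    entries, key, pending = {}, None, ""
    watched = {k.lower() for k in WATCHED_KEYS}
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):          # hex:xx,xx,\ continuation line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.lower() not in watched:
            continue
        m = VALUE_LINE.match(line)
        if m:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            entries[(key, name)] = m.group(2)
    return entries


def reg_string(data: str) -> str:
    """Unescape a REG_SZ literal ("..." with \\ and \" escapes); other types are returned raw."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def is_suspicious(command: str) -> bool:
    low = command.lower()
    return any(marker in low for marker in SUSPICIOUS_PATH_MARKERS)


def diff_autoruns(baseline_text: str, current_text: str):
    """Return (added, removed, changed) dicts keyed by (key, value_name)."""
    before, after = parse_reg_export(baseline_text), parse_reg_export(current_text)
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed


def report(baseline_text: str, current_text: str):
    """List (severity, key, value_name, detail) for every change between two snapshots."""
    added, removed, changed = diff_autoruns(baseline_text, current_text)
    findings = []
    for (key, name), data in sorted(added.items()):
        sev = "HIGH" if is_suspicious(reg_string(data)) else "MEDIUM"
        findings.append((sev, key, name, "added: " + reg_string(data)))
    for (key, name), (old, new) in sorted(changed.items()):
        sev = "HIGH" if name.lower() in HIGH_RISK_VALUES or is_suspicious(reg_string(new)) else "MEDIUM"
        findings.append((sev, key, name, "changed: %s -> %s" % (reg_string(old), reg_string(new))))
    for (key, name), data in sorted(removed.items()):
        findings.append(("LOW", key, name, "removed: " + reg_string(data)))
    return findings


if __name__ == "__main__":
    for sev, key, name, detail in report(BASELINE, CURRENT):
        print("[%s] %s\\%s  %s" % (sev, key, name, detail))
```

Run against the two constructed snapshots it reports two HIGH findings: a new "svchost" Run value pointing into the user's Temp folder, and a second executable appended to Userinit. A product of this class is only as good as the list of keys it watches and the speed of the re-check; a kernel-mode HIPS sees the write itself, which is the gap the paragraph above describes.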


Executable filters and application firewalls


-Foff

-ProcAlert

-SovietProtector (confirmation dialog box for every execution)

-Special Exe Password Protector

-Trust-no-Exe


NB 1. This product is interesting on a computer shared by several people (children, friends and so on): the administrator can restrict access to applications and prevent unauthorised installations.
The product runs as a service backed by a kernel driver, and is integrated into the Control Panel.
For a tight configuration, it is advisable to avoid the default configuration (an access list by folder) and to authorise executables one by one: a folder rule admits any executable that is later dropped into that folder, while a per-executable rule does not.
A free tool like ExeHound can help build that list.

NB 2. ExeLockdown is a paid product based on Trust-no-Exe, with two additional features: password protection and a search engine for executables.
If the administrator account is protected and other people can only log on as limited users, they have no access to the configuration anyway (the password is unnecessary); and if ExeHound is used as the search engine for executables, we end up with the same features as ExeLockdown.

29.95 $! Isn't that the price of cupidity?



-Winblox

-WinPooch
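The per-executable versus per-folder point in NB 1 above is worth seeing in working code. The script below is an added example written for this page; it is not Trust-no-Exe's code or its configuration format, and the "disk", executables and hashes are constructed for the demonstration. It evaluates the same execution requests under three policies: a naive folder prefix test, a folder test on canonicalised paths, and a per-executable SHA-256 allow list built at configuration time.

```python
import hashlib
import ntpath

# Constructed "disk": path -> file bytes, standing in for reading the binary.
# Not real executables; the "MZ" prefix only mimics a PE header.
DISK = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe": b"MZ...firefox build 1",
    r"C:\WINDOWS\system32\notepad.exe": b"MZ...notepad",
}
# Executables the administrator trusted at configuration time.
TRUSTED_AT_SETUP = list(DISK)
# Folder-based rules, the default style the note advises against.
ALLOWED_FOLDERS = (r"C:\Program Files", r"C:\WINDOWS")


def canonical(path: str) -> str:
    """Windows paths compare case-insensitively; normpath folds '..' and '/'."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def naive_folder_decision(path: str, folders=ALLOWED_FOLDERS) -> bool:
    """A plain prefix test: fooled by '..' and by 'C:\\Program Files2'."""
    return any(path.lower().startswith(f.lower()) for f in folders)


def folder_decision(path: str, folders=ALLOWED_FOLDERS) -> bool:
    """Allow if the canonical path lies below an allowed folder. The separator is
    part of the prefix so that 'C:\\Program Files2' does not match."""
    p = canonical(path)
    return any(p.startswith(canonical(f) + "\\") for f in folders)


def read_file(path: str):
    """Look the file up by canonical path; None if it does not exist."""
    target = canonical(path)
    for p, data in DISK.items():
        if canonical(p) == target:
            return data
    return None


def build_hash_allowlist(paths):
    """Record the SHA-256 of each trusted executable, keyed by canonical path."""
    return {canonical(p): hashlib.sha256(read_file(p)).hexdigest() for p in paths}


def hash_decision(path: str, allowlist) -> bool:
    """Allow only if the file is listed and still has the recorded hash."""
    expected = allowlist.get(canonical(path))
    data = read_file(path)
    if expected is None or data is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


def verdicts(path: str, allowlist):
    return {
        "naive_folder": naive_folder_decision(path),
        "folder": folder_decision(path),
        "hash": hash_decision(path, allowlist),
    }


def scenario():
    """Play out the note's argument. Returns {label: verdicts} for four requests."""
    allowlist = build_hash_allowlist(TRUSTED_AT_SETUP)
    results = {}
    firefox = r"C:\Program Files\Mozilla Firefox\firefox.exe"
    results["trusted firefox.exe"] = verdicts(firefox, allowlist)
    # 1. Malware drops a new executable into an allowed folder.
    dropped = r"C:\Program Files\Mozilla Firefox\setup.exe"
    DISK[dropped] = b"MZ...dropper"
    results["dropped setup.exe"] = verdicts(dropped, allowlist)
    # 2. Malware overwrites a trusted executable in place (same path, new bytes).
    notepad = r"C:\WINDOWS\system32\notepad.exe"
    DISK[notepad] = b"MZ...trojanised notepad"
    results["replaced notepad.exe"] = verdicts(notepad, allowlist)
    # 3. A path that starts under an allowed folder but resolves outside it.
    dodgy = r"C:\Program Files\..\Documents and Settings\user\Local Settings\Temp\invoice.exe"
    DISK[dodgy] = b"MZ...worm"
    results["traversal invoice.exe"] = verdicts(dodgy, allowlist)
    return results


if __name__ == "__main__":
    for label, v in scenario().items():
        print("%-24s naive folder=%-5s folder=%-5s hash=%s"
              % (label, v["naive_folder"], v["folder"], v["hash"]))
```

Both folder policies pass the dropped setup.exe and the trojanised notepad.exe, because they never look at the file; only the hash allow list refuses them. The naive prefix test additionally passes the `..` path and anything under `C:\Program Files2`, which is why a folder rule, if you must use one, has to be evaluated on canonical paths with the separator included. The cost of the per-executable list is maintenance: every legitimate update changes a hash, which is exactly the job a search tool like ExeHound makes bearable.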




Personal HIPS: the Mini FAQ



-What is the best HIPS?

It's very difficult to give a definitive answer to this kind of question (best antivirus, best firewall, etc.).
The best HIPS is the one that works well for you according to your own criteria.
Some tests are available on this blog and show examples of what HIPS can do.
There is no "best" HIPS as long as none of them provides 100% security.
And since 100% does not exist, that HIPS (personal or corporate) has yet to be born.

-How can I test them in order to choose the most effective one?

Testing HIPS is more difficult than testing scanners.
If we consider that personal HIPS prevent malware more than they prevent attacks, we can distinguish two methods:

1. compile a giant database of malware (150,000 samples, for instance) and submit each sample to the HIPS.
This method seems interesting but is not really practical (it could take months and months)...

2. submit the HIPS to examples of malware behaviour and see how it reacts.
The more exhaustive the list of behaviours, the more exhaustive the test.
This method is not perfect, but it seems more advisable and easier to apply.

For more information, it can be useful to do a Google/Yahoo search and to take a look at forums such as Wilders and CastleCops.

-I've never used "behavioural blockers". Which product should I choose for a first approach to HIPS?

-for training before this first approach: Winsonar and WinPatrol (free);

-for the first approach itself: Online Armor and PrevX, for instance.

-I don't like being disturbed by pop-up alerts because I'm just an ordinary user with no particular knowledge of security threats. Which product can provide a high level of security with a minimum of user interaction?

A whitelist-based HIPS, with or without sandbox technology.

-Which HIPS should I choose for a family computer used by children and friends (of different ages, levels of knowledge, kinds of surfing and so on)?

-if the administrator wants to apply restrictions (no downloads or software installation, for instance): a pure whitelist HIPS;

-if the administrator allows users more freedom: GesWall, DefenseWall, V-Elite.

-I'm an advanced user and I need a product for applying advanced rules and system restrictions.
Which HIPS is recommended?

Neoava, Parador, SoftClan (Integrity2/SecuritySuite), System Safety Monitor, Viguard.

-There are HIPS available as freeware. Why should I open my wallet for a paid one?

Releasing software for free is a very nice and appreciated effort.
But support is very limited for freeware.
With paid software there is support, and often a forum where you can ask questions, solve your configuration problems, share your experience, etc.

-What is a fair price for a personal HIPS?

It depends on the publisher's marketing strategy: some products require more research and development, or more employees, than others, and in that case can be quite expensive.
And some publishers expect their marketing and advertising to hook unaware users...
An acceptable price is between 30 and 40 dollars.
Over 50 dollars, the product can really be considered expensive, even if it is sophisticated (at that level, the user can find professional HIPS for 100 dollars, like ThreatSentry).

-Can I combine two HIPS in addition to my firewall and scanner?

It's always possible to combine two HIPS, and in some cases it is a good idea.
But it's recommended to avoid combining two similar products (listed in the same category): that is often a source of conflicts and incompatibilities.
For instance, there is no point in combining ProcessGuard with AppDefend, or AntiHook with Safe'n'Sec, because they operate in the same way (two products hooking the same system calls can also interfere with each other).
It's more appropriate to combine an anomaly-detection-based HIPS with a whitelist-based HIPS.
Example for an ordinary user who often banks online and has eBay and PayPal accounts:
Online Armor + GesWall, DefenseWall or AntiExecutable.

-I've heard that buffer overflows are a dangerous attack. Do I need to choose a HIPS that prevents B.O. exploits?

Buffer overflows are considered the Ebola of exploits, and there is currently no radical solution to prevent them.
But it's important to note that these attacks target corporate environments more than home users.
Statistically, a home user is much more likely to be victimised by spyware or a phishing attack (web spoofing) than by a buffer overflow attack.
Only two personal HIPS claim to offer buffer overflow protection (PrevX and Ossurance Desktop), but consider that this protection is very limited.
Consequently, buffer overflow protection should not be an important criterion for the choice.

-I've noticed that there are HIPS with firewall features. Can I use only this kind of HIPS as an alternative to my firewall?

CoreForce, Safe'n'Sec, AppDefend (Suite), Viguard Pro and Parador Security integrate firewall functions.
This evolution of these products is driven more by marketing strategies than by any dire necessity.
On the other side, we can also notice that some firewalls (Outpost, Tiny, Kerio for instance) integrate HIPS functions (application integrity control, etc.).
Generally, it's better to have a product designed to do "one thing, but very well" than "plenty of things, moderately".
So it's recommended to use your firewall as a firewall and your HIPS as a HIPS: no substituting the HIPS for the firewall, or vice versa.

-I've heard that some personal HIPS are very intrusive and communicate my IP address and private information. Should I worry about that?

Some products are really intrusive.
This is the case for BufferZone, PrevX and, to a lesser extent, CyberHawk.

But publishers have no interest in privacy violations.
Sony did it with its rootkit-like copy protection, and the affair really damaged its public image.
Just consider that some publishers try to involve users in a community where they share information about suspect files, bugs, incidents and so on.
As for the IP address, this is not a problem: each time you update a piece of software (antivirus, Windows, etc.), the publisher can see your IP.
But if there is any doubt about privacy violations, the right move is to analyse what kind of information is sent.
With a protocol analyser or a good sniffer, it's possible to know whether private information (the user's name and so on) is sent or not.
Ethereal is a very good open source protocol analyser; it's also possible to use trial versions of some professional products such as EtherDetect or Network Packet Analyzer.
If you're not familiar with sniffers, you can try SmartSniff (easier to use).
Keep in mind that a sniffer only shows what crosses the wire: if the product talks over an encrypted channel (HTTPS) you will see ciphertext, and a name sent in UTF-16 or base64 will not be found by a plain text search.
As a last resort, you can contact privacy rights organisations like EFF.org.
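Once the sniffer has given you the application-layer bytes of each connection, the remaining work is a search, and a plain text search misses the encodings Windows software commonly uses. The script below is an added example for this page, not code from the original post or from any product named above. The private values are placeholders you would replace with your own user name, machine name and e-mail address, and the three captured payloads are constructed to stand in for what Ethereal or SmartSniff would show; none of them come from a real product. It looks for each value in plain, base64, hex, URL-encoded and UTF-16LE form.

```python
import base64
import binascii
import urllib.parse

# Placeholders standing in for the tester's own user name, machine name and
# e-mail address (assumption: these are the values you consider private).
PRIVATE = {
    "user": "Kareldjag",
    "host": "HOME-PC",
    "email": "kd@example.net",
}

# Constructed payloads, as a sniffer would show the application-layer data of
# three connections made by a product. Not captured from any real product.
CAPTURED = [
    b"GET /update?v=1.0&id=3f9a HTTP/1.1\r\nHost: updates.example-hips.invalid\r\n\r\n",
    # user name base64-encoded, machine name as a UTF-16LE wide string
    b"POST /feedback HTTP/1.1\r\n\r\nuser=S2FyZWxkamFn&machine=H\x00O\x00M\x00E\x00-\x00P\x00C\x00",
    # e-mail address URL-encoded ('@' becomes %40)
    b"POST /report HTTP/1.1\r\n\r\nemail=kd%40example.net&crash=1",
]


def encoded_forms(value: str):
    """The byte patterns a private value can take on the wire. Base64 is only
    matched when the value starts on a 3-byte boundary of the encoded field;
    the other two alignments would need the value re-encoded with 1 and 2
    bytes of prefix."""
    raw = value.encode()
    return {
        "plain": raw.lower(),                                    # compared against a lower-cased payload
        "base64": base64.b64encode(raw),
        "hex": binascii.hexlify(raw),                            # lower-case hex
        "urlencoded": urllib.parse.quote(value, safe="").encode(),
        "utf-16le": value.encode("utf-16-le"),                   # Windows wide strings
    }


def scan(payloads):
    """Return sorted (payload_index, field, encoding) for every private value found."""
    hits = set()
    for i, payload in enumerate(payloads):
        low = payload.lower()
        for field, value in PRIVATE.items():
            for enc, pattern in encoded_forms(value).items():
                # plain and hex are case-insensitive; the others are exact bytes
                haystack = low if enc in ("plain", "hex") else payload
                if pattern in haystack:
                    hits.add((i, field, enc))
    return sorted(hits)


def leaked_fields(payloads):
    """Which private fields appear anywhere in the capture, in any encoding."""
    return {field for _, field, _ in scan(payloads)}


if __name__ == "__main__":
    for index, field, enc in scan(CAPTURED):
        print("payload %d leaks %-5s as %s" % (index, field, enc))
```

On the constructed capture the update request is clean, while the feedback and report connections leak all three values, none of them as readable text. If the product uses HTTPS the sniffer will not show these payloads at all; you would then need an intercepting proxy whose certificate the product trusts, or to inspect the data before it is encrypted.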

(.........)

For any other question, post it on a forum like Wilders, CastleCops or DSLReports.




Published in LINE DEFENSE



Hazard 07/08/2007 23:53

Great reading. Thanks for posting this. There is another tool claiming buffer overrun protection. See below. Cheers.

---------
BOWall

BOWall is the solution implementing protection against buffer overflow attacks for Windows NT4/W2K/XP/2003. The protection is based on patching system DLLs by two methods.

1) Vulnerable functions monitoring

Patching exported strcpy, wstrcpy, strncpy, wstrncpy, strcat, wcscat, strncat, wstrncat, memcpy, memmove, sprintf, swprintf, scanf, wscanf, gets, getws, fgets, fgetws by adding the code which checks for local frame base pointer integrity.

2) Preventing execution of dynamic libraries functions from writable memory

Patching exported DLL functions by adding the code which checks the caller address. If the caller address belongs to data or stack, then program execution is blocked.

Both methods are implemented to detect buffer overflow or exploit activity; the buffer overflow itself is not prevented.

-----------