I've quite finished the methodology.
I've decided to take a real-life infection approach, which means more time spent searching for malware and less time for blogging...
In the first part of the methodology, self-protection is tested (process, service and driver), along with other malware behaviour patterns (DLL injection, etc.).
In the second part, we submit the HIPS to various situations (scenarios) and malware:
- physical access (keylogger installation in DOS mode, booting from CD-ROM or floppy disk),
- client/server-side attacks and infections (for example, a social engineering attack via e-mail with attached files, or URL obfuscation),
- malware: many trojans, backdoors, viruses, worms, keyloggers, rootkits (HxDef and Fu) and spyware.
Some of them are not detected by the majority of antivirus and scanner engines (even KAV); others are detected by only a few of them (like Ewido, which seems to have excellent detection of French and German malware).
I've also added two or three tests to distinguish HIPS abilities: some of them can prevent downloads (Anti-Executable) or detect any new file, such as DLLs (Zorro PC Protector).
Moreover, some tests have been included:
- to prove that no security software provides 100% security,
- to show that scanners like antivirus are still necessary in many cases (boot/MBR viruses).
Most of all, there will be no ratings or awards:
- each HIPS is different and uses its own technology,
- we can't prove that any given HIPS is the best,
- the goal is to show their abilities and to demonstrate that they're recommended in combination with a firewall and an antivirus,
- I don't wish to give any particular advantage in this business to a specific product or publisher: neutrality is a necessary rule of ethics.
There is a place in the market for all of them:
- because there are different levels of know-how (beginner, classical, intermediate or advanced users),
- each user needs to choose a product available in his native language: English is just one of these languages.
Currently, we're only three testers, and we hope that other users will join us: the more numerous we are, the sooner the results will be published.
It's often more interesting to do things than to read about them: it's always a good piece of experience.
As I've reached the size limits for image storage, the tests will be published on