Battle Anti-Executable vs. Behavior Blocker vs. HIPS vs. Anti-Exploit: BEST AGAINST 0-DAY Threats/Exploits

Status
Not open for further replies.

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
Alright. The title said it all. I am asking about the components mentioned above. Some of the abilities mentioned above are part of a security suite (for example, Emsisoft has Behavior Blocker, PrivateFirewall and OnlineArmor has HIPS). Well, I am not asking about the protection/capabilities of the entire security suite, but ONLY the said components above. Hence, I am asking the efficiency of the above components APART from the Antivirus/antimalware engines (and firewall), may it be signature/local-based or cloud based.

So, the best protection against 0-day and exploits? Pls elaborate. Also pls mention specific products... for there are many.

THANKS much.
 

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
All these components are very different from each other, hence they cannot take each other's place.
You can use a good HIPS like Comodo
instead of an anti-executable.
The best BBs are from Bitdefender, ESET and Kaspersky,
and for anti-exploit, Malwarebytes Anti-Exploit and HitmanPro.Alert.

If you are an advanced user you can use HIPS efficiently to block many zero-day exploits, but not all of them.
Thanks.

Here: http://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-39
It says that Malwarebytes Anti-Exploit blocks payloads right at the first layer, where HIPS and anti-executables could be bypassed and the system infected.
 
hjlbx

Virtual sandboxes protect, for the most part, the physical system from a permanent infection... so they are worthwhile.

An anti-executable (default-deny) is agnostic and will block all files - both Trusted and Untrusted.

A good AV protects the browser, an anti-executable prevents the launch of unknown files and malicious scripts, and a sandbox is good to evaluate an app.

If I were given only one choice to protect my system, that will offer good protection and usability for typical use, then it would be a behavior blocker - specifically Emsi's behavior blocker.
 
rocky

I can't answer this with a lot of confidence without the sandbox as an option. If sandbox was an option then one product would come to the top and give you all of them, in my opinion. So using what options you set I would go anti-executable (VoodooShield) and I still wouldn't add the antivirus.
 

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
I can't answer this with a lot of confidence without the sandbox as an option. If sandbox was an option then one product would come to the top and give you all of them, in my opinion. So using what options you set I would go anti-executable (VoodooShield) and I still wouldn't add the antivirus.
Well do you mean to say that without Sandboxie, you will put VoodooShield on top?

Can Sandboxie prevent 'infected' sessions? Like for example, with ShadowDefender, it can 'undo' infections, but it can NOT prevent infection. (I mean preventing an infected session where data could be stolen)

My question here is not about virtualization or sandboxing, but preventing infection.
 
ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
Virtual sandboxes protect, for the most part, the physical system from a permanent infection... so they are worthwhile.

An anti-executable (default-deny) is agnostic and will block all files - both Trusted and Untrusted.

A good AV protects the browser, an anti-executable prevents the launch of unknown files and malicious scripts, and a sandbox is good to evaluate an app.

If I were given only one choice to protect my system, that will offer good protection and usability for typical use, then it would be a behavior blocker - specifically Emsi's behavior blocker.
I am not asking about virtualization or sandboxing, because an infected session would also mean stealing data (am I right in this?); virtualization (like ShadowDefender) only 'undoes' infection, but stolen data is already stolen.
 

nsm0220

Level 21
Verified
Sep 9, 2013
1,054
Well do you mean to say that without Sandboxie, you will put VoodooShield on top?

Can Sandboxie prevent 'infected' sessions? Like for example, with ShadowDefender, it can 'undo' infections, but it can NOT prevent infection. (I mean preventing an infected session where data could be stolen)

My question here is not about virtualization or sandboxing, but preventing infection.
Yes, in a web browser, as long as you don't put your personal info in the browser that you sandboxed; and as for files in the sandbox, just make sure you hit 'run file in sandbox' before opening it and you should be fine.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
I am not asking about virtualization or sandboxing, because an infected session would also mean stealing data (am I right in this?); virtualization (like ShadowDefender) only 'undoes' infection, but stolen data is already stolen.

Yes and no. For something like Shadow Defender you are entirely correct. SD is what is termed a Reactive security product (restoring your system after it has been active). Although products of this type will get your system back to a previous state, as you surmise it won't stop any active malware from stealing and transmitting data. To use a barnyard parallel, it's like locking the coop after the chickens have got out (assuming a coop has a lock).

A Proactive approach is more effective as well as being current. Remember that any malware that attempts to steal whatever data MUST have two separate components: one to do the stealing locally (i.e. on your computer) AND a mechanism to send this data out to the Blackhat server. The new wave of Enterprise security solutions which rely on Sandboxing technology will also have an adjunct module that will prohibit any sandboxed file from accessing the network in any way. The theory here is that there is no harm in someone attempting to rob your Safe if by doing so they will be forever locked inside of it.
 

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
Yes and no. For something like Shadow Defender you are entirely correct. SD is what is termed a Reactive security product (restoring your system after it has been active). Although products of this type will get your system back to a previous state, as you surmise it won't stop any active malware from stealing and transmitting data. To use a barnyard parallel, it's like locking the coop after the chickens have got out (assuming a coop has a lock).

A Proactive approach is more effective as well as being current. Remember that any malware that attempts to steal whatever data MUST have two separate components: one to do the stealing locally (i.e. on your computer) AND a mechanism to send this data out to the Blackhat server. The new wave of Enterprise security solutions which rely on Sandboxing technology will also have an adjunct module that will prohibit any sandboxed file from accessing the network in any way. The theory here is that there is no harm in someone attempting to rob your Safe if by doing so they will be forever locked inside of it.
Ok, let me ask, so Sandboxie is capable now of locking in your data so it won't be sent to the servers?
 
hjlbx

I am not asking about virtualization, or sandboxing, because an infected session would also mean stealing data (am i right in this?), virtualization (like ShadowDefender) only 'undo' infection, but a stolen data is already stolen.

Virtualization protects only the physical system; it does not protect data.

An anti-executable will be the best solution, but you still need to protect the browser and system data just in case the anti-executable fails.

Anti-executables are rock-solid, but it is human error that leads to an infection - e.g. forgetting to turn AE back on after disabling it.

Ok, let me ask, so Sandboxie is capable now of locking in your data so it won't be sent to the servers?

Sandboxie does not protect data. No virtualization protects data. Although, you can set Sandboxie to only allow apps run sandboxed to have a low restricted access to resources.

One of the best ways to protect data is outbound notifications from firewall. Plus, if you use an AV product that protects personal data.

The best protection on the local system is a default-deny posture while using an armored browser and a good AV. That can be achieved with an anti-executable and Quarri MyPOQ along with ESET NOD32.
 

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
Virtualization protects only the physical system; it does not protect data.

An anti-executable will be the best solution, but you still need to protect the browser and system data just in case the anti-executable fails.

Anti-executables are rock-solid, but it is human error that leads to an infection - e.g. forgetting to turn AE back on after disabling it.
Sandboxie does not protect data. No virtualization protects data. Although, you can set Sandboxie to only allow apps run sandboxed to have a low restricted access to resources.

One of the best ways to protect data is outbound notifications from firewall. Plus, if you use an AV product that protects personal data.

The best protection on the local system is a default-deny posture while using an armored browser and a good AV. That can be achieved with an anti-executable and Quarri MyPOQ along with ESET NOD32.
Thanks so much! Now I understand better. Okay, researching Quarri now...

A question: I heard from others some time ago that HIPS covered many more processes than an anti-executable. Is that correct? Or do anti-executables cover them all?
 

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
Virtualization protects only the physical system; it does not protect data.

An anti-executable will be the best solution, but you still need to protect the browser and system data just in case the anti-executable fails.

Anti-executables are rock-solid, but it is human error that leads to an infection - e.g. forgetting to turn AE back on after disabling it.
Sandboxie does not protect data. No virtualization protects data. Although, you can set Sandboxie to only allow apps run sandboxed to have a low restricted access to resources.

One of the best ways to protect data is outbound notifications from firewall. Plus, if you use an AV product that protects personal data.

The best protection on the local system is a default-deny posture while using an armored browser and a good AV. That can be achieved with an anti-executable and Quarri MyPOQ along with ESET NOD32.
I am on Quarri website... where is the download? Do I have to download it?
 
hjlbx

Thanks so much! Now I understand better. Okay, researching Quarri now...

A question: I heard from others some time ago that HIPS covered many more processes than an anti-executable. Is that correct? Or do anti-executables cover them all?

Classical HIPS in full interactive mode will alert for all software actions - good, bad or unknown. Although, in that case you will spend all of your time responding to alerts. HIPS is slowly, but surely, falling out-of-favor because it can be so user dependent and require too much interaction.

Anti-executables are much more manageable in my opinion - they block everything that is not white-listed.

But they do not protect against everything - such as a software vulnerability exploit. MBAE is good, but if you use Quarri MyPOQ only for financial transactions, then you only need MBAE during normal use of your browser.

When it comes to IT there are so many security holes it is an exercise in futility to try to catch every single one - that is the ones that are known - and does not even consider all the undiscovered vulnerabilities.
 
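To make the distinction in this post concrete, here is an added illustration (not from the thread, and not the code of any product named in it): a constructed Python model of the three policy styles compared here, run over a made-up event stream in which an allowlisted browser is later driven by an exploit payload. The allowlist hashes, actions and event log are all constructed.

```python
# Constructed model of three policy layers discussed in the thread:
# anti-executable (default-deny on launch), classical HIPS (alert on every
# sensitive action) and behavior blocker (block a suspicious sequence).
from collections import defaultdict

ALLOWLIST = {"sha256:browser-allowed", "sha256:office-allowed"}  # constructed
SENSITIVE = {"write_autorun", "connect_out", "read_credentials"}
BB_SEQUENCE = ("read_credentials", "connect_out")  # steal locally, then exfiltrate


def anti_executable(events):
    """Default-deny: block any launch whose hash is not on the allowlist.
    Actions taken later by an allowed process are never inspected."""
    return [e["pid"] for e in events
            if e["action"] == "launch" and e["hash"] not in ALLOWLIST]


def hips(events):
    """Classical HIPS in interactive mode: one alert per sensitive action,
    regardless of whether the acting process is trusted."""
    return [(e["pid"], e["action"]) for e in events if e["action"] in SENSITIVE]


def behavior_blocker(events):
    """Block a process only once it has read credentials and then connects
    out, i.e. the two-component pattern of data-stealing malware."""
    history = defaultdict(list)
    blocked = []
    for e in events:
        acts = history[e["pid"]]
        if (e["action"] == BB_SEQUENCE[1] and BB_SEQUENCE[0] in acts
                and e["pid"] not in blocked):
            blocked.append(e["pid"])
        acts.append(e["action"])
    return blocked


# Constructed event stream: pid 1 is the allowlisted browser, later hijacked by
# an exploit payload running inside it; pid 2 is an unknown downloaded file.
EVENTS = [
    {"pid": 1, "action": "launch", "hash": "sha256:browser-allowed"},
    {"pid": 2, "action": "launch", "hash": "sha256:unknown-download"},
    {"pid": 1, "action": "connect_out", "hash": None},       # normal browsing
    {"pid": 1, "action": "read_credentials", "hash": None},  # payload inside browser
    {"pid": 1, "action": "connect_out", "hash": None},       # exfiltration attempt
]

if __name__ == "__main__":
    print("AE blocked launches:", anti_executable(EVENTS))  # [2]: pid 1 passes
    print("HIPS alerts:", hips(EVENTS))                      # three prompts to answer
    print("BB blocked:", behavior_blocker(EVENTS))           # [1]: caught on the sequence
```

The anti-executable stops the unknown file but is blind to the payload inside the allowed browser; the HIPS sees everything at the cost of a prompt per action; the behavior blocker acts only once the steal-then-send pattern completes.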

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
HIPS and BB can both be blended together, like Comodo Internet Security with auto-sandbox for unsure programs, which can run isolated depending on the category of probably malicious actions, but it really needs user knowledge to understand it since everything is based on the defined ruleset.

Perhaps a better optimization concept is virtualization, anti-executable and BB (with cloud protection like Emsisoft Anti-Malware Network), as we need to make it as easily identified and straight to the point as possible.
 