How are BBs different from HIPS?

XhenEd

HIPS:
Alert (block by default) all the way, unless instructed otherwise.
This is basically asking for credentials from any stranger wanting to get into a secured facility. For every door, ask for credentials.

BB:
Allow by default (except those pre-defined actions to be blocked at first or second instance), and wait for the launched program to meet the threshold of maliciousness. If it does, block it.
This is basically allowing the stranger to roam around the secured facility while being monitored by CCTV or some other monitoring device that looks for patterns of malicious intent.

AtlBo

All in all, a HIPS will protect specific areas from access/modification (such as preventing AutoRun modifications, hosts file modifications, web browser home-page modifications, and things like this), whereas a BB will be monitoring for activity which shows a more clear identification of malicious software (e.g. attempting to patch a system file, attempting to drop an executable into the Windows folder, attempting to launch a fake copy of explorer.exe to trick the user, attempting to allocate memory/write memory/create a remote thread in an innocent process for DLL injection, etc.).

The definition between the two really depends on your own personal opinion on how they work and what product you're thinking of which includes the protection mechanisms when writing the definition, since many vendors approach it differently - if you use an Emsisoft product then chances are you'll think of a Behavior Blocker as a mix of monitoring for malicious behavior (BB) while protecting against modifications to specific areas (HIPS) combined with the alerts, whereas if you use a product like GData then you'll just be used to malicious behavior being identified and the threat being handled appropriately.

TerrakionSmash seems to have guided this discussion to an interesting place. Very good commentary and questions and thanks to all. Great and helpful comments in your entire post 38 Wave (and others), and I agree.

Based on your experiences, which are broader and no doubt more focused than mine, it does appear to me that developers are defining for themselves what HIPs and BB are on a developer-by-developer basis. Sorry, to speak like a mouse, this concerns me that we might not be able to speak to each other to describe protections if it is a continuing trend.

I would like to be clear about one thing if possible...I do not mean to proclaim that PrivateFirewall is a good HIPs program. Just wanted to make sure that can be understood from any comments I may make on PF. Jeff_T is quick to point out to users how inadequate the program is without being specific, and I feel this is a good service to users looking for answers. That said, its concept of rules per process was revealing to me of a "strict" set of rules that can be applied to every process. Take the smart out of HIPs concepts that we see in recent programs (Kas/Avast/AppCheck/Emsisoft etc.), and I feel you actually have HIPs as it has been known up until now. That said, what we see in PF (yes antiquated and basically useless), IS a set of HIPs rules. OK this isn't even remotely similar to any sort of standard set of rules as I think I would define them in the ideal sense (not even close). So what are the standard rules or what should they be? Is there a way to explain them so that everyone could say, "here are the HIPs rules"? Personally, I think I would say I think so, but I would like to know what they are or should be if no one has accurately chronicled a respectable list of them. Logically it would seem, this kind of list should lead to good communication on security and better protection. This is why I would like to see someone start with the concept of HIPs with the intention of redefining (for me defining) the rules.

READ ONLY IF EXTREMELY BORED OR INTO THIS TOPIC (not saying it makes sense I promise :) ):

For an antiquated look at HIPs (and for those who may not have seen them), here is PF's answer to HIPs rules:

[Image: Private Firewall HIPs.jpg]

Well, to examine this list, "Copy screen content" sounds good, along with "Read Keyboard State (protect against this)", until one realizes that this might normally not be a problem with an application (and could be allowed), but then might in a specific set of circumstances be one (i.e. a certain MS Office file might cause a problem if I blanket allow). By the time all of these PF HIPs rules are analyzed, there is almost nothing left of any of them, except that they buy the user time to think. We can't forget, though, that every approved alert allows changes. By the time a user decides to terminate an executable from an alert, damage may have already occurred. This I feel cannot be overlooked with HIPs.

Some of the PF rules could be useful as a general setting in any state I suppose, such as the "Debug processes" rule (monitor for such), which can be a danger, or "Physical memory operations". Others would be good, but there is no way to apply the rule to a specific action of an executable. These rules simply lead to too many prompts. A program ultimately either is allowed to perform an action for everything associated with a rule or else for nothing. For nothing usually should mean to a user terminate the process and uninstall the program, because it isn't going to work anyway. Of course it doesn't mean this to them, so they get into the routine of barging through the rules to get what they want. Who can blame them with a list like this? Yes, it might give them pause sometimes. Not likely very often though.

So why discuss antiquated PF rules? Weeell, for me, I guess because very similar rules are still around, even in good programs like Comodo. I think ESET has a similar type of HIPs available (though maybe it's the paranoid setting?) also. Not sure about this. Clearly, no one has ever defined HIPs as they should be defined. I think we can say this for certain. Or at least if they have been defined, I haven't seen the definition (list).

So next I get to smart HIPs as only a theory. I am thinking more of a describable conflagration of monitored activities that add up to possible danger->HIPs rule. Wave described this very well. But can we actually harden a list of these for users and make them real (or can developers) for users to understand? I think so...honestly I really do. I would love to see this. They would have to fit into the overall scheme of protection somehow, though.

At any rate, maybe using the terminology "smart HIPs" could lead to an open door to a new set of rules that could be considered standard. Seriously, I would like a set of rules that could be applied similarly to PF's rules. OK, maybe some exclusions would be in order or some location inclusion/exclusion choices or exceptions of some kind, but what would this kind of list look like? I promise, I am CHOMPING to get into this topic after 4-5 years of NO Trusted Publishers and all rules set to generate a pop up from Private Firewall.

BTW, I think we are seeing "smart HIPs" already in security applications. Maybe some of these for a list could be picked from specific apps that already exist. Endeavoring to redefine HIPs, however, I suspect would require a tremendous amount of creativity and focused energy when actually seeking to complete this type of list. Also, building a list of this sort would ultimately be focused by the concept of "protection". This means a new set of HIPs rules should be derived with this goal in mind.

When I fully break this down, I think I end up with the idea that HIPs monitoring and HIPs alerts should be two different things. Maybe it's really "smart alerts" that would be what I would like to see. Well, avast seems headed down this road with its analyzer that pops up for sketchy software. I just want to define what the HIPs rules are->be they used for monitoring or for alerts. I don't care which. Just want to be able to talk about them and know what's happening underneath.
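To make the two policies sketched in this thread concrete (XhenEd's "alert all the way" versus "allow by default, block at first or second instance, otherwise wait for a threshold", with the behaviours AtlBo lists as signals), here is an added toy model; it is not code from the thread or from any product named in it, and every event name, weight, threshold and sample trace is constructed for illustration.

```python
# Added illustration, not code from the thread or from any product named in it.
# Toy model of the two policies: a HIPS prompts/blocks on every protected action;
# a behaviour blocker (BB) allows by default, blocks a few actions on sight, and
# otherwise accumulates a score until a threshold is crossed.
# Event names, weights, thresholds and the sample traces are all constructed.
from dataclasses import dataclass
from typing import Optional

# Areas a classic HIPS guards (drawn from the thread's examples).
HIPS_PROTECTED = {"modify_autorun", "modify_hosts", "modify_browser_homepage",
                  "patch_system_file", "drop_exe_in_windows_dir",
                  "open_remote_process", "write_remote_memory",
                  "create_remote_thread"}

# BB weights (constructed): weak signals on their own, telling in combination.
BB_WEIGHTS = {"patch_system_file": 4, "drop_exe_in_windows_dir": 3,
              "open_remote_process": 1, "write_remote_memory": 2,
              "create_remote_thread": 3, "modify_browser_homepage": 1,
              "copy_screen_content": 1, "read_keyboard_state": 1}
BB_THRESHOLD = 6
# "Blocked at first or second instance" regardless of score.
BB_BLOCK_ON_SIGHT = {"launch_fake_explorer": 1, "modify_hosts": 2}

@dataclass
class Verdict:
    policy: str
    blocked_at: Optional[int]  # index of the event that triggered the block
    allowed_before_block: int  # actions that already ran before the block
    score: int

def hips(events):
    """Default-deny: the first protected action is alerted on and blocked."""
    for i, ev in enumerate(events):
        if ev in HIPS_PROTECTED:
            return Verdict("HIPS", i, i, 0)
    return Verdict("HIPS", None, len(events), 0)

def behavior_blocker(events, threshold=BB_THRESHOLD):
    """Default-allow: watch the run, block once the pattern looks malicious."""
    score, seen = 0, {}
    for i, ev in enumerate(events):
        seen[ev] = seen.get(ev, 0) + 1
        if seen[ev] >= BB_BLOCK_ON_SIGHT.get(ev, float("inf")):
            return Verdict("BB", i, i, score)
        score += BB_WEIGHTS.get(ev, 0)
        if score >= threshold:
            return Verdict("BB", i, i, score)
    return Verdict("BB", None, len(events), score)

# Constructed traces: a DLL-injection style sequence and a benign installer.
INJECTOR = ["read_keyboard_state", "open_remote_process", "write_remote_memory",
            "create_remote_thread", "patch_system_file"]
INSTALLER = ["copy_screen_content", "read_keyboard_state", "modify_browser_homepage"]
```

Running both policies over the two traces shows the trade-off the posts describe: the HIPS prompts on the installer's home-page change and stops the injector at its very first protected call, while the BB lets the installer finish but only stops the injector after three of its actions have already run.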

shmu26

Security geeks have developed a language of their own, with terms such as HIPS, BB, anti-exe, etc. -- all these terms are best learned from their context rather than from abstract definitions.
Just take a peek at the classic HIPS programs, such as COMODO and SpyShelter, and see what they do. That's "HIPS" in the security lingo.