- Nov 17, 2016
Are there any notable differences between the two aside from the scope of their protections?
How is HIPS a "dumb blocker"?

HIPS, even the more clever ones, are just dumb blockers following predefined rules and relying on user decisions.
I understand what you are saying better now, but that is the point in HIPS, because in some situations only the HIPS can protect the user as opposed to the BB based on sensible decisions. E.g. new driver installation (not actually deemed as "malicious" as it has genuine purposes, however if it's allowed then potentially game over), hosts file modification (also not deemed as "malicious" as it has genuine purposes, but blocking this can save you a lot of trouble), etc.

I have yet to see HIPS that's not annoying as hell or actually does anything other than just asking the user "dumb" questions like "Wanna allow that?". Which is why I'm so fascinated by behavior blockers. They are clever, aren't annoying and have superior protection in most cases.
It's a mixture of both, since it may ask for your consent to allow/block something which in itself is not actually "malicious" (but could potentially be abused for malicious intent), whereas other things it may alert about (e.g. ransomware identification) may indicate the program really is malicious due to the behavior being matched to something specific.

For sure 360's HIPS is BB in my opinion, also. The logs kind of say so with File Protection, Behavior Blocking, Downloaded Files protection, and Web Threat protection logs. No mention of HIPS there, although I guess there may be HIPS elements that contribute to the block events at times. If so, the logs don't indicate so.
No, it hasn't detected malware, it's identified suspicious behaviour which makes it question the intent of the program (e.g. whether it is malicious or not) - this is even stated on the alert.

comodo (hips) malware detected
It probably is genuinely malicious, and based on the file-name I am assuming he got it from an external source providing packs of malware (or a list of downloadable samples), maybe VirusSign (since such services make sure the file-name is something like a checksum hash of the file)? (@aliali can you confirm?)

I was going with the assumption (never a good idea for me!) that aliali had determined on his own that it actually was malware or knew, as in a malware sample.
Seeing as that first prompt, the one for the initial execution, is the crucial one, what would you say are the vulnerable processes that a user should not be seeing under normal circumstances?

The inherent problem with classical HIPS is that it will generate essentially the same type of alerts for both safe, legitimate files and malicious ones. The user then has to make all the decisions to Allow, Block (what type of block), and whether or not to create permanent rules based upon what they know about the file. Most users cannot differentiate between a safe and malicious file's actions from within the HIPS alerts themselves.
How to handle a file with HIPS begins with a pre-execution file inspection - where was it downloaded from? Is it digitally signed? Is the certificate a valid one? Is it detected on VirusTotal? etc. Even then, every single file check can fail a user - from novice to those with heavy experience. Plus, it is considered way too much work and the vast majority of users will not perform a pre-execution inspection. Since most people will not bother with the file checks, it is rather pointless for them to use HIPS because it isn't going to protect the system if the user makes the wrong decision and executes a dodgy file and doesn't use the HIPS conservatively or properly.
Even HIPS with "smart" policies will allow things that it shouldn't and the end result is an actively infected system. Behavior Blocker is triggered by specific actions - as opposed to generic "smart" policies.
The only important HIPS alert for most people is the very first file execution alert. At that point, the user must decide to Allow or Block.
If one is surfing the web, and all of a sudden they see a HIPS alert for p9af8hrpe915.wfs, the right thing to do is block. But it should not come as any surprise that a significant percentage of users will select allow all the way through the run sequence.
Classical HIPS is a very good tool for controlling the execution of Windows processes that can be used to smash the system. Only an experienced user is going to know that RegAsm.exe, vbc.exe, powershell.exe, etc. should or should not be executing under the specific circumstances of what they are doing on their system at the time of the alert.
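The distinction drawn across this thread, generic rule-based HIPS prompts that fire identically for a legitimate installer and for a malicious sample versus a behavior blocker that reacts on its own to one specific action pattern, can be made concrete with a small model. The code below is an added illustration, not code from the thread or from any of the products mentioned (Comodo, 360). The `Hips` class, the `BehaviorBlocker` class, the rule table, the `Event` type and both event traces are constructed for this example; the trace filename and the protected resources (driver directory, hosts file, RegAsm.exe/vbc.exe/powershell.exe launches) are the ones the posts above talk about, and the ransomware-style rename threshold is an arbitrary choice.

```python
"""Toy model of a classical HIPS next to a behavior blocker (constructed example).

- Hips: predefined rules over protected resources and sensitive process
  launches. Every hit is a prompt; the outcome is whatever the user answers,
  so a legitimate installer and a malicious sample get the same treatment.
- BehaviorBlocker: watches one specific action pattern (a burst of files
  renamed to a new extension by one process) and blocks without asking.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float        # seconds since process start (constructed timestamps)
    process: str    # image name of the acting process
    action: str     # "exec", "write" or "rename"
    target: str     # path written, "old -> new" for renames, or child image for exec


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


# Generic, predefined rules: (action, predicate on target, alert label).
HIPS_RULES = [
    ("write", lambda p: p.lower().endswith(r"\drivers\etc\hosts"), "hosts file modification"),
    ("write", lambda p: "\\system32\\drivers\\" in p.lower() and p.lower().endswith(".sys"), "driver installation"),
    ("exec", lambda p: _basename(p) in {"regasm.exe", "vbc.exe", "powershell.exe"}, "sensitive process launch"),
]


class Hips:
    """Prompts on every rule hit; `decide(alert_text) -> bool` stands in for the user's click."""

    def __init__(self, decide):
        self.decide = decide
        self.alerts = []

    def process(self, events):
        blocked = []
        for ev in events:
            for action, match, label in HIPS_RULES:
                if ev.action == action and match(ev.target):
                    alert = f"{ev.process}: {label} ({ev.target}) - allow?"
                    self.alerts.append(alert)
                    if not self.decide(alert):
                        blocked.append(ev)
                    break  # first matching rule wins
        return blocked


class BehaviorBlocker:
    """Blocks a process that renames >= threshold files to a new extension within `window` seconds."""

    def __init__(self, threshold=5, window=2.0):
        self.threshold = threshold
        self.window = window
        self.verdicts = {}

    def process(self, events):
        recent = defaultdict(deque)  # process -> timestamps of recent extension-changing renames
        for ev in events:
            if ev.action != "rename" or ev.process in self.verdicts:
                continue
            old, new = ev.target.split(" -> ")
            if old.rsplit(".", 1)[-1] == new.rsplit(".", 1)[-1]:
                continue  # extension unchanged: not the pattern we key on
            q = recent[ev.process]
            q.append(ev.t)
            while q and ev.t - q[0] > self.window:
                q.popleft()  # drop renames outside the sliding window
            if len(q) >= self.threshold:
                self.verdicts[ev.process] = "blocked: ransomware-like rename burst"
        return dict(self.verdicts)


# Constructed traces. setup.exe is a legitimate installer that drops a driver and
# runs PowerShell for post-install configuration; the second trace is the
# random-named sample from the thread, touching hosts and then encrypting documents.
INSTALLER = [
    Event(0.0, "setup.exe", "write", r"C:\Windows\System32\drivers\vendor.sys"),
    Event(0.5, "setup.exe", "exec", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]
SAMPLE = [Event(0.0, "p9af8hrpe915.wfs", "write", r"C:\Windows\System32\drivers\etc\hosts")] + [
    Event(0.1 * i, "p9af8hrpe915.wfs", "rename", rf"C:\Users\u\Docs\f{i}.docx -> C:\Users\u\Docs\f{i}.locked")
    for i in range(1, 9)
]


def compare(decide):
    """Run both engines over both traces for a given user policy; returns per-trace counts and verdicts."""
    results = {}
    for name, trace in (("installer", INSTALLER), ("sample", SAMPLE)):
        hips = Hips(decide)
        blocked = hips.process(trace)
        verdicts = BehaviorBlocker().process(trace)
        results[name] = {
            "hips_alerts": len(hips.alerts),
            "hips_blocked": len(blocked),
            "bb_verdict": verdicts.get(trace[0].process),
        }
    return results


if __name__ == "__main__":
    for label, policy in (("user allows everything", lambda a: True), ("user blocks everything", lambda a: False)):
        print(label, compare(policy))
```

With a click-through user the HIPS raises two prompts for the installer and one for the sample and blocks nothing either way, while the behavior blocker ignores the installer and stops the sample at its fifth rename; with a block-everything user the HIPS breaks the legitimate install and still never sees the renames, because no predefined rule covers them. That is the asymmetry the posts describe: the HIPS outcome is a function of the user's answer, the behavior blocker's is a function of the action pattern.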