Is there a standalone highly effective HIPS product?

Mohan Rajan

Level 2
Verified
May 7, 2016
85
> Thanks for answers. I am used to hearing people bash SpyShelter mercilessly, and not just on MT. It sounds like there is another side to the story.

I don't know the reason for the SpS bashing, but that could be because SpS keeps popping up details frequently and users get irritated sooner rather than later.
Nobody wants popups constantly appearing, and if they do, users just keep pressing OK without reading.
This is one way to infect a system, called click weary.

509322

Thread author
> Thanks for answers. I am used to hearing people bash SpyShelter mercilessly, and not just on MT. It sounds like there is another side to the story.

I know what you're talking about - and it isn't bashing.

Pointing out factual limitations of a product isn't bashing.

SpyShelter is a HIPS. HIPS is just a tool for the user to block execution\actions via alerts. In contrast, our product just blocks, generates a block alert - but the user doesn't have the option to allow it within the alerts. They have to go through extra steps which are meant to give them pause. In other words, the user should investigate and not simply allow.

The anti-ransomware protection SpyShelter offers is essentially the same as that in AppGuard. The first layer is to block execution, and the second are protected folders. If the user does make a mistake by letting ransomware run, then files saved to protected folders won't be encrypted. Protected folders are file vaults more-or-less.

User Space is going to be encrypted. And if it's an MBR-modifying or really tough screen-lock ransomware, then the system is toast - and the file vaults are useless.

So, it all goes back to blocking in the first place to ensure the system is unmolested.

I use SpyShelter on two test systems along with AppGuard - not so much for protection but instead to study process run sequences and to capture command lines. It's just convenient for me.

It's a good product.

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
> I don't know the reason for the SpS bashing, but that could be because SpS keeps popping up details frequently and users get irritated sooner rather than later.
> Nobody wants popups constantly appearing, and if they do, users just keep pressing OK without reading.
> This is one way to infect a system, called click weary.

I didn't install the kernel hooks, and I disable the keylogger protection. That way I can set SpS to "ask user" without getting useless prompts every time I try to open a Word doc or something.

509322
> I didn't install the kernel hooks, and I disable the keylogger protection. That way I can set SpS to "ask user" without getting useless prompts every time I try to open a Word doc or something.

You create permanent allow rules within the alerts and there should be no additional alerts for the actions.

Not creating permanent rules needlessly makes the experience with the product bothersome and tedious.

On top of it, you can run browsers, office suites, archivers, etc - commonly exploited programs - as Restricted Apps and not have to deal with any alerts.

The kernel hooks and anti-logger protections are part and parcel of SpyShelter's protections; both should be used for optimal security.
shmu26

> You create permanent allow rules within the alerts and there should be no additional alerts for the actions.
>
> Not creating permanent rules needlessly makes the experience with the product bothersome and tedious.
>
> On top of it, you can run browsers, office suites, archivers, etc - commonly exploited programs - as Restricted Apps and not have to deal with any alerts.
>
> The kernel hooks and anti-logger protections are part and parcel of SpyShelter's protections; both should be used for optimal security.

I definitely like the Restricted Apps module. That is a nice addition to the suite.
But I don't get consistent results from the anti-exe prompts. When I execute an unrecognized file, even one without a digital sig, I often do not get a prompt.
To test it, I downloaded a couple new programs from Cnet, they did not have sigs, and I opened the installer, and went through a couple steps, but did not see a prompt from SpS. I did not complete the installation process, but I should have seen prompts right away, like I see with NVT ERP.

509322
> I definitely like the Restricted Apps module. That is a nice addition to the suite.
> But I don't get consistent results from the anti-exe prompts. When I execute an unrecognized file, even one without a digital sig, I often do not get a prompt.
> To test it, I downloaded a couple new programs from Cnet, they did not have sigs, and I opened the installer, and went through a couple steps, but did not see a prompt from SpS. I did not complete the installation process, but I should have seen prompts right away, like I see with NVT ERP.

SpyShelter alerts are not dependent upon signature when the program is set to "Ask User."

You should get an Action 53 - Execute an Application alert when any non-whitelisted process executes.

If you have another security program on the system that uses HIPS, then it might be the cause of the SpyShelter malfunction. For just a single example, Webroot WSA will cause SpyShelter's alert system not to function.

509322
> Unfortunately, Spyshelter consistently fails to prevent infection in the MT testing hub. I don't know what is going wrong, but it just doesn't protect.

Sure it does. You have to block sample upon execution - Action 53 or use the Terminate option in any other alert. No HIPS will protect a system against infection if you allow the malware to run to the full run sequence. If you allow samples to run from the MT Malware Hub, then SpyShelter cannot prevent infection.

SpyShelter is not an antivirus. It is a HIPS. HIPS is designed to lock a system down.

HIPS is not meant to run unknown samples and the alerts tell you to block or allow. Also, HIPS is not a sandbox.

If you were browsing the web and got an unexpected alert - from say Powershell (because the browser was exploited and all of a sudden Powershell is attempting to run) - you would block Powershell upon execution. It would be the same for a drive-by download that attempts to autorun malicious_autorun.js. You would block wscript.exe in the alert.

HIPS is there when the malware gets onto the system - and you block it if it executes. If you allow something in a HIPS alert, then you just allowed access to the system; system is infected.

1. Clean install OS
2. Install desired, verified clean softs
3. Install HIPS
4. You monitor system
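The "unexpected alert" reasoning in the post above (a browser suddenly spawning PowerShell or wscript.exe is the thing to block), as an added example that is not part of the thread and is not SpyShelter's code. It applies the same parent/child check to process-creation records; the field names follow Win32_Process so the function also runs on live `Get-CimInstance` output. The parent and script-host lists, and the sample process records, are this example's own constructed assumptions.

```powershell
# Added example (not the thread's or SpyShelter's code): the parent/child
# reasoning behind the alert above, applied to process-creation records.
# Field names follow Win32_Process (ProcessId, ParentProcessId, Name,
# CommandLine) so the same function runs on Get-CimInstance output.

# Commonly exploited parents (browsers, office, readers) and the hosts an
# exploit or dropped script typically launches. Both lists are this
# example's assumption, not a SpyShelter rule set; script hosts appear in
# both so a wscript.exe -> powershell.exe hop is flagged as well.
$ScriptHosts        = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                        'mshta.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe')
$ExploitableParents = @('chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe',
                        'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe',
                        'acrord32.exe') + $ScriptHosts

function Find-SuspiciousChildren {
    param([Parameter(Mandatory)] [object[]] $Processes)

    # Index by PID so each record's parent resolves in one lookup.
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $Processes) {
        $parent = $byPid[[int]$p.ParentProcessId]
        if (-not $parent) { continue }   # parent exited or was not captured
        if (($ScriptHosts -contains $p.Name) -and ($ExploitableParents -contains $parent.Name)) {
            [pscustomobject]@{
                Verdict     = 'BLOCK'    # the answer to give in the Action 53 alert
                Parent      = '{0} (PID {1})' -f $parent.Name, $parent.ProcessId
                Child       = '{0} (PID {1})' -f $p.Name, $p.ProcessId
                CommandLine = $p.CommandLine
            }
        }
    }
}

# Constructed sample records standing in for a drive-by download: the browser
# runs wscript.exe on a downloaded .js, which in turn launches PowerShell.
# The last row is a PowerShell window the user opened from Explorer.
$sample = @(
    [pscustomobject]@{ ProcessId = 4;    ParentProcessId = 0;    Name = 'System';         CommandLine = '' }
    [pscustomobject]@{ ProcessId = 1200; ParentProcessId = 900;  Name = 'explorer.exe';   CommandLine = 'explorer.exe' }
    [pscustomobject]@{ ProcessId = 3100; ParentProcessId = 1200; Name = 'chrome.exe';     CommandLine = '"C:\Program Files\Google\Chrome\Application\chrome.exe"' }
    [pscustomobject]@{ ProcessId = 3333; ParentProcessId = 3100; Name = 'wscript.exe';    CommandLine = 'wscript.exe "C:\Users\user\Downloads\malicious_autorun.js"' }
    [pscustomobject]@{ ProcessId = 3400; ParentProcessId = 3333; Name = 'powershell.exe'; CommandLine = 'powershell.exe -nop -w hidden -enc AAAA' }
    [pscustomobject]@{ ProcessId = 3500; ParentProcessId = 1200; Name = 'powershell.exe'; CommandLine = 'powershell.exe' }
)

Find-SuspiciousChildren -Processes $sample | Format-Table -AutoSize

# Same check against the live process table (snapshot, so it reports rather
# than blocks; a HIPS sees the creation event synchronously and can deny it):
# Find-SuspiciousChildren -Processes (Get-CimInstance Win32_Process)
```

On the constructed records the chrome.exe -> wscript.exe and wscript.exe -> powershell.exe hops are reported and the explorer.exe -> powershell.exe row is left alone, which is the distinction the HIPS alert asks the user to make. Because this runs on a snapshot it can only report what already executed; the point of answering "block" in the Action 53 alert is that the HIPS decides before the child gets to run.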
shmu26

> Sure it does. You have to block sample upon execution - Action 53 or use the Terminate option in any other alert. No HIPS will protect a system against infection if you allow the malware to run to the full run sequence. If you allow samples to run from the MT Malware Hub, then SpyShelter cannot prevent infection.
>
> SpyShelter is not an antivirus. It is a HIPS. HIPS is designed to lock a system down.
>
> HIPS is not meant to run unknown samples and the alerts tell you to block or allow. Also, HIPS is not a sandbox.
>
> If you were browsing the web and got an unexpected alert - from say Powershell (because the browser was exploited and all of a sudden Powershell is attempting to run) - you would block Powershell upon execution. It would be the same for a drive-by download that attempts to autorun malicious_autorun.js. You would block wscript.exe in the alert.
>
> HIPS is there when the malware gets onto the system - and you block it if it executes. If you allow something in a HIPS alert, then you just allowed access to the system; system is infected.
>
> 1. Clean install OS
> 2. Install desired, verified clean softs
> 3. Install HIPS
> 4. You monitor system

Hi, I guess you must have misunderstood me. I did not mean that I took samples from the malware hub and then clicked "allow" like a dummy on every alert, and then wrote in to complain about it.
I rather meant that @Av Gurus has tested SpS many times, and published his results in the malware hub. If you take a look at the results, it is not very promising.

509322
> I rather meant that @Av Gurus has tested SpS many times, and published his results in the malware hub. If you take a look at the results, it is not very promising.

SpyShelter Free is being tested. More than half of the features are disabled.

In SpyShelter Premium, files can be added to user-defined protected folders which can be configured to block Writes or Read\Writes to those folders. Protected folders - with the correct access rules for processes running on the system - will prevent file encryption.

SpyShelter HIPS does not detect rapid file modification, file archiving & deletion, screen lockers, etc - the commonly used techniques to ransom files or the system. The only way to ensure the system is protected is to block Action 53 - Execution.

You should not extrapolate the test results of a free product - which is heavily feature-limited - to the fully-featured premium product.

Besides, if the user doesn't know how to use and apply the product correctly, then it is a given that the incidence of failures will be high.
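The protected-folder idea from the post above (a vault only listed processes may write to), as an added example that is neither the thread's nor SpyShelter's code. SpyShelter's own folder rules are set in its GUI, so this uses the scriptable equivalent built into Windows, Microsoft Defender's Controlled Folder Access, to show the same configuration shape: a protected path plus an allow-list of executables. The vault path and the allowed application path are assumptions; the folder must already exist, and the script needs an elevated shell with Defender real-time protection on.

```powershell
# Added example, not the thread's or SpyShelter's code: the protected-folder
# concept expressed with Microsoft Defender's Controlled Folder Access.
# Paths below are assumptions. Run elevated with real-time protection on.

function Enable-VaultFolder {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string[]] $AllowedApps = @(),
        [switch]   $AuditOnly            # log instead of block while tuning rules
    )
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Set-MpPreference -EnableControlledFolderAccess $mode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Folder
    foreach ($app in $AllowedApps) {
        # Full path of each executable that legitimately writes into the vault;
        # everything else (including ransomware you let run) gets denied.
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
    Get-MpPreference | Select-Object EnableControlledFolderAccess,
        ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
}

function Test-VaultFolder {
    # Attempt a write from this (unlisted) PowerShell process, then read back
    # the Defender events that record a block (1123) or an audit hit (1124).
    param([Parameter(Mandatory)] [string] $Folder)
    $probe = Join-Path $Folder ('cfa-probe-{0}.txt' -f (Get-Random))
    try   { Set-Content -Path $probe -Value 'probe' -ErrorAction Stop; "write allowed: $probe" }
    catch { "write blocked: $($_.Exception.Message)" }
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Assumed vault location and the one application allowed to write into it.
Enable-VaultFolder -Folder 'D:\Vault' -AllowedApps @('C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE')
Test-VaultFolder   -Folder 'D:\Vault'
```

Start with `-AuditOnly` on a working machine: the 1124 events show which legitimate programs would have been denied, and those are the paths to add to the allow-list before switching to blocking mode. The limits the post spells out apply unchanged: this only keeps an unlisted process from modifying files in the vault, so the rest of user space is still exposed, and it does nothing against MBR-modifying or screen-locking ransomware, which is why blocking execution in the first place stays the primary control.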

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
In my test I use Win Defender (with PUA) + SpyShelter Free.
Settings are default (*=changed):
High Protection
Auto Block *
Terminate Child Process *

I'm on mobile now, so I can't post pictures.
Lots of times SpyShelter got a pop-up that it blocked something, but the process remained active in RAM and infected the OS.

509322
> Lots of times SpyShelter got a pop-up that it blocked something, but the process remained active in RAM and infected the OS.

Deny = deny action (it does not terminate a process)

Terminate = terminate parent process (the one at the very top of the alert + children [depending upon settings])

Once a process is allowed to run, and it is not blocked from the very beginning, then it is possible only child processes can be blocked. It depends on the run sequence. Parent process could still be loaded into memory and\or running on the system.

Malicious process can be running on system - sitting there, loaded into active memory, but doing nothing on the system... look for process CPU usage = 0 %.

Auto-block all suspicious actions should block the process upon execution; Action 53 - Execution of a File. It should be added to the Black List upon execution. If not, then there is something wrong with it.

Also, SpyShelter terminate is not effective 100 % of the time. There are corner cases - that not even Process Explorer, Process Hacker, KillSwitch, Task Manager, etc can terminate.

In those cases you need to use something like IT Hurricane's PowerTool.
Av Gurus

Here are the settings in my test with SpS:
[attached screenshots: Clipboard02.jpg, Clipboard03.jpg]
AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
ReHIPS is a great program, and definitely one of my favorites, but it does not have a fully developed HIPS like SpyShelter and COMODO and the others do. The HIPS is pretty rudimentary, because the main strength of the software lies in its isolation capabilities.

I think there should be more creativity in the rule-creation dialogs of HIPS programs for one thing. User needs to be able to see his choice of protections and maybe even associate them with a color or zone or something. There is some effort for this in security programs, but not anywhere nearly as much as I would like. User should be able to have a visual map at all times in his/her head of how the protection engages and its scope, especially with HIPS. Not just this, though. In some cases, it could be important to know when/where there isn't protection too. Visualization is nice. :)

Practicing with HIPS involves setting them to "Interactive" mode - which is basically where the HIPS generates an alert for many actions on the system.

After using Private Firewall, I am curious if HIPS could help users maybe by presenting what has been approved by the user for the application already, both the number of rules allowed and then maybe what the last rule was and when the last rule was allowed. It's easy with HIPS to get lost in a sea of rules, because the rules can be set for all processes. Well, the context of seeing my own choices so far as a user for a process I think would help bring home the decision for me. It would be in the proper context of all that has happened before. Maybe there are more interesting uses for counters that could be applied to HIPS...just don't know, but HIPS can use some of this kind of thing I think. In this way, security HIPS alerts could show me somehow that the process does business in dangerous neighborhoods and give a risk assessment concerning what could go wrong.

Just to remind myself o_O, standard HIPS does nothing to block the worst kind of subversive malware...the kind for stealing data and ideas. There should be connection HIPS of some sort too. Rules are pretty limited in the programs I have seen. Something like alert me if any of x, y, or z data is scheduled to be moved over the internet.

But a problem arises when the user installs a new and unfamiliar app. There, you can't rely on the HIPS prompts to tell you when it's getting malicious. It's almost impossible to know that, during the installation process.

For the short term at least, why can't changes to known user file types (or even user-defined types of files) be alerted every time for safety's sake. And then if there is a drive-by and the user accidentally allows one, on the next file, he gets a second chance to stop ransomware.

Or another concept that might work for protecting personal files would be to do a test write to a virtual environment with each change to amass a list of changes to the first file. Present the nature of the changes in an alert to the user before user allows/denies the save and then the next choice comes. In this case, even the first file could be protected from ransomware. User could then be presented an option of whether to whitelist remaining batch changes scheduled by the process or not. I don't think I would put this on the same prompt as the initial process allow/block alert, because malware writers would surely go to writing normally with the first file and then beginning the malicious activity. Something else to remember and consider I think.

The ransomware problem is like a train without brakes that is nearing each one of us. We need to find some brakes for systems to at least slow the train enough so that it does very minimal or no damage.

> I use SpyShelter on two test systems along with AppGuard - not so much for protection but instead to study process run sequences and to capture command lines. It's just convenient for me.

Interesting job. Thanks for the helpful comments.

509322
> I don't understand why they don't just use a driver to handle the termination, they know how to do it for sure... :rolleyes:o_O (assuming they don't already do this and it's just a bug they don't want to fix?)

It is not a bug, it is the way HIPS functions. For example,

execute Parent_Malicious_Process.exe > attempts to execute Child_Malicious_Process.exe > user Allows > Child_Malicious_Process.exe attempts to execute Windows process > user Terminates Child_Malicious_Process.exe > dependent upon settings either the Child_Malicious_Process.exe only or both it and its child will be terminated

The Parent_Malicious_Process.exe can still be loaded in active memory since the user only terminated the child process (Child_Malicious_Process.exe). If the user had terminated the parent, then it would not be loaded into active memory - and the entire run sequence would have been terminated right there and then.

However, there are some malicious processes that resist termination using HIPS, antivirus, behavior blockers, and various other utilities. As long as an autorun has not been created by the process, a system reboot will clear active memory and it will not reload.
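The run sequence described in the post above (Deny stops an action, Terminate stops a process and only the subtree under the PID you pick, so killing the child leaves the parent resident), as an added example that is not part of the thread and not SpyShelter's code. It walks the live process table by `ParentProcessId`, terminates a whole tree from the top, reports the termination-resistant cases instead of hiding them, and lists the resident-but-idle processes the post tells you to look for. The `cmd.exe`/`ping` stand-ins at the bottom are a harmless constructed chain; run it from a PowerShell that is allowed to start processes.

```powershell
# Added example (not the thread's or SpyShelter's code): the parent/child
# run sequence above, checked against the live process table.

function Get-ProcessChildren {
    # Every descendant of $ParentId, depth-first, via Win32_Process
    # ParentProcessId. PIDs are reused, so a "child" created before its
    # "parent" is a stale link and is skipped.
    param([Parameter(Mandatory)] [int] $ParentId,
          [object[]] $Table = (Get-CimInstance Win32_Process))
    $parent = $Table | Where-Object ProcessId -eq $ParentId
    foreach ($c in ($Table | Where-Object ParentProcessId -eq $ParentId)) {
        if ($parent -and $c.CreationDate -and $c.CreationDate -lt $parent.CreationDate) { continue }
        $c
        Get-ProcessChildren -ParentId $c.ProcessId -Table $Table
    }
}

function Stop-ProcessTree {
    # Terminate the process at the top of the alert and then its descendants,
    # parent first so it cannot respawn children while they are being killed.
    param([Parameter(Mandatory)] [int] $ProcessId, [switch] $WhatIf)
    $table   = Get-CimInstance Win32_Process
    $victims = @($table | Where-Object ProcessId -eq $ProcessId) +
               @(Get-ProcessChildren -ParentId $ProcessId -Table $table)
    foreach ($v in $victims) {
        try {
            Stop-Process -Id $v.ProcessId -Force -ErrorAction Stop -WhatIf:$WhatIf
            'terminated {0} (PID {1})' -f $v.Name, $v.ProcessId
        } catch {
            # Protected or otherwise termination-resistant process: say so rather
            # than pretend. Without an autorun it will not survive a reboot.
            'FAILED to terminate {0} (PID {1}): {2}' -f $v.Name, $v.ProcessId, $_.Exception.Message
        }
    }
}

function Get-IdleProcesses {
    # Resident-but-idle candidates (the "CPU usage = 0 %" sign from the post):
    # essentially no CPU time consumed and no visible window.
    Get-Process | Where-Object { $_.CPU -le 0.01 -and $_.MainWindowHandle -eq 0 } |
        Select-Object Id, ProcessName, Path, StartTime
}

# Constructed harmless chain: a hidden cmd.exe (/k keeps it alive afterwards)
# that runs ping as its child, standing in for parent -> child malware.
$parent = Start-Process cmd.exe -ArgumentList '/k ping -n 60 127.0.0.1 >nul' -PassThru -WindowStyle Hidden
Start-Sleep -Seconds 2
Get-ProcessChildren -ParentId $parent.Id | Select-Object ProcessId, Name, CommandLine

# Child-only termination, the mistake in the post: ping dies, the hidden
# cmd.exe parent stays loaded, idle and windowless.
$child = Get-ProcessChildren -ParentId $parent.Id | Select-Object -First 1
Stop-Process -Id $child.ProcessId -Force
Get-Process -Id $parent.Id | Select-Object Id, ProcessName, CPU, MainWindowHandle

# Whole-tree termination from the top of the alert.
Stop-ProcessTree -ProcessId $parent.Id
```

`Stop-ProcessTree -WhatIf` prints what would be killed without touching anything, which is the safer first run on a machine you are triaging. The `-Force` stop still fails on protected processes and on the corner cases the post mentions; the catch branch reports those so you know a reboot or a kernel-level tool is needed rather than assuming the alert's Terminate took effect.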
