Please provide comments and solutions that are helpful to the author of this topic.
You're right here. Nevertheless, my comment pointed to legit signed malware, meaning a legit file, issued by a Trusted Vendor, corrupted by malware (a.k.a CCleaner case). If such case occurs, and no programming errors are found (like the infinite callbacks home from CCleaner malware), the chances of signatures detecting it are minimum, tending to zero. Here's where the importance of backups gain popularity.
CCleaner was a case of update poisoning. Furthermore, on most systems, the "malware" never performed any malicious actions at all. It lay dormant. These rare cases can go undetected for a long time. But as soon as malicious actions start taking place on a significant number of computers, it will be detected.You're right here. Nevertheless, my comment pointed to legit signed malware, meaning a legit file, issued by a Trusted Vendor, corrupted by malware (a.k.a CCleaner case). If such case occurs, and no programming errors are found (like the infinite callbacks home from CCleaner malware), the chances of signatures detecting it are minimum, tending to zero. Here's where the importance of backups gain popularity.
Such malware will be also detected by signatures after some time. This usually depends on how aggressive it is. If it is ransomware, then AVs will produce fingerprints in the cloud very quickly. The CCleaner case is special, because the malware was similar to aggressive adware.You're right here. Nevertheless, my comment pointed to legit signed malware, meaning a legit file, issued by a Trusted Vendor, corrupted by malware (a.k.a CCleaner case). If such case occurs, and no programming errors are found (like the infinite callbacks home from CCleaner malware), the chances of signatures detecting it are minimum, tending to zero. Here's where the importance of backups gain popularity.
"Good program"?...so what about "installation mode"?...or similar...that is a common and useful option/feature designed for such cases (we can find it in most of HIPS developed in history). HIPS should react giving us an alert...it's designed for such behaviour although mostly they have useful features called "white/black list" or some others technologies that could make easier porper decision by user. User should choose what in protection is more important and convinient for them but should remember also that HIPS demands our reaction/decision.
That's a security tradeoff. If you 120% are confident about the installer, the installation mode is fine.
So this suggest that HIPS is better then Sandobx suggested by @cruelsister
I'm not saying that HIPS is bad, it's a very strong system that I've used, in Paranoid mode."Good program"?...so what about "installation mode"?...or similar...that is a common and useful option/feature designed for such cases (we can find it in most of HIPS developed in history). HIPS should react giving us an alert...it's designed for such behaviour although mostly they have useful features called "white/black list" or some others technologies that could make easier porper decision by user. User should choose what in protection is more important and convinient for them but should remember also that HIPS demands our reaction/decision.
Answering question in the title - "Why CruelSisters disable the HIPS?" - perhaps it's easier for the user...why we shouldn't do this?...maybe because of such arguments?
WHY YOU SHOULDN'T RUN ONLY WITH AN ANTIVIRUS + FIREWALL AND WHY A PROACTIVE PROTECTION IS NECESSARY - SECURITY OVERFLOW
In this first article we’ll just show that the couple scanner (antivirus/antitrojan/antispyware) + Firewall is not sufficient to mitigate security risks for home users. Then we'll review and list available Desktop/Host Intrusion Prevention Systems designed...kareldjag.over-blog.com
Yes. You both are right. I am talking about antivirus detecting these kind of malware at the very first sight. Literally no AV, if I'm not mistaken, caught CCleaner on the moment. It wasn't after some time that some companies detected the anomaly and found out about what happened. That's my point. To this rare case of malware, probably nothing will be helpful instantly.
Yes, HIPS is stronger than sandbox, but HIPS+a properly configured sandbox is even stronger than either one on its own. CruelSis recommends disabling HIPS because of the headaches it causes to most users. But for advanced users who enjoy the challenge, HIPS adds protection.
Yes...it's only smart technology what can means also that something trustworthy can be blocked...and something lethal can be allowedBut with the configuration of @cruelsister it stops him and with that you do not stop being sure.
You mean start as the service? Nowadays SpyShelter can run in that way...earlier (as I remember) it was System Safety Monitor and Online Armor...and perhaps many others.
I missed this, was CC running some malware??
So far I got no alerts, and I have left the check unchecked, not sure when they are supposed to trigger.
You must understand that it acts as an anti-exe is configured to not allow what is not recognized, even if the application is clean, it will be placed in the Sanbox. It is the responsibility of the user to know if it gives reliability or not.Yes...it's only smart technology what can means also that something trustworthy can be blocked...and something lethal can be allowed
No, but I read that it was disabled (from safe mode) cause it was too annying already.
Did you read the help info about HIPS?
For me...it meansYou must understand that it acts as an anti-exe is configured to not allow what is not recognized, even if the application is clean, it will be placed in the Sanbox. It is the responsibility of the user to know if it gives reliability or not.
It is also not easy for users who do not understand how this configuration works, although some say it is for beginners.
Comodo have ended for me at 3.5 version You all talking signatures like we're in the 90s, this is 2019 and AVs have behaviour blockers, cloud, etc to deal with that sort of malware.
Valid digital signatures still play a big part in whitelisting files.
