Host Intrusion Protection System - Comparison
From CastleCopsWiki
| Caution | The article below is currently in beta and has not been reviewed for factual errors. |
This article is not meant to be a technical review of the quality of these products. The tabular format merely conveys a broad overview of the features the various products offer. As such, for simplicity (and also due to limitations in this author's technical ability!) the table groups similar features together under one criterion, e.g. Process Modification actually refers to defense against a variety of quite different attacks (which may themselves not be mutually exclusive; many process modification attacks can also be used for termination etc.), or the even broader Other registry entries.
Also please note that support for a feature by a security solution does not in any way guarantee the quality of its implementation. For example, two products might equally claim to monitor the registry to warn about autostarts, but one might cover more autostart locations. Or two products might both try to resist Process Termination, but one might block more types of termination methods.
For the most part, no attempt has been made to measure this aspect. Refer to this for a list of such tests.
This table compares HIPS that use mainly behavior blocking technologies. The comparison table for HIPS using sandboxing (including virtualization) technologies can be found here.
[edit] How to use this table
- Do not use this solely or even primarily as a guide to choose a HIPS! Particularly if you have never used a HIPS before, you should just pick one of the well known HIPS (SSM, ProSecurity or Prevx) and forget about this table.
- Do not use this table to pick a combination of products to try to cover every area!
- The table only lists existing or claimed features, not quality of implementation. Some information is incomplete or inexact because of the need to pigeonhole products into standardised features.
- Products (or combinations of products) that cover the most areas or have the most features are not necessarily the best products.
- Different features vary in terms of intrusiveness and effectiveness.
- Which features are most useful and critical depends on your risk profile, behavior etc.
- Other factors like stability, machine load and user friendliness are to be considered.
- If you feel you really need a certain feature and can justify why, this table might be helpful.
[edit] Comparative Features Table (HIPS - Behavior blockers)
| Name | ProcessGuard | SSM | AppDefend | AntiHook | Comodo Firewall 3 | Online Armor | Prevx2 | ThreatFire (Cyberhawk) | Neoava Guard | Name | DSA | SafenSec Pro | ProSecurity | Core Force | Winpooch | EQsecure | DriveSentry | Netchina S3 HIPS | Primary Response SafeConnect |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Version tested | 3.410 | 2.3.0.612 | 1.0 | 3.0 | 3.0 | 2.0.190 | 1.0.2 build 58 | 2.0.2.12 | 1.0 beta 3 | Version tested | 1.0 | 3.0 | 1.30 | 0.95.167 | 0.6.3 | 3.3 | 3.0.1.33 | 3.5.5.1 | |
| License | Free Feature limited Liteware available | Free Feature limited Liteware available | Current version is beta and nags you to register | Free Feature limited Liteware available (version 2.6) | Freeware | Commercial | Commercial/ Free version only blocks does not clean. | Free Feature limited Liteware available and Commercial Pro version | Freeware/beta | License | Freeware | Commercial/30 days free trial | Free Feature limited Liteware available | Freeware/beta | Freeware/beta and open source | Freeware | Free Feature limited Liteware available | Freeware | |
| Process Execution | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Process Execution | Yes | No, but available through control policy | Yes | Yes | Yes, but off by default | Yes | No | yes | |
| Records command line parameters | No | Yes | Yes | No | No | Yes | No | No | No | Records command line parameters | No | No | Yes | No | No | No | No | No | |
| Children parent control | No | Yes | Limited | Yes | Yes | Yes | No | No | Yes | Children parent control | Yes | Yes, available through rules | Limited | Yes | Yes, but off by default | Yes | No | Yes | |
| Dll loading | No | No | No | Yes(for v2.6 but not 3.0) | No | No | Heuristics | No | No | Dll loading | No | Yes | Yes | Config | No | Yes | No | No | |
| Process Termination | Yes | Yes | Yes | Yes | Yes | Yes | No, but action is noted for Heuristics | Yes | Yes | Process Termination | Yes | Yes | Yes | No | Yes | Yes | No | Yes | |
| Process Modification | Yes | Yes | Yes | Yes | Yes | Yes | Heuristics | Yes | Yes | Process Modification | Yes but ... | Yes | Yes | No | No | Yes | Yes | Yes | |
| OLE Automation control | Yes | OLE Automation control | No | Yes | |||||||||||||||
| Windows Message control | Yes | Windows Message control | |||||||||||||||||
| Access to physical memory | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Access to physical memory | Yes | Yes | Yes | No | No | Yes | No | Yes | |
| Global hook control | Yes | Yes | Yes | Yes | Yes | Yes | Heuristics | Yes | Yes | Global hook control | Yes | Yes | Yes | No | No | Yes | No | Yes | |
| Service/Driver control | Yes | Yes | Yes | Yes | Yes | Yes | Heuristics | No | Yes | Service/Driver control | Yes | Yes | Yes | Limited, via registry control | No, but registry/file control | Yes | Yes | Yes | |
| System Shutdown protection | No | Yes | Yes | Yes | No | No | System Shutdown protection | Yes | Yes | Yes | Yes? | ||||||||
| Network control | No | Outbound only | Outbound only | No | Yes | Yes | Outbound only | Config | Outbound only | Network control | Limited config | Config | Config | Yes | Config | No | No | Config | |
| Startup control (registry) | No | Config | Config with Regdefend | Yes | Yes | Yes | Yes | Config | Yes | Startup control (registry) | Yes(poll) | Config | Config | Config | Config | Config | Config | Config | |
| Startup control (files) | No | Yes | No | No | Yes | No | Yes | Config | Yes | Startup control (files) | Yes | Yes | Config | Yes | Yes | Config | Config | Config | |
| Browser monitor | No | Yes | Yes with Regdefend | No | Yes | Yes | Yes | Yes | Yes | Browser monitor | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| Other registry entries | No | Yes | Yes with Regdefend | No | Yes | No | Yes | Yes | Yes | Other registry entries | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| Web filter | No | No | No | No | No | Yes | No | No | No | Web filter | No | No | No | No | No | No | No | No | |
| Anti-Phishing | No | No | No | No | No | Yes | No | No | No | Anti-Phishing | No | No | No | No | No | No | No | No | |
| Monitor of sensitive areas | No | No | No | No | Config | Yes | Yes | Yes | Config | Monitor of sensitive areas | Yes | Yes | Config | Config | Config | Config | Config | Config | |
| Restrict file permissions by processes | No | No | No | No | Limited | No | No | Config | No | Restrict file permissions by processes | No | Yes | Yes | Yes | Yes | Yes | No | Yes | |
| Restrict file permissions by directories | No | No | No | No | Config | No | No | Config | Yes | Restrict file permissions by directories | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| Block low level disk access | No | Yes | No | No | Yes | No | No | No | Yes | Block low level disk access | No | No? | Yes | No | No | Yes | No | ||
| Password protection | Yes | Yes | No | Yes(3.0) | Yes | No | Yes | No | Yes | Password protection | No | Yes | Yes | No | No | Yes | No | Yes | |
| Heuristic Algorithm or IDS | No | No | No | No | Yes | No | Yes | Yes | Yes | Heuristic Algorithm or IDS | Yes | Yes | No | No | No | No | Yes | No | |
| Configurable IDS | No | No | No | No | No | No | No | Yes | Yes | Configurable IDS | No | No | No | No | No | No | No | No | |
| Learning mode | Yes | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Learning mode | Yes | Yes (Pro) | Yes | Yes | No | Yes | No | No | |
| Default whitelist | No | No | No | No | Yes | Yes | Yes | No | No | Default whitelist | Yes | Yes | Via Rule Generator | No | No | No | Yes | Yes | |
| Blacklisting | No | No | No | No | No | Yes (with optional antivirus/antispyware) | Yes | Yes (with optional antivirus/antispyware) | No | Blacklisting | No | Yes (with optional antivirus/antispyware) | No | No | No, unless integrated with WinClam etc. | No | Yes | No | |
| Community database | No | No | No | No | No | Yes | Yes | Yes | No | Community database | No | No | No | Yes | No | No | Yes | Chinese version only | |
| Virtualization/roll back | No | No | No | No | No | Yes | No | No | No | Virtualization/roll back | No | Yes/No | No | No | No | No | No | No | |
| Buffer overflow | No | No | No | No | No | No | Heuristics | Yes | No | Buffer overflow | No | No | No | No | No | No | No | No | |
[edit] Notes
Please refer to the FAQ on HIPS if the idea of HIPS is foreign to you.
[edit] License
- Free feature limited Liteware refers to the availability of a free version that is not time-limited. These free versions are fully functional and not time limited but have fewer features than the full version. Note: The table reflects the capability of the full version.
- Nagware refers to software that will frequently nag you to register but is otherwise fully functional.
- Beta refers to software that currently has no stable version.
For more freeware HIPS see Lists_of_freeware_behavior_blockers. Also Lists_of_freeware_sandboxes.
[edit] Process Execution
The software alerts you whenever any unknown process (a process not on your whitelist) tries to execute and gives you a choice. For most software you have the choice to:
- Allow it to start (once)
- Allow it to start and add it to the whitelist of approved applications
- Block it from starting (once)
- Block it from starting and add it to the blacklist
Note: This will not prevent scripts such as WSH scripts from starting if the script interpreter engine is on the whitelist. This feature is also known as execution control, anti-executable, process firewalling etc.
As you might expect, this feature usually contributes most to the number of prompts you get, though features like whitelists of known safe processes can help reduce the number of prompts.
[edit] Records command line parameters
Another difference between HIPS with respect to execution control is in their handling of command line parameters. Some HIPS totally ignore the command line parameters when creating rules. This means that for a few processes which are highly dependent on command line parameters, e.g. rundll32.exe, Microsoft Management Console (mmc.exe) or svchost, the choice is between creating an overly wide permanent rule or being prompted every time it is used.
Examples of HIPS that have the option to record command line parameters in rule sets are SSM, AppDefend and Online Armor. AppDefend in particular allows wildcards in the command line parameters for increased flexibility.
[edit] Children parent control
Allows you to specify not only which processes can start, but also which processes can be started by which others. Can be helpful against leak tests.
E.g. you might authorize firefox.exe to execute if it is started by explorer.exe but disallow the same firefox.exe from executing if it is started by any other process. Some HIPS provide a limited form of this: you can specify which apps can start child processes without generating prompts, but you cannot specify specific parent-child rules.
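To make the two execution-control refinements above concrete (rules that record command line parameters, and parent-child rules), here is an added example rule evaluator; it is not code from any product in the table, and the rule fields, the first-match ordering and the sample command lines are assumptions for illustration:

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed execution-control rule set of the kind the table calls
# "Records command line parameters" and "Children parent control".
# Field names and the first-match decision logic are hypothetical and
# do not reproduce any listed product's rule format.

@dataclass
class ExecRule:
    image: str                      # executable being started, e.g. "rundll32.exe"
    parent: Optional[str] = None    # required parent image, None = any parent
    cmdline: Optional[str] = None   # fnmatch pattern over the command line, None = ignore it
    action: str = "allow"           # "allow" or "block"

    def matches(self, image, parent, cmdline):
        if image.lower() != self.image.lower():
            return False
        if self.parent is not None and parent.lower() != self.parent.lower():
            return False
        if self.cmdline is not None and not fnmatch.fnmatchcase(cmdline, self.cmdline):
            return False
        return True

def decide(rules, image, parent, cmdline):
    """Return 'allow', 'block' or 'prompt' (no rule matched, so ask the user)."""
    for rule in rules:              # first matching rule wins
        if rule.matches(image, parent, cmdline):
            return rule.action
    return "prompt"

# Rules of the kind the text describes: firefox.exe only when started by
# explorer.exe, and rundll32.exe only for one DLL entry point, with a
# wildcard for the remaining arguments instead of a blanket rundll32 rule.
RULES = [
    ExecRule("firefox.exe", parent="explorer.exe"),
    ExecRule("firefox.exe", action="block"),
    ExecRule("rundll32.exe", cmdline="rundll32.exe shell32.dll,Control_RunDLL *"),
]

# the "overly wide permanent rule" the text warns about, for comparison
WIDE_RULES = [ExecRule("rundll32.exe")]

def demo():
    suspicious = "rundll32.exe c:\\temp\\x.dll,Start"   # constructed, not a real sample
    return [
        decide(RULES, "firefox.exe", "explorer.exe", "firefox.exe"),
        decide(RULES, "firefox.exe", "winword.exe", "firefox.exe"),
        decide(RULES, "rundll32.exe", "explorer.exe", "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
        decide(RULES, "rundll32.exe", "explorer.exe", suspicious),
        decide(WIDE_RULES, "rundll32.exe", "explorer.exe", suspicious),
        decide(RULES, "mmc.exe", "explorer.exe", "mmc.exe services.msc"),
    ]

if __name__ == "__main__":
    print(demo())  # ['allow', 'block', 'allow', 'prompt', 'allow', 'prompt']
```

The fifth result shows the trade-off the text mentions: a rule that ignores the command line silently allows an unknown rundll32 invocation that the parameter-aware rule would have prompted on.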
[edit] Dll loading
Many programs rely on dynamic link libraries (DLLs) to provide common functionality. Instead of putting all the functionality into the program (typically an exe) itself (a process known as static linking), the executable 'links' to a separate DLL (many of which are common system DLLs) which contains the functionality. When the process starts it checks to see if the DLL is already loaded in memory and if not it loads the DLL.
Very few security products have this feature; those that do, like ProSecurity, AntiHook v2.6 (but not 3.0) and EQSecure, monitor the DLLs loaded by each application and ask the user for approval.
Essentially, this feature works just like execution control, except instead of approving processes you approve the DLLs loaded by each executable.
Given that each process generally loads more than one DLL, and in some cases dozens of DLLs, individually approving each one can be a tedious affair.
This feature is not to be confused with the more common DLL injection protection, which stops one process from injecting a foreign DLL into another process. That is covered under Process Modification.
The difference between the two features is that if malware replaces the actual DLL file with a trojanised copy (directly copying over the file on the disk) instead of trying to inject a foreign DLL, HIPS with the first feature will catch it.
[edit] Process Termination
One important sign of possible malicious behavior is an attempt to terminate a critical process (typically security software like a firewall or anti-virus). HIPS can protect specified processes from termination attempts (including thread suspension methods) or give you a chance to intercept such termination attempts.
Note: This section does not take into account whether the HIPS resists termination attacks on itself, but whether it stops termination attacks on other processes. In today's world where malware attacks security programs, it is expected that security programs, particularly HIPS, are able to resist termination.
[edit] Process Modification
Similar to process termination, this feature protects critical processes from being manipulated and modified. This includes attacks such as code/memory injection (protecting the virtual memory of a process from being read or written) as well as protection against remote thread creation/suspension/injection. Many leak tests are based on exploiting trusted processes (processes given network permissions by the firewall) to do their work, so HIPS with good process modification protection can offer a lot of protection against leak tests.
Some HIPS will protect only processes explicitly listed (e.g. ProcessGuard, ProSecurity), while others will intercept any termination attempt. One exception to this: DSA detects changed processes by their MD5 checksum, but does not protect against the actual process change itself (e.g. with Zapass).
[edit] OLE Automation control
Control over a form of process manipulation.
[edit] Windows Message control
Control over a form of process manipulation.
[edit] Access to physical memory
Blocks access to physical memory, which would otherwise allow kernel access.
[edit] Global hook control
Provides control of hooking done by Windows programs, which is often but not always associated with keylogging. Some HIPS also block other keylogging polling techniques like GetKeyState and GetAsyncKeyState.
[edit] Service/Driver control
Blocks installs of software that require drivers and services. Such programs, if malicious, can be dangerous because they work in ring zero (kernel mode).
[edit] System Shutdown protection
Warns when a process attempts to shut down the whole system. Some malware try to force a reboot to exploit race conditions.
[edit] Network control
Allows control of outgoing and sometimes incoming network connections per process, i.e. personal firewall capabilities. Currently not many HIPS have this feature, and most users prefer to rely on their own personal firewall anyway. HIPS typically provide only limited network control. Many, like System Safety Monitor, provide only outbound network control. Others like DSA provide both but have limited configurable options. Some like SafenSec provide both inbound and outbound control though.
[edit] Startup control-registry
Monitors and blocks changes to registry locations relating to autostart. Note there are literally hundreds of such locations in the registry and it is impossible to block all of them. Some security software allows you to add new registry keys to monitor; those are marked as configurable in the table.
[edit] Startup control-files
Entries in registry keys are not the only way for malware to register itself for autostart. Security software with this feature monitors such file and directory locations as well (e.g. the Startup folder or old-style win.ini type files). Some HIPS can protect or monitor any file or folder; these HIPS can obviously provide this protection as well.
[edit] Browser monitor
Monitors browser (mostly Internet Explorer) related configuration for changes. This includes areas such as the homepage, ActiveX controls, BHOs, toolbars, trusted zones, hidden Internet options, proxy settings etc. Many of these settings are stored in the registry, so a good registry monitor will catch them too.
[edit] Other registry entries
Other registry entries that are monitored because changes to them are fishy: file associations, disabling of regedit, changes to the default location of the hosts file etc.
[edit] Web filter
Security software filters content before it reaches the browser. Some merely remove all scripts, Java, ActiveX etc., while the better ones try to remove only known harmful ones.
[edit] Anti-Phishing
Provides a warning when phishing might be in progress. This can be done by a combination of methods: known blacklists, heuristic analysis of the URL etc. The much rarer anti-DNS-spoofing feature is also included under this feature.
[edit] Monitor of sensitive areas
Provides a warning when files in a sensitive area (win.ini or hosts, or the system directory, typically c:\windows\system32 and sometimes c:\program files) are being modified or deleted, or if new files are being added. This feature is generally limited and hard-coded. HIPS that allow customizable file system control (what some call a datawall or data level protection) will allow Restrict permissions by directories and/or Restrict permissions by process.
[edit] Restrict permissions by processes
Allows you to restrict what files/directories a process can read/write/create. Typically used when running some suspect or untrustworthy application. Also a feature of sandboxes.
[edit] Restrict permissions by directories
This typically allows you to set some directories (or files) as 'secure' zones so that no other process (unless explicitly approved) can read/write them etc. This can help protect security programs from being neutralized by 'replacement attacks', where critical files are replaced by dummy or even trojanized files, as well as shield sensitive files from being read (by restricting read access). It can also be used to provide Startup control-files.
[edit] Block low level disk access
Provides a warning when low level disk access, e.g. access to \Device\Harddisk0\DR0, occurs. This can prevent KillDisk-type trojans that trash your hard disk.
[edit] Password protection
Offers password protection for changes to your HIPS settings. Password protection is important because it can protect against attempts to shut down your protection via simulated mouse clicks.
Most HIPS use a password to secure access to the console. Although you need a password to open the console and change the global settings (e.g. selectively turning off features), you can still answer prompts and popups without entering any password.
E.g. ProcessGuard (assuming 'block new and changed applications' is not checked) or Prevx1.
Some HIPS like System Safety Monitor are even more secure. They will not allow any changes at all; any prompts will be suppressed and denied if the console is not connected. Turning this on requires a password.
[edit] Heuristic Algorithm or IDS
In HIPS products this typically refers to some black-box anomaly detection system whose rules are not explicitly stated (unlike all the features mentioned above), or some pattern matching system. It also includes clever algorithms for anti-keylogging (not just detecting WH_* hooks). HIPS with this feature may not alert on each and every system change, depending on the expert system rules.
[edit] Configurable IDS
Allows you to set your own series of states/behaviors to monitor and warn about. For example: alert me if any process that isn't in the security software group deletes X files in Y seconds. Or a system where you can set configurable penalty points for suspicious behaviors and flag a process once its score rises above some configurable threshold.
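The two kinds of configurable rule just described (a rate rule over a time window, and penalty points against a threshold), written out as an added example that runs over a constructed event stream; this is not any product's engine, and the event fields, the security-group membership, the weights and the thresholds are assumptions:

```python
from collections import defaultdict, deque

# Constructed model of the two "Configurable IDS" styles the text describes:
# a rate rule (X deletions within Y seconds by a process outside the security
# software group) and a penalty-point scheme that flags a process once its
# score crosses a threshold. Event format, weights and thresholds are
# hypothetical and do not come from any listed product.

SECURITY_GROUP = {"ssm.exe", "avguard.exe"}   # exempt from the deletion rate rule

PENALTIES = {                                 # points per suspicious behaviour
    "global_hook": 3,
    "terminate_process": 4,
    "write_autostart": 2,
    "physical_memory": 5,
}

class ConfigurableIDS:
    def __init__(self, max_deletes=5, window_secs=10, score_threshold=6):
        self.max_deletes = max_deletes
        self.window = window_secs
        self.threshold = score_threshold
        self.deletes = defaultdict(deque)   # proc -> timestamps of recent deletes
        self.scores = defaultdict(int)      # proc -> accumulated penalty points
        self.flagged = set()

    def feed(self, event):
        """Consume one event {'ts', 'proc', 'op', ...}; return alerts it raised."""
        alerts = []
        ts, proc, op = event["ts"], event["proc"], event["op"]

        if op == "delete" and proc not in SECURITY_GROUP:
            q = self.deletes[proc]
            q.append(ts)
            while q and ts - q[0] > self.window:   # expire old deletions
                q.popleft()
            if len(q) >= self.max_deletes:
                alerts.append(f"{proc}: {len(q)} deletions within {self.window}s")
                q.clear()                          # report a burst once

        if op in PENALTIES:
            self.scores[proc] += PENALTIES[op]
            if self.scores[proc] >= self.threshold and proc not in self.flagged:
                self.flagged.add(proc)
                alerts.append(f"{proc}: penalty score {self.scores[proc]} >= {self.threshold}")
        return alerts

# Constructed event stream: a mass delete by an unknown process, the same
# burst by an exempt security process, and a process accumulating points.
EVENTS = (
    [{"ts": t, "proc": "dropper.exe", "op": "delete", "path": f"c:\\docs\\{t}.doc"} for t in range(5)]
    + [{"ts": t, "proc": "avguard.exe", "op": "delete", "path": f"c:\\quar\\{t}.tmp"} for t in range(5)]
    + [{"ts": 20, "proc": "svchost.exe", "op": "write_autostart"},
       {"ts": 21, "proc": "svchost.exe", "op": "global_hook"},
       {"ts": 22, "proc": "svchost.exe", "op": "terminate_process"}]
)

def run(events):
    ids = ConfigurableIDS()
    alerts = []
    for ev in events:
        alerts.extend(ids.feed(ev))
    return alerts

if __name__ == "__main__":
    for line in run(EVENTS):
        print(line)
```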
[edit] Learning mode
In learning mode, the security software will automatically create rules as required, without prompting, for any process that starts on your computer. Another method of learning would be to scan your system (or the Start menu) for executables and approve those immediately. Learning modes can be very helpful to ease setup; however, this is advisable only if your system is known to be clean, otherwise your system might learn to allow malware to work.
Some, like Online Armor and Comodo Personal Firewall, will only add known safe/whitelisted processes (based on various criteria, e.g. signed files, Microsoft processes etc.) when in learning mode, but others will just blindly create rules for everything, so it might be wise to check what rules are added by the learning mode.
A similar feature to help reduce pop-ups is the 'install mode' of some HIPS. Typically, when you start installing a new program it will result in a lot of prompts as the installer drops many temp files, starts several temp processes etc. Turning off the HIPS completely while installing might be risky, so some HIPS allow you to apply 'install mode' to a specific installer, which suppresses any prompt generated by that installer and any of its child processes. Other products allow you to run new programs in 'install mode', which is like learning mode except only for that application instead of system wide. E.g. ProSecurity offers this.
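An added example modelling the behaviours described in this section: an install mode scoped to one installer and all of its descendants, and the difference between a learning mode that only adds known-safe processes and one that adds everything. It is not code from any listed product; the process tree, the KNOWN_SAFE list and the mode names are assumptions:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of "install mode" and of the two learning-mode
# behaviours the text contrasts. Prompts from the designated installer and
# every descendant it spawns are suppressed; learning mode either adds rules
# only for known-safe images or blindly for everything. Names, fields and
# the KNOWN_SAFE list are hypothetical, not any listed product's.

KNOWN_SAFE = {"explorer.exe", "calc.exe", "notepad.exe"}   # stand-in for a signed/Microsoft list

@dataclass
class Hips:
    learning: str = "off"                            # "off", "safe-only" or "blind"
    install_root: Optional[int] = None               # pid the user put into install mode
    parents: dict = field(default_factory=dict)      # pid -> parent pid
    images: dict = field(default_factory=dict)       # pid -> image name
    rules: set = field(default_factory=set)          # images with an auto-created allow rule

    def spawn(self, pid, parent_pid, image):
        self.parents[pid] = parent_pid
        self.images[pid] = image

    def in_install_scope(self, pid):
        """True if pid is the installer itself or any descendant of it."""
        while pid is not None:
            if pid == self.install_root:
                return True
            pid = self.parents.get(pid)
        return False

    def handle(self, pid, action):
        """What the user sees for `action` by pid: 'suppressed', 'auto-rule' or 'prompt'."""
        image = self.images[pid]
        if self.install_root is not None and self.in_install_scope(pid):
            return "suppressed"                      # install mode swallows the prompt
        if image in self.rules:
            return "auto-rule"
        if self.learning == "blind" or (self.learning == "safe-only" and image in KNOWN_SAFE):
            self.rules.add(image)                    # learning mode writes the rule itself
            return "auto-rule"
        return "prompt"

def install_mode_demo():
    h = Hips()
    h.spawn(1, None, "explorer.exe")
    h.spawn(100, 1, "setup.exe")        # user starts an installer...
    h.install_root = 100                # ...and applies install mode to it
    h.spawn(101, 100, "msiexec.exe")    # child of the installer
    h.spawn(102, 101, "regsvr32.exe")   # grandchild
    h.spawn(200, 1, "dropper.exe")      # unrelated process started meanwhile (constructed)
    return [h.handle(101, "write_autostart"), h.handle(102, "load_dll"),
            h.handle(200, "write_autostart")]

def learning_demo(mode):
    h = Hips(learning=mode)
    h.spawn(1, None, "explorer.exe")
    h.spawn(2, 1, "calc.exe")
    h.spawn(3, 1, "unknown.exe")
    return [h.handle(2, "execute"), h.handle(3, "execute")]

if __name__ == "__main__":
    print(install_mode_demo())         # ['suppressed', 'suppressed', 'prompt']
    print(learning_demo("safe-only"))  # ['auto-rule', 'prompt']
    print(learning_demo("blind"))      # ['auto-rule', 'auto-rule']
```

The third result of install_mode_demo is the point of scoping install mode to one process tree: a process that merely starts while the installer is running is still prompted on.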
[edit] Default whitelist
Some security software has a large list (typically at least 100 entries) of known trustworthy software (Windows components, well known browsers, utilities and software), and these will automatically be given the proper privileges without bothering you with prompts. Some whitelists automatically give known safe programs full privileges (trusted status) without bothering to analyze what privileges are necessary. There is a small risk that some other program subverts and works through the trusted program though. Some, like Prevx1, are of the latter kind, but you can select how such known programs are treated. E.g. trusted known programs can start up without an explicit rule but are otherwise subject to the same restrictions as any other program.
A different approach involves trusting digitally signed files from trusted vendors, or any digitally signed files at all. This approach is available in Comodo's Defense+ and NetChina S3 HIPS.
[edit] Blacklisting
In practice HIPS programs aren't in the business of telling you which processes are dangerous. However, many such products have started adding blacklists of known dangerous processes or have embedded optional anti-virus modules.
[edit] Community database
Given that software is constantly being updated, even a default whitelist that comes with the software can quickly become outdated. A community database allows users of the product to share their findings on the types of processes they encounter and the decisions they make. Their decisions on whether or not to allow can provide some guidance. This information can also help malware analysts spot fast-spreading malware.
[edit] Virtualization/roll back
Many virtualization based products enable you to reverse any changes made since a fixed baseline state when required. Typically the virtualization is carried out on a limited scale, e.g. on a browser.
[edit] Others
Script control? Worm detection (network)?
