HIPS FAQ
From CastleCopsWiki
Caution: The article below is currently in beta and has not been reviewed for factual errors.
Frequently asked questions about HIPS.
Introduction
Q: What does HIPS stand for?
A: It stands for Host(-based) Intrusion Prevention System. Other similar terms you might see referring to the same technology include (but are not limited to) behavior blockers, host-based intrusion detection systems (HIDS), intrusion detection systems (IDS), intrusion prevention systems (IPS), system firewalls, etc. Note: there are some subtle technical and usage differences between some of these terms, but those differences won't concern us here.
Let's break it down further.
Host: In its original usage, the term HIPS came from the corporate world, where a distinction was made between host-based protection (security running on the desktops) and gateway/perimeter-based protection (security running on gateways, routers, email servers, etc.). In the context of home use, where all security protection runs on the desktop, this term isn't very useful: it would include software firewalls as well as antiviruses, since they all run on your desktop.
Intrusion Prevention System: Great marketing battles have been fought over this term and its sister term, Intrusion Detection System, and no universally accepted definition exists for either. In general, though, when people say intrusion detection system (IDS) in the corporate business context, it typically refers to a network-based IDS, which is concerned with detecting anomalous network activity. Most of what we term HIPS for home users is not of this type.
Unfortunately the term intrusion prevention system is so generic that it could refer to any type of security program. In theory antiviruses could count too, because an antivirus typically runs on the desktop and tries to stop intrusions.
However, current usage tends towards defining HIPS as any security software that does not use code-based signatures (fingerprinting) for detection, as antiviruses and antispyware do. Most home users are familiar with such signature-based products anyway, so in this FAQ they are not considered HIPS.
Besides the code-based signatures used by antiviruses and antispyware, there are three other types of security technology that can be used by HIPS.
The most common type of HIPS for home users is the behavior blocker. Two other related technologies that can also be used by HIPS are sandboxing and virtualization.
Q: How can HIPS technology protect my PC against malware?
A: Simply put, HIPS technology monitors your system state, warns you whenever malicious behavior is about to occur, and blocks it from happening in real time. This is typically done by intercepting system calls at the operating system level, so HIPS software is almost always deeply integrated into the system. Sandboxing-based HIPS do practically the same thing, except that they only concern themselves with the activities of certain processes running in the sandbox, as opposed to the whole system.
Q: How does HIPS technology differ from the anti-spyware scanner, anti-virus scanner, and personal firewall that I have right now?
A: Traditional scanner-based technology (including most anti-virus and anti-spyware technology) relies on signatures (fingerprinting) to detect malware. The disadvantage of this method is that detection is reactive: generally the security vendor needs to first obtain a sample of the malware, create a signature, and push it to customers before the malware can be recognized.
In today's world of fast-spreading worms and zero-day exploits, this may be too slow. HIPS provides proactive protection by focusing not on recognizing specific code but on malicious behavior. For example, a program that tries to add entries to your hosts file to direct your browser to an advertising site is extremely likely to be malware, and the HIPS gives you a chance to stop it from happening.
One way of looking at it is that your antivirus relies on recognizing criminals by their photographs, while HIPS technology tries to recognize criminal activity and stop the perpetrators (whoever they are) when they start to act maliciously.
Firewalls can be considered part of the HIPS concept model, given that a firewall monitors and alerts you when new network connections are made (assuming that network connections are potentially malicious). However, HIPS has traditionally focused on monitoring and alerting on other, non-network behavior and system states. See also the question on process firewalls vs. network firewalls.
Q: What about the heuristics offered by anti-virus products; don't they offer proactive protection?
A: Most of the heuristics used by anti-viruses are fairly effective at detecting variants of the same malware family. Using methods such as passive heuristics (analysis of code sections) and active heuristics (limited emulation of code within a virtual machine to reveal logic otherwise obscured by, for example, packers), they can provide some protection against modified malware. However, none are fully reliable, particularly against completely new malware, simply because there are too many ways to obfuscate malicious code to avoid detection by heuristics, while other heuristics are too broad and generate too many false positives.
Note that some AV companies talk about HIPS in their products, for example Sophos's Behavioral Genotype® Protection, but these aren't really HIPS under our definition (except in the broad sense in which all AVs are host-based). They emulate the code, log its actions and decide if it is dangerous. Other examples are BitDefender's HIVE, ESET's advanced heuristics, etc. With emulation, malicious code is prevented from executing at all, whereas runtime HIPS can only interrupt code that has already partly executed. On the other hand, emulation has its limitations, e.g. anti-emulation tricks, memory requirements, etc.
For the purposes of this document (and in line with common usage), HIPS does not refer to using emulation to detect malicious code; we talk only about runtime HIPS (as defined above), where code actually runs (partly or fully) and is stopped midway. There are some antiviruses, though, that provide runtime HIPS-like functions; see the next question.
Q: My anti-spyware/anti-virus app claims it provides "real time protection & monitoring". Is this the same thing as HIPS? If not, why would HIPS be better than the monitoring application I'm running now?
A: Depending on the brand of your anti-virus, real-time protection can consist of the following.
- On-access scanner/guard - This is based on traditional, classic signature-based methods. All antiviruses have this.
- Heuristics - This refers to classic heuristics (including emulation) to detect malware; nothing to do with HIPS.
- Behavior monitoring - Some anti-viruses and most anti-spyware provide some light form of system monitoring that falls under the HIPS area. This typically includes monitoring of some registry keys (e.g. Spybot's TeaTimer, Windows Defender). Firewalls nowadays also typically have some limited form of behavior blocking, in particular in the area of execution control to help defeat leak tests. Good examples include Sunbelt Kerio, Jetico firewall and Comodo firewall (full HIPS will be in 3.0). The antispyware product Spyware Terminator has what I would consider a full-blown HIPS using behavior blocker technologies.
- Smart expert-based behavior blocker HIPS - Many antiviruses have started including behavior blocker technology supplemented by some clever expert system. These applications monitor system changes but only alert on changes deemed suspicious. For example, one system change alone might not be deemed suspicious, but several done by the same process might raise a red flag. Examples of antivirus products that include this are Panda's TruPrevent, F-Secure's DeepGuard, KAV's PDM and, to a lesser extent, Norton's SONAR. Many other big antivirus vendors (Trend, McAfee, Sophos) also provide solutions that are HIPS, but as a separate package from the antivirus and geared toward businesses only. See for a bigger list.
Q: I've already got an application that warns me when certain Registry changes are made. Why would I need a HIPS application? What additional protection would it provide?
A: While most antiviruses and antispyware have some light form of behavior monitoring, dedicated HIPS programs typically provide a greater range as well as more in-depth protection. For example, almost all HIPS provide process monitoring (see later) and protection of processes from modification and termination attacks, which are areas typically not covered by other traditional products (though this may be changing). Also, HIPS tend to be kernel-based and provide the deepest level of protection. For example, many apps that claim to protect the registry merely poll the registry for changes every 5 seconds; this is too slow and may give malware an opportunity to act first. Most dedicated HIPS instead hook system calls, so they can intercept intended changes before they occur.
That said, many traditional security products (antivirus and firewalls) are beginning to incorporate some serious HIPS-based technology; refer to this list of major products (forthcoming) that lists the HIPS features supported.
Q: Sounds good to me, but what are the disadvantages of using HIPS?
A: HIPS are not a panacea for the ills of the world. Depending on the type of HIPS product used, some level of expertise (see later) is needed to operate them. For most HIPS products, some user judgment is required to decide whether a given change is dangerous or not. For example, process monitoring is a powerful feature, but the onus is on you as the user to decide which processes to trust to run. Also, unlike antiviruses, classic HIPS cannot tell you beforehand, prior to running it, whether a given software install is malicious or not. If you do trust and allow a software install and the software turns out to be malicious, your HIPS might block some of the malicious behavior, but not all of it. As always, it is advisable to combine your HIPS with a good signature-based scanner for maximum effectiveness.
Stability, Compatibility
Q: I've heard that HIPS applications often use "kernel level filter drivers." What are these? Why do HIPS apps use them? Are they dangerous?
A: HIPS programs are meant to resist attack from the worst kinds of malware, and require full and complete access to the operating system to avoid being subverted. Kernel-level drivers provide this access (termed ring zero access). Antiviruses and firewalls also use similar drivers. Kernel-level drivers can be dangerous if too many of them are used together and they happen to be incompatible. For the most part, HIPS vendors try to ensure their HIPS is compatible with most mainstream antiviruses. Check the vendor's compatibility list for details.
Q: I've heard that HIPS apps can cause system instability and blue screens. Is this true? Why? Are some HIPS apps more stable than others? How do I tell?
A: Like all security software that uses kernel-level drivers, it is possible for some systems to experience some instability depending on the setup. This goes for antiviruses and firewalls as well, of course. Generally, HIPS applications that have been in development for a longer time, as opposed to those that are still in beta, are likely to be more stable.
Still, it is wise to back up first whenever installing a new HIPS program (or antivirus or firewall, for that matter).
Q: I thought HIPS apps were more for corporations and administrators. Are there HIPS apps suitable for home users like myself? If so, which ones?
A: The current crop of HIPS apps has now begun to target home users. See this list for a short listing of products.
Q: Can a HIPS app conflict with any of my other security applications -- like my current anti-virus app, anti-spyware app, or personal firewall? Can I run two HIPS apps simultaneously?
A: It is possible for conflicts to occur, just as it is possible for conflicts to occur between anti-virus, anti-spyware and firewalls. However, most HIPS are tested with a range of mainstream (and not so mainstream) antiviruses and anti-spyware, so conflicts are not likely, particularly for established products. While it is possible to run two or even more HIPS simultaneously (as many have done), the risk of conflicts increases (because testing with two HIPS is a lower priority for vendors) for only a little gain.
Q: If I install a HIPS app, will it replace my anti-virus, anti-spyware, or firewall applications? Can I uninstall the other apps? Should I keep one or two of them as "back-up"? If so, which ones should I keep?
A: Most HIPS do not claim to replace other security components, particularly firewalls, though it is certainly possible if you are careful and experienced. However, a few HIPS can be bundled with antivirus modules, such as Online Armor (KAV) and Safe'n'Sec (BitDefender), though this is optional. As for firewalls, again most HIPS do not provide network control, but a few like Prevx1 and AppDefend do provide rudimentary control, though again these functions can be switched off. Currently, I would not be comfortable relying on HIPS to provide network control, though if you have a hardware firewall to control inbound connections it might be possible.
Usage
Q: I've heard HIPS apps referred to as "process firewalls." How is HIPS different from my personal firewall? Can it replace my current firewall?
A: Personal firewalls commonly in use, such as ZoneAlarm Free or Kerio 2.15 firewall (the newer/paid versions have some HIPS functions), are network firewalls. They only alert when a process tries to create network connections; these are of course only a subset of all the processes that run on your system. A process firewall alerts you whenever any process at all tries to start. You can then choose to allow it to run once, allow it every time (hence putting it on the whitelist of approved processes), block it once, or block it every time (blacklist it).
This is a very powerful line of protection since any unknown and presumably malicious processes won't be allowed to run unless you give them permission first.
On the negative side, this feature (often called exe monitoring, execution control, executable whitelisting or even anti-executable, etc.) can be very noisy, since it prompts you every single time you start a new process that hasn't been approved yet or when an existing program is updated. Features such as whitelists of known legitimate processes that are automatically allowed can help reduce the load. Examples of HIPS with such features would be Prevx, Online Armor and Safe'n'Sec.
Due to the popularity of monitoring process execution, many people have the mistaken impression that HIPS consists only of this. Please note that while most HIPS do provide execution control and hence count as "process firewalls", not all HIPS do. HIPS that do behavior blocking monitor a lot more behavior (e.g. registry changes, driver installations) than just this one feature. HIPS that are purely sandboxes (see next question) don't have this feature either.
Note: Like all the terms used here, there is some variation in usage. Some people may use "process firewall" to refer to more than simply whitelisting of executables, and also include other features that protect running processes from being modified, terminated, etc.
Q: I've heard of "sandboxing" and "virtualization" apps; do they count as HIPS?
A: Yes, they count as HIPS. Sandboxing is an old concept that refers to putting restrictions on processes to prevent them from carrying out various activities (typically defined in terms of what files and directories they are allowed to read/write). This is pretty much the same idea as classical HIPS (though current HIPS mostly focus less on file system control and more on processes and the registry), except that sandboxing apps typically sandbox only particular processes or sections of the system, as opposed to traditional HIPS, which monitor the whole system. The processes or programs monitored are typically high-risk programs (browsers, email clients) or highly suspect programs (new programs you are not quite sure of), so if anything bad happens they cannot break out of the sandbox and affect other parts of the system.
Also, sandboxing applications (e.g. BufferZone, DefenseWall, Sandboxie) typically (with exceptions) do not generate any prompts, but automatically stop disallowed behavior. This makes them a lot less noisy and easier to use. Of course, you could set most classic HIPS (SSM etc.) to "deny all" as well. However, the wider (system-wide) coverage of HIPS makes it a bit harder to do this without causing problems.
Many sandboxing apps also incorporate file system virtualization, so any changes made by the sandboxed application are only "virtual" and can be reversed with a click.
Q: I've heard that HIPS apps tend to produce a lot of pop-ups asking you to confirm or deny this, that, and the other action. I really don't have time for this kind of "chatty" app. Is this true? Are all HIPS apps like this? Just some? How do I tell?
A: To be perfectly honest, using HIPS at the beginning is likely to be a scary experience. That said, there are several things you can do to reduce this problem.
- Turn off unnecessary monitoring - Most HIPS can be configured for different levels of use. Pick the beginner level, which monitors only a smaller subset of behavior.
- Use the learning mode - Most HIPS products have a learning mode. The idea of a learning mode is to create a clean baseline of what your system is like, so the HIPS learns what is normal. Any permissions or rules needed will be created automatically by your HIPS. Once you have been in learning mode for a period of time, you can then stop and let the HIPS start protecting you. One problem is that you must be sure that your system is clean while the HIPS is learning; otherwise the HIPS will learn to allow the malicious behavior of malware already present. Also, whenever you make any major changes to your system, particularly new software installs or patches, prompts will be created.
- Use HIPS with good whitelists or community databases - Some HIPS, like Prevx, include a fairly complete and constantly updated list of known clean and legitimate processes, which will automatically be allowed to start or perform various actions without prompting. This cuts down a lot on the noise factor, particularly if you use mostly mainstream applications.
- Use sandboxing HIPS - As already mentioned above, sandboxing HIPS are somewhat easier to use because they focus on monitoring and sandboxing only certain processes and not the whole system. One of the main problems of using a standard HIPS is that many prompts are the result of actions by perfectly legitimate parts of your system, by your other security software, or when you update an existing program. It takes patience to handle them. With sandboxing you avoid this problem (the excess prompts) by sandboxing only suspect programs or programs like browsers, which provide a possible vector for infection.
- Use a 'smart HIPS' - Most HIPS products on the market currently monitor single behaviors and changes and alert you whenever they happen. A smart HIPS tries to analyze whether the behavior requested by the suspect process is likely to be malicious, using various factors such as past history, sequence of behavior, etc. As such they will be less noisy and won't alert as much. Examples include Safe'n'Sec, and antiviruses like KAV's PDM, Panda's TruPrevent and F-Secure's DeepGuard.
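The process-firewall behavior described in the "process firewalls" answer above (allow once / allow always / block once / block always) together with the learning mode and community whitelist from this list, as an added example that is not code from the wiki or from any HIPS vendor. The paths, binary contents, hashes and the whitelist are constructed sample values; the "user" answering prompts is a scripted callback.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed "community whitelist" (stands in for a vendor database such as the
# one the text attributes to Prevx): path -> SHA-256 of a known-clean binary.
COMMUNITY_WHITELIST = {
    r"C:\Windows\explorer.exe": hashlib.sha256(b"explorer-v1").hexdigest(),
}

# The four answers a process firewall offers at a prompt, as listed in the text:
# (verdict, whether the answer is remembered as a permanent rule).
ANSWERS = {
    "allow_once": ("allow", False),
    "allow_always": ("allow", True),
    "block_once": ("block", False),
    "block_always": ("block", True),
}


def fingerprint(path: str, contents: bytes) -> Tuple[str, str]:
    """Identity of an executable: path plus a hash of its bytes, so an updated
    (or silently replaced) binary at the same path counts as unknown again."""
    return path, hashlib.sha256(contents).hexdigest()


@dataclass
class ProcessFirewall:
    learning: bool = False
    # Simulated user: given the path, returns one of the ANSWERS keys.
    prompt: Optional[Callable[[str], str]] = None
    rules: Dict[Tuple[str, str], str] = field(default_factory=dict)
    prompts: int = 0

    def on_exec(self, path: str, contents: bytes) -> str:
        """Decide 'allow' or 'block' for a process start."""
        key = fingerprint(path, contents)
        # 1. Learning mode: the system is assumed clean, so every executable
        #    seen becomes a permanent allow rule (the baseline).
        if self.learning:
            self.rules[key] = "allow"
            return "allow"
        # 2. Rules created earlier (baseline or an "always" answer).
        if key in self.rules:
            return self.rules[key]
        # 3. Community whitelist of known-clean binaries: allowed without a prompt.
        if COMMUNITY_WHITELIST.get(path) == key[1]:
            return "allow"
        # 4. Unknown executable: prompt the user and apply the answer; "always"
        #    answers are persisted so the same binary never prompts again.
        self.prompts += 1
        answer = self.prompt(path) if self.prompt else "block_once"
        verdict, persist = ANSWERS[answer]
        if persist:
            self.rules[key] = verdict
        return verdict


def demo() -> dict:
    """Constructed sequence of process starts; returns each verdict and the
    number of prompts the user had to answer."""
    editor = r"C:\Program Files\Editor\editor.exe"
    download = r"C:\Users\me\Downloads\setup.exe"
    fw = ProcessFirewall(learning=True)
    fw.on_exec(editor, b"editor-v1")          # baselined while learning
    fw.learning = False
    answers = iter(["allow_always", "block_always"])
    fw.prompt = lambda _path: next(answers)  # scripted user decisions
    out = {
        "baseline": fw.on_exec(editor, b"editor-v1"),                 # rule hit
        "whitelist": fw.on_exec(r"C:\Windows\explorer.exe", b"explorer-v1"),
        "updated": fw.on_exec(editor, b"editor-v2"),                  # prompt #1
        "updated_again": fw.on_exec(editor, b"editor-v2"),            # rule hit
        "unknown": fw.on_exec(download, b"constructed-unknown"),      # prompt #2
        "unknown_again": fw.on_exec(download, b"constructed-unknown"),
    }
    out["prompts"] = fw.prompts
    return out


def learning_caveat() -> str:
    """The caveat from the text: anything that runs during learning is
    baselined as normal, including a binary already present on an infected
    system, and it stays allowed after learning mode is switched off."""
    fw = ProcessFirewall(learning=True)
    fw.on_exec(r"C:\Users\me\AppData\dropper.exe", b"constructed-bad-bytes")
    fw.learning = False
    return fw.on_exec(r"C:\Users\me\AppData\dropper.exe", b"constructed-bad-bytes")
```

Six process starts produce only two prompts because the baseline, the whitelist and the remembered "always" answers absorb the rest; an updated binary at a known path prompts again because its hash changed.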
Q: How difficult are HIPS apps to learn how to use? Am I going to have to be an expert in Windows? How much about my computer am I going to have to know and understand?
A: As already mentioned, HIPS with features like whitelists (particularly Prevx1, which has perhaps the most complete whitelist, with millions of entries) or some sort of smart expert system (like Cyberhawk/ThreatFire, Norton AntiBot/Primary Response SafeConnect) can probably be used almost like an antivirus (i.e. without much knowledge). For the others, it cannot be denied that you will need some time to learn how to use the HIPS to its fullest potential. While you don't need to be an expert in Windows, most people who have used and stuck with them eventually start to understand more about their systems. At the very least, most people who use HIPS just as process firewalls gain an awareness of what files and processes are expected on their system, which allows them to quickly zero in on suspect processes. This in itself is a very important step for computer security, aside from the protection given by the HIPS.
If you go beyond that, you will probably also need a rudimentary understanding of various terms like registry, startup entries, hooks, drivers, etc., so you can understand what is being changed and why it is important to stop untrustworthy processes from changing them.
Q: Do I need to turn off my HIPS when I'm installing new software?
A: Some HIPS vendors recommend that you turn off the HIPS briefly (or at least turn it off on a limited scale, for the installer only) when installing a new product. This has the advantage of saving you the bother of being bombarded by countless prompts due to the system changes made by the installer. This is a good idea, particularly if you fully trust the software being installed. Also, some products like ProcessGuard don't fail nicely: for example, if a driver install is blocked, the installer will just terminate abruptly without giving you an option to approve the driver install.
On the other hand, doing software installs with the HIPS on gives you a chance to see what kinds of changes are being made by the install. If you see something particularly fishy occurring (e.g. software trying to install a driver when it has no reason to), you can immediately block it. Also, various sandbox/virtualization/rollback-type HIPS actually track changes made by the software install; it goes without saying that those types of products should not be switched off during install.
Most users will probably turn off a standard HIPS during installs, which points to its major weakness: it won't be able to protect you if you are tricked into running a trojan horse. Even with the HIPS running, if you really trust the program (which turns out to be a trojan horse), you might ignore the warnings of the HIPS and allow it.
Q: What are the basic features of a HIPS app? If I were comparing several HIPS applications, what features or qualities should I look for? How do I tell if one is better than another?
A: Most HIPS typically have the following features.
- Execution/process control
- Protection of processes from modification and termination
- Service/driver installation control
- Registry protection
See this for a table of comparison of features in HIPS
A: As yet there haven't been many tests focusing on HIPS apps. However, there are some comprehensive tests out there already (plus dozens of magazine-type reviews).
- Tests by Matousec (note that Matousec's definition of firewall effectively includes HIPS) here
- Tests by www.testmypcsecurity.com here
- Tests by AV-Comparatives here (PDF)
- Tests by Kareldjag here as well as here. These sites contain a wealth of information but are a little difficult to navigate.
- Comprehensive test of KAV 6 and KAV 7's PDM
- NicM, who has been learning/working with Kareldjag, has recently started some testing. Currently there is a [thorough test and review of DSA] and a generic test of 15 unhooker malware samples against 10 HIPS.
- Individual reviews of varying skill can also be found on the individual pages of each software product here
Kareldjag's tests are mainly technical tests of the capabilities of HIPS to thwart unusual attacks (raw memory access, etc.) rather than testing against malware per se (though recently he has started to test with real malware). AV-Comparatives tested by manually executing real, actively spreading malware. Gimzo's tests are simpler, based mostly on Kareldjag's. Matousec technically tests firewalls, but his requirements for firewalls pretty much overlap with HIPS functions, and many HIPS have limited network control; as a result he has tested DSA, Ghost Security, System Safety Monitor, etc., which we consider HIPS.
Q: If I buy a HIPS app for my Windows XP system, will it also work on my older Windows 98 box? What happens when Windows Vista comes out next year -- will it work on that?
A: There are exceptions (e.g. SSM free (but not paid)) as well as other non-kernel-based products, but for the most part HIPS are pretty kernel-specific and most work only on NT-based systems (NT, 2000, XP, etc.), because the nature of the application makes it difficult to run on a 98 system, which lacks the needed security features. As always with any software purchase, read the system requirements before you try or buy.
As for Windows Vista, Microsoft has redesigned the kernel (via a feature known as PatchGuard), disallowing various changes, such that almost all security software, including antivirus and firewalls, that relies on undocumented features to patch the kernel (hooking the SSDT, etc.) will be broken; normal access to the kernel via signed drivers is still allowed. Symantec (makers of Norton), McAfee, Agnitum (of Outpost firewall), Sunbelt, etc. have already expressed concerns that this will reduce their ability to protect users. They claim that such modifications are needed to protect their programs from being terminated (tamper protection) and/or to provide behavior blocking/HIPS features. See here for more.
Sophos and Kaspersky, on the other hand, have disagreed. Arguably, though, Sophos's HIPS feature is just very advanced heuristics via emulation, so it is not surprising they aren't affected. Kaspersky does provide HIPS features (as defined here) via its Proactive Defense module (PDM), though.
Microsoft has agreed to release APIs that give limited access to the kernel, but those won't roll out until the first service pack, in 2008 at the earliest.
So the short answer is things are up in the air right now.
Update April 2007
It seems that despite all the complaints, much security software, including HIPS, has begun to support Vista to some extent (at least the 32-bit version), if only in beta. Here is a short list of HIPS with limited or full support.
- Clear Shield - 32-bit version
- Cyberhawk (now ThreatFire) - 32-bit version
- Sandboxie - Does not support Windows Vista x64, however.
- GeSWall 2.6 - Currently beta/release candidate. Support for 64-bit Vista in a future release
- System Safety Monitor - experimental support
- Prevx2 - 32/64-bit. Beta release
- Primary Response SafeConnect - Vista 32- and 64-bit
- Many others exist.
Q: I use Firefox for all my web browsing and I never visit porn sites or crackz sites. Why would I need a HIPS app?
A: Why would you want to use an antivirus or an antispyware? HIPS provide additional protection on top of these precautions. Whether you really need this extra protection is of course up to you.
Q: Do you have a short list of HIPS apps recommended for home users? If so, how did you select the apps on the list? What were the criteria for selection and recommendation?
A: Yes, see this list. Most of the list consists of older, more well-known, established and popular HIPS apps that have gone through several cycles and years of development. Examples include ProcessGuard and System Safety Monitor. Others are newer but show promise. The focus is on products that have a free (or, better yet, open source) version. Many have also been tested and have received good comments.
[Original draft (modified) questions from Eric L. Howes, Dir. of Malware Research, Sunbelt Software]
IDS, IPS, HIDS, HIPS, Behavio(u)r(ial) blockers or System firewalls?
Is there really a difference between any of these terms? Or is it marketing?
- HIPS - Host-based Intrusion Prevention System - From the point of view of a home user directly connected to the net, all security resides on the host (as opposed to the gateway), so the word "host" doesn't add much. Currently one of the more popular terms, even though it is very vague. Using the broad definition means even your antivirus is a HIPS, as argued by Gartner. Currently, the common view of HIPS (at least from the home user point of view) excludes traditional antivirus technologies and refers to behavior blocking techniques.
- HIDS - Host-based Intrusion Detection System - See the comment under HIPS about the usefulness of the word "host".
- IDS - Intrusion Detection System - IDS are almost completely network-based; they are typically deployed on the corporate gateway perimeter to detect attacks and are usually (at least until now) not host-based. IDS also rely heavily on signature rules to detect attacks (e.g. Snort).
These days, because of the rise of non-network-based intrusion detection systems, some have proposed calling this older type of system NIDS (network intrusion detection systems), but they seem to be losing the battle.
- IPS - Intrusion Prevention System - As the name suggests, this prevents instead of just informing. There are a lot of NIPS (network-based intrusion prevention systems), most of which don't run on the host.
- Behavio(u)r(ial) Blocker - A somewhat older name that was used for this class of product when it first emerged in the 90s. IMHO the most descriptive and informative of all the terms in the list, even though the term "behavior" is very broad... These almost always run on the host machine. Products like StarForce's Safe'n'Sec are marketed under this term. Some use "behavior blocker" in a very specific way (what we call expert-based behavior blockers; see next section) and distinguish between it and classic HIPS/system firewalls.
- System firewall - Because HIPS relies on stopping malicious behavior in real time, it needs to protect itself well. As such, HIPS almost always patch the kernel to help protect the system from subversion; some people call products like this system firewalls, because they screen and protect the operating system from being abused. This term is not as popular.
Policy-based behavior blockers vs Expert-based behavior blockers
HIPS that use behavior blocking technology can arguably be split into two classes: policy-based and expert-based systems. Policy-based systems simply use a clear policy rule on what behavior is allowed or not (or, more commonly, prompt you if no rule exists yet). For example, a policy-based system might just have a policy to stop attempts by non-whitelisted processes to read a certain sensitive file area.
Expert-based systems are more complicated: they are equipped with a series of rules that help the system judge what to block or not. Typically, human experts will analyze a number of malware samples and try to create a series of rules that will reliably alert only when a series of changes is really dangerous. For example, they might find after analyzing malware that 95% of malware will first create a startup entry and then access the file area, so the system will not block normal software that merely creates a startup entry.
Expert-based systems are generally quieter and have fewer false positives (much like antiviruses), although it's unclear how accurate the expert system is. Policy-based systems are more transparent, and it is easier to understand what is being controlled and blocked, but they require more effort to use.
Most HIPS behavior blocking products geared to the home user are currently of the policy-based kind. However, expert-based behavior blockers are starting to appear, including Cyberhawk/ThreatFire, Norton AntiBot/Primary Response SafeConnect, and to some extent Prevx and Safe'n'Sec, which are basically expert-based behavior blocker HIPS (with a judgment module), so they make most of the decisions on their own, although you can typically crank up the security setting so that they act as a policy-based HIPS.
Also, a few antiviruses (e.g. Panda TruPrevent, KAV 6's PDM, F-Secure's DeepGuard) and anti-trojans (a-squared IDS) employ expert-based behavior blocker HIPS because, unlike policy-based HIPS, they provide characteristics similar to traditional scanning technology (low noise, low FP) that antivirus users have come to expect.
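The two decision models from this section, run side by side over one constructed trace of system changes, as an added example that is not code from the wiki or from any of the products named. The policy-based blocker has a rule per (process, action, target) and prompts on every change without one; the expert-based blocker scores the sequence of actions per process and blocks only when the "startup entry, then sensitive write" pattern completes. Process names, the registry key and file paths, the weights and the threshold are all constructed sample values, not any vendor's rules.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    process: str
    action: str   # "registry_set", "file_write", "driver_install"
    target: str   # registry key or file path


# Sensitive locations both models care about (constructed sample values).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"   # startup entry
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"                   # browser redirection


class PolicyBlocker:
    """Policy-based: an explicit allow/block rule per (process, action, target);
    any change without a rule is a prompt the user must judge on its own."""

    def __init__(self, rules: Dict[Tuple[str, str, str], str]):
        self.rules = rules
        self.prompts: List[Event] = []

    def decide(self, ev: Event) -> str:
        verdict = self.rules.get((ev.process, ev.action, ev.target))
        if verdict is None:
            self.prompts.append(ev)
            return "prompt"
        return verdict


class ExpertBlocker:
    """Expert-based: weights encode the analysts' finding that a startup entry
    on its own is ordinary, but a startup entry followed by a hosts-file write
    (or a driver install) by the same process is the malware pattern. The score
    accumulates per process, so the sequence matters, not the single change."""

    WEIGHTS = {
        ("registry_set", RUN_KEY): 1,   # persistence alone: ordinary
        ("file_write", HOSTS): 3,       # hosts-file redirection
        ("driver_install", "*"): 3,     # any kernel driver
    }
    THRESHOLD = 4                       # reached only by a combination

    def __init__(self):
        self.score: Dict[str, int] = defaultdict(int)

    def decide(self, ev: Event) -> str:
        weight = self.WEIGHTS.get((ev.action, ev.target),
                                  self.WEIGHTS.get((ev.action, "*"), 0))
        self.score[ev.process] += weight
        return "block" if self.score[ev.process] >= self.THRESHOLD else "allow"


# Constructed trace: a legitimate updater and a dropper both start by adding a
# startup entry; only the dropper goes on to rewrite the hosts file.
TRACE = [
    Event("updater.exe", "registry_set", RUN_KEY),
    Event("dropper.exe", "registry_set", RUN_KEY),
    Event("dropper.exe", "file_write", HOSTS),
    Event("updater.exe", "file_write", r"C:\Program Files\App\app.log"),
]


def run_both() -> Tuple[List[str], List[str], int]:
    """Run the trace through both models; returns (policy verdicts,
    expert verdicts, number of prompts the policy model raised)."""
    policy = PolicyBlocker({("updater.exe", "registry_set", RUN_KEY): "allow"})
    expert = ExpertBlocker()
    return ([policy.decide(e) for e in TRACE],
            [expert.decide(e) for e in TRACE],
            len(policy.prompts))


def expert_blind_spot() -> Tuple[str, str]:
    """Why the text says the expert rules' accuracy is unclear: a process that
    rewrites the hosts file without first adding a startup entry never reaches
    the threshold, so the expert model allows it while the policy model prompts."""
    ev = Event("quiet.exe", "file_write", HOSTS)
    return ExpertBlocker().decide(ev), PolicyBlocker({}).decide(ev)
```

The policy model raises three prompts on the same four events that the expert model handles with a single block and no questions, which is the low-noise versus transparency trade-off described above; the blind-spot function shows the price of that quietness.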
Behavior blocker or HIPS
As mentioned, there is a sizable number of people who feel that calling policy-based behavior blockers such as System Safety Monitor "behavior blockers" is misleading. They reserve that term for the software labelled expert-based behavior blockers above, such as ThreatFire (formerly Cyberhawk), Norton AntiBot, KAV's PDM, etc. Another common term used for ThreatFire and its cousins is "behaviour-based anti-malware".
Some even exclude the ThreatFire class of software from being called HIPS!
