Lists of freeware behavior blockers

From CastleCopsWiki

Caution The article below is currently in beta and has not been reviewed for factual errors.


Behavior blockers

This class of security software is the newest to come into use, and it is still very much a niche market, although major security vendors are starting to add it to their products. See the FAQ on HIPS and the discussion here for more details. On the freeware front there is a wide variety of choices, mostly liteware (some of which is nearly as capable as the full version, while others are significantly weaker) and a few open source and fully free products.

Expect a lot of developments and changes.


Screenshots (image gallery not reproduced here) of a selection of behavior blockers: AntiHook, AppDefend + RegDefend, Comodo Firewall Pro 3/Defense+, Drive Sentry, Dynamic Security Agent, EQSecure, Neoava Guard, Online Armor Free Edition, Prevx2, Prosecurity Free Edition, Process Guard free, SensiveGuard, System Safety Monitor Free Edition, WinPatrol 2007, Winpooch, ThreatFire.


Popular

(Ratings are out of five stars. [Vista] marks entries that carry the page's Vista icon; [new] marks recently added entries.)

  1. All-Seeing Eye - http://www.fortego.com/en/ase.html (3 stars)
  2. AntiHook - http://www.infoprocess.com.au/antihook26.php (requires .NET Framework for the control panel) (3.5 stars)
  3. AppDefend + RegDefend (nagware, nags at various points) - http://www.ghostsecurity.com/index.php?page=appdefend (3.5 stars)
  4. [Vista] Arovax Shield - http://www.arovaxshield.com/ (2.5 stars)
  5. Blink Personal - http://www.eeye.com/html/consumer/products/blink/index.html (3.5 stars)
  6. [Vista] Comodo Memory Firewall - http://www.memoryfirewall.comodo.com/ [new] (3.5 stars)
  7. [Vista] Comodo Firewall Pro 3.0 - http://www.personalfirewall.comodo.com/ (4 stars)
  8. [Vista] DriveSentry - http://www.drivesentry.com (3 stars)
  9. [Vista] DriveSentry GoAnywhere (for USB drives) (beta) - http://www.drivesentry.com [new] (3 stars)
  10. [Vista] Dynamic Security Agent - http://www.privacyware.com/dynamic_security_agent.html ; see also Webroot Desktop Firewall, which includes a firewall and Dynamic Security Agent (4 stars)
  11. EQSecure - http://www.eqspywatch.com/ ; setup tips (4 stars)
  12. [Vista] Prevx2 - http://www.prevx.com/ (3 stars)
  13. [Vista] Prosecurity Free Edition - http://www.proactive-hips.com/download.php (3 stars)
  14. [Vista] RISING Antivirus Free Edition - http://www.freerav.com/ [new] ; some setup tips for the HIPS part of Rising
  15. [Vista] Spyware Terminator - http://www.spywareterminator.com/ ; bundled with optional Web Security Guard, which includes a crawler (3 stars)
  16. [Vista] System Protect (beta) - http://www.system-protect.com/default.aspx [new] (2 stars)
  17. Neoava Guard (beta) - http://www.neoava.com/ (3 stars)
  18. Netchina S3 HIPS - http://liveupdate.netchina.com.cn/ens3_3.5.5/ncs3_3.5.5_EN_setup.exe [new] (3 stars)
  19. Online Armor Free Edition - http://www.tallemu.com/downloads.html [new] (4 stars)
  20. ProcessGuard free - http://diamondcs.com.au/processguard/index.php?page=home (3 stars)
  21. SensiveGuard - http://www.sensiveguard.com/index.html (3 stars)
  22. System Safety Monitor Free Edition - http://www.syssafety.com/ (3.5 stars)
  23. [Vista] ThreatFire - http://www.threatfire.com/ ; formerly known as CyberHawk ; setup tips (4 stars)
  24. Trend Micro RUBotted (beta) - http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted [new] (1 star)
  25. [Vista] WinPatrol 2007 - http://www.winpatrol.com/ (3 stars)
  26. Winpooch (open source) - http://winpooch.free.fr/page/home.php?lang=en&page=home (3 stars)

If all you want is execution control (so you are prompted when an unknown new process tries to execute), then Winsonar 2007 XP or Abtrusion Protector is all you need. Arovax Shield and WinPatrol provide mostly registry control similar to that of most antispyware real-time protection, warning you of attempts to set autostart entries, hijack browser-related entries, etc., but they do not warn you of new unknown processes starting.


Most of the other entries here do both registry and process control, and also monitor even more subtle system behavior.


ProcessGuard free is one of the earliest and used to be very popular; for a time it was the reference against which other software was compared. Being one of the first, it monitors fewer areas than later offerings (driver/service control, global hooks and process protection, but no file or registry protection), but its fans counter that what it does control is more than sufficient for security, and prefer it to more complicated HIPS.


System Safety Monitor, ProSecurity free, AntiHook, and AppDefend/RegDefend are freeware/liteware offerings of payware products, with less functionality than the full products. Of these, System Safety Monitor (SSM) has the longest history (almost as long as ProcessGuard). The freeware version of SSM is also the most fully featured of the bunch, because it was based on the full version meant for Windows 98 (it also works on XP and 2000). AntiHook and AppDefend/RegDefend also have a relatively long history, the latter being developed by one of the former developers of ProcessGuard. The relatively new ProSecurity free is a much stripped-down version of the full ProSecurity (probably one of the most complicated HIPS out there today).


Dynamic Security Agent is a standalone HIPS but is now also incorporated in Webroot Desktop Firewall.


Development has slowed or stopped for Winpooch and NeoavaGuard.


EQSecure is from China and has a relatively popular following among power users because it is very granular and is 100% free. It can also be very intrusive depending on the settings. Netchina S3 HIPS is another product from China similar to EQSecure but is currently too new to be evaluated.


RISING Antivirus Free Edition is also an antivirus product from China, but incorporates many HIPS features and hence qualifies to be included here.

Comodo Firewall Pro v3 is as extensive/intrusive as any, covering almost every major HIPS function imaginable, and uses a whitelist of known safe applications, which in theory should reduce the number of alerts. Comodo Firewall 3.0 is not recommended except for advanced users.


ThreatFire (which boasts an intelligent behavioral analysis engine), Online Armor Free Edition (which includes a full but basic firewall) and Prevx2 (which uses a large database whitelist of applications) are perhaps the easiest to use, though Prevx2 does not do cleanup and removal of malware, unlike its paid cousin.


Trend Micro RUBotted "monitors for remote command and control (C&C) commands sent from a bot-herder to control your computer. Additionally, RUBotted watches for an array of potentially malicious bot-related activities, including mass mailing - a common activity performed by a bot-infected computer".


Drive Sentry is mainly used only for control of file/folder system access, protecting against deletion/modification but, unlike most of the others mentioned, does not provide process control - i.e. it does not block process injection attempts, process modification and termination attacks, nor does it block unknown processes from starting. System Protect is similar.


A few HIPS claim to protect specifically against buffer overflows, as opposed to merely stopping downstream effects. These include the already mentioned ThreatFire and Prevx2. Comodo Memory Firewall is somewhat unique in that its sole purpose is to block buffer overflows.


Overall, there are many choices in this category, but some are immature and/or development has stopped. Currently, Online Armor Free Edition (which includes a full but basic firewall) and Prevx2 are probably amongst the easiest to use. If you want something even easier, an intelligent analysis engine like ThreatFire is recommended. For power users there are many choices, but EQSecure and Comodo Firewall Pro v3 are probably the most granular and cover the most areas.



Others

  1. API Guard - http://www.alamak0ta.republika.pl/apiguard.html
  2. [Vista] ClearShield (beta, Vista only) - http://www.myclearshield.com/en/home?
  3. Firekeeper - http://firekeeper.mozdev.org/index.html (IDS using snort rules for scanning HTTP)
  4. Full Control - https://sourceforge.net/projects/fullcontrol/
  5. Guardian Angel (outdated) - http://www.freedownloadscenter.com/Utilities/Anti-Virus_Utilities/Guardian_Angel.html
  6. Hurricanesoft Internet Security 2006 Free Edition - http://www.hurricane-soft.com/Security-Software/Hurricanesoft-Internet-Security-2006-Free-Edition-EN-3.1.3/
  7. LOM Heuristics (betaware) - http://www.lommage.co.uk/lomheuristic/
  8. MicroPoint Proactive Defense Software (English Version) - http://www.micropoint.cn/
  9. OSSEC - http://www.ossec.net/main/ [new]
  10. Ozone HIPS - http://www.securityarchitects.com/products.html [new]
  11. Samurai HIPS - http://www.geocities.com/spcs_inc/
  12. SECRETMAKER - http://www.securemaker.com/ All-in-One
  13. Strata Guard Free - http://sgfree.stillsecure.com/?q=node/47#whatdoes
  14. Wehnus Buffer overflow protection - http://www.wehnus.com/products.pl
  15. Wssecure Application Monitor (open source) - http://sourceforge.net/project/showfiles.php?group_id=181434
  16. 360 TimeProtect - http://www.skycn.com/soft/43109.html [new]
  17. See also Lists of freeware antispyware with resident protection such as Spyware Terminator and Windows Defender.
  18. See also Lists of freeware firewalls that have some HIPS function like Jetico 1 and Comodo firewall
  19. See also Lists of freeware sandboxes
  20. See also Lists of freeware virtualization

Process firewalls / execution control (only)

  1. Abtrusion Protector (development stopped) - http://www.pcworld.com/downloads/file/fid,56608-order,1-page,1/description.html
  2. Exe Lockdown (development stopped) - http://www.padring.com/soft/Utilities/Antivirus/ExeLockdown.html
  3. FullControl for Windows (open source) - http://sourceforge.net/projects/fullcontrol/
  4. Trust-no-exe - http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm
  5. Winsonar 2007 XP - http://digilander.libero.it/zancart/winsonar.html [recommended]


If all you want is execution control (so you are prompted when an unknown new process tries to execute), then one of the entries here is what you need. Trust-no-exe is highly configurable and useful software that allows you to set filtering permissions at various levels. Winsonar 2007 XP offers a special online mode in which all unknown processes are automatically killed.

File change alerters (only)

  1. [Vista] DriveSentry - http://www.drivesentry.com


These programs alert the user before a file is changed, giving the user the ability to block undesired file changes. Some of the HIPS already mentioned above, such as EQSecure, Winpooch, and Comodo Firewall 3, can also alert to file changes before they occur.

Registry watchers (only)

  1. MikeLin's StartupMonitor - http://www.mlin.net/StartupMonitor.shtml
  2. MJ Registry Watcher - http://www.jacobsm.com/mjsoft.htm#rgwtchr
  3. RegistryProt - http://www.diamondcs.com.au/freeutilities/regprot.php, alternative download
  4. Startup Monitor - http://www.windowsstartup.com/startupmonitor.php


These utilities warn you of changes to autostart entries. Most of them (except MJ Registry Watcher) cover only the most common autostart areas, and you cannot add more entries for monitoring. They are not recommended unless you are not using anything else more capable (e.g. antispyware with real-time protection, or one of the other HIPS above with registry monitoring capabilities, generally does the same and more). For on-demand checks see List of freeware autostart listers.

Script watchers (only)

  1. Kaspersky Anti-Virus Script Checker - http://mikepav.narod.ru/eng/kavscrch.htm
  2. Script Defender - http://www.analogx.com/CONTENTS/download/system/sdefend.htm
  3. ScripTrap - http://keir.net/scriptrap.html
  4. Script Sentry - http://jasons-toolbox.sectorlink.org/programs.asp?Program=Script%20Sentry
  5. VBS Script Executor - http://fileforum.betanews.com/detail/VBS_Script_Executor/990131048/1
  6. Volto Interceptor - http://www.volto.com/interceptor/
  7. See also Lists of freeware hardening tools


These are script-related tools. Script Defender, ScripTrap and Script Sentry warn you of any script being run and give you the option of blocking it or letting it continue. They work by associating themselves with script extensions (Script Defender allows you to add more extensions to intercept), so when a script runs it calls them first, before they pass it on; as such they use zero CPU time while idle. Also, most normal users will never run scripts, so these tools are usually silent and not very intrusive, unlike similar monitors for executables.

Note: Most of these tools are very old, because they were invented at a time when script-based worms were rampant.

Information Sources

  1. kareldjag.over-blog.com - lots of details
  2. Definition and analysis of what HIPS means, by Gartner
  3. Behavior Blocking: The Next Step in Anti-Virus Protection
  4. Details about Panda's TruPrevent and here (pdf)
  5. The evolution of technologies used to detect malicious code
  6. Link to Tests of specific HIPS products
  7. HIPS Feature comparison
  8. HIPS FAQ

This article is part of the Lists of Freeware Security Software: Malware Control series.


Related : Lists of online scanners

While reasonable attempts have been made to avoid the listing of any malicious or ineffective software, an entry listed here should not be taken as a mark of approval from CastleCops. The selection of freeware (see definition) here is more inclusive, to provide more experienced users scope for experimentation and not just the usual half dozen or so freeware security software that are often mentioned. While there are many gems in the list, some are in beta and unstable or require fair amounts of skill to use. Less experienced users should probably refer to Roll your own Free Security Suite for a shorter list of popular and safer freeware.