Best Free Intrusion Prevention and Detection Utility for Home Use (HIPS)

 
In a Hurry?

  Go straight to the Quick Selection Guide or the Comments for this article.

Introduction

Gone are the days when a virus was a virus and everything else was - well – different! Now known collectively as “malware”, these threats are constantly evolving and pose a serious challenge to security software. Signature-based scanners give the most reliable detection results, but they are limited by the frequency of their database updates. To complement signature recognition software, HIPS programs were developed which look for behavior on your PC that is “characteristic of malware activity”. The user is then presented with an alert to either allow or block the event. Some programs automate this process, which can occasionally lead to problems. See my article “HIPS Explained”, which deals with this and other issues in more detail.

Evaluating the performance of HIPS programs is far from easy, and any so-called “test results” should be viewed with a degree of caution. It is straightforward enough to feed malware files to a selection of signature scanners and then count what they find to arrive at a score. AV Comparatives provides an admirable service here and the results are always consistent and reliable. No such clear dividing line is possible when testing HIPS software, and my feeling is that some of the vendors may use this to their own advantage (“hype”).

Review Criteria

My objective in reviewing this software is to help users make an informed choice about the suitability of the products for their own requirements. In addition to information obtained from the various producers, I have used two methods to collect the necessary data and tried to present my analysis in a factual and entertaining manner. Part of my review is based on personal usage of the software concerned and I will be updating information about my component set-up on this page. I have also used third party data collected from sources I know to be reliable such as other forums where I have known some of the posters for several years. In reality no one can ever duplicate the system you use and the software reviewed may react quite differently between one PC and another. Ultimately, the best way to judge the suitability of these programs for yourself is to try them.

Discussion

Malware Defender was formerly a commercial program, but this excellent HIPS changed ownership a while back and a new version was released as freeware. The sequence of events relating to this change is set out quite nicely here if anyone is interested. Just follow the thread through.

I'd like to state at the outset that this type of program is not for the faint hearted. To use it effectively, and avoid the possibility of damaging your system, you will need a reliable knowledge of Windows processes and services. You will also need to pay close attention to the information displayed in the alerts, and the options associated with each one. Luckily, the program installs by default into learning mode, which reduces the number of initial alerts to a minimum. That said, it's essential that you only install Malware Defender into a clean system; otherwise you'll just be creating "allow" rules for your malware collection to function normally. Everyone has their favorite apps for system cleaning, but my choice would be these. First scan with your resident antivirus and then with HitmanPro and Malwarebytes. You might also like to look at the VBA32 Antirootkit program, which will tell you which sections of its scan came up "clean" and which need some further investigation. It will also check the digital signatures of all your files. Anything identified as suspicious can be uploaded to VirusTotal for a final check.

In addition to the usual file, registry and application modules, Malware Defender also provides network protection should you choose to enable it, including a connections monitor. This makes it the ideal companion for anyone using Windows' own firewall but wanting more detailed control. It also scores very highly in the Matousec tests, for those inclined to value the results.

It was difficult to know exactly where to place Malware Defender in terms of a review rating. For what it does it's an excellent performer but the complexities of using it make it unsuitable for average users. Mistakes can be rectified by changing rule permissions from the log entries, although if you've already denied a vital system function, your screen might now be empty!

 

WinPatrol has been helping to protect computers for more than ten years. With DSA now only available as part of the Privatefirewall package, the options for standalone programs of this type have been reduced still further. Maybe then this is the right time to re-visit an old favorite of many users which is still in development and more than capable of providing this extra layer of security.

WinPatrol has many advocates and has recently been upgraded to achieve greater compatibility for Vista and Windows 7 users. Its main objective is to warn you about alterations to your system which may be malware generated. It does this by taking a snapshot of your system settings and alerting you to any changes. WinPatrol operates using a heuristic approach, which makes it more likely to find new malware than traditional signature-based scanners that are heavily reliant on updates.

WinPatrol will alert you to new program activations as well and is effective across a whole range of malware including worms, trojans, cookies, adware and spyware. Even stuff designed to replicate itself on your system is within WinPatrol's reach. You can also use WinPatrol to filter unwanted cookies and IE add-ons. An added bonus is that WinPatrol will also deal with the problems it finds, so you won't need another program to do this for you.

As of V19.0, WinPatrol becomes a "Cloud Edition". Mostly the extra features will only benefit users of the paid Plus version.  One part of the WinPatrol Cloud though is a poll where the WinPatrol community of users can provide personal feedback on files that are detected. The poll data will be available to both FREE and PLUS users.

The author, Bill Pytlovany, provides support and has an interesting comments and resource blog here:

http://billpstudios.blogspot.com/

 

MJ Registry Watcher is another application that maybe not too many people are aware of. It is a simple registry, file and directory hooker/poller that safeguards the most important startup files, registry keys, and other more exotic registry locations commonly attacked by Trojans. It has very low resource use, and is set to poll every 30 seconds by default, although you can adjust this if required. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets supplied with MJRW will cover most standard PCs. You do need better than average knowledge to get the best from this software, but users in this category who prefer to combine small, light applications to create a layered security solution should definitely check it out. Installation is not required; simply run the program from whichever directory you un-zip it to.

The program now also includes: Process Launch Monitoring, Folder and File Hooking, EMailing of Alerts and Quarantining of Files and Directories. 

There is an active thread for this software at Wilders forum here:

http://www.wilderssecurity.com/showthread.php?t=54666

The author, Mark Jacobs, also maintains a range of other free software on his website and will respond to emails for support if requested.

Related Products and Links
Quick Selection Guide

Malware Defender
Rating: 4
Award: Gizmo's Freeware award as the best product in its class!
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection including network monitoring
Cons: Complicated to understand for average users - home page in Chinese (see Softpedia links below)
Version: 2.8
Size: 1.9 MB
32/64-bit: 32 bit only
License: Unrestricted freeware
Portable: There is no portable version of this product available.
OS: Windows 2K/XP/2003/2008/Vista/7

WinPatrol
Rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Comprehensive protection; deals with the problems it finds; a pioneer of heuristic based detection technology
Cons: “Scotty the Windows Watchdog” projects a somewhat dated image
Website: http://www.winpatrol.com/
Version: 28.6.2013
Size: 900 kb
32/64-bit: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portable: A portable version of this product is available from the developer.
OS: MS Windows all inc. 64 bit

MJ Registry Watcher
Rating: 3
Type: Runs as a stand-alone program on a user's computer
Pros: Light resource use; excellent default rules with choice of security levels
Cons: Only really suitable for experienced users
Version: 1.2.8.1
Size: 3.01 MB
32/64-bit: 32 bit only
License: Unrestricted freeware
Portable: This product is portable.
OS: Windows all

Reader rating: Average 4 (60 votes)

Comments

by MidnightCowboy on 3. May 2009 - 11:15  (20985)

I know of users who run DriveSentry and Avira together with no issues. Like all vendors DriveSentry do not recommend running two AV components at the same time but they have also told me that doing so with Avira will not cause any conflicts. There are still no test results available for DriveSentry from the popular providers but the feedback on Wilders is very good. You might find this link interesting though:

http://www.virus.gr/portal/en/content/2009-04%2C-09-10-april-hips-antian...

If you do a straight scan of inactive samples then DriveSentry will not find as many as Avira or Avast!, but it is finding 100% of what tries to run which is what it's designed to do. In this respect you could make an argument for it being a better option although the lack of trickle-feed signature updates after 30 days with the free version is also a point to consider.

DriveSentry are releasing a brand new suite in the coming weeks which should be very interesting.

by Anonymous on 3. May 2009 - 13:25  (20988)

how much value or importance should i have on outbound protection? i always thought the biggest reason for not using the built-in firewall was for that reason.(no outbound protection) would dsa and the xp firewall use less system resources? thanks

by JonathanT on 3. May 2009 - 13:33  (20989)

Personally I don't think it's important. If malware is already active in your system you're already in big trouble. But if you simply prevent malware that won't happen unless you're exceptionally unlucky.

by MidnightCowboy on 3. May 2009 - 16:47  (20991)

I guess the question to ask yourself is do I have anything residing in my computer that would adversely affect my life if it got out? If you do have sensitive files then a good third party firewall/HIPS combination is designed to at least alert you should data theft malware get in by some means and attempt to 'phone home'. Nothing of course is guaranteed and as I've said many times before human interaction remains the biggest threat when presented with an "allow" or "block" choice button. At this level system resource use ceases to become a relevant issue but for an example the system I am using here with Comodo CIS beta 3.9 (RC2) is recording an average memory use of 9.2MB for the firewall and Defense+ components, which is very low. Bear in mind that this version now has the former BOClean (Trojan) module integrated too. When I briefly tested the new version of Outpost Free for instance the memory use was nearly three times this for a lot less protection. I don't have the AV part of CIS installed.

by MidnightCowboy on 3. May 2009 - 18:19  (20996)

DriveSentry competition winning entries now posted in the forum.

http://www.techsupportalert.com/freeware-forum/security/709-drivesentry-...

by MidnightCowboy on 18. May 2009 - 15:11  (21786)

DriveSentry have now released their new security suite, although users are reminded that this does not contain a network firewall like most other software using this description.

http://www.drivesentry.com/AntiVirus-download-free-Firewall-products-for...

They have also confirmed that a free version will continue to be available and that this can be updated manually as before.

by Anonymous on 18. May 2009 - 15:52  (21792)

Is ThreatFire a HIPS? I thought it was a behaviour blocker?

by PsychEroc on 18. May 2009 - 21:35  (21810)

From what I can tell, HIPS is just a super-duper behavior blocker that comes with less pre-set "bad behaviors", letting you decide what's bad. This article is pretty good: http://antivirus.about.com/od/antivirussoftwarereviews/a/hips_behavior.htm

by MidnightCowboy on 18. May 2009 - 22:40  (21819)

Many applications now combine technologies making it difficult to place them into one specific category or another. They've evolved in this way because the malware they protect against has too. PsychEroc's own interpretation is pretty spot on and the article he's linked for you is a great source.

by MidnightCowboy on 19. May 2009 - 15:11  (21873)

DriveSentry free/suite

This link now answers the questions most of us have been asking since the new suite was released. I will be updating the review here to include the suite as soon as I get a chance to run it.

http://forum.drivesentry.com/viewtopic.php?f=6&t=290

by kimboorleelee on 27. May 2009 - 4:49  (22425)

Midnight-- I'm trying to understand all of this. Will you let me know if I seem to be getting things right? I'm not 100% sure if I'm missing something or, at the other extreme, reaching overkill.

I have a new HP Pavilion dv5 (2 GHz Intel Dual Core Processor, 4 GB RAM) running Vista SP1 64... that's all I can think of off the top of my head. I usually use FF (with WOT, AdBlock Plus, CookieSafe Lite, KeyScrambler Personal, and some other add-ons... that do slow FF's loading), but, when I just want to check something in a hurry, I open Opera with nothing added. I don't do a lot of gaming or visit porn, etc. sites, and I try to follow the security advice I've read re: downloading, pics/links in emails, not logging in as administrator, keeping my software updated, etc. On the other hand, I'm constantly downloading and trying new/beta software, web 2.0 type sites, and FF add-ons; plus I use public WiFi a lot, and I also have four teenagers who occasionally borrow my laptop.

After doing some reading, I equipped my laptop with Avira plus Comodo Firewall (w all that it included... Defense+, SafeSurf, & BOClean). I disabled Windows Firewall but not Windows Defender, and I added SuperAntiSpyware for on-demand scans. That seemed to cover Antivirus, AntiSpyware, & Firewall, so I stopped there. Now I'm reading about HIPS software and programs like Sandboxie. I *think* that extra HIPS software would be overkill, since I've already got Comodo's extras, especially Defense+. I can't use Sandboxie on a 64-bit system, so I was thinking about Geswall. Does that sound right? I'm also wondering if any of what I'm using makes KeyScrambler redundant. Do you have any other suggestions?

Thanks so much for your time!

by Anonymous on 28. May 2009 - 1:49  (22471)

Have you tested winpatrol?

by kendall.a on 28. May 2009 - 4:57  (22472)

Winpatrol is not really a HIPS.

by MidnightCowboy on 28. May 2009 - 12:36  (22496)

Well, you're right about the HIPS. Adding something else in with CIS would not only just be overkill but likely to give you BSODs as well! Defense+ of course also includes the integrated memory firewall as well as BOClean and in my opinion remains the best HIPS component available.

I know I must sound like an old record because for most users I'm always questioning the need for Windows Defender, or indeed any form of realtime spyware protection. SUPERAntiSpyware is perfectly good enough for most people on its own.

In theory you would be adding another layer of protection with isolation software but both Sandboxie and Geswall are far from easy to manage and with four teenagers using your laptop I feel that adding Geswall would invite more problems than it would solve.

Your description of browser choice is excellent. I think that by editing the Dr. Web script into Opera's default directory you can achieve a better rendering speed and security with Opera more easily than loading Firefox up with addons and extensions, but that's just my personal preference.

Overall, what you already have is an efficient and above all manageable solution. Try to resist the temptation to be sucked in by all the vendor hype surrounding PC security and start seeing spooks in every file! The short answer to a total security solution for Windows is always going to be Linux, but as this isn't a practical step for most of us what you are already doing is the next best thing.

by Anonymous on 28. May 2009 - 18:52  (22523)

Thanks so much for your help! I didn't realize that BOClean was integrated with CIS, and, somehow, I had both, so I was able to delete BOClean.

Yes, I have heard different opinions about Windows Defender, and, honestly, I've disabled and enabled it several times.... You must be right about the temptation to be sucked in by hype. I think it started after my (now 14 year old) discovered Morpheus and Limewire and brought my old desktop to a screeching halt. That's when I started learning about system security and maintenance.

Do you make your statement about realtime spyware protection because CIS now has such strong HIPS protection? I know that, when I first started reading about this stuff (a few years ago), I kept hearing that I needed this software for antivirus, that for antispyware, another for antirootkit, etc. Did HIPS change that, or was it overkill then, too? With Avira and CIS, I will probably take your advice and disable Windows Defender.

Last question: What do you mean by editing the Dr. Web script into Opera's default directory?

I am still something of a beginner, but I love learning, and partitioning, virtualizing, isolating, and proxy-ing interest me right now. (Just because I want to learn.) I think I spend more time configuring my system than using it. :)

Again, thanks for all of your help!

by Anonymous on 28. May 2009 - 19:09  (22525)

Geswall management system could not be easier.
See for yourself: http://www.youtube.com/watch?v=PBKNHBl-yos&feature=channel_page

by MidnightCowboy on 28. May 2009 - 19:54  (22529)

I made the Geswall comment on the basis that four teenagers were borrowing the PC in question. This is the warning that appears on the Softpedia page for Geswall.

"NOTE: Only for advanced users. Please be very careful. Your operating system may not start anymore!"

This is why I did not think the risk was worth taking for these particular circumstances.

by MidnightCowboy on 28. May 2009 - 20:33  (22530)

Well, first off spyware has to get in before it can get your stuff out so concentrating on preventative measures is better than hunting for it after it's arrived. In so far as real time protections for anything are concerned then you will always have the issue of user input. I've said many times that a lot of the infected PCs I see all have things like Kaspersky, Comodo, Nod32 etc., but if you allow something that should be blocked then it's in! Second, is there anything on your PC worth stealing? If not, why worry, just use an on demand scanner like SUPERAntiSpyware to get rid of it. If you do have sensitive files on your PC maybe letting four teenagers loose with it is not such a good idea and by far the safest remedy would be to convert the whole thing to Ubuntu.

On the assumption that you stay with Windows though, yes as you say the HIPS component in CIS is excellent. Any spyware that did manage to creep in would need to activate itself to get out at which point Defense+ would offer an alert. Problem solved.

Rootkits are another issue that it's possible to become obsessive about although in terms of causing system damage they can be amongst the most destructive. Avira 9 has good rootkit protection and an on demand scanner like Sophos is good for a second opinion. There are other more effective detectors like GMER but you would need considerable system knowledge to interpret the results.
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

The Dr. Web feature is not so easy to use with Opera as Firefox where it's available as a self installing plug-in. You can however edit your default Opera directory manually to enable the function with a right click from the context menu. This explains how to do it.
http://www.freedrweb.com/browser/opera/

It does take a bit of navigating to scroll down the list until you find the sections you want to edit, but it's straightforward enough so long as you take your time. If you think you've made a mistake just exit without saving. Even with a complete mess up you can always reinstall Opera so no harm done. This will then enable you to check the integrity of any download link before you instruct the download.

It's good to see you enjoy your PC for what it is (in your case) a media, entertainment and learning tool. I too spend a lot of time doing things with mine that are of no Earthly use to anyone or anything, but I love doing it! I often spend ages configuring rules into different firewalls and then the same amount of time afterwards trying to figure out why nothing connects!

by JonathanT on 30. May 2009 - 8:05  (22628)

ThreatFire 4.5 is out!
http://www.threatfire.com/updates/

by JonathanT on 30. May 2009 - 14:24  (22665)

by MidnightCowboy on 30. May 2009 - 20:06  (22679)

This is the key part of their editor's review - and he uses ThreatFire himself.

"Makes user decide whether to allow potentially malicious unknowns. Not enough information about behavior of unknowns"

As I've said many times what is the use of finding stuff you then don't know what to do with? Users certainly need well above basic system knowledge (including the correct location for Win system files) to avoid deleting stuff that's needed to keep their PC alive. I'm not disputing its benefit as a complementary partner to other software in the hands of experienced users but for average folk I still think DSA would be a safer alternative, or DriveSentry if you wanted something a little more comprehensive.

by JonathanT on 31. May 2009 - 7:12  (22699)

I've run ThreatFire for quite a while and I've rarely had any pop ups. Personally I've found ThreatFire to be a more user-friendly HIPS than DriveSentry.

by MidnightCowboy on 31. May 2009 - 10:53  (22712)

ThreatFire is certainly more user friendly in that it requires less work but then what it achieves in terms of overall security is far less. ThreatFire is designed to be complementary software whereas DriveSentry is a front line solution. As such its cover is far more comprehensive and its configurability options more wide ranging.

It's also poor judgment in my opinion to choose security software on the basis of its popups. You cannot have security without them and I feel the time would be better spent in understanding their meaning and what triggered the event, rather than counting how many one application has compared to another.

by Anonymous on 3. June 2009 - 16:20  (22984)

And this appears on the Softpedia page for Geswall:
"Easy to use - fully non-intrusive, no configuration required".
This warning "Please be very careful. Your operating system may not start anymore!" applies to the majority of free software.
Geswall is one of the best programs I have used and recommend it to anyone.

by MidnightCowboy on 4. June 2009 - 17:10  (23063)

I'm sorry but this type of warning does not apply "to the majority of free software", and again, my original comment was made on the basis that four teenagers were to be borrowing this machine and using Firefox which does have some issues with GeSWall as illustrated here.

http://www.wilderssecurity.com/showthread.php?s=37a58f0793c47d6e8aa97fb0...

This is typical of other user comments you will find on the web.

"Secure your online World"
by cutewave on April 24, 2009
Pros: Light and compact
Great protection against various threats
Cons: Not user friendly
Difficult to configure
Summary: This is a good free security application if you are an IT expert or advanced user.

by Anonymous on 5. June 2009 - 18:20  (23113)

When I tried to install DSA on Vista the message that the program is incompatible with this version pops up.
I'm assuming that is happening because I installed Vista SP2 yesterday.
I installed DSA on a friends computer last night without Vista SP2 and it went fine.

by MidnightCowboy on 5. June 2009 - 21:24  (23127)

You are correct. A new version of DSA is due out shortly which will fix this and some other issues with Vista. It will also produce fewer alerts and have improved performance.

by Anonymous on 5. June 2009 - 21:32  (23128)

Will it then also work on Win 7 RC? Had the same incompat message.

by MidnightCowboy on 6. June 2009 - 14:46  (23184)

No idea - but I've emailed Greg at Privacyware today and I'll post his answer for you (and other potential W7 users).

by MidnightCowboy on 9. June 2009 - 10:55  (23399)

OK- the updated news from Privacyware is this: The new version of Privatefirewall which is W7 and Vista64 compatible is now in Beta and will require a few weeks of testing before being released. During this time Privacyware will be deciding whether to make the firewall freeware (and so scrap DSA) or if not, the new drivers will be incorporated into DSA as well. I hope that the former becomes the case because in terms of protection v system compatibility Privatefirewall is the best software available. Sure if you want to pass a few more leak tests you can pick Comodo or OA but then you also have to contend with the issues as reported in their forums.
