HIPS Explained

This is my attempt to clarify what a HIPS is, what it does and how best to incorporate a HIPS program into your security protection.
 

What does "HIPS" mean anyway?
It stands for Host Intrusion Prevention System. In essence it's a program that alerts the user to a malware program such as a virus that may be trying to run on the user's computer, or that an unauthorized user such as a hacker may have gained access to the user's computer.

Background and history
A few years ago it was relatively easy to classify malicious programs. A virus was a virus and other things were, well – different! Nowadays “bugs” have changed and the defining lines between them have become more blurred. Not only do we have added threats from trojans, worms and rootkits but the different malicious products are often combined together. This is why malicious programs are now often referred to collectively as “malware”, and the applications produced to fight them “broad spectrum”.

 

In the past detection software relied primarily on identifying malware by its signature. This method, although reliable, is only as good as the frequency of the updates. There's an added complication in that much of the malware circulating is constantly mutating and changing its form, and in the process it changes its signature. To combat this, HIPS programs were developed, which add the ability to “recognize” possible malware by its actions rather than by its signature. These "actions" could be attempts to control another application, run a Windows service or change a registry entry.
 

It's a bit similar to detecting a criminal by his behavior rather than by his fingerprint. If he acts like a thief he probably is a thief. Similarly, a computer program that acts like a malicious program probably is a malicious program.
 

The problem here is that sometimes perfectly legitimate programs may act a little suspiciously and this may lead to a HIPS falsely labeling the legitimate program as malware. These so called "false positives" are a real problem for HIPS programs (see also How to Report Malware or False Positives). That's why the best HIPS programs are those which use a combination of signature and behavioral techniques. But more on this later.
 

What does a HIPS program actually do?
In general terms a HIPS program seeks to retain the integrity of the system in which it is installed by preventing changes to that system from unauthorized sources. Normally it does this by generating a security popup alert asking the user whether any change should be authorized.

 

This system is only as good as the responses of the user to the popup alert. Even if the HIPS software correctly identifies a threat, the user may inadvertently approve the wrong action and the PC could still become infected.
 

It is also possible for legitimate actions to be misconstrued as malicious behavior. These so called "false positives" are a real problem for HIPS products, though thankfully they are becoming less common as HIPS programs become more sophisticated.
 

The positive side to this is that you can use some HIPS programs to control the access rights of legitimate applications, although this would only be advisable for experienced users. I will explain this, and why you might want to use it, in greater detail later. Another way of looking at HIPS is to imagine it as a firewall that controls applications and services instead of just Internet access.
 

Defining type
Modern malware has become so sophisticated that security protection programs can no longer rely on signature-based detection alone. Now many applications use a combination of different techniques to identify and block malware threats. As a result several different kinds of security products now employ HIPS. Today it is not uncommon to find a HIPS in an anti-virus program or in an anti-spyware program, though by far the most common application of HIPS is as part of a firewall. Indeed most modern firewalls have now added HIPS protection elements to their IP filtering capabilities.

HIPS programs use a variety of detection methods to increase efficiency. In addition to signature recognition HIPS programs also watch for “behavior consistent with the activities of malware”. What this means is they seek to identify actions or events known to be typical of malware activity.
 

Some behavioral analysis programs are more automated than others and although this may seem like a good idea, in practice it can lead to complications. Occasionally circumstances may combine to indicate that the quite legitimate action of an application is suspicious and cause it to be terminated. You may not even be aware of this until things stop working! This is safe enough and merely an annoyance so long as the process is reversible, but occasionally it leads to possible system instabilities. Although such events are rare their impact can be severe, so consideration of this is advisable when making a choice.
 

Set-up and configuration
HIPS programs should be installed with their default settings and run like this until they have either finished whatever training period is required, or you become familiar with their operation. You can always adjust sensitivity levels and add extra rules if you feel this is necessary later. Applications with default “training periods” are designed that way for a reason. Although it might be tempting to reduce the term of training, you could be reducing the efficiency as well. A PDF guide is usually produced by the makers and it's always a good idea to read this before installing.

 

Earlier I mentioned the potential for using your HIPS program to control legitimate application use too. We do this already with our firewalls by restricting port use. You can use a HIPS program in a similar manner to block or restrict access to system components and services. In general, the tighter you tie Windows down the safer it becomes. I read somewhere that the safest Windows system is called Linux! ... But that's another issue! Sometimes legitimate programs will set a level of system access on install that is far in excess of what they actually need to perform their normal functions. Restricting applications to “read access” to your hard drive when they don't need a default “write access” as well is one way to reduce risk. The DEFENSE+ settings of Comodo's CIS are one example of a way to achieve this.
 

When a potential threat is identified
Most HIPS programs notify users of potential threats using interactive popups when an event is triggered. Some programs automate this process and then tell you about it afterwards (maybe!). The important factor is not to become “automated” yourself when responding. There's no real point in having any security applications if you blindly click “yes” to everything. Just a few seconds thought before making a decision can save hours of work later on (not to mention loss of data). If a notification turns out to be a “false positive” you can sometimes record this as an “exception” to prevent future alerts. It is also advisable to notify the makers about false positives so that they can fix these in later versions.
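To make the mechanics described in the last few sections concrete (a signature check, behaviour rules, a training period that learns what legitimate programs normally do, and recording a false positive as an exception so it stops alerting), here is an added toy illustration. It is not code from the article or from any HIPS product; the hashes, rule list and process names are all constructed.

```python
# Added illustration (not from the article or any product): a toy host intrusion
# prevention engine that combines signature and behaviour checks, learns a
# baseline during a training period, prompts the user for unknown suspicious
# actions, and remembers user-approved exceptions so the same alert is not repeated.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    """One monitored action: which program did what to which target."""
    process: str   # e.g. "setup.exe"
    sha256: str    # hash of the executable (constructed values below, not real)
    action: str    # "reg_write", "process_control", "create_service", "file_write"
    target: str    # registry key, process name, service name or file path


# Constructed sample signature list; no real malware hashes.
KNOWN_BAD_HASHES = {"deadbeef" * 8}

# Behaviour rules: (action, target prefix) pairs the article lists as typical of
# malware, e.g. changing a Run key, controlling another process, creating a service.
SUSPICIOUS = [
    ("reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("process_control", "explorer.exe"),
    ("create_service", ""),
    ("file_write", r"C:\Windows\System32"),
]


@dataclass
class Hips:
    training: bool = True
    baseline: set = field(default_factory=set)    # learned (process, action, target)
    exceptions: set = field(default_factory=set)  # user-approved false positives
    prompts: list = field(default_factory=list)   # every popup that would be shown

    def _matches_rule(self, ev: Event) -> bool:
        return any(ev.action == a and ev.target.startswith(t) for a, t in SUSPICIOUS)

    def evaluate(self, ev: Event, user_answer=None) -> str:
        """Return 'block', 'allow' or 'ask'. user_answer simulates the popup reply:
        True = allow and record an exception, False = block, None = no reply yet."""
        key = (ev.process, ev.action, ev.target)
        if ev.sha256 in KNOWN_BAD_HASHES:      # 1. signature hit: no popup needed
            return "block"
        if self.training:                      # 2. training period: learn, don't alert
            self.baseline.add(key)
            return "allow"
        if not self._matches_rule(ev) or key in self.baseline or key in self.exceptions:
            return "allow"                     # 3. quiet, learned or excepted action
        self.prompts.append(key)               # 4. suspicious and unknown: ask the user
        if user_answer is None:
            return "ask"
        if user_answer:
            self.exceptions.add(key)           # record the false positive as an exception
            return "allow"
        return "block"


def demo() -> list:
    """Training run, then enforcement against constructed sample events."""
    hips = Hips()
    backup = Event("backup.exe", "11" * 32, "reg_write",
                   r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Backup")
    out = [hips.evaluate(backup)]                         # training: learned, allowed
    hips.training = False
    dropper = Event("setup.exe", "deadbeef" * 8, "file_write", r"C:\Windows\System32\x.dll")
    out.append(hips.evaluate(dropper))                    # signature match: block
    injector = Event("photo.exe", "22" * 32, "process_control", "explorer.exe")
    out.append(hips.evaluate(injector))                   # unknown behaviour: ask
    out.append(hips.evaluate(injector, user_answer=True)) # user says it's legitimate
    out.append(hips.evaluate(injector))                   # exception recorded: silent
    out.append(hips.evaluate(backup))                     # learned in training: silent
    return out


if __name__ == "__main__":
    print(demo())
```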
 

What if you're not sure?
Figures vary according to which you read, but up to 90% of all malware infections come from the Internet, so most of the time you will be online when a security popup appears. The advised action is to block the event and Google for information about the file(s) identified. The location of a recorded threat can be just as important as the file name. Also, “Ispy.exe” may be legitimate but “ispy.exe” could be malware. A 'HijackThis' log posting might help, but results from the automated service can be a little ambiguous. In general you should do little damage by blocking or quarantining an event until you are sure what to do with it. Deleting things before you are sure is what could possibly lead to disastrous results!
 

How reliable are community advisories?
The trend now is to include community based advisory content in popups. These systems try to help you respond accurately to security popups by telling you how others have responded.

 

It sounds an attractive idea in theory but in practice the results may be disappointing. For example, if only 10 people have seen a particular warning previously and nine of them made the wrong choice, then when you see a 90% recommendation to block the program you will follow suit! I refer to this as “sheep syndrome”. As user numbers increase so should the reliability of the advisories, but this might not always be the case, so some caution is needed. You can always Google for a second opinion.
 

Multiple protector or “layered approach”?
A few years ago the use of all-in-one security suites did not offer performance levels comparable to using several individual security applications to achieve a “layered” protection. Recently though vendors have invested heavily in suite development and this is now reflected in their results. Some though still contain at least one weak component and if this happens to be the firewall you might want to make another choice. The general consensus is that a combination of separate elements will still give higher performance and better overall reliability. What they do most of course is offer greater choice and flexibility. Comodo was the first major suite to be truly free, but now Outpost and ZoneAlarm also have freeware suites. All of these offer a serious alternative to paid software.
 

Recommendations
A car is only as good as its driver and the same applies to software. There is no such thing as a “set-and-forget” security program. Try to pick something that you can understand and are happy to use. It's like comparing Sunbelt-Kerio and Comodo firewalls. Yes, if you want to nail things to the ground Comodo has the potential to give better protection, but it's also more difficult to understand. If you find Kerio easier to work with then you are more likely to use it effectively, and ultimately this would be the better choice (Kerio runs up to Windows XP only; Windows 7 users should check out TinyWall). Use the various test results as a guide, but only that. No test can ever duplicate your computer, your programs and your surfing habits.
 

Selection criteria
I have always selected my own applications in the following order. You of course may think differently!
 

Do I need it?
Many people argue the “usefulness” of some software when balanced against what it is likely to achieve. If your firewall already has a good HIPS component (like Comodo, Privatefirewall or Online Armor) then maybe this is enough. Programs like Malware Defender however do use different techniques so could offer complementary protection in some circumstances. Only you can decide if you think this is necessary. Experts still advise not running more than one security software of the same type.
 

Can I use it?
Adding any HIPS program will generate more work in terms of configuration requirements and alert management. HIPS programs in general can be somewhat ambiguous with what they find so you should be prepared to confirm their findings. With only average knowledge you might find it a challenge to interpret the results.
 

Does it work?
HIPS techniques are only effective where the user responds appropriately to security popups generated by the HIPS. Beginners and apathetic users are unlikely to be able to make such responses.

 

For diligent and experienced users there is a place for HIPS programs in PC security as HIPS adopt a different approach to traditional signature based software. Used either as a standalone or combined with a firewall, HIPS will add to your detection abilities.
 

Will it mess up my system?
Security programs by their very nature have to invade the inner sanctum of your PC to be effective. If you already have a registry like a plate of spaghetti, “ghost folders” in your program files, get “blue screens”, Windows error messages and un-requested pages of Internet Explorer opening then adding a HIPS program is only going to make things worse. Even on a clean machine, making a wrong decision could lead to permanent instability. Potentially though, you can do similar damage with a registry cleaner.
 

Can I use more than one?
I see no advantage in using two HIPS programs together. Experts still advise not running more than one active security software of the same type. The risk of conflict outweighs any possible benefits.
 

Conclusion
Users should maybe consider improving their browser security first by replacing IE with Chrome, Firefox or Opera and using a sandbox before thinking about HIPS. People with a standard firewall could introduce Malware Defender for additional protection. Users of CIS or Online Armor would gain no advantage from doing so. System load and resource use are a consideration, although mainly for older machines. There really is no definitive solution other than to say that too many of anything is usually too much! All in all it's about striking a balance. The biggest threat to my computer will always be me!

Current Best Free HIPS Review: www.techsupportalert.com/best-free-hips.htm

 

 MidnightCowboy


Comments

by ajeoae on 13. April 2014 - 13:54  (115661)

"Users should maybe consider improving their browser security first by replacing IE with Chrome, Firefox or Opera and using a sandbox before thinking HIPS."

Great article MidnightCowboy! I think this recommendation in particular however is a little dated (perhaps when you originally wrote it when IE7 was more popular). Right now, as of 2014, IE10 and 11 are two of the most secure browsers you could run. It's not because of the browser's vulnerabilities itself as much as it is how the browser helps mitigate exploits that target 3rd party addins. Both Firefox and Chrome do a pretty dismal job at this out of the box (Firefox in particular unless you heavily use noscript for everything) and Sandboxie would be 100% needed, it's a shame it's a bit of a chore to work around. As much as it goes against the security through obscurity marketing, I think Microsoft has really pulled through and delivered a solid browser finally. If IE is still not your thing, Comodo Dragon (based on Chromimum) and Dell Kace's secure browser (based on Firefox) are two good alternatives that actually build in sandboxing. (and yes I have a soft spot for Opera personally...my preferred browser on Linux!)

by MidnightCowboy on 13. April 2014 - 14:25  (115663)

Unfortunately a lot of people are using old versions of IE, especially those with XP. Also, in my experience, folks find it easier to manage the necessary security tools for Firefox and Chrome. MC - Site Manager.

by leaveamsg on 3. March 2013 - 19:46  (105911)

I love your "I read somewhere that safest Windows system is called Linux!" shot. If 90% of the users on the internet used Linux it would be torn to shreds. The only reason it's safer is the malware authors aren't targeting it. Maybe try googling "linux kernel vulnerabilities" as an example.

by MidnightCowboy on 4. March 2013 - 0:08  (105916)

The exploitation of Linux kernel vulnerabilities relies on and assumes a great deal of "help" from both the distro compilers and users, very much like the scare mongering Windows exploits published that require physical access to a machine in order for it to be compromised. In any case, "what if" scenarios do not apply to Linux currently and are unlikely to as Microsoft will remain the dominant OS.

by Orkeven (not verified) on 21. August 2012 - 7:20  (98051)

This was a great article, biased intermittently, still great. Thank you for the clarification. Personally I used to think that Windows firewall and a good antivirus (avast!) was good enough until 2 days ago when avast performed a scan and found a rootkit and then events culminated in my losing important OS files. I mean, I couldn't even install .msi files on Windows! .exe files were unexplainably missing, cmd.exe gone! command.exe launched but was useless - just couldn't run anything. To cap it all, I had gained almost 20GB of hdd space! That's how much stuff I had lost, folks. So, I did what I had to do - reinstalled Windows. So, yes, I do appreciate dis site n the knowledge passed. I just started using hitmanpro, privatefirewall, ravflame (anti rootkit ware) all with my avast! I hope there to be no conflicts. I mean, hitman isn't automated n privatefirewall has got d DSA thingy. Personally, I think I'm good to go!
Thanks, once again.

Ekerette Ekpo, Nigeria.

by MidnightCowboy on 21. August 2012 - 7:34  (98053)

It's fair to say that most of the articles here will be biased to an extent because they reflect the personal opinions and preferences of the editors who wrote them. That said, we do try to be objective and the intention is always to be helpful. I'm glad you found this contribution useful. :)

by marley (not verified) on 1. July 2011 - 11:47  (74609)

We have a security package which does not include anti-virus. If I install a separate anti-virus programme will it slow down my computer? It is already slow at peak times.

by MidnightCowboy on 1. July 2011 - 11:56  (74611)

Hi marley,

Unfortunately any antivirus program will slow down your computer, it's just the degree that varies between products. You can go a long way towards reducing your threat exposure by using a third party DNS filter which may even speed things up, and WOT (Web Of Trust) which will install now for most of the major browsers. You don't say what other components are in the package you have already, so above this I can't offer much more advice.

by Jason H. (not verified) on 3. September 2010 - 6:34  (57181)

Is the HIPS that is included with Comodo Firewall incompatible with ThreatFire? If you recommend not using both at the same time, do you prefer one over the other?

by MidnightCowboy on 3. September 2010 - 8:18  (57188)

Both programs are quite aggressive in what they do so there is always likely to be conflict. There will also be some redundancy between the two as they monitor the same things. IMO Comodo is by far the best option as it gives you a first class firewall along with the HIPS component.

by Okiedokie (not verified) on 30. August 2010 - 15:14  (56994)

Thanks for the informative article. I am probably a 3 on a scale of 10 in terms of computer knowledge, so bear with me on a couple of questions.

You stated in the article:

"Experts still advise not running more than one active security software of the same type. The risk of conflict outweighs any possible benefits."

I am currently running Microsoft Security Essentials, latest version on my desktop (Win 7 OS). While Essentials had been doing a fairly good job (I thought), last week I got a rogue desktop security program that slipped through Essentials. In order to clean the rogue off my computer, I went to my laptop and downloaded rkill.com and copied it to my desktop, then ran it. It stopped the runaway activity of the rogue. I then downloaded Malwarebytes Anti-malware, and installed and ran it. It seems to have solved the rogue problem and seems to be interfacing OK with Essentials.

QUESTION: In your opinion, are these two anti-malware programs compatible? Obviously Essentials was not good enough to block the rogue program, but it has been a good anti-virus program, or at least so I thought.

Would appreciate your comments.

On a different tack, I noticed that you were praising Comodo's firewall; I am currently using my Windows 7 firewall. In your opinion, would I be well advised to switch to Comodo and disable the Windows 7 firewall?

Thanks for your help

by MidnightCowboy on 30. August 2010 - 17:24  (56996)

Hi,

Personally, I use HitmanPro and Malwarebytes as my secondary backup scanners. Because these are only scanners and don't run in real time there is no danger of a conflict with your resident AV. I would also recommend a security biased third party DNS client such as Sunbelt's ClearCloud which will help you to avoid potentially malicious websites in the first place.

http://clearclouddns.com/

The Comodo firewall is certainly good but you will need a considerable amount of knowledge to configure it effectively. Yes in real terms it offers a lot more than Windows own firewall which although an excellent filtering platform has no HIPS or sandbox features. That said, the complexities of understanding Comodo make it unsuitable for a lot of users. If you were insistent on moving away from Windows take a look at the latest ZoneAlarm Free which offers a bit more without going over the top, and is certainly a lot easier to understand and work with.

by Okiedokie (not verified) on 30. August 2010 - 19:51  (57005)

Because I wanted real-time protection, I decided to spring for the Malwarebytes' commercial program. So I have two AV programs both scanning real-time. So far, I have experienced no problems. If problems arise, of what nature are they likely to be?

About the firewall issue: I am not insistent on moving away from Win 7 firewall, necessarily, as long as it provides me the protection needed. It is not the top-rated, from what I have gathered, but maybe good enough.

On an entirely different note and issue, I have a question:

What would cause my screen to unexpectedly drop from full-size to greatly-reduced size, with no interaction from me? One second, I am reading something on the screen, the next, I have to re-size the screen?

Any help appreciated.

by MidnightCowboy on 30. August 2010 - 20:06  (57007)

Two programs scanning in real time together compete for file access and system resources. One for instance can be trying to open something already being scanned by the other. Wherever you look on the web you will see reports from users of dual program setups who insist they have no ill effects. All I can say is that every vendor and tech I have spoken to says such a set up is likely to invite system conflicts and degrade protection instead of improving it.

As for your other issue, possibly a driver error? Or, if you have recently installed new software and this is a recent development, you could try a system restore to before the install just in case something happened during this process. Otherwise, try posting in our forum support where folks far more knowledgeable than myself in this area will be able to help.

by MidnightCowboy on 19. January 2010 - 11:07  (41520)

You're welcome!

by Fishy mr Fish (not verified) on 23. July 2010 - 4:25  (54781)

we <3 you

by Anonymous on 19. January 2010 - 5:17  (41498)

Thanks MidnightCowboy....for such detailed information about HIPS.

FCCMA

by Anonymous on 12. January 2010 - 23:47  (40919)

Privacy ware site not so hot in McAfee siteadvisor ! 2010 ?

The cost of Free .

by mr6n8 on 13. January 2010 - 20:15  (40976)

Just to clarify the above statement. McAfee Site Adviser gives the site a green (good) rating
http://www.siteadvisor.com/sites/privacyware.com

There are a couple of comments (2 years old) indicating a trojan in a download, but McAfee obviously found nothing.

Those comments could well have been made because of a false positive finding by their anti-malware.

Since privacyware gets a green from McAfee, I am not sure of the basis of the above comment.

by MidnightCowboy on 13. January 2010 - 16:41  (40961)

TSA uses WOT to rate other sites because we find this to be the most up to date and reliable. Nothing here is knowingly posted unless it has a "green" status. People are of course free to use whatever ratings software they wish and visit the sites flagged (or not) accordingly.

by Anonymous on 30. November 2009 - 10:40  (37550)

An excellent article and thanks a lot!!!

Gary LosAngeles

by Anonymous on 6. June 2009 - 12:40  (23170)

I like paranoid geeks, they make me laugh.

by peter on 6. June 2009 - 12:48  (23173)

You can imagine the fun we get from Anonymous posts!

by Phylis Sophical on 27. March 2009 - 6:38  (18648)

Very Informative and straight forward. Thanks.

by Anupam on 15. March 2009 - 11:56  (17872)

Nice article MidnightCowboy. Thanks for all the insights on HIPS. Looking forward to the review section :).

Anupam Shriwatri, India
