Tech Support Alert - Where to Find the Best Tech Support Resources on the Web

Six HIPS Programs Reviewed and Rated

An analysis of how well the latest generation of HIPS security products perform

The Problem

In a previous article, "The Home Computer Security Mess", I talked of the home computer security conundrum. On the one hand we have the rapidly increasing sophistication of malware. On the other hand, computer security products have become so numerous, so complex and so overlapping in function that it's become almost impossible for home users to make rational assessments of their effectiveness.

Towards a Resolution

To try and make sense of this mess I decided in June 2006 to undertake a series of reviews of current security products. The aim of these reviews was to evaluate how well these products coped with the latest generation of threats rather than simply repeat more conventional detection tests of which there are many.

I wanted to look at things conventional tests didn't look at. In particular I was interested in how resistant the security programs were to termination by aggressive malware. I also wanted to know how they coped with cloaking, either by rootkit stealthing or polymorphic encryption. Finally I wanted to test their ability to deal with 0-day threats, particularly those served by drive-by download sites.

This test of HIPS products is the third in this series. The first covered signature scanners, the second sandbox products.

What the heck is a HIPS?

The acronym HIPS stands for Host based Intrusion Prevention System. The full name is just about as unhelpful as the acronym.

In fact HIPS has no tight definition and it appears to mean different things to different folks. The attempted definition at CastleCops is thorough but its taxonomic complexity confuses as much as it clarifies. The functional definition based on detection technique at Kareldjag is useful but unfortunately a number of HIPS employ multiple techniques. And the situation is not helped by some security product vendors who increasingly use the term HIPS in their advertising regardless of whether their product fits any reasonable HIPS definition or not.

Personally I think the best way to clarify the idea of a HIPS is to start with the classic HIPS concept and then work out from there.

Products like WinPatrol and Prevx Home are classic HIPS products. They are non-signature-based security products that monitor specific program behaviors and alert the user if there is a problem. For example, when a new program starts the user is warned and asked whether the program should be allowed to run. Most users can get their head around that idea. They have used such products or experienced similar behavior from their firewall.

Classic HIPS programs have a number of serious weaknesses. It is the attempt to address these weaknesses that creates the definitional problem. Let's look at the weaknesses:

First, they rely on the user to make informed decisions to accept or reject a particular behavior. Most users simply don't have the knowledge to make such decisions.

Second, they give far too many false positives; they fail to discriminate adequately between genuine program activity and that of malware.

Third classic HIPS products can be overwhelmed in an attack. While the user is drowning in warning messages the whole ship can sink.

Finally they are too noisy. To provide effective protection they end up generating too many warning messages and popups. This constant barrage of messages further confuses users.

To overcome these deficiencies security software developers have employed a variety of techniques.

White-listing and/or black-listing certain programs are two such techniques. This approach reduces the load on the user, cuts the number of false positives and reduces the overall volume of warnings. However, it necessarily requires some sort of signature detection in order to function. Thus the HIPS is no longer using behavior-based detection alone; it is also a de facto signature scanner.

Running new processes in a virtualized space is another approach. It effectively isolates malware in an attack and prevents the HIPS from being overwhelmed. However, the line between a HIPS and classic sandbox and virtualization products is then blurred.

This blurring and confusion between HIPS and other security products is clearly seen in all the products I tested. Although they are all notionally HIPS programs they are, in fact, as different as they are similar.

Does it matter? No, they are simply products that offer another layer of protection for your PC in concert with other security products such as anti-virus scanners.

And that folks is as close as I can get to a definition of this class of product.
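To make the two design points above concrete, here is an added Python sketch of a HIPS decision step. It is example code written for this page, not code from any product reviewed here, and the sample images, behaviour names and browser list are constructed stand-ins. A CRC32 white-list and black-list deal with known images silently, behaviour rules produce a specific warning a user can act on, and only an unknown image with nothing suspicious about it falls through to the classic "a new program is starting" prompt. Running the same events with and without the lists shows how much the lists cut the prompt count; the repacked copy of the known-bad image shows the flip side, which is that a single changed byte defeats the checksum lookup, leaving the behaviour rules to catch it.

```python
import zlib
from dataclasses import dataclass, field

# Constructed stand-ins for executable images (arbitrary bytes, not real programs).
TRUSTED_EXE = b"MZ\x90\x00 trusted editor build 1.0"
KNOWN_BAD_EXE = b"MZ\x90\x00 known keylogger sample"
REPACKED_BAD_EXE = KNOWN_BAD_EXE + b"\x01"   # same payload, one byte changed by a "packer"
UNKNOWN_GAME_EXE = b"MZ\x90\x00 freshly downloaded game"


def crc32(image: bytes) -> int:
    """Checksum used as the list lookup key (a CRC, not a cryptographic hash)."""
    return zlib.crc32(image) & 0xFFFFFFFF


WHITELIST = {crc32(TRUSTED_EXE)}
BLACKLIST = {crc32(KNOWN_BAD_EXE)}

# Observed behaviour -> the specific, actionable warning text shown to the user.
BEHAVIOUR_WARNINGS = {
    "keyboard_hook": "is installing a system-wide keyboard hook (keylogger behaviour)",
    "write_run_key": "is registering itself to run at every logon",
    "inject_remote_thread": "is injecting code into another running process",
    "terminate_security_tool": "is trying to terminate a security product",
}
BROWSERS = {"iexplore.exe", "firefox.exe"}   # a process spawned by these is worth a warning


@dataclass(frozen=True)
class ProcessEvent:
    name: str
    image: bytes
    parent: str
    behaviours: tuple = ()


@dataclass
class Verdict:
    action: str                  # "allow" | "block" | "warn" | "prompt"
    reasons: list = field(default_factory=list)


def decide(ev: ProcessEvent, use_lists: bool = True) -> Verdict:
    """Return the HIPS verdict for one process-start event."""
    key = crc32(ev.image)
    if use_lists and key in WHITELIST:
        return Verdict("allow", ["known-good image; runs without a prompt"])
    if use_lists and key in BLACKLIST:
        return Verdict("block", ["known-bad image; stopped silently"])
    # Not on either list: fall back to behaviour and launch context.
    reasons = [f"{ev.name} {BEHAVIOUR_WARNINGS[b]}"
               for b in ev.behaviours if b in BEHAVIOUR_WARNINGS]
    if ev.parent.lower() in BROWSERS:
        reasons.append(f"{ev.name} was started by the web browser {ev.parent}")
    if reasons:
        return Verdict("warn", reasons)            # specific warning: the user can judge it
    return Verdict("prompt", [f"{ev.name} is a new program trying to start"])  # classic prompt


# Constructed event stream: three starts of a trusted editor, the known keylogger, its
# repacked twin, an unknown game launched from Explorer, and an unknown binary launched by IE.
SAMPLE_EVENTS = [
    ProcessEvent("editor.exe", TRUSTED_EXE, "explorer.exe"),
    ProcessEvent("editor.exe", TRUSTED_EXE, "explorer.exe"),
    ProcessEvent("editor.exe", TRUSTED_EXE, "explorer.exe"),
    ProcessEvent("klog.exe", KNOWN_BAD_EXE, "explorer.exe", ("keyboard_hook", "write_run_key")),
    ProcessEvent("klog2.exe", REPACKED_BAD_EXE, "explorer.exe", ("keyboard_hook", "write_run_key")),
    ProcessEvent("game.exe", UNKNOWN_GAME_EXE, "explorer.exe"),
    ProcessEvent("update.exe", UNKNOWN_GAME_EXE, "iexplore.exe"),
]


def count_actions(events, use_lists: bool = True) -> dict:
    """Tally verdicts so the effect of the lists on prompt volume can be compared."""
    counts = {"allow": 0, "block": 0, "warn": 0, "prompt": 0}
    for ev in events:
        counts[decide(ev, use_lists).action] += 1
    return counts


if __name__ == "__main__":
    print("with lists:   ", count_actions(SAMPLE_EVENTS))
    print("without lists:", count_actions(SAMPLE_EVENTS, use_lists=False))
    for ev in SAMPLE_EVENTS:
        v = decide(ev)
        print(f"{ev.name:<12} {v.action:<7} {'; '.join(v.reasons)}")
```

With the lists on, the three trusted starts and the known-bad sample never reach the user at all, so the only generic prompt left is the unknown game; with the lists off, every one of the harmless editor starts becomes a prompt, which is the classic HIPS noise problem described above. Note that the repacked sample is not on the black-list by checksum, so it is the behaviour rules, not the list, that flag it.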

The Products Tested

There is no shortage of programs that describe themselves as HIPS or those that could be classified a HIPS. Here's a list of 28 products that I drew up for this review and I'm sure there are others I missed!

Ultimately I selected only six products for full review. The first five of these are new generation HIPS products that seemed to have addressed some of the classic HIPS problems. The sixth product, Process Guard, is an older product with a strong following and I wanted to see how it stood up against its more recent competition.

The products tested are listed below along with the vendor's description:

Blink: Free for personal use, Windows 2000 SP4 and later, 27.4 MB

"eEye Digital Security's Blink® Personal Edition combines intrusion prevention, application and network firewall, identity theft protection, and vulnerability assessment into a single, unified client security solution. With Blink, you are ensured both proactive and reactive protection against the broad methods of attack and compromise used by hackers to gain access to your system and personal data."

Cyberhawk: Free for personal use, Windows 2000, 4.67MB

"Traditional antivirus solutions cannot protect you until after they've discovered a new threat and produced a signature to counter it.

Cyberhawk is different. It does not rely on signatures, but instead constantly analyzes your computer's behavior to detect and block any malicious activity. Cyberhawk protects immediately so you know your PC and your valuable data is always secure."

DefenseWall: Shareware, $29, 30 day trial, Windows 2000 and later, 1.0MB

"DefenseWall HIPS (Host Intrusion Prevention System) is the simplest and easiest way to protect yourself from malicious software (spyware, adware, keyloggers, rootkits, etc.), that can not be stopped by your anti-virus and anti-spyware programs, when you surf the Internet! Using the next generation proactive protection technologies, sandboxing and virtualization, DefenseWall HIPS helps you achieve a maximum level of protection against malicious software, while not demanding any special knowledge or ongoing online signature updates. No signatures, no popup windows, no false positives. It is just reliable and transparent protection, easy to use and strong.

DefenseWall HIPS divides all applications into 'Trusted' and 'Untrusted' groups. Untrusted applications are launched with limited rights to modification of critical system parameters, and only in the virtual zone that is specially allocated for them, thus separating them from trusted applications. In the case of penetration by malicious software via one of the untrusted applications (web browsers etc), it cannot harm your system and may be closed with just one click! With DefenseWall HIPS, Internet surfing has never been so simple, safe and easy."

Online Armor: Shareware, $39.95, 30 day trial, Windows 98 and later, 5MB

"Online Armor protects you when you’re online, but it doesn’t do it by checking the names of bad guys off a list. Instead, it offers a number of different layers of protection, starting with only allowing programs to run that you give permission. So, if you go to a dangerous website, something won’t just start silently running.

With Online Armor’s execution protection:

* Safe programs are allowed without a prompt,
* Dangerous programs are stopped immediately, and
* Unknown programs – those that Online Armor does not recognise - are only allowed to run if you give permission."

Prevx1: Shareware, $21.95, unlimited usage for detection but you must buy the product for malware removal, Windows 2000 and later, 8.52MB

"Prevx1 is a very powerful PC security solution. It safeguards your PC and personal information from theft and attack by Spyware, Rootkits, Trojans, Viruses, Bots, Adware and all other forms of malware and crimeware.

Prevx uses automated malware research. This allows us to see more malware and see it faster. This means we can provide protection much faster and more comprehensively than other vendors."

ProcessGuard: Limited free version and full version, $29.95, Windows 2000 and later, 1.9MB

"DiamondCS ProcessGuard is a groundbreaking security system first released late in 2003 that protects Windows processes from attacks by other processes, services, drivers, and other forms of executing code on your system. ProcessGuard also stops applications from executing without the user's consent, stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. ProcessGuard even stops most keyloggers and leaktests, and is recognised by many to be the most comprehensive anti-rootkit solution available."

Methodology

All products were downloaded from the vendor's site and were the most recent versions available at the time of testing. Since testing, a new version (3.41) of Process Guard has become available.

All products were tested using an unpatched version of Windows XP SP2. This was run in a VMWare environment with the exception of DefenseWall which won't run in this environment. It was tested instead using a native XP SP2 system on a stand-alone test machine.

Each product was subjected to a series of 10 technical tests and five usage tests.

The technical tests were essentially a subset of the impressive array of tests developed by Kareldjag as part of their HIPS testing. I acknowledge the important contribution Kareldjag have made to security testing in developing this methodology.

While the technical tests are useful in determining the scope of a product's protection, the usage tests are probably more telling.

The five usage tests were:

1. A keylogger test involving the simulation of four different logging techniques plus the installation of four commercial keyloggers

2. Installation of the DFK security test program. This is a sophisticated blended threat simulation that disables defenses, bypasses firewalls and installs a cleverly disguised trojan, a virus and a keylogger, all masked with a rootkit.

3. Hostile browsing tests using three different drive-by download sites

4. A shoot-in-the-foot test involving the installation of an infected game, screensaver, keygen, crack and a search toolbar. All were obtained from currently operating web sites.

5. A rootkit installation test using Hacker Defender and FuTo.

Testing HIPS products presents some unique methodological problems. This is well illustrated in this extract from a phone conversation I had with a vendor whose product had failed to detect a spyware product embedded in a computer game.

Vendor: "I can't see how you could say it failed when the user was given warning when he tried to execute the program"

Gizmo: "Yes, but all the warning said was that a new program was starting. The user knew that; he was trying to run a game. There was nothing suspicious."

Vendor: "But he was warned and he could have stopped it"

Gizmo: "Well how would he know that? To him it was just a game"

Vendor: "He was warned. What more can I say?"

Gizmo (exasperated): "But it wasn't even a real warning, it just said a new program was trying to start. Of course it was - he was trying to run a game."

Vendor: "My product can't be expected to defend people who are too stupid to take notice of the warnings the software gives them"

I kid you not. Needless to say the conversation ended on less than friendly terms.

My position is simple. If the HIPS does not provide the user with enough information to make an informed decision in the context of what is happening then the HIPS has failed the test. So a warning that a program is trying to monitor your keyboard will normally count as a pass while a warning that simply says a program wants to start will normally count as a HIPS failure.

Context though, is very important. A warning that a program is trying to start must count as a pass if you are simply visiting a website. Similarly for a second program caught starting when running a keygen program. That's context and it can't be ignored.

I have no doubt that a number of security product vendors will disagree with my approach. Strangely enough I suspect they will be the same vendors whose products have performed poorly on my tests. Odd that :>)

Most users will however agree with me, particularly those who have used HIPS products and know the feeling of being bombarded with unhelpful warning messages.

Test Results Summary

These tables summarize my full test results that are documented in my lab notes. The lab notes for each product can be accessed by clicking on the product name in the summary tables below. Note that my lab notes are un-proofed working documents provided for documentation and are not product reviews.

Prevx1 and Process Guard were tested twice using different settings. Prevx1 was tested using the default "business" (AKA "123") setting and the "Expert" setting. Process Guard was tested using the default setting and, separately, with all four global protection settings enabled.

Many tests involved a series of subtests. In such cases, the summary tables show the number of subtests passed and the total number of subtests. Thus 2/5 means the product passed 2 out of 5 subtests. On some tests it would be wrong to treat these scores like fractions or a percentage grade. For example, scoring 3/4 on the termination test means that the product can be terminated and that it has failed the test. If in doubt, refer to the full lab notes for each product.

Technical Tests: Summary Table

Test columns:

1. Ghost Registry Protection Test
2. RegTick Registry Protection Test
3. Scoundrel Simulator Spyware Simulation Test
4. ZapAss Process Implant Injection Test
5. Trojan Simulator Test
6. Trojan Demo
7. System Crash Test
8. Raw Memory Access Test
9. Program Termination Test

Product                   1    2    3    4    5    6    7    8    9
Blink                     0/7  0/9  0/5  1/2  0/2  1/1  0/1  1/4  3/4
Cyberhawk                 5/7  4/9  0/5  2/2  2/2  0/1  0/1  1/4  2/4
DefenseWall               7/7  9/9  5/5  2/2  2/2  1/1  1/1  4/4  3/3
Online Armor (see note)   0/2  0/9  2/5  0/2  2/2  0/1  0/1  0/4  1/4
Prevx1 -123               1/7  0/9  0/5  0/2  0/2  0/1  0/1  0/4  3/4
Prevx1 -expert            5/7  2/9  4/5  0/2  2/2  1/1  0/1  1/4  3/4
Process Guard - default   2/8  0/9  0/5  0/2  1/2  0/1  0/1  0/4  2/4
Process Guard - full      2/8  0/9  0/5  0/2  1/2  1/1  0/1  0/4  2/4

Note: After these tests were conducted the developer of Online Armor contacted me to ask for more information on the tests which that product failed. This information was used to improve the product. These enhancements are incorporated in version 2 of Online Armor.
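The scoring caveat stated above is easy to get wrong when tabulating results, so here is an added Python example (written for this page, not the reviewer's own tooling) that parses the technical rows exactly as printed and applies the page's rule: full marks pass, a partial score counts only as a partial pass on ordinary tests, and on the termination test anything short of full marks is a fail, because one working kill method is enough to disable the product. The short column names and the "partial" label are mine; a naive pooled subtest ratio is computed alongside only to show how misleading it would be on its own.

```python
import re
from fractions import Fraction

# The nine technical-test columns, in table order (short names; the page gives the full titles).
TECHNICAL_TESTS = [
    "Ghost Registry", "RegTick Registry", "Scoundrel Simulator", "ZapAss Injection",
    "Trojan Simulator", "Trojan Demo", "System Crash", "Raw Memory Access", "Program Termination",
]

# Tests where any score short of full marks is a failure.
ALL_OR_NOTHING = {"Program Termination"}

# Rows copied from the technical summary table on this page (Online Armor's annotation dropped).
TECHNICAL_ROWS = """\
Blink 0/7 0/9 0/5 1/2 0/2 1/1 0/1 1/4 3/4
Cyberhawk 5/7 4/9 0/5 2/2 2/2 0/1 0/1 1/4 2/4
DefenseWall 7/7 9/9 5/5 2/2 2/2 1/1 1/1 4/4 3/3
Online Armor 0/2 0/9 2/5 0/2 2/2 0/1 0/1 0/4 1/4
Prevx1 -123 1/7 0/9 0/5 0/2 0/2 0/1 0/1 0/4 3/4
Prevx1 -expert 5/7 2/9 4/5 0/2 2/2 1/1 0/1 1/4 3/4
Process Guard - default 2/8 0/9 0/5 0/2 1/2 0/1 0/1 0/4 2/4
Process Guard - full 2/8 0/9 0/5 0/2 1/2 1/1 0/1 0/4 2/4
"""

SCORE = re.compile(r"(\d+)/(\d+)")


def parse_rows(text: str, tests: list) -> dict:
    """Map each product to {test: (passed, total)}; the name is whatever precedes the first score."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        scores = [(int(p), int(t)) for p, t in SCORE.findall(line)]
        if len(scores) != len(tests):
            raise ValueError(f"expected {len(tests)} scores, got {len(scores)}: {line!r}")
        product = SCORE.split(line, maxsplit=1)[0].strip()
        table[product] = dict(zip(tests, scores))
    return table


def score_verdict(test: str, score: tuple) -> str:
    """Full marks pass; zero fails; a partial score is a partial pass unless the test is all-or-nothing."""
    got, total = score
    if got == total:
        return "pass"
    if got == 0 or test in ALL_OR_NOTHING:
        return "fail"
    return "partial"


def summarise(table: dict) -> dict:
    """Per product: outright passes, failures, the naive pooled ratio, and the termination flag."""
    out = {}
    for product, scores in table.items():
        verdicts = {test: score_verdict(test, score) for test, score in scores.items()}
        got_all = sum(g for g, _ in scores.values())
        total_all = sum(t for _, t in scores.values())
        out[product] = {
            "passed": sum(v == "pass" for v in verdicts.values()),
            "failed": sum(v == "fail" for v in verdicts.values()),
            "naive_ratio": Fraction(got_all, total_all),
            "terminable": verdicts["Program Termination"] != "pass",
        }
    return out


def terminable_products(summary: dict) -> list:
    """Products that can be killed by at least one of the termination methods tried."""
    return sorted(p for p, s in summary.items() if s["terminable"])


SUMMARY = summarise(parse_rows(TECHNICAL_ROWS, TECHNICAL_TESTS))

if __name__ == "__main__":
    for product, s in SUMMARY.items():
        print(f"{product:<24} passed {s['passed']}/9  failed {s['failed']}/9  "
              f"naive {float(s['naive_ratio']):.0%}  terminable={s['terminable']}")
    print("terminable:", terminable_products(SUMMARY))
```

The output makes the point of the caveat: Blink's 3/4 on termination looks like 75% but is a fail, and seven of the eight configurations end up flagged as terminable, with DefenseWall the only one that is not.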

Comments:

Only one product put in a perfect performance and that was DefenseWall. Partly this is a reflection of the fact that it is the only product in this group based on sandboxing technology, which is capable of more complete isolation than behavior-based products. That, however, does not diminish DefenseWall's impressive results.

Also impressive was Cyberhawk. For a free product that is in beta testing, it impressed me greatly. Yes there is room for improvement but hey, that's what a beta is for.

The results for Prevx1 were most interesting. In its default "123" mode its HIPS functions are disabled. It is really operating as a kind of CRC-based signature scanner using a centralized database. When used in the "expert" mode the HIPS kicks in and the difference in performance can be clearly seen from the table. However, this comes at the cost of a much higher level of intrusiveness. Undoubtedly this is why the HIPS is turned off in the default setting.

Every product except DefenseWall failed the termination test. This is very disappointing and needs to be addressed by vendors. This is particularly so with Process Guard, a product intended to protect other processes.

Usage Tests: Summary Table

Test columns:

1. Keylogger Detection Test
2. DFK Blended Threat Test
3. Hostile Website Browsing Test
4. Shoot-in-the-foot Test
5. Rootkit Detection Test

Product                   1     2    3    4    5
Blink                     1/8   0/1  3/3  5/5  1/2
Cyberhawk                 8/8   0/1  3/3  4/5  1/1
DefenseWall               5/8*  1/1  3/3  5/5  2/2
Online Armor              0/8   0/1  2/3  3/5  0/2
Prevx1 -123               5/8   1/1  3/3  3/5  2/2
Prevx1 -expert            5/8   1/1  3/3  4/5  2/2
Process Guard - default   1/8   0/1  3/3  2/5  1/2
Process Guard - full      5/8   0/1  3/3  3/5  2/2

* updated

Comments:

Again DefenseWall blitzed the field. However on these tests its score was less than perfect; it flunked three out of the eight keylogging tests. In every other respect its performance was impeccable.

Prevx1 and Cyberhawk also impressed. Both put in a strong performance across the board. Indeed, Cyberhawk was the only product to get a perfect score on the keylogger tests and it came in second after DefenseWall on the shoot-in-the-foot tests, an impressive effort.

Process Guard did quite well when used with all global protection options enabled. However, in this mode it is quite intrusive and can interfere with the operation of some other programs.

Online Armor flunked all the keylogger tests and missed the rootkits, a disappointing result.

With the exception of Online Armor all products provided 100% protection against the three drive-by websites used in the tests, a comforting result. That's what these HIPS products promise to provide and with that one exception, they all delivered.

Conclusions

All five of the new generation HIPS tested delivered on the promise of providing additional protection without inundating users with meaningless warning messages.

They achieved this using very different techniques. Indeed the products tested were as different as they were similar, yet they all performed well.

Of the products tested DefenseWall was the outstanding performer with near perfect test results across the board. Additionally, it is small and consumes few computer resources.

Its exemplary performance can be attributed in part to the fact that this was the only sandbox-based HIPS product in this series of reviews.

Sandboxing is a technique that offers great advantages and some serious disadvantages. Prominent among the latter is the requirement for the user to operate in a kind of dual world: the world of things in the sandbox and those outside. This requires a certain discipline from the user, a discipline that not all users are capable of giving or maintaining. For those that can, DefenseWall will provide outstanding security. Don't expect much from the product's documentation though; there's little of it.

Also impressive was Cyberhawk. Although nowhere near as watertight as DefenseWall, it detected most of the malware I threw at it. It was also a very unintrusive product. In normal use it gave hardly any indication of its presence, but when it did flash a warning it was usually serious and needed to be heeded.

I've seen enough to convince me that Cyberhawk provides a useful additional layer of protection and is a perfect companion for a good signature based security product. The fact that it's free will provide an additional attraction to many users.

Prevx is impressive in a different way. While Cyberhawk was quiet to the point that you wondered if it was working, Prevx's presence is constantly felt. However it is a presence that was comforting rather than intrusive. It regularly flashes informative messages that it is checking this or checking that without these messages getting in your way. I really liked this aspect of the product. By contrast, Cyberhawk's total quietness made me feel almost uncomfortable. A delicious irony.

Prevx's protection is good too and broadly similar to Cyberhawk and can be increased further by turning on its classic HIPS capability. You will however pay for this increase in detection through constant warning notices. To many users this will be a Faustian bargain.

Overall I liked Prevx a lot and can again recommend it for use with a good signature scanner as an additional layer of protection. I do wonder though about its vulnerability to malware that dynamically changes its signature using techniques such as packing and PE encryption. Any system that uses a CRC style of checking will have problems coping with such products.

So in conclusion, all these HIPS products can provide additional protection for your PC. Unanswered in these reviews is the question of how much improvement they offer over that provided by conventional signature scanners and firewalls.

That's a question I intend to address in my next series of reviews.

Gizmo, November 2006.

Ian "Gizmo" Richards
Editor
Support Alert Newsletter
http://www.techsupportalert.com

 

More Security Tests Coming

I'll be presenting the results of my next series of tests in Support Alert Newsletter. If you want to receive these results as they are published, you may wish to subscribe. It's free.


Copyright © techsupportalert.com 2006