Lestari Perdana

A starting point…

Free host intrusion prevention for Windows — November 3rd, 2006 Posted by Derrick Webber

A very good article and link

http://advosys.ca/viewpoints/2006/11/free-host-intrusion-prevention/ 

“Host intrusion prevention” (HIP) software tries to stop malicious software either by recognizing patterns of malicious activity, or by blocking access to critical system areas. When properly implemented, HIP is very effective at stopping new (“zero day”) attacks that anti-virus (AV) software is largely incapable of preventing.

People seem to have a hard time understanding the difference between HIP and anti-virus, so let’s put it in overly simplistic terms:

  • Anti-virus software: identifies malicious code by what it looks like.
  • Host intrusion prevention software: identifies malicious code by what it does.

AV software identifies malware by matching sequences of bytes in a file with a list of known malware (yes there’s more to it than that, but that’s the basic idea). HIP on the other hand tries to stop malicious actions as they are attempted. This is done in two ways:

  1. Access controls: by checking the actions of each application against a list of allowed actions (e.g. A web browser is allowed to save files, but not access the system registry)
  2. Behavior: by monitoring sequences of actions (e.g. An email message is opened then MS Outlook suddenly starts sending attachments to everyone in your address book)

Most HIP products use a combination of both approaches though some are purely behavior-based. By controlling and identifying actions, HIP software is far more effective than anti-virus. For anti-virus to identify and stop malicious actions, all of the following must occur:

  1. The malicious code must have been captured by the AV vendor (vendors discover new malware in a variety of ways, such as by using “bait” machines (honeypots) on the Internet that pose as vulnerable Windows machines)
  2. The AV vendor must have decided the malware is widespread enough to bother with (AV vendors focus on widespread, public malware)
  3. The AV vendors must have analyzed the code and found a sequence of bytes that uniquely identify that code.
  4. The byte sequence must have been added to the daily/weekly AV database update.
  5. Your organization must have downloaded the update and distributed it to all computers.

Twenty years ago when the pattern-based anti-virus approach was first conceived, that approach worked well. Back then malware spread via floppy disk. AV companies had ample time to collect samples, identify unique patterns, and distribute updates to customers.

Now however, malware is developed and spread much faster than AV patterns can be implemented. Also, the public mass destruction malware that AV vendors focus on is being supplanted by smaller targeted malware written for financial gain. Most malware is now being written to wipe out bank accounts, not hard drives. Targets are small, like the customers of one little online bank, and distribution is swift: victims are usually fleeced long before any AV vendor can respond.

Some HIP products also use patterns that must be downloaded once in a while. However, these are patterns of suspicious actions or lists of system areas to protect… not patterns of bytes in a file. HIP products that use downloadable patterns require updates infrequently, like once per quarter.

Are you HIP?

There is a wide variety of HIP software available, each having different capabilities. There’s no universal agreement on exactly what functions HIP software should perform (other than stop malicious actions without relying on file patterns) but at a minimum, all HIP should be able to control access to the following areas:

  • File system (including modification of EXEs and shared libraries)
  • Windows registry
  • System memory
  • Running processes (including system services, spawning of sub-processes and code injection)

Better HIP software will also be able to control access to the following:

  • Windows message passing (e.g. “shatter” attacks)
  • COM and OLE
  • Network access (binding to a port, sending outbound traffic etc.)

Another criterion for HIP is that it must control access to system resources per application. Resources that MS Internet Explorer can access can be different from those of MS Outlook. High-end HIP software like Cisco Security Agent allows administrators to specify precisely what resources each application can access. Other HIP products use vendor-defined databases or restrict all applications the same until placed on a trusted list.

What’s available

There are many good commercial HIP products available (McAfee bought Entercept, Cisco bought Okena), but these are aimed at the enterprise market. They require centralized servers and a significant investment in knowledge, time and capital.

Fortunately for smaller users there are quite a few free and free-for-personal-use HIP products available. Here are a few that we’ve found:

GentleSecurity GeSWall: A comprehensive HIP with both generic protection and rules for enforcing resource access for specific applications (e.g. MS Internet Explorer). Desktop version free for personal use.

eEye Blink: Very comprehensive. Free for personal use version monitors applications, registry, memory, and provides a personal firewall (apparently with network intrusion prevention abilities).

PrevX Prevx1: More of an EXE monitor than a HIP: it maintains a shared list of known executables and blocks known “bad” ones. According to comments from PrevX, it also provides “generic keylogger, rootkit and buffer overflow protection”. The literature is unclear but it seems that once an application is allowed to execute it is able to access any system resource, rather than just resources it “should” access.

PrivacyWare DSA: Monitors applications, registry, email, services and network. Free for personal and non-commercial use.

Novatix Cyberhawk: The vendor provides no details on which resources it protects, but this appears to be a purely behavior based HIP especially for non-technical users.

CoreImpact COREFORCE: Free for personal and commercial use. Includes a stateful firewall derived from the OpenBSD pf packet filter. Filesystem, network, registry, program integrity. Seems to use a community developed database of specific rules for each application (Firefox, etc).

Arovax Shield: A basic registry monitor. Apparently only monitors and prevents certain registry changes so only performs a small part of what a full HIP system should do. It can also prevent changes to the system’s hosts file and creation of http cookies in Internet Explorer.

Not ready for prime time:

In addition to the above, there are many up-and-comers that are promising but, in my opinion, aren’t yet mature enough for daily use:

winpooch: Open source. Still in beta. Monitors access to critical files only. One interesting feature is that winpooch can integrate with ClamWin to scan files on access, a feature ClamWin desperately needs.

Neoava Guard: A promising but still in beta HIP by a single developer. Can monitor disk, memory, some network access, prompts when unknown EXEs are run, has activity thresholds to detect worm-like behavior and more features being added.

System Safety: Limited trial and freeware version. EXE control (run or block, permit spawning) and registry access control.

Not listed:

I haven’t listed single product protectors (e.g. IE specific), personal firewalls that control only network access, simple file / registry monitors, address space randomizers and the like. A HIP must be able to monitor any application and control access to at least a couple of the resources listed above.

Do you need HIP?

If you have host intrusion prevention installed, do you still need anti-virus? Well, why not… anti-virus is still useful to catch the older malware still in circulation. Both technologies can usually be used without conflict.

Using both HIP and AV provides multiple layers of defense (“defense in depth”) which is always a good practice. A Windows system armored by AV, HIP, a personal firewall and not running as Administrator makes a formidable target for malicious software.

December 29, 2007 Posted by Lestari | HIPS, Security | No Comments Yet
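The two HIP mechanisms the quoted Advosys article describes, per-application access controls over file system, registry, process and network resources, plus behavior monitoring for worm-like activity, as an added example. This is not code from the article or from any product it lists; it is a toy policy engine run over a constructed event stream. The process names, paths, registry keys, the mail server, the connection threshold and the timeline are all assumptions made for illustration.

```python
"""Toy host intrusion prevention policy engine.

Added example, not code from the Advosys article or any product it lists.
Process names, paths, registry keys, thresholds and the event stream below
are all constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    t: float        # seconds since boot (constructed timeline)
    process: str    # image name of the acting process
    action: str     # file_write | registry_write | code_inject | network_send
    target: str     # file path, registry key, victim process, or tcp:host:port


def matches(value: str, patterns) -> bool:
    """Case-insensitive glob match, since Windows paths and keys ignore case."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


# 1. Access controls: what each application is allowed to do.  Anything not
# listed is denied, and a process with no policy at all is denied outright.
POLICY = {
    "iexplore.exe": [
        ("file_write", r"C:\Users\*\Downloads\*"),
        ("registry_write", r"HKCU\Software\Microsoft\Internet Explorer\*"),
        ("network_send", "tcp:*:80"),
        ("network_send", "tcp:*:443"),
    ],
    "outlook.exe": [
        ("file_write", r"C:\Users\*\Documents\*"),
        ("registry_write", r"HKCU\Software\Microsoft\Office\*"),
        ("network_send", "tcp:mail.example.com:25"),   # assumed mail relay
    ],
}

# Resource areas guarded for every process regardless of its own policy:
# program files and shared libraries in system directories, and autorun keys.
PROTECTED_FILES = [r"C:\Windows\*", r"C:\Program Files\*"]
PROTECTED_KEYS = [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run*"]


def check_access(ev: Event) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one event from the per-app policy."""
    rules = POLICY.get(ev.process)
    if rules is None:
        return "deny", "no policy for this process"
    if ev.action == "code_inject":
        return "deny", "code injection into another process"
    if ev.action == "file_write" and matches(ev.target, PROTECTED_FILES):
        return "deny", "write to protected system file"
    if ev.action == "registry_write" and matches(ev.target, PROTECTED_KEYS):
        return "deny", "write to autorun key"
    if any(ev.action == a and matches(ev.target, [pat]) for a, pat in rules):
        return "allow", "permitted by policy"
    return "deny", "not in the application's allow-list"


class BehaviorMonitor:
    """2. Behavior: block a process whose outbound connections burst (worm-like),
    even though each individual connection is permitted by its policy."""

    def __init__(self, threshold: int = 5, window: float = 10.0):
        self.threshold, self.window = threshold, window
        self.sends = defaultdict(deque)      # process -> timestamps of sends

    def observe(self, ev: Event) -> str | None:
        if ev.action != "network_send":
            return None
        q = self.sends[ev.process]
        q.append(ev.t)
        while q and ev.t - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) > self.threshold:
            return f"{len(q)} outbound connections in {self.window:g}s"
        return None


def enforce(events, monitor: BehaviorMonitor | None = None):
    """Run every event through access control, then behavior monitoring."""
    monitor = monitor or BehaviorMonitor()
    log = []
    for ev in events:
        decision, reason = check_access(ev)
        if decision == "allow":
            alert = monitor.observe(ev)
            if alert:
                decision, reason = "block", alert
        log.append((ev, decision, reason))
    return log


# Constructed event stream: a browser doing normal work and then trying to
# persist, an unknown dropper, and a mail client that starts mass-mailing.
EVENTS = [
    Event(1.0, "iexplore.exe", "file_write", r"C:\Users\Alice\Downloads\report.pdf"),
    Event(2.0, "iexplore.exe", "registry_write",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(3.0, "iexplore.exe", "file_write", r"C:\Windows\System32\wininet.dll"),
    Event(4.0, "invoice.pdf.exe", "file_write", r"C:\Users\Alice\AppData\Roaming\svc.exe"),
    Event(5.0, "outlook.exe", "code_inject", "explorer.exe"),
] + [Event(100.0 + i, "outlook.exe", "network_send", "tcp:mail.example.com:25")
     for i in range(7)]

if __name__ == "__main__":
    for ev, decision, reason in enforce(EVENTS):
        print(f"{ev.t:6.1f} {ev.process:16} {ev.action:15} {decision:5} {reason}")
```

The first five Outlook connections are allowed because each one matches the policy; the sixth and seventh are blocked only because the behavior monitor sees the burst. That is the distinction the article draws: the access-control half answers "may this program touch this resource at all", the behavior half answers "is this pattern of otherwise-permitted actions suspicious". A real product also has to decide what to do with a process that has no policy (deny, prompt the user, or fall back to a vendor database), which is exactly where the listed products differ.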

Host IPS for Desktop

Wondering what HIPS solutions are available for a personal desktop, I googled it and found that some of them are quite interesting.

http://www.gentlesecurity.com/index.html 

GentleSecurityWall ensures safe use of internet and network services. It enforces a mandatory access control policy, which maintains the confidentiality of your data and prevents damage from intrusions and malicious software: viruses, worms, spyware, key loggers etc.

Underlying technology bridges strong GeSWall security with great usability. Being non-intrusive for the user, GeSWall requires no or minimal configuration and enforces protection once installed.

>> Well, it doesn’t seem to run on Win 98

http://www.syssafety.com/ 

System Safety Monitor (SSM) is a Host Based Intrusion Prevention System which will protect your system from all known and unknown malware, rootkits and “zero-day” attacks. SSM proactively keeps track of all running programs’ behavior and blocks malicious or suspicious actions.
Learning mode will help you to easily configure the required security rules.
Compatible with most well known security software. 100% freeware.
Working at the Windows kernel level, SSM monitors in real time:
* Malware and Rootkit Installation
* Driver Loading
* Program Execution
* NT Services Installation and State Change
* Program State and Memory Modification
* Thread and Process Suspension and Termination
* Direct Physical Memory Access
* Global Hook Installation
* System Registry Modification
* Window Opening
* IE Settings Change
* Startup Menu Modification

>> Well, it claims that it could run on Win 98, however…

http://www.malwareguard.com/malware.html

Malware Guard gives you the most advanced spyware detection, blocking and removing threats as you browse.

http://www.threatfire.com/ 

ThreatFire uses advanced patent-pending technology to detect signs of malicious behavior commonly used by malware threats. ThreatFire is unlike traditional antivirus products that rely on old fashioned “signature” technology and require updating every time a new threat occurs.

By constantly monitoring the activity on your PC ThreatFire’s ActiveDefense technology is able to hunt down and paralyze threats that are too new or too clever to be recognized by traditional security software.

ThreatFire employs an intelligent behavioral engine to only alert you on truly malicious behavior, because sometimes even legitimate software may look malicious. This means you are only alerted when you really need to be.

http://www.comodo.com/index.html 

But if permissible, I think I would prefer Comodo, which comes with a FREE firewall, anti-malware and antivirus.

December 29, 2007 Posted by Lestari | HIPS, Security | No Comments Yet