Review of the proactive protection program DefenseWall HIPS. Assigning installer privileges through Auto-Containment alerts. Automatic creation of HIPS rules in "Training Mode" and in "Safe Mode"

General

When the HIPS component is enabled, program activity is restricted according to the rules. Situations not covered by a rule are allowed or not depending on the HIPS mode, the program's rating and other conditions.

Normally, Safe Mode allows trusted programs any activity that is not prohibited by the rules, except for launching unidentified files. Launching unidentified programs, as well as any action of such programs, is stopped with alerts.

Paranoid Mode stops any activity of any program that is not provided for by the rules.

In Training Mode, whenever activity not provided for by the rules occurs, new allowing rules are created automatically.

Rules are presented on the HIPS → HIPS Rules tab as a list of applications and the rule sets assigned to them.

An application in a rule can be an exact file path, a path pattern with the * and ? wildcards, or a file group. In paths and their patterns, can be used. File groups are sets of paths or patterns; they are configured on the File Rating → File Groups tab. I emphasize that applications in HIPS rules are identified only by their paths, not by hash etc.

The set of rules assigned to an application consists of two tabs: "Access Rights" and "Protection Settings". The first covers the rights of the application itself; the second, conversely, its protection from other programs. An application may have either its own set of rules or one of the predefined sets, which are configured on the HIPS → Rule Sets tab.

The predefined "Windows System Application" rule set allows any activity; the "Allowed Application" set allows any activity but does not regulate the launch of child processes; the "Isolated Application" set strictly prohibits any activity; the "Limited Application" set prohibits almost everything except window messages and access to the monitor, and does not regulate the launch of child processes. You can not only create your own sets but also modify the predefined ones.

Starting from CIS version 10.0.1.6223, the "Isolated Application" HIPS rule set was renamed to "Application running in a container". In my opinion this is a mistranslation of the name "Contained Application", since in reality this HIPS rule set has no relation to the container (virtual environment). To avoid confusion, I recommend renaming this set back to "Isolated Application", and that is what it will be called in this article.

A special case is the "Installation or Update" rule set: it grants applications installer privileges. Programs with such privileges freely perform any actions (except those explicitly prohibited by rules), including launching any programs, and their child processes also receive installer privileges. Executable files created by such programs automatically become trusted.

The different initial configurations of Comodo Internet Security differ in their initial set of rules and in the range of programs they control. For the most complete HIPS protection, you must first select the Proactive Security configuration and then maintain it going forward.

When restricting program access to various resources, HIPS relies on the data in the HIPS → Protected Objects section. For example, a file or directory can be protected from modification only if its full name matches one of the patterns on the Protected Files tab. So, if you want to prohibit any program from changing files on drive D: (regardless of their type), you must first add this drive to the protected list.

Then, when creating specific rules, you can vary the restrictions on access to particular protected objects by clicking "Change" in the "Exceptions" column.

It is most appropriate to use HIPS in Safe Mode with the option "Create rules for safe applications" disabled, or in Paranoid Mode. Then the procedure for determining a program's access to a resource is as follows:

As you can see, in HIPS the "Ask" action expresses the absence of a rule (in contrast to the firewall, where it prescribes showing an alert).

So, the highest priority goes to the "Allowed" tab of the topmost rule matching this program; then its "Blocked" tab; then the action specified in this rule, if it is definite; then the "Allowed" tab of the next matching rule, and so on. In the absence of an unambiguous rule, access is allowed if (i) the program has installer privileges, or (ii) the program is trusted and the HIPS mode is Safe Mode, or (iii) the option "Do not show alerts: Allow requests" is enabled. When none of these conditions holds, access is blocked if the option "Do not show alerts: Block requests" is enabled, or an alert is shown if that option is disabled.

A special case: if the program runs in a virtual environment and/or under Auto-Containment restrictions, then in the absence of a rule it is granted permission (as with the "Do not show alerts: Allow requests" option). In addition, in the virtual environment there is no protection of files and the registry, even with explicitly specified prohibitions.

Managing program rights through alerts

When answering HIPS alerts, rules are assigned to applications, temporarily or permanently depending on the "Remember My Choice" option.

An important point: rules are assigned to the application shown on the left side of the alert. For example, if the alert asks about Explorer launching an unknown program, the rules will be assigned to Explorer. Typical newbie errors: choosing "Block and terminate execution" in such an alert (thus killing the Explorer process), or "Isolated Application" (rigidly restricting Explorer's rights), or "Installation or Update" (thereby losing almost all protection). Usually the most reasonable choice in a program launch alert is "Allow" or "Block only".

The "Allow" and "Block only" options in the various HIPS alerts mean permission or prohibition only with respect to one particular resource. For example, if you allow an application to create the file C:\Test\a.exe, an attempt to create the file C:\Test\b.exe will again produce an alert. To allow the application to create any files in the C:\Test directory, you have to edit the rule via the CIS settings window. Unfortunately, alerts do not provide permissions for directories, patterns, groups, etc. However, through an alert you can apply to the application any rule set predefined on the HIPS → Rule Sets tab.

If the "Remember My Choice" option is enabled when answering an alert, the rule set assigned to the specified application will change; if there are no HIPS rules for this application, they will be created at the top of the list. When choosing "Allow" or "Block only", a permission or prohibition for exactly the specific resource (file, COM interface, etc.) is added to the rules. When choosing any rule set, the new rules are not added to the old ones but replace them completely, i.e. the rules previously assigned to this application stop acting.

If the "Remember My Choice" option is disabled, the permissions, prohibitions or rule sets assigned to the application stop acting when this application exits, or even earlier, and no changes are made to the CIS configuration. To understand the logic of these temporary rules, it is convenient to imagine that each answer to an alert (without remembering) creates an "imaginary" entry in the list of HIPS rules. All "imaginary" entries are located below the "real" entries, but a new "imaginary" entry goes above the other "imaginary" ones. This means that the same application can be assigned several different rule sets through alerts (without remembering), and all these rule sets will act. At the same time, the highest priority goes to the "real" rules, then to the newest of the "imaginary" ones, then to earlier ones, and so on. But as soon as any "real" rule (with remembering) is created, all "imaginary" rules for all applications are destroyed.

For example, having received an alert about some program, we assign it the "Isolated Application" rule set without remembering. By default the "All Applications" group is allowed to modify temporary files, so this program can still do so, despite the "Isolated Application" set prohibiting it. If you assign this rule set with remembering, modifying temporary files will be prohibited, since the new HIPS rule will be created at the top of the list.

Some exceptions to the described behaviour have been noticed when the "Remember My Choice" option is disabled. First, "imaginary" permissions are not created for launching applications (i.e. when you launch the same application again, an alert will arise again). Second, if a program is allowed via an alert to "Modify the user interface of another application", it will temporarily be able to send window messages to any applications, not only the specified one.
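The decision procedure above, together with the "real" versus "imaginary" rule ordering, is easy to get wrong when reasoning about an alert answer, so here is a small model of it in Python. This is an added illustration, not Comodo's code: the Rule class, decide_access, HipsRules and the sample rules (an "All Applications" entry allowing temporary files, and an unknown program at a constructed path) are my assumptions about the behaviour the article describes.

```python
"""Toy model of the HIPS access decision described above.

Added example, not Comodo's code: the Rule class, decide_access, HipsRules and
the sample rules are assumptions about the behaviour the article describes.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch


def _match(pattern: str, value: str) -> bool:
    # CIS paths are case-insensitive; * and ? are the only wildcards.
    return fnmatch(value.lower(), pattern.lower())


@dataclass
class Rule:
    app: str                                   # application path or pattern
    allowed: set = field(default_factory=set)  # resource patterns on the "Allowed" tab
    blocked: set = field(default_factory=set)  # resource patterns on the "Blocked" tab
    action: str = "ask"                        # "allow", "block" or "ask" (= no rule)


def decide_access(program, resource, rules, *, mode="safe", trusted=False,
                  installer=False, no_alerts=None):
    """Return "allow", "block" or "alert" for one program/resource pair.

    rules is ordered by priority: configured ("real") rules first, top of the
    list first, followed by temporary ("imaginary") ones, newest first.
    no_alerts is None, "allow" or "block" (the "Do not show alerts" option).
    """
    for rule in rules:
        if not _match(rule.app, program):
            continue
        if any(_match(p, resource) for p in rule.allowed):   # "Allowed" tab wins
            return "allow"
        if any(_match(p, resource) for p in rule.blocked):   # then the "Blocked" tab
            return "block"
        if rule.action != "ask":                             # then a definite action
            return rule.action
        # "ask" means no rule here: continue with the next matching entry
    if installer or (trusted and mode == "safe") or no_alerts == "allow":
        return "allow"
    return "block" if no_alerts == "block" else "alert"


class HipsRules:
    """The rule list with its real and temporary ("imaginary") entries."""

    def __init__(self, real):
        self.real = list(real)   # configured rules, top of the list first
        self.imaginary = []      # alert answers given without "Remember My Choice"

    def answer_alert(self, rule, remember):
        if remember:
            self.real.insert(0, rule)   # a new real rule goes to the top of the list...
            self.imaginary.clear()      # ...and destroys every temporary rule
        else:
            self.imaginary.insert(0, rule)  # the newest temporary rule outranks older ones

    def ordered(self):
        return self.real + self.imaginary


# Constructed defaults: "All Applications" may modify temporary files.
ALL_APPS = Rule(app="*", allowed={"*\\Temp\\*"})
PROGRAM = "C:\\Downloads\\unknown.exe"          # constructed path of the alerted program
TEMP_FILE = "C:\\Users\\Name\\AppData\\Local\\Temp\\x.tmp"
ISOLATED = Rule(app=PROGRAM, action="block")    # "Isolated Application": everything prohibited


def isolated_example(remember: bool) -> str:
    """The worked example from the text: assign "Isolated Application" via an alert."""
    rules = HipsRules([ALL_APPS])
    rules.answer_alert(ISOLATED, remember)
    return decide_access(PROGRAM, TEMP_FILE, rules.ordered())


if __name__ == "__main__":
    print("without remembering:", isolated_example(False))  # allow
    print("with remembering:   ", isolated_example(True))   # block
```

Without remembering, the temporary "Isolated Application" entry sits below the "All Applications" entry, so the temp-file permission still wins; with remembering, the new real rule lands at the top and the same access is blocked.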

Monitoring program launches

The ability to launch a program is set in the HIPS rules of the launching program, not of the launched one. In Paranoid Mode, launching a program is permitted only if there is an explicit permission in the rules. In Safe Mode, in the absence of a launch rule, the launch is allowed if the launched program is trusted. Exceptions: programs running with installer privileges, as well as under virtualization and/or Auto-Containment restrictions.

So, suppose that in HIPS Safe Mode the program Parent.exe is running and tries to launch Child.exe. In the absence of additional rules, the launch will proceed silently only if both programs are trusted. If Child.exe is unidentified, and the HIPS rules for Parent.exe (or a group containing it) contain no permission to launch Child.exe (or a group containing it), then regardless of the HIPS rules for Child.exe itself and regardless of the rating of Parent.exe, an alert will arise before the launch (and it will concern Parent.exe).

Thus, to allow an unidentified program to run, it is not enough to set allowing rules for the program itself: a permission to launch it is required in the rules of its parent process, or alternatively of the "All Applications" group.

If you want to stop a program launch, then, having received an alert about the parent process, you should usually disable the remember option and select Block → Block only. Attention! The "Block and terminate execution" item in a program launch alert means terminating the parent process.

The ability to launch a program is determined not only by HIPS rules but also by Auto-Containment rules. The launch is blocked if at least one of these components requires it. If the launch is allowed in the HIPS rules, and the Auto-Containment rules prescribe isolating this program, it starts isolated.

It is important to know that, unlike Auto-Containment, in HIPS a child process does not inherit the parent's restrictions: if you allow a dubious program to launch a safe one, damage may be done on behalf of the safe program.
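The Parent.exe / Child.exe scenario above, with the HIPS and Auto-Containment verdicts combined as this section describes, as an added Python model (not Comodo's code). The function names, the tuple formats of the rules and the constructed paths are my assumptions; the logic follows the text: only the parent's launch rules matter, installer privileges or containment of the parent let the launch through, and a launch that HIPS allows is still isolated when an Auto-Containment rule says so.

```python
"""Toy model of a program launch decision under HIPS and Auto-Containment.

Added example, not Comodo's code; the function names, the rule formats and
the sample paths are assumptions.
"""
from fnmatch import fnmatch


def _match(pattern: str, path: str) -> bool:
    return fnmatch(path.lower(), pattern.lower())   # CIS paths are case-insensitive


def hips_launch(parent, child, launch_rules, *, mode="safe", child_trusted=False,
                parent_installer=False, parent_contained=False):
    """HIPS part of the decision: "allow", "block" or "alert".

    launch_rules: (parent_pattern, child_pattern, verdict) tuples taken from the
    "Run an executable" section of the *parent's* rules, top of the list first.
    The child's own HIPS rules play no part, exactly as the text says.
    """
    for parent_pat, child_pat, verdict in launch_rules:
        if _match(parent_pat, parent) and _match(child_pat, child):
            return verdict
    if parent_installer or parent_contained:     # installer privileges / containment
        return "allow"
    if mode == "safe" and child_trusted:         # Safe Mode: a trusted child starts silently
        return "allow"
    return "alert"   # Paranoid Mode, or unidentified child; the alert concerns the parent


def containment_action(child, containment_rules):
    """First matching Auto-Containment rule: "ignore", "run virtually",
    "run restricted" or "block"; no rule means the launch is left alone."""
    for child_pat, action in containment_rules:
        if _match(child_pat, child):
            return action
    return "ignore"


def launch_decision(parent, child, launch_rules, containment_rules, **hips_kw):
    """Combined verdict: blocked if either component demands it, isolated if
    HIPS allows the launch but Auto-Containment prescribes isolation."""
    verdict = hips_launch(parent, child, launch_rules, **hips_kw)
    if verdict != "allow":
        return verdict
    action = containment_action(child, containment_rules)
    if action == "block":
        return "block"
    return "run" if action == "ignore" else "run isolated"


# Constructed scenario from the text: trusted Parent.exe launches unidentified Child.exe.
PARENT, CHILD = "C:\\Apps\\Parent.exe", "C:\\Apps\\Child.exe"


def scenario(rule_for_parent: bool, contain_child: bool) -> str:
    # "All Applications" (pattern *) may launch Child.exe when rule_for_parent is set
    launch_rules = [("*", CHILD, "allow")] if rule_for_parent else []
    containment_rules = [(CHILD, "run virtually")] if contain_child else []
    return launch_decision(PARENT, CHILD, launch_rules, containment_rules,
                           mode="safe", child_trusted=False)


if __name__ == "__main__":
    print(scenario(False, False))   # alert  (no launch rule, child unidentified)
    print(scenario(True, False))    # run    (the parent's rules allow the launch)
    print(scenario(True, True))     # run isolated
```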

Automatic creation of HIPS rules in "Training Mode" and in "Safe Mode"

In certain modes, HIPS rules are created automatically:

  • if "Training Mode" is enabled and the "Do not show alerts" option is disabled or set to "Block requests", rules are created allowing each observed action of any application;
  • if "Safe Mode" is enabled, the "Create rules for safe applications" option is enabled, and the "Do not show alerts" option is disabled or set to "Block requests", rules are created allowing each observed action of trusted applications.

In most cases these modes are not beneficial and are used only for testing or for preparing to switch to Paranoid Mode.

Rules for a program (any program in Training Mode, or a trusted one in Safe Mode) are created as follows:

The form of the new rule depends on the requested action:

  • When one program launches another, a rule is created for the first one allowing it to run exactly that specific program.
  • When a program modifies a file or registry key included in the list on the HIPS → Protected Objects tab, the form of the rule depends on how the template of this resource is written.
    • If the template ends with the sign |, the rule created allows modification of the specific object the program accessed. For example, the program creates a text.txt file on the desktop. It matches the template ?:\Users\*\Desktop\*| , so a rule is created allowing the file C:\Users\Name\Desktop\text.txt.
    • If the template does not end with the sign |, the rule created allows modification of any object matching this template. For example, the program creates the file D:\prog.exe. In the list of protected objects this file matches the template *.exe, so a rule is created allowing this program to modify any EXE files.
  • When a program accesses any of the following resources, the automatically created rule allows access to all of them at once:
    • Protected COM interfaces,
    • Windows hooks and application hooks,
    • Interprocess memory access,
    • Terminating applications,
    • DNS requests,
    • Disk (direct access),
    • Keyboard,
    • Monitor.
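The three branches above (launch rule, the | suffix on a protected-object template, and the resource group that is granted all at once) as an added Python model, not Comodo's code. The function names, the constructed excerpt of the Protected Files list, the resource names (taken from the list above) and the sample paths are my assumptions; the template matching uses fnmatch with the * and ? wildcards.

```python
"""Toy model of automatic HIPS rule creation (Training Mode, or Safe Mode with
"Create rules for safe applications"). Added example, not Comodo's code."""
from fnmatch import fnmatch

# Resources for which one allowing rule covers the whole group (names from the list above).
PRIVILEGE_GROUP = frozenset({
    "Protected COM interfaces", "Windows hooks and application hooks",
    "Interprocess memory access", "Terminating applications", "DNS requests",
    "Disk (direct access)", "Keyboard", "Monitor",
})

# Constructed excerpt of HIPS -> Protected Objects -> Protected Files.
PROTECTED_FILES = [
    "?:\\Users\\*\\Desktop\\*|",   # trailing | -> the rule names the specific object
    "*.exe",                       # no | -> the rule repeats the whole template
]


def _match(pattern: str, path: str) -> bool:
    return fnmatch(path.lower(), pattern.lower())   # case-insensitive, * and ? wildcards


def protected_template(path, templates=PROTECTED_FILES):
    """First Protected Files template the path falls under, or None (not protected)."""
    for tpl in templates:
        if _match(tpl.rstrip("|"), path):
            return tpl
    return None


def auto_rule(action, target, *, templates=PROTECTED_FILES):
    """Return the "Allowed" entry to be added to the acting program's rules.

    action: "run" (launch another program), "modify" (file/registry change)
    or one of the PRIVILEGE_GROUP resource names.
    Returns a (section, entry) pair, or None when the target is not protected.
    """
    if action == "run":
        return ("Run an executable", target)        # exactly this program
    if action == "modify":
        tpl = protected_template(target, templates)
        if tpl is None:
            return None                             # not protected: no rule needed
        if tpl.endswith("|"):
            return ("Protected Files", target)      # the specific object touched
        return ("Protected Files", tpl)             # any object under the template
    if action in PRIVILEGE_GROUP:
        return ("Access Rights", frozenset(PRIVILEGE_GROUP))  # all of them at once
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    print(auto_rule("modify", "C:\\Users\\Name\\Desktop\\text.txt"))  # the specific file
    print(auto_rule("modify", "D:\\prog.exe"))                         # ('Protected Files', '*.exe')
    print(auto_rule("modify", "D:\\notes.txt"))                        # None
    print(auto_rule("Keyboard", None))                                 # whole group
```

Note how the second example gives the program a rule for every EXE on the machine from one access to D:\prog.exe, which is why the text calls these modes suitable only for testing.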

Process protection

In the HIPS rules window for any application, it is possible to restrict not only the application's own activity but also the influence of other programs on its operation. For this, the "Protection Settings" tab indicates which actions against this application will be blocked, and the exceptions window (the "Change" button) indicates which programs are allowed to perform them. No alerts are provided here, only permission or prohibition, regardless of rating. An action prohibited in this way is blocked regardless of the rules and rating of the other programs.

In particular, this function implements CIS self-defense against termination of its processes and access to their memory. Therefore, even when HIPS is not needed, it is desirable to keep it enabled at least with the option "Do not show alerts: Allow requests" (in Safe or Paranoid Mode).

A side effect of CIS self-defense is a huge number of entries in the "Protection Events" log when using some programs, for example Process Explorer. You can get rid of these unnecessary blocks by allowing individual applications access to the memory of the Comodo Internet Security group.

I note that protection against termination of applications does not cover all ways of unloading a process. Many applications can be terminated through window messages or through access to their memory. To protect an application from such termination methods, you will need to check in its rules on the "Protection Settings" tab not only the "Terminate application" option but the others as well.

Installer privileges

The meaning of installer privileges

Under certain conditions an application receives installer privileges, which consist of the following:

  1. HIPS allows such an application everything that is not explicitly prohibited by rules, i.e. it works like the mode "Do not show alerts: Allow requests";
  2. Auto-Containment does not isolate programs launched by this application;
  3. While this application is running, its child processes (as well as their child processes, etc.) run with installer privileges;
  4. Executable files created by this application (or by child processes that inherited its privileges) automatically become trusted.

Automatic promotion of files to trusted occurs only when the option "Trust applications installed using trusted installers" is enabled on the tab . Also, in some special cases installer privileges are granted to applications in a "truncated" form: without , or when the user grants permission in (if the program is unidentified and has an installer sign), or when the program is assigned , or when this rule is applied to it , or when the program inherits these privileges from its parent process.

Automatic acquisition of installer privileges by an application

An application automatically gets installer privileges if it is trusted and has an installer sign. Whether an application has an installer sign can be seen in the list of active processes.

Which properties of an application constitute the installer sign was discussed in : judging by experiments, installers are considered to be programs whose file name or File Version Info (the FileDescription, ProductName, InternalName or OriginalFilename field) contains the word Install, Setup or Update; MSI files are also considered installers.
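Since a trusted file with this sign silently gets installer privileges, it is worth being able to audit which files on a machine would qualify. The following Python check applies exactly the criteria listed above; it is an added example, not Comodo's code. The function names are mine and the file records are constructed; on a real system the version-info fields would be read from the PE resource (for example with pywin32's win32api.GetFileVersionInfo), which this offline example does not do.

```python
"""Which files carry the "installer sign" by the criteria listed above.

Added example, not Comodo's code: function names are assumptions and the
file records below are constructed (version info is passed in as a dict).
"""
import os

INSTALLER_WORDS = ("install", "setup", "update")
VERSION_FIELDS = ("FileDescription", "ProductName", "InternalName", "OriginalFilename")


def installer_sign(path, version_info=None):
    """Return the reason the file counts as an installer, or None if it does not."""
    name = os.path.basename(path).lower()
    if name.endswith(".msi"):
        return "MSI package"
    for word in INSTALLER_WORDS:          # the word anywhere in the file name
        if word in name:
            return f"file name contains '{word}'"
    for field_name in VERSION_FIELDS:     # or in one of the version-info fields
        value = str((version_info or {}).get(field_name, "")).lower()
        for word in INSTALLER_WORDS:
            if word in value:
                return f"{field_name} contains '{word}'"
    return None


def gets_installer_privileges(path, trusted, version_info=None):
    """Automatic installer privileges need both a trusted rating and the sign."""
    return trusted and installer_sign(path, version_info) is not None


# Constructed sample: (path, trusted rating, File Version Info fields).
SAMPLE_FILES = [
    ("C:\\Downloads\\app-setup.exe", True, {"ProductName": "Some App"}),
    ("C:\\Downloads\\package.msi", True, {}),
    ("C:\\Tools\\viewer.exe", True, {"FileDescription": "Image Viewer"}),
    ("C:\\Tools\\sync.exe", True, {"InternalName": "AutoUpdater"}),   # sign hidden in version info
    ("C:\\Downloads\\unknown-setup.exe", False, {}),                   # sign, but unidentified
]


def audit(files=SAMPLE_FILES):
    """Map each path to why it would run with installer privileges, or None."""
    return {
        path: installer_sign(path, info) if gets_installer_privileges(path, trusted, info) else None
        for path, trusted, info in files
    }


if __name__ == "__main__":
    for path, reason in audit().items():
        print(f"{path}: {reason or 'no installer privileges'}")
```

The sync.exe entry is the case worth looking for: nothing in the file name suggests an installer, yet the InternalName field alone is enough to grant it installer privileges once it is rated trusted.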

In old versions of CIS the installer signs were different; in particular, programs that requested administrator rights at launch, programs larger than 40 MB, and others were considered installers. Because of this, many ordinary application programs (in particular PortableApps builds) were mistakenly endowed with installer privileges, which created an obvious danger. In CIS 10 this threat is significantly lower.

Assigning installer privileges through Auto-Containment alerts

In the standard "Proactive Security" configuration, when you launch an unidentified program that has an installer sign, an alert appears offering a choice of four options: "Block", "Run isolated", "Run without restrictions" with the "Trust this application" option disabled, and "Run without restrictions" with the "Trust this application" option enabled.

The "Block" option means the launch is prohibited. The "Run isolated" option means the program will run isolated in accordance with the Auto-Containment rules.

If you enable the "Trust this application" option and select "Run without restrictions", the program becomes trusted and starts with installer privileges. At the same time an Auto-Containment rule is created excluding the child processes of this program from isolation. Usually this rule makes no sense, and I recommend removing it.

If you select "Run without restrictions" with the "Trust this application" option disabled, the program temporarily starts with "truncated" installer privileges, without trust in the files it creates: i.e. points 1, 2 and 3 apply, but not 4.

Generally speaking, such an alert occurs if the following conditions are met:

  • the Auto-Containment component is enabled,
  • on the Containment → Containment Settings tab the option "Detect programs requiring elevated privileges" is enabled,
  • the option "Do not show alerts for elevated privilege requests" is disabled,
  • according to the Auto-Containment rules, the launched program must start virtually and/or with restrictions,
  • the launched program has an installer sign or requests administrator rights at launch.

As you can see, for the alert to appear the launched program does not have to be unidentified; it is only required that the Auto-Containment rules prescribe isolating it. In addition, the program may request administrator rights at launch without being an installer.

If you enable the option "Do not show alerts for elevated privilege requests", then in that option's menu you can select automatic isolation (recommended) or blocking of unidentified installers without alerts. There are also the options "run without restrictions" and "run without restrictions and trust"; choosing them is, of course, very dangerous.

Assigning installer privileges through alerts and HIPS rules

Installer privileges can be assigned to a program explicitly via HIPS: this is the "Installation or Update" rule set.

When a HIPS alert arises about the activity of any application, you can choose in that alert's window Treat as → Installation or Update, with or without remembering.

If you enable the remember option and select "Installation or Update", the corresponding HIPS rule is created and the application receives installer privileges. If you choose this option without remembering, no rule is created, and the application receives the "truncated" form of installer privileges, without trust in the files it creates (a temporary launch of an unidentified installer without Auto-Containment restrictions).

Through the CIS settings window, you can assign the "Installation or Update" rule set in advance. Obviously, in this case the application receives installer privileges without alerts and in full.

Trusting files created with installer privileges

As already mentioned, executable files created by trusted installers automatically become trusted if the option "Trust applications installed using trusted installers" is enabled on the File Rating → File Rating Settings tab. It was also said that information about files created by trusted installers is entered into the database even if this option is disabled.

Judging by experiments, when the DPUD option ("Trust applications installed using trusted installers") is disabled, only information about files created directly by trusted installers is entered into the CIS database, not by every program that has installer privileges. I.e. if a file is created by a child process of a trusted installer, or by a program that received installer privileges through HIPS rules, it is not considered to have been created by a trusted installer. But if the DPUD option is enabled, files created by any program that has installer privileges in one way or another are marked in the database as created by trusted installers.

When determining whether a file was created under installer privileges, CIS distinguishes creating a file from copying it. So, if a program with installer privileges performs an ordinary copy of a file, the file does not become trusted as a result. But if, under installer privileges, a file is for example extracted from an archive, CIS will trust this file and all files identical to it (when the DPUD option is enabled).

To some extent installer privileges also work in the virtual environment: if a trusted installer runs virtually but creates files in the real environment (in the shared space), these files are marked in the database as created by a trusted installer. The same happens when working in the real environment under Auto-Containment restrictions. In my opinion this is a flaw, and a potentially dangerous one.

Although the DPUD option improves the convenience of using CIS, there is some sense in disabling it. In particular, when this option is enabled, CIS may trust potentially unwanted programs that are installed alongside safe applications.

It happens that the installer of some application, even a trusted one, creates and launches unidentified programs during its work. Usually CIS does not interfere with them, since they inherit installer privileges. However, as stated above, inherited privileges are not permanent (which is justified by security considerations), and sometimes the proactive protection fires during installation. If this only results in a HIPS alert, answering it is enough to continue the installation. But if HIPS is configured to block without alerts, or if Auto-Containment is used, there is a risk of the application being installed incorrectly. This risk is especially high if the option "Trust applications installed using trusted installers" or "Detect programs requiring elevated privileges" is disabled.

So that applications can be installed without interference from CIS, I propose running installers through a special context menu item. For this, the simplest possible program is used: it launches the file specified in its command line arguments. You will need to download the archive with the program (password: CIS), place the program anywhere convenient, add it to trusted and run it: you will be prompted to add a new item to the context menu (the item is removed by running the program again). The program is written in AutoIt3; the source code and the converter are attached in the Source folder: if in doubt, you can build a similar program yourself after checking its code and the converter's signature.

Then you need to assign it the "Installation or Update" HIPS rule set, as well as an Auto-Containment rule:

  • select the "Ignore" action,
  • in the criteria, specify the location of the program,
  • leave the option "Do not apply the selected action to child processes" disabled.

Now, for the installation of any safe application to proceed freely, it is enough to open the installer's context menu while holding the Shift key and select the "Comodo: Run as installer" item. As a result, even after the installer program itself exits, its child processes continue to run with installer privileges. These privileges are removed after closing the special window with the text "Click OK upon completion of the installation". But even then these processes remain excluded from Auto-Containment control.

In this comparative test we analysed popular personal antiviruses and firewalls that include HIPS components (Host Intrusion Prevention Systems) for their ability to prevent malicious programs from penetrating the kernel (hereinafter Ring 0) of the Microsoft Windows operating system. If a malicious program manages to penetrate the kernel level, it gains full control over the victim's computer.

Introduction

Host Intrusion Prevention Systems (HIPS) are gaining popularity among manufacturers of antiviruses, firewalls and other malware protection tools. Their main goal is to identify and block malicious actions in the system and prevent its infection.

The most difficult protection task comes down to preventing malware from penetrating to the operating system kernel level, which operates in the processor's "ring zero" (Ring 0). This level has maximum privileges when executing instructions and accessing the computing resources of the system as a whole.

If a malicious program manages to penetrate the kernel, this gives it complete and, in fact, unlimited control over the victim's computer, including the ability to disable protection and hide its presence in the system. The malicious program can intercept data entered by the user, send spam, conduct DDoS attacks, replace the contents of search results, and do other things, despite formally working antivirus protection. Therefore, for modern protection products it becomes especially important to keep malicious programs out of Ring 0.

In this test we compared popular antiviruses and firewalls that include HIPS components for their ability to prevent malicious programs from penetrating the kernel (hereinafter Ring 0) of the Microsoft Windows XP SP3 operating system.

Selection of malicious programs for testing

We decided not to model penetration into Ring 0 by any artificial means, but to conduct the test with real malware. The samples were chosen so as to cover all the ways of writing into Ring 0 that are actually used in the wild:

  1. StartServiceA - loading the malicious driver by replacing a system driver file in the %SystemRoot%\System32\Drivers directory and then loading it. Allows loading a driver without modifying the registry.
    ITW prevalence: High
  2. SCM - using the Service Control Manager to register and load the driver. This method is used by both legitimate applications and malicious programs.
    ITW prevalence: High
  3. KnownDlls - modifying the \KnownDlls section and a copy of one of the system libraries so that the malicious code is loaded by a system process.
    ITW prevalence: Medium
  4. RPC - creating a driver and loading it via RPC. Example of use: the loader of the well-known Rustock.C.
    ITW prevalence: Rare
  5. ZwLoadDriver - substituting a system driver with a malicious one by moving it and then loading it directly.
    ITW prevalence: High
  6. ZwSystemDebugControl - removing the hooks installed by HIPS in the SDT to control system events, using the Debug privilege.
    ITW prevalence: High
  7. \Device\PhysicalMemory - removing the hooks installed by HIPS in the SDT to control system events, by writing to the physical memory section.
    ITW prevalence: Medium
  8. ZwSetSystemInformation - loading the driver without creating registry keys by calling ZwSetSystemInformation with the SystemLoadAndCallImage parameter.
    ITW prevalence: Medium
  9. CreateFileA \\.\PhysicalDriveX - sector-level reading/writing of the disk (modifying files or the disk's master boot record).
    ITW prevalence: Medium

Thus, nine different malicious programs using the above methods of penetration into Ring 0 were selected and then used in the testing.

Methodology of comparative testing

Testing was conducted under VMware Workstation 6.0. The following personal antivirus products and firewalls were selected for the test:

  1. PC Tools Firewall Plus 5.0.0.38
  2. Jetico Personal Firewall 2.0.2.8.2327
  3. Online Armor Personal Firewall Premium 3.0.0.190
  4. Kaspersky Internet Security 8.0.0.506
  5. AGNITUM OUTPOST Security Suite 6.5.3 (2518.381.0686)
  6. Comodo Internet Security 3.8.65951.477

Unfortunately, the F-Secure and Norton antiviruses had to be excluded for technical reasons. Their built-in HIPS does not work separately from the enabled antivirus monitor, and since the selected malware samples could be detected by signature, they could not be used. Using these antiviruses with old antivirus databases (to avoid signature detection) was not an option either, because the update process in these products may affect not only the antivirus databases but also the executable modules (protection components).

Why were other popular antivirus products and firewalls, of which there are many, not included in the test? Because they do not have a HIPS module. Without it, they have no chance of preventing penetration into the OS kernel.

All products were installed with maximum settings, as far as these could be set without fine manual changes to the HIPS settings. If an auto-learning mode was offered during installation, it was used until the malicious programs were launched.

Before testing, the legitimate utility CPU-Z (a small program that reports information about the processor installed in the computer) was launched and the rule offered by the tested product (its HIPS component) was created. After creating the rule for this utility, the auto-learning mode was disabled and a snapshot of the system state was taken.

The malware specially selected for the test was launched one sample at a time, and the HIPS reactions to events directly related to installing, registering and loading the driver and to other attempts to write into Ring 0 were recorded. As in other tests, the system was rolled back to the initial snapshot before checking the next malicious program.

In the participating antiviruses the file monitor was disabled, and in Kaspersky Internet Security 2009 the malicious application was manually moved from the "Untrusted" zone to "Weak restrictions".

Test steps:

  1. Creating a snapshot of a clean virtual machine (main).
  2. Installing the tested product with maximum settings.
  3. Working in the system (installing and launching Microsoft Office applications, Adobe Reader, Internet Explorer) with the learning mode enabled (if any).
  4. Noting the number of messages from the tested product, launching the legitimate utility CPU-Z and creating rules for it.
  5. Disabling the auto-learning mode (if any).
  6. Switching the tested product into interactive mode and creating the next snapshot of the virtual machine with the installed product (auxiliary).
  7. Creating snapshots for all tested products by rolling back to the main image and repeating steps 2-4.
  8. Selecting a snapshot with a tested product, booting the OS and launching the malicious programs one by one, each time rolling back to the original state, and observing the HIPS reaction.

Results of comparative testing

A plus in the table means that the HIPS reacted to a particular event by which the malicious program tried to penetrate Ring 0 and was able to stop this action.

A minus means that the malicious code managed to get into Ring 0, or managed to open the disk for sector-level reading and writing.

Table 1: Results of comparative testing of HIPS components

| Penetration method into Ring 0               | PC Tools | Jetico | Online Armor | Kaspersky | Agnitum | Comodo |
|----------------------------------------------|----------|--------|--------------|-----------|---------|--------|
| StartServiceA                                | -        | +      | +            | +         | -       | +      |
| SCM                                          | -        | +      | +            | +         | -       | +      |
| KnownDlls                                    | -        | +      | +            | -         | +       | +      |
| RPC                                          | -        | +      | +            | +         | -       | +      |
| ZwLoadDriver                                 | +        | -      | +            | +         | -       | +      |
| ZwSystemDebugControl                         | -        | +      | +            | +         | +       | +      |
| \Device\PhysicalMemory                       | +        | +      | +            | +         | +       | +      |
| ZwSetSystemInformation                       | -        | +      | +            | +         | +       | +      |
| CreateFileA \\.\PhysicalDriveX               | -        | -      | +            | +         | +       | +      |
| Total stopped                                | 2        | 7      | 9            | 8         | 5       | 9      |
| Number of alerts and requests for user action | Few     | Many   | Many         | Few       | Medium  | Many   |

It is worth noting that with the training mode fully disabled, some of the tested products (for example, Agnitum Outpost Security Suite 6.5) can show a better result, but in that case the user is guaranteed to face a large number of alerts of all kinds and real difficulties in working with the system, which was taken into account when preparing the methodology of this test.

As the results show, the best products at preventing malware penetration at the OS kernel level are Online Armor Personal Firewall Premium 3.0, Comodo Internet Security 3.8 and Kaspersky Internet Security 2009.

It should be noted that Online Armor Personal Firewall Premium is an advanced firewall and contains no classical antivirus components, while the two other winners are comprehensive solutions of the Internet Security class.

The downside of all HIPS components is the number of messages displayed and requests of all kinds made to the user. Even the most patient user will abandon a reliable HIPS if it bothers him too often about detected suspicious actions and demands an immediate response.

The minimum number of requests for user action was observed with Kaspersky Internet Security 2009, PC Tools Firewall Plus 5.0 and Agnitum Outpost Security Suite 6.5. The rest of the products frequently pestered the user with alerts.

"Behavioral analysis is a more efficient way to prevent infection by unknown malware than heuristic methods based on the analysis of executable files. But in turn it requires certain knowledge from the user and his response to certain events in the system (creating a file in the system directory, creating an autorun key for an unknown application, modifying the memory of a system process, etc.)," comments Vasily Berdnikov, an expert of the website.

"In this comparison, the best-known products with HIPS on board were selected. As can be seen, only three products were able to adequately prevent penetration into the zero ring. Another very important parameter is the number of messages (alerts) that arise during everyday work on the PC and require a decision from the user. It is here that the technological advantage of products is determined: to control the system as fully as possible and at the same time use all sorts of technologies to reduce the number of questions the HIPS asks when starting and installing programs," the expert notes.

A HIPS intercepts all calls to the OS kernel using its own driver. When software attempts to perform a potentially dangerous action, the HIPS blocks execution of that action and asks the user, who decides whether to allow or prohibit it.

The basis of any HIPS is the rules table. In some products it is not divided at all; in others it is split into intermediate tables according to the nature of the rules (for example, rules for files, rules for the network, rules for system privileges, and so on); in still others the table is divided by applications and their groups. These systems control certain system events (for example, creating or deleting files, accessing the registry, accessing memory, launching other processes), and every time such an event is about to occur, the HIPS checks it against its rules table and then acts according to the settings specified in the table: the action is either allowed or prohibited, or the HIPS asks the user what should be done in this particular case.

A feature of HIPS is group policy, which applies the same permissions to all applications placed in a specific group. As a rule, applications are divided into trusted and untrusted, plus intermediate groups (for example, weakly restricted and strongly restricted). Trusted applications are not limited in their rights and capabilities; weakly restricted ones are prohibited from the actions most dangerous for the system; strongly restricted ones are allowed only those actions that cannot cause substantial damage; and untrusted ones can perform practically no system action.

HIPS rules contain three basic components: the subject (i.e. the application or group that causes a specific event), the action (allow, prohibit or ask the user) and the object (what the application or group is trying to access). Depending on the type of object, rules are divided into three groups:

  • files and the system registry (object: files, registry keys);
  • system rights (object: system rights to perform certain actions);
  • network (object: addresses and their groups, ports and directions).

Types of HIPS

  • HIPS in which the decision is made by the user: when the Application Programming Interface (API) function interceptor intercepts a call by an application, the question of what to do next is put to the user. The user must decide whether to run the application or not, and with what privileges or restrictions.
  • HIPS in which the decision is made by the system: the decision is taken by an analyzer; for this the developer creates a database into which the rules and decision-making algorithms are entered.
  • "Mixed" HIPS: the decision is made by the analyzer, but when it cannot decide, or when the "decision by user" setting is enabled, the decision and the choice of further action are left to the user.

Advantages of HIPS

  • Low system resource consumption.
  • Undemanding of computer hardware.
  • Can work on various platforms.
  • High effectiveness against new threats.
  • High effectiveness against rootkits operating at the application level (user mode).

Disadvantages of HIPS

  • Low effectiveness against rootkits operating at the kernel level.
  • A large number of requests to the user.
  • The user must understand how the system works.

Changes to the HIPS parameters should be made only by experienced users. Incorrect settings can lead to unstable system operation.

The Host-based Intrusion Prevention System (HIPS) protects against malware and other unwanted activity that attempts to adversely affect the security of the computer. HIPS uses advanced behavioral analysis in combination with the detection capabilities of network filtering to track running processes, files and registry keys. HIPS differs from real-time file system protection and is not a firewall; it only monitors the processes running in the operating system.

HIPS options are available under Advanced setup (F5) > Antivirus > Host-based Intrusion Prevention System > Basic. The HIPS status (enabled/disabled) is displayed in the main window of ESET NOD32 Antivirus, in the Setup > Computer protection section.

The program uses built-in self-defense technology that does not allow malware to damage or disable protection against viruses and spyware, so the user can always be confident in the computer's security. To disable HIPS or the self-defense system, Windows must be restarted.

The Advanced Memory Scanner works together with the Exploit Blocker to strengthen protection against malware that evades detection by anti-malware products through deliberate obfuscation or encryption. The Advanced Memory Scanner is enabled by default. For more information about this type of protection, see the Glossary.

The Exploit Blocker is designed to protect applications that are commonly targeted by exploits, such as browsers, PDF readers, email clients and MS Office components. It is enabled by default. For more information about this type of protection, see the Glossary.

Four filtering modes are available.

Automatic mode: all operations are enabled except those blocked by predefined rules that protect the computer.

Smart mode: the user is notified only about very suspicious events.

Interactive mode: the user is asked to confirm operations.

Policy-based mode: operations are blocked.

Learning mode: operations are enabled and a rule is created after each operation. The rules created in this mode can be viewed in the rules editor, but their priority is lower than that of rules created manually or automatically. When Learning mode is selected in the HIPS filtering mode drop-down list, the "Learning mode will end" parameter becomes available. Select the duration of the learning mode; the maximum duration is 14 days. When the specified period expires, you will be prompted to edit the rules created by HIPS in learning mode. You can also select another filtering mode, or postpone the decision and continue using learning mode.

HIPS monitors events in the operating system and reacts to them according to rules similar to personal firewall rules. Click Edit to open the HIPS rules management window, where you can select, create, edit and delete rules.

The following example shows how to restrict unwanted application behavior.

How HIPS (Host-based Intrusion Prevention System) works: a detailed description. General HIPS and Auto-Sandbox parameters in Comodo Internet Security 8. Viruscope

HIPS

HIPS modes

When the HIPS component is enabled, program activity is restricted according to the rules. The rules available initially set permissions for some system programs and in other cases prescribe asking the user. The user can add rules through the "HIPS Rules" tab; rules are also created from the user's responses to alerts, or automatically when "Training Mode" is enabled. Alerts can be disabled by prescribing that activity not covered by a rule is always allowed or always blocked.

Whether an alert is shown for a program depends on its rating and on the HIPS mode. In "Safe Mode" alerts are issued only for unidentified programs, while trusted ones are silently granted permission (in the absence of a prohibiting rule) for any action except launching an unidentified application. In "Paranoid Mode" alerts arise for all programs, regardless of reputation.

In "Clean PC" mode, alerts occur only for new unidentified programs, i.e. ones that were not on the disk before; "old" ones are treated like trusted programs in "Safe Mode". "Clean PC" mode works as follows: from the moment this mode is enabled, the creation of new programs, i.e. executable files, is tracked. If a new program is smaller than 40 MB and does not have a "trusted" rating, it is entered into the list as "unidentified". Only programs from the "Unidentified" list are restricted in their rights. The remaining programs smaller than 40 MB are treated like trusted ones: by HIPS, by Auto-Sandbox and by the firewall.

"Clean PC" mode is very problematic, and I do not recommend using it. In particular, if you put a new unknown program into some directory and change its name, the program will be considered "old", i.e. it will receive permissions. Nevertheless, a correctly working analogue of "Clean PC" mode can be implemented in "Safe Mode" by adding all executable files to the trusted list using the method proposed in.

The procedure for "Safe Mode" with the "Create rules for safe applications" option enabled, as well as for "Training Mode", is discussed in the section on automatic rule creation. Work in "Clean PC" mode is similar to "Safe Mode", but differs in that unidentified files that were on the disk before this mode was enabled are treated like trusted ones ("trusted" not only by HIPS, but also by Auto-Sandbox and the firewall).

I will note a special case: if a program runs in a virtual environment and/or with Auto-Sandbox restrictions, then in the absence of any allowing or prohibiting rule permission is granted (like the option "Do not show alerts: Allow requests"). In a virtual environment there is no protection of files and the registry at all, even with explicitly specified prohibitions. But, of course, the virtual environment and/or Auto-Sandbox restrictions are applied to this program and its child processes.

Managing program rights through alerts

If you select "Allow" or "Block only" in an alert, that permission or prohibition applies only to a specific resource. For example, if you allow an application to create the file C:\Test\a.exe, an attempt to create the file C:\Test\b.exe will lead to an alert again. To allow the application to create any files in the C:\Test directory, you have to edit the rule in the CIS settings window. Unfortunately, alerts do not provide permissions for directories, templates, groups, etc.

One exception has been noted: if a program is allowed, through the alert, to "Modify the user interface of another application", a rule is created that allows this program to send window messages to any application, not only the specified one.

However, a predefined policy can be applied to an application via an alert. These policies are created on the HIPS > "Rule Sets" tab. The predefined "Windows System Application" policy allows any activity; the "Allowed Application" policy also allows any activity but does not regulate the launch of child processes; the "Isolated Application" policy strictly prohibits any activity; the "Limited Application" policy prohibits almost everything except window messages and access to the monitor, and does not regulate the launch of child processes. You can not only create your own policies but also change the predefined ones.

Permissions, prohibitions and policies assigned to an application through alerts act differently depending on whether the "Remember my choice" option is enabled. If this option is enabled and you select "Allow" or "Block only", the set of rules assigned to this application changes: an allowing or prohibiting entry for the specific resource (file, interface, etc.) is added to it. If you enable "Remember my choice" and choose a set of rules, the new rules are not added to the old ones but completely replace them, i.e. the rules previously assigned to this application stop acting. If there are no HIPS rules for this application yet, they are created at the top of the list.

If you disable "Remember my choice", the permissions, prohibitions or policies assigned to the application stop acting when the application exits, or even earlier, and the rules do not change. To understand the logic of these temporary rules, it is convenient to imagine that each response to an alert (without memorization) creates a "phantom" entry in the list of HIPS rules. All "phantom" entries sit below the "real" entries in the list, but a new "phantom" sits above the other "phantoms". This means that the same application can be assigned several policies through alerts several times (without memorization), and all these policies will act. The "real" rules have the highest priority, then the most recent of the "phantoms", then the earlier ones, etc. But as soon as any "real" rule (with memorization) is created, all "phantom" rules for all applications are destroyed.

For example, suppose you assign the "Isolated Application" policy to a program without memorization. By default the "All Applications" group is allowed to modify temporary files, so this program can still do so, even though the "Isolated Application" policy prohibits it. If you assign this policy with memorization, modifying temporary files will be prohibited, since the new HIPS rule is created at the top of the list.
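The priority scheme just described (real rules top to bottom, then phantoms newest first, and every phantom wiped by the next memorized answer) is easy to get wrong when reasoning about a concrete alert. The following model is an added illustration and not Comodo code: the Rule/RuleList structure, the Decision names and the sample paths and resource labels are assumptions made for the example, while the ordering behaviour is the one the text describes.

```python
"""Model of the CIS HIPS rule list with "real" and "phantom" entries.

Added illustration, not Comodo code.  The data model, the Decision names
and the sample paths are assumptions; the modelled behaviour follows the
text: real rules are matched top to bottom, phantoms (alert answers given
without "Remember my choice") sit below all real rules with the newest
phantom first, and the creation of any real rule destroys every phantom.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"  # no rule matched: the HIPS mode / an alert decides


@dataclass
class Rule:
    subject: str       # application path or group name, e.g. "All Applications"
    obj: str           # protected resource the rule covers (constructed labels here)
    decision: Decision
    phantom: bool = False


@dataclass
class RuleList:
    real: List[Rule] = field(default_factory=list)      # top of list first
    phantoms: List[Rule] = field(default_factory=list)  # newest first

    def add_real(self, rule: Rule) -> None:
        """A memorized answer for an application without rules puts its rule
        at the top of the list and wipes all phantom entries."""
        rule.phantom = False
        self.real.insert(0, rule)
        self.phantoms.clear()

    def add_phantom(self, rule: Rule) -> None:
        """A non-memorized answer: below every real rule, above older phantoms."""
        rule.phantom = True
        self.phantoms.insert(0, rule)

    def evaluate(self, subjects: Iterable[str], obj: str) -> Decision:
        """First matching entry wins.  `subjects` is the application's path
        plus every group it belongs to."""
        subjects = set(subjects)
        for rule in self.real + self.phantoms:
            if rule.subject in subjects and rule.obj == obj:
                return rule.decision
        return Decision.ASK


APP = r"C:\Test\prog.exe"        # constructed sample path
OTHER = r"C:\Test\other.exe"     # constructed sample path
TEMP_FILES = "temporary files"   # constructed label for the default-allowed resource


def isolated_policy_demo(memorize: bool) -> Decision:
    """The scenario from the text: "Isolated Application" assigned to a program
    that, via the default "All Applications" rule, may modify temporary files."""
    rules = RuleList(real=[Rule("All Applications", TEMP_FILES, Decision.ALLOW)])
    isolated = Rule(APP, TEMP_FILES, Decision.BLOCK)  # what the policy prohibits
    if memorize:
        rules.add_real(isolated)      # lands above the "All Applications" rule
    else:
        rules.add_phantom(isolated)   # sits below it, so the default still wins
    return rules.evaluate({APP, "All Applications"}, TEMP_FILES)


def phantom_lifecycle() -> Tuple[Decision, Decision, Decision]:
    """Newest phantom wins among phantoms; any new real rule clears them all."""
    rules = RuleList()
    rules.add_phantom(Rule(APP, "registry key X", Decision.ALLOW))
    rules.add_phantom(Rule(APP, "registry key X", Decision.BLOCK))  # newer, wins
    rules.add_phantom(Rule(OTHER, "file Y", Decision.ALLOW))
    before = rules.evaluate({APP}, "registry key X")
    rules.add_real(Rule(OTHER, "file Z", Decision.ALLOW))  # memorized answer elsewhere
    after = rules.evaluate({APP}, "registry key X")         # phantom gone -> ASK
    after_other = rules.evaluate({OTHER}, "file Y")         # also gone -> ASK
    return before, after, after_other


if __name__ == "__main__":
    print("without memorization:", isolated_policy_demo(False).value)
    print("with memorization:   ", isolated_policy_demo(True).value)
    print("phantom lifecycle:   ", [d.value for d in phantom_lifecycle()])
```

The two demo functions reproduce the two points a user most often misreads: a policy applied without memorization cannot override a real default rule, and a memorized answer to an unrelated alert silently cancels every temporary policy in force.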

Controlling program startup

The ability to launch a program is set in the HIPS rules for the launching program, not for the launched one. In "Paranoid Mode" the launch is permitted only if there is an explicit permission in the rules. In "Safe Mode", in the absence of a rule, the launch is allowed if both the launching and the launched program have a "trusted" rating.

So suppose that in "Safe Mode" the program Parent.exe is running and tries to launch the program child.exe. In the absence of additional rules, the launch will be silent only if both programs are trusted. If child.exe is unidentified and the HIPS rules for Parent.exe (or a group containing it) contain no permission to launch child.exe (or a group containing it), then an alert will arise, regardless of the HIPS rules for child.exe itself and regardless of the rating of Parent.exe, and the alert will concern Parent.exe.

Thus, to allow an unidentified program to run, it is not enough to set allowing rules for the program itself: permission to launch it is required for its parent process or, as an option, for the "All Applications" group.

If you want to stop a program from launching, then, having received the alert about the parent process, disable the memorization option and select "Block" > "Block only".

Attention! The "Block and terminate" item in an alert about a program launch means terminating the parent process. Likewise, choosing any policy (i.e. rule set) in such an alert assigns it to the parent process. Accordingly, enabling "Remember my choice" in such an alert creates or changes the HIPS rule for the parent process. A typical user error is selecting a policy in the alert about launching a program. The correct procedure is to first only allow the launch, and to choose the policy in the subsequent alert about the program's own activity.

It is important to know that, unlike Auto-Sandbox, in HIPS a child process does not inherit parental restrictions: if you allow a dubious program to launch a program that has permissions, security will be at risk.

The ability to launch a program is defined not only by HIPS rules but also by Auto-Sandbox rules. The launch is blocked if at least one of these components requires it. If the launch is allowed by the HIPS rules and the Auto-Sandbox rules prescribe isolating this program, it starts isolated.
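The launch logic of the preceding paragraphs (rule lookup on the launching program, the "Safe"/"Paranoid" fallback, then the Auto-Sandbox verdict) can be written down as a small decision function. This is an added example, not Comodo code: the Mode and Outcome names, the encoding of launch rules as a dictionary keyed by (launcher, launched) where either side may be the "All Applications" group, the string encoding of Auto-Sandbox verdicts and the sample paths are all assumptions made for the illustration.

```python
"""Launch decision as described above: HIPS rules of the launching (parent)
program, the "Safe"/"Paranoid" mode fallback, then Auto-Sandbox.

Added example, not Comodo code.  Assumed for illustration: the Mode/Outcome
names, the rule encoding (dict keyed by (launcher, launched); either side may
be the group "All Applications"), the Auto-Sandbox verdict strings and the
sample file paths.
"""
from enum import Enum
from typing import Dict, Optional, Set, Tuple

ALL_APPS = "All Applications"


class Mode(Enum):
    SAFE = "Safe Mode"
    PARANOID = "Paranoid Mode"


class Outcome(Enum):
    RUN = "runs normally"
    RUN_ISOLATED = "runs isolated (Auto-Sandbox)"
    BLOCK = "launch blocked"
    ALERT_PARENT = "HIPS alert regarding the parent process"


LaunchRules = Dict[Tuple[str, str], bool]   # (launcher, launched) -> allow?


def hips_launch_decision(mode: Mode, parent: str, child: str,
                         trusted: Set[str], rules: LaunchRules) -> Optional[bool]:
    """True = silently allowed, False = blocked, None = alert about the parent.
    The rule is looked up on the launching program (or its group), never in
    the launched program's own rule set."""
    for launcher in (parent, ALL_APPS):
        for launched in (child, ALL_APPS):
            if (launcher, launched) in rules:
                return rules[(launcher, launched)]
    if mode is Mode.PARANOID:
        return None                      # no explicit permission: alert
    # Safe Mode: silent only when both sides are rated trusted
    return True if (parent in trusted and child in trusted) else None


def launch_outcome(mode: Mode, parent: str, child: str, trusted: Set[str],
                   rules: LaunchRules, sandbox: Dict[str, str]) -> Outcome:
    """Combine HIPS with Auto-Sandbox: a block by either component wins; an
    allowed launch that Auto-Sandbox wants isolated starts isolated.
    `sandbox` maps a path to "block", "isolate" or "run" (constructed encoding)."""
    hips = hips_launch_decision(mode, parent, child, trusted, rules)
    if hips is None:
        return Outcome.ALERT_PARENT
    if hips is False or sandbox.get(child) == "block":
        return Outcome.BLOCK
    if sandbox.get(child) == "isolate":
        return Outcome.RUN_ISOLATED
    return Outcome.RUN


# Constructed sample data for the Parent.exe / child.exe scenario in the text
PARENT = r"C:\Apps\Parent.exe"
CHILD = r"C:\Apps\child.exe"


def scenarios() -> Dict[str, Outcome]:
    trusted_both = {PARENT, CHILD}
    trusted_parent_only = {PARENT}      # child.exe is unidentified
    no_rules: LaunchRules = {}
    return {
        "safe, both trusted, no rule":
            launch_outcome(Mode.SAFE, PARENT, CHILD, trusted_both, no_rules, {}),
        "safe, child unidentified, no rule":
            launch_outcome(Mode.SAFE, PARENT, CHILD, trusted_parent_only, no_rules, {}),
        # the permission sits on the parent (or "All Applications"), not on the child
        "safe, child unidentified, parent allowed to launch it":
            launch_outcome(Mode.SAFE, PARENT, CHILD, trusted_parent_only,
                           {(PARENT, CHILD): True}, {}),
        "same, but Auto-Sandbox isolates the child":
            launch_outcome(Mode.SAFE, PARENT, CHILD, trusted_parent_only,
                           {(ALL_APPS, CHILD): True}, {CHILD: "isolate"}),
        "paranoid, both trusted, no rule":
            launch_outcome(Mode.PARANOID, PARENT, CHILD, trusted_both, no_rules, {}),
        "explicit block on the parent":
            launch_outcome(Mode.SAFE, PARENT, CHILD, trusted_both,
                           {(PARENT, CHILD): False}, {}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome.value}")
```

Note that `hips_launch_decision` never consults any rule set belonging to the child: that is exactly why allowing rules on an unidentified program by itself does not make it runnable.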

The described order has certain exceptions. The first concerns programs that are already isolated in the Sandbox. The child processes of such programs are isolated in the same way, without obeying other Auto-Sandbox rules. There are no HIPS alerts on their launch: they are blocked only if there is an explicit prohibiting HIPS rule. In other words, for such programs HIPS works as if the option "Do not show alerts: Allow requests" were enabled.

Another exception is programs that have installer privileges. Their child processes are not subject to Auto-Sandbox rules (this behavior ...) and do not cause HIPS alerts. They obey only explicit prohibitions in the HIPS rules, like the option "Do not show alerts: Allow requests" (this behavior cannot be configured).

The third exception is programs that have an "Ignore" rule in Auto-Sandbox with the option "" disabled. Such programs are simply excluded from Auto-Sandbox control together with their child processes. HIPS rules are applied in the normal order.

Automatic creation of HIPS rules in "Training Mode" and in "Safe Mode"

In certain modes HIPS rules are created automatically:

  • if "Training Mode" is enabled and the option "Do not show alerts" is disabled or set to "Block requests", the activity of all applications is tracked and rules are created allowing each observed action;
  • if "Safe Mode" is enabled, the "Create rules for safe applications" option is enabled, and the option "Do not show alerts" is disabled or set to "Block requests", rules are created allowing each observed action of trusted applications.

In most cases these modes bring no benefit and are used only for testing or for preparing to switch to "Paranoid Mode".

Rules for a program (any program in "Training Mode", or a trusted one in "Safe Mode") are created as follows. The form of the new rule depends on the requested action:

  • When one program launches another, a rule is created for the first program allowing it to launch precisely that specific program.
  • When a program modifies a file or registry key included in the HIPS > "Protected Objects" tab, the form of the rule depends on how the template of this resource is written.
    • If the template ends with the sign |, the rule is created allowing modification of the specific object the program accessed. For example, a program creates the file text.txt on the desktop. It matches the template "?:\Users\*\Desktop\*|", so a rule is created allowing the file C:\Users\Name\Desktop\text.txt.
    • If the template does not end with |, the rule is created allowing modification of any object matching this template. For example, a program creates the file D:\Prog.exe. In the list of protected objects this file matches the template *.exe, so a rule is created that allows this program to modify any EXE files.
  • When a program accesses any of the following resources, the automatically created rules grant access to all of them at once:
    • "Protected COM Interfaces",
    • "Windows hooks and application hooks",
    • "Interprocess memory access",
    • "Terminating applications",
    • "DNS requests",
    • "Disk" (direct access),
    • "Keyboard",
    • "Monitor".

Usually the actual behavior of HIPS matches the description, but various deviations occur. For example, HIPS rules are sometimes created automatically even for programs running with installer privileges; this was observed when Auto-Sandbox was disabled. A situation was also observed in which the rules created for a program in "Training Mode" recorded access not to all the file objects that it requested in "Paranoid Mode".
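The trailing "|" convention for protected-object templates decides how broad an automatically created rule becomes, which matters when reviewing rules that training mode has generated. The following is an added example and not Comodo code: the template list is a constructed sample of "Protected Objects" entries, matching uses fnmatch semantics for "*" and "?" (so "*" may span path separators, as the desktop example in the text requires), and comparisons are case-insensitive; all of that is assumed for the illustration.

```python
"""Form of an automatically created file/registry rule from the
protected-object template: a template ending in "|" yields a rule for the
exact object accessed, a template without "|" yields a rule for the template.

Added example, not Comodo code.  Assumptions: the template list is a
constructed sample, "*" and "?" follow fnmatch semantics ("*" may span
path separators) and matching is case-insensitive.
"""
import fnmatch
from typing import List, Optional, Tuple

# Constructed sample of protected-object templates (not the real CIS list)
PROTECTED_TEMPLATES: List[str] = [
    r"?:\Users\*\Desktop\*|",     # exact-object rules for desktop files
    r"*.exe",                      # one rule covers every EXE file
    r"?:\Windows\System32\*|",     # exact-object rules under System32
]


def split_template(template: str) -> Tuple[str, bool]:
    """Return (pattern, exact): exact is True when the template ends in '|'."""
    if template.endswith("|"):
        return template[:-1], True
    return template, False


def matches(pattern: str, path: str) -> bool:
    # fnmatchcase avoids platform-dependent normalisation; lower() both sides
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def find_template(path: str, templates: List[str]) -> Optional[str]:
    """First protected-object template the accessed path falls under."""
    for tpl in templates:
        pattern, _ = split_template(tpl)
        if matches(pattern, path):
            return tpl
    return None


def auto_rule_object(path: str,
                     templates: List[str] = PROTECTED_TEMPLATES) -> Optional[str]:
    """Object of the auto-created rule for an access to `path`, or None when
    the path is not protected at all (then no rule is needed)."""
    tpl = find_template(path, templates)
    if tpl is None:
        return None
    pattern, exact = split_template(tpl)
    return path if exact else pattern   # exact object vs. the whole template


if __name__ == "__main__":
    for p in (r"C:\Users\Name\Desktop\text.txt", r"D:\Prog.exe", r"E:\data\notes.txt"):
        print(p, "->", auto_rule_object(p))
```

The second sample path shows the point worth checking after a training session: a single write to one EXE file produces a rule over every EXE file, because the matching template has no trailing "|".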

Identification of applications by their paths

In explicitly specified rules only the program's path is taken into account. Its integrity, or rather its rating, is checked only in the absence of rules in "Safe Mode". Instead of an exact path you can use templates and environment variables, in the same way as in file groups, as well as the file groups themselves.

Previously it was sometimes observed that after a program was renamed or moved, HIPS still perceived it at its old location: the program was governed by the rules recorded for the old path, and rules with the new path did not work. The problem was solved by rebooting.

Because HIPS rules are based on paths, the option "Create rules for safe applications" presents a danger. For example, if it is enabled and Explorer launches a trusted (signed) program C:\MyDownloads\test.exe, then in "Safe Mode" HIPS will automatically create rules for it; and next time something else may be in place of test.exe. Therefore, I recommend disabling this option.

Process protection

In the HIPS rules window for any application it is possible to restrict not only the application's own activity but also the influence of other programs on its operation. To do this, on the "Protection Settings" tab select which actions against this application will be blocked, and in the exceptions window (Modify button) select which programs will be allowed to perform them. No alerts are provided here, only permission or prohibition, regardless of rating. An action prohibited in this way is blocked regardless of the rules and rating of the other programs.

In particular, CIS uses this function for its self-defense against termination of its processes and access to their memory. Therefore, even when HIPS is not needed, it is desirable to keep it enabled, at least with the option "Do not show alerts: Allow requests" (in "Safe" or "Paranoid" mode).

A side effect of CIS self-defense is a huge number of entries in the "Protection Events" log when using some programs, for example Process Explorer. You can get rid of unnecessary blocks by allowing individual applications access to CIS memory.

I note that protection against terminating applications does not cover all ways of unloading a process. Thus, many applications (but not CIS processes) can be terminated through window messages (for example, by the System Explorer program) or through memory access. To protect an application from such termination methods, on the "Protection Settings" tab of its rules you need to check not only "Terminating applications" but also "Window messages" and "Interprocess memory access".

The process termination method used by the Process Hacker program can unload even CIS. To prohibit this method, you can change the HIPS rule for the "All Applications" group: under "Protected COM Interfaces" click "Modify" and add LocalSecurityAuthority.restore to the "Blocked" tab. However, this prohibition is not recommended, as it will create problems when updating Windows.

Installer privileges

The meaning of installer privileges

Under certain conditions an application receives installer privileges, which consist of the following:

  1. HIPS allows such an application everything that is not explicitly prohibited in the rules, i.e. it works like the mode "Do not show alerts: Allow requests";
  2. Auto-Sandbox does not isolate programs launched by this application;
  3. while this application runs, its child processes (and their child processes, etc.) execute with installer privileges;
  4. executable files created by this application (or by child processes that inherited its privileges) are automatically added to the trusted list (except scripts and files larger than 40 MB).

Files are automatically added to the trusted list only when the option "Trust applications installed using trusted installers" on the "File Rating" > "File Rating Settings" tab is enabled. Also, in some special cases installer privileges are granted to applications in a "truncated" form: without automatic trusting of the created files, despite this option being enabled.

Finally, note that when an installer application terminates, its child processes lose the inherited privileges and HIPS controls them in the normal mode, and their further child processes fall under Auto-Sandbox control.

Suppose the installer program "A" launches process "B", and "B" launches process "C". As a result, process "C" receives installer privileges and keeps them as long as program "A" is running, even after process "B" terminates. But after program "A" terminates, process "C" loses these privileges.

Compared with installer privileges, it is inherited more "reliably": it continues to apply to child processes even after all the parents have terminated. (However, a bug has been observed: this inheritance breaks if a HIPS alert was left unanswered for 2 minutes before the child process was launched.)

A program receives installer privileges in different ways: either when ..., or when ... (if the program is unidentified and has an installer sign), or when ..., or when ..., or when the program inherits these privileges from its parent process. A program can obtain installer privileges only when it is launched in the real environment without Auto-Sandbox restrictions. If a program is launched isolated, it does not receive these privileges, whatever signs and rules it has.
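The lifetime rule for inherited installer privileges (the "A", "B", "C" scenario above) and the exclusion of isolated programs (the last paragraph) are modelled below. This is an added example, not Comodo code: the Process structure, its field names and the helper functions are assumptions for the illustration; the process names "A", "B" and "C" follow the text.

```python
"""Model of installer-privilege inheritance as described above: a child (and
grandchild, etc.) of a running installer holds the privileges only while an
ancestor that holds them directly is still running; a program launched
isolated by Auto-Sandbox never receives them.

Added example, not Comodo code.  The Process fields and function names are
assumptions; the names "A", "B", "C" follow the text.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Process:
    name: str
    parent: Optional["Process"] = None
    installer_direct: bool = False  # own installer status or "Installation or Update" policy
    isolated: bool = False          # launched under Auto-Sandbox isolation
    alive: bool = True

    def spawn(self, name: str, installer_direct: bool = False,
              isolated: bool = False) -> "Process":
        return Process(name, parent=self, installer_direct=installer_direct,
                       isolated=isolated)


def has_installer_privileges(proc: Process) -> bool:
    """Direct privileges count while the process itself is alive.  Inherited
    privileges count only while an ancestor holding them *directly* is alive
    (the intermediate parent may already have exited).  Isolated programs
    get nothing, whatever their signs, rules or ancestry."""
    if not proc.alive or proc.isolated:
        return False
    anc: Optional[Process] = proc
    while anc is not None:
        if anc.installer_direct and anc.alive and not anc.isolated:
            return True
        anc = anc.parent
    return False


def a_b_c_scenario() -> Tuple[bool, bool, bool]:
    """Installer A launches B, B launches C.  Returns C's privilege status
    (while all run, after B exits, after A exits)."""
    a = Process("A", installer_direct=True)
    b = a.spawn("B")
    c = b.spawn("C")
    while_all_run = has_installer_privileges(c)
    b.alive = False
    after_b_exits = has_installer_privileges(c)   # A still runs: C keeps them
    a.alive = False
    after_a_exits = has_installer_privileges(c)   # lost: HIPS controls C normally
    return while_all_run, after_b_exits, after_a_exits


def isolated_scenario() -> bool:
    """A program with an installer sign that Auto-Sandbox launched isolated
    receives no installer privileges."""
    setup = Process("Setup", installer_direct=True, isolated=True)
    return has_installer_privileges(setup)


if __name__ == "__main__":
    print("C while all run / after B exits / after A exits:", a_b_c_scenario())
    print("isolated installer has privileges:", isolated_scenario())
```

The walk up the parent chain is what makes "B" irrelevant once it has exited: only the liveness of the process that holds the privileges directly ("A") decides.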

Automatic granting of installer privileges to an application

An application automatically receives installer privileges if it is trusted and has a certain status. This status is assigned to applications that request administrator rights at startup, and to some others.

In previous versions of CIS, a program automatically received installer privileges only when the restrictions of proactive protection depended on the rating of that program. If the program was excluded from Auto-Sandbox and assigned a fully defined HIPS policy (like a "system application" policy), installer privileges were not granted. In CIS version 8 installer privileges are granted even when HIPS and Auto-Sandbox are disabled. The only observed situation in which a program with trusted installer status does not receive them is when its HIPS restrictions do not depend on rating and the Auto-Sandbox rules exclude its parent process, together with its child processes, from isolation.

Assigning installer privileges through alerts and HIPS rules

Installer privileges can be assigned to a program explicitly via HIPS: this is the "Installation or Update" policy.

When a HIPS alert arises about the activity of an application, you can select the desired policy, with or without memorization.

If you check the memorization option and select the "Installation or Update" policy, the corresponding HIPS rule is created and the application receives installer privileges. If you choose this policy without memorization, no rule is created and the application receives a "truncated" version of installer privileges: without the created files being automatically added to the trusted list (a temporary launch of an "unidentified installer" without Auto-Sandbox restrictions).

Through the CIS settings window you can assign the "Installation or Update" policy to an application in advance in the list of HIPS rules. Obviously, in this case the application receives full installer privileges without any alerts.

General features and proactive protection parameters

Consider the options that affect the work of proactive protection as a whole: and HIPS, and AUTO-SANDBOX.

Various parameters of proactive protection

The "Enable enhanced protection mode" option on the HIPS Settings tab is intended to prevent bypassing of proactive protection on 64-bit versions of Windows, so it should be enabled on such systems. At the same time, it enables support for hardware virtualization, which can conflict with virtual machines.

The "Adapt operation mode at low system resources" option is needed only when RAM is scarce. When it is enabled, CIS uses memory-saving techniques to avoid failing at its tasks, at the cost of reduced performance.

The "Block all unknown requests if the application is not running" option is intended only for infected systems and is not recommended for continuous use, since it interferes with the correct autostart of safe applications. If it is enabled, then until the CIS graphical interface has loaded, all programs, regardless of their rating, are blocked from any activity except what is explicitly allowed in the HIPS rules. In other words, before the GUI loads, HIPS behaves like "Paranoid mode" with the option "Do not show alerts: block requests". There is no blocking if HIPS is disabled or is enabled with the option "Do not show alerts: allow requests".

The "Trust applications installed using trusted installers" option on the "File Rating Settings" tab can also be counted among the general proactive protection options.

Another option that affects proactive protection, although it is located in another section, is the "maximum file size" on the "Antivirus monitoring" tab. If a file is not signed by a trusted vendor and its size exceeds the specified value, the file will be treated as unidentified, even if it is manually added to the trusted list. The default size is 40 MB; it can be increased but not reduced. If the file is signed by a trusted vendor, this restriction does not apply.

The parameters specified in the "HIPS" > "Protected Objects" section apply not only to HIPS but also to Auto-Sandbox. Thus, if an application is run with restrictions, protection will cover those files and registry keys that are listed on the corresponding tabs of this section. For applications running in the virtual environment, this section also matters: the contents of the directories listed under "Folders with protected data" will be hidden.

Objects included in the HIPS > "Protected Objects" > "Blocked Files" list are denied any access, including both writing and reading. Paths and path templates are entered into this list. Blocking works only when HIPS is enabled.

I will mention a special case: "Clean PC" mode. Formally this mode belongs to HIPS, but in reality it determines the operation of all proactive protection. If you enable this mode, only files that appear on the disk afterwards will be considered "unidentified". Files that were present on the disk before the mode was enabled receive the rights of trusted ones: HIPS, Auto-Sandbox and the firewall will all treat these "old" files as if they were on the trusted list. Note that "Clean PC" mode has certain problems and is not recommended for use.

Features of file protection

As already mentioned, protection via HIPS or Auto-Sandbox (without virtualization) covers only those files listed in the HIPS > "Protected Objects" > "Protected Files" list. To specify these files, you can use templates (the characters * and ?) and environment variables (%temp%, %windir%, etc.), as well as file groups.

I will note a peculiarity of templates when directories are protected. Usually, if you select a directory through the CIS interface, it is recorded as a template: D:\docs\*. This kind of template matches files and folders located in the selected directory D:\docs and in its subdirectories. Adding this template to the list of protected files protects the corresponding files and folders from being changed. However, the selected directory docs itself is not protected from renaming. If it is renamed, its contents cease to be protected. To protect the directory from renaming, enter it without a backslash and asterisk at the end: D:\docs. Thus, for full protection of a directory and its contents, two lines should be entered into the protected list: D:\docs\* and D:\docs. (A single-line variant is possible, leaving the asterisk at the end but without a backslash: D:\docs*. But such a template will also protect D:\docs2 and so on.)

In the HIPS > "Protected Objects" > "Protected Files" list, many templates end with the symbol |. This symbol also affects the restrictions imposed by Auto-Sandbox. If a program is running in Auto-Sandbox with restrictions but without virtualization, it is prohibited from creating, deleting or modifying files matched by templates ending with |. Files matched by templates without a trailing | are also protected from modification, but a program limited by Auto-Sandbox is allowed to create such files, and to delete the ones it created (but not to modify them). For example, by default a program running with the "partially limited" restriction level may create executable files in the %programfiles% directory, but not in the autostart directory. I emphasize that the symbol | affects the restrictions of Auto-Sandbox in modes without virtualization. Under HIPS protection, creation, deletion and modification of files are all prohibited, regardless of whether | is present in their templates.

There is a problem with specifying paths on removable devices. Formally, you can create a HIPS, Auto-Sandbox or other rule using a path on a removable device such as H:\docs\*, but such a rule will not work: CIS does not recognize the drive letters of removable disks. However, rules not tied to a drive letter will work on removable media, for example protection of EXE files. On the other hand, it is still possible to create Auto-Sandbox rules that apply specifically to programs located on removable media. An example of such a rule is given.

As with removable devices, CIS handles the letters of network drives incorrectly: data on network drive Y: may match neither Y:\* nor even ?:\*. Instead of templates with a network drive letter, you can use templates of the form \\<server_name>*; experiments showed that they work correctly. In particular, to protect data on Yandex.Disk connected as a network drive over the WebDAV protocol, you can add the line \\webdav.yandex* to "Protected Objects" > "Protected Files".

It should also be said that CIS treats as "files" not only physical files but also various system objects, such as physical or virtual devices. On the one hand, this provides configuration flexibility. On the other hand, such objects will not be protected from virtually running programs, even if there are hard prohibitions in the HIPS rules.

Features of registry protection

As with files, protection via HIPS and Auto-Sandbox covers only those registry keys listed in the "HIPS" > "Protected Objects" > "Registry Keys" list.

When specifying registry keys, you can use registry path templates with the characters * and ?.

Consider, for example, the line *\Software\Microsoft\Windows\CurrentVersion\Run*. The * at the beginning means that it covers both the system hive HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER hive of each user separately. Note that the * at the end of this line is not separated by a backslash, so the line covers both subkeys Run and RunOnce. The purpose of this particular line is to protect different kinds of autostart at once: both the shared autostart and the per-user ones, both permanent and one-time.
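The three template behaviors described above (the directory templates D:\docs\*, D:\docs and D:\docs*, the trailing | marker under Auto-Sandbox restrictions, and the registry template *\Software\Microsoft\Windows\CurrentVersion\Run*) can be checked against a small model of the matcher. This is an added example, not Comodo's code: the real CIS matcher is not public, so treating * as "any characters including backslashes", ? as one character, and matching case-insensitively are assumptions, and environment variables are assumed to be already expanded.

```python
"""Model of CIS-style path/registry templates (added example, not Comodo's code)."""
import re


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Translate a template into a case-insensitive anchored regex.
    Assumed semantics: '*' matches any run of characters, backslashes included
    (the article shows D:\\docs\\* covering subdirectories); '?' matches exactly
    one character. A trailing '|' is a marker, not part of the path."""
    body = template.rstrip("|")
    parts = []
    for ch in body:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matching_templates(path: str, templates: list) -> list:
    """All templates in the protected list that cover the given path or key."""
    return [t for t in templates if template_to_regex(t).match(path)]


def is_protected(path: str, templates: list) -> bool:
    return bool(matching_templates(path, templates))


def decision(path: str, operation: str, templates: list, mode: str) -> str:
    """Allow/deny for a program acting on 'path'.
    mode == "hips": a protected object forbids create, delete and modify alike.
    mode == "sandbox" (Auto-Sandbox restrictions, no virtualization): templates
    ending in '|' forbid all three operations; templates without '|' forbid only
    modify, so the program may still create such files and delete what it created."""
    assert operation in ("create", "delete", "modify")
    hits = matching_templates(path, templates)
    if not hits:
        return "allow"
    if mode == "hips" or operation == "modify":
        return "deny"
    if any(t.endswith("|") for t in hits):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed sample lists for a quick demonstration.
    files = [r"D:\docs\*", r"D:\docs"]
    print("D:\\docs\\report.txt protected:", is_protected(r"D:\docs\report.txt", files))
    print("D:\\docs itself protected:", is_protected(r"D:\docs", files))
    print("D:\\docs2 under D:\\docs*:", is_protected(r"D:\docs2", [r"D:\docs*"]))
    run = [r"*\Software\Microsoft\Windows\CurrentVersion\Run*"]
    print("HKCU RunOnce covered:", is_protected(
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce", run))
```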

The registry presets in CIS use abbreviated hive names: HKLM, HKCU and HKUS. These abbreviated names are also substituted automatically when registry paths are entered through the CIS interface. However, in practice HIPS rules in which the hive names are abbreviated may not work. Therefore you should always specify the full hive names: for example, not HKCU\Software\Policies\* but HKEY_CURRENT_USER\Software\Policies\*. You will also need to correct the paths in the preset groups on the HIPS > "HIPS Groups" > "Registry Groups" tab:

  • replace HKLM with HKEY_LOCAL_MACHINE
  • replace HKCU with HKEY_CURRENT_USER
  • replace HKUS with HKEY_USERS

From my observations, CIS handles the abbreviated root hive names incorrectly in cases where the specified path is a link rather than a "real" location in the registry. Examples of such paths: HKLM\SYSTEM\CurrentControlSet\*, HKCU\*.

Another way to specify the HKEY_CURRENT_USER hive is the HKEY_USERS\* template. You can append part of the user's SID to it. For example, the line HKEY_USERS\*1002\Software\Policies\* refers to the Software\Policies key of the HKEY_CURRENT_USER hive for one particular user. This technique can be used to prevent a limited user from changing autostart, file associations and other parameters.

For convenient and readable creation of rules, it is recommended to use registry groups:

  • open the HIPS > "HIPS Groups" > "Registry Groups" tab and create a new group through the context menu;
  • add registry keys to this group and edit the paths if necessary;
  • open the HIPS > "Protected Objects" > "Registry Keys" tab and add the new group to the list;
  • on the HIPS Rules tab, specify the necessary permissions and prohibitions using the groups.

Protecting data from reading

You can protect data not only from modification but also, to some extent, from being read by certain applications. To do this, use the HIPS > "Protected Objects" > "Folders with protected data" tab. Directories added to the list on this tab are protected as follows:

  • programs running virtually see these directories as empty;
  • programs running in the real environment with Auto-Sandbox restrictions are prohibited from listing the contents of these directories;
  • programs whose access to the "Disk" resource is blocked through HIPS are prohibited from listing the contents of these directories (but they can still open files contained in them).

We emphasize that only under virtualization will isolated applications see protected folders as empty and their files as non-existent. If a program is limited only by HIPS, it will be able to open files if it "knows" their paths.

Through the CIS interface you can add to "Folders with protected data" only directories that are visible in Explorer. If you need to protect data in a hidden directory, temporarily enable the display of hidden files and folders in Explorer (for example, through the Control Panel).

The CIS interface allows you to enter into the "Folders with protected data" list only unambiguous directory paths, not templates such as *\ReadProtected\*. Attempting to add a template to this list by editing the configuration file can lead to a BSOD.

You should add only directories on local disks to the "Folders with protected data" list. Formally, you can add removable media or virtual encrypted disks to this list, but protection generally does not work for them.

This protection can be completely bypassed by applications running as administrator. Such applications will be able to see the contents of a protected directory and read the data in it, even if their disk access is blocked, even if they run in the virtual environment, and even if they are isolated by Auto-Sandbox as "partially limited" or "suspicious". I strongly recommend keeping UAC enabled.

Process memory protection

CIS can prevent one process from modifying the memory of another. Thus, programs running virtually and/or with Auto-Sandbox restrictions are prohibited from modifying the memory of processes running in the real environment. Additional restrictions on interprocess memory modification are set in the HIPS rules.

CIS protects processes from modification but not from reading. Even if you block "Interprocess memory access" for a piece of malware and even if you run it virtually, it will be able to read confidential data from the memory of processes running in the real environment. I note that this problem concerns not only the Comodo Sandbox virtual environment but also Sandboxie.

At the same time, protection against interprocess memory modification prevents the creation of a memory dump. Apparently, suspending the process, which is required to create a dump, is prohibited, but not the reading of memory itself.

Command line analysis

Some types of applications are not executed on their own but through an interpreter program. For example, BAT scripts are executed by the system interpreter cmd.exe, VBS scripts by the system interpreter WScript.exe, JAR applications by javaw.exe, which is part of the Java virtual machine, and so on. When a script (or similar application) is launched, the interpreter associated with it is actually started, receiving the path to the script in its command line arguments.

CIS tracks the launch of some interpreters and applies to them the restrictions that apply to the file specified in the command line arguments. Because of this, some types of scripts are treated by CIS as independent applications: their activity is limited by HIPS rules or causes alerts, and Auto-Sandbox isolates the operation of untrusted scripts. (Some features of Auto-Sandbox's handling of scripts are described in the relevant article.) Also, instead of the interpreters, the scripts they execute are displayed.

The launch and activity of various types of applications are controlled in this way: *.bat, *.cmd, *.js, *.vbs, *.wsf, *.hta, *.chm, *.msi, *.jar, etc. Library files are controlled similarly when they are executed by the system program rundll32.exe.

This behavior is set by the option "Perform heuristic command-line analysis for certain applications" on the "HIPS Settings" tab; it is enabled by default. If you disable it, scripts and similar applications will run with the same rights as their interpreters.

CIS 7 had a bug: the launch of scripts with long paths was not controlled. In CIS 8.0 the bug was fixed. Also, all versions from 5.10 to 8.1 had a serious command line analysis vulnerability that allowed running one program with the rights of another. In CIS 8.2 this vulnerability is almost eliminated.
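The following added example (not Comodo's code) models what heuristic command line analysis has to do: pick out the file whose rating should govern the process when a known interpreter is started. The interpreter table, the list of script extensions and the tokenizer are assumptions; CIS does not document which interpreters it handles or how it parses their arguments.

```python
"""Model of heuristic command-line analysis for interpreters (added example)."""
import ntpath

# Assumed table: interpreter executable -> how to find the script it runs.
INTERPRETERS = {
    "cmd.exe": ("after_switch", {"/c", "/k"}),        # cmd.exe /c script.bat
    "wscript.exe": ("first_nonswitch", None),         # wscript.exe //B task.vbs
    "cscript.exe": ("first_nonswitch", None),
    "mshta.exe": ("first_nonswitch", None),           # *.hta
    "hh.exe": ("first_nonswitch", None),              # *.chm
    "msiexec.exe": ("after_switch", {"/i", "/a"}),    # msiexec /i setup.msi
    "javaw.exe": ("after_switch", {"-jar"}),
    "java.exe": ("after_switch", {"-jar"}),
    "rundll32.exe": ("dll_before_comma", None),       # rundll32 lib.dll,Entry
}
# Script types the article lists as controlled, plus DLLs run via rundll32.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".js", ".vbs", ".wsf", ".hta",
                     ".chm", ".msi", ".jar", ".dll"}


def split_cmdline(cmdline: str) -> list:
    """Minimal Windows-style tokenizer: double quotes group spaces; no escapes."""
    args, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def effective_target(cmdline: str, heuristic: bool = True) -> str:
    """Return the path whose file rating and HIPS rules should govern the process.
    With heuristic=False (option disabled) the interpreter itself always governs,
    which is why scripts then inherit their interpreter's rights."""
    args = split_cmdline(cmdline)
    if not args:
        return ""
    exe = args[0]
    rule = INTERPRETERS.get(ntpath.basename(exe).lower())
    if rule is None or not heuristic:
        return exe
    mode, switches = rule
    rest = args[1:]
    candidate = None
    if mode == "first_nonswitch":
        candidate = next((a for a in rest if not a.startswith(("/", "-"))), None)
    elif mode == "after_switch":
        for i, a in enumerate(rest[:-1]):
            if a.lower() in switches:
                candidate = rest[i + 1]
                break
    elif mode == "dll_before_comma" and rest:
        candidate = rest[0].split(",")[0]
    # Only a recognised script type transfers control; "cmd /c echo hi" stays cmd.exe.
    if candidate and ntpath.splitext(candidate)[1].lower() in SCRIPT_EXTENSIONS:
        return candidate
    return exe
```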

Shellcode injection protection option

The "Detect shellcode injections" option is located on the HIPS Settings tab. As the name implies, enabling it is intended to prevent attacks based on buffer overflows.

Nevertheless, the "Detect shellcode injections" option still affects CIS operation. More precisely, the exclusion list for this option has an effect, regardless of whether the option itself is enabled. For applications added to the "shellcode protection" exclusions, the following peculiarities are observed:

At the same time, HIPS controls applications excluded from "shellcode protection" with respect to launching programs, accessing the memory of other processes, sending window messages, changing files and the registry, and accessing the keyboard and the disk. Also, if these applications are run virtually (manually or by Auto-Sandbox rules), their changes to files and the registry should not affect the real environment.

Apparently, it is the injection of the guard(32|64).dll library that is responsible for the CIS functions that do not work for applications excluded from "shellcode protection".

Sometimes adding programs to the exclusions of the "Detect shellcode injections" option eliminates conflicts. Thus, it is usually recommended to add the VMware Player/Workstation directory, the Alcohol program, and another sandbox program together with its sandbox directory to these exclusions. A conflict between CIS 8.2.0.4674 and the Google Chrome 45.0.2454.85 browser was also eliminated by adding the chrome.exe file to the exclusions of this option.

Viruscope

Viruscope alerts

In addition to the basic proactive protection components, HIPS and Auto-Sandbox, there is the Viruscope component, designed to dynamically detect suspicious process activity. It is supposed to detect dangerous behavior of unidentified programs and show an alert offering to roll back the changes made by the specific program and its child processes and to delete the program itself.

If the "Do not show alerts" option is enabled on the Viruscope tab, programs are deleted and changes rolled back automatically (the same happens if you do not respond to the alert within 2 minutes).

Manual rollback of changes

Terminating programs with rollback of the changes they made can be done not only when suspicious activity is detected but also manually. To do this, start the KillSwitch task manager, open the context menu of the desired process and select "Terminate process tree and revert changes". The program file is not deleted. This KillSwitch context menu item is available only when Viruscope is enabled.

Another way to manually terminate programs with rollback of their changes is through HIPS and firewall alerts. When Viruscope is enabled, an additional item appears in these alerts: "Block, terminate and revert changes". When this item is selected, the program and all its child processes are terminated and the changes they made are reverted; the program file is not deleted.

Activity report

When Viruscope is enabled, a new item appears in the context menu called from the CIS main window: "Show activity". Clicking it opens a window with a report on the activity of the selected program and its child processes.

Also, when Viruscope is enabled, the "Show activity" button appears in alerts of various CIS components. Clicking it likewise opens a report on the activity of the program named in the alert.

It should be said that the presentation of the activity report in the CIS window is far from convenient. However, you can export the report through the context menu to an XML file and study it separately.

The activity report can also be viewed through the KillSwitch task manager: the process properties window, opened through the context menu, has a process activity tab. However, in KillSwitch this report is presented even worse than in CIS, and there is no export to a file.

Limiting Viruscope monitoring to isolated programs only

By default, in the "Proactive Security" configuration, the "Use Viruscope" option on the Viruscope tab is enabled and "Apply Viruscope actions only to applications in the Sandbox" is disabled. In this configuration, all processes in both the real and the virtual environment are tracked. The above describes Viruscope operation in this mode.

If you check "Apply Viruscope actions only to applications in the Sandbox", only the activity of programs that run in the virtual environment or are limited by Auto-Sandbox is tracked. For programs running in the real environment without Auto-Sandbox restrictions, activity is not recorded and, accordingly, no report on it is given.

However, after enabling this option, HIPS and firewall alerts will still contain the "Block, terminate and revert changes" item, and the KillSwitch context menu will still have the "Terminate process tree and revert changes" item. In fact, choosing these items will not roll back changes but only terminate the selected program and its child processes.

Managing detection

The Viruscope tab lists a file on the basis of whose data certain application activity is considered suspicious. This file specifies behavior patterns that should cause Viruscope alerts. If you switch the status of such a file to disabled, the corresponding application behavior will not lead to Viruscope alerts and blocking; tracking of program activity will continue.

Limitations and problems of Viruscope

Viruscope cannot roll back actions such as deleting files from the disk. Also, changes made during previous runs of the suspicious process are not rolled back. Rolling back the changes of a process mistakenly recognized as dangerous can lead to data loss (this risk arises in "Do not show alerts" mode).

CIS 7 had a serious problem: with Viruscope enabled, unpredictable failures of safe applications occurred. These failures happened without any notifications or records in the CIS logs, which made it hard to find their causes. Apparently, the failures were provoked by the monitoring of processes rather than by the detection of suspicious behavior.

In CIS 8, the previously known conflicts have stopped manifesting. Perhaps the problem has been eliminated. However, given its seriousness and the difficulty of detecting it, I still recommend disabling Viruscope. Taking all the limitations into account, the benefit of Viruscope for protection is small.

For safe use of Viruscope, you can enable it with "Apply Viruscope actions only to applications in the Sandbox". But in that case Viruscope's purpose will not be protection but the study of the operation of applications running in the virtual environment.
