Free host intrusion prevention for Windows
"Host intrusion prevention" (HIP) software tries to stop malicious software either either recognizing patterns of malicious activity, or by blocking access to critical system areas. When properly implemented, HIP very effective at stopping new ("zero day") attacks that anti-virus (AV) software is largely incapable of preventing.
People seem to have a hard time understanding the difference between HIP and anti-virus, so let’s put it in overly simplistic terms:
- Anti-virus software: identifies malicious code by what it looks like.
- Host intrusion prevention software identifies malicious code by what it does.
AV software identifies malware by matching sequences of bytes in a file with a list of known malware (yes there’s more to it than that, but that’s the basic idea). HIP on the other hand tries to stop malicious actions as they are attempted. This is done in two ways:
- Access controls: by checking the actions of each application against a list of allowed actions (e.g. A web browser is allowed to save files, but not access the system registry)
- Behavior: by monitoring sequences of actions (e.g. An email message is opened then MS Outlook suddenly starts sending attachments to everyone in your address book)
Most HIP products use a combination of both approaches though some are purely behavior-based. By controlling and identifying actions, HIP software is far more effective than anti-virus. For anti-virus to identify and stop malicious actions, all of the following must occur:
- The malicious code must have been captured by the AV vendor (vendors discover new malware a variety of ways, such as by using "bait" machines (honeypots) on the Internet that pose as vulnerable Windows machine)
- The AV vendor must have decide the malware is widespread enough to bother with (AV vendors focus on widespread, public malware)
- The AV vendors must have analyzed the code and found a sequence of bytes that uniquely identify that code.
- The byte sequence must have been added to the daily/weekly AV database update.
- Your organization must have downloaded the update and distributed it to all computers.
Twenty years ago when the pattern-based anti-virus approach was first conceived, that approach worked well. Back then malware spread via floppy disk. AV companies had ample time to collect samples, identify unique patterns, and distribute updates to customers.
Now however, malware is developed and spread much faster than AV patterns can be implemented. Also, the public mass destruction malware that AV vendors focus on is being supplanted by smaller targeted malware written for financial gain. Most malware is now being written to wipe out bank accounts, not hard drives. Targets are small, like the customers of one little online bank, and distribution is swift: victims are usually fleeced long before any AV vendor can respond.
Some HIP products also use patterns that must be downloaded once in a while. However, these are patterns of suspicious actions or lists of system areas to protect… not patterns of bytes in a file. HIP products that use downloadable patterns require updates infrequently, like once per quarter.
Are you HIP?
There is a wide variety of HIP software available, each having different capabilities. There’s no universal agreement on exactly what functions HIP software should perform (other than stop malicious actions without relying on file patterns) but as minimum all HIP should be able to control access to the following areas:
- File system (including modification of EXEs and shared libraries)
- Windows registry
- System memory
- Running processes (including system services, spawning of sub-processes and code injection)
Better HIP software will also be able to control access to the following:
- Windows message passing (e.g. "shatter" attacks)
- COM and OLE
- Network access (binding to a port, sending outbound traffic etc.)
Another criteria for HIP is that it must control access to system resources per application. Resources that MS Internet Explorer can access can be different from those of MS Outlook. High-end HIP software like Cisco Security Agent allow administrators to specific precisely what resource each application can access. Other HIP use vendor-defined databases or restrict all applications the same until placed on a trusted list.
What’s available
There are many good commercial HIP products available: McAfee bought Entercept, Cisco bought Okena, but these are aimed at the enterprise market. They require centralized servers and a significant investment in knowledge, time and capital.
Fortunately for smaller users there are quite a few free and free-for-personal-use HIP products available. Here are a few that we’ve found:
GentleSecurity GeSWall: A comprehensive HIP with both generic protection and rules for enforcing resource access for specific applications (e.g. ME Internet explorer). Desktop version free for personal use.
eEye Blink: Very comprehensive. Free for personal use version monitors applications, registry, memory, and provides a personal firewall (apparently with network intrusion prevention abilities).
PrevX Prevx1: More of an EXE monitor than a HIP: it maintains a shared list of known executables and blocks known "bad" ones. According to comments from PrevX, it also provides "generic keylogger, rootkit and buffer overflow protection". The literature is unclear but it seems that once an application is allowed to execute it is able to access any system resource, rather than just resources it "should" access.
PrivacyWare DSA: Monitors applications, registry, email, services and network. Free for personal and non-commercial use.
Novatix Cyberhawk: The vendor provides no details on which resources it protects, but this appear to be a purely behavior based HIP especially for non-technical users.
CoreImpact COREFORCE: Free for personal and commercial use. Includes a stateful firewall derived from the OpenBSD pf packet filter. Filesystem, network, registry, program integrity. Seems to use a community developed database of specific rules for each application (Firefox, etc).
Arovax Shield: A basic registry monitor. Apparently only monitors and prevents certain registry changes so only performs a small part of what a a full HIP system should do. It can also prevent changes to the system’s hosts file and creation of http cookies in Internet explorer.
Not ready for prime time:
In addition to the above, there are many up-and-comers that are promising but, in my opinion, aren’t yet mature enough for daily use:
winpooch: Open source. Still in beta. Monitors access to critical files only. One interesting feature is that winpooch can integrate with ClamWin to scan files on access, a feature ClamWin desperately needs.
Neoava Guard: A promising but still in beta HIP by a single developer. Can monitor disk, memory, some network access, prompts when unknown EXEs are run, has activity thresholds to detect worm-like behavior and more features being added.
System Safety: Limited trial and freeware version. EXE control (run or block, permit spawning) and registry access control.
Not listed:
I haven’t listed single product protectors (e.g. IE specific), personal firewalls that control only network access, simple file / registry monitors, address space randomizers and the like. A HIP must be able to monitor any application and control access to at least a couple of the resources listed above.
Do you need HIP?
If you have host intrusion prevention installed, do you still need anti-virus? Well, why not… anti-virus is still useful to catch the older malware still in circulation. Both technologies can usually be used without conflict.
Using both HIP and AV provides multiple layers of defense ("defense in depth") which is always a good practice. A Windows system armored by AV, HIP, a personal firewall and not running as Administrator makes a formidable target for malicious software.
Related posts:
- Free antivirus – what’s available now
- The most important Windows security tool
- The most effective malware prevention
- Windows .NET rootkits are easy
Tags: antivirus, host intrusion prevention, Malware, windows, Windows security
4 Responses to “Free host intrusion prevention for Windows”:
November 3rd, 2006 at 4:04 pm
Hi,
Prevx1 contains considerably more then just execution control. Including the scanner Prevx1 will provide generic keylogger, rootkit and buffer overflow protection in additional to the behavioral control if you switch into Prevx1 Pro or Prevx1 Expert modes.
The Central database provides considerable heuristic rules to automate the determination of malware providing a greater level of agent protection.
More detail can be found at:
http://info.prevx.com/download.asp?grab=prevx1overview
Regards,
Prevx Support
November 5th, 2006 at 10:44 pm
Thanks very much… I’ve edited the article to include that additional info.
The doc you linked to is a little more clear than what I’d read previously, but it still seems like Prevx1 can only control whether an EXE is allowed to execute. From the PDF on unknown programs:
So Prevx1 allows users to make a "run/don’t run" decision for an unknown program, and make that same decision later if the program tries to perform an "unknown action". Sounds like EXE control, with the added feature of monitoring actions once an EXE has been permitted to run. Most HIP software on the other hand allows more fine-grained access control: e.g. prevent an app from accessing the network, but allow it to write to the filesystem.
November 6th, 2006 at 11:23 am
Hi,
Prevx1 was born out of the development of Prevx Home and Prevx Pro 2005 which I guess you would class as pure HIPS. As with most HIPS solutions these raise complex questions to the end user to determine what should run. The stats we collected with these products showed 50% of the user base answered incorrectly to question such as should fvprotect.exe be allowed to run or modify the registry. HIPS therefore in its current form would be difficult to implement as a mainstream consumer security product unless these issues were addressed.
Prevx aimed to build on the knowledge we gained at being the first consumer based HIPS solution. We rewrote the Prevx Home/Pro product with a view to reducing the noise and taking away the decision making process in its basic form. We remained however true to the HIPS model by maintaining the ability to raise questions if the user chooses by providing different modes. ABC, Pro and Expert modes have varying degrees of HIPS style functionality.
In Expert mode you will be queried for most activities on your system, such as Regedit trying to modify the Runkey in the registry. This will raise a query to the user to allow the activity to continue. The action you take will create a personal rule which you can then further edit.
On a multi user license key you have access to the Control Centre which provides you with access to the full list of protection modes available within the product. Here you can fine tune the protection within Prevx1. You can for example modify the Runkey policy to automatically; Prevent, Query or Allow (or disable altogether with Off).
The configuration of Prevx1 now becomes the end users choice, either default to allow the Prevx1 Central Db to take care of most of the decisions and reduce the popup noise or run in Pro/Expert mode to make your own determinations.
Regards,
Prevx Support
December 29th, 2007 at 11:00 am
[...] http://advosys.ca/viewpoints/2006/11/free-host-intrusion-prevention/Â [...]