Windows Vista and 3rd Party Security Protection

re: Windows Vista and 3rd Party Security Protection

PeteLind — Wed, 25 Oct 2006 04:36:33 GMT

You qualify the HIPS statement with "...that depends on hooking the kernel." Does this mean there is a way (or are ways) to do HIPS that don't depend on hooking the kernel? Thanks.

Pete

re: Windows Vista and 3rd Party Security Protection

jrjones — Wed, 25 Oct 2006 18:49:08 GMT

Pete

Well, Sophos calls their technique a host intrusion prevention technique, so that is one.

More broadly though, HIPS is a collection of technologies. There are types of behavior that could be monitored for using the existing file system filtering (e.g. opening key files) and the new Vista registry filtering capabilities. The latter could definitely be used to monitor for common behaviors used by stealth malware to get themselves re-started after boots.

Some existing HIPS software also incorporate checks for anything accessing the network, so the new firewall filter APIs could be used for that.

Regards,

Jeff

re: Windows Vista and 3rd Party Security Protection

PeteLind — Wed, 25 Oct 2006 20:32:35 GMT

Okay - so no way to monitor system calls then; it relies on an "extended" definition of HIPS (I am okay with that in general, but it is a bit different than what is usually understood as HIPS-like capability. And Sophos' stuff doesn't really come close even though it does create an interesting alternative avenue). Each of these targets (file system, registry, network) have weaknesses in their coverage, but I guess the real question is whether together they can stop any/all known (to go easy) attacks.