Chapter 14. Problems with Host Intrusion Prevention

The basic idea behind HIPS (host intrusion prevention system) technology is that it tries to protect you where traditional signature-based AV fails, primarily by watching the behavior of programs that your AV allows to run. If it sees a program behaving badly, the HIPS will stop it (hopefully before it does anything too bad).

I previously argued that in the consumer’s mind, it’s all AV; this is just some other arcane thing that’s trying to keep the bad stuff off. Who cares what it does?

If you do care, the distinction HIPS vendors used to make was that AV is all signature matching—that people write signatures, and those get sent down to end users. HIPS, they would say, is proactive, not reactive. It detects based on bad behavior and will hopefully detect new things, where the AV products don’t have signatures.

Bah, humbug!

AV products, almost without exception, have HIPS technology in them. It might be called “heuristic detection” or something innocuous like that, but it’s in there!

Now, standalone HIPS products do generally lean harder on proactive detection than the typical AV product, but the price of that aggressiveness is that the typical HIPS product generates far too many false positives. People don’t like to be nagged by pop-ups, especially from software they paid for that is supposed to make their lives easier.
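To make the signature-versus-behavior distinction and the false-positive trade-off concrete, here is an added toy model in Python. It is not code from the book or from any AV or HIPS product: the process traces, hashes, paths, IP addresses (documentation ranges) and rule weights are all constructed for illustration. A "signature AV" blocks only hashes it has seen before; a "HIPS" sums weighted behavioral rules over each process's events and blocks above a threshold. Lowering the threshold catches a repacked sample and a quiet dropper that no signature knows about, but also blocks a legitimate installer that drops an updater and registers it to run at login.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    sha256: str      # placeholder hash, not a real file
    malicious: bool  # ground truth, used only to score the detectors
    events: list     # (event_type, target) tuples in the order they occurred


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed traces (not real telemetry). IPs are from RFC 5737 ranges.
SAMPLES = [
    Sample("known_malware.exe", "a" * 64, True, [
        ("write", r"C:\Users\bob\AppData\Roaming\svc.exe"),
        ("registry_set", RUN_KEY),
        ("inject", "explorer.exe"),
        ("connect", "198.51.100.7:4444"),
    ]),
    # Same behavior, repacked so the hash matches no signature.
    Sample("repacked_variant.exe", "b" * 64, True, [
        ("write", r"C:\Users\bob\AppData\Roaming\svc.exe"),
        ("registry_set", RUN_KEY),
        ("inject", "explorer.exe"),
        ("connect", "198.51.100.7:4444"),
    ]),
    # Quieter dropper: persists and beacons over 443, never injects.
    Sample("stealthy_dropper.exe", "c" * 64, True, [
        ("write", r"C:\Users\bob\AppData\Local\Temp\upd.exe"),
        ("registry_set", RUN_KEY),
        ("connect", "203.0.113.9:443"),
    ]),
    # Legitimate installer: drops an updater, sets it to run at login,
    # checks for updates over plain HTTP. Behaviorally it looks like malware.
    Sample("setup_installer.exe", "d" * 64, False, [
        ("write", r"C:\Users\bob\AppData\Local\Vendor\updater.exe"),
        ("registry_set", RUN_KEY),
        ("connect", "203.0.113.20:80"),
    ]),
    Sample("notepad.exe", "e" * 64, False, [
        ("read", r"C:\Users\bob\Documents\notes.txt"),
    ]),
]

# Signature database: only hashes someone has already written a signature for.
SIGNATURES = {"a" * 64: "Trojan.Generic"}


def signature_verdict(sample):
    """Signature AV: returns the detection name, or None if the hash is unknown."""
    return SIGNATURES.get(sample.sha256)


# Behavioral rules: (name, predicate over one event, weight). Weights are illustrative.
RULES = [
    ("drops executable in user profile",
     lambda t, x: t == "write" and "AppData" in x and x.lower().endswith(".exe"), 3),
    ("adds autorun entry",
     lambda t, x: t == "registry_set" and x.upper().endswith("\\RUN"), 2),
    ("injects into another process", lambda t, x: t == "inject", 4),
    ("connects on a non-HTTPS port",
     lambda t, x: t == "connect" and not x.endswith(":443"), 2),
]


def behaviour_score(events):
    """Return (total score, names of rules that fired) for one process trace."""
    fired = [(name, w) for name, pred, w in RULES
             if any(pred(t, x) for t, x in events)]
    return sum(w for _, w in fired), [name for name, _ in fired]


def evaluate(threshold):
    """Run the HIPS over every sample; block when score >= threshold."""
    result = {"threshold": threshold, "blocked": [], "tp": 0, "fp": 0, "fn": 0}
    for s in SAMPLES:
        score, _ = behaviour_score(s.events)
        blocked = score >= threshold
        if blocked:
            result["blocked"].append(s.name)
        if blocked and s.malicious:
            result["tp"] += 1
        elif blocked and not s.malicious:
            result["fp"] += 1
        elif not blocked and s.malicious:
            result["fn"] += 1
    return result


if __name__ == "__main__":
    for s in SAMPLES:
        score, fired = behaviour_score(s.events)
        print(f"{s.name:24} sig={signature_verdict(s)!s:15} score={score:2} {fired}")
    for th in (5, 7, 10):   # aggressive HIPS, middle ground, conservative AV heuristic
        print(evaluate(th))
```

Running it shows the chapter's point in miniature: the signature engine catches only known_malware.exe, the aggressive threshold (5) catches all three malicious samples but also blocks the installer, and the conservative threshold (10) has no false positive but misses the quiet dropper. Note that the benign installer (score 7) actually outscores the stealthy dropper (score 5), so no threshold separates them; that is the kind of rule set that gets tuned down, or left out, before it ships inside a mass-market AV product.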

HIPS technology that doesn’t generate many false positives ends up inside AV products. Any other HIPS technology should never run in an environment where people ...

Get The Myths of Security now with the O’Reilly learning platform.