A sample (not exhaustive) list of typical classical HIPS abilities:
1- Enables the user to make very extensive configurations.
2- Can often detect zero-day malware/threats/exploits that might be missed by blacklist-based security apps.
3- Leaves most decisions to the user. That is, it alerts the user to what MIGHT be a nasty, and gives the user choices such as Allow, Block, or Kill – with sub-options of "This Time" or "Always".
4- In the hands of a careless or lazy user, a classical HIPS will be of less value than a Behavior Blocker (BB). Why? Because BBs tend to make many decisions based on artificial intelligence ("expert-based"), and thus present fewer alerts requiring user decision. HOWEVER, in the hands of a conscientious user who enjoys doing a bit of research from time to time, a classical HIPS gives very VERY powerful protection.
5- Process Execution- The HIPS alerts its user whenever any unknown process (a process not on its whitelist) tries to execute and gives the user choices such as…
a- Allow it to start (once)
b- Allow it to start and add it to the white list of approved applications
c- Block it from starting (once)
d- Block it from starting and add it to blacklist
e- Terminate the process
6- Child/Parent control- Allows user to specify not only which processes can start, but also which processes (children) can be started BY which processes (parents).
7- Process Termination- HIPS can protect specified processes from termination attempts (including thread suspension methods) or give the user a chance to intercept such termination attempts.
8- Process Modification- This feature protects critical processes from being manipulated and modified. This includes attacks such as code/memory injections as well as protection against remote thread creation/suspension/injection.
9- Access to physical memory- Blocks direct access to physical memory, which would otherwise give kernel-level access.
10- Global hook control- Provides control over hooking done by Windows programs, which is often but not always associated with keylogging. Some HIPS also block other keylogging polling techniques such as GetKeyState and GetAsyncKeyState.
11- Service/Driver control- Alerts to software that requires drivers and services. Such programs, if malicious, can be dangerous because they work in ring zero (kernel access).
12- System Shutdown protection- Warns whenever a process attempts to shut down the whole system.
13- Network control- Enables user to control network connections on a process-by-process basis.
14- Startup control-registry- Monitors and blocks changes to registry locations relating to auto-start.
15- Startup control-files – Entries in registry keys are not the only way for malware to register itself for auto-start. A HIPS monitors such file and directory locations as well (e.g. the Startup folder or old-style win.ini type files).
16- Some HIPS can protect or monitor any specified file or folder.
17- Monitor sensitive areas- Provides warning when files (win.ini, hosts, system files, etc.) are being modified/deleted or if new files are being added.
18- Block low level disk access- Provides warning when low-level disk access occurs, e.g. access to \Device\Harddisk0\DR0. This can prevent things such as KillDisk-type trojans that trash your hard disk.
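To make the decision flow in items 3, 5, 6 and 17 concrete, here is a small added example (constructed for this post, not code from the original post or from any HIPS product) of a toy policy engine: an unknown process start raises an alert and the "user" answers Allow or Block, once or always; child/parent rules are enforced even for approved images; writes into a sensitive folder are intercepted. The paths, rules and event stream are all made up, the "user" is a scripted callback standing in for the real prompt, and unanswered prompts fail closed (block once).

```python
"""Toy HIPS-style policy engine (added, constructed example; not a real product's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple, Union

Answer = Tuple[str, str]   # (verdict, scope): verdict in {allow, block}, scope in {once, always}
Key = Tuple[str, ...]      # identifies a prompt so an "Always" answer can be remembered


@dataclass(frozen=True)
class ProcessStart:
    image: str   # executable trying to start
    parent: str  # executable that launched it


@dataclass(frozen=True)
class FileWrite:
    image: str   # process performing the write
    path: str    # file being touched
    action: str  # "modify" | "create" | "delete"


Event = Union[ProcessStart, FileWrite]


class ToyHips:
    def __init__(self, whitelist, blacklist, parent_rules, sensitive_prefixes, ask):
        self.whitelist: Set[str] = set(whitelist)
        self.blacklist: Set[str] = set(blacklist)
        # child image -> parents allowed to launch it (item 6); images without an entry are unrestricted
        self.parent_rules: Dict[str, Set[str]] = {c: set(p) for c, p in parent_rules.items()}
        self.sensitive_prefixes: List[str] = list(sensitive_prefixes)   # item 17
        self.ask: Callable[[Key, str], Answer] = ask   # stands in for the interactive prompt
        self.remembered: Dict[Key, str] = {}           # "Always" answers for parent/file prompts
        self.alerts: List[str] = []                    # every question that reached the user

    def handle(self, ev: Event) -> str:
        return self._process_start(ev) if isinstance(ev, ProcessStart) else self._file_write(ev)

    def _process_start(self, ev: ProcessStart) -> str:
        if ev.image in self.blacklist:            # item 5d: "Block always" was chosen earlier
            return "block"
        if ev.image not in self.whitelist:        # item 5: unknown process -> alert the user
            verdict, scope = self._prompt(("exec", ev.image),
                                          f"unknown process {ev.image} (parent {ev.parent}) wants to start")
            if scope == "always":                 # items 5b / 5d: persist the choice
                (self.whitelist if verdict == "allow" else self.blacklist).add(ev.image)
            if verdict == "block":
                return "block"
        allowed = self.parent_rules.get(ev.image)  # item 6: approved image, but approved parent?
        if allowed is not None and ev.parent not in allowed:
            return self._remembered_or_prompt(("parent", ev.image, ev.parent),
                                              f"{ev.parent} is trying to launch {ev.image}")
        return "allow"

    def _file_write(self, ev: FileWrite) -> str:
        for prefix in self.sensitive_prefixes:     # item 17: sensitive files/folders
            if ev.path.startswith(prefix):
                return self._remembered_or_prompt(("file", ev.image, prefix),
                                                  f"{ev.image} wants to {ev.action} {ev.path}")
        return "allow"

    def _remembered_or_prompt(self, key: Key, question: str) -> str:
        if key in self.remembered:                 # earlier "Always" answer: no new alert
            return self.remembered[key]
        verdict, scope = self._prompt(key, question)
        if scope == "always":
            self.remembered[key] = verdict
        return verdict

    def _prompt(self, key: Key, question: str) -> Answer:
        self.alerts.append(question)
        verdict, scope = self.ask(key, question)
        if verdict not in ("allow", "block") or scope not in ("once", "always"):
            raise ValueError(f"bad answer {verdict!r}/{scope!r} for: {question}")
        return verdict, scope


def scripted_user(answers: Dict[Key, Answer], default: Answer = ("block", "once")):
    """Stand-in for the user: pre-decided answers by key; anything else fails closed."""
    return lambda key, question: answers.get(key, default)


# Constructed paths for the demo (not real telemetry).
EXPLORER = "c:\\windows\\explorer.exe"
CMD = "c:\\windows\\system32\\cmd.exe"
WINWORD = "c:\\program files\\office\\winword.exe"
EDITOR = "c:\\program files\\editor\\editor.exe"
INVOICE = "c:\\users\\alice\\downloads\\invoice.exe"
WIPER = "c:\\temp\\wiper.exe"
HOSTS = "c:\\windows\\system32\\drivers\\etc\\hosts"


def run_demo() -> Tuple[List[str], int]:
    """Feed a constructed event stream through the engine; returns (verdicts, number of alerts)."""
    user = scripted_user({
        ("exec", INVOICE): ("allow", "once"),            # 5a
        ("exec", EDITOR): ("allow", "always"),           # 5b
        ("parent", CMD, WINWORD): ("block", "always"),   # 6
    })
    hips = ToyHips(whitelist={EXPLORER, CMD, WINWORD}, blacklist={WIPER},
                   parent_rules={CMD: {EXPLORER}},        # only explorer may spawn cmd.exe
                   sensitive_prefixes=["c:\\windows\\system32\\drivers\\etc\\"], ask=user)
    events = [
        ProcessStart(WINWORD, EXPLORER),     # whitelisted, no parent rule          -> allow
        ProcessStart(INVOICE, EXPLORER),     # unknown, user: allow once            -> allow
        ProcessStart(INVOICE, EXPLORER),     # still unknown, so asked again        -> allow
        ProcessStart(EDITOR, EXPLORER),      # unknown, user: allow always          -> allow
        ProcessStart(EDITOR, EXPLORER),      # now whitelisted, no alert            -> allow
        ProcessStart(CMD, WINWORD),          # parent rule violated, block always   -> block
        ProcessStart(CMD, WINWORD),          # remembered, no alert                 -> block
        ProcessStart(CMD, EXPLORER),         # approved parent                      -> allow
        FileWrite(EDITOR, HOSTS, "modify"),  # sensitive area, no scripted answer   -> block
        FileWrite(EDITOR, "c:\\users\\alice\\notes.txt", "modify"),  # not sensitive -> allow
        ProcessStart(WIPER, EXPLORER),       # blacklisted, silent                  -> block
    ]
    verdicts = [hips.handle(ev) for ev in events]
    return verdicts, len(hips.alerts)


if __name__ == "__main__":
    v, n = run_demo()
    print("verdicts:", v)
    print("alerts shown to user:", n)
```

The point of the scripted user is the one item 4 makes: every "once" answer comes back as a fresh alert, while an "always" answer is remembered (whitelist/blacklist for process starts, the remembered table for parent and file prompts), so the protection is only as good as the care taken on each prompt.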
[b]NOTE 1:[/b] A HIPS is a type of firewall. There are TWO main types of firewalls:
1- "Conventional Firewall" -- a firewall between the Operating System and the internet.
2- "Classical HIPS" -- a firewall between applications and the kernel of the Operating System.
[b]NOTE 2:[/b] Most stand-alone firewalls (FW) include BOTH a conventional FW & a HIPS-type FW.
4 examples of apps with BOTH types of FW (conventional FW & HIPS-FW): Outpost FW, Private FW, Online Armor FW, Comodo Firewall. In each example, the HIPS components can be "switched off" &/or not installed.
[b]NOTE 3:[/b] WinPatrol : HIPS :: Toy Poodle : Rottweiler