RE: A possible HIPS? Was: Looking for HIDS-only products for XP/2000Pro

["Bill Stout" <bill.stout () greenborder com>]

That would be a version of a sandbox which can be implemented; as
applets, jails, virtual machines, or a capability system.

You might also take a look at our demo download.  It's along the same
lines, although it extends protection to the file system, registry,
network, DCOM, and user shell.  To do so you'll need to granularly hook
into system calls at the kernel level, and have logic to determine when
to launch a process in protected space.  Here's a direct link (bypasses
registration steps):
http://www.greenborder.com/downloads/GreenBorder_TestDrive_v101.zip.
Come back and register through the main web page if you're interested in
deploying this in a company environment.

Bill


-----Original Message-----
From: Brian Azzopardi [mailto:brian () unixpoet com] 
Sent: Tuesday, August 09, 2005 11:21 AM
To: Bill Stout; focus-ids () securityfocus com
Subject: A possible HIPS? Was: Looking for HIDS-only products for
XP/2000Pro


I have implemented a tool which might be useful to protect against both
known and unknown malware. The tool works by restricting the
user-specified
applications to, what in Unix-land would be, a jail. The applications,
for
example IE or Outlook, have only read/write or read only rights to
certain
directories/files. In future I plan to extend the app to protect the
registry as well. I've tested it on W2k/XPpro/W2k3.

I would love to know what the list think of the idea.

Thanks,
Brian


PS
If enough people ask I will release it.


-----Original Message-----
From: Bill Stout [mailto:bill.stout () greenborder com] 
Sent: Thursday, August 04, 2005 6:20 AM
To: focus-ids () securityfocus com
Subject: Looking for HIDS-only products for XP/2000Pro

I'm assuming most companies do both HIDS and blocking.  Are there any
companies which specialize in HIDS for XP/2000Pro?  Specifically passive
(worm/virus/Trojan) attacks, maybe with an online database for
reference.

In other words, if we have a product which protects against certain
vectors
(IE & Outlook), and we want to prove that it did protect them although
it
doesn't detect, what could I use to detect and identify specific
attacks?

Bill Stout
Director of IT
GreenBorder, Inc
www.greenborder.com


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------