
Thread: Free Intrusion Prevention software

  1. #1
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber

    Free Intrusion Prevention software

    Short version:
    Check out this article - The Register article on PrevX


    Long version:
    For those that don't know, here is a quick run-down on IDS & IPS:

    The concept of an Intrusion Detection System (IDS) has been around for years - they can be network or host-based and typically use signatures to spot different types of attacks.
    For example, network-based IDS can spot port scans, repeated login failures to web servers, buffer overflow attempts for web services, while host-based IDS can spot repeated local login failures, scripts attempting to elevate their privileges and so on.

    They have a set of actions they can perform when an event is triggered, sending an SNMP alert or an email, or maybe using commands with compatible hardware firewalls to create a temporary rule to block the attack in real-time.


    By contrast, the Intrusion Prevention System (IPS) concept is all about the detection and prevention of the attack before it can have an effect or reach a potentially vulnerable system.
    IPS is starting to be included in high-end firewall vendor products - CheckPoint have "SmartDefense" integrated in its Firewall-1 line.


    PrevX is the first free, consumer-aimed IPS product I have come across and I intend to give it a try on my work and home PCs to see if it:
    - works
    - has a significant impact on system performance
    - conflicts with any software I run


    Computer security is all about a combination of methods to protect yourself; there is no single "silver bullet", especially as malware has evolved over the years.

    Personal firewalls, "hardware" firewalls, anti-virus, trojan & spyware detection tools and IPS can work together and have individual roles - and with the exception of the hardware firewall there are free versions of all these products (in some cases quite a few choices).
    To say that any one of these tools is not needed is incorrect, in my opinion - too many times have I heard of people not running AV because they are "too careful to run things they don't know about", but neglect to think of what might happen if their OS or an application decided to run something on their behalf, or through some vulnerability.


    I'll try to remember to report back here if I find anything significant (good or bad) with this product.
    I hope this was of use to some of you.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3
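
The signature-and-action model described in post #1 (repeated login failures, port scans, then an alert or a temporary block), shown as an added example that is not part of the original post or of any product's code. The event format, thresholds, action names and addresses are assumptions constructed for illustration:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical signatures: kind -> (threshold, window, distinct field, action)
RULES = {
    "login_fail": (5, timedelta(seconds=60), None, "email_alert"),
    "conn": (10, timedelta(seconds=10), "port", "temp_block"),  # port scan
}

def parse(line):
    """Parse 'ISO-time source kind key=value ...' into a dict."""
    ts, src, kind, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "src": src, "kind": kind}
    event.update(p.split("=", 1) for p in pairs)
    return event

def detect(lines):
    """Return (time, source, kind, action), once per source and rule that fires."""
    windows = defaultdict(deque)  # (source, kind) -> events still inside the window
    fired, alerts = set(), []
    for event in map(parse, lines):
        rule = RULES.get(event["kind"])
        if rule is None:
            continue
        threshold, window, distinct, action = rule
        key = (event["src"], event["kind"])
        recent = windows[key]
        recent.append(event)
        while event["ts"] - recent[0]["ts"] > window:
            recent.popleft()  # slide the window forward
        # Scans count distinct ports; login failures count raw events
        count = len({e[distinct] for e in recent}) if distinct else len(recent)
        if count >= threshold and key not in fired:
            fired.add(key)
            alerts.append((event["ts"].isoformat(), event["src"], event["kind"], action))
    return alerts

def sample_events():
    """Constructed log: a failure burst, slow failures, a scan, a busy client."""
    day = "2004-09-07T08"
    a = [f"{day}:00:{s:02d} 192.0.2.10 login_fail user=admin" for s in (0, 10, 20, 30, 40)]
    b = [f"{day}:{m:02d}:00 192.0.2.20 login_fail user=bob" for m in (0, 2, 4, 6, 8)]
    c = [f"{day}:01:{s:02d} 198.51.100.7 conn port={20 + s}" for s in range(10)]
    d = [f"{day}:01:{s:02d} 198.51.100.9 conn port=443" for s in range(12)]
    return a + b + c + d
```

Only the burst of failures and the ten-port sweep raise alerts; the slow failures and the client that keeps reconnecting to one port stay below their signatures.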

  2. #2
    0iD
    M*I*A 0iD's Avatar
    Join Date
    Jul 2003
    Location
    Happy Llama Land
    Posts
    13,247
    Thanks
    1,435
    Thanked
    1,209 times in 757 posts
    • 0iD's system
      • Motherboard:
      • Leave my mother out of it!
      • CPU:
      • If I knew what it meant?
      • Memory:
      • Wah?
      • Storage:
      • Cupboards and drawers
      • Graphics card(s):
      • Slate & chalk
      • PSU:
      • meh
      • Case:
      • Suit or Brief?
      • Operating System:
      • Brain
      • Monitor(s):
      • I was 1 at skool
      • Internet:
      • 28k Dialup
    Looks very interesting, keep us posted
    Quote Originally Posted by Blitzen
    When I say go, both walk in the opposite direction for 10 paces, draw handbags, then bitch-slap each other!

  3. #3
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    Join Date
    Jul 2003
    Location
    Sunny MK
    Posts
    2,504
    Thanks
    80
    Thanked
    44 times in 41 posts
    Looks good - Be interested to learn what you think

  4. #4
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    385 times in 314 posts
    A secure system is like a suit of armour, it requires a number of different sections and layers to provide complete protection
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  5. #5
    Ex-MSFT Paul Adams's Avatar
    At first glance (installed on 3 XP SP2 systems) it seems very polished and has no noticeable impact on system performance.

    Some people might find it a little "invasive" with the popup messages at first, but ultimately it has to know what it can and can't trust to access what it considers sensitive resources.

    So far I've only seen it generate pop-up alerts from:
    - Internet Explorer doing registry and file checks
    - Outlook 2003 when it was trying to execute its rules and I think set up its listener for mail events
    - Windows Update adding a "run once" entry to enable installation of a .NET update after rebooting

    However, on reviewing its log, it does appear to have prevented the MSIEXEC and .NET Framework Update tools from editing some registry entries (without alerting me), so I'm not sure if this could interfere with the correct application of hotfixes or possibly installation of genuine products.

    It might be a case of adding some exceptions to the list manually, but I can only see a way to globally enable or disable the "Registry Run-Key Protection" security option... which kind of reduces the value of the tool.

    Jury is still out yet, going to feed this back to the authors.


    Addendum:
    There is currently no way I can see to view (let alone edit) the list of "don't ask me this again" options you have previously selected, so you have no idea if something/someone else has updated this list without your knowledge, or the ability to change your mind, or if it is using CRC checks on the files to verify their integrity.
    (All you can do is clear the entire list blindly.)
    Ew.
    Last edited by Paul Adams; 07-09-2004 at 08:09 AM.
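
One way to close the gaps raised in the addendum to post #5: a trust list that can be viewed, revoked per entry, tied to file contents and checked for edits made behind the tool's back. This is an added example, not Prevx code; it uses SHA-256 where the post mentions CRC checks, and the class, key and file names are hypothetical:

```python
import hashlib, hmac, json, tempfile
from pathlib import Path
class TrustList:
    """Hypothetical 'don't ask me again' store: file path -> SHA-256 at approval."""

    def __init__(self, key: bytes):
        self._key = key  # assumption: stored where other programs cannot read it
        self.entries = {}
        self.tag = self._seal()

    def _seal(self):
        # MAC over the canonical list, so edits made outside this class show up
        blob = json.dumps(self.entries, sort_keys=True).encode()
        return hmac.new(self._key, blob, hashlib.sha256).hexdigest()

    @staticmethod
    def digest(path):
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()

    def approve(self, path):
        self.entries[str(path)] = self.digest(path)
        self.tag = self._seal()

    def revoke(self, path):  # withdraw one decision, not the whole list
        self.entries.pop(str(path), None)
        self.tag = self._seal()

    def view(self):
        return sorted(self.entries.items())

    def check(self, path):
        """Return 'tampered-list', 'unknown', 'modified' or 'trusted'."""
        if not hmac.compare_digest(self.tag, self._seal()):
            return "tampered-list"
        if str(path) not in self.entries:
            return "unknown"
        return "trusted" if self.digest(path) == self.entries[str(path)] else "modified"

def demo():  # constructed scenario on temporary files; returns verdicts in order
    with tempfile.TemporaryDirectory() as tmp:
        tool = Path(tmp) / "updater.exe"          # constructed file name
        tool.write_bytes(b"version 1")
        trust = TrustList(b"constructed-demo-key")
        trust.approve(tool)
        verdicts = [trust.check(tool)]            # unchanged since approval
        tool.write_bytes(b"version 1, patched")
        verdicts.append(trust.check(tool))        # content changed since approval
        trust.entries["C:/other.exe"] = "0" * 64  # entry added without re-sealing
        verdicts.append(trust.check(tool))
        return verdicts
```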

  6. #6
    Ex-MSFT Paul Adams's Avatar
    Okay, typical male that I am, I go back and read the manual after finding a potential problem

    "Why is Windows Update generating lots of Prevx alerts?
    Because Windows Update needs to access key areas of the system registry and needs to be able to write files to areas of the file system that are normally protected by Prevx Home, we recommend that you turn OFF all Security Settings other than the Buffer Overflow policies whilst performing Windows Update. On completion of Windows Update, please turn back ON the Security Settings that you have turned off!

    The buffer overflow policies will protect you against internet worms such as Sasser and Blaster whilst performing Windows Update. Whilst these policies are switched off it is recommended that you do not browse other web-sites, in order to minimize the risk of spyware infections."
    This (the highlighted "solution") is utter crap and I have told them so.

    The product should either automatically pick up the fact the user is performing a Windows Update and do the necessary step-down in security temporarily, or give the user a button to click which does that for the current login session or one hour.

    Expecting the user to tune their security settings up and down is pointless, given that Automatic Updates is now the preferred method of keeping Windows patched.
