What is a HIPS? The technology behind Emsisoft Online Armor Firewall explained

  • July 10, 2012
  • 5 min read


There are different ways of detecting, blocking or removing malware. Different suppliers use different technical terms, which can make it difficult for normal users to differentiate between them. It all sounds great in theory, but we would rather not hide behind such complicated terms. We prefer to explain in a clear and understandable manner why Emsisoft’s products offer you the best protection possible.

In another article, we already explained how Emsisoft Anti-Malware works with its three protection levels, namely “Surf protection”, “File guard” and “Behavior analysis”. Emsisoft Online Armor employs another type of technology for detecting attacks: it belongs to the category of HIPS.

A HIPS prevents intrusions into your PC.

HIPS stands for “Host-based Intrusion Prevention System”. In contrast to a network-based intrusion prevention system, which specializes in detecting attack patterns in network traffic, a HIPS such as Emsisoft Online Armor runs directly on the PC to be protected. Its basic design is to alert the user to every security-related modification of the system, especially the particularly critical ones. This gives the user full control of all the important processes on their PC and allows them to decide which programs they trust enough to allow further actions.

This may sound like a universal remedy for all kinds of attacks, but unfortunately it is not. Modern operating systems establish and end new Internet connections every other second, and launch and terminate visible and invisible programs, including their modules, while performing hundreds of read and write operations on the registry and other configuration files. In principle, a HIPS alerts the user to all of these modifications, whether they come from malware or from normal programs. If each and every modification brought up an alert window, the user would not be able to work or browse, as they would constantly be clicking on Allow or Block.

Good HIPS avoid unnecessary alerts

This is why our HIPS, Emsisoft Online Armor, relies on different techniques in order to reduce alerts as much as possible. Take autorun entries as an example. On current systems these are removed, modified or added all the time, for instance whenever a new program or driver is installed. With a plain HIPS, the user would receive an alert requesting confirmation every time an autorun entry is modified. Autorun entries are nonetheless a genuine source of danger: a lot of malicious software uses them to ensure it runs at startup.

Emsisoft Online Armor, however, detects well-established and harmless autoruns based on different criteria, so that it is able to make many decisions on its own. This means you will receive no alerts and can keep on working on your PC without any further hassle and risk.

Such rules and filters are of course not only used for autoruns, but for more than 500 security-related points on the system. Filtering alerts is in fact highly complex and is spread over several levels of the OS. After all, it is what guarantees that no single online attack reaches your PC.


Automatic decisions made by Emsisoft Online Armor to keep alerts at a minimum

Maximum control for experienced users

If necessary, almost all rules and filters of Emsisoft Online Armor can be disabled to give you full control of all system processes. Maximum control means, however, that you will have to take your time to confirm all alerts. It also takes good IT knowledge as you will have to correctly judge diverse processes and actions.

Broadly speaking, a HIPS does not classify software as malware; it only alerts the user to suspicious processes. An exception to this is a supplementary feature of Emsisoft Online Armor that detects known malicious software by means of hash values. A hash is a unique checksum that is computed from the data of an existing file. This value is compared against Emsisoft’s own cloud database, the “Emsisoft Anti-Malware Network”, and any file recognized as malware is blocked. The final decision about whether to block or allow any other action is still up to the user and their knowledge.
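The two mechanisms described above, alert reduction through trust rules for autorun entries and hash-based blocking of known malware, can be sketched in a few lines. The following is an added example for this article, not Emsisoft’s code: it diffs two constructed snapshots of autorun entries, auto-allows entries whose file hash is on a hypothetical allowlist of well-established programs, auto-blocks entries whose hash appears in a stand-in for the cloud malware database, and only asks the user about the rest. All locations, paths, file contents and hash sets are invented for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Autorun:
    location: str   # constructed label for a Run key value or startup-folder item
    path: str       # executable the entry launches (constructed)
    content: bytes  # stand-in for the bytes of that executable (constructed)


def sha256(content: bytes) -> str:
    """Hash of the file contents; the value the cloud lookup would be keyed on."""
    return hashlib.sha256(content).hexdigest()


# Hypothetical allowlist of "well-established and harmless" autoruns.
TRUSTED_HASHES = {
    sha256(b"os-tray-helper"),
    sha256(b"vendor-signed-updater-v3"),
    sha256(b"vendor-signed-updater-v4"),
}

# Stand-in for the cloud malware-hash database; constructed for this example.
KNOWN_MALWARE_HASHES = {sha256(b"evil-dropper-payload")}

# Constructed snapshots taken before and after a program installation.
BEFORE = {
    "HKLM-Run:OsTrayHelper": Autorun(
        "HKLM-Run:OsTrayHelper", r"C:\Windows\System32\trayhelper.exe", b"os-tray-helper"),
    "HKCU-Run:VendorUpdater": Autorun(
        "HKCU-Run:VendorUpdater", r"C:\Program Files\Vendor\updater.exe", b"vendor-signed-updater-v3"),
}
AFTER = {
    "HKLM-Run:OsTrayHelper": BEFORE["HKLM-Run:OsTrayHelper"],
    # updater was upgraded: same location, new file contents
    "HKCU-Run:VendorUpdater": Autorun(
        "HKCU-Run:VendorUpdater", r"C:\Program Files\Vendor\updater.exe", b"vendor-signed-updater-v4"),
    # new entry pointing at a file whose hash is in the malware set
    "HKCU-Run:WinUpdateSvc": Autorun(
        "HKCU-Run:WinUpdateSvc", r"C:\Users\Public\svc.exe", b"evil-dropper-payload"),
    # new entry for a program nobody has seen before
    "Startup:notes.lnk": Autorun(
        "Startup:notes.lnk", r"C:\Users\alice\notes.exe", b"unknown-notes-app"),
}


def snapshot_diff(before, after):
    """Return (change, entry) pairs for added, modified and removed autoruns."""
    changes = []
    for loc, entry in after.items():
        old = before.get(loc)
        if old is None:
            changes.append(("added", entry))
        elif old != entry:
            changes.append(("modified", entry))
    for loc, entry in before.items():
        if loc not in after:
            changes.append(("removed", entry))
    return changes


def decide(change, entry):
    """HIPS-style decision: block known bad, auto-allow trusted, otherwise ask."""
    if change == "removed":
        return "ask"  # deleting a startup entry is also worth confirming
    digest = sha256(entry.content)
    if digest in KNOWN_MALWARE_HASHES:
        return "block"
    if digest in TRUSTED_HASHES:
        return "allow"
    return "ask"


def evaluate(before, after):
    """Map each changed location to (change, decision)."""
    return {e.location: (change, decide(change, e)) for change, e in snapshot_diff(before, after)}


def alerts_needed(decisions):
    """Number of changes that still have to be shown to the user."""
    return sum(1 for _, d in decisions.values() if d == "ask")


if __name__ == "__main__":
    result = evaluate(BEFORE, AFTER)
    for location, (change, decision) in result.items():
        print(f"{change:<9} {location:<24} -> {decision}")
    print(f"{len(result)} changes, {alerts_needed(result)} user alert(s)")
```

Of the three changes in the constructed data, the updater upgrade is allowed silently, the known dropper is blocked without asking, and only the unknown program produces an alert. Dropping the hash allowlist turns every change back into an alert, which is the trade-off between maximum control and a quiet system that the article describes.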

It is a common misconception that a HIPS is the same thing as a firewall. It is true that many desktop firewalls use typical HIPS features nowadays, but traditionally a firewall is used to block TCP/IP ports, as Windows’ integrated firewall does. Emsisoft Online Armor monitors TCP/IP connections and can block ports as well, but this is only a minor part of the entire protection fortress.


TCP/IP blocking is only a minor part of the entire protection.

Not all firewalls are alike, which is why Emsisoft Online Armor and Windows Firewall, for example, are as different as a bike and a Formula 1 car. Both run on wheels, but in complexity and functionality they are very different. Windows’ built-in protection works on rules only and blocks only certain types of connections, whereas Emsisoft Online Armor also monitors all important system processes. Once any malware or hacker manages to enter your PC, Windows Firewall is powerless, whereas Emsisoft Online Armor is usually able to identify the threat reliably.

HIPS or behavior analysis – what is better?

There is no real better or worse with both technologies, which is why we offer both as different products. While Emsisoft Anti-Malware combines surf protection, behavior analysis and signature-based scans in a powerful bundle that alerts the user of threats clearly recognized as malware, Emsisoft Online Armor is a modern HIPS that informs you about processes and modifications affecting your system’s security.

The advantages and disadvantages of a HIPS are clear: maximum control of your system for experienced users who know how to evaluate the alerts that arise. If you prefer concrete decisions and as few alerts as possible, though, you are better off with behavior analysis.

Behavior analysis assembles different recognition patterns that, based on probability calculations, trigger an alert only when a certain critical value is reached that clearly indicates malware. This causes fewer alerts than any HIPS while still offering an extremely high level of security, because behavior analysis is specifically trained to detect real malware.
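To make the difference between the two approaches concrete, here is an added example (not Emsisoft’s implementation, which the article does not disclose) that runs one constructed stream of process behaviors through both models: a plain HIPS that raises one alert per monitored event, and a behavior-analysis scorer that assigns each indicator an assumed probability of being malicious, combines the indicators per process with a noisy-OR formula, and alerts only once the combined score crosses a critical value. The process names, indicator weights and threshold are all invented for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    process: str
    behavior: str


# Assumed probability that each behavior, on its own, indicates malware.
# These weights are constructed for the example, not taken from any product.
INDICATOR_WEIGHTS = {
    "writes_autorun": 0.35,
    "injects_into_process": 0.45,
    "hides_window": 0.15,
    "opens_outbound_connection": 0.10,
    "modifies_hosts_file": 0.30,
}

# Critical value at which the combined score is treated as "clearly malware".
ALERT_THRESHOLD = 0.7

# Constructed event stream: a legitimate installer, a browser and a dropper.
EVENTS = [
    Event("installer.exe", "writes_autorun"),
    Event("installer.exe", "opens_outbound_connection"),
    Event("browser.exe", "opens_outbound_connection"),
    Event("browser.exe", "opens_outbound_connection"),
    Event("svc.exe", "writes_autorun"),
    Event("svc.exe", "injects_into_process"),
    Event("svc.exe", "hides_window"),
    Event("svc.exe", "modifies_hosts_file"),
]


def hips_alerts(events):
    """A plain HIPS alerts on every monitored event, regardless of the process's history."""
    return [e for e in events if e.behavior in INDICATOR_WEIGHTS]


def combined_score(weights):
    """Noisy-OR: probability that at least one of the observed indicators is a true positive."""
    return 1.0 - math.prod(1.0 - w for w in weights)


def behavior_scores(events):
    """Accumulate the indicators seen per process and combine them into one score each."""
    per_process = {}
    for e in events:
        per_process.setdefault(e.process, []).append(INDICATOR_WEIGHTS[e.behavior])
    return {proc: combined_score(ws) for proc, ws in per_process.items()}


def behavior_alerts(events, threshold=ALERT_THRESHOLD):
    """Processes whose combined score reached the critical value."""
    return [proc for proc, score in behavior_scores(events).items() if score >= threshold]


if __name__ == "__main__":
    print(f"HIPS alerts: {len(hips_alerts(EVENTS))} (one per event)")
    for proc, score in behavior_scores(EVENTS).items():
        print(f"{proc:<14} score={score:.3f}")
    print(f"behavior-analysis alerts: {behavior_alerts(EVENTS)}")
```

On the constructed stream the HIPS model produces eight alerts, one per event, including two for the browser simply opening connections. The scorer stays quiet for the installer (score 0.415) and the browser (0.19) and alerts once for svc.exe (0.787), whose combination of autorun persistence, process injection, a hidden window and a hosts-file change crosses the threshold. The noisy-OR combination is one simple way to realise the "probability calculations" the paragraph mentions; a real engine would tune the weights against real malware rather than use invented values.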

It is not always about choosing one or the other, though, which is why we offer both programs at an inexpensive bundle price. Simply profit from both programs’ powerful capabilities for maximum security and use HIPS, behavior analysis, signature-based scan and surf protection at the same time. Emsisoft Internet Security Pack makes it possible – test it now for free for 30 days!


Have a nice (malware-free) day!

Your Emsisoft Team
