Thursday, January 25, 2007

Host Intrusion Prevention versus Host Anti Virus - Now is the time for change

Host anti virus is traditional security mitigation software used by millions of computer users across the globe. Anti Virus does a great job of stopping known security exploits through the use of signature-type definition files. Unfortunately for the general computer user, the word “known” is the key to this conversation. This means that Anti Virus is only as good as the attacks that you already know about. If you use Anti Virus, you are still highly susceptible to new computer attacks.

Contrast that with Host Intrusion Prevention (HIPS). HIPS looks at the behavior of hosts and decides if that behavior could be consistent with the action of malicious code. If the HIPS software decides that the behavior is suspicious, it will either stop the behavior or query you on whether you want to allow the behavior. The bottom line is that HIPS does not use signature definition files; it uses rule files that don't require updates and will stop viruses and worms whether they are known or not. My experience with HIPS software is that it is 100% reliable.

The downside of Host Intrusion Prevention software is that the versions that are available are targeted at larger customers with a professional security team that can manage and analyze the events seen when rules trigger. Generally it's too complex to be managed by the average end user.

This article is little more than a call to action for security developers. Security engineers readily accept that HIPS software is superior to Anti Virus; now is the time to commercialize the software. Take the complexity out of the existing HIPS software, and tone it down so that the average home user can use it and be protected at all times, as opposed to the current experience while using antivirus. This isn't that huge of a task. Shoot for the low-hanging fruit, and only deploy rules such as: stop code that is executed after a buffer overflow, stop code that is being run for the first time, stop browsers from acting as servers, stop the average computer from opening any listening port, stop traffic related to port scans. These are just ideas; I'm sure there are more. If you do happen to read this article, please encourage your local HIPS vendor to commercialize their product, and maybe even encourage them to market it to huge service providers such as Comcast and AOL.
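As an added illustration (not the post's own code), a toy Python sketch of the contrast drawn above: a signature lookup that only knows one hash, beside a behavior rule set built from the five rules listed in the paragraph. The process names, hashes, ports and event records are constructed for the demo.

```python
from collections import defaultdict

# Constructed host telemetry: (process, action, detail). A known worm runs and
# listens; a new variant with an unseen hash overflows a buffer, listens, and
# scans a neighbor; a browser binds a port.
EVENTS = [
    ("svchost.exe", "exec", {"sha1": "KNOWN_WORM_HASH"}),
    ("svchost.exe", "listen", {"port": 4444}),
    ("updater.exe", "exec", {"sha1": "NEW_VARIANT_HASH"}),
    ("updater.exe", "ret_to_stack", {}),          # return into stack memory
    ("updater.exe", "listen", {"port": 31337}),
    ("iexplore.exe", "listen", {"port": 8080}),
] + [("updater.exe", "connect", {"dst": "10.0.0.5", "port": p}) for p in range(135, 150)]

KNOWN_BAD = {"KNOWN_WORM_HASH"}          # AV definitions: one entry per known sample
BROWSERS = {"iexplore.exe", "firefox.exe"}
ALLOWED_LISTENERS = set()                # a home PC has no business serving anything
SCAN_THRESHOLD = 10                      # distinct ports to one host before alerting


def signature_av(events, known_bad):
    """Signature AV: flags only executables whose hash is already in the definitions."""
    return [i for i, (_, act, d) in enumerate(events)
            if act == "exec" and d.get("sha1") in known_bad]


def behavior_hips(events, baseline=frozenset()):
    """Behavior HIPS: the five fixed rules from the post, no definition updates.
    `baseline` is the set of hashes already seen on this host (empty here).
    Returns (event index, rule name) for every rule that fires."""
    alerts, seen, ports_per_dst = [], set(baseline), defaultdict(set)
    for i, (proc, act, d) in enumerate(events):
        if act == "exec":
            if d["sha1"] not in seen:
                alerts.append((i, "first-time execution"))
            seen.add(d["sha1"])
        elif act == "ret_to_stack":
            alerts.append((i, "code executed after buffer overflow"))
        elif act == "listen":
            if proc in BROWSERS:
                alerts.append((i, "browser acting as server"))
            elif proc not in ALLOWED_LISTENERS:
                alerts.append((i, "unexpected listening port"))
        elif act == "connect":
            key = (proc, d["dst"])
            ports_per_dst[key].add(d["port"])
            if len(ports_per_dst[key]) == SCAN_THRESHOLD:
                alerts.append((i, "port scan"))
    return alerts
```

The signature check catches only event 0; the rule set also catches the new variant at events 2 through 4 and the scan at event 15 without any update. Every rule here also fires on some legitimate activity (a fresh installer, a file-sharing client that listens), which is the triage burden the post attributes to current HIPS products.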

Tuesday, January 16, 2007

How effective is Anti Virus software at stopping worm attacks?

Host Anti Virus software and Network Anti Virus appliances can both be used to stop worms. But there are a few caveats.

1. New exploits may not be stopped by many Anti Virus packages.
2. You must use the auto-update features of your AV software to ensure that definitions of current worms are activated.
3. Host anti virus will not stop worms destined for any device except the one it is installed on.

When it comes to stopping worms, I recommend a full-blown IPS and also behavior-based Host Intrusion Prevention software. Network IPS mitigates worms against all network assets, and behavior-based intrusion prevention does not depend on signature updates to stop threats.

Yes, I'm a Cisco bigot; check
www.cisco.com/go/asa
www.cisco.com/go/ips

Check the ads on this page for other credible AV and IPS vendors that can mitigate work behavior.

Ha ha, did I really say mitigate work behavior? Ah that should be WORM behavior but I suppose mitigating work behavior wouldn't be a bad idea for some of us......

With Great Power Comes Great Responsibility....raise the bar

Get Secure