Subject: Deep discussion about Micropoint and the HIPS

#1 Deep discussion about Micropoint and the HIPS

[draft translation by sidineyqiao]

For example, some people use Shadow, Ice, Recover Fairy, AyRecovery and similar products to protect the system and to keep viruses from infecting it: after an infection, you can restart the system to recover it. We should acknowledge the protective effect of these products, but their goal is to recover the system quickly, not to kill the virus. So they are not ideal for protecting against and killing viruses. Why? Let's analyze it.

First, what is the core principle of recovery software? It monitors and controls reads and writes to the hard disk, and completes fake read/write operations in a way that deceives the system and the application software. Because the hard disk never holds the real record or record marks, it returns to its original condition after the system restarts.
Based on the principle and goals of recovery software, we can see that its protective effect is very good and that nothing is lost after a restart. But it is useless against the viruses, worms, trojans, backdoors and spyware that have network behaviour in today's networked era, because it is not antivirus software.

For example:
1. Trojan stealer: restarting the system is meaningless after the account numbers have already been stolen.
2. Worm: since a worm sends mail blindly, the junk mail has already been sent by the time you recover the system.
3. Overflow attack: a Windows XP machine without patches will be attacked by the Shock Wave worm (Blaster) within a short time of going online, and then it restarts the system in 60 seconds. Recovery software is useless here: after you restart, the system restarts again in 60 seconds, and the PC cannot be used normally. To solve the problem you need to install the patch, or close the ports on the firewall, or install antivirus software to resist the overflow attack.

Now let's get to the main topic. I think the biggest difference is not usability; it is not that Micropoint alarms less and HIPS alarms more; it is not that Micropoint detects intelligently while a HIPS reports everything blindly by default; it is not that Micropoint suits the novice user while only advanced users understand the prompts of a HIPS. The biggest difference is that they are two kinds of software: one is antivirus software plus a network firewall, and the other is a system firewall. The different goals lead to different suitable users and different behaviour, just like the example above of using recovery software to prevent viruses.

The main purpose of Micropoint is antivirus plus network firewall; because of its advanced structure, I call it antivirus software 2.0. It is normal that users experienced with other products do not find Micropoint suited to their habits and doubt it when they first use the Micropoint proactive defense software. I have used it for about one year. In the early days I used Micropoint together with other antivirus software and did not trust the Micropoint firewall, so I installed BlackICE; later I completely turned off the entire real-time monitoring of the others and uninstalled the other firewalls. In daily work I only use Micropoint; the scanning of the other antivirus software is JUST to identify samples.

Many friends think that Micropoint lacks the ability to kill viruses and only pays attention to defense. I have reservations about this opinion. I experienced Micropoint's virus-killing effect when I handled a machine problem for one of my friends early this year. The situation at that time was: an old laptop ran the system slowly, the monitoring of the installed foreign antivirus software could not be started, and IE visited the network abnormally even though little third-party software was installed. To tell the truth, I already wanted to reinstall the system, but the laptop drivers were a hard problem, so I installed Micropoint to try something, without any expectation of it. Micropoint could not be installed in normal mode, so I installed it in safe mode and then went back to normal mode, and Micropoint finally killed two unknown trojans. I restarted the computer at its prompt and the computer ran normally.

The monitor of the foreign antivirus software also started running automatically again. This is only one specific example, and no software can recover a system from the irreversible destruction of a virus, but it does prove that Micropoint is not purely proactive software: the behaviour engine has antivirus ability when you install Micropoint after your computer is already infected. Yet we pay little attention to this, and there is little information about it in the forums.

I think HIPS means "system firewall" more than "Host Intrusion Prevention System". A HIPS is a set of analysis tools that judge behaviour based on the program's API calls. Its main function is that of a system firewall. By comparison, a network firewall works by checking every data packet against rules; the difference is that the system firewall only focuses on API actions.

HIPS has no relation to traditional antivirus software 1.0, but it is related to Micropoint, which I call antivirus software 2.0, because the behaviour-judgment part of the Micropoint engine is based on the program's API. So a HIPS can defend against viruses to some degree. But a HIPS is not antivirus software: it can only defend against a virus, not clean it. It is just like debug.exe in the Windows system, which can clean a virus but cannot detect one. Each should focus on its own field; antivirus kills viruses, which ensures efficiency and quality.
PS: debug.exe is a treasure; Jiangmin used it to kill viruses when he started making antivirus software.


So Micropoint kills viruses better than a HIPS, because Micropoint not only has behaviour analysis to judge viruses but also integrates several technologies to guarantee efficiency and results. But a HIPS is more visual than Micropoint in monitoring system behaviour. Micropoint focuses on the judgment result, and the HIPS focuses on the process. The different emphases are for different users, yet in reality there is some relation between the different users: some use Micropoint to analyze the system, and the HIPS to defend against viruses.

Because of certain influences, Micropoint has done less advertising and has fewer users. I guess Liu Xu will name it a "proactive defense system". But many people misunderstand it as the program-behaviour-analysis technique. This will bring bad influences on the antivirus industry: more and more software named "proactive defense" will appear, but few of them will have a complete proactive defense system; the others will have only a few relations to a single API alarm function. It is a long way to develop antivirus software 2.0.

I like watching the 50-50 contest. The resistance of users has little effect on fake products. I only hope that the responsible departments prepare a proposal before it happens and strictly control the examination process, so that the MP3 incident never happens again to destroy the industry's interests.

2008-9-5 11:10
I have to say you are a good expert at translating security knowledge!
How much do you charge per thousand characters?
I will hire you!

2008-9-5 17:27
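The two protection styles the first post contrasts, as an added toy simulation that is not part of any post in this thread and not code from Micropoint or any recovery product: recovery software that redirects disk writes to a shadow copy (discarded on reboot), and a system-firewall-style HIPS that judges each API call against rules. The `CowDisk` class, the `API_RULES` table and the `TROJAN_TRACE` call sequence are all constructed for illustration. Running the same trace under each model shows the post's point: the rollback undoes the dropped file but cannot recall the data that already left the machine, whereas the API rules stop both actions before they happen (and, as the post also says, would do nothing for a file that was already on the disk).

```python
"""Toy model: copy-on-write 'recovery software' disk versus API-rule HIPS.

Added example for this thread, not code from Micropoint or any recovery
product. All names, rules and the sample trace are constructed.
"""
from dataclasses import dataclass, field

# Constructed base image: one user file a stealer might read.
BASE_IMAGE = {"C:/Users/me/notes.txt": "account=demo password=hunter2"}

# Constructed API-call trace of a hypothetical trojan: read a user file,
# send its content to a remote host, then drop a file into the system dir.
TROJAN_TRACE = [
    ("ReadFile",  ("C:/Users/me/notes.txt",)),
    ("Send",      ("remote.example", "account=demo password=hunter2")),
    ("WriteFile", ("C:/Windows/persist.exe", "<constructed payload bytes>")),
]


@dataclass
class CowDisk:
    """Recovery-software style disk: every write lands in a shadow map, the
    base image is never touched, so discarding the shadow 'reboots' clean."""
    base: dict
    shadow: dict = field(default_factory=dict)

    def read(self, path):
        # Applications see the shadow copy first; this is the "fake" read.
        return self.shadow.get(path, self.base.get(path))

    def write(self, path, data):
        self.shadow[path] = data          # redirected write, base untouched

    def reboot(self):
        self.shadow.clear()               # back to the original condition

    def changed_paths(self):
        return sorted(self.shadow)


# System-firewall style rules: each one judges the arguments of a single API
# call and returns True when the call should be denied.
def deny_system_dir_write(path, data):
    return path.startswith("C:/Windows/")


def deny_secret_send(host, payload):
    return "password=" in payload


API_RULES = {"WriteFile": deny_system_dir_write, "Send": deny_secret_send}


def run_trace(trace, disk, hips_enabled):
    """Replay an API trace against a disk; returns (messages sent, calls blocked)."""
    sent, blocked = [], []
    for call, args in trace:
        rule = API_RULES.get(call)
        if hips_enabled and rule is not None and rule(*args):
            blocked.append(call)          # HIPS judges the call, not the packet
            continue
        if call == "ReadFile":
            disk.read(args[0])
        elif call == "WriteFile":
            disk.write(*args)
        elif call == "Send":
            sent.append(args)             # side effect that leaves the machine
    return sent, blocked


def recovery_software_only():
    """Only the shadow disk is protecting the host; nothing is blocked."""
    disk = CowDisk(dict(BASE_IMAGE))
    sent, blocked = run_trace(TROJAN_TRACE, disk, hips_enabled=False)
    before = disk.changed_paths()
    disk.reboot()
    return {"changed_before_reboot": before,
            "changed_after_reboot": disk.changed_paths(),
            "messages_sent": len(sent),
            "blocked": blocked}


def hips_only():
    """Only the API rules are protecting the host; no rollback happens."""
    disk = CowDisk(dict(BASE_IMAGE))
    sent, blocked = run_trace(TROJAN_TRACE, disk, hips_enabled=True)
    return {"changed_paths": disk.changed_paths(),
            "messages_sent": len(sent),
            "blocked": blocked}


if __name__ == "__main__":
    print("recovery software only:", recovery_software_only())
    print("HIPS only:             ", hips_only())
```

With the recovery model the dropped file vanishes on reboot, but `messages_sent` is still 1: the secret went out before anyone restarted. With the API rules nothing is sent and nothing is written, which is the "defend but not clean" behaviour the post attributes to a HIPS.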
