Sophos Anti-Virus for Windows 2000+: Host Intrusion Prevention System (HIPS) overview

  • Article ID: 25044
  • Updated: 06 May 2014

Host Intrusion Prevention System (HIPS) is a security technology that protects computers from malware that has not yet been identified (that is, for which no detection signature exists yet) and from suspicious program behavior.

HIPS includes both pre-execution and runtime behavior analysis.

Applies to the following Sophos product(s) and version(s)

Sophos Endpoint Security and Control 9.7
Sophos Endpoint Security and Control 10.0

Runtime behavior analysis

Sophos Anti-Virus analyzes the behavior of programs while they run on the system. Runtime behavior analysis includes:

Suspicious behavior detection
This dynamically analyzes the behavior of programs running on the system in order to detect and block activity that appears to be malicious. Suspicious behavior includes, for example, changes to the registry that would make a program run automatically when the computer is restarted (autorun persistence).
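
The registry autorun locations mentioned above are a good illustration of what a suspicious-behavior HIPS watches. The following added example (not Sophos code) enumerates the common Run/RunOnce keys and flags entries whose executable lives outside the usual program directories or no longer exists on disk. It assumes Windows PowerShell 2.0 or later (so it does not apply to Windows 2000 hosts) and an elevated prompt so the HKLM keys are readable; the list of trusted root directories is an assumption you should adjust for your environment.

```powershell
# Added example, not Sophos code: list the autorun registry values that a
# suspicious-behavior HIPS watches, and flag entries whose executable lives
# outside the normal program directories or no longer exists.
# Assumes Windows PowerShell 2.0 or later; run from an elevated prompt.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories where legitimately installed software normally lives
# (assumption: extend this for your environment, e.g. a corporate software share).
# ${env:ProgramFiles(x86)} is $null on 32-bit Windows and is filtered out.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Handles both "C:\path with spaces\app.exe" /arg and C:\path\app.exe /arg.
    # -match is case-insensitive, so .EXE is matched as well.
    if ($Command -match '^\s*"?(.+?\.exe)') { $path = $Matches[1] }
    else { $path = ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        # Wow6432Node does not exist on 32-bit Windows; skip missing keys.
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $exe = Get-ExecutableFromCommand $cmd
            $trusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $trusted = $true
                    break
                }
            }
            # Flag entries outside the trusted roots, and entries whose target is
            # missing (dangling autoruns are a common leftover of removed malware).
            $missing = [string]::IsNullOrEmpty($exe) -or -not (Test-Path -LiteralPath $exe)
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Suspicious = (-not $trusted) -or $missing
            }
        }
    }
}

Get-AutorunEntries | Where-Object { $_.Suspicious } | Format-Table Key, Name, Command -AutoSize
```

The output is a triage list, not a verdict: an entry such as `rundll32.exe something.dll,Entry` has no absolute path, so it is flagged even though rundll32.exe itself is a Windows binary, and you must still check what the DLL is. The point of the example is the class of change the HIPS watches for, namely values written under these keys by a process that is not a normal installer.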

Buffer overflow detection
This dynamically analyzes the behavior of programs running on the system in order to detect buffer overflow attacks.

NOTE: Buffer overflow detection was not available for Windows Vista or for 64-bit versions of Windows in Sophos Endpoint Security and Control 9.7, because those operating systems enforce hardware Data Execution Prevention (DEP), which blocks the payload-execution stage of a classic stack or heap overflow exploit. DEP does not prevent the memory corruption itself, and under the default OptIn policy on client editions of Windows it covers only Windows binaries and programs that opt in. In Sophos Endpoint Security and Control 10.x buffer overflow protection (BOPS) has been extended to those operating systems to increase protection.
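
Because the note above makes the coverage of DEP the deciding factor, it helps to know what DEP policy a given endpoint actually enforces. The following added example (not Sophos code) reads the documented DEP properties of the WMI class Win32_OperatingSystem; it assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not Sophos code: report the Data Execution Prevention policy
# of the local machine, so you can tell which processes are covered by DEP and
# which would rely on a HIPS-style buffer overflow check instead.
# Assumes Windows PowerShell 2.0 or later (WMI class Win32_OperatingSystem).

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Documented values of DataExecutionPrevention_SupportPolicy.
    $policyNames = @{
        0 = 'AlwaysOff: DEP disabled for all processes'
        1 = 'AlwaysOn: DEP enforced for all processes, no exceptions'
        2 = 'OptIn: only Windows binaries and programs that opt in (client default)'
        3 = 'OptOut: all processes except those explicitly excluded (server default)'
    }

    New-Object PSObject -Property @{
        # $true when the CPU and kernel support hardware NX/XD page protection.
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        # $true when 32-bit applications are covered under the current policy.
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        # OSArchitecture is absent on Windows XP/2003, so $null means "pre-Vista".
        OSArchitecture       = $os.OSArchitecture
    }
}

Get-DepStatus | Format-List
```

On 64-bit Windows, native 64-bit processes always run with DEP regardless of the policy; the policy value governs 32-bit processes. A client machine reporting OptIn therefore still has many 32-bit third-party programs running without DEP, which is the gap a runtime buffer overflow check is meant to close.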

Pre-execution analysis

Behavioral Genotype Protection

Monitors code on a computer and blocks any that would behave maliciously, before it is executed. Unlike purely runtime HIPS, which monitor running code and intervene only once they believe suspicious behavior has occurred, Sophos Behavioral Genotype Protection identifies and blocks malicious programs before execution.

Suspicious file detection

Sophos Anti-Virus can scan for suspicious files, that is, files that contain certain characteristics common to malware but not sufficient for the file to be identified as a specific new piece of malware. For example, a file containing the kind of dynamic decompression (unpacking) code commonly used by malware can be regarded as suspicious. With on-access scanning enabled, suspicious file detection scans a file when a user opens it. With suspicious file scanning enabled in scheduled scans, Sophos Anti-Virus detects such files before anyone attempts to open them.

Using HIPS with Sophos Anti-Virus

  • Suspicious Behavior detection is set to 'alert only' mode by default in Sophos Endpoint Security and Control 9.7. If you intend to use this feature, you will need to configure it.
  • HIPS settings in the Anti-virus and HIPS policy apply to on-access scanning only.

When Sophos Anti-Virus 9.7 is first installed, it detects suspicious behavior and displays alerts (and sends them to the console), but it does not block any of the programs detected until you configure it to do so.

See Sophos Anti-Virus for Windows 2000+: managing the detection of suspicious files and behavior for details on managing alerts.

See also

The HIPS best practices guide

Documentation

For installation details, see the Sophos Endpoint Security network startup guide and the Sophos Endpoint Security network upgrade guide.

For management details, see Sophos Anti-Virus for Windows 2000+: managing the detection of suspicious files and behavior.

If you need more information or guidance, then please contact technical support.
