Sophos Anti-Virus for Windows 2000+: Host Intrusion Prevention System (HIPS)
Host Intrusion Prevention System (HIPS) is a security technology that protects computers from unidentified viruses and suspicious behavior.
HIPS includes both pre-execution and runtime behavior analysis.
Runtime behavior analysis
Sophos Anti-Virus analyzes the behavior of programs running on the system. The runtime behavior analysis includes:
Suspicious behavior detection
This dynamically analyzes the behavior of programs running on the system in order to detect and block activity which appears to be malicious. Suspicious behavior may include changes to the registry that could allow a virus to run automatically when the computer is restarted.
Buffer overflow detection
This dynamically analyzes the behavior of programs running on the system in order to detect buffer overflow attacks.
Note: Buffer overflow detection is not available for Windows Vista and 64-bit versions of Windows. These operating systems are protected against buffer overflows by Microsoft's Data Execution Prevention (DEP) feature.
Pre-execution analysis
Behavioral Genotype Protection
Behavioral Genotype Protection monitors code on a computer and blocks any that would behave maliciously before it is executed. Unlike other runtime HIPS, which monitor running code and intervene once they believe suspicious behavior has occurred, Sophos Behavioral Genotype Protection identifies and blocks malicious programs before execution.
Suspicious file detection
Sophos Anti-Virus can scan for suspicious files, that is, files that contain certain characteristics that are common to malware but not sufficient for the files to be identified as a new piece of malware. For example, a file containing dynamic decompression code commonly used by malware can be regarded as suspicious. With on-access scanning enabled, suspicious file detection scans a file when a user clicks to open it. With suspicious file scanning enabled in scheduled scans, Sophos Anti-Virus will detect the files before anyone attempts to open them.
Using HIPS with Sophos Anti-Virus
- Suspicious Behavior detection is set to 'alert only' mode by default. If you intend to use this feature, you will need to configure it.
- HIPS settings in the Anti-virus and HIPS policy apply to on-access scanning only.
When Sophos Anti-Virus is first installed, it detects suspicious behavior and displays alerts (and sends them to Enterprise Console). However, it does not block any of the programs detected.
See Sophos Anti-Virus for Windows 2000+: managing the detection of suspicious files and behavior for details on managing alerts.
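The two points above, suspicious behavior detection of autorun registry changes and the 'alert only' default with later authorization of known-good items, can be illustrated with a small snapshot-diff detector. This is an added example, not Sophos code: the watched key list is illustrative, the snapshots are constructed dicts, and on a live Windows host they would be read with the winreg module instead.

```python
# Added example (not Sophos code): minimal autorun-change detector in the spirit of
# HIPS suspicious behavior detection. Snapshots are constructed dicts of
# registry key -> {value name: data}; on a real host they would come from winreg.
from dataclasses import dataclass
from typing import Optional

# Representative autostart locations (assumption: illustrative, not Sophos's watch list)
AUTORUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    old: Optional[str]   # None when the value did not exist in the baseline
    new: str
    action: str          # "alert" (report only) or "block" (reject the change)

def diff_autoruns(baseline, current, mode="alert", authorized=frozenset()):
    """Compare two snapshots of the watched keys and return one Finding per
    added or changed value. Entries listed in `authorized` as (key, name, data)
    are treated as approved and produce no finding. mode="alert" mirrors the
    default HIPS behavior of reporting without blocking."""
    findings = []
    for key in AUTORUN_KEYS:
        before, after = baseline.get(key, {}), current.get(key, {})
        for name, data in after.items():
            old = before.get(name)
            if old == data or (key, name, data) in authorized:
                continue
            findings.append(Finding(key, name, old, data, mode))
    return findings

# Constructed snapshots: one new Run value appears, and the Winlogon Shell is altered.
BASELINE = {
    AUTORUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    AUTORUN_KEYS[2]: {"Shell": "explorer.exe"},
}
CURRENT = {
    AUTORUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
                      "Updater": r"C:\Users\Public\updater.exe"},
    AUTORUN_KEYS[2]: {"Shell": r"explorer.exe,C:\Users\Public\shell.exe"},
}

if __name__ == "__main__":
    for f in diff_autoruns(BASELINE, CURRENT):   # default: alert only, nothing blocked
        print(f"[{f.action.upper()}] {f.key}\\{f.name}: {f.old!r} -> {f.new!r}")
```

Passing an `authorized` set suppresses entries an administrator has reviewed, which is the snapshot-based equivalent of authorizing an item Sophos found.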
See also
How to
Configure on-access scanning
Deal with alerts about suspicious files or behavior
Decide whether to allow or block a file or program
Authorize the items that Sophos finds
Documentation
For installation details, see the Sophos Endpoint Security network startup guide and the Sophos Endpoint Security network upgrade guide.
For management details, see Sophos Anti-Virus for Windows 2000+: managing the detection of suspicious files and behavior.
If you need more information or guidance, then please contact technical support.
- Article ID: 25044
- Created: 1 May 2007
- Last updated: 22 Jan 2009