Build a HIPS security wall yourself

Source: Internet
Author: User

HIPS is short for Host-based Intrusion Prevention System. Unlike conventional anti-virus software, which relies on signatures, HIPS is an active defense system built around processes: by writing specific rules it monitors process behavior, such as launching, accessing the network, accessing the registry and accessing files, and blocks the action when an exception is detected, which protects the system more effectively. There are few HIPS products suitable for Windows 7, but the HIPS principle can be applied with the system's own group policies, so we can build a HIPS-style security system ourselves.
Prevent malicious programs from running
Nowadays much malware hides in C:\Windows and C:\Windows\System32. On the one hand, programs in the system directories start quickly (they can be run directly from the command line without a path); on the other hand, the file name can be disguised as a system program so the user does not notice it. With a few targeted rules, malicious programs can be effectively prevented from running.
Prevent trojans from running in the system directory
Step 1: analyze the directory. Open C:\Windows and note which programs genuinely need to run from it; only a handful do. To prevent any other program from running in this directory, we only need to create a rule that denies the running of any program in C:\Windows except those three programs.
Step 2: create a restriction policy. Type gpedit.msc in the Start search box and press Enter to open the Group Policy editor. Expand "Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies", then click "Action > New Software Restriction Policies" on the menu bar to create a policy. Right-click "Additional Rules" and select "New Path Rule". In the window that opens, enter "%SYSTEMROOT%\*.exe" in the Path box (this forbids any application in that directory from running) and set the security level to "Disallowed".
Step 3: create the exceptions. Create another new path rule, enter "%SYSTEMROOT%\regedit.exe" in the Path box and set the security level to "Unrestricted" so the registry editor is allowed to run. In the same way, add the other programs you want to allow, one rule each. With these settings in place, if a virus tries to run from the C:\Windows directory it is blocked by the Software Restriction Policy and cannot start, while the programs you explicitly left unrestricted are unaffected; the system directory is thus no longer a hiding place for viruses and Trojans.
Protect key processes of the system
In addition to the directory above, C:\Windows\System32 is also a favorite hiding place for Trojans. We can likewise use rules to stop Trojans from running there and protect the system's key processes. Many Trojans hide by taking the name of a system process, and there are two main disguises:
The first is to use the exact name of a system process, such as csrss.exe, but to place the file in another subdirectory under System32 (two files with the same name cannot exist in the same folder).
The second is to use a look-alike name such as win1ogon.exe (not winlogon.exe: the letter l is replaced by the digit 1) and hide the file in System32 itself.
Step 1: find out which processes are system processes (open Task Manager and switch to "Show processes from all users"). Then use wildcards to create path rules that disallow those names, such as csrss.* (the .* matches any extension, so it also covers executable formats such as .bat and .com) and lsass.*. In this way Trojans disguised as system processes will not run.
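The two disguises described above can also be hunted for rather than only blocked. The script below is an added example, not code from the original article: it walks the Windows directory looking for executables that either carry an exact core-process name outside that process's home directory or carry a look-alike name, and reports each hit together with its Authenticode signature status. The list of core process names, the confusable-character map and the WinSxS exclusion are this example's own assumptions.

```powershell
# Added example (not from the original article): audit %SystemRoot% for files
# that reuse or imitate core system process names. Run from an elevated prompt.
# Assumptions: the process list, confusable map and WinSxS exclusion are ours.

$SystemRoot = $env:SystemRoot
$System32   = Join-Path $SystemRoot 'System32'

# Core processes and the directory each one legitimately lives in
# (explorer.exe is the exception: it lives in %SystemRoot% itself).
$CoreProcesses = @{
    'csrss'    = $System32
    'winlogon' = $System32
    'lsass'    = $System32
    'smss'     = $System32
    'services' = $System32
    'svchost'  = $System32
    'explorer' = $SystemRoot
}

# Character substitutions commonly used to build look-alike names
# (win1ogon -> winlogon, lsa55 -> lsass, 0 for o, rn for m).
$Confusables = [ordered]@{ 'rn' = 'm'; '1' = 'l'; 'i' = 'l'; '0' = 'o'; '5' = 's' }

function ConvertTo-CanonicalName {
    # Fold confusable characters so a look-alike and the real name collapse
    # onto the same string; both sides of every comparison are folded.
    param([Parameter(Mandatory)][string]$Name)
    $n = $Name.ToLowerInvariant()
    foreach ($pair in $Confusables.GetEnumerator()) {
        $n = $n.Replace($pair.Key, $pair.Value)
    }
    return $n
}

# Folded form of each core name -> real name, built once.
$CanonicalCore = @{}
foreach ($name in $CoreProcesses.Keys) { $CanonicalCore[(ConvertTo-CanonicalName $name)] = $name }

function Find-DisguisedProcessFile {
    # Emits one object per suspicious file: an exact core-process name outside
    # its home directory, or a look-alike name anywhere under $Root.
    param([string]$Root = $SystemRoot)

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.com, *.bat, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike "$SystemRoot\WinSxS\*" } |   # servicing copies are expected duplicates
        ForEach-Object {
            $base   = $_.BaseName.ToLowerInvariant()
            $reason = $null

            if ($CoreProcesses.ContainsKey($base)) {
                # Disguise 1: real name, wrong folder (-ne is case-insensitive)
                if ($_.DirectoryName -ne $CoreProcesses[$base]) {
                    $reason = 'system process name outside its home directory'
                }
            }
            else {
                # Disguise 2: look-alike spelling of a core name
                $real = $CanonicalCore[(ConvertTo-CanonicalName $base)]
                if ($real) { $reason = "look-alike of $real.exe" }
            }

            if ($reason) {
                # A genuine Microsoft binary carries a valid Authenticode signature;
                # an unsigned or foreign-signed hit is the one to investigate.
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                [pscustomobject]@{
                    Path      = $_.FullName
                    Reason    = $reason
                    Signature = $sig.Status
                    Signer    = $signer
                }
            }
        }
}

Find-DisguisedProcessFile | Format-Table -AutoSize
```

The signature column is what turns a name match into a decision: a "Valid" signature from Microsoft on a same-named file in an unexpected folder is usually a legitimate copy, whereas "NotSigned" or a third-party signer on a csrss.exe or win1ogon.exe is exactly the case the path rules above are meant to block.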
Reject non-Microsoft Processes
Although the method above is simple, rule-based matching cannot intercept every Trojan: Trojan names change constantly, and simple name rules will always let some new or variant Trojans slip through. Users with high security requirements can also use application control policies (AppLocker) to prevent every non-Microsoft process from starting.
Step 1: right-click "Computer" on the desktop, select "Manage > Services", find the Application Identity service and set its startup type to Automatic. Open the Group Policy editor as above, expand "Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules", right-click "Executable Rules" and select "Create Default Rules".
Step 2: after creating the default rules, right-click "Executable Rules" again and select "Create New Rule". In the wizard that opens, set the action for the Everyone group to "Deny", select "Path" under "Conditions" and choose the system directory C:\Windows as the directory the rule restricts (Figure 3).
Step 3: click "Next", select "Publisher" under "Add exceptions", click "Browse" and pick any built-in system program, such as C:\Program Files\DVD Maker\DVDMaker.exe (the program is only used to extract its signature information). Move the slider in the exception settings up to "Publisher", meaning that any program signed by Microsoft is exempt from the deny rule and may run.
Step 4: follow the on-screen prompts to finish creating the rule. Return to the AppLocker page, click "Configure rule enforcement" in the left pane, tick "Configured" under "Executable rules" in the window that opens and select "Enforce rules". The restriction takes effect after a restart. From then on a program in C:\Windows whose publisher is not Microsoft cannot run; the system reports that the program has been restricted by group policy.
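The same policy the four GUI steps build can be expressed as AppLocker policy XML and applied from PowerShell, which also makes it possible to test the decision for individual files before enforcing it. The script below is an added example and not part of the original article: it starts the Application Identity service, writes the default allow rules plus the deny rule with a Microsoft-publisher exception, dry-runs the policy against a few files and applies it in audit mode. The output path, rule names, the constructed probe file and the choice to start in AuditOnly are this example's own assumptions; the publisher string and the well-known SIDs are the standard values AppLocker uses.

```powershell
# Added example (not from the original article): build, test and apply the
# AppLocker policy the GUI steps describe. Run from an elevated prompt.
# Assumptions: output path, rule names, probe file and AuditOnly start are ours.

$PolicyXml = Join-Path $env:TEMP 'applocker-windows-deny.xml'

# 1. AppLocker only enforces while the Application Identity service runs.
#    sc.exe is used because Set-Service cannot reconfigure this protected
#    service on newer Windows versions.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. The policy. The three default allow rules matter: as soon as the Exe
#    collection holds any rule, everything not explicitly allowed is blocked.
#    A Deny always wins over an Allow, so the last rule overrides the
#    "Default: Windows" allow for anything not signed by Microsoft.
$Everyone  = 'S-1-1-0'
$Admins    = 'S-1-5-32-544'
$Microsoft = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Program Files" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Windows" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Administrators" Description="" UserOrGroupSid="$Admins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny non-Microsoft in Windows" Description="" UserOrGroupSid="$Everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$Microsoft" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyXml -Encoding UTF8

# 3. Dry run before applying anything: two signed system tools and a
#    constructed, unsigned probe file dropped into C:\Windows.
$Probe = Join-Path $env:SystemRoot 'probe-unsigned.exe'   # constructed sample
Set-Content -Path $Probe -Value 'constructed unsigned probe, not a real program'
Test-AppLockerPolicy -XmlPolicy $PolicyXml -User $Everyone -Path "$env:SystemRoot\regedit.exe", "$env:SystemRoot\System32\cmd.exe", $Probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $Probe -ErrorAction SilentlyContinue

# 4. Apply to the local computer policy (this replaces the existing local
#    AppLocker policy). In AuditOnly mode nothing is blocked yet; would-be
#    blocks are logged under Applications and Services Logs > Microsoft >
#    Windows > AppLocker. Once the log shows only expected entries, change
#    EnforcementMode above to "Enabled" (the GUI's "Enforce rules") and
#    re-run; a reboot ensures the service picks the policy up.
Set-AppLockerPolicy -XmlPolicy $PolicyXml
```

Expected decisions in step 3 are "Allowed" for regedit.exe and cmd.exe (matched by the publisher exception) and "Denied" for the probe (it sits under %WINDIR% and has no Microsoft signature). Starting in audit mode is the practical safeguard the GUI procedure skips: a deny rule over all of C:\Windows with a single publisher exception will also catch legitimately installed third-party components that live there, and the audit log reveals them before users are locked out.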
Tips
Once the restrictions above are enabled, every program on the machine that needs to run as administrator is affected (the system's own programs still run normally because of the "exception" setting). A restricted program in a non-system directory can still be started by right-clicking it and selecting "Run as administrator"; this does not apply to programs in the system directories. To restrict one specific program, use a rule based on its file hash value.
Secure Internet access
One important route by which Trojans and viruses enter a system is the network. When you browse a malicious web page, the virus is first downloaded to the IE cache or the system's temporary folders and run from there automatically, exposing the system. So you only need a rule that prevents programs in those directories from running. The procedure is the same as above: add a Software Restriction Policy path rule with the security level "Disallowed" for each of the following directories:
