Host Intrusion Prevention System (HIPS) is a security technology that protects computers from unidentified viruses and Suspicious Behavior. It includes both pre-execution behavior analysis and runtime behavior analysis.
The following sections are covered:
Applies to the following Sophos products and versions:
Sophos Endpoint Security and Control
Central Mac Endpoint
Central Windows Endpoint
Behavioral Genotype Protection monitors code on a computer and blocks any that would behave maliciously before it is executed. Unlike other runtime HIPS, which monitor running code and intervene once they believe Suspicious Behavior has occurred, Sophos Behavioral Genotype Protection identifies and blocks malicious programs before execution.
Sophos Anti-Virus can scan for Suspicious Files that contain certain characteristics that are common to malware but not sufficient for the files to be identified as a new piece of malware. For example, a file containing dynamic decompression code commonly used by malware can be regarded as suspicious. With On-access scanning enabled, Suspicious File detection scans a file when a user clicks to open it. With Suspicious File scanning enabled in scheduled scans, Sophos Anti-Virus will detect the files before anyone attempts to open them.
Sophos Anti-Virus analyzes the behavior of the programs running on the system. The runtime behavior analysis includes:
Suspicious Behavior detection, which dynamically analyzes the behavior of programs running on the system in order to detect and block activity that appears to be malicious. Suspicious behavior may include changes to the registry that could allow a virus to run automatically when the computer is restarted.
Buffer overflow detection, which dynamically analyzes the behavior of programs running on the system in order to detect buffer overflow attacks.
Note: Buffer overflow detection was not available for Windows Vista and 64-bit versions of Windows in Sophos Endpoint Security and Control 9.7 as these operating systems are protected against buffer overflows by Microsoft's Data Execution Prevention (DEP) feature. In Sophos Endpoint Security and Control 10.x buffer overflow protection (BOPS) has been extended to include these operating systems to increase protection.
When Sophos Endpoint Security and Control is first installed, it detects Suspicious Behavior and displays alerts (and sends them to the console). However, it does not block any of the programs detected.
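The following is an added illustration, not Sophos code, of the runtime rule the article describes: a process writing a value under a registry key that runs programs at restart is flagged as Suspicious Behavior, and the verdict is alert-only or blocking depending on the mode. The autorun key list, the event format and the sample events are constructed for the example.

```python
from dataclasses import dataclass
# Constructed list of registry keys whose values launch programs at logon;
# an assumption for this example, not taken from Sophos documentation.
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

@dataclass
class RegistryEvent:
    """One registry write observed at runtime (hypothetical event format)."""
    process: str     # image name of the writing process
    key: str         # registry key that was written
    value_name: str  # value under that key
    data: str        # command line stored in the value

@dataclass
class Verdict:
    suspicious: bool  # behaviour matched the Suspicious Behavior rule
    blocked: bool     # action was prevented (only in block mode)
    reason: str

def touches_autorun_key(key: str) -> bool:
    """True when the write lands under a key that runs programs at restart."""
    k = key.lower()
    return any(k.startswith(a.lower()) for a in AUTORUN_KEYS)

def evaluate(event: RegistryEvent, block_mode: bool = False) -> Verdict:
    """Rule for the page's example: a program registering itself to run after
    a restart. block_mode=False is the fresh-install default (alert, not block)."""
    if not touches_autorun_key(event.key):
        return Verdict(False, False, "no autorun key written")
    reason = f"{event.process} wrote {event.key}\\{event.value_name} -> {event.data}"
    return Verdict(True, block_mode, reason)

def scan_events(events, block_mode: bool = False):
    """Return (event, verdict) pairs for every event that raised an alert."""
    return [(e, v) for e in events if (v := evaluate(e, block_mode)).suspicious]

# Constructed sample events: one benign write, one autorun persistence write.
SAMPLE_EVENTS = [
    RegistryEvent("notepad.exe", r"HKCU\Software\Notepad", "iWindowPosX", "120"),
    RegistryEvent("updater.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  "Updater", r"C:\Users\Public\updater.exe"),
]

if __name__ == "__main__":
    for event, verdict in scan_events(SAMPLE_EVENTS, block_mode=False):
        print("BLOCKED" if verdict.blocked else "ALERT ONLY", verdict.reason)
```

Running it in the default alert-only mode reports the autorun write to the console without preventing it; passing block_mode=True is the equivalent of switching the policy to block.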
See How to manage detection of Suspicious Files and Behavior for details on managing alerts.