Sophos Anti-Virus for Windows 2000+: Host Intrusion Prevention System (HIPS)
Host Intrusion Prevention System (HIPS) is a security technology that protects computers from unidentified viruses and suspicious behavior. It is used in Sophos Anti-Virus for Windows 2000+.
The following types of behavior are monitored.
Runtime behavior analysis
Sophos Anti-Virus analyzes behavior of the programs running on the system. The runtime behavior analysis includes:
- Suspicious behavior detection
This dynamically analyzes the behavior of programs running on the system in order to detect and block activity which appears to be malicious. Suspicious behavior may include changes to the registry that could allow a virus to run automatically when the computer is restarted.
- Buffer overflow detection
This dynamically analyzes the behavior of programs running on the system in order to detect buffer overflow attacks.
Note: Buffer overflow detection is not available for Windows Vista and 64-bit versions of Windows. These operating systems are protected against buffer overflows by Microsoft's Data Execution Prevention (DEP) feature.
Suspicious file detection
Sophos Anti-Virus can scan for suspicious files, that is, files that contain certain characteristics that are common to malware but not sufficient for the files to be identified as a new piece of malware. For example, a file containing dynamic decompression code commonly used by malware can be regarded as suspicious.
Using HIPS with Sophos Anti-Virus
- HIPS settings are in 'alert only' mode by default. If you intend to use them to block rather than only alert, you will need to configure them.
- HIPS settings in the Anti-virus and HIPS policy apply to on-access scanning only.
When Sophos Anti-Virus is first installed, it detects suspicious behavior and sends alerts to Enterprise Console. However, it does not block any of the programs detected.
See Sophos Anti-Virus for Windows 2000+: managing the detection of suspicious files and behavior for details on managing your installation.
What to do
Sophos recommends that you introduce blocking of suspicious behavior as follows:
- pre-authorize any programs that you want to continue to run in future;
- when you are ready, configure Sophos Anti-Virus to block programs that are detected from then on.
This approach avoids blocking programs that your users may need.
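The staged rollout described above (alert only by default, pre-authorize known programs, then switch to blocking), as an added illustration that is not Sophos code: it triages constructed behaviour events in a hypothetical key=value log format (not a real Sophos log format) against a simple policy, treating writes to the registry Run keys as the "run automatically when the computer is restarted" case.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample events in a hypothetical "|"-separated key=value format.
SAMPLE_EVENTS = """\
program=C:\\Tools\\backup.exe|action=registry_set|target=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup
program=C:\\Temp\\x9.exe|action=registry_set|target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x9
program=C:\\Temp\\x9.exe|action=file_write|target=C:\\Temp\\notes.txt
program=C:\\Temp\\x9.exe|action=registry_set|target=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\x9
"""

# Registry locations whose modification lets a program start automatically after
# a restart.  Prefix matching on "...\\Run" deliberately also covers "RunOnce".
AUTORUN_KEYS = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
)


@dataclass
class Policy:
    block: bool = False                        # 'alert only' is the default mode
    authorized: FrozenSet[str] = frozenset()   # pre-authorized program paths, lower-case


def parse_event(line: str) -> Dict[str, str]:
    """Split one hypothetical log line into its key=value fields."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_suspicious(event: Dict[str, str]) -> bool:
    """A registry write under an autorun key is the suspicious behaviour of interest."""
    target = event.get("target", "").lower()
    return event.get("action") == "registry_set" and target.startswith(AUTORUN_KEYS)


def verdict(event: Dict[str, str], policy: Policy) -> str:
    """Alert-only mode never blocks; blocking mode spares pre-authorized programs."""
    program = event["program"].lower()
    if program in policy.authorized:
        return "authorized"
    return "block" if policy.block else "alert"


def triage(log_text: str, policy: Policy) -> List[Tuple[str, str]]:
    """Return (program, verdict) for every suspicious event in the constructed log."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [(e["program"].lower(), verdict(e, policy)) for e in events if is_suspicious(e)]
```

Running the same events under the default policy yields only alerts; after pre-authorizing backup.exe and enabling blocking, the unknown program is blocked while the authorized one is left alone.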
- For installation details, see the Sophos Endpoint Security network startup guide and the Sophos Endpoint Security network upgrade guide.
- For management details, see Sophos Anti-Virus for Windows 2000+: managing the detection of suspicious files and behavior.
If you need more information or guidance, then please contact technical support.
- Article ID: 25044
- Created: 1 May 2007
- Last updated: 13 Oct 2008
