What is the difference between a HIDS/HIPS and an anti-virus?

First, you talk about HIDS and HIPS.

  • The 'D' stands for "Detection". It means that the protection system will be able to detect and alert upon a possible security event, but it will not attempt to block anything.
  • The 'P' stands for "Prevention". This means that when the protection system detects a possible security event, it will automatically try to block it.

Since an anti-virus's main use is to actively block access to files detected as malicious, it would be nearer to an HIPS than an HIDS.

Are they the same thing? This is a good question, especially since Wikipedia states that "The lines become very blurred here, as many of the tools overlap in functionality."

Historically speaking: no. An anti-virus's primary goal is to detect and block access to malicious files, while an HIPS solution has a broader goal: it may track changes on the file system (to detect changes not necessarily implying any malicious code, like an unexpected settings change for instance), analyze log files (system and application logs), check the system components to detect any irregularities, and indeed also try to detect potential malware.

An HIPS solution may be either composed of several different pieces of software, the anti-virus being only one of them, or one may go toward all-in-one solutions where a single tool will bundle all these functions.

The fact is that nowadays end-user anti-virus products are a bit more than simple anti-virus; over time they have accumulated a very large panel of features, turning them more into security suites which can indeed be perceived as end-user HIPS solutions.

So, my answer here is twofold:

  • A basic anti-virus, whose only goal is to detect and block access to malicious files, is only a part of an HIPS solution,
  • Current end-user anti-virus products go well beyond this; they are often renamed security suites and are becoming end-user HIPS solutions.
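To make the detection-versus-prevention distinction from the answer concrete, here is an added example (not part of the original post) of a toy host-based file monitor. It tracks a baseline of file hashes, the kind of file-system change tracking the answer attributes to an HIPS; in "detect" mode it behaves like a HIDS and only reports a change, in "prevent" mode it behaves like a HIPS and also reverts the file to its known-good content. The file names (`hosts`, `sshd_config`), their contents and the tampering step are all constructed for the demo. Note the simplification: a real HIPS hooks the operating system to block the write before it happens, whereas this script can only undo it afterwards.

```python
"""Toy host-based monitor illustrating detection vs prevention (added example).

Monitored files are a stand-in for a HIDS/HIPS tracking file-system changes.
mode="detect" -> HIDS behaviour: alert only.
mode="prevent" -> HIPS behaviour: alert and restore the baseline content.
All paths and contents are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(paths):
    """Record the hash and a known-good copy of each monitored file."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        baseline[path] = {"sha256": sha256_bytes(data), "content": data}
    return baseline


def run_check(baseline, mode="detect"):
    """Compare the files on disk against the baseline.

    Returns a list of (path, event, action) tuples, where event is
    "modified" or "deleted" and action is "alert-only" or "restored".
    """
    if mode not in ("detect", "prevent"):
        raise ValueError("mode must be 'detect' or 'prevent'")
    events = []
    for path, known in baseline.items():
        if not os.path.exists(path):
            event = "deleted"
        else:
            with open(path, "rb") as fh:
                current = sha256_bytes(fh.read())
            if current == known["sha256"]:
                continue  # unchanged, nothing to report
            event = "modified"
        if mode == "prevent":
            # HIPS-style response: put the known-good content back
            with open(path, "wb") as fh:
                fh.write(known["content"])
            action = "restored"
        else:
            # HIDS-style response: report, but leave the file as found
            action = "alert-only"
        events.append((path, event, action))
    return events


def demo(mode):
    """Create two constructed files, tamper with one, run the check, and
    return (events, content_after) so the two modes can be compared."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")
        sshd = os.path.join(tmp, "sshd_config")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(sshd, "w") as fh:
            fh.write("PermitRootLogin no\n")
        baseline = build_baseline([hosts, sshd])

        # Simulate the "unexpected settings change" the answer mentions:
        # not malware, just a configuration that drifted from the baseline.
        with open(sshd, "w") as fh:
            fh.write("PermitRootLogin yes\n")

        events = run_check(baseline, mode)
        with open(sshd) as fh:
            after = fh.read()
        return [(os.path.basename(p), e, a) for p, e, a in events], after


if __name__ == "__main__":
    for m in ("detect", "prevent"):
        events, after = demo(m)
        print(f"{m}: {events} -> sshd_config now {after!r}")
```

Running it shows the same change reported in both modes, but only in "prevent" mode does `sshd_config` end up back at its baseline content; the unchanged `hosts` file never appears in the report.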

Tags: Antivirus, Ids