What is the difference between a HIDS/HIPS and an anti virus?
First, you talk about HIDS and HIPS.
- The 'D' stands for "Detection". It means that the protection system will be able to detect and alert upon a possible security event, but it will not attempt to block anything.
- The 'P' stands for "Prevention". This means that when the protection system detects a possible security event, it will automatically try to block it.
Since an anti-virus main use is to actively block the access to files detected as malicious, then it would be nearer to an HIPS than and HIDS.
Are they the same thing? This is a good question, especially since Wikipedia states that "The lines become very blurred here, as many of the tools overlap in functionality."
Historically speaking: no. An anti-virus primary goal is to detect and block access to malicious files, while and HIPS solution has a broader goal: it may track changes on the file system (to detect changes not necessarily implying any malicious code, like an unexpected settings change for instance), analyze log filess (system and application logs), check the system components to detect any irregularities, and indeed also try to detect potential malware.
An HIPS solution may be either composed of several different software and the anti-virus be only of them, or one may go toward all-in-one solutions where a single tool will bundle all these functions.
The fact is that nowadays end-user's anti-virus are a bit more than simple anti-virus, over time they have accumulated a very large panel of features turning them more into security suites which can be indeed perceived as end-user's HIPS solutions.
So, my answer here is two folds:
- A basic anti-virus, whose only goal is to detect and block access to malicious files, is only a part of an HIPS solution,
- Current end-user's anti-virus go well over this, they are often renamed as security suites and are becoming end-user's HIPS solutions.