View Full Version : AppDefend v1.000 Public Beta
Jason_R0
November 19th, 2005, 12:04 AM
http://www.ghostsecurity.com/downloads/appdefend_betasetup.exe
Uninstall all versions of RegDefend/Ghost Security Suite prior to running the above installer
If you have problems with this beta it is very simple to fix. Simply boot into safe mode and uninstall the beta through the start menu.
I am very pleased to be able to finally release a public beta of AppDefend. After many months of work and distractions (GhostWall and another yet to be announced feature) it is in a state which most people will be able to use effectively. It is still a little rough in some areas, so please be mindful of this, on the whole though it is working as it should. RegDefend has also been updated a bit, mostly through the GUI and some driver enhancements. Many thanks to the beta testers for providing testing and ideas throughout the development phase.
AppDefend currently protects against :-
1) Network access
2) Process creation
3) Process execution
4) Global Hooks (DLL injection / Keyloggers)
5) Process/Thread suspension and context modification
6) Virtual Memory modification
7) Remote Thread Creation
8) Physical Memory access
9) Termination of threads and processes
10) Rootkit installation methods
In this beta you will most likely be introduced to "George the Ghost" which is a small nag screen for people who have not purchased the components. It is purposely coming up often in this beta (5 minutes after the launch of gss.exe he will appear once), and will be reduced to only 2 or 3 times a month by the final build. I just wanted everyone to be able to see the nag screen and possibly provide any feedback regarding it.
All in all there have been a lot of changes, and I hope to hear some feedback regarding the changes and AppDefend.
Jason_R0
November 19th, 2005, 12:07 AM
AppDefend FAQ
Permissions
Each protection in AppDefend can be set to 5 different states :-
BLOCK - This means the protection item will be blocked without popping up an alert
ALLOW - This means the protection item will be allowed without popping up an alert
ASK USER / ALLOW - This means a popup alert will occur when this protection item occurs. If for some reason it is unable to ask the user it will ALLOW it.
ASK USER / BLOCK - This means a popup alert will occur when this protection item occurs. If for some reason it is unable to ask the user it will BLOCK it.
DEFAULT - Use whatever is defined in the .Default rule
When an alert occurs and the application isn't in your AppDefend list, it will use whatever is defined in the .Default rule also. This means if you don't like a protection which AppDefend has, you can easily disable it by setting it to "ALLOW".
Network Access alerts
Sometimes you will receive an alert which says "UDP Send" with "Unknown IP" and "Unknown Port". In the current build of AppDefend it is unable to obtain the port and IP address for UDP communications, this will hopefully be addressed in a future build.
The Seeker
November 19th, 2005, 02:02 AM
Sounds interesting Jason. Just a question though, will users of ProcessGuard (like myself) benefit in any way from AppDefend? That is to say, does it have features that cannot be found in PG?
Thanks :)
Jason_R0
November 19th, 2005, 02:08 AM
-{ Quote: "Sounds interesting Jason. Just a question though, will users of ProcessGuard (like myself) benefit in any way from AppDefend? That is to say, does it have features that cannot be found in PG?
Thanks :)" }-
It does have features not found in ProcessGuard, but whether or not those features are enough to make you want AppDefend, I am not sure. Some of my beta testers have run both side by side, I however don't see much point in running 2 somewhat similar security applications on the one system, I prefer the minimalist approach. :)
If you are very happy with ProcessGuard and don't need the extra features and usability offered by AppDefend, then I would suggest you wouldn't need to try AppDefend. Of course, the beta is free to try and there is no harm in trying something new. :)
james246
November 19th, 2005, 03:34 AM
Jason,
Most potential buyers of Application Defend are probably already owners of Process Guard; your program however looks as though it may well be raising the bar to an even higher level. Can you list all the features and functions that are different in your program that would attract a user of Processguard (such as myself) to jump ship? I am also particularly interested in how it handles Rootkits.
PS Congratulations on Regdefend it is the best registry protector in the game.
Jason_R0
November 19th, 2005, 03:46 AM
-{ Quote: "Jason,
Most potential buyers of Application Defend are probably already owners of Process Guard; your program however looks as though it may well be raising the bar to an even higher level. Can you list all the features and functions that are different in your program that would attract a user of Processguard (such as myself) to jump ship? I am also particularly interested in how it handles Rootkits.
PS Congratulations on Regdefend it is the best registry protector in the game." }-
I don't want to sound too biased, and hopefully once more people have used AppDefend they can comment. Top 5 reasons why I personally use AppDefend now compared to ProcessGuard (used to be a ProcessGuard user myself :) ) are :-
1) AppDefend is more efficient. Checksumming is done in the kernel driver (rather than in usermode, avoiding permissions issues and being at least a second faster). Faster list searching (used when checking what has which permissions). Better multi-threading technology ensures AppDefend works the best it can on multiprocessor / dual core systems and hyperthreading systems, whilst also taking less time on single processor systems.
2) AppDefend has more protections, with the one I am happiest with being "Application Network Control". I don't like the major firewalls due to inefficient methods of dealing with applications dialing out so have mostly gone without this luxury because I like a fast system. Now I can have this protection without slowdown.
3) AppDefend can alert on every protection item rather than just execution like PG does. No more messed up installations because PG blocked something rather than asking.
4) Configuration abilities, I can disable any protection I don't want/need. I can also log items that I want rather than things I don't need to worry about. AppDefend protects every application by default, no need to add every program you want protected.
5) You can hash all the items in your list to see if anything has changed, integrity wise, and perform other maintenance activities (cleaning your list of applications no longer on system).
The Seeker
November 19th, 2005, 04:22 AM
Wow that's a pretty impressive list of features; I guess I'll have to give this a go!
James 246
November 19th, 2005, 07:46 AM
It will be interesting to see how many leap from PG to AppDefend. For PG owners, upgrading their program will be free; using AppDefend instead will be an extra cost, but AppDefend does look as though it is going to be magnificent.
The Seeker
November 19th, 2005, 08:11 AM
I've been using it for a few hours now and I'm finding it remarkably stable for a beta program.
I can certainly understand why you like the "Application Network Control" Jason, it's very, very handy. Running the Windows Firewall as I do (SP2) it's an added bonus to have this feature.
System still feels nice and light yet very secure - a winning combination :)
rdsu
November 19th, 2005, 08:18 AM
I'm testing it now, and seems really impressive :)
Very good for a beta version...
When I installed it, "Limited free version" appears on the main window to the right of AppDefender.
Will AppDefender have a free version with limited features, like Network and program protection?
Regards
rdsu
November 19th, 2005, 08:29 AM
One nice feature to be added, is a Learning Mode to AppDefender, like in ProcessGuard ;)
xmen
November 19th, 2005, 08:45 AM
-{ Quote: "I don't want to sound too biased, and hopefully once more people have used AppDefend they can comment. Top 5 reasons why I personally use AppDefend now compared to ProcessGuard (used to be a ProcessGuard user myself :) ) are :-
1) AppDefend is more efficient. Checksumming is done in the kernel driver (rather than in usermode, avoiding permissions issues and being at least a second faster). Faster list searching (used when checking what has which permissions). Better multi-threading technology ensures AppDefend works the best it can on multiprocessor / dual core systems and hyperthreading systems, whilst also taking less time on single processor systems.
" }-
Okay, though, PG is pretty fast for me already.
-{ Quote: "
2) AppDefend has more protections, with the one I am happiest with being "Application Network Control". I don't like the major firewalls due to inefficient methods of dealing with applications dialing out so have mostly gone without this luxury because I like a fast system. Now I can have this protection without slowdown.
" }-
Hmm, I could be wrong, but most people here like app control firewalls.
Still there's an elegance to the idea of adding this to app control as opposed to letting the firewall do it.
-{ Quote: "
3) AppDefend can alert on every protection item rather than just execution like PG does. No more messed up installations because PG blocked something rather than asking.
" }-
Yes, I like this. That's also why I prefer stuff like Prevx Pro, which alerts on driver installs.
-{ Quote: "
4) Configuration abilities, I can disable any protection I don't want/need. I can also log items that I want rather than things I don't need to worry about. AppDefend protects every application by default, no need to add every program you want protected.
" }-
Interesting point, with regards to the discussion here about auto-protection of all entries.
http://www.wilderssecurity.com/showthread.php?t=100007
IMHO The interface for Appdefend looks more logical than PG, and is a big improvement
-{ Quote: "
5) You can hash all the items in your list to see if anything has changed, integrity wise, and perform other maintenance activities (cleaning your list of applications no longer on system)." }-
Nice little feature.
-{ Quote: "AppDefend is also using the currently secure SHA256 hash.
" }-
Interesting, PG uses the weaker and broken MD5, no? Still, is this a really big problem?
All in all, AppDefend looks like a much more user-friendly implementation of the same feature set as ProcessGuard. Very very nice, I always thought the way PG's interface worked was very strange.
There are some additional security features, which as far as I can tell are the network control and the use of SHA-256 for hashing, but not a big deal I suspect for most people who run app control firewalls.
Some other improvements are under the hood, I guess, with stuff like speed which is hard for me to measure anyway.
Still I'm sure the smart money is on AppDefend being better and more well developed than PG not only now, but in the future...
Pilli
November 19th, 2005, 08:52 AM
Hi Jason, Very nice application. :)
I especially like the Network Access protection.
@VaMPiRiC_CRoW : Personally I do not see a need for learning mode as AppDefend works differently. Ref. Jason's post above:
3) AppDefend can alert on every protection item rather than just execution like PG does. No more messed up installations because PG blocked something rather than asking.
As far as I can see Jason has inserted some basic apps thus obviating the need for learning mode, and this is also a safer way of doing things as the user is in control.
@Jason. I notice you are using SHA 356 instead of the normal MD5 hash checks, is there a particular reason for this?
Anyway keep up the good work :) Pilli
Triple Helix
November 19th, 2005, 09:32 AM
Excellent piece of software!! ;D ;D
Go george!!
Thanks Jason!!
berng
November 19th, 2005, 09:35 AM
-{ Quote: "
AppDefend can alert on every protection item rather than just execution like PG does. No more messed up installations because PG blocked something rather than asking" }-
That is very nice. I had a driver blocked by PG and when the application finished installing, my system rebooted, whereupon I ended up with the BSD. When I tried to boot in safe mode, my system hung. I had to use ER Console to get back a usable system.
I especially like that additional info is supplied when a process starts, like parent process name and network access. Reduces questions when a decision has to be made on a process.
I did find a few minor issues when testing, and maybe we should start a separate thread for them-
1. Balloon tip for register button in Ghost Suite is incorrect.
2. The check now button always gives me "Status: Error downloading update file".
Paranoid2000
November 19th, 2005, 10:29 AM
Tsk, tsk Jason, Aussies are supposed to be lounging on the beach, sunbathing and surfing during weekends, not releasing new security applications! :D
This looks interesting so I'd like to add a few questions to those listed above also:
Termination protection - does this cover closing applications by clicking on the X at the top-right of their window? If so, does it include any method for checking whether this is user-initiated or not, like PG's Human Confirmation dialog?
"Rootkit Driver" permission - this really covers all driver installation, correct? If so, renaming it (e.g. to "Driver/Rootkit") would seem a very good idea to avoid painting every driver as malware.
"Keylogging" - does this only check for keyboard hooks or does it include the others (Mouse, MSGFilter, etc)?
Any plans to include DDE (as highlighted by ZABypass) or other forms of data transfer between programs in order to block current and future leaktests?
Some of the options (e.g. Execute or Start Applications) could be usefully restricted, e.g. allowing execution with only certain parameters (useful for Java for applet-specific permissions and RunDLL for DLL-specific ones) or allowing only certain programs to be started. Any plans on this?
-{ Quote: "@Jason. I notice you are using SHA 356 instead of the normal MD5 hash checks, is there a particular reason for this?" }-
See Slashdot: Meaningful MD5 Collisions (http://slashdot.org/article.pl?sid=05/06/10/1749256&tid=172) - MD5 is not far away from being completely broken so a move to a stronger hash algorithm is timely.
Jason_R0
November 19th, 2005, 11:13 AM
-{ Quote: "I'm testing it now, and seems really impressive :)
Very good for a beta version...
When I installed it, "Limited free version" appears on the main window to the right of AppDefender.
Will AppDefender have a free version with limited features, like Network and program protection?
Regards" }-
AppDefend will have a limited free version. I'm not sure what the limits will be, but in this beta there are no limits for the free version.
Jason_R0
November 19th, 2005, 11:16 AM
-{ Quote: "That is very nice. I had driver blocked by PG and when the application finished installing, my system rebooted, whereupon I ended up with the BSD. When I tried to boot in safe mode, my system hung. I had to use ER Console to get back a usable system.
I especially like that additional info is supplied when a process starts, like parent process name and network access. Reduces questions when a decision has to be made on a process.
I did find a few minor issues when testing, and maybe we should start a separate thread for them-
1. Balloon tip for register button in Ghost Suite is incorrect.
2. The check now button always gives me "Status: Error downloading update file"." }-
I have created a new beta update point which isn't up and running yet. The new GUI points to the beta update point but there is nothing there for it to check at the moment. This is so that when I release public beta updates over the coming days you guys can easily grab them, without interfering with the existing RegDefend customers and their updating.
Thanks for the tooltip reminders. :)
rdsu
November 19th, 2005, 11:19 AM
-{ Quote: "AppDefend will have a limited free version. I'm not sure what the limits will be, but in this beta there are no limits for the free version." }-
Thanks for the info :)
The next build will have the option to choose what features we want to have enabled or disabled?
Jason_R0
November 19th, 2005, 11:25 AM
-{ Quote: "Tsk, tsk Jason, Aussies are supposed to be lounging on the beach, sunbathing and surfing during weekends, not releasing new security applications! :D
This looks interesting so I'd like to add a few questions to those listed above also:
Termination protection - does this cover closing applications by clicking on the X at the top-right of their window? If so, does it include any method for checking whether this is user-initiated or not, like PG's Human Confirmation dialog?
"Rootkit Driver" permission - this really covers all driver installation, correct? If so, renaming it (e.g. to "Driver/Rootkit") would seem a very good idea to avoid painting every driver as malware.
"Keylogging" - does this only check for keyboard hooks or does it include the others (Mouse, MSGFilter, etc)?
Any plans to include DDE (as highlighted by ZABypass) or other forms of data transfer between programs in order to block current and future leaktests?
Some of the options (e.g. Execute or Start Applications) could be usefully restricted, e.g. allowing execution with only certain parameters (useful for Java for applet-specific permissions and RunDLL for DLL-specific ones) or allowing only certain programs to be started. Any plans on this?
See Slashdot: Meaningful MD5 Collisions (http://slashdot.org/article.pl?sid=05/06/10/1749256&tid=172) - MD5 is not far away from being completely broken so a move to a stronger hash algorithm is timely." }-
Hi Paranoid2000,
Termination protection isn't currently handling "Windows Messages" or "End Task". End Task will be added soon, whilst Windows Message handling is still up in the air whether I will add it or not in the near future. The way it was done in ProcessGuard I am not happy about due to the way it has to be done in usermode, and can cause application instability. I have been researching better ways to protect this rather vulnerable area, so there is some hope it can be achieved in a secure, stable and fast fashion.
Rootkit protection in AppDefend does not cover traditional driver installations (RegDefend handles that aspect), but rather the undocumented ways that the people who write rootkits like to use. So whilst RegDefend will alert mostly about non malicious applications trying to install a driver, if AppDefend is alerting you about a rootkit/driver, you had better watch out. :)
Keylogging isn't implemented yet, apart from in the GUI and RULES. I am still working on that particular protection along with the others I have mentioned.
AppDefend does take into account the commandline if you add it, when processing permissions which removes the RUNDLL and SVCHOST issues which plague PG and the other similar security applications. The alert will also automatically take the commandline for those particular processes when auto remembering (not implemented yet, will be in next build).
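The permission states from the FAQ earlier in this thread (BLOCK, ALLOW, ASK USER / ALLOW, ASK USER / BLOCK, DEFAULT, with unknown applications falling through to the .Default rule) and the command-line-aware matching Jason describes above can be modelled in a few dozen lines. The following is an added example written for this page, not code from AppDefend or Ghost Security; the rule shapes, the sample paths and the choice to fail closed when a .Default entry is itself DEFAULT are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# The five per-protection states from the FAQ. DEFAULT defers to the ".Default" rule.
BLOCK = "BLOCK"
ALLOW = "ALLOW"
ASK_ALLOW = "ASK USER / ALLOW"   # prompt; allow if the prompt cannot be shown
ASK_BLOCK = "ASK USER / BLOCK"   # prompt; block if the prompt cannot be shown
DEFAULT = "DEFAULT"


@dataclass
class Rule:
    path: str                                   # executable path, or ".Default"
    cmdline: Optional[str] = None               # command line the rule is keyed on (example assumption)
    perms: dict = field(default_factory=dict)   # protection name -> state


class Policy:
    def __init__(self, rules: list):
        self.rules = rules

    def _lookup(self, path: str, cmdline: Optional[str]) -> Optional[Rule]:
        """Most specific match first: path + command line, then path alone."""
        path, cmd = path.lower(), (cmdline or "").lower()
        for r in self.rules:
            if r.cmdline is not None and r.path.lower() == path and r.cmdline.lower() == cmd:
                return r
        for r in self.rules:
            if r.cmdline is None and r.path.lower() == path:
                return r
        return None

    def decide(self, path: str, protection: str, cmdline: Optional[str] = None, ask=None) -> str:
        """Resolve one protection event to ALLOW or BLOCK.

        `ask` stands in for the popup: it returns True (user allowed), False
        (user blocked) or None (the user could not be asked). Passing ask=None
        models "unable to ask the user" and exercises the ASK USER fallbacks.
        """
        rule = self._lookup(path, cmdline)
        state = rule.perms.get(protection, DEFAULT) if rule else DEFAULT
        if state == DEFAULT:
            # Unknown application or an explicit DEFAULT: use the .Default rule.
            default = self._lookup(".Default", None)
            state = default.perms.get(protection, ASK_BLOCK) if default else ASK_BLOCK
            if state == DEFAULT:
                state = ASK_BLOCK  # assumption: a self-referencing .Default fails closed
        if state in (ALLOW, BLOCK):
            return state
        fallback = ALLOW if state == ASK_ALLOW else BLOCK
        answer = ask(path, protection, cmdline) if ask else None
        return fallback if answer is None else (ALLOW if answer else BLOCK)


def sample_policy() -> Policy:
    """Constructed rule list for the example; not a real AppDefend configuration."""
    return Policy([
        Rule(".Default", perms={"Network access": ASK_BLOCK,
                                "Global Hooks": ASK_BLOCK,
                                "Process execution": ASK_ALLOW}),
        Rule(r"C:\Program Files\Mozilla Firefox\firefox.exe",
             perms={"Network access": ALLOW}),
        # Keying a rule on the command line means one rundll32.exe permission
        # does not silently cover every DLL it could be asked to load.
        Rule(r"C:\Windows\system32\rundll32.exe",
             cmdline="rundll32.exe shell32.dll,Control_RunDLL",
             perms={"Process execution": ALLOW}),
        Rule(r"C:\Windows\system32\rundll32.exe",
             perms={"Process execution": ASK_BLOCK}),
    ])


if __name__ == "__main__":
    p = sample_policy()
    ff = r"C:\Program Files\Mozilla Firefox\firefox.exe"
    rd = r"C:\Windows\system32\rundll32.exe"
    print(p.decide(ff, "Network access"))                     # explicit ALLOW
    print(p.decide(ff, "Global Hooks"))                       # DEFAULT -> ASK/BLOCK, no popup -> BLOCK
    print(p.decide(rd, "Process execution",
                   cmdline="rundll32.exe shell32.dll,Control_RunDLL"))   # ALLOW
    print(p.decide(rd, "Process execution",
                   cmdline="rundll32.exe other.dll,Run", ask=lambda *a: True))  # user said yes
```

The order of the lookup is the point: the command-line-specific rule wins over the bare executable rule, the bare rule wins over .Default, and every unknown program is still covered because .Default applies to it. The two ASK states differ only in what happens when no popup can be shown.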
Jason_R0
November 19th, 2005, 11:30 AM
-{ Quote: "Hi Jason, Very nice application. :)
@Jason. I notice you are using SHA 356 instead of the normal MD5 hash checks, is there a particular reason for this?
Anyway keep up the good work :) Pilli" }-
Hi Pilli,
AppDefend uses SHA256 for checksumming applications. MD5 whilst being a bit faster than SHA256 is on the verge of being totally insecure, even for executables. Rather than wait for the day that a hacker manages to sneak past a faked MD5 hashed executable, it is better to prepare for the future now and make sure the checksum you are using doesn't have any known severe weaknesses.
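The two points made in this thread about checksumming, that the list can be re-hashed to see whether anything has changed and that entries for programs no longer on the system can be cleaned out, and that SHA-256 rather than MD5 is the digest to use, come together in the following added example. It is not AppDefend's code; it builds a constructed set of sample files in a temporary directory, records a SHA-256 baseline, then modifies one file and deletes another to show how a re-check reports each entry. The file names and contents are made up for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large executables don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Map each listed path to its current SHA-256 digest."""
    return {str(p): sha256_file(p) for p in paths}


def check_baseline(baseline: dict) -> dict:
    """Re-hash every entry and report it as ok, changed or missing."""
    report = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_file(path) != digest:
            report[path] = "changed"
        else:
            report[path] = "ok"
    return report


def prune_missing(baseline: dict) -> dict:
    """Drop entries whose executable is no longer on the system (the list-cleaning step)."""
    return {p: d for p, d in baseline.items() if os.path.exists(p)}


def demo() -> dict:
    """Constructed scenario: three sample 'executables', one patched and one removed after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        app, tool, old = d / "app.exe", d / "tool.exe", d / "old.exe"
        app.write_bytes(b"MZ constructed sample 1")
        tool.write_bytes(b"MZ constructed sample 2")
        old.write_bytes(b"MZ constructed sample 3")

        baseline = build_baseline([app, tool, old])

        tool.write_bytes(b"MZ constructed sample 2 patched")  # simulate an updated binary
        old.unlink()                                          # simulate an uninstalled program

        report = check_baseline(baseline)
        pruned = prune_missing(baseline)
        return {
            "report": {Path(p).name: status for p, status in report.items()},
            "entries_after_prune": len(pruned),
        }


if __name__ == "__main__":
    print(demo())  # {'report': {'app.exe': 'ok', 'tool.exe': 'changed', 'old.exe': 'missing'}, 'entries_after_prune': 2}
```

A "changed" result is the signal to re-examine the program before its stored permissions are honoured again; the baseline itself should live somewhere the protected applications cannot write, otherwise a tampered binary could also rewrite its own expected digest.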
Paranoid2000
November 19th, 2005, 12:14 PM
-{ Quote: "...Windows Message handling is still up in the air whether I will add it or not in the near future. The way it was done in ProcessGuard I am not happy about due to the way it has to be done in usermode, and can cause application instability. I have been researching better ways to protect this rather vulnerable area, so there is some hope it can be achieved in a secure, stable and fast fashion." }-
That's good to hear. While PG is currently the only program to offer human verification, it does have its downsides (popping up when responding to program prompts notably) so an improvement addressing this would be very attractive.
-{ Quote: "AppDefend does take into account the commandline if you add it, when processing permissions which removes the RUNDLL and SVCHOST issues which plague PG and the other similar security applications. The alert will also automatically take the commandline for those particular processes when auto remembering (not implemented yet, will be in next build)." }-
Given the number of programs that can run others or perform variable actions from the command line (Start, Cmd, Mshta, etc) some form of "generic" parameter handling would be nice (e.g. parsing to pick out any other executable files listed as parameters and checking their permissions separately, a whitelist of known "good" parameters like the RunDLL parameter list here (http://www.tburke.net/info/rundll.htm) or an "allow with these parameters" option for users to decide).
tuatara
November 19th, 2005, 01:43 PM
Congratulations Jason,
A very impressive piece of software,
it is fast, stable and a very innovative Security Application,
which I think is a must-have!
After all those years I have been working in ICT, I only see the development
of things slowing down.
Like waiting 6 years for a new Windows release.
It is nice to see, that things can be different.
This makes working in this field fun!
Why not add Ghostwall in the Security Suite?
:D
Jason_R0
November 19th, 2005, 01:52 PM
-{ Quote: "Congratulations Jason,
A very impressive piece of software,
it is fast, stable and a very innovative Security Application,
which I think is a must-have!
After all those years I have been working in ICT, I only see the development
of things slowing down.
Like waiting 6 years for a new Windows release.
It is nice to see, that things can be different.
This makes working in this field fun!
Why not add Ghostwall in the Security Suite?
:D" }-
Ghostwall might be included in GSS one day, depending on certain things. It will however always remain a free firewall. :)
controler
November 19th, 2005, 02:04 PM
Nice job Jason
I know there is a new PG beta 3200b2. I wonder if there will be any posting about the enhancements of it here?
I still think the suite is the way to go.
controler
Jason_R0
November 19th, 2005, 02:04 PM
I have put up a "work in progress" webpage for AppDefend :-
http://www.ghostsecurity.com/index.php?page=appdefend
When the final release occurs, it will be updated with more information. :)
Pilli
November 19th, 2005, 02:20 PM
Hi controler, not sure why anyone would want to post about PG's new updates in the AppDefend forum; they are two different products from non associated vendors?
Cheers. Pilli :)
xmen
November 19th, 2005, 02:47 PM
Indeed.
I always thought that Wilders would only support only one product of each kind with a dedicated forum. eg One AV, One Firewall, etc
For the first time, we actually have 2 products that are directly competing, each with their own dedicated forums.
Well okay some could claim Ghostwall competes with Looknstop, but I don't think so not without app control.
It will be interesting to watch, developments, will people abandon PG in droves for Appdefend? As noted most people who own RD, also own PG.
Will Diamond CS, strike back, and come up with their RegistryGuard to match RegistryDefend?
Interesting days.
Jason_R0
November 19th, 2005, 02:51 PM
-{ Quote: "Indeed.
I always thought that Wilders would only support only one product of each kind with a dedicated forum. eg One AV, One Firewall, etc
For the first time, we actually have 2 products that are directly competing, each with their own dedicated forums.
Well okay some could claim Ghostwall competes with Looknstop, but I don't think so not without app control.
It will be interesting to watch, developments, will people abandon PG in droves for Appdefend? As noted most people who own RD, also own PG.
Will Diamond CS, strike back, and come up with their RegistryGuard to match RegistryDefend?
Interesting days." }-
I'd think NOD32 and TDS-3 were competing long before GhostWall and LooknStop. :)
Xmen
November 19th, 2005, 02:57 PM
-{ Quote: "I'd think NOD32 and TDS-3 were competing long before GhostWall and LooknStop. :)" }-
Well in those days, TDS-3 was positioned as an anti-trojan that is complementary to antivirus... In particular NOD32.
I still remember a traditional line going around this forum used commonly by NOD32 fans back then, "We don't do antitrojans go get TDS-3 for that".
Jason_R0
November 19th, 2005, 03:04 PM
-{ Quote: "Well in those days, TDS-3 was positioned as an anti-trojan that is complementary to antivirus... In particular NOD32.
I still remember a traditional line going around this forum used commonly by NOD32 fans back then, "We don't do antitrojans go get TDS-3 for that"." }-
Yes, that is how NOD used to act until they realized they must handle anti trojans also if they want to increase their customer base. NOD nearly from the start competed very well with WormGuard's heuristics also.
Look n Stop is adding "PG like features" as are other firewalls. If you can look at where a lot of companies are heading, it all seems to be towards one common point. The question just is, who can do it better and first? :)
JW Clements
November 19th, 2005, 03:14 PM
-{ Quote: "Exellent piece of software!! ;D ;D
Go george!!
Thanks Jason!!" }-
Well George, I just bought the Unlimited Home licence. Price is fair, for me, hope it helps you. If this is soon to be available, I'll also recommend it to a friend who's just spent $175, twice, to get his system recovered from malware.
So now I'll be checking for the Final.
Does this involve getting an e-mail key?
Jim Clements
Pilli
November 19th, 2005, 03:20 PM
Hi Jim, I also bought the unlimited version today :) Usually the key is tied to your name and email and should stay the same when the full version is released. If not, a simple request with your purchase details emailed to GS will get you another.
Pilli
Triple Helix
November 19th, 2005, 03:22 PM
-{ Quote: "Well George, I just bought the Unlimited Home licence. Price is fair, for me, hope it helps you. If this is soon to be available, I'll also recommend it to a friend who's just spent $175, twice, to get his system recovered from malware.
So now I'll be checking for the Final.
Does this involve getting an e-mail key?
Jim Clements" }-
George Who? ;D ;D
I also bought the Unlimited Home licence. I was hooked the very moment I installed it!! And also Jason's excellent support!!
Cheers,
Daniel
controler
November 19th, 2005, 03:23 PM
pilli
I only mentioned it since some posters were wondering the advantage of Appdefend over PG.
I own 2 licenses for PG only because TDS-4 was canceled.
I also own RegDefend and love it.
I am going to try out AppDefend also. I believe Jason is on the right track ;)
controler
tuatara
November 19th, 2005, 03:24 PM
And I thought that I was a fast buyer today,
perhaps I must ask Jason if it is possible to auto-buy his new products.
;D
Pilli
November 19th, 2005, 03:34 PM
-{ Quote: "And I thought that I was a fast buyer today,
perhaps I must ask Jason if it is possible to auto-buy his new products." }-
Hmm, Just leave all your credit card details with me and I will arrange it for you, no problem 8) ;)
controler
November 19th, 2005, 03:35 PM
Ok loaded it up.
I am guessing the paid version doesn't merge with this version of RegDefend?
You ask to uninstall it first.
controler
berng
November 19th, 2005, 03:39 PM
All right. I'm convinced. I bought the unlimited home license, even though it's a beta. Very impressive product. Also, ordering was so quick. Three minutes between order time and license receipt. :D
controler
November 19th, 2005, 03:43 PM
Is there a way to clear the ALERTS?
Pilli
November 19th, 2005, 03:50 PM
-{ Quote: "Is there a way to clear the ALERTS?" }-
The simplest way is to close the GUI using Exit and reopen ATM.
You can also adjust what is logged in the AD config permissions for each application. Some are set to logging as a default.
controler
November 19th, 2005, 03:59 PM
pilli
I close the app, restart it and all the alerts are still there; my ability to edit permissions is gone, trying to click the check boxes is gone. I am running MS shared toolkit and have a lot of alerts for find and cmd exes using the shared toolkit. The alerts are in PG also.
So the alert screen fills up fast. I want to be able to clear the alert screen.
Also tried this with the new Sony rootkit. It appears to stop it but there is no way to go back and allow once stopped and no record in the alert screen.
Tatersalad
November 19th, 2005, 04:08 PM
Hi,
I'm running x64 Pro; does AppDefend support it? And if so, since global hooks are no longer used in x64, would it be of any worthwhile use?
controler
November 19th, 2005, 04:13 PM
Feature in PG that i like
Look at screen shot please.
controler
November 19th, 2005, 04:14 PM
screen shot
tuatara
November 19th, 2005, 05:21 PM
Pilli wrote:
-{ Quote: " Hmm, Just leave all your credit card details with me and I will arrange it for you, no problem" }-
Thanks Pilli, i knew i could count on you.
;D
oh cerditcards
November 19th, 2005, 05:36 PM
Stop the credit card details and focus on the issues please.
hollywoodpc
November 19th, 2005, 05:48 PM
Was wondering if this may be a problem, Jason?
Just do not want you to have any problems with Oracle.
Peter2150
November 19th, 2005, 08:52 PM
-{ Quote: "Feature in PG that i like
Look at screen shot please." }-
Hi Controler
I would suspect that you won't see anything that looks like PG added to Jason's product. Reason should be apparent.
Pete
controler
November 20th, 2005, 09:16 AM
Hey Peter
Yup I know it shouldn't look like PG. All I was saying is I was not able to 1. see the alerts where I disallowed the driver install and second I could not get the Alerts window to clear. In my case shutting down the GUI and restarting it won't clear the Alerts window. Some keep a log by day or week. And clearing the window doesn't clear the log. Being able to pull up old logs is a nice feature also.
Let's say you are gone for a few days and would like to look the log over by a certain day. No need to sift the whole log.
I know it is Beta. I also like the GUI.
I will mess with it more today.
controler
tony62
November 20th, 2005, 01:59 PM
Excellent piece of software, complete control of my system in one ;D
BTW, is password protection going to be available???
xmen
November 20th, 2005, 02:09 PM
-{ Quote: "Yes, that is how NOD used to act until they realized they must handle anti trojans also if they want to increase their customer base. NOD nearly from the start competed very well with WormGuard's heuristics also." }-
That's true. Though TDS backed out of the competition. Making the whole point moot.
-{ Quote: "
Look n Stop is adding "PG like features" as are other firewalls. If you can look at where a lot of companies are heading, it all seems to be towards one common point. The question just is, who can do it better and first? :)" }-
Well, that's very true. "PG like features" are getting pretty common, even in antiviruses and firewalls. Not to mention the standalones like online Armor.
Still you must admit, AppDefend does compete with PG head-on, with pretty much (say 90-95%) the same feature set. Looking at the list of the top 5 reasons you wrote why to get AppDefend over PG, I don't see any real big changes, just improvements like SHA256 hashing, better interface, speedups and the controlling of network access.
Don't get me wrong, I'm sure "under the hood" it's a lot of work, but essentially PG and appdefend can be compared directly far more so than with say another product like Online Armor, Prev1, not to mention firewall or antiviruses with PG like features which are even less similar.
I would guess, your experience working on PG made doing Appdefend a lot easier. I'm surprised Diamond CS didn't have some kind of clause restricting you from competiting with them in this area when you left them at least for say x years.
I suppose it would be similar to someone working in an antivirus company, leaving to start his own.
Not that I'm complaining mind you, I like competition I'm sure Diamond CS will feel the pressure to improve PG in light of the competition with Appdefend.
JAMES 246
November 20th, 2005, 04:17 PM
The arrival of AppDefend is very good for the "Security Scene" but probably not good for Diamond CS. Since Jason left Diamond CS they have dumped their Anti Trojan Product and seemed to have concentrated very much on tweaking improvements to Process Guard which was and maybe still is a World Beating Product. Along comes AppDefend and it looks to already have the potential to eclipse PG, but a fairer comparison can be made when both come out of Beta. At the very least AppDefend is a serious threat to a major revenue stream for Diamond CS.
Many PG users may stay with that product since upgrading is free, this however does not generate future revenue for Diamond CS, to obtain future revenue they will have to compete with AppDefend in a market where the potential buyer is likely to have more security knowledge than the average Joe and is therefore likely to be very intelligent with the judgements they make before purchasing.
So which one wins between these two fabulous products - my gut feeling is that AppDefend will in the future come out on top, and that Jason has raised the bar with his product.. I guess time will tell, and maybe we will have to wait say 6-12 months for AppDefend 2.0 Versus ProcessGuard 4.0
Don Pelotas
November 21st, 2005, 10:02 AM
Forgive me if i have missed this, but:
What is "Ghost security suite".
A. AppDefend + RegDefend?
B. Does AppDefend include RegDefend or will i have to buy licenses for both.
C. Will there be added other options in this suite, before it's "finished" ? :)
Pilli
November 21st, 2005, 10:18 AM
Hi Don, They are two different products within the GS Suite, both require separate licences ATM.
Jason has said that the AppDefend beta still has features to be added
HTH
Reve_Etrange
November 21st, 2005, 11:12 AM
Why should learning mode not be useful anymore? Go install cygwin on your machine and see if you don't want learning mode :-) Even gimp with its umpteen modules is a pain to install/upgrade with PG.
IMHO, a way to say "ok I trust this app (ie. the exe and its children), don't ask me zillion times for god sake" would be very welcome. In the same vein, "ok I modified this app voluntarily, don't ask me again for the next 5min" would be nice.
Will add this to wishlist....
-RE
Don Pelotas
November 21st, 2005, 11:17 AM
-{ Quote: "Hi Don, They are two different products within the GS Suite, both require separate licences ATM.
Jason has said that the AppDefend beta still has features to be added
HTH" }-
Hi Pilli & thank you. So $60 or more when finished? Hmm.....but maybe there will be a discount if you buy the full suite when finished? It does seem like a nice suite IMO.:)
Defenestration
November 21st, 2005, 06:04 PM
Hi Don,
With the 15% discount currently on offer for both products (if you sign up as a member at www.ghostsecurity.com), you can get the GSS:
Single licence (Unlimited home PC's) for US$67.90
Single licence (Single home PC) for US$49.90
Since these discounts may be reduced in the (near) future, you may want to buy them now since they both come with unlimited lifetime upgrades, and Jason does seem rather good at updating/improving his products.
Jason_R0
November 22nd, 2005, 01:23 AM
-{ Quote: "Excellent piece of software, complete control of my system in one;D
BTW, is password protection going to be available???" }-
Hi Tony,
Yes password protection will be added very soon (private beta testers have been wanting this for a long time too :) ).
Don Pelotas
November 22nd, 2005, 08:24 AM
-{ Quote: "Hi Don,
With the 15% discount currently on offer for both products (if you sign up as a member at www.ghostsecurity.com), you can get the GSS:
Single licence (Unlimited home PC's) for US$67.90
Single licence (Single home PC) for US$49.90
Since these discounts may be reduced in the (near) future, you may want to buy them now since they both come with unlimited lifetime upgrades, and Jason does seem rather good at updating/improving his products." }-
Thanks Defenestration, i completely missed that.:)
[suave]
November 22nd, 2005, 12:25 PM
OMG what an amazing piece of software this is, Jason!
Excellent work!
One question; Why must I install Ghost Security Suite for using appdefend? In the future, will you make it a stand-alone product like PG?
I don't use RegDefend and I don't really need Ghost Security Suite because all I want to use is AppDefend instead of PG.
Does this make sense? ;)
Jason_R0
November 22nd, 2005, 12:44 PM
-{ Quote: "OMG what an amazing piece of software this is, Jason!
Excellent work!
One question; Why must I install Ghost Security Suite for using appdefend? In the future, will you make it a stand-alone product like PG?
I don't use RegDefend and I don't really need Ghost Security Suite because all I want to use is AppDefend instead of PG.
Does this make sense? ;)" }-
Hi Suave, it does make sense which is why you can "DISABLE" RegDefend and never have to worry about it. :)
The amount of resources used having both components is very minimal over one or the other. However since most of my customers will use both it doesn't make sense to split it up into 2 separate processes and save a few kilobytes of disk space for people who will use only one. Hope that makes sense. :)
xmen
November 22nd, 2005, 01:03 PM
Jason that's interesting news. So for those of us who currently want only and have regdefend, eventually we have to update to a version that has appdefend built in?
rdsu
November 22nd, 2005, 01:31 PM
I would prefer to have separated programs to use only what I want...
If I would like to use both, in this way the Ghost Security Suite makes sense...
Jason_R0
November 22nd, 2005, 02:29 PM
-{ Quote: "Jason that's interesting news. So for those of us currently want only and have regdefend, eventaully, we have to update to a version that has appdefend built in?" }-
Hi xmen,
Yes all future components will be bundled together, with the user selecting which components will be active from the kernel layer. When you disable AppDefend for instance, it is effectively the same as not having it there in the first place.
Even though it may be "grayed" and in the GUI, the extra few kilobytes it adds to your memory usage and disk usage is minimal.
[suave]
November 22nd, 2005, 03:11 PM
I don't know, I'd rather purchase this program as a separate application, just like GhostWall.
I like things very simple, and since I don't use regdefend, I don't want to be bothered with the whole Ghost Security Suite thing and looking at all those extra things/features/options that I don't need.
I must admit though, the Ghost Security Suite is great for people that use all your apps simultaneously. But for people like me, I guess I'd rather just have a simple little stand-alone application called AppDefend running in my system tray to replace PG and supplement GhostWall.
I really really really don't want to have to use the whole ghost security suite just for AppDefend. It's not a matter of saving space/memory... it's just the fact that I have things there that I don't need that irks me :(
Kerodo
November 22nd, 2005, 06:18 PM
I have to agree with that 100%..
And another thing that I think has to go is the whole nag screen concept. I don't think you're going to really "nag" anyone into buying your software. In fact, typically, whenever I see something like that, I immediately dump the software, even if it's good. I just don't like seeing that stuff in an app. I think it cheapens the product. A simple 30 day trial is enough, just have it stop working after 30 days, or 15 or whatever you like. Nagging is useless..
Paranoid2000
November 22nd, 2005, 06:35 PM
-{ Quote: "I really really really don't want to have to use the whole ghost security suite just for AppDefend. It's not a matter of saving space/memory... it's just the fact that I have things there that I don't need that irks me :(" }-I suspect the reason for this setup is to minimise the hooking needed of the Windows kernel. With just one overall security program (albeit with multiple components), only one set of hooks is needed reducing the likelihood of conflicts.
This brings up an idea for the next component - HookDefend! ;D Protect existing security applications from being de-hooked by malware or utilities like SDTRestore! See which applications are intercepting Windows functions and be able to check for previously installed rootkits! (with eyepatch included for all budding pirates ... Yar!).
PS. I know Physical Memory access control can block hooking, but there are enough applications out there that seem to need PhysMem access (games, Java, etc) to make specific hook monitoring useful.
xmen
November 22nd, 2005, 07:31 PM
-{ Quote: "I suspect the reason for this setup is to minimise the hooking needed of the Windows kernel. With just one overall security program (albeit with multiple components), only one set of hooks is needed reducing the likelihood of conflicts." }-
Yes it would make things simpler for jason too I expect, rather than juggling several separate programs, different versions etc. But it's not very elegant for people who don't want the full set. Or perhaps people are afraid their resistance will be worn down, day after day of looking at the incomplete set.
-{ Quote: "
This brings up an idea for the next component - HookDefend! ;D Protect existing security applications from being de-hooked by malware or utilities like SDTRestore! See which applications are intercepting Windows functions and be able to check for previously installed rootkits! (with eyepatch included for all budding pirates ... Yar!).
" }-
Hookdefend should be able to protect itself from being dehooked no?
Jason_R0
November 22nd, 2005, 09:05 PM
-{ Quote: "I must admit though, the Ghost Security Suite is great for people that use all your apps simultaneously. But for people like me, I guess I'd rather just have a simple little stand-alone application called AppDefend running in my system tray to replace PG and supplement GhostWall.
I really really really don't want to have to use the whole ghost security suite just for AppDefend. It's not a matter of saving space/memory... it's just the fact that I have things there that I don't need that irks me :(" }-
Hi [suave],
If you take a look at the "whole Ghost Security Suite" as it is now, it is barely over 1MB for the installer. Ghost Security Suite is "a simple little stand alone application" which allows you to see alerts from multiple components. Functionally there is no difference if the RegDefend component was there or not. In fact if the window title said "AppDefend" instead of "Ghost Security Suite" and there wasn't a little picture of "RegDefend" on the main tab, I'd suspect I wouldn't be hearing a complaint from you?
Until there is some real substance behind why you want it into a separate process, there isn't much I can do to help you with it.
Jason_R0
November 22nd, 2005, 09:18 PM
-{ Quote: "I have to agree with that 100%..
And another thing that I think has to go is the whole nag screen concept. I don't think you're going to really "nag" anyone into buying your software. In fact, typically, whenever I see something like that, I immediately dump the software, even if it's good. I just don't like seeing that stuff in an app. I think it cheapens the product. A simple 30 day trial is enough, just have it stop working after 30 days, or 15 or whatever you like. Nagging is useless.." }-
Hi Kerodo,
If only there was some registry setting which I could lookup on the system to solve this problem :-
Won't_buy_shareware_if_a_nag_screen_appears
Then people like you could set that to "1" and no shareware would ever nag you again.
In all seriousness however, nag screens are proven to help people purchase software. Before I had George the Ghost on the machine, there wasn't even one message/nag when your TRIAL version turned into the FREE version. This means legitimate users might not have known it expired and thought it was free forever. In the final version the nag screen will only appear 2-3 times a month at maximum, in this build it appears every time you start the program.
The reason why I chose to do "George the Ghost" is to lessen the impact of nagging the user by hopefully lightening up the situation with a little comedy. Looking at it from a purely technical perspective I can understand how it could "cheapen" the product. I don't take myself so seriously however that I am unable to poke fun at myself.
Paranoid2000
November 22nd, 2005, 09:30 PM
-{ Quote: "If only there was some registry setting which I could lookup on the system to solve this problem :-
Won't_buy_shareware_if_a_nag_screen_appears
Then people like you could set that to "1" and no shareware would ever nag you again." }-Ah, but would RegDefend alert on this? :D
[suave]
November 22nd, 2005, 09:54 PM
-{ Quote: "Hi [suave],
If you take a look at the "whole Ghost Security Suite" as it is now, it is barely over 1MB for the installer. Ghost Security Suite is "a simple little stand alone application" which allows you to see alerts from multiple components. Functionally there is no difference if the RegDefend component was there or not. In fact if the window title said "AppDefend" instead of "Ghost Security Suite" and there wasn't a little picture of "RegDefend" on the main tab, I'd suspect I wouldn't be hearing a complaint from you?
Until there is some real substance behind why you want it into a separate process, there isn't much I can do to help you with it." }-
Jason, it looks sloppy, that's all. It makes me feel like it is installing all these extra things that I don't want.
Look, if I pay for AppDefend, I'd like it to be its own stand-alone program. In fact, I think all your software should be stand-alone. Maybe you can have the ghost security suite be optional for people who use more than 1 of your software? This way you can make both sides happy.
Anyways, I am using the trial now, and it just bothers me to see the whole RD and GSS there. I feel like there are extra things there that I don't want and also like the AppDefend software that I will purchase in the future is not complete because of all these extra things in there that are disabled and serving absolutely no purpose other than a decoration...
At first I thought I was crazy when I posted this the first time. But now I know that I am not because I see other people here are agreeing with me.
What we want is what we pay for. That's all.
I know it is exactly the same thing to have GSS with AD as a component or just plain AD as a stand-alone application, but it's just annoying looking at all that extra stuff that came bundled with the software I bought that serves me no purpose. It makes me feel like it is incomplete, and it just bothers me.
I don't know if I am explaining this right. And please don't take this the wrong way either. Your work is amazing and I hope you keep up the excellent work and surprise us with more excellence in the future.
And btw, I am not complaining. It is just a matter of preference. The software itself is a wonderful little piece of work. Maybe you can think about making GSS an optional thing for those who want it.
Peter2150
November 22nd, 2005, 10:35 PM
Hi Suave
In a way I understand, even though I like the Ghost Suite. If by chance you use KAV 5.0 and haven't seen the KAV 2006 beta, you will think the Ghost suite is just a light cloud in the breeze. That seems to be the trend. Compare what jason has stuffed in a 1MB download, and the KAV beta is 10MB for just supposedly an AV.
Pete
[suave]
November 22nd, 2005, 10:59 PM
Pete, I wouldn't touch KAV with a 10 foot pole. I tried NOD32 and even that was too much for me. I use f-prot now which takes up about 1,500k in memory in only 1 process and I am starting to hate that too and I have no idea why.
I'm real picky with the things I install and hate things that are too big and I really don't like all-in-one security type apps. I love Jason's work so that's why I make my comments. All the other products can go to hell.
Reve_Etrange
November 23rd, 2005, 03:40 AM
Some ppl like this, others like that... If you have to content everybody, especially if there's no tangible argument beyond "I don't like it that's all", I suppose you must spend your life tweaking cosmetic things.
-RE
enduser
November 23rd, 2005, 08:08 AM
Hi all,
how about having a poll then, at least we have some data how many like or dislike.;D
Reve_Etrange
November 23rd, 2005, 08:20 AM
Yeah why not.
-RE
Peter2150
November 23rd, 2005, 08:39 AM
-{ Quote: "Pete, I wouldn't touch KAV with a 10 foot pole. I tried NOD32 and even that was too much for me. I use f-prot now which takes up about 1,500k in memory in only 1 process and I am starting to hate that too and I have no idea why.
I'm real picky with the things I install and hate things that are too big and I really don't like all-in-one security type apps. I love Jason's work so that's why I make my comments. All the other products can go to hell." }-
Hi Suave
I hear you. I don't install all of KAV as when I didn't use F-Prot I didn't install all of it. But a couple of points. Of course we haven't seen F-Prot 4.0 yet either.
1. I totally agree with you about too big. Trick is to find many/any apps, even standalone, that are as small as Ghost gss is right now.
2. I totally agree with you about all in one apps. I've tried the beta of KIS2006 and it never stays on my machine. One reason, is I like to disable my AV when I do things like backup. But, and this is a typical example. KAV, I can disable. With KIS I can't right click the Icon and suspend like KAV cause I'd shut down the firewall, so I would have to open it and turn off AV. Pain in the butt. Jason has made it easy to disable each component, so this isn't an issue. What would be a good idea is to be able to do it with a right click on the tray icon.
I certainly would vote for this approach, because it technically lends towards stability and this is a problem many vendors have with kernel mode.
Pete
Paranoid2000
November 24th, 2005, 10:12 AM
-{ Quote: "I use f-prot now which takes up about 1,500k in memory in only 1 process and I am starting to hate that too and I have no idea why." }-F-Prot doesn't allow you to exempt specific files from scanning which can cause problems with software that continually writes to logfiles (e.g. firewalls and process protection software like PG/AD). The kicker here is that the CPU utilisation occurs via a file-access hook so gets charged to the application concerned rather than the anti-virus scanner.
If CPU utilisation is a problem for you then maybe going back to NOD32 and configuring more exceptions would be a better solution (SysInternals' FileMon (http://www.sysinternals.com/Utilities/Filemon.html) utility is great for identifying frequently-accessed files).
Reve_Etrange
November 24th, 2005, 11:35 AM
Good point.
tony62
November 24th, 2005, 06:15 PM
-{ Quote: "
If CPU utilisation is a problem for you then maybe going back to NOD32 and configuring more exceptions would be a better solution (SysInternals' FileMon (http://www.sysinternals.com/Utilities/Filemon.html) utility is great for identifying frequently-accessed files)." }-
Agreed P2K, this is my method in maximizing my resource consumption........... A correctly configured machine.
Defenestration
November 24th, 2005, 06:44 PM
Between the 2 GSS processes, it uses approx 15.5 MB which seems a bit excessive to me. This is after the system has been left running for approx 2 hours and is the same as when the system first started. This is also with both RD and AD disabled. Is this normal ?
EDIT: First mem column is Mem Usage, second is Peak Mem Usage and third is VM Size.
nick s
November 24th, 2005, 09:05 PM
-{ Quote: "Between the 2 GSS processes, it uses approx 15.5 MB which seems a bit excessive to me. This is after the system has been left running for approx 2 hours and is the same as when the system first started. This is also with both RD and AD disabled. Is this normal ?
EDIT: First mem column is Mem Usage, second is Peak Mem Usage and third is VM Size." }-Hi Defenestration,
The processes in your screenshot are not related to GSS. You should be seeing only one GSS process: gss.exe. The screenshot below is typical of how GSS performs on my four XP systems. The screenshot was taken after 60 hours uptime.
Nick
Paranoid2000
November 24th, 2005, 09:17 PM
-{ Quote: "The processes in your screenshot are not related to GSS." }-Indeed, the twin avp.exe's are Kaspersky - KAV2006 I'd guess. ;)
Defenestration
November 24th, 2005, 09:39 PM
Oops! I took the screenshot of the wrong process (KIS2006). :)
However, GSS definitely has 2 gss.exe processes on my system, and they both disappear when I exit GSS. I believe the two processes help with self-protection.
That said, my original comment stands about mem usage of the gss.exe processes. While it's now gone down to about 6.5MB, it stayed at around 15.5MB (as shown by Peak Mem usage) for quite a while.
Is this normal ?
Kegel
November 24th, 2005, 11:10 PM
-{ Quote: "Oops! I took the screenshot of the wrong process (KIS2006). :)
However, GSS definitely has 2 gss.exe processes on my system, and they both disappear when I exit GSS. I believe the two processes help with self-protection.
That said, my original comment stands about mem usage of the gss.exe processes. While it's now gone down to about 6.5MB, it stayed at around 15.5MB (as shown by Peak Mem usage) for quite a while.
Is this normal ?" }-
You ever look at other security apps? Mcafee VS is using over 30 megs as i type this and spysweeper over 25. 15 megs is nothing. I bet IE is using over 40 for you right now...assuming you are using IE. Firefox probably even more.
Defenestration
November 25th, 2005, 03:33 AM
I have tested quite a few different security apps and dislike SpySweeper and CounterSpy 1.5 because they are big time memory hogs (near 50 megs for SS, and approx. 60 for CS on my system). This is poorly programmed software and I don't use it.
I have been impressed with TrojanHunter since the Guard only uses approx. 6 MB. KIS 2006 is usually pretty good too and tends to settle at around 8-10MB.
I don't use IE, instead preferring Firefox, and while it is a bit of a memory hog I don't have to run it all the time. Also, a browser has to display lots of images and do layout of pages. I expect anything that has to be permanently running to be very efficient.
Since GSS prides itself on low resource use, I would've expected memory usage to be lower than this.
Pilli
November 25th, 2005, 04:16 AM
Defenestration, Peak memory usage does not mean a lot; as you can see the basic memory usage of GSS is relatively low, the smaller process shown is just GSS.exe's self protection BTW.
Looking at how much CPU GSS uses over time will give you a better indication of how light GSS really is.
HTH Pilli :)
tlu
November 25th, 2005, 07:22 AM
-{ Quote: "Hi Paranoid2000,
Termination protection isn't currently handling "Windows Messages" or "End Task" . End Task will be added soon, whilst Windows Message handling is still up in the air whether I will add it or not in the near future. " }- Will this also include protection against all APT kill methods? I tested APT with Firefox 1.5, and AD was not able to protect against kill 6-8.
Aside from that: Excellent application!
Pilli
November 25th, 2005, 08:34 AM
APT 6 & 7 are related to windows close messages which are not currently protected by the beta.
I do not know when Jason will implement those protections but I am sure he will get round to it :)
Pilli
tony62
November 25th, 2005, 11:14 AM
-{ Quote: "Oops! I took the screenshot of the wrong process (KIS2006). :)
However, GSS definitely has 2 gss.exe processes on my system, and they both disappear when I exit GSS. I believe the two processes help with self-protection." }-
Another possibility could be the GUI being one and the engine being the other.
I'm hoping that the engine will become a service in the near future, with the GUI being a startup entry. With the Engine running as a service we should see it getting loaded well before other startup entry processes.;)
james246
November 28th, 2005, 08:28 AM
Hi Jason,
Do you yet have any idea when AppDefend is likely to come out of Beta ?
Jason_R0
November 28th, 2005, 10:05 PM
-{ Quote: "Hi Jason,
Do you yet have any idea when AppDefend is likely to come out of Beta ?" }-
Hi James,
A few weeks is the best estimate I can give at this stage. Whilst the BETA is stable, there are some needed features still missing from it.
42go
November 29th, 2005, 01:31 AM
won't install, any suggestions?
http://img206.imageshack.us/img206/1284/what5xq.jpg (http://imageshack.us)
Jason_R0
November 29th, 2005, 02:04 AM
-{ Quote: "won't install, any suggestions?
http://img206.imageshack.us/img206/1284/what5xq.jpg (http://imageshack.us)" }-
Make sure you have uninstalled RegDefend prior to installing the beta. Also make sure any other security software is disabled when installing.
42g0
November 29th, 2005, 02:29 AM
I already did - now closed all security apps. No, it won't install.
42g0
November 29th, 2005, 02:31 AM
I chose "ignore" and it seem to be working.............
Jason_R0
November 29th, 2005, 02:35 AM
-{ Quote: "I chose "ignore" and it seem to be working............." }-
Being unable to set that value means there is security software blocking it. Since RegDefend blocks that area it is a common thing to happen if you haven't uninstalled RegDefend.
It should still work ok after a reboot even with that message in most cases anyhow.
Antarctica
November 29th, 2005, 11:53 AM
Hi Jason,
I am mixed, right now I have Ghost Security Suite V1.010 installed. If I want to try AppDefend, do I have to remove GSS first?
Thanks
Disciple
November 29th, 2005, 12:18 PM
-{ Quote: "Hi Jason,
I am mixed, right now I have Ghost Security Suite V1.010 installed. If I want to try AppDefend, do I have to remove GSS first?
Thanks" }-
That would be best, that way you will know how this beta will act/react on your system. Make sure you Export any Application Rules you have created in RegDefend before uninstalling GSS 1.010, then you can import them back into the beta and re-enable them.
Pilli
November 29th, 2005, 12:32 PM
Hi Antarctica, Yes you need to uninstall RD and reboot before installing the GSS Beta. :)
Pilli
Triple Helix
November 29th, 2005, 12:40 PM
-{ Quote: "Hi Jason,
I am mixed, right now I have Ghost Security Suite V1.010 installed. If I want to try AppDefend, do I have to remove GSS first?
Thanks" }-
That's right!! That is what I did and no problems!! Just reboot before installing the New Beta which has both Reg and AppDefend!!
HTH,
Cheers,
tuatara
November 29th, 2005, 12:58 PM
i am not Jason, but: "yes"
Antarctica
November 29th, 2005, 01:05 PM
Thanks guys for clarifying this.:) :)
Jason_R0
December 2nd, 2005, 04:37 AM
A new version of the AppDefend/RegDefend betas has been released, it is available through the auto updater.
Changes :-
-RUNDLL32 and SVCHOST are now added as rules based on their command lines (increased security for permanent rules)
-Fixed some tooltips
-Now show whether AppDefend or Regdefend has been disabled from the GUI in the statusbar
-Fixed clock showing incorrect 12 hour time
-Added more items to right click menu on systray, enabling you to set the PROFILE for AppDefend and RegDefend. Allows quick way to disable protection
-Changed the AppDefend Maintenance tab GUI
-Added "Update Checksum" and "Remove" buttons to the SHA256 checksum area
-Changed some icons and wording in the GUI
-Added Restore to Default option in AppDefend maintenance tab
-Now remember AppDefend's column order, widths and sorting preferences
-When adding an application in the AppDefend Maintenance tab it now switches to the permissions tab and selects the item
-Fixed keyboard navigation of AppDefend list in permissions tab
-Fixed bug in driver which occurred during some unique registry operations
-Some major memory optimizations to the GUI code, saved at least 1-2MB of memory usage
-Optimized starting up procedure to reduce memory usage
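The first changelog item above (RUNDLL32 and SVCHOST rules keyed on their command lines) reflects a distinction any process-control rule engine has to make: a host process's executable hash is identical whether it is loading a legitimate service group or something it should not, so a permanent rule keyed on the hash alone is too coarse. The Python sketch below is an added illustration, not code from GSS or from anyone in this thread; the ALLOW/BLOCK/ASK labels, the list of host processes, the command lines and the "image bytes" standing in for executables are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# Host executables whose behaviour depends on the command line, not the binary.
# Constructed list, modelled on the changelog's RUNDLL32/SVCHOST entries.
HOST_PROCESSES = {"rundll32.exe", "svchost.exe"}


@dataclass(frozen=True)
class Rule:
    image: str                     # lower-case file name the rule applies to
    sha256: str                    # hex SHA-256 of the executable when the rule was made
    action: str                    # "ALLOW" or "BLOCK" (assumed labels)
    cmdline: Optional[str] = None  # normalised command line; mandatory for host processes


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    image_bytes: bytes             # executable contents (constructed sample data below)
    cmdline: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalise_cmdline(cmdline: str) -> str:
    # Collapse whitespace and case so cosmetic variations neither bypass
    # nor spuriously fail a rule.
    return " ".join(cmdline.split()).lower()


def make_rule(image: str, image_bytes: bytes, action: str,
              cmdline: Optional[str] = None) -> Rule:
    image = image.lower()
    if image in HOST_PROCESSES and cmdline is None:
        # A hash-only rule for svchost/rundll32 would cover any payload they host.
        raise ValueError(f"rules for {image} must include a command line")
    return Rule(image, sha256_hex(image_bytes), action,
                normalise_cmdline(cmdline) if cmdline is not None else None)


def decide(rules: Iterable[Rule], event: ProcessEvent) -> str:
    """Return the action of the first matching rule, or "ASK" when none fits."""
    image = event.image.lower()
    digest = sha256_hex(event.image_bytes)
    cmd = normalise_cmdline(event.cmdline)
    for rule in rules:
        if rule.image != image or rule.sha256 != digest:
            continue   # different binary, or the file changed since the rule was made
        if rule.cmdline is not None and rule.cmdline != cmd:
            continue   # same host binary but a different payload: no permanent match
        return rule.action
    return "ASK"       # nothing matched: this is where the user would get a prompt


# Constructed stand-ins for executable contents; real rules would hash files on disk.
SVCHOST_IMAGE = b"constructed svchost.exe image bytes"
RUNDLL_IMAGE = b"constructed rundll32.exe image bytes"
NOTEPAD_IMAGE = b"constructed notepad.exe image bytes"

RULES = [
    make_rule("svchost.exe", SVCHOST_IMAGE, "ALLOW", "svchost.exe -k netsvcs"),
    make_rule("rundll32.exe", RUNDLL_IMAGE, "ALLOW",
              "rundll32.exe shell32.dll,Control_RunDLL"),
    make_rule("notepad.exe", NOTEPAD_IMAGE, "ALLOW"),   # ordinary app: hash alone suffices
]


def demo() -> dict:
    """Evaluate a few constructed process-creation events against RULES."""
    events = {
        "known service group": ProcessEvent("svchost.exe", SVCHOST_IMAGE, "svchost.exe -k netsvcs"),
        "same group, odd spacing": ProcessEvent("svchost.exe", SVCHOST_IMAGE, "  SVCHOST.EXE   -k NetSvcs "),
        "unknown service group": ProcessEvent("svchost.exe", SVCHOST_IMAGE, "svchost.exe -k unexpected"),
        "modified binary": ProcessEvent("svchost.exe", SVCHOST_IMAGE + b"!", "svchost.exe -k netsvcs"),
        "plain application": ProcessEvent("notepad.exe", NOTEPAD_IMAGE, "notepad.exe readme.txt"),
    }
    return {name: decide(RULES, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:26} -> {action}")
```

The point of the example is the "unknown service group" and "modified binary" cases: both fall through to ASK even though a permanent ALLOW rule for svchost.exe exists, which is what "increased security for permanent rules" in the changelog amounts to. Matching on a normalised command line rather than the raw string is a design choice; a stricter engine could compare the raw string, at the cost of more prompts for harmless spacing differences.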
siliconman01
December 2nd, 2005, 06:28 AM
Something seems amiss in the update. It downloads and then says it needs to shut down GSS...which it does. However, on restart, the new version is not applied. If I click on check for update again, it wants to redownload the new update.
Windows XP-SP2, GSS 1.100, AppDefend 1.000, RegDefend 2.050 with both AppDefend and RegDefend licensed and registered.
Jason_R0
December 2nd, 2005, 06:30 AM
-{ Quote: "Something seems amiss in the update. It downloads and then says it needs to shut down GSS...which it does. However, on restart, the new version is not applied. If I click on check for update again, it wants to redownload the new update.
Windows XP-SP2, GSS 1.100, AppDefend 1.000, RegDefend 2.050 with both AppDefend and RegDefend licensed and registered." }-
Hi Siliconman,
Does it restart itself or do you need to manually restart it?
siliconman01
December 2nd, 2005, 06:34 AM
I have to manually restart it. Maybe I'm not waiting long enough for it to restart itself?......only waiting about 30 seconds.
Jason_R0
December 2nd, 2005, 06:36 AM
-{ Quote: "I have to manually restart it. Maybe I'm not waiting long enough for it to restart itself?......only waiting about 30 seconds." }-
GSSUpdater.exe isn't being created for some reason or another. After you have downloaded the updates, close down the GUI and manually run gssupdater.exe and see if it works then.
I am looking into this as you aren't the only one to experience it.
siliconman01
December 2nd, 2005, 06:37 AM
Part of the download shows GSS64.exe while it is downloading? Is that the 64 bit version coming through?
Jason_R0
December 2nd, 2005, 06:43 AM
I wasn't taking into account the 64bit version when the updater was written, which is why for this one-off time, the 32bit users will download the 64bit version through the autoupdate process. The updater will delete the 64bit version if you are on 32bit however, and from then on with the newer gss.exe you will never download the 64bit version again.
Pilli
December 2nd, 2005, 06:44 AM
Hi Siliconeman, -{ Quote: "Is that the 64 bit version coming through?" }- I believe the update includes both versions and autoselects the correct OS
HTH Pilli
siliconman01
December 2nd, 2005, 06:46 AM
Manually executed Gssupdater. It forced a system reboot and now GSS is V1.110, AppDefend V1.000, RegDefend V2.050. Is that correct? The "check for update" no longer tries to download a new version.
Thanks much for the prompt assistance!
Jason_R0
December 2nd, 2005, 06:49 AM
-{ Quote: "Manually executed Gssupdater. It forced a system reboot and now GSS is V1.110, AppDefend V1.000, RegDefend V2.050. Is that correct? The "check for update" no longer tries to download a new version.
Thanks much for the prompt assistance!" }-
Hi Siliconman,
Those versions are correct yes. I won't be updating AppDefend's version in the beta until it is past a final release, but you can determine which beta version you are on from the Ghost Security Suite version number in the titlebar.
Glad to hear the update went ok after that, I'll try and fix having to manually run gssupdater.exe
siliconman01
December 2nd, 2005, 07:00 AM
Very nice changes in this update. Looks great!
Quick Question:
"-Now show whether AppDefend or Regdefend has been disabled from the GUI in the statusbar"
Should we see an icon change (color or X or whatever) if one of the processes is disabled? The right click menu does show disabled status.
Jason_R0
December 2nd, 2005, 07:09 AM
I have re-uploaded the install file which contains these updates for anyone having problems, and also for new users.
http://www.ghostsecurity.com/downloads/appdefend_betasetup.exe
Uninstall any previous version of Ghost Security Suite (RegDefend/AppDefend) prior to installing, if you have to use the installer.
Jason_R0
December 2nd, 2005, 07:10 AM
-{ Quote: "Very nice changes in this update. Looks great!
Quick Question:
"-Now show whether AppDefend or Regdefend has been disabled from the GUI in the statusbar"
Should we see an icon change (color or X or whatever) if one of the processes is disabled? The right-click menu does show disabled status." }-
I have left the changes of the actual icon until a later version, simply because it is going to be undergoing further changes.
meargh
December 2nd, 2005, 08:15 AM
When I'm on the log tab, and click Search History, nothing happens.
Pilli
December 2nd, 2005, 08:56 AM
HI meargh
Those buttons do not currently work in this beta. Logging has yet to be completed.
HTH Pilli :)
Jason_R0
December 2nd, 2005, 10:26 AM
Here is a screenshot from the improved maintenance tab.
Tatersalad
December 2nd, 2005, 01:46 PM
If I click the About tab, GSS 1.110 gives me this error message: http://users.adelphia.net/~mwh333/error1.jpg
isnogood
December 2nd, 2005, 02:22 PM
I did a clean uninstall of GSS and downloaded the new beta. The version numbers are ok, but "check for update" nag is present every time after reboot, informing there's new version available. Checksum is "failed" for gssupdater in appdefend itself, but there were no other gssupdater present in my system before the new install.
Second thing, the net access bug for Win2K is still there.
isnogood
meargh
December 2nd, 2005, 02:27 PM
Any chance the GSS interface could be made to suit 120 DPI a little better? It's really not so bad now, but there are a few spots where text gets cut off, button graphics don't fit, and so on. I can provide screen shots if need be.
berng
December 2nd, 2005, 02:39 PM
I can't find the AD and RD version numbers. Where are they?
Triple Helix
December 2nd, 2005, 04:21 PM
-{ Quote: "I can't find the AD and RD version numbers. Where are they?" }-
Home Page and Click About!!
HTH,
Disciple
December 2nd, 2005, 04:26 PM
-{ Quote: "I can't find the AD and RD version numbers. Where are they?" }-
The About dialog box title bar for each, AD & RD.
Atomas31
December 2nd, 2005, 05:43 PM
-{ Quote: "Something seems amiss in the update. It downloads and then says it needs to shut down GSS...which it does. However, on restart, the new version is not applied. If I click on check for update again, it wants to redownload the new update.
Windows XP-SP2, GSS 1.100, AppDefend 1.000, RegDefend 2.050 with both AppDefend and RegDefend licensed and registered." }-
Hi, I also have the same problems. Can someone explain to me how to solve this? I have seen that you should manually run the file gssupdater.exe; how do you do that???
Thanks,
Atomas31
tonyjl
December 2nd, 2005, 07:17 PM
Hi guys, have I missed an update or something? :( Looking at Triple Helix's post above (the one with the screenshot of the home page of GSS) I noticed the ver. is 1.110 whereas mine is 1.100, and also the tabs at the top are different.
Disciple
December 2nd, 2005, 07:56 PM
-{ Quote: "Hi guys, have I missed an update or something? :( Looking at Triple Helix's post above (the one with the screenshot of the home page of GSS) I noticed the ver. is 1.110 whereas mine is 1.100, and also the tabs at the top are different." }-
Yep, 1.110 was released today.
berng
December 2nd, 2005, 11:40 PM
-{ Quote: "The About dialog box title bar for each, AD & RD." }-
Duh. I did click ABOUT and somehow I missed seeing it at the top. Thanks.
meargh
December 3rd, 2005, 05:51 AM
-{ Quote: "Those buttons do not currently work in this beta. Logging has yet to be completed." }-I'm guessing the lack of a way to control logging is why GSS.EXE is taking 100 MB on my system, after running for about 9 hours. There are many, many entries related to my BitTorrent client...
meargh
December 3rd, 2005, 05:52 AM
-{ Quote: "There are many, many entries related to my BitTorrent client..." }-Which means I should disable logging for that event, but still, should be a way to control when entries are dropped off...
Paranoid2000
December 4th, 2005, 04:52 PM
-{ Quote: "This brings up an idea for the next component - HookDefend! ;D Protect existing security applications from being de-hooked by malware or utilities like SDTRestore! See which applications are intercepting Windows functions and be able to check for previously installed rootkits! (with eyepatch included for all budding pirates ... Yar!)." }-Going OT somewhat, while that previous post was somewhat tongue-in-cheek, it has occurred to me that most "hook/rootkit analysis" software only shows the entry point for system functions. If multiple security applications (or malware) are hooking the same call (resulting in a chain of hooks), a proper analyzer needs to follow this chain to identify each one and so far, none seem to do so - perhaps a good entry point for a new product?
tuatara
December 4th, 2005, 05:59 PM
Paranoid2000 wrote:
-{ Quote: "If multiple security applications (or malware) are hooking the same call (resulting in a chain of hooks), a proper analyzer needs to follow this chain to identify each one and so far, none seem to do so - perhaps a good entry point for a new product?" }-
A very good idea P2K, this would certainly give you a better idea of what is going on on your system.
But for me the next thing isn't clear yet: what will be the result if such a chain of hooks occurs? Does that mean that all apps that are hooking the same call still work as they would if they were the only one? Or is it something like: the last one is the only one that can hook a call?
If that last scenario is true, you can certainly have problems if you are using multiple anti-malware tools. And I don't even want to think about malware using the same hook calls. Then you certainly need your (Paranoid2000) invented program 'HookDefend'.
BTW: it would be a strange coincidence if programs like PG and AppDefend and KAV or TPF didn't use the same hook calls ????
Perhaps I have to run some tests with the mentioned apps to see if there is an overlap, by installing those one at a time and writing down the items found with a hook analyzer. ???
Defenestration
December 4th, 2005, 06:05 PM
I haven't analysed it in much detail, but I would hazard a guess that hooking occurs in a chained fashion. If not, then that is certainly bad design on MS's part, although in this case I'm reasonably certain they have done the right thing.
I'm sure Jason could chime in to let us know whether it's on an FCFS (first come, first served) basis, although I would also guess this is probably the most likely implementation when overlap occurs.
Paranoid2000
December 4th, 2005, 06:34 PM
-{ Quote: "But for me this is next thing isn't clear yet,
what will be the result, if such a chain of hooks will occur?" }-I'm pretty certain that each and every application hooking would run with the most recently installed going first.
Paranoid2000
December 4th, 2005, 06:40 PM
-{ Quote: "Then you certainly need your (Paranoid2000) invented program 'hookdefend'." }-Another interesting option would be to be able to selectively disable hooks. This would allow expert users to selectively enable/disable features (like background file scanning on anti-virus software) even if that ability was not offered by the software itself - and could allow for normally conflicting programs to run together by removing the hook triggering the conflict on one of them.
Hmmm... *dashes off to nearest Patent Office to make an application*
Jason_R0
December 4th, 2005, 11:15 PM
It is almost "impossible" to step through a chain generically, simply because each driver/application stores the pointer to the next in an unspecified location. If you knew all the offsets where these apps stored the pointer, then you could theoretically walk the chain and change its working order. Another way might be to disassemble code on the fly to work it out, or possibly even emulation, depending upon the way it was created. Either way, it isn't a simple thing to do. :)
Paranoid2000
December 5th, 2005, 12:20 AM
-{ Quote: "It is almost "impossible" to step through a chain generically, simply because each driver/application stores the pointer to the next in an unspecified location. If you knew all the offsets these apps stored the pointer, then you could theoritically walk the chain and change it's working order." }-SDTRestore (http://www.security.org.sg/code/sdtrestore.html) works by loading another copy of the ntoskrnl.exe into memory to find the original pointers. Couldn't this information be used to find the offsets for each hooking program? Alternatively, could stack backtracing be used to identify the entry points of every program hooking a function - or changing the interrupt called so that "HookDefend" could intercept every call made? (this would likely be pretty inefficient though).
Pardon me if I appear to be rambling, but this is starting to sound like an intriguing application.
Jason_R0
December 5th, 2005, 12:43 AM
-{ Quote: "SDTRestore (http://www.security.org.sg/code/sdtrestore.html) works by loading another copy of the ntoskrnl.exe into memory to find the original pointers. Couldn't this information be used to find the offsets for each hooking program? Alternatively, could stack backtracing be used to identify the entry points of every program hooking a function - or changing the interrupt called so that "HookDefend" could intercept every call made? (this would likely be pretty inefficient though).
Pardon me if I appear to be rambling, but this is starting to sound like an intriguing application." }-
The original pointer (found searching physical memory in SDTRestore) would only be stored once in the very first installed hook. It is up to each program to determine where it stores the pointer it grabs from any hook table, as such there is no standard way to retrieve that information.
Stack backtracing could be one alternative way to implement it, however it would be difficult to sort the wheat from the chaff, and it still doesn't allow you to change the chain order without modifying other kernel code, only to "know" what the order is. To change the chain order you need to change at least 2 offsets.
Hooking interrupts is another way to "be first" but it is costly, and it is also chained and hence suffers from the same real issues as SDT hooking (for this particular HookDefend application).
Paranoid2000
December 5th, 2005, 12:53 AM
Thanks for the reply Jason. I guess the best option would be to have a "hook monitor" feature which would be triggered when installing an application - this would then take before and after snapshots to identify what hooks, if any, the application added and this information could then be used for any future hook manipulation. This would only work from a clean install but should avoid any of the problems you mention.
Jason_R0
December 5th, 2005, 01:05 AM
-{ Quote: "Thanks for the reply Jason. I guess the best option would be to have a "hook monitor" feature which would be triggered when installing an application - this would then take before and after snapshots to identify what hooks, if any, the application added and this information could then be used for any future hook manipulation. This would only work from a clean install but should avoid any of the problems you mention." }-
The unfortunate issue with dealing with it in this manner is that you have to "rehook" the SDT or whatever you are hooking, every boot. And a driver in an installation may not be activated until the next boot, in which case you would also need a very early boot driver to be able to then monitor the areas you are interested in. I can see timing issues here making any such use of this as unreliable.
The best way that I can think of to go through the chain would be an emulation or disassembling of the code in question to find all the offsets. It is theoretically possible to walk the chain and modify it, but it is quite a bit of work and messing around to make sure that it would work and that it is stable. I have seen some competitors' drivers actually continue rewriting themselves into the SDT also (nice use of resources there), which means you would need to neuter any such driver from doing this if you wanted to make a successful modification.
Paranoid2000
December 5th, 2005, 01:20 AM
-{ Quote: "The unfortunate issue with dealing with it in this manner is that you have to "rehook" the SDT or whatever you are hooking, every boot. And a driver in an installation may not be activated until the next boot, in which case you would also need a very early boot driver to be able to then monitor the areas you are interested in. I can see timing issues here making any such use of this as unreliable." }-For before and after snapshots, timing should not be an issue. The "before" would be taken when the installer starts (this would probably require user action though, like selecting a "monitor this install" function) and the "after" would occur once the application was completely installed (which again would be at user request). As long as these snapshots are taken of one application install at a time, it should be possible to identify exactly what hooks each application is setting and their offsets.-{ Quote: "I have seen some competitors drivers actually continue rewriting themselves into the SDT also (nice use of resources there), which means you would need to neuter any such driver from doing this if you wanted to make a successful modification." }-This would certainly pose problems when modifying hooks - but couldn't this be tackled by creating a "shadow" SDT which would be affected by application read/writes with the real SDT only being updated when HookDefend decides to copy changes across?
Jason_R0
December 5th, 2005, 01:30 AM
-{ Quote: "For before and after snapshots, timing should not be an issue. The "before" would be taken when the installer starts (this would probably require user action though, like selecting a "monitor this install" function) and the "after" would occur once the application was completely installed (which again would be at user request). As long as these snapshots are taken of one application install at a time, it should be possible to identify exactly what hooks each application is setting and their offsets.
" }-
Well in theory it sounds that simple, however some drivers load earlier than others, unless there was a way to exactly manage the order in which drivers loaded every boot, the results of viewing what has been hooked could be haphazard and not conclusive to the last installed application.
-{ Quote: "This would certainly pose problems when modifying hooks - but couldn't this be tackled by creating a "shadow" SDT which would be affected by application read/writes with the real SDT only being updated when HookDefend decides to copy changes across?" }-
A shadow table (not to be confused with the win32k table) is a pretty good idea. To implement it however would require your driver to always be loaded first and before anything else has a chance to hook anything. You would then either need to modify Microsoft code, or change the original pointer to where the SDT table is and point it to your own. If you modified Microsoft code (some would consider this about 100 times worse than SDT patching) you would have better control over where to send various calls coming in (the shadow or real table for example).
Paranoid2000
December 5th, 2005, 02:26 AM
-{ Quote: "...some drivers load earlier than others, unless there was a way to exactly manage the order in which drivers loaded every boot, the results of viewing what has been hooked could be haphazard and not conclusive to the last installed application." }-Good point - some method of taking a snapshot between drivers loading would help, but this would probably involve even more hooking... :D-{ Quote: "...If you modified Microsoft code (some would consider this about 100 times worse than SDT patching) you would have better control over where to send various calls coming in (the shadow or real table for example)." }-Not to mention the joy of having to patch it with every Windows Service Pack or even hot fix. :( A better bet might be to modify code outside of Windows itself, like Ntldr - but the possibilities are perhaps best left to another thread. Time to leave this to get back on-topic. Thanks for your feedback. :)
tuatara
December 5th, 2005, 08:07 AM
-{ Quote: "A shadow table (not to be confused with the win32k table) is a pretty good idea. To implement it however would require your driver to always be loaded first and before anything else has a chance to hook anything. You would then either need to modify Microsoft code, or change the original pointer to where the SDT table is and point it to your own. If you modified Microsoft code (some would consider this about 100 times worse than SDT patching) you would have better control over where to send various calls coming in (the shadow or real table for example)" }-.
-{ Quote: "
Well in theory it sounds that simple, however some drivers load earlier than others, unless there was a way to exactly manage the order in which drivers loaded every boot, the results of viewing what has been hooked could be haphazard and not conclusive to the last installed application." }-
If a program that watches a new program installation (like Track'n Reverse etc.) would see changes, you are perhaps not sure that this was done by the last installed prog, but it would at least give you an idea of WHAT is changed. And for the record, it might not be the application install that did this, but it would be very interesting to see the changes.
-{ Quote: "
Time to leave this to get back on-topic." }-
Of course, but I am glad I haven't missed this.
Thanks!
;)
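The chain behaviour discussed above (each hooking driver saving the pointer it found in the table in a private location of its own, calls running through the most recently installed hook first, a single SDTRestore-style write bypassing every hook at once, and the removal of a middle link needing knowledge of two drivers' private slots) can be reproduced in user mode with a one-entry fake table. The following is an added illustration written for this thread, not code from AppDefend, SDTRestore or any kernel; the "drivers" A, B and C, the table, the trace buffer and the snapshot check are all constructed stand-ins, and no real kernel API is touched.

```c
/* Simulation of a chained service-table hook. Each "driver" saves the
 * pointer it found in the table in its own static variable, which is the
 * "unspecified location" the discussion refers to: nothing outside that
 * driver knows where the next link of the chain lives. Constructed
 * example; nt_original, sdt[], a_/b_/c_ are hypothetical names. */
#include <stdio.h>
#include <string.h>

typedef int (*svc_fn)(int arg);

static svc_fn sdt[1];                 /* one-entry stand-in for the SDT */
static int nt_original(int arg) { return arg; }   /* the genuine service */
static char trace[64];                /* which hooks ran, in order */

/* Driver A: installed first, so it saves the genuine pointer. */
static svc_fn a_saved;
static int a_hook(int arg) { strcat(trace, "A"); return a_saved(arg + 1); }
static void a_install(void) { a_saved = sdt[0]; sdt[0] = a_hook; }

/* Driver B: finds A's hook in the table and treats it as "the original". */
static svc_fn b_saved;
static int b_hook(int arg) { strcat(trace, "B"); return b_saved(arg + 10); }
static void b_install(void) { b_saved = sdt[0]; sdt[0] = b_hook; }

/* Driver C: installed last, saves B's hook. */
static svc_fn c_saved;
static int c_hook(int arg) { strcat(trace, "C"); return c_saved(arg + 100); }
static void c_install(void) { c_saved = sdt[0]; sdt[0] = c_hook; }

/* Dispatch through the table as the kernel would; clears the trace. */
static int call_service(int arg) { trace[0] = '\0'; return sdt[0](arg); }

/* Rebuild the chain from a clean table: original <- A <- B <- C. */
static void build_chain(void) {
    sdt[0] = nt_original;
    a_install(); b_install(); c_install();
}

/* Order in which hooks run: most recently installed first ("CBA"). */
static const char *chain_order(void) {
    build_chain();
    call_service(0);
    return trace;
}

/* SDTRestore-style reset: if the genuine pointer is known (SDTRestore
 * reads it from a second copy of ntoskrnl.exe), one write to the table
 * bypasses every hook in the chain at once; the trace stays empty. */
static int restore_and_call(int arg) {
    build_chain();
    sdt[0] = nt_original;
    return call_service(arg);
}

/* Removing only B from the middle of the chain: C's private slot has to
 * be re-aimed at what B had saved, so both c_saved's and b_saved's
 * locations must be known. Those two offsets are exactly what a generic
 * tool cannot find without disassembling or emulating each driver. */
static int unhook_middle_and_call(int arg) {
    build_chain();
    c_saved = b_saved;             /* chain is now C -> A -> original */
    return call_service(arg);
}

/* Before/after snapshot around a single install: the table entry that
 * changed is the one this driver hooked. */
static int snapshot_detects_install(void) {
    sdt[0] = nt_original;
    svc_fn before = sdt[0];
    a_install();
    return before != sdt[0];       /* 1 when the entry was hooked */
}

int main(void) {
    printf("hook order: %s\n", chain_order());
    printf("after restore: %d (trace '%s')\n", restore_and_call(5), trace);
    printf("without B: %d (trace '%s')\n", unhook_middle_and_call(5), trace);
    printf("install detected: %d\n", snapshot_detects_install());
    return 0;
}
```

The arithmetic in each hook only makes the path visible: a call entering at C with argument 5 returns 116 through the full chain and 106 once B is cut out, which is the kind of behavioural difference a snapshot taken between two boots, with drivers loading in an unmanaged order, would not let you attribute to any one product.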
octogen
December 5th, 2005, 12:43 PM
Wow! ProcessGuard now has a very worthy competitor! Currently, I am a user of PG, but I agree with what an earlier poster said about competition in this area being good for all. One question I have about AppDefend is: Does it alert you while you are using a restricted or limited user account?
Pilli
December 5th, 2005, 02:05 PM
Hi octogen, At the moment GSS does not support multiuser accounts but I expect that will change as Jason develops this beta or as point update later.
HTH Pilli :)
tlu
December 6th, 2005, 06:37 AM
-{ Quote: "Hi octogen, At the moment GSS does not support multiuser accounts but I expect that will change as Jason develops this beta or as point update later.
" }-
Pilli, with regard to GSS updates I can confirm that (since admin rights are needed), but aside from that I haven't had any problems under my limited account.
octogen
December 7th, 2005, 10:25 AM
-{ Quote: "Pilli, with regard to GSS updates I can confirm that (since admin rights are needed), but aside from that I haven't had any problems under my limited account." }-
Huh? tlu, does this mean you are able to create rules for a non-administrative account in RegDefend? If so, how? This would go against what is said in this thread: http://www.wilderssecurity.com/showthread.php?t=92470&highlight=administrative Or am I missing something? I apologize if this should be on a different forum.
tlu
December 8th, 2005, 01:32 PM
-{ Quote: "Huh? tlu, does this mean you are able to create rules for a non-administrative account in RegDefend? If so, how? " }- Yes, it works for me. How? Well, the usual popups, and AD saves my decision as a new rule.
-{ Quote: "This would go against what is said in this thread: http://www.wilderssecurity.com/showthread.php?t=92470&highlight=administrative Or am I missing something? I apologize if this should be on a different forum." }- I assume that Jason changed something since then ... but I'm not aware of it, either.
Trooper
December 26th, 2005, 03:02 PM
Wow I really must make more of an effort to get on WSF. I have not been around here as much as I used to, since I have started my new job. But wow, upon my return here I see that Jason has come out with what appears to be a very nice looking product.
I have read through this entire thread, but have a few questions.
I am currently a licensed owner of RegDefend. So to try this new beta, I realize I need to uninstall my copy of RD, reboot, and then install the new AppDefend beta as can be found here. http://www.wilderssecurity.com/showpost.php?p=621507&postcount=117
Now, since I am a licensed user of RD, is RD included with this beta install of AD? Or must I install RD over the top of AD?
Are there any special notes of interest regarding AD that I should know of? Like are the default AD settings sufficient? Or is it more like PG and up to the users preference?
TIA for your help. :)
EDIT: One more question. What exactly is the Network protection piece of AD watching? Is it acting like a firewall. E.G. Watching incoming and outgoing traffic?
Jason_R0
December 26th, 2005, 03:22 PM
-{ Quote: "Wow I really must make more of an effort to get on WSF. I have not been around here as much as I used to, since I have started my new job. But wow, upon my return here I see that Jason has come out with what appears to be a very nice looking product.
I have read through this entire thread, but have a few questions.
I am currently a licensed owner of RegDefend. So to try this new beta, I realize I need to uninstall my copy of RD, reboot, and then install the new AppDefend beta as can be found here. http://www.wilderssecurity.com/showpost.php?p=621507&postcount=117
Now, since I am a licensed user of RD, is RD included with this beta install of AD? Or must I install RD over the top of AD?
Are there any special notes of interest regarding AD that I should know of? Like are the default AD settings sufficient? Or is it more like PG and up to the users preference?
TIA for your help. :)
EDIT: One more question. What exactly is the Network protection piece of AD watching? Is it acting like a firewall. E.G. Watching incoming and outgoing traffic?" }-
Hi Trooper,
The AppDefend beta installer also contains a slightly newer RegDefend beta. You don't need to reinstall RegDefend, as both AppDefend and RegDefend come in the "Ghost Security Suite" package.
AppDefend network protection is watching outgoing connections started by applications. You will receive alerts in AppDefend for anything which needs your attention, you just answer the prompts like you do in RegDefend to cater it to your system.
Trooper
December 26th, 2005, 03:57 PM
Thanks for the quick response Jason. So would AD do away with a software firewall per se? (I am behind a router so I only use Kerio 2.1.5 to monitor outgoing traffic basically).
Defenestration
December 26th, 2005, 10:22 PM
-{ Quote: "So would AD do away with a software firewall per se? (I am behind a router so I only use Kerio 2.1.5 to monitor outgoing traffic basically)." }-
Only if you don't need the ability to either block or allow network traffic based on IP addresses or ports.
This, for me, is currently a big problem with AD, since it cannot be truly used for application network control.
It would not be that much work to implement this control, since whenever AD currently alerts on network traffic, AD would only need to check the IP address and port against a list of allowed/blocked values. Jason has mentioned that he may add this feature in the future, but it is not of high priority, which is a shame IMO.
marky-mark
December 26th, 2005, 11:30 PM
-{ Quote: "Only if you don't need the ability to either block or allow network traffic based on IP addresses or ports.
This, for me, is currently a big problem with AD, since it cannot be truly used for application network control.
It would not be that much work to implement this control, since whenever AD currently alerts on network traffic, AD would only need to check the IP address and port against a list of allowed/blocked values. Jason has mentioned that he may add this feature in the future, but it is not of high priority, which is a shame IMO." }-
What about GhostWall? Doesn't it do that?
Defenestration
December 27th, 2005, 10:52 AM
No, it doesn't. GW has no application control. It only filters network traffic.
AD only gives the option of either completely allowing or completely blocking network traffic for an application. There is no finer grained application control.
Trooper
December 27th, 2005, 11:14 AM
-{ Quote: "AD only gives the option of either completely allowing or completely blocking network traffic for an application. There is no finer grained application control." }-
Which is fine tho in my opinion. Unless you are looking for a full out sf firewall as part of AppDefend.
Defenestration
December 27th, 2005, 11:21 AM
I don't expect AD to contain a full out firewall, but would like to be able to control which IP addresses and ports an application can access.
Since AD already shows this information on a network alert, then it only needs to compare the IP address and port against an associated list of allowed/blocked values for the relevant application. This would not take a lot of work to do.
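The check proposed in this post (take the application, remote address and port that a network alert already carries, look them up in a per-application list of allowed and blocked values, and only fall back to the prompt when nothing matches) is small enough to sketch in full. The following is an added example written for this thread and is not AppDefend's code; the rule format, the CIDR matching, the `*` wildcard for "any application", the first-match semantics, the PROMPT fallback and the sample policy are all assumptions made here. It is IPv4 only, which matches the 2005 context of the discussion.

```c
/* Per-application IP/port control as a first-match rule table.
 * Constructed example: struct rule, add_rule(), check() and the sample
 * policy are hypothetical, not AppDefend's implementation. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum verdict { PROMPT = 0, ALLOW = 1, BLOCK = 2 };

struct rule {
    const char *app;          /* image name as shown in the alert, or "*" */
    uint32_t net, mask;       /* host-order network address and CIDR mask */
    uint16_t port_lo, port_hi;
    enum verdict action;
};

#define MAX_RULES 16
static struct rule rules[MAX_RULES];
static int nrules;

/* Dotted quad -> host-order integer. Returns 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* /0 is handled separately: shifting a 32-bit value by 32 is undefined. */
static uint32_t cidr_mask(unsigned prefix) {
    return prefix == 0 ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* Append a rule; cidr is "a.b.c.d/n". Returns 1 on success, 0 if the
 * table is full or the CIDR text is invalid. */
static int add_rule(const char *app, const char *cidr,
                    uint16_t lo, uint16_t hi, enum verdict v) {
    char ip[16]; unsigned prefix; uint32_t net;
    if (nrules == MAX_RULES) return 0;
    if (sscanf(cidr, "%15[0-9.]/%u", ip, &prefix) != 2 || prefix > 32) return 0;
    if (!parse_ipv4(ip, &net)) return 0;
    struct rule *r = &rules[nrules++];
    r->app = app; r->mask = cidr_mask(prefix); r->net = net & r->mask;
    r->port_lo = lo; r->port_hi = hi; r->action = v;
    return 1;
}

/* First matching rule wins. No match means the user still gets the
 * alert AD already shows; an unparsable address fails closed. */
static enum verdict check(const char *app, const char *ip, uint16_t port) {
    uint32_t addr;
    if (!parse_ipv4(ip, &addr)) return BLOCK;
    for (int i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if (strcmp(r->app, "*") != 0 && strcmp(r->app, app) != 0) continue;
        if ((addr & r->mask) != r->net) continue;
        if (port < r->port_lo || port > r->port_hi) continue;
        return r->action;
    }
    return PROMPT;
}

/* Constructed sample policy; the addresses and image names are made up.
 * Order matters: the site-wide block on 10/8 sits above the browser's
 * allow rules, so it wins even for port 443. */
static void load_sample_policy(void) {
    nrules = 0;
    add_rule("*",            "10.0.0.0/8",       0, 65535, BLOCK);
    add_rule("firefox.exe",  "0.0.0.0/0",       80,    80, ALLOW);
    add_rule("firefox.exe",  "0.0.0.0/0",      443,   443, ALLOW);
    add_rule("firefox.exe",  "0.0.0.0/0",        0, 65535, BLOCK);
    add_rule("utorrent.exe", "192.168.1.0/24",   0, 65535, ALLOW);
}

int main(void) {
    load_sample_policy();
    printf("firefox -> 93.184.216.34:443  = %d\n", check("firefox.exe", "93.184.216.34", 443));
    printf("firefox -> 93.184.216.34:8080 = %d\n", check("firefox.exe", "93.184.216.34", 8080));
    printf("utorrent -> 203.0.113.9:6881  = %d (prompt)\n", check("utorrent.exe", "203.0.113.9", 6881));
    return 0;
}
```

A rule that names only an address and port, as proposed, still cannot tell an application's own traffic from traffic of code injected into it; that is what the process-protection side of AD is for, and why this check would sit behind the existing execution and memory alerts rather than replace them.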
Trooper
December 27th, 2005, 12:58 PM
-{ Quote: "I don't expect AD to contain a full out firewall, but would like to be able to control which IP addresses and ports an application can access.
Since AD already shows this information on a network alert, then it only needs to compare the IP address and port against an associated list of allowed/blocked values for the relevant application. This would not take a lot of work to do." }-
That would definitely be a nice feature to have. Did you add that to the wish list by chance?
spiff5000
December 31st, 2005, 06:27 PM
I wouldn't add inbound port blocking to AppDefend... MS Firewall is free and handles it well enough. It's a *great* idea to add outbound protection tho - maybe now I won't need to keep ZA. How well does it learn from installed app behavior tho???
betauser2
February 8th, 2006, 01:26 PM
-{ Quote: "I wouldn't add inbound port blocking to AppDefend" }-
Agree
-{ Quote: "...It's a *great* idea to add outbound protection..." }-
AMEN!
Jason you should definitely take note of this feature. You will attract a lot of attention with this feature ($$$'s)!
betauser2
arcok
April 4th, 2006, 07:56 AM
Limited Free Version;D ;D *puppy*