View Full Version : Defend against keyloggers, hooks, rootkits etc.
Wai_Wai
September 21st, 2006, 02:48 PM
Defend against keyloggers, hooks, rootkits etc.
I'm interested to know what people here do to defend themselves against keyloggers, hooks, rootkits?
What programs do you use? Why?
Do you install anti-keyloggers, anti-hooks, anti-rootkits programs just for that?
Or do you come up with other better and more general protection against them?
Thanks for your sharing. ;D
muf
September 21st, 2006, 03:43 PM
With the apps I use I feel confident that I'm pretty secure. Of the apps I use there is Prevx1, Regrun (with Unhackme), KAV and BOClean running realtime. I also run scans with Security Task Manager which is massively cool at heuristic detection of keyboard hooks. The author told me that the next version will have the capability to detect kernel-level keyloggers. If anything gets by that lot then it deserves to!!!
muf
aigle
September 21st, 2006, 03:44 PM
Key loggers -- SnoopFree
RootKits -- well I guess GeSWall should prevent them (not sure; can anybody confirm it?)
Safe surfing of course
And if something does happen -- Instant Recovery software like EAZ-Fix or imaging software (EAZ Clone is free and works for me).
Main thing is all of them are non-signature based and all except one are free.
Old Monk
September 21st, 2006, 04:31 PM
Hi
For me currently, I'm going to really try and get to grips with System Safety Monitor. It looks like one application that can lock your system down and I relish the challenge to see if I'm savvy enough to do it.
Posts by Herbalist are proving very useful.
This plus PG which I've used for a while, whilst overlapping, seem to be overkill but they don't appear to conflict.
I'm also a great fan of ShadowUser for surfing, although again this is probably overkill as I'm not adventurous.
Specific rootkit apps I have on demand are Rootkit Revealer and the one from Sophos. Of the two I find Sophos more user-friendly but I'm not knowledgeable enough to differentiate between them as to their effectiveness.
On another machine I have Snoop Free which seems very effective and lightweight purely for anti-keylogging but my laptop didn't like it.
Why? Good question. For me, purely learning as a hobby in the arena of PC security. I'm a home user with NOD, LnS and various anti-spyware scanners which seems to be ample were I not interested for interested's sake.
I've looked at other apps recently and when I get the chance I intend to detail my experiences from a purely newbie point of view.
Hope that helps
beetlejuice69
September 21st, 2006, 04:40 PM
Me? I use Online Armor, Nod, BoClean, and Comodo Firewall...soon to be replaced with Online Armor's firewall.
MaB69
September 21st, 2006, 04:53 PM
My defence against keyloggers is Online Armor and Snoopfree.
For me it's very difficult to detect a rootkit or any hooking of the Windows API in real time, so I use scanners (all the known ones, but I prefer IceSword, GMER, Rootkit Unhooker and DarkSpy).
Maybe I am wrong :wacko:
Old Monk
September 21st, 2006, 05:07 PM
Hi MaB69
-{ Quote: "Maybe I am wrong :wacko:" }-
I don't think there is any 'wrong' - we use apps we trust and compared to most we secure ourselves as best we can.
If SSM works as I hope I feel that I have done the best that I can with the other apps I have to protect myself from all intruders.
Baldrick
September 21st, 2006, 05:23 PM
Process Guard (latest version). It runs light and handles/defends against keyloggers, hooks, rootkits better than anything else that I have come across. It was the first & is the simplest. However, as a result of being the first it does not cover everything in the same way that some of the newer programs of the same sort do, i.e., System Safety Monitor, Ghost Security, ProSecurity (currently a beta), etc. What PG lacks is the ability to create Advanced Rules and also protection for the Registry, which the others do.
Still, it has served me well and I am very happy using it.;D
Mele20
September 21st, 2006, 07:49 PM
I use a great combination...ProcessGuard and KAV 2006. KAV's Proactive Defense complements PG by protecting the registry, which PG does not do, but protects against keyloggers, hooks, rootkits, etc. very effectively. These two together provide full protection and work well together.
JRCATES
September 21st, 2006, 07:50 PM
-{ Quote: "Me? I use Online Armor, Nod, BoClean, and Comodo Firewall...soon to be replaced with Online Armor`s firewall." }-
Hey beetlejuice,
Any idea how long before OA's firewall will be "ready"?
I've been following it some in the OA beta testing forum, and I see that some bugs are fixed, and then others will appear. But overall it seems to be making progress. While I know that he can't give a concrete time period for it, has Mike indicated any sort of a targeted timeframe for the full official release?
sweater
September 21st, 2006, 09:33 PM
I use SnoopFree Privacy Shield and Blacklight beta. Also, scans with Ewido and A-Squared. I am not really concerned about keyloggers, rootkits etc...but at least I have "something" for detecting them..;D 8)
Baldrick
September 22nd, 2006, 02:47 PM
Yup, I use KIS & PG...so I agree with Mele;D
ErikAlbert
September 22nd, 2006, 03:54 PM
I use a frozen snapshot (FirstDefense-ISR) to get rid of all threats: no change is no change.
I still need software that prevents the execution of threats:
1. Faronics Anti-Executable AND/OR
2. Prevx1
seem to do that.
If some threat bypasses AE or Prevx1 or Look 'n' Stop, my frozen snapshot will remove it anyway during the next reboot.
Total removal in 90 seconds + stopping the execution seems to be a good protection with a minimum of security software.
Scanners take too much time and have too many holes, and HIPS asks too many annoying questions. :)
beetlejuice69
September 22nd, 2006, 04:10 PM
Hello there JR. The way things are going I wouldn't be surprised if it's out for public beta next week. Things are looking up now. As far as a time frame...I can't give one. Sorry.
-{ Quote: "Hey beetlejuice,
Any idea how long before OA's firewall will be "ready"?
I've been following it some in the OA beta testing forum, and I see that some bugs are fixed, and then others will appear. But overall it seems to be making progress. While I know that he can't give a concrete time period for it, has Mike indicated any sort of a targeted timeframe for the full official release?" }-
TOMxEU
September 22nd, 2006, 04:10 PM
My settings (http://www.sendspace.com/file/avqrp9) improved by nLite (http://www.nliteos.com/download.html) and covered by Firewall will protect me against everything.
I use MWAV (http://www.mwti.net/products/mwav/mwav.asp) to scan suspicious downloaded files and I use HijackThis (http://www.hijackthis.de/) and GMER (http://www.gmer.net/files.php) to scan the PC.
cheater87
September 22nd, 2006, 05:45 PM
Do I have anything that can protect against rootkits?
ErikAlbert
September 22nd, 2006, 06:30 PM
-{ Quote: "Do I have anything that can protect against rootkits?" }-
Prevx1 protects you against rootkits.
http://individual.prevx.com/features.asp
bellgamin
September 22nd, 2006, 08:41 PM
-{ Quote: "Do I have anything that can protect against rootkits?" }-
BOClean protects against trojans & worms & pestilences & rootkits &.... things that go bump in the night (oh my).:o
BOClean began protecting against rootkits long before most folks even knew how to spell the word. BOClean has done the job for many years for many satisfied users. And those satisfied, well-protected users are all still around to tell about it. Websites can be instructive BUT -- I recommend you do a search & read actual posts by users of BOClean before you decide.
aigle
September 22nd, 2006, 11:11 PM
But Prevx offers much more as well.
aigle
September 22nd, 2006, 11:12 PM
-{ Quote: "Prevx1 protects you against rootkits.
http://individual.prevx.com/features.asp" }-
Ok, but it can't detect preinstalled rootkits? Am I right?
@bellgamin
What about BOClean in the regard?
ErikAlbert
September 23rd, 2006, 03:30 AM
-{ Quote: "Ok, but it can't detect preinstalled rootkits? Am I right?" }-
I'm not a malware or internet genius, so I can't answer your question and I'm still learning Prevx1 since the day before yesterday.
Nevertheless it seems very logical to me, that you must install Prevx1 on a CLEAN computer.
I had the impression that Prevx1 creates a whitelist of executables during its installation, just like Faronics Anti-Executable. If your computer is infected with evil executables then they could be whitelisted too during the installation of Prevx1 and run forever.
IMO you have to split the malware problem into 4 smaller problems.
1. The installation of malware. How can I prevent the installation? That is still the very best method.
2. The execution of malware. How can I stop the execution of the malware when it is installed on my computer? Some malware executes immediately, other malware sleeps until it is triggered.
3. The detection of malware. Some scanners detect malware but don't always remove it completely, or can't remove it. So detection and removal are two different things.
4. The removal of malware. The removal isn't always easy and is sometimes dangerous: false positives (scanners), wrong actions of users (HIPS). Removal has to be as complete and fast as possible.
I don't trust my router, firewall, Anti-Executable and Prevx1.
That's why I installed them in a frozen snapshot, that removes everything during the next reboot.
But I don't trust my frozen snapshot either.
That's why I keep an archived snapshot on my external harddisk, that contains the original clean install of my frozen snapshot.
I also have a backup file of an original clean install of my system partition [C:]
Because I'm a newbie in malware and internet, I have to create something like this, because I don't have the knowledge of a malware expert to create a balanced security setup and I don't want 30+ security programs on my computer either.
gerardwil
September 23rd, 2006, 03:46 AM
-{ Quote: "Nevertheless it seems very logical to me, that you must install Prevx1 on a CLEAN computer.
I had the impression that Prevx1 creates a whitelist of executables during its installation, just like Faronics Anti-Executable. If your computer is infected with evil executables then they could be whitelisted too during the installation of Prevx1 and run forever." }-
I think that is not correct. After installation Prevx1 is health-checking your computer using its own malware database, which is stored locally on your machine, and will alert you to existing malware.
Gerard
ErikAlbert
September 23rd, 2006, 04:28 AM
-{ Quote: "I think that is not correct. After installation Prevx1 is health checking your computer using its own malware database which is stored localy on your machine and will alert you for excisting malware.
Gerard" }-
If that is true, then Prevx1 is also based on blacklists, and such software isn't good enough, too many holes. I have to check this, because I don't know Prevx1 that well.
gerardwil
September 23rd, 2006, 04:57 AM
-{ Quote: "If that is true, then Prevx1 is also based on blacklists and such softwares aren't good enough, too many holes. I have to check this, because I don't know Prevx1 that well." }-
I am sorry I said it wrong and it should be:
-{ Quote: "The Local Database is a catalog of executable programs specific to your computer. This database is created during the Disk Scan.
The Prevx1 Community database is a catalog of information gathered globally from Prevx1 users (the 'Community'). The database contains relevant information about the executable files and Events.
The Community provides detailed information about the emergence, propagation, evolution and control of malware and this information is available to all Prevx1 users allowing them advance warning of new, emerging and evolving threats." }-
Gerard
ErikAlbert
September 23rd, 2006, 05:41 AM
-{ Quote: "I am sorry I said it wrong and it should be." }-
No need to apologize. I can think for myself. :)
IMO there is a big difference between Anti-Executable and Prevx1 regarding the local database.
Anti-Executable (AE)
The local database of AE requires a CLEAN computer from the beginning and is based on the actual executables on your computer. So each executable is accepted, even when it is a bad executable.
After that anything what is not whitelisted is refused by AE and that is a pretty good protection.
Prevx1
The local database of Prevx1 doesn't really require a CLEAN computer, because the executables are verified by the community database before they are accepted in the Local Database.
However if a bad executable isn't blacklisted in the community database, then it will be also accepted as a valid executable in the local database and that is a weak point.
So you better install Prevx1 on a clean computer also, just like AE.
---------
For the fun I installed Prevx1 and AE together in a frozen snapshot to see what happens. LOL.
CloneRanger
September 23rd, 2006, 07:34 AM
Yes, BOClean can kill and remove preinstalled rootkits and whatever else it finds in your computer.
Wai_Wai
September 23rd, 2006, 02:19 PM
-{ Quote: "IMO you have to split the malware problem into 4 smaller problems.
1. The installation of malware. How can I prevent the installation? That is still the very best method.
2. The execution of malware. How can I stop the execution of the malware when it is installed on my computer? Some malware executes immediately, other malware sleeps until it is triggered.
3. The detection of malware. Some scanners detect malware but don't always remove it completely, or can't remove it. So detection and removal are two different things.
4. The removal of malware. The removal isn't always easy and is sometimes dangerous: false positives (scanners), wrong actions of users (HIPS). Removal has to be as complete and fast as possible." }-
I would not rely on anti-malware to do the cleanup at all. It is also too late when the malware is infecting your files and destroying your system, so this part is not a concern to me.
If your system is infected, it is hard to tell whether the anti-malware can clean the virus COMPLETELY. Some infected files might be left undetected during the cleaning process. Your system may be re-infected again later on.
The best way is, if you have kept a snapshot, simply roll it over to the last clean state.
Wai_Wai
September 23rd, 2006, 02:24 PM
One thing which makes it very difficult for me to choose among these security products is that there are nearly no independent tests to compare their performance.
Do they work as they intend to? How well do they achieve their goals?
Notok
September 23rd, 2006, 03:03 PM
-{ Quote: "Prevx1
The local database of Prevx1 doesn't really require a CLEAN computer, because the executables are verified by the community database before they are accepted in the Local Database.
However if a bad executable isn't blacklisted in the community database, then it will be also accepted as a valid executable in the local database and that is a weak point.
So you better install Prevx1 on a clean computer also, just like AE." }-
Prevx1 has whitelisting and blacklisting that's sophisticated enough to catch such things and polymorphic malware, and also has a more true memory scan (more like BOClean than most others) that can detect things like rootkits while they are running and cloaked and DLLs injected into system processes (and so, yes, should detect preinstalled keyloggers). Of course you then have behavior blocking, generic detection, and heuristics for those things that are unknown to the community database, which is further enhanced by the fact that you don't get prompted very often. If something unknown is allowed to run, it will continue to check with the community database for updates until it's been marked good or bad. If something you're running has been marked bad, it will kill it and remove it. Also remember that the realtime reporting and live lookups do a lot to close the gap that poses problems to "blacklist-only" based solutions. By combining whitelisting, blacklisting, and generic protection with the live database you get the advantages of all with much less of the drawbacks. You can put Prevx1 in Pro mode for a greater chance at blocking behavior by files not already determined by the analysts, and all sorts of new generic and heuristic detection methods are being added all the time.
zopzop
September 23rd, 2006, 04:12 PM
-{ Quote: "Key loggers-- SnoopFree
RootKits-- well I guess GeSWall should prevent them( not sure- can anybody confirm it?)
" }-
Hmm, I never tried GeSWall vs a rootkit, but I did try it vs morgud's threat simulator (which drops a rootkit) and GeSWall stopped it. GentleSecurity's website also touts GeSWall's ability to stop rootkits cold as a big "selling point". And GeSWall seems pretty good vs keyloggers too; I tried it vs Martin's undetectable keylogger and GeSWall stopped it from logging ANY alphanumeric keys.
hope that helps aigle.
aigle
September 23rd, 2006, 07:12 PM
-{ Quote: "Hmm, I never tried GeSWall vs a rootkit, but I did try it vs morgud's threat simulator (which drops a rootkit) and GeSWall stopped it. GentleSecurity's website also touts GeSWall's ability to stop rootkits cold as a big "selling point". And GeSWall seems pretty good vs keyloggers too; I tried it vs Martin's undetectable keylogger and GeSWall stopped it from logging ANY alphanumeric keys.
hope that helps aigle." }-
Thanks zopzop. Nice to see you again.
aigle
September 23rd, 2006, 07:18 PM
Thanks, that looks nice. Will try it at some time against rootkits.
-{ Quote: "Prevx1 has whitelisting and blacklisting that's sophisticated enough to catch such things and polymorphic malware, and also has a more true memory scan (more like BOClean than most others) that can detect things like rootkits while they are running and cloaked and DLLs injected into system processes (and so, yes, should detect preinstalled keyloggers). Of course you then have behavior blocking, generic detection, and heuristics for those things that are unknown to the community database, which is further enhanced by the fact that you don't get prompted very often. If something unknown is allowed to run, it will continue to check with the community database for updates until it's been marked good or bad. If something you're running has been marked bad, it will kill it and remove it. Also remember that the realtime reporting and live lookups do a lot to close the gap that poses problems to "blacklist-only" based solutions. By combining whitelisting, blacklisting, and generic protection with the live database you get the advantages of all with much less of the drawbacks. You can put Prevx1 in Pro mode for a greater chance at blocking behavior by files not already determined by the analysts, and all sorts of new generic and heuristic detection methods are being added all the time." }-
aigle
September 23rd, 2006, 07:19 PM
-{ Quote: "Yes BOClean can kill and remove preinstalled rootkits and whatever else it finds in your computer" }-
That's good.
bellgamin
September 23rd, 2006, 11:35 PM
-{ Quote: "The best way is, if you have kept a snapshot, simply roll it over to the last clean state." }-
I agree -- assuming, of course, that you know when your computer was TRULY in a clean state.
ErikAlbert
September 24th, 2006, 06:56 AM
-{ Quote: "I agree -- assuming, of course, that you know when your computer was TRULY in a clean state." }-
Creating CLEAN snapshots and backup files is quite easy when you install your computer OFF-LINE.
The trouble is that more and more software requires an internet connection during the installation, and even WinXP requires an internet connection to make the activation possible.
This is WRONG. Each piece of software needs the possibility to be installed off-line, and that gives users the opportunity to make at least one clean backup of their system partition. That clean backup allows users to re-install their computer from scratch without doing it manually.
Another and even better reason why this is wrong is that not every computer has an internet connection. At work we have used PCs without an internet connection for many years and we still do.
Once I connect my computer to the internet, I consider my computer as infected and that's why I try to keep my computer clean with a frozen snapshot or refreshing on-line snapshots with clean archived snapshots, because restoring a clean image backup file every day takes too much time.
There is no other way for less-knowledgeable users, because any other method
- has too many holes or
- requires too much knowledge or
- is too vulnerable due to wrong user decisions.
I don't want to guard my computer like a hawk and watch every move it makes and spend a lot of time on cleaning it.
I prefer to use my computer for work and fun. :)
herbalist
September 24th, 2006, 11:31 AM
-{ Quote: "The trouble is that more and more software requires an internet connection during the installation, and even WinXP requires an internet connection to make the activation possible.
This is WRONG. Each piece of software needs the possibility to be installed off-line, and that gives users the opportunity to make at least one clean backup of their system partition. That clean backup allows users to re-install their computer from scratch without doing it manually." }-
Agreed. For the most part, I avoid software that requires an online install, but there are things you can't get any other way. Microsoft for example won't make separate downloads available of certain items, telling you you have to get them thru windows update or whatever they call it now. It's irritating and an unnecessary risk to have to go online to get patches to protect yourself from certain vulnerabilities and expose your system in the process.
I can't say if this will work on XP the way it does on my 98 box, but I found that I could capture those updates from their temporary locations on my system. The standard method M$ seems to use is to download the update to your system, launch and install it via a command from the net, then delete the installer. I found I could interrupt that chain with either a HIPS to alert me when the installer tries to start, or by removing the firewall rule permitting IE6 internet access and having the firewall ask each time. Kerio allows you to reply "allow this time only". The 2nd can be a pain as I'd get a new connection alert for each step in the process, but between finishing the download and launching it, I'd always see another connection alert, which told me that the installer was complete and I could copy it to another location.
When using HIPS, instead of just allowing the updater to run, I'd go to the location where the updater was downloaded to and make a copy of it first, saving it for another use later. SSM names the location. The same general idea works with the firewall intercept, but you have to hunt for the new installer. You don't always find them where you might expect.
Just a little something you might want to try the next time you visit windows update.
Rick
Wai_Wai
September 24th, 2006, 12:09 PM
-{ Quote: "Creating CLEAN snapshots and backup files is quite easy when you install your computer OFF-LINE.
The trouble is that more and more software requires an internet connection during the installation, and even WinXP requires an internet connection to make the activation possible.
This is WRONG. Each piece of software needs the possibility to be installed off-line, and that gives users the opportunity to make at least one clean backup of their system partition. That clean backup allows users to re-install their computer from scratch without doing it manually.
Another and even better reason why this is wrong is that not every computer has an internet connection. At work we have used PCs without an internet connection for many years and we still do." }-
Agree! It is annoying that I need to be online to complete the registration. That's stupid, isn't it? Keep the registration process as simple as possible. Making it complicated just annoys the users.
-{ Quote: "Once I connect my computer to the internet, I consider my computer as infected and that's why I try to keep my computer clean with a frozen snapshot or refreshing on-line snapshots with clean archived snapshots, because restoring a clean image backup file every day takes too much time.
There is no other way for less-knowledgeable users, because any other method
- has too many holes or
- requires too much knowledge or
- is too vulnerable due to wrong user decisions." }-
Yes, the only prerequisite to get infected is simply to connect to the Internet (or get it from other external sources like infected CDs). That's it! You don't need to do anything else.
It is said:
- the number of reported entry attempts is averaging over 1.1 BILLION attempts per month. Remember that this only represents a small percentage of the actual number of port scan attacks, those that are reported by participants.
- the current "survival time" (the average time for an unprotected system to be attacked and compromised) is only 9 minutes. This means that a newly installed unprotected operating system connecting to the Internet for the first time will, on average, be attacked within 9 minutes and compromised in some way.
[From http://www.tweakhound.com/xp/security/page_1.htm ]
If a hacker knocks at your door and infects you with his new malware, you may get infected if your system is not strong enough to protect against the exploit or can't detect that malware. It is just a matter of minutes to attack your computer. Don't think it is too far away.
One day, my anti-virus program warned me for virus (invasion) once I closed my firewall. See! How fast it is to come by your door.
-{ Quote: "I don't want to guard my computer like a hawk and watch every move it makes and spend a lot of time on cleaning it.
I prefer to use my computer for work and fun. :)" }-
It's a dream for all (except the bad guys).
Wai_Wai
September 24th, 2006, 02:17 PM
-{ Quote: "No need to apologize. I can think for myself. :)
IMO there is a big difference between Anti-Executable and Prevx1 regarding the local database.
Anti-Executable (AE)
The local database of AE requires a CLEAN computer from the beginning and is based on the actual executables on your computer. So each executable is accepted, even when it is a bad executable.
After that anything what is not whitelisted is refused by AE and that is a pretty good protection.
Prevx1
The local database of Prevx1 doesn't really require a CLEAN computer, because the executables are verified by the community database before they are accepted in the Local Database.
However if a bad executable isn't blacklisted in the community database, then it will be also accepted as a valid executable in the local database and that is a weak point.
So you better install Prevx1 on a clean computer also, just like AE.
---------
For the fun I installed Prevx1 and AE together in a frozen snapshot to see what happens. LOL." }-
Anti-Executable offers only a limited scope of protection. It uses a whitelist approach, while Prevx1 and Online Armor offer a wide range of protection. Depending on your existing security on your computer, you may wish to use specific products or the generic ones.
Both Prevx1 and Online Armor are community-based HIPS. That is good for less savvy users who cannot decide on their own.
Unlike most HIPS and security products, Prevx1 is an "it-tells-you-what-to-do" type of HIPS. It is not for people who like to keep control of their own computer. It decides everything it knows about on your behalf (you can't change that). If it thinks the program is bad, it will block and kill it immediately. It doesn't ask for your permission at all.
With Prevx1, I'm becoming a slave. Prevx1 is my master now ;D (joking). I would prefer it tells me the recommended action, but it is me who makes the final decision.
For undetermined items or programs, you decide what Prevx1 will do - auto-allow / prompt / auto-block.
Since it is the security software which makes the decision, you may run into problems when things go wrong. There are some cases where Prevx1 generates a false positive and kills the genuine process, or prevents you from installing, or stops the program from making some changes. It can be very annoying and this may interfere with your routine and work. It has a place where you may put your program as an exclusion, but it doesn't work well - a partial solution.
I find Prevx1 less configurable too. For example, you can't customise the protection mode. You can disable nearly none of its protection components.
If you use Prevx1, you are forced to participate in the reporting and feedback. For Online Armor, you can opt in or out. Online Armor is better in the aspect of configuration and user controls.
You may wish to try Online Armor as well.
I would strongly NOT recommend running either Prevx1 or Online Armor as the only security product. It is against the philosophy of layered security protection. No security product is fool-proof. They have holes. They may not work as they claim to. Malware writers can always find a workaround to bypass your protection. :ouch:
Notok
September 24th, 2006, 03:32 PM
-{ Quote: "I would prefer it tells me the recommended action, but it is me to make the final decision." }-
If there's certain things you want Prevx1 to block from programs marked Good, you can always switch to Expert mode and block the action with the "Always remember" option checked to create the personal rule. Just remember that the reason it was changed to not prompt you on everything was because that proved ineffective against malware (unless you're a malware expert). In the case of at least one high-profile worm, over 70% of instances were allowed, and equal numbers of legitimate processes were blocked as well. With the current
-{ Quote: "For example, you can't customise the protection mode. You can disable nearly none of its protection components. " }-
This is available in the family license.
-{ Quote: "If you use Prevx1, you are forced to particiate in the reporting and feedback. For Online Armour, you can opt in or out. " }-
Right, the whole point is the automated (and realtime) malware research. It puts new processes through tons of generic detection and heuristic rules, then passes the info on to the analysts who make determinations in realtime. It's not solely based on behavior blocking or signature detection, but a hybrid of both, so you get the best of both worlds with less of the drawbacks. Without the community database, Prevx1 would be just another signature based product with the same long response times with behavior blocking tacked on. As it is now, we see a lot more malware and get detection added a lot sooner. Of course nothing is 100%, but this way does have some serious advantages.
-{ Quote: "Since it is the security software which makes the decision, you may run into problems when things go wrong. There are some cases where Prevx1 generates false positive and kill the genuine process, or prevent your from installation, or stop the program to make some changes. It can by very annoying and this may interfere your rountine and work. It has a place where you may place your program as exclusion, but it doesn't work well - a partial solution." }-
I'm wondering if you've perhaps not allowed the initial scan to finish. The primary reason for this scan is to build a catalog of what's on your drive so that you're not prompted on anything already installed. It then verifies everything to make sure none of it is malware. If you've allowed the initial scan to finish, you should be presented with anything detected all at once, at which point you should be able to move any false positives to Probation where you should not be prompted for them again. If it's not doing exactly that, please write in to support as your Prevx1 install is not working normally in that case. For any false positives you encounter you can double click on the entry in the Jail tab (from any of the sections) and click the "Disagree?" link to have it fixed in the community database. These are normally fixed within a few hours, depending.
ErikAlbert
September 24th, 2006, 03:38 PM
-{ Quote: "I would hardly recommend running either Prevx1 or Online Armor as the only security product. It is against the philosophy of layered security protection. No security product is fool-proof. They have holes. They may not work as they claim to. Malware writers can always find a workaround to bypass your protection. :ouch:" }-
Straight from the Anti-Executable Manual :
-{ Quote: "Faronics Anti-Executable is a software program that prevents any unauthorized applications from running on a machine. Depending on the security level chosen, even low-level drivers can be prevented from running. Anti-Executable works on a “whitelist” principle. When installed on a machine, Anti-Executable scans all the executables currently installed on a machine and adds them to the whitelist: a list of programs that are authorized to run. Any program that is not on the whitelist is considered unauthorized and will NOT INSTALL or RUN." }-
A simple black & white philosophy, but very efficient and above all UNDERSTANDABLE for EVERYONE.
If AE fails, any change will be removed by the frozen snapshot after reboot.
If my frozen snapshot fails, I still have my clean original archived snapshot.
How many more layers do I need? Until I have 30+ pieces of security software on my computer? No way man.
For the moment, I'm satisfied with the theory, because I don't have the time to test it in practice,
but I already noticed that AE is very STRICT, because the security is set to HIGH.
Prevx1 is indeed a lot more than just that, but Prevx1 also requires daily updates and my frozen snapshot
doesn't allow updates of any kind, unless I do it myself.
The question is: "Do I need any updates?" After all no change means NO CHANGE.
That frozen snapshot is working fine and needs only GOOD changes if it doesn't work properly anymore.
I thought I was clear about this, maybe my English isn't good enough. :)
Notok
September 24th, 2006, 04:01 PM
-{ Quote: "Prevx1 is indeed a lot more than just that, but Prevx1 also requires daily updates and my frozen snapshot" }-The only updates you'll get are software updates, which are not daily. All the determinations in the database are looked up when the new process tries to run. There are no database update downloads like in your antivirus, that's the whole point of the community database (having access to new determinations as soon as they're made, without having to wait for updates). You should be getting program updates maybe once a month or so, not daily. With DeepFreeze, however, it won't be able to store the determinations locally, so it will have to look up anything new each time it runs. The way around this would just be to run anything you install in Thawed mode before rebooting to Frozen mode, as well as checking for updates at the same time.
Wai_Wai
September 24th, 2006, 04:02 PM
-{ Quote: "
Prevx1 is indeed a lot more than just that, but Prevx1 also requires daily updates and my frozen snapshot
doesn't allow updates of any kind, unless I do it myself.
The question is: "Do I need any updates?" After all no change means NO CHANGE.
That frozen snapshot is working fine and needs only GOOD changes if it doesn't work properly anymore.
I thought I was clear about this, maybe my English isn't good enough. :)" }-
Your English is fine. :)
As to your "rollback" security system, how do you solve the problems outlined here:
http://www.wilderssecurity.com/showthread.php?p=843848#post843848
-{ Quote: "Straight from the Anti-Executable Manual :
A simple black & white philosophy, but very efficient and above all UNDERSTANDABLE for EVERYONE.
If AE fails, any change will be removed by the frozen snapshot after reboot.
If my frozen snapshot fails, I still have my clean original archived snapshot.
How many more layers do I need? Until I have 30+ pieces of security software on my computer? No way man.
For the moment, I'm satisfied with the theory, because I don't have the time to test it in practice,
but I already noticed that AE is very STRICT, because the security is set to HIGH.
" }-
Does Anti-Executable stop only executable files like *.exe? How about others?
I haven't tested this product, but I heard someone say it couldn't stop malicious scripts.
How about Process Guard? It can do what Anti-Executable does plus more. For your interest, here's what it can do:
(Sidenote: I notice you don't like answering popups, so this program is probably not suitable for you)
Known Attacks - Introduction
It is quite amazing how many different types of attacks processes can launch against other processes. Many can be fatal, allowing the attacking process to completely bypass all security put forward by another. In this chapter we explain some of the main attacks, as briefly described here.
Termination - The attacking process attempts to terminate or otherwise fatally kill the target process. This is the most common attack and can be accomplished easily in a number of ways, but the most common method is to call the TerminateProcess function, located in the kernel32.dll module. For detailed information about process termination please visit the website for our freeware Advanced Process Termination utility.
Crashing - The attacking process attempts to forcibly crash the target process. This is just as effective as termination, but often results in visual giveaways on-screen such as error messages from the operating system. Termination is usually preferred for this reason, but crash susceptibility is still a security concern, and error messages can easily be hidden by the trojan if its author wants it to do so.
Modification - The attacking process attempts to modify or inject code in the target process, usually with the intent of changing the behaviour of the target process, or hiding its own code in the context of the target process. The target process remains resident and active, but in a modified state. For example, an attacking process could modify an anti-virus scanner so that nothing is ever detected, or modify a firewall so that all traffic is allowed in and out.
Suspension - The attacking process attempts to suspend the target process (usually by suspending all threads belonging to the target process), leaving it resident but in an inactive, frozen state. Often this can still leave the visual impression that the program is ok, especially if it's only visible in the system tray or taskbar.
Leaktests - Leaktests are demonstration programs that test various methods of bypassing firewalls often used by trojans. The attacking process (in this case the Leaktest program) attempts to transmit data to the Internet, usually using advanced techniques such as hooking and thread activation in order to bypass firewalls. Although never designed to be an anti-leaktest program, ProcessGuard has been demonstrated in real-world tests to have remarkable results against many firewall bypass techniques due to its process-protecting nature, making it possibly the strongest program available today for securing firewalls.
Rootkits & Drivers - Kernel-mode drivers (.sys files) have the power to perform very low-level system functions, and in the case of rootkits (advanced trojans that modify operating system functions to try to gain stealth) they can actually modify the behaviour of critical operating system functions and security processes.
Hooks & Injections - The attacking process attempts to inject a DLL (the hook) into all processes on the system, allowing it to then perform functions on behalf of other processes. When an application has been hooked it can make termination attacks a lot easier, as well as open up certain firewall leak-tests.
Physical Memory - It's possible for user-mode applications to read and even write to kernel regions of memory by using the "\Device\PhysicalMemory" object. This opens the door for a plethora of attacks against other processes.
User Imitation - Malicious programs can generate the same key strokes and mouse clicks that human users use to shut down programs. The attacks are program-specific but nonetheless very effective and fairly easy to execute. ProcessGuard is able to protect against such attacks by combining its advanced Secure Message Handling and Human Verification techniques.
Process Execution - You'd be surprised how many programs execute on your system without your knowledge, and there have also been various operating system and software exploits discovered over the years that allow attackers to execute programs on a target system. Controlling which programs can and can't run on your system is one of the strongest ways you can prevent the above attacks from occurring in the first place, so by allowing you to control program executions ProcessGuard provides you with two layers of security in one.
All of the attacks above represent a very serious and very real threat to local system security, particularly because the majority of people execute programs on their system without actually knowing exactly what all of the code in the program does, but all of these attacks can be easily protected against by DiamondCS ProcessGuard, as demonstrated in further detail in this section.
ErikAlbert
September 24th, 2006, 04:05 PM
-{ Quote: "The only updates you'll get are software updates, which are not daily. All the determinations in the database are looked up when the new process tries to run. There are no database update downloads like in your antivirus, that's the whole point of the community database (having access to new determinations as soon as they're made, without having to wait for updates). You should be getting program updates maybe once a month or so, not daily. With DeepFreeze, however, it won't be able to store the determinations locally, so it will have to look up anything new each time it runs. The way around this would just be to run anything you install in Thawed mode before rebooting to Frozen mode, as well as checking for updates at the same time." }-
Sorry, but that's not true. I have got updates every day since I have had Prevx1 and each time Prevx1 asked to be restarted again.
And I updated my snapshot with these updates. :)
bellgamin
September 24th, 2006, 04:08 PM
-{ Quote: "The trouble is that more and more softwares require an internet connection during the installation" }-This is one of my very few grumbles with Online Armor.
@Notok- Is this a Prevx support forum? Why not put such guidance in a PM, I wonder?
Actually, since this thread is gradually turning into "my program is better than yours" debate, I am well protected by SSM -- which has its own support forum over Yonder (http://syssafety.com/forum/).
ErikAlbert
September 24th, 2006, 04:21 PM
-{ Quote: "This is one of my very few grumbles with Online Armor." }-
Windows Defender and A-square have the same problem. I find this very ANNOYING and I'm very angry with M$, because of the online activation of winXP.
When the good guys are helping the bad guys to infect your computer, that's for me the limit.
ErikAlbert
September 24th, 2006, 04:48 PM
-{ Quote: "Actually, since this thread is gradually turning into "my program is better than yours" debate, I am well protected by SSM -- which has its own support forum over Yonder (http://syssafety.com/forum/)." }-
SSM isn't good for less-knowledgeable users; way too complicated.
My type of users have neither the time nor the will to learn such software. :)
mercurie
September 24th, 2006, 05:32 PM
....this security task is assigned to BOClean. I highly recommend it. ;)
ErikAlbert
September 24th, 2006, 05:46 PM
-{ Quote: "....this security task is assigned to BOClean. I highly recommend it. ;)" }-
I have only one problem with BOClean. I can't try it without buying it.
If I don't like it or my total system doesn't like it, I know I get my money back. I wonder how I will get my money back in Belgium. International payments aren't cheap. :)
Notok
September 24th, 2006, 05:48 PM
-{ Quote: "@Notok- Is this a Prevx support forum? Why not put such guidance in a PM, I wonder?" }-Just trying to clear up misconceptions, that particular issue is being, and will be, further dealt with in private. Since Prevx1 is a bit of a new approach I know that it's not always clear how it works. It's neither a pure scanner nor a behavior blocker, and it even took me a while to really get the whole concept. I hope I can at least give a good idea of how the program works and why it is that way. Sorry if I gave the impression that I'm trying to push the program in any way, that's not my intention.
On another note, to add to the original topic of defending against keyloggers and such, one of the things that most people don't seem to realize is that a lot (if not most) modern keyloggers actually don't use hooks anymore. Rather than intercepting keystrokes as they are typed, what a lot of them are doing is capturing the information your browser submits, just before it's encrypted and sent. So when it comes to keyloggers, you don't want to rely entirely on blocking hooks and such anymore. Martin's Undetectable Keylogger is a novel approach, but not really used since it's not particularly reliable. If you've got protection against rootkits, however, then you'll at least be covered enough for your other anti-malware to have a much better chance of detecting and removing it.
gerardwil
September 24th, 2006, 06:32 PM
-{ Quote: "Just trying to clear up misconceptions, that particular issue is being, and will be, further dealt with in private. Since Prevx1 is a bit of a new approach I know that it's not always clear how it works. It's neither a pure scanner nor a behavior blocker, and it even took me a while to really get the whole concept. I hope I can at least give a good idea of how the program works and why it is that way. Sorry if I gave the impression that I'm trying to push the program in any way, that's not my intention.
" }-
Personally I don't see this thread as pushing Prevx1. I am following this thread with more than average interest. And I hope as long as the mods don't jump into it this discussion can stay public.
Just my opinion.
Gerard
ErikAlbert
September 24th, 2006, 06:59 PM
-{ Quote: "Does Anti-Executable stop only executable files like *.exe? How about others?" }-
Anti-Executable detects more than 80 different executable file types, like .exe, .ocx, .ax, .sys, .drv, .x32, .vxd, .scr, .tlb, ...
I couldn't find the complete list yet.
Sources :
http://www.faronics.com/html/AntiExec.asp
http://www.faronics.com/html/AntiExec.asp#Standard
And now I'm dead tired and need sleep. Goodnight. :)
Devil's Advocate
September 25th, 2006, 04:43 AM
-{ Quote: "I have only one problem with BOClean. I can't try it without buying it.
" }-
No No, a bigger problem is that Boclean uses blacklists. It's no different from antiviruses, Ewido, A2 squared in that respect.
I'm surprised Erikalbert would consider it. :)
Devil's Advocate
September 25th, 2006, 04:47 AM
-{ Quote: "
On another note, to add to the original topic of defending against keyloggers and such, one of the things that most people don't seem to realize is that a lot (if not most) modern keyloggers actually don't use hooks anymore. Rather than intercepting keystrokes as they are typed, what a lot of them are doing is capturing the information your browser submits, just before it's encrypted and sent. " }-
I guess it depends on what type of keyloggers you mean, the 'legitimate' kinds or the not so legitimate kinds.
In any case, what would you recommend to stop the type of keyloggers you are talking about? Any generic methods?
ErikAlbert
September 25th, 2006, 10:33 AM
-{ Quote: "No No, a bigger problem is that Boclean uses blacklists. It's no different from antiviruses, Ewido, A2 squared in that respect.
I'm surprised Erikalbert would consider it. :)" }-
In that case I'm not interested anymore in BOClean. I must stick to the basic principles of my security setup: rollback, whitelists and maybe something else I'm still not aware of.
I read that Anti-Executable doesn't protect me against scripts, but Anti-Executable isn't my only protection.
I ignore and remove any unknown email without even opening it.
Firefox doesn't allow any scripts with the right settings and extensions.
I assume that scripts, if they succeed in installing themselves, cause changes in my frozen snapshot, but those changes are removed during the next reboot. Maybe frozen snapshots don't remove everything, but that has to be PROVEN first. And even when that happens, I still can create a new snapshot via my original clean archived snapshot on my external harddisk and freeze it back.
I'm not saying I have the 100%-solution, I'm just trying to find out what is missing to make it better. After all, I'm not a security expert.
Nevertheless I'm already better protected than a user whose security is mainly based on blacklist security software.
HIPS is also very good, unfortunately not for my kind of users.
I didn't test Anti-Executable thoroughly yet due to lack of time, but I already noticed that I can't install anything with AE enabled, not even legitimate software, and all my whitelisted applications are running without problems.
I can't do it all at once, but I'm getting closer and closer every day. :)
aigle
September 25th, 2006, 12:34 PM
-{ Quote: "
HIPS is also very good, unfortunately not for my kind of users.
" }-
So you think Anti-Executable is not a HIPS?
ErikAlbert
September 25th, 2006, 12:53 PM
-{ Quote: "So u think Anti-executable is not a HIPS?" }-
No it isn't, because Anti-Executable (AE) is based on a whitelist of applications on your computer; anything else is not allowed to be installed or to run.
AE doesn't even ask questions, like yes or no. It simply says you are not allowed to do this or this software isn't allowed to do this.
You can't get access to AE without a password.
AE is one of the most hidden pieces of software I've ever seen.
You don't see it in Add/Remove Programs.
You don't see it in the programs menu.
You only see a folder in Windows Explorer, that can't be accessed and an icon in the system tray and even the icon can be hidden with a setting.
You can't click on the icon, you can't rightclick on the icon. It doesn't act like a normal icon. You can't uninstall AE in the usual way. You really have to read the welcome email or the manual to work with AE.
The first time I installed AE, I thought it didn't work or wasn't even installed. AE is a very unusual software. ;D
mercurie
September 25th, 2006, 12:55 PM
-{ Quote: "No No, a bigger problem is that Boclean uses blacklists. It's no different from antiviruses, Ewido, A2 squared in that respect.
I'm surprised Erikalbert would consider it. :)" }-I'm not sure I understand what your problem is with BOClean. Can you elaborate?
ErikAlbert
September 25th, 2006, 01:26 PM
-{ Quote: "One thing which makes it very difficult for me to choose among these security products is that there're nearly no independent tests to compare their performance.
Do they work as they intend to? How well do they achieve their goals?" }-
The only way is testing it yourself and that takes quite some time. I'm not planning to wait for a security expert to get a complete evaluation of my security setup.
Since I'm no expert, I can only test my security setup with the very best scanners. If they don't find anything after 6 or 12 months, I know at least, that I don't need them anymore, but that doesn't mean my computer is clean.
I also can go to dangerous websites to test my security setup, but the problem is, how will I know for sure my computer is still clean.
bellgamin
September 25th, 2006, 03:06 PM
-{ Quote: "I'm not sure I understand what your problem is with BOClean. Can you elaborate?" }-BOClean is mainly a Blacklist-type program.
Blacklist databases consist of signatures of bad guys. Blacklists raise a red flag if a process is in its bad guy database. Everything else is "okay."
Whitelist databases consist of hashes of okay guys. A process is okay ONLY if it is actually recorded in the okay database. Whitelists raise a red flag for EVERYTHING else.
Prevx is an example of a Whitelist-type program. There are several other such programs including but not limited to System Safety Monitor & Online Armor -- but each program has its own approaches & peculiarities for using the whitelist concept.
~~~~~~~
Assume ProcessX is a nasty.
If Blacklist doesn't see ProcessX on its *bad list* it lets it enter.
If Whitelist doesn't see ProcessX on its *okay list* it raises a red flag.
Ergo, Blacklist is more likely to allow a nasty than Whitelist. Whitelist is more likely to raise a red flag about a new or unknown but okay program, but is MUCH more likely to raise a red flag about a hitherto unknown nasty or zero day nasty.
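The ProcessX comparison above, carried through as an added example (my code, not from the thread or from any of the products named in it): each constructed "process image" is hashed with SHA-256 and looked up in a constructed blacklist and a constructed whitelist, and a never-seen sample, a morphed copy of a known nasty and a tampered copy of a whitelisted program show which policy raises the red flag. The `user_approves` helper is my own stand-in for the user decision that adds a program to a whitelist.

```python
import hashlib

def sha256_hex(image: bytes) -> str:
    """Checksum of a process image; both databases are keyed on this value."""
    return hashlib.sha256(image).hexdigest()

def blacklist_verdict(image: bytes, bad_hashes: set) -> str:
    """Blacklist: red flag only for a hash in the bad-guy database, everything else is 'okay'."""
    return "flag" if sha256_hex(image) in bad_hashes else "allow"

def whitelist_verdict(image: bytes, ok_hashes: set) -> str:
    """Whitelist: allow only a hash recorded in the okay database, red flag for everything else."""
    return "allow" if sha256_hex(image) in ok_hashes else "flag"

def user_approves(ok_hashes: set, image: bytes) -> set:
    """Hypothetical helper: a user decision that records an image in the whitelist.
    A careless approval is the weak point of user-driven whitelists."""
    return ok_hashes | {sha256_hex(image)}

# Constructed stand-ins for process images (short byte strings, not real binaries).
GOOD_APP = b"MZ constructed good application v1.0"
KNOWN_NASTY = b"MZ constructed nasty already in the signature database"
ZERO_DAY = b"MZ constructed nasty nobody has seen before"
MORPHED_NASTY = KNOWN_NASTY + b"\x00"              # same nasty, one byte of padding added
TAMPERED_APP = GOOD_APP.replace(b"v1.0", b"v1.X")  # whitelisted app with patched bytes

OK_HASHES = {sha256_hex(GOOD_APP)}      # built by scanning the clean machine
BAD_HASHES = {sha256_hex(KNOWN_NASTY)}  # signature database of known bad guys

SAMPLES = {
    "good_app": GOOD_APP,
    "known_nasty": KNOWN_NASTY,
    "zero_day": ZERO_DAY,
    "morphed_nasty": MORPHED_NASTY,
    "tampered_app": TAMPERED_APP,
}

def compare_policies(images=SAMPLES, ok_hashes=OK_HASHES, bad_hashes=BAD_HASHES) -> dict:
    """Return {name: (blacklist verdict, whitelist verdict)} for every image."""
    return {
        name: (blacklist_verdict(img, bad_hashes), whitelist_verdict(img, ok_hashes))
        for name, img in images.items()
    }

if __name__ == "__main__":
    for name, (bl, wl) in compare_policies().items():
        print(f"{name:14} blacklist={bl:5} whitelist={wl}")
```

Only the known nasty is caught by the blacklist; the morphed copy and the zero-day sample walk straight in, while the whitelist flags both of them and the tampered program too, at the cost of also flagging any legitimate program that has not yet been recorded.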
StevieO
September 25th, 2006, 05:59 PM
Attention
BOClean does actually also have heuristics built in as well as its defs database, which obviously isn't as well known as it should be!
Therefore calling it just a Blacklister is incorrect, and potentially damaging to its solid reputation too.
Also, any product that has defs in it is in fact completely different from strictly Black/White listing type Apps. These can be very good, I use one myself, but are Not the same as ones with defs in, nor do they operate/interact etc with malware in the same way either. A lot more goes on under the hood with defs based products, and even more if they include heuristics.
StevieO
herbalist
September 25th, 2006, 06:16 PM
-{ Quote: "I also can go to dangerous websites to test my security setup, but the problem is, how will I know for sure my computer is still clean." }-
Assuming you don't let a rootkit installer run, there are ways to see if anything else gets changed. Using a utility like Inctrl5 (http://www.pcmag.com/article2/0,4149,9882,00.asp), take a snapshot of your system before browsing, then take another afterwards. Inctrl5 will let you know about every new or changed file, folder, or registry entry. I used it heavily while testing SSM on my 98 box, and other than files sitting in the browser cache and temp folders, it confirmed that SSM didn't allow anything on my system to be changed. As for rootkits, Inctrl5 probably won't show them once they're installed.
Rick
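herbalist's before/after snapshot method, as an added example (my code, not Inctrl5 and not anything from the thread): it hashes every file under a directory tree, skips the cache and temp folders whose churn the post describes as noise, and reports new, changed and deleted files; the demo builds a constructed tree in a temporary directory and simulates a session. The registry half of Inctrl5 is not covered, and a rootkit that hides files from directory listings blinds this check in the same way the post describes.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Folder names whose churn is expected after a browsing session (constructed list).
EXCLUDED_DIR_NAMES = {"Temp", "Cache", "Temporary Internet Files"}

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def take_snapshot(root, excluded=EXCLUDED_DIR_NAMES) -> dict:
    """Map each file under root (POSIX-style relative path) to (size, sha256)."""
    root = Path(root)
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded folders in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d not in excluded]
        for name in filenames:
            p = Path(dirpath) / name
            try:
                snapshot[p.relative_to(root).as_posix()] = (p.stat().st_size, file_digest(p))
            except OSError:
                continue  # vanished or unreadable between listing and hashing
    return snapshot

def diff_snapshots(before: dict, after: dict) -> dict:
    """Report what a session added, modified or removed, like a before/after Inctrl5 run."""
    common = before.keys() & after.keys()
    return {
        "new": sorted(after.keys() - before.keys()),
        "changed": sorted(k for k in common if before[k] != after[k]),
        "deleted": sorted(before.keys() - after.keys()),
    }

def demo() -> dict:
    """Build a constructed tree, snapshot it, simulate a session, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Program Files" / "App").mkdir(parents=True)
        (root / "Program Files" / "App" / "app.exe").write_bytes(b"MZ constructed application")
        (root / "Windows").mkdir()
        (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "Temp").mkdir()
        (root / "Temp" / "old.tmp").write_bytes(b"leftover")
        before = take_snapshot(root)

        # Simulated session (all constructed): cache noise that must be ignored,
        # a modified hosts file, a dropped executable and a removed application file.
        (root / "Temp" / "session.tmp").write_bytes(b"cache noise")
        (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n127.0.0.1 example.test\n")
        (root / "Windows" / "dropped.exe").write_bytes(b"MZ constructed dropped file")
        (root / "Program Files" / "App" / "app.exe").unlink()
        after = take_snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```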
ErikAlbert
September 25th, 2006, 07:50 PM
-{ Quote: "Assuming you don't let a rootkit installer run, there are ways to see if anything else gets changed. Using a utility like Inctrl5 (http://www.pcmag.com/article2/0,4149,9882,00.asp), take a snapshot of your system before browsing, then take another afterwards. Inctrl5 will let you know about every new or changed file, folder, or registry entry. I used it heavily while testing SSM on my 98 box, and other than files sitting in the browser cache and temp folders, it confirmed that SSM didn't allow anything on my system to be changed. As for rootkits, Inctrl5 probably won't show them once they're installed.
Rick" }-
Thanks for that utility !!! I will look into this, when I'm ready to test my frozen snapshot.
ErikAlbert
September 25th, 2006, 07:54 PM
-{ Quote: "Attention
BOClean does actually also have heuristics built in as well as its defs database, which obviously isn't as well known as it should be!
Therefore calling it just a Blacklister is incorrect, and potentially damaging to its solid reputation too.
Also, any product that has defs in it is in fact completely different from strictly Black/White listing type Apps. These can be very good, I use one myself, but are Not the same as ones with defs in, nor do they operate/interact etc with malware in the same way either. A lot more goes on under the hood with defs based products, and even more if they include heuristics." }-
With a whitelist, like in Anti-Executable, I know exactly what it does. Anything that isn't whitelisted is bad; only your whitelisted applications are allowed to run, and I know exactly which software I installed, because I did it myself.
That is a very CLEAR picture.
With a blacklist I don't know anything.
Against which malware am I protected with this scanner? Beats me.
Against which malware am I protected by heuristics with this scanner? Beats me.
Against which malware am I NOT protected with this scanner? Beats me.
Which additional scanner(s) do I need to remove the rest? Beats me.
How many scanners do I have to run? 1, 2, 8, 10 or more? Beats me.
Which scanner is better than the other? Beats me.
Can I verify all that? Most probably yes. Nice job for me to check hundreds of thousands of signatures and compare them with another list of hundreds of thousands of signatures to see the differences.
Of course nobody is going to do this, so we start GUESSING to give an answer to all these questions. Very scientific!!! ::)
Wilders is FULL of questions about blacklist security software and the reason is obvious: there is no CLEAR picture anymore and the quantity is too huge and increasing constantly.
This is food of course for endless discussions, numerous combinations/opinions and everybody claims to have the right answers.
One big uncontrollable mess, that's what blacklists are.
Each time a scanner tells me "No threats found", I think "What about the rest you didn't find ?"
What a reassurance. Pffft. :)
Seishin
September 25th, 2006, 11:42 PM
Here's a free product you could try (KeyScrambler):
http://www.qfxsoftware.com/products.htm
Someone posted about it over at DSLReports.
Cheers.
aigle
September 26th, 2006, 12:47 AM
-{ Quote: "No it isn't, because Anti-Executable (AE) is based on a whitelist of applications on your computer, anything else is not allowed to be installed or to run.
AE doesn't even ask questions, like yes or no. It simply says you are not allowed to do this or this software isn't allowed to do this.
You can't get access to AE without a password.
AE is one of the most hidden pieces of software I've ever seen.
You don't see it in Add/Remove Programs.
You don't see it in the programs menu.
You only see a folder in Windows Explorer, that can't be accessed and an icon in the system tray and even the icon can be hidden with a setting.
You can't click on the icon, you can't rightclick on the icon. It doesn't act like a normal icon. You can't uninstall AE in the usual way. You really have to read the welcome email or the manual to work with AE.
The first time I installed AE, I thought it didn't work or wasn't even installed. AE is a very unusual software. ;D" }-
I believe SSM with the user interface disconnected will give you much more protection than this. Also nobody can uninstall it or open it, as it can be password protected.
bellgamin
September 26th, 2006, 12:54 AM
-{ Quote: "BOClean does actually also have heuristics built as well as it's defs database, which obviously isn't as well known as it should be !
Therefore calling it a just a Blacklister is incorrect" }-I wrote that BOClean is *mainly* a blacklister. I did NOT say that it is *just* a blacklister. It's unsanitary to put words in my mouth.:P
Further, a heuristic is, in essence, simply another form of blacklist. Namely, a heuristic is mainly based upon a list of behaviors which are *typical* of malware. Thus, malware writers can readily test their programs again & again against a given heuristic until they finally find a way to circumvent its current list of *bad behaviors*. Once they do so, they are up & running again.
On the other hand, in order for a malware to get past a whitelist, its programmers must either (a) find a way to get onto the whitelist itself or (b) find a way to get past the whitelist's checksums.
With respect to a program such as System Safety Monitor, the easier route is usually (a) -- finding a way to get onto the whitelist itself. Why? Because SSM largely depends on decisions of the individual user as to what does & does not get whitelisted. If individual users are careless or lazy or misinformed or deceived, the fat is in the fire.
A major distinguishing facet of Prevx1 is the fact that it bases its whitelisting decisions upon a *community* of users plus actual testing done by a team of home-office experts.
To oversimplify:
>Smart malware writers can screw around until they wriggle their way through any blacklist, by tactics such as morphing or zero-day etc.
>Careless or lazy or misinformed or deceived users can screw-up any whitelister that heavily depends upon individual user decisions
>Delay time & system load for updating whitelists are the potential weaknesses of Prevx. Other than that, I see no intrinsic *loose screws* in that sort of whitelist... YET.
maddawgz
September 26th, 2006, 12:54 AM
-{ Quote: "Here's a free product you could try (KeyScrambler):
http://www.qfxsoftware.com/products.htm
Someone posted about it over at DSLReports.
Cheers." }-
how do we know they're not stealing our info too..lol the ppl that make it. what does the free version offer over pro??
Wai_Wai
September 26th, 2006, 01:07 AM
So far, some respondents simply use generic security products to block all sorts of malware. Others may use specific security products to block particular kinds of malware (eg Snoopfree against keyloggers).
I would like to know why you select such a combination, and not the other way round. So why?
Wai_Wai
September 26th, 2006, 01:31 AM
-{ Quote: "In that case I'm not interested anymore in BOClean. I must stick to the basic principles of my security setup : rollback, whitelists and maybe something else, I'm still not aware of." }-
Me neither.
The reason is just the same as yours. It depends mainly on blacklisting technique to detect malware.
-{ Quote: "
I read that Anti-Executable doesn't protect me against scripts, but Anti-Executable isn't my only protection.
I ignore and remove any unknown email without even opening them.
Firefox doesn't allow any scripts with the right settings and extensions.
I assume that scripts, if they succeed to install themselves, cause changes in my frozen snapshot, but those changes are removed during the next reboot. Maybe frozen snapshots don't remove everything, but that has to be PROVEN first. And even when that happens, I still can create a new snapshot via my original clean archived snapshot on my external harddisk and freeze it back.
" }-
How about if the malware corrupts/infects your snapshot, or infects your personal data or the area where you don't snapshot?
Have you considered Process Guard?
It can do what you want (block executable files) plus much more.
-{ Quote: "
I'm not saying I have the 100%-solution, I'm just trying to find out what is missing to make it better. After all, I'm not a security expert.
Nevertheless I'm already better protected, than an user, whose security is mainly based on blacklist security softwares.
HIPS is also very good, unfortunately not for my kind of users.
I didn't test Anti-Executable thoroughly yet due to lack of time, but I already noticed, that I can't install anything with AE enabled, not even legitimate softwares and all my whitelisted applications are running without problems.
I can't do it all at once, but I'm getting closer and closer every day. :)" }-
How do you solve the problems which have been outlined here:
http://www.wilderssecurity.com/showthread.php?p=843848#post843848
If you haven't thought about these problems, it is worth taking a look.
:)
Wai_Wai
September 26th, 2006, 01:40 AM
-{ Quote: "
>Delay time & system load for updating whitelists are the potential weaknesses of Prevx. Other than that, I see no intrinsic *loose screws* in that sort of whitelist... YET." }-
Some other (possible) weaknesses:
- wrong report of a malicious application by users (it requires some time to fix that)
- wrong report of a genuine application by users (I have seen reports about this in its support forum)
- grey area: some users may regard a behaviour as acceptable; others would like to block it. The final decision made by the system may not be desirable to you
I hope Prevx1 will let me make decisions on the actions/behaviours of not only the genuine applications, but also supposedly malicious applications.
Devil's Advocate
September 26th, 2006, 04:15 AM
-{ Quote: "
A major distinguishing facet of Prevx1 is the fact that it bases its whitelisting decisions upon a *community* of users plus actual testing done by a team of home-office experts.
" }-
Notok is probably going to pop up and tell you Prevx1 does blacklisting too, and heuristics and everything under the sun.
Devil's Advocate
September 26th, 2006, 04:31 AM
-{ Quote: "
I'm not saying I have the 100%-solution, I'm just trying to find out what is missing to make it better.
" }-
Well if you are not looking for 100% solutions you might as well stick to blacklists.
-{ Quote: "
After all, I'm not a security expert.
" }-
You are too modest.
-{ Quote: "
Nevertheless I'm already better protected, than an user, whose security is mainly based on blacklist security softwares.
" }-
I guess it depends. I could never survive using your system. It's also pretty complicated; I can't imagine any less knowledgeable user learning how to set up your system (partitions and moving profile folders). To be honest I tried to understand your system, but I only got some vague impression of how it works. Basically snapshots and backups, some on an external hard disk, and then you roll back every night or something, right?
So your system never changes except for some personal info and settings.
Or is it that you only back up your system partition? As I said, I don't quite get what you are doing.
Sounds good assuming you can handle the malware in between snapshots, except it's too restrictive for me. I would feel like I'm using a library/internet cafe computer and not my own computer. I want to install and keep software. Refreshing snapshots over and over again would frustrate me; it's like you never did anything at all.
I use snapshots and image backups too, but only as a last resort or for testing. But then again I'm not looking for 100% certainty, so I'm happy with scanners, HIPS and some amount of backup and virtualization.
ErikAlbert
September 26th, 2006, 07:10 AM
-{ Quote: "Well if you are not looking for 100% solutions you might as well stick to blacklists.
You are too modest.
I guess it depends. I could never survive using your system. It's also pretty complicated; I can't imagine any less knowledgeable user learning how to set up your system (partitions and moving profile folders). To be honest I tried to understand your system, but I only got some vague impression of how it works. Basically snapshots and backups, some on an external hard disk, and then you roll back every night or something, right?
So your system never changes except for some personal info and settings.
Or is it that you only back up your system partition? As I said, I don't quite get what you are doing.
Sounds good assuming you can handle the malware in between snapshots, except it's too restrictive for me. I would feel like I'm using a library/internet cafe computer and not my own computer. I want to install and keep software. Refreshing snapshots over and over again would frustrate me; it's like you never did anything at all.
I use snapshots and image backups too, but only as a last resort or for testing. But then again I'm not looking for 100% certainty, so I'm happy with scanners, HIPS and some amount of backup and virtualization." }-
I'm used to these remarks, so that doesn't bother me. :)
Each time I try something different at work, I get these remarks: it's not possible, it has never been done before, don't do it, what if it goes wrong, what are you trying to do, are you crazy, etc. etc. etc.
And when I've done it successfully, I don't hear anything anymore, and this repeats itself over and over again.
I also get a lot of bad advice from people who try to tell me what to do, and if I listen to these people and it goes wrong, they all disappear and I get all the blame.
My experience is that each time I try something different, I'm ALONE, so I'm used to taking care of myself.
Right now, I'm moving folders and that is indeed "complicated", but I'm working on that problem. What is a problem NOW doesn't mean it remains a problem forever. Never heard of FIXING problems? I do it all the time at work.
At home, everything goes slower of course, because I have to do this in my free time, and at work I don't do that kind of job.
You don't have to understand it either, and you don't have to do what I'm doing, because that is a lot of work.
Who cares anyway, it's my computer. :)
ErikAlbert
September 26th, 2006, 07:41 AM
-{ Quote: "1) How do you deal with the cases where malware infects your personal data as well?
2) If you move "documents and settings" away and don't take a snapshot, what if they are infected? It is a place malware will be keen on attacking.
3) How do you prevent trojans and keyloggers etc. from stealing your passwords or other sensitive data between each session? The bad stuff is removed only when you reboot / restore your system, not during the session.
" }-
For now, I assume that Anti-Executable will stop the execution of any non-whitelisted application, including malware.
I said "assume", because I don't really know for sure.
But I have to start somewhere, and my very first approach is to trust the software completely, based on what I have read.
After I have configured my system partition completely, my second approach is trying to destroy what I have built in every possible way I can think of.
At Wilders they often call it "torture tests", but I don't use that expression.
Unfortunately, I'm neither a malware expert nor an internet expert, and that is a big disadvantage for doing these torture tests. I just don't know how to do these tests and, above all, how to CONTROL them.
Once I'm ready, I most probably will ask Wilders how to do this, but I'm not that far yet.
As I said before, I can't do it all at once and first things first.
-{ Quote: "4) Some programs do not save changes in "documents and settings", rather they save in "program files"." }-
Most recent applications have a default folder setting that allows you to save your personal files anywhere.
Typical examples are MS Word and MS Excel. So these applications are not a problem.
Some applications don't have a default folder setting, but still allow you to save your personal files anywhere you want.
Typical examples are Adobe Reader and Notepad. So these applications aren't a problem either.
Some applications store your personal files in the same folder where the application itself is installed.
In other words, under the folder "Program Files", like you already mentioned, and that is indeed a problem.
I'm aware of this, and at first sight it can't be solved to my knowledge, and these applications do exist indeed.
Such applications have a very bad folder structure, because you never put software objects and personal data objects in the same folder, even when you use subfolders in the software folder. You just don't do this in the computer world; this is a capital sin and very stupid too.
Such applications are probably OLD, or the programmer wasn't smart enough.
Such applications often have an alternative WITH a default folder setting, and in that case I would choose that one.
Since I separated my system files from my personal files, I pay attention to this. I don't have such applications on my system partition, and I will avoid them in the future. :)
Seishin
September 26th, 2006, 07:42 AM
-{ Quote: "how do we know they're not stealing our info too.. lol the ppl that make it. what's the free offer over pro??" }-
Truth is that I wouldn't get it either. Looks like the free version is way too basic. Here:
Q: What are differences between the Personal version and the Professional version of KeyScrambler?
A: The major difference is in the level of input protection. Whereas KeyScrambler Personal encrypts keystrokes of your username(s) and password(s), KeyScrambler Professional encrypts keystrokes of all your input, be it a credit card number or a whole page of email you type out on the Internet. We recommend the pro version to individuals and companies whose communications contain sensitive information they wish to safeguard against keyloggers. (http://www.qfxsoftware.com/KeyScrambler/KeyScrambler_FAQ.htm)
ErikAlbert
September 26th, 2006, 08:24 AM
-{ Quote: "A: The major difference is in the level of input protection. Whereas KeyScrambler Personal encrypts keystrokes of your username(s) and password(s), KeyScrambler Professional encrypts keystrokes of all your input, be it a credit card number or a whole page of email you type out on the Internet. We recommend the pro version to individuals and companies whose communications contain sensitive information they wish to safeguard against keyloggers. (http://www.qfxsoftware.com/KeyScrambler/KeyScrambler_FAQ.htm)" }-
I will do my online-banking right after reboot, when my frozen snapshot is still clean and all possible keyloggers are removed in my system partition.
I don't use my online banking very often. I just do a little bookkeeping in a spreadsheet to calculate my fixed and variable expenses and to stop my wife in time from buying things.
So I don't really need KeyScrambler.
Nevertheless, I've put it on my software-list and thanks for that. I might need it in the future. :)
mercurie
September 26th, 2006, 01:21 PM
First thanks for your reply Bellgamin. That is about what I thought I just wanted to make sure.
Well, BOClean has kept me free of infections. They update their signatures against "blacklisted" crap two and sometimes three times a day. I can count on one hand the number of times over the years they have not updated once a day. I have never ever had a legitimate program get hosed (false positive) due to BOClean seeing it as a "bad guy". It just sits there blinking silently, using very little resources, protecting me with its "blacklist". ::)
Signature-based products give you the most reliable results, with zero-day false positives at zero (almost zero anyway). After all, if it gets caught by BOClean and your AV missed it, what does that say about your AV, Devil's Advocate? ;)
Some folks want their security so tight that it would take a software technogiant to figure out what to do. Remember, BOClean was written for little intervention by an IT person (my understanding). In other words, the user needs to make no decision on what to do, based on the configuration of BOClean of course.
I guess the bottom line is the product must fit the needs of the user. ;)
Wai_Wai
September 27th, 2006, 05:00 PM
Key Scrambler is said to encrypt your keystrokes at the kernel driver level to protect your login information from keyloggers.
It is an addon to Firefox:
https://addons.mozilla.org/firefox/3383/
Has anyone tried it?
How effective is it?
Wai_Wai
November 25th, 2006, 10:05 PM
Any comment?
yankinNcrankin
December 6th, 2006, 12:46 PM
Never tried it, but I will comment: be careful of the add-ons, they are usually the cause of security leaks in the browser..... a bit ironic considering the intention of this add-on would be for security purposes.... but as I said, "I did not try it". If anyone has, I would also like to know the end result(s).
poirot
December 11th, 2006, 02:23 PM
Dear friend ErikAlbert, my nickname being a real Authority in Belgium, please believe me that if you try BOClean for a while you won't regret it!
In any case, I don't think you'll waste anything in monetary terms if you require/demand a refund when you pay with any type of card, or very little with other methods; it is worth it anyhow.
IMHO it is the first software I'd care to install after the firewall and antivirus.
As I stated various times, it has always kept me clean, not only of big guns, but also of very little malware, so that I really could dispose of such things as SpyBot and AdAware, etc.
regards, poirot
tobacco
December 12th, 2006, 02:02 PM
Most of this thread seems to deal with prevention. Can anyone recommend good software to detect an already implanted 'keylogger'?
Thanks
Thankful
December 12th, 2006, 10:21 PM
You could try a-squared free anti-malware. You can check out their malware database here: http://www.emsisoft.com/en/support/malware/
SnoopFree Privacy Shield is also an excellent choice.
http://www.snoopfree.com/
Copyright ©2002 - 2012, Wilders Security Forums