New kid on the block? - DriveSentry
sukarof
November 6th, 2006, 08:55 AM
http://www.drivesentry.com/
New kid on the HIPS(?) block, well I have never heard of it but it seems to have some nice features. Will test it later.
Huwge
November 6th, 2006, 11:08 AM
Looks interesting, looking forward to your opinion. I'm currently running Prevx. Wonder if there's too much overlap with this.
sukarof
November 6th, 2006, 11:52 AM
Hmm... drat. It is not yet available for download (will be released 10th of November). I will try it then. I also have Prevx1. I like the idea that one, supposedly, can decide what extensions an application can write. But we will see once it is released.
solarpowered candle
November 6th, 2006, 03:13 PM
the download link is up and working now.
sukarof
November 6th, 2006, 08:17 PM
Yes it is up, I did miss that the trial (PRO version) was downloadable. It is just the freeware version that one can't download yet.
First brief impressions:
Installation went fine and no reboot needed, which is always nice. Same goes for when uninstalling the software. They offer a generous 60 day trial.
You have to create an account that you log on to when DriveSentry executes, since this program is sort of community based like Prevx1. Btw Prevx1 and DriveSentry work fine together. Prevx1 did not recognize this software so it asked for permission to start.
But I think that Geswall and DriveSentry do not work well together. I have set Geswall to sandbox all the help files, so when I click on "help" in DriveSentry my VMware session reboots. I think that has to do with Geswall trying to sandbox the help file.
When I tell DriveSentry to protect my Windows folder including all sub folders it crashes and freezes the VMware session. Maybe it is just a bug in DS or maybe one isn't supposed to protect the Windows folder and all the sub folders?
I have not tried DriveSentry in my "live" environment, just in a snapshot in VMware.
But when protecting other folders DriveSentry does its job being a "firewall" to the hard drive. I have to allow/deny every program that tries to write/modify/delete anything in the protected folders. Once allowed, they become trusted to do all that in the protected folder.
zorro zorrito
November 6th, 2006, 10:33 PM
It looks fine, I'm going to install it. I like that it protects the registry, so working with another like Process Guard or AntiHook, it could be great! Let's see how it works.
Rasheed187
November 9th, 2006, 12:53 PM
I downloaded the Pro version but I had no internet connection on my virtual machine, so I could not create an account, I really hate having to create an account first. :dry:
But anyway I will try to test it later, looks interesting, I think more HIPS should focus on folder/file protection. But I hope it's not too intrusive; a while back I tested a tool named "Parador File Protection" and that app was a joke, it alerted about just about anything. :wacko:
interact
November 11th, 2006, 05:52 PM
I downloaded DriveSentry but had a problem so contacted support and was told a new build was uploaded. I don't like having to create an account but in the interest of science I created one.
I've been running DriveSentry for a few days and it seems very slick looking and does what it says on the box. I did notice that it doesn't hassle you too much, which is good. I'm not 100% sure but I also don't think it uses API hooks, which is good going forward.
Data firewalls seem a logical move to prevent zero day threats as I don't think process monitors and VM tools are the way forward. Process monitors don't save me when I download a crack and allow it to run and it's then free to do whatever it likes. I also worry about VM tools after reading this doc (http://www.codegurus.be/codegurus/Programming/virtualpc&vmware_en.htm); it makes me wonder whether viruses will become more intelligent, detecting where they run from and behaving until they execute in a live environment.
DriveSentry is one of the better products I've seen for a while but they must include more features in their free "lite" version or better still make the product free :)
wilbertnl
November 11th, 2006, 06:54 PM
What happens when malicious code is injected in for example Windows Explorer to perform a disk write action?
This is for malware a common way to pass through firewalls (using Internet Explorer).
Rasheed187
November 15th, 2006, 12:24 PM
@ interact, thanks for the review, I still have not played with it, was a bit busy.
-{ Quote: "What happens when malicious code is injected in for example Windows Explorer to perform a disk write action?
This is for malware a common way to pass through firewalls (using Internet Explorer)." }-
@ wilbertnl, can you give a bit more info?
Btw, this thread should be moved to the "Other Anti Malware Software" section. ;)
Peter2150
November 15th, 2006, 02:50 PM
-{ Quote: "
DriveSentry is one of the better products I've seen for a while but they must include more features in their free "lite" version or better still make the product free :)" }-
Why??? Do you work for free?
bellgamin
November 15th, 2006, 04:05 PM
With DeepFreeze, why would I need DriveSentry, I wonder?
bellgamin <== (curious but lazy)
interact
November 15th, 2006, 08:48 PM
wilbertnl I tried a number of attacks in memory on a trusted program. From Ring3 (user mode) I used WriteProcessMemory (WPM) to update an instruction of a trusted program at the OEP to an INT3. DriveSentry detected the WPM and asked me if my "test" program was allowed to write to the exe.
1. Trust program (A) in DriveSentry.
2. CreateProcess on program (A) suspended.
3. Allow my process to have write access to (A) process memory.
4. Find OEP from PE header of process (A).
5. Write my new instruction @ RVA of the OEP into process (A).
6. Clean up and resume process (A).
DriveSentry detected step (5) and prompted me.
I next disabled DriveSentry and injected a small (3kb) loader into a trusted program to display a message box (e.g. a simple PE virus); this technique can be used to patch the process memory on the fly from within. I restarted DriveSentry and then ran the patched trusted program and DriveSentry prompted me that the program had changed. I guess I could have done this test far quicker with a hex editor :)
I also examined hooking the RVA of the API calls that DriveSentry was possibly using to monitor system writes but they have implemented a Mini Filter Driver. This is more secure as kernel mode API hooks can also be re-hooked and M$ has stopped this trick under Vista. I didn't really examine the drivers as WinXP SP2 has done its best to screw up my fav' driver debugger SoftICE!
The only review I've read on DriveSentry was for a beta back in august-> http://svenontech.com/tag/Protector
I've just checked out DeepFreeze (Faronics Corporation / http://www.faronics.com/) under VMware (XP SP2) but it doesn't work? bellgamin, no shortcuts are created under the start menu. The task tray icon doesn't do anything when clicked. I guess if I wanted to create a backup/restore of my disk then TrueImage works well :) I've also tried another program (Anti-Executable) from their site which scans the drive then reboots and then does nothing? Are you sure these programs are not a hoax?
Please can anyone else validate my sanity with DeepFreeze.
interact
bellgamin
November 15th, 2006, 09:08 PM
-{ Quote: "I've just checked out DeepFreeze (Faronics Corporation / http://www.faronics.com/) under VMware (XP SP2) but it doesn't work? bellgamin, no shortcuts are created under the start menu. The task tray icon doesn't do anything when clicked. I guess if I wanted to create a backup/restore of my disk then TrueImage works well :) I've also tried another program (Anti-Executable) from their site which scans the drive then reboots and then does nothing? Are you sure these programs are not a hoax?
Please can anyone else validate my sanity with DeepFreeze.
interact" }-
DeepFreeze is used throughout computer classrooms of dozens & dozens of entire school systems and university computer classes. It is also heavily used by libraries, kiosks -- anywhere that computers are used and must be restored (after use) to a pristine status. I have DF running on several of my associates' computers, as well as my own. Works just fine.
Do a search on "DeepFreeze" here at Wilders. It is used by several denizens and highly regarded. Another of the same ilk is ShadowUser, but much more expensive. Here is an Example (http://www.wilderssecurity.com/showthread.php?t=132608).
In any event, my question re using DF vice DriveSentry was somewhat tongue-in-cheek. Why? Because DF deletes EVERY change made while in frozen mode. No questions. No pop-ups. No backtalk. ^_^
By the way, that was a very interesting set of tests that you put Drive Sentry through. Well done, & thanks!
interact
November 15th, 2006, 10:00 PM
bellgamin,
I will examine DeepFreeze again under the real O/S. I ran it B4 on a clean build of WinXP sp2 under VMWare.
Many Thanks,
interact.
Rasheed187
November 16th, 2006, 09:38 AM
I do not think you can compare DeepFreeze with DriveSentry, I mean DS is a HIPS and DeepFreeze not really. Let's stay on topic. ;)
ErikAlbert
November 16th, 2006, 03:30 PM
-{ Quote: "I've also tried another program (Anti-Executable) from their site which scans the drive then reboots and then does nothing? Are you sure these programs are not a hoax? " }-
Anti-Executable (AE) gives you indeed the impression that NOTHING happened after installing it, because AE is the most hidden software I've ever seen. AE is a very unusual software.
1. AE isn't listed in the Add/Remove Screen and requires a special uninstall.
2. AE isn't listed in any usual program menu.
3. AE has one folder in Windows Explorer, that can't be accessed.
4. AE has one icon in the system tray, that doesn't work as a normal icon : clicking, right clicking doesn't work. You can even hide this icon, once you are familiar with AE.
You really have to READ the manual or the WELCOME email to work with AE and it really works like advertised. Any whitelisted executable will work normally, but all not-whitelisted (good or bad) executables won't be able to install themselves. :)
Kees1958
November 16th, 2006, 07:05 PM
Decided to try it the free version.
Experience so far:
- Gives some pop-ups initially. Protects my C (program) and D (data) drive (max 2 directories is not a practical limitation of the free version).
- Gives a color indicator when the pop-up appears, so the user can assess the risk.
- Protected my office documents, mail and music (max 5 file types in the free version)
- Asks for confirmation when a program for the first time tries to write or delete a file in the two protected directories.
- Does not seem to slow down the system noticeably
Conclusion: it works, except for 1 BSOD when starting Paint.
On paper the defense layer looks good:
- communication level = inbound firewall of NatRouter
- threatgate level (Internet, P2P, DVD ROm etc) protected with DefenseWall
- process level protected by SSM with user interface disconnected
- data level: DataSentry free (access level read/write) + Antivir free (content level blacklist Antivirus)
After a day or so I decided to uninstall. Not because the program is not working well, but I do already have 2 HIPS running and I could not think of any additional value of DataSentry over SSM + DefenseWall. When a malware is smart enough to break through the first line (DW) and is able to mislead the second line (SSM), I really can not believe DS would be smart enough to detect it. The "more of the same" feeling is against my idea of putting together a security set. Because DS would be the back up of my backup, I decided to keep SSM (also the disconnect user interface is a strong option of SSM).
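To make the write-mediation behaviour described in this thread concrete (sukarof: every program that tries to write/modify/delete in a protected folder is allowed or denied, and once allowed it is trusted for that folder; Kees1958: the free version protects two directories and up to five file types), here is a small policy model written for this thread. It is an added example, not DriveSentry's code; the folder names, programs and the `ask` callback standing in for the pop-up are all made up.

```python
"""Toy 'data firewall' policy: writes into protected folders are mediated per
program, and a program allowed once stays trusted for that folder.
Constructed example; not DriveSentry's own logic."""
from pathlib import PurePosixPath
from typing import Callable, Optional

WRITE_OPS = {"write", "modify", "delete"}   # reads are never mediated


class DataFirewall:
    def __init__(self, protected_folders, protected_exts=None, max_exts=5,
                 ask: Optional[Callable[[str, str, str], bool]] = None):
        # Folders whose contents are guarded (two in the free tier on the page).
        self.protected = [PurePosixPath(p) for p in protected_folders]
        # Optional file-type filter; the free tier on the page caps this at five.
        if protected_exts and len(protected_exts) > max_exts:
            raise ValueError(f"at most {max_exts} protected file types")
        self.exts = {e.lower() for e in (protected_exts or [])}
        # The 'pop-up': returns True to allow. Default-deny if nobody answers.
        self.ask = ask or (lambda prog, op, path: False)
        self.trusted = {}   # program -> set of protected folders it may write to
        self.prompts = []   # (program, op, path, verdict) for every pop-up shown

    def _folder_for(self, path: str) -> Optional[str]:
        p = PurePosixPath(path)
        for f in self.protected:
            if p == f or f in p.parents:
                return str(f)
        return None

    def decide(self, program: str, op: str, path: str) -> str:
        if op not in WRITE_OPS:
            return "allow"
        folder = self._folder_for(path)
        if folder is None:
            return "allow"                       # outside protected folders
        if self.exts and PurePosixPath(path).suffix.lower() not in self.exts:
            return "allow"                       # file type not on the protected list
        if folder in self.trusted.get(program, set()):
            return "allow"                       # previously allowed for this folder
        verdict = self.ask(program, op, path)    # first write by this program here
        self.prompts.append((program, op, path, verdict))
        if verdict:
            self.trusted.setdefault(program, set()).add(folder)
            return "allow"
        return "deny"


def run_scenario() -> dict:
    """Constructed walk-through: a word processor the user allows, and an
    unknown program the user denies, against two protected folders."""
    fw = DataFirewall(["/data/docs", "/data/music"], [".doc", ".xls", ".mp3"],
                      ask=lambda prog, op, path: prog == "word.exe")
    r = {}
    r["first_write"] = fw.decide("word.exe", "write", "/data/docs/report.doc")
    r["second_write"] = fw.decide("word.exe", "modify", "/data/docs/report.doc")
    r["prompts_after_docs"] = len(fw.prompts)          # trust is per folder...
    r["other_folder"] = fw.decide("word.exe", "write", "/data/music/song.mp3")
    r["prompts_after_music"] = len(fw.prompts)         # ...so a new folder prompts again
    r["unknown_delete"] = fw.decide("unknown.exe", "delete", "/data/docs/report.doc")
    r["unprotected_type"] = fw.decide("unknown.exe", "write", "/data/docs/notes.txt")
    r["outside"] = fw.decide("unknown.exe", "write", "/tmp/report.doc")
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two things the model makes visible: a file-type filter means an unprotected extension in a protected folder is written freely, so the five types chosen matter; and trust is keyed by program identity, which is exactly the weak point interact probes later in the thread by changing what a trusted program contains.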
interact
November 16th, 2006, 07:58 PM
ErikAlbert - I managed to finally get it working; for some reason Anti-Executable required two reboots. I think the problem was I couldn't find a manual and didn't get any welcome email - I guess they must be hidden also :)
Anti-Executable scans for any PE32 file on a drive then if one is unknown creates a pop-up blocking the process from running. I think the idea is OK but I found some limitations.
1. I wrote a simple screensaver that is a time-bombed trojan which after a week encrypts all the most recent documents.
2. I then installed Anti-Executable which scans all the PE32 files and creates a "white" list and then reboots.
3. I forwarded the system clock and then ran my "trojan" screensaver which runs without challenge and encrypted my recent documents.
I also noticed that it's possible to copy and run my trojan over other trusted programs e.g. Trojan.exe -> notepad.exe
I think there are other process monitors e.g PrevX which are better. I still haven't had chance to check out DeepFreeze but I will when I get chance.
interact.
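The two observations above point at the same design question: interact's trusted program was flagged by DriveSentry because its contents changed, while Anti-Executable's scan-time "white" list still accepted a different file that had been copied over a trusted name. The example below, written for this thread and not taken from either product, contrasts an allowlist keyed by path with one keyed by content hash. The scan directory, the fake "PE" files (just bytes beginning with the `MZ` magic) and the overwrite step are all constructed.

```python
"""Path-keyed vs hash-keyed executable allowlists.
Constructed demonstration; not Anti-Executable's or DriveSentry's code."""
import hashlib
import tempfile
from pathlib import Path


def is_pe(path: Path) -> bool:
    """Real scanners parse the PE header; the DOS 'MZ' magic is enough for this toy."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlists(root: Path):
    """Install-time scan, like the one described for Anti-Executable: every PE file
    found is trusted. We build two lists from the same scan, one keyed by path only
    and one recording the content hash seen at scan time."""
    by_path, by_hash = set(), {}
    for p in root.rglob("*"):
        if p.is_file() and is_pe(p):
            by_path.add(str(p))
            by_hash[str(p)] = sha256(p)
    return by_path, by_hash


def allowed_by_path(by_path, exe: Path) -> bool:
    return str(exe) in by_path


def allowed_by_hash(by_hash, exe: Path) -> bool:
    return by_hash.get(str(exe)) == sha256(exe)


def run_scenario() -> dict:
    """Constructed scenario: scan a folder, then replace a trusted file's contents
    in place (same name) and ask both allowlists again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        trusted = root / "notepad.exe"
        trusted.write_bytes(b"MZ" + b"\x00" * 64 + b"original trusted body")
        (root / "readme.txt").write_bytes(b"not a program")
        by_path, by_hash = build_allowlists(root)
        before = (allowed_by_path(by_path, trusted), allowed_by_hash(by_hash, trusted))
        # Same path, different contents: the situation interact describes.
        trusted.write_bytes(b"MZ" + b"\x00" * 64 + b"completely different body")
        after = (allowed_by_path(by_path, trusted), allowed_by_hash(by_hash, trusted))
        return {"scanned": len(by_path), "before": before, "after": after}


if __name__ == "__main__":
    print(run_scenario())
```

The path-keyed list answers "allowed" both before and after the replacement; the hash-keyed list answers "allowed" only before. A product that prompts "the program has changed" is doing the second check, which is why the hex-editor remark above would have produced the same prompt. The cost of hashing is rehashing every launch, which is the usual trade-off against a cheap path lookup.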
bellgamin
November 16th, 2006, 09:30 PM
-{ Quote: "I do not think you can compare DeepFreeze with DriveSentry, I mean DS is a HIPS and DeepFreeze not really. Let's stay on topic. ;)" }-
In raising the question about DF versus DS, the question I asked was this...
-{ Quote: "With DeepFreeze, why would I need DriveSentry, I wonder?" }-
There was method to my madness. Namely...
+DS will prevent writing to your HD on a case-by-case discretionary basis.
++DS is discretionary from the standpoint that it asks what you want to do when there is an attempt to write to your HD.
WHEREAS
+Upon restart, DF will kill ALL that was written to your HD while in frozen mode.
++DF is also discretionary from the standpoint that you can exempt specified folders from frozen state & thereby decide, case-by-case, as to whether or not to have something written to an exempt folder (thawed) or written to the virtualized HD (frozen).
The point I was trying to make is that spending $$ for DS would be rather questionable if one primarily operated while in a virtualized-or-sandboxed mode. In my case, & others like me, perhaps, I wouldn't need or want DS because I use DF and thereby exercise much the same discretionary responsibilities, and attain much the same results, as would be applicable if I were instead to use DS.
NUTSHELL: DS & DF do relatively similar jobs -- prevention of undesired writing to one's HD -- but by somewhat different methods.
ESQ_ERRANT
November 16th, 2006, 10:49 PM
-{ Quote: "http://www.drivesentry.com/
New kid on the HIPS(?) block, well I have never heard of it but it seems to have some nice features. Will test it later." }-
Has anyone ever heard of the Company that manufactures this product? I checked the site. Two addresses are given --
USA Office - (HQ)
DriveSentry Inc,
339 N.Bernardo Avenue, Suite 206
Mountain View, CA 94043
EU Office.
DriveSentry Ltd,
32a Stoney Street, The Lace Market,
Nottingham, UK NG1 1LL
-- But, there is no elaboration. The Company has set up its own forum and the first section is titled "Company News." But, when clicking on it, there is nothing. Apparently, this is a startup. That is okay, but I would like to know something about the principals. Slick website and forum to boot -- but nothing in the way of who, what, when, where and why. I'll stay clear of this in the absence of any information whatsoever on the people and/or company that markets this software.
The only person indicated is someone referred to as "John" -- the administrator of the forum and there is nothing further given as to his identity. Isn't anyone curious as to who or what is behind "DriveSentry?"
Re: AE -- it is a fine product. Telephone support is readily accessible and excellent. The program blocks every executable period, except for those pre-installed. Even, then, a particular executable may not be allowed, including some Microsoft update executables. But, these can be placed in the exempted folder or in trusted applications. To download any new program, simply turn off AE. Then turn it back on after installation. It would be nice if AE also protected against scripts as well as executables. But, there are programs like Wormguard or NoScript for those.
Iangh
November 17th, 2006, 03:52 AM
Prevx is based in Derby.
DriveSentry's UK office is Nottingham, 10 miles away.
The point I'm making is that most of the UK's ICT industry is down on the M3/M4 corridor, 200km away.
Ian
Iangh
November 17th, 2006, 04:54 AM
which 5 file types are recommended for protection?
Ian
interact
November 17th, 2006, 12:56 PM
Iangh, are PrevX and DriveSentry the same company? I've never been to the UK or USA so I cannot debate on their location.
interact
ghiser1
November 17th, 2006, 01:52 PM
Prevx has no relationship with DriveSentry.
Until it was posted earlier in this thread I didn't even know they had an office in Nottingham.
ghiser1
Prevx Security Architect.
Kees1958
November 17th, 2006, 02:01 PM
-{ Quote: "which 5 file types are recommended for protection?
Ian" }-
Two approaches:
a) The ones which are most important to you (documents, music, photos, whatever).
b) The ones which have more 'included logic' capabilities (office docs with scripting features, WMF, XML) and thus are the easiest to attack.
I think DataSentry free is a nice program and an interesting approach to protecting your file/data integrity.
Rasheed187
November 17th, 2006, 04:23 PM
Btw, can someone tell me how this product might actually save your ass? I'm having a little bit of trouble visualizing this. And at the moment I only seem to be getting alerts when moving files on my system (with DriveSentry Pro). In which other scenarios should I be getting any alerts?
Iangh
November 17th, 2006, 04:34 PM
-{ Quote: "Prevx has no relationship with DriveSentry.
Until it was posted earlier in this thread I didn't even know they had an office in Nottingham.
ghiser1
Prevx Security Architect." }-
They have a good source of prospective employees from Prevx if they set-up a software arm in UK :) .
ghiser1
November 17th, 2006, 05:32 PM
-{ Quote: "They have a good source of prospective employees from Prevx if they set-up a software arm in UK :) ." }-
ROFL ;D
You've obviously never been to Nottingham!!!
interact
November 17th, 2006, 09:07 PM
LOL ghiser1 - I found some info on Nottingham it's famous for robin hood and it's high ratio of women to men - I would doubt any coder would get any work done in Nottingham after finding this site in google : http://www.nottinghamgirls.co.uk
interact.
Rasheed187
November 18th, 2006, 11:07 AM
Btw, I have chosen not to use this product because of the need for an account. I just started my virtual machine and it's asking me to sign up or log in. Does this thing need internet activation or what? Yeah right. And can we please stay on topic? :dry:
Copyright ©2002 - 2012, Wilders Security Forums