Dynamic Security Agent vs Malwares : A review
nicM
July 11th, 2007, 10:36 PM
Hi,
Here is a review I've made about DSA :
http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm
80 tests were completed, against a set of trojans (10), backdoors (5), worms (4), rootkits (27), keyloggers (22), and last but not least, 'unhooker' malwares (6), a new kind of bully I think, slowly spreading.
Tests are either grouped together or tested on their own page, and the last page has tables with every test's results.
I hope this work is useful for people wondering about the level of protection offered by this program, DSA (http://www.privacyware.com/dynamic_security_agent.html).
I'm sorry for the ads, but this is a free host.
nicM
zopzop
July 11th, 2007, 10:50 PM
Nice job nicM! I really like DSA and I hope it continues to improve. There really hasn't been an update to it since last summer, no?
Franklin
July 11th, 2007, 10:52 PM
Excellent review and nice site layout nicM.:)
Have been trying out DSA in an XP vm and am quite liking it and will probably use it on this Vista install when compatible.
Never saw a single ad over there.
Adblock Plus.;)
wat0114
July 11th, 2007, 11:00 PM
Mighty impressive work nicM :thumb:
Thankful
July 11th, 2007, 11:02 PM
I have yet to see a satisfactory response from anyone at Privacyware regarding the EULA of DSA. So, it's a no go for me.
zopzop
July 11th, 2007, 11:49 PM
Oh, I almost forgot to ask you nicM: did you send these results to the makers of DSA?
Blackcat
July 12th, 2007, 01:42 AM
Would be interesting to know which other current HIPS offer better protection against the new malware threat of the SSDT restorers/kernel-hooks unhookers; the so-called "HIPS/Firewall killers".
Fuzzfas
July 12th, 2007, 06:08 AM
Excellent review, I enjoyed it. Just a question. Was the "require user approval for each alert" enabled or not? Although I must confess I never quite understood if it's important or not.
Espresso
July 12th, 2007, 10:54 AM
The "require user approval for each alert" setting gives an enhanced popup dialog with the option of temporarily allowing/blocking actions. Selecting Allow/Block with the regular popup dialog is equivalent to selecting "Remember this setting" with the enhanced dialog.
Thankful
July 12th, 2007, 11:46 AM
I just received an email from Privacyware support. Without giving the specifics of the email, there is no communication between their servers and DSA. The EULA for many of their products will be changed as their products are updated. nicM, please send your results of your tests to Privacyware. I would send them a link to this thread, but since you put the effort into the testing, it is appropriate that you send it.
Fuzzfas
July 12th, 2007, 12:12 PM
-{ Quote: "The "require user approval for each alert" setting gives an enhanced popup dialog with the option of temporarily allowing/blocking actions. Selecting Allow/Block with the regular popup dialog is equivalent to selecting "Remember this setting" with the enhanced dialog." }-
:thumb: Thanks, much appreciated. I think I will have another look at DSA soon.
nicM
July 12th, 2007, 01:10 PM
Thanks for your comments. Zopzop, yes of course Privacyware is aware of these tests, since the publishing had to be approved by them anyway: the EULA of DSA, clause "benchmark testing", requests Pwi approval before communication to 3rd parties. But these tests are independent, and nothing had to be changed before publishing it :) .
It's true that current version is almost 1 year old now, but I can tell they're working on future versions (improvements, Vista-ready, etc).
-{ Quote: "Would be interesting to know which other current HIPS offer better protection against the new malware threat of the SSDT restorers/kernel-hooks unhookers; the so-called "HIPS/Firewall killers"." }-
Sure :D . I've already tested a few with these malwares, but tests were informal. Now that I have more time, I'll perhaps make another small review on this subject ;) .
Heh, Thanks Franklin :) , as I didn't expect compliments about the site layout, indeed !
Fuzzfas, yes, "require user approval for each alert" was enabled : You can see it with the look of the screenshots.
Blackcat
July 12th, 2007, 01:19 PM
-{ Quote: " Sure :D . I've already tested a few with these malwares, but tests were informal. Now that I have more time, I'll perhaps make another small review on this subject ;) ." }-
Looking forward to seeing these results, nicM ;) .
Many members here always look forward to your thorough tests/reviews.
bellgamin
July 12th, 2007, 01:40 PM
@Thankful & nicM -- Well done! Thanks muchly. :thumb:
alfa1
July 12th, 2007, 03:15 PM
I don't linger too much over comment since I don't speak well in English :'( , anyway I express you heartfelt thanks for your splendid job! :thumb:
PS: I hope in a similar test for ProSecurity in a near future....;D
Txs again from Italy!8)
tepe2
July 12th, 2007, 04:10 PM
Very useful test/info. THANKS! :thumb: :)
I have Nod32, XP Firewall and Cyberhawk Free. I tried DSA recently, and think I will install it again. With Nod32, Cyberhawk Free and DSA I don't know if I will continue to use XP Firewall or use Comodo PF.
nicM
July 13th, 2007, 11:01 AM
-{ Quote: "
PS: I hope in a similar test for ProSecurity in a near future....;D
Txs again from Italy!8)" }-
Such a test on a single program, I do not think (not for now at least), but I'll try to make a small comparative on the unhookers, as mentioned in post #12 ;) .
Thanks,
nicM
acr1965
July 13th, 2007, 09:12 PM
Very nice review NicM. Posts like this are one of the reasons this is such a great site.
the Tester
July 13th, 2007, 09:39 PM
Excellent review nicM! :thumb:
Kees1958
July 14th, 2007, 04:45 AM
Nicm,
Thx, I have a question: does DSA detect dll file changes (e.g. the bpmdm32.dll) and registry changes (of the BHO) by itself, or do you have to configure this yourself?
The results of DSA are really amazing, DSA free + CyberHawk free + DEP for an ordinary XP setup will protect you against most threats.
Regards Kees
nicM
July 14th, 2007, 01:58 PM
Thanks a lot for your comments :)
Kees1958, I'm not sure if I've understood what you mean, on the Trojan.SPY.Agent.IR.2 test: do you ask if something had to be changed in DSA settings for it to detect it? If that's the correct meaning of your question, the answer is no: DSA will prompt about these events by default, as these detections are the fact of the "application monitor" component, which can't be disabled unless you close DSA (unlike Process monitor).
What DSA detects in this test is the access to the .dll file by the trojan, and the BHO creation. However, this is one of the very few .dll injections DSA wasn't able to block during these whole tests: the only way to prevent it is to prevent the file access, since BHO creation will work even if denied in the prompt about it. Dll is injected in IE/explorer as soon as file access is allowed.
Kees1958
July 14th, 2007, 09:02 PM
Nicm
Thx, you guessed/interpreted my question right
alfa1
July 20th, 2007, 04:27 PM
-{ Quote: "...but I'll try to make a small comparative on the unhookers...
" }-
Any news? ;D
GES/POR
July 20th, 2007, 08:44 PM
Don't rush him please. Btw I mailed him the 1st day :P