Neoava Guard Questions


n8chavez
October 25th, 2007, 05:30 AM
I'm trying out the latest beta from the Neoava Guard site. I like it very much but I am finding it difficult to protect processes from termination. Is there some sort of help file I could read? I've been to the forums but they don't seem to be much help, as NG is still in beta.

aigle
October 25th, 2007, 05:53 AM
Applications > Rt. click application/group and mark as secured. It will give that application termination protection. However ur trusted applications will be allowed to terminate a secured application. A good balance of security and usability.

solcroft
October 25th, 2007, 06:48 AM
OT: aigle, OpenOffice 2.3 and Firefox 2.0.0.8 were released ages ago. ;)

aigle
October 25th, 2007, 06:59 AM
lol, I am fed up of upgrading each n every application. See how it goes: I have to download the new updated versions, followed by uninstalling the older version, leaving behind some traces etc. Then I have to install the new version. If there is a major change in an application, I have to update their rules in my HIPS as well.

All this practice is a big hassle. I have stopped updating my software, including Windows updates. I just update my security software. I guess everything on my system is locked down. I have no confidential data on my system. No banking, credit card etc on the web. All my browsers run in GesWall. My main browser is Opera with Java turned off, JS enabled for selected sites, cookies denied except for some sites. I try to keep just Opera updated. I am a safe surfer too. Outlook is not allowed to run on my system. Almost no executable can run without a popup.

I don't claim that it's correct but I am very well satisfied with this practice and I feel as secure as others can be.

solcroft
October 25th, 2007, 07:04 AM
-{ Quote: "If there is a major change in an application, I have to update their rules in my HIPS as well.
...
...
Almost no executable can run without a popup." }-
The very reason why I gave "dumb" HIPS the boot a long time ago. ;D

aigle
October 25th, 2007, 07:13 AM
Classical HIPS can't be afforded on an ever-changing system.
If I have a system like this, I will replace HIPS with a behav blocker.

Kees1958
October 25th, 2007, 04:00 PM
Solcroft, Aigle,

Still, when installing software, the only behavior blocker being silent is PRSC; TF fires and A2's IDS fires warnings. Only the adoption of rules made me move away from HIPS.

The difference between the two is that you can freeze a system with a classical HIPS in silent mode, and I am not referring to BSOD, just the software configuration.

Regards Kees

n8chavez
October 25th, 2007, 06:02 PM
Okay. I think I have that rule set up correctly. Is there any way I could test whether the termination rules are working correctly? It does seem to be better than SSM Pro in a lot of ways. It is very customizable, but it would be nice if there was a way to export and import settings so that I don't have to redo everything when the next beta build comes out.

aigle
October 26th, 2007, 12:53 AM
U can use SPT (Simple Process Terminator) from Syssafety and APT (Advanced Process Terminator) from DCS to check for termination. An older thread about termination protection is here.

http://www.wilderssecurity.com/showthread.php?t=172653&highlight=termination+HIPS

aigle
October 26th, 2007, 12:54 AM
-{ Quote: "...it would be nice if there was a way to export and import settings so that I don't have to redo everything when the next beta build comes out." }-
It will be implemented in the next build.

n8chavez
October 26th, 2007, 01:34 AM
-{ Quote: "It will be implemented in the next build." }-

Any idea when that will be? The blog hasn't been updated since August and .302 was released on September 1st. It's been nearly two months.

aigle
October 26th, 2007, 02:15 AM
Not sure. The best way is to check their forums. Arman must be very busy as he has got a new job. I expect it to be soon though.

They said that rules can be imported/exported by backing up the registry key HKLM\IDT, but I never messed with it except once, and I failed.

Rasheed187
October 27th, 2007, 02:56 PM
I'm very disappointed, looks like NG will be dead for the coming months, and this means that none of the bugs will be fixed, and no new features will be added anytime soon, really sad, because it was IMO one of the best HIPS when it came to protection. The GUI could and should be a lot better, so for now I have dumped NG.

As a true HIPS freak I'm a bit sad, because I was still looking for a better HIPS than SSM Pro, but now NG is dead, and ProSecurity/Comodo Firewall are no options for me. Yes they are quite powerful, but not user friendly IMO. :dry:

aigle
October 27th, 2007, 04:10 PM
I am also disappointed but will continue to use the current version. Let's hope Arman can restart the development after a few months. He needs to earn as well, rather than working for free.

Rasheed187
November 4th, 2007, 12:41 PM
Btw, I had some stability/freezing problems on my real machine, so that's why I removed NG, and the GUI also annoyed me a bit. It does have a lot of potential but it's just not good enough at the moment. Same goes for Pro Security and Comodo Firewall, so for now it looks like I'm stuck with SSM, which also needs to be improved a lot, but seems to be pretty "dead". :-\

aigle
November 4th, 2007, 01:45 PM
It might be a conflict between two HIPS. Arman has said that he had not yet tried to make NG compatible with other HIPS.

I am using NG and EQS without significant issues (though sometimes I disable EQS and rely only on NG).

NG has a lot of potential and many cool features absent in any other HIPS. Arman also had a plan to make it Vista compatible. Let's hope that it will be revived after a few months.

Rasheed187
November 9th, 2007, 02:02 PM
Yes, could be some conflict, but NG also gives a warning upon install that you shouldn't install it on systems with modified .exe files? Do you know what that exactly means?

Btw, I decided to look how NG behaved on a clean system, so I installed it on my PC at work (I'm admin), of course I tried to configure it the best way possible to avoid any issues (only other security app on this machine was McAfee Active Virus Enterprise) but even on this "clean" machine it didn't work correctly, it froze my PC and after that it wouldn't even boot anymore.

So I can't really recommend this app to anyone, seems to be full of bugs, configuration options are also not always remembered. I did get to see two interesting alerts, one about Maxthon trying to log keystrokes (quite strange), and one alert about "remote shell execution", not surprising on a corporate machine. But too bad that NG is not stable, it should have just worked! For example, I didn't have any problems with Mamutu or SSM at all.

aigle
November 10th, 2007, 08:03 AM
-{ Quote: "Yes, could be some conflict, but NG also gives a warning upon install that you shouldn't install it on systems with modified .exe files? Do you know what that exactly means?" }-
No, I don't.

-{ Quote: "Btw, I decided to look how NG behaved on a clean system, so I installed it on my PC at work (I'm admin), of course I tried to configure it the best way possible to avoid any issues (only other security app on this machine was McAfee Active Virus Enterprise) but even on this "clean" machine it didn't work correctly, it froze my PC and after that it wouldn't even boot anymore.
So I can't really recommend this app to anyone, seems to be full of bugs, configuration options are also not always remembered." }-
During the config wizard, did u mark McAfee as trusted, and also did u allow NG to mark system files trusted (default NG behaviour)?

Yes, u should not recommend NG to anyone except one who can play with a beta (with some definite bugs/problems).

-{ Quote: "I did get to see two interesting alerts, one about Maxthon trying to log keystrokes (quite strange)" }-
It's a common alert and I get these alerts from both EQSecure and NG. I guess these are from GetKeyState and GetAsyncKeyState used somehow by some programs. ThreatFire also gives such alerts.

BTW I always had a hard time installing and getting NG's GUI on reboot, but once it's done after a couple of power resets etc, it's working OK. No major glitches. I am using it with EQS and GesWall with Antivir on-demand.

aigle
November 10th, 2007, 07:11 PM
Hi lucas!

NG has some unique features:

1- Detection of making an exact copy of itself (this feature catches most, if not all, worms even after their execution).
2- Overwriting executables
3- Deleting files rapidly
4- Creating executables
5- Sandboxing/dropping the rights feature (child executables created by the browser are treated as untrusted)
6- Reading the Windows address book
7- Writing into the partition table (to me this filter is better than the "direct disk access" used by other HIPS, as direct disk access is very common with legit applications, giving rise to unnecessary popups)
8- Rapidly reading text files
9- Rapidly connecting to hosts
10- Creating Windows user accounts
11- It has a child-parent control, not complex like SSM and PS, but based upon trusted and non-trusted applications, which gives rise to far fewer popups as compared to other HIPS.
12- Three different pre-defined (a bit configurable) policies: Trusted, Untrusted, Restricted
13- Right-click option to mark the static executables as trusted, restricted or untrusted, or to quarantine them.
14- Counting bad behaviour of an executable and giving an option to quarantine it.

Some features are present in other HIPS also but implemented a bit differently.

Take care

I am still learning NG and have not used other HIPS so extensively as NG, SSM free and EQS, so feel free to correct me anywhere.

n8chavez
November 10th, 2007, 10:14 PM
There are a couple of things that I wish Neoava Guard could do, or, if it can be done, things I wish I knew how to do. Does the latest build of NG offer service protection? Also, with autoruns I am able to enable and disable autorun entries. Is this normal? Finally, what are the chances NG will add the option to 'restart if terminated,' a la SSM?

lucas1985
November 10th, 2007, 10:57 PM
-{ Quote: "Hi lucas!

NG has some unique features:

1- Detection of making an exact copy of itself (this feature catches most, if not all, worms even after their execution).
2- Overwriting executables
3- Deleting files rapidly
4- Creating executables
5- Sandboxing/dropping the rights feature (child executables created by the browser are treated as untrusted)
6- Reading the Windows address book
7- Writing into the partition table (to me this filter is better than the "direct disk access" used by other HIPS, as direct disk access is very common with legit applications, giving rise to unnecessary popups)
8- Rapidly reading text files
9- Rapidly connecting to hosts
10- Creating Windows user accounts
11- It has a child-parent control, not complex like SSM and PS, but based upon trusted and non-trusted applications, which gives rise to far fewer popups as compared to other HIPS.
12- Three different pre-defined (a bit configurable) policies: Trusted, Untrusted, Restricted
13- Right-click option to mark the static executables as trusted, restricted or untrusted, or to quarantine them.
14- Counting bad behaviour of an executable and giving an option to quarantine it.

Some features are present in other HIPS also but implemented a bit differently.

Take care

I am still learning NG and have not used other HIPS so extensively as NG, SSM free and EQS, so feel free to correct me anywhere." }-
That looks very nice :o NG feels like a "smart" classical HIPS. I'm not very keen on classical HIPS, but NG seems to be worth a closer look.
Thanks :)

aigle
November 10th, 2007, 10:58 PM
-{ Quote: "There are a couple of things that I wish Neoava Guard could do, or, if it can be done, things I wish I knew how to do. Does the latest build of NG offer service protection?" }-
What do u mean by this?

-{ Quote: "Also, with autoruns I am able to enable and disable autorun entries. Is this normal?" }-
Seems a bit buggy here. If I want to uncheck an autorun entry, no alert. I get an alert if I check it again. And if I block, the reg entry seems to be deleted.

-{ Quote: "Finally, what are the chances NG will add the option to 'restart if terminated,' a la SSM?" }-
Not sure when, but what do u want to achieve? If it's any service, u can do it via services.msc also.

solcroft
November 10th, 2007, 11:43 PM
-{ Quote: "What do u mean by this? Seems a bit buggy here. If I want to uncheck an autorun entry, no alert. I get an alert if I check it again. And if I block, the reg entry seems to be deleted." }-
Obviously this tells us NG doesn't block removal of autostart entries, only creation.

-{ Quote: "Not sure when but what u want to achieve? If any service, u can do it via services.msc also." }-
Not everything runs as a service. Winpooch, for example...

n8chavez
November 10th, 2007, 11:46 PM
I am just referring to autoruns as the program I use to activate and deactivate services. I do get prompted when I launch the exe but not when I try to deactivate programs that launch as services, such as LnS and VBA32. I am prompted when I try to reactivate them. But with NG these services can be deactivated, and thus effectively disabled, without ever being prompted. Again, all this was done with autoruns.

Rasheed187
November 12th, 2007, 03:14 PM
@ Aigle

I decided to try it one more time, and guess what, all of a sudden it works just perfectly on my home PC, I'm very excited. I now feel a bit safer. ;D

So I guess it's a matter of configuring it the best way possible to avoid any conflicts, and perhaps there are fewer stability bugs in NG than I first thought. At the moment it's running just fine together with SSM, ZAP, CMG and Sandboxie. I'm not sure why it won't work on my PC at work. Of course it's not mature yet, there are a couple of things that work a bit unhandy, and are not really clear. But hopefully these things will be fixed and improved. But it does work correctly, it's really blocking stuff. :)

@ n8chavez

I do get to see an alert when I try to disable services via Autoruns, so there must be something wrong on your machine. See pic:

http://img124.imageshack.us/img124/9632/screenshot195um7.png

aigle
November 12th, 2007, 03:40 PM
-{ Quote: "@ Aigle

I decided to try it one more time, and guess what, all of a sudden it works just perfectly on my home PC, I'm very excited. I now feel a bit safer. ;D

So I guess it's a matter of configuring it the best way possible to avoid any conflicts, and perhaps there are fewer stability bugs in NG than I first thought. At the moment it's running just fine together with SSM, ZAP, CMG and Sandboxie." }-
That's nice.
BTW you have two HIPS now (SSM n NG) so there might be problems related to this.

solcroft
November 12th, 2007, 04:03 PM
There are plenty of autostart locations, and Windows services are just one of them. Assuming both aigle's and Rasheed's testing results are correct, NG monitors all tampering with Windows services, but only additions to the Run* regkeys.

Rasheed187
November 12th, 2007, 04:41 PM
@ aigle

Yes, normally I wouldn't recommend it (you seem to use two HIPS too btw) but I still need SSM for a couple of things, and so far they both seem to work correctly, so no problem. Of course, even ZAP has a HIPS (which I disabled), so this may have caused problems too. Btw, since you have a bit more experience, can you perhaps give some tips about how to set up file/folder control in NG the best way, so that you won't get any annoying alerts? Which folders do you protect?

@ Solcroft

My mistake, I thought n8chavez meant something else. If you disable/enable services, NG will always alert you (Arman even fixed a bug related to this), but if you delete autorun entries, NG won't alert; I already addressed this issue on the official NG forum. Not a big problem for me since SSM covers this via the registry monitor, but another tool that can stop this is Arovax Shield (which I used to use), it's not really advanced but it did do the job, however, it might or might not conflict with NG and other HIPS.
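The gap the last two posts pin down, NG alerting on additions to the Run* keys but not on deletions, is the kind of thing a baseline-and-diff check catches regardless of which HIPS is installed. The script below is an added example for this thread, not Neoava Guard's code or anything from Arman or the NG forum. It assumes the standard Run/RunOnce keys under HKLM and HKCU are the ones worth watching; the sample snapshots are constructed (the value names LnS and VBA32 are borrowed from n8chavez's post, the paths are made up); the live registry reader only works on Windows, while the diff logic runs anywhere.

```python
"""Baseline-and-diff check for Windows Run* autostart entries (added example)."""
import json
import sys

# Assumption: these four keys are the autostart locations we care about.
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def read_run_keys():
    """Return {"HIVE\\key\\ValueName": command} from the live registry (Windows only)."""
    import winreg  # local import so the diff logic below still loads off-Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive_name, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], path)
        except OSError:
            continue  # key absent on this machine (RunOnce often is)
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                snapshot[f"{hive_name}\\{path}\\{name}"] = str(value)
                index += 1
    return snapshot


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots.

    Removals are reported explicitly, since that is the case the thread says
    NG stays silent on; additions and changed commands are reported too.
    """
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample snapshots (not taken from any real machine).
BASELINE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LnS": r"C:\Program Files\LnS\looknstop.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBA32": r"C:\Program Files\VBA32\vbamon.exe",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Tools\updater.exe /quiet",
}
CURRENT = {
    # VBA32 entry deleted (the silent case), Updater command altered, NewTool added
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LnS": r"C:\Program Files\LnS\looknstop.exe",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Tools\updater.exe /quiet /debug",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NewTool": r"C:\Tools\newtool.exe",
}


def main(argv):
    """save FILE writes a baseline of the live registry; check FILE diffs against it."""
    if len(argv) != 3 or argv[1] not in ("save", "check"):
        print("usage: autostart_diff.py save|check BASELINE.json")
        return 2
    if argv[1] == "save":
        with open(argv[2], "w") as fh:
            json.dump(read_run_keys(), fh, indent=2)
        return 0
    with open(argv[2]) as fh:
        baseline = json.load(fh)
    report = diff_snapshots(baseline, read_run_keys())
    for kind, keys in report.items():
        for key in keys:
            print(f"{kind.upper():8} {key}")
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `save` once on a known-good system and `check` from a scheduled task; a non-zero exit with a REMOVED line is exactly the event the HIPS did not alert on. Against the constructed snapshots the diff reports VBA32 as removed, Updater as changed and NewTool as added.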

Tommy
November 12th, 2007, 09:16 PM
-{ Quote: "At the moment it's running just fine together with SSM, ZAP, CMG and Sandboxie." }-
Wow, sounds like Fort Knox Overkill :)

aigle
November 13th, 2007, 03:24 PM
-{ Quote: "Btw, since you have a bit more experience, can you perhaps give some tips about how to set up file/folder control in NG the best way, so that you won't get any annoying alerts? Which folders do you protect?" }-
I don't use this feature of NG except for testing. For that I made a special folder in My Documents.

Rasheed187
November 14th, 2007, 02:25 PM
@ aigle

OK, so I assume you're using the feature only in EQSecure. I guess I will have to play with it, I'm still not sure how to use the file/folder protection feature effectively, perhaps I should protect the Windows and System32 folder from "writing" and put all of my important documents in a certain guarded folder. Or something like that. ::)

@ Tommy

I agree it may seem like overkill, but I think it looks worse than it is. First of all, no system (and boot) slowdown or stability issues at all. And they all seem to be working correctly. Basically it's like this:

SSM: Process/executable control + registry monitor
CMG: Anti buffer overflow
NG : Behavior blocker
ZAP: Firewall

aigle
November 15th, 2007, 07:16 PM
-{ Quote: "@ aigle

I guess I will have to play with it, I'm still not sure how to use the file/folder protection feature effectively, perhaps I should protect the Windows and System32 folder from "writing"" }-
U can't do it in NG.

-{ Quote: "put all of my important documents in a certain guarded folder." }-
Yes

Rasheed187
November 18th, 2007, 04:21 PM
Hi,

I have a couple of questions:

1 If you mark a program as "internet", will all files downloaded via the browser be restricted automatically?

2 Have you tested the "overwrite executables" feature? If I'm correct it's not working correctly. I tried a couple of viruses and it couldn't stop the damage when you choose "block" without terminating the virus. Comodo could stop it.

3 And I'm getting strange results with the VistaTweaker tool, I get a "listen for connections" alert and after this it crashes, can you confirm, and what might be causing this? ::)

http://www.ajuaonline.com/software/vistatweaker/

aigle
November 18th, 2007, 10:04 PM
1- I think so but not sure. There was a post on their forums about that if I remember correctly.

2- I did not test it yet. Might do it some day. How did u test it BTW?

3- Can't try. Needs .NET Framework v2.

Rasheed187
November 25th, 2007, 12:54 PM
1 - Yes, I also read it in the forums, but I have the impression that this isn't the case.

2 - I've tested it with a couple of .exe overwriting viruses that I downloaded from the Sandboxie forum. I can PM you about it, and perhaps you can test these viruses against Mamutu, I can't test it because of network connection problems in my VMs.

3 - Why not download it?

Rasheed187
November 25th, 2007, 01:32 PM
Btw, I have to say that Arman did a great job, it's better than I thought (if you can get it up and running), it's real stable and blocking a lot of stuff. I wonder if more people are using this tool? I'm a bit surprised that other tools get a lot more attention. Stem, are you still using it? :)

Rasheed187
December 27th, 2007, 03:23 PM
Hi,

I wonder if someone can test this, because I'm a bit confused. I have set up NG in a way that it protects the "C:\WINDOWS\system32\" folder, but not the subfolders. Then why am I getting alerts about "C:\WINDOWS\system32\drivers"? Isn't this a subfolder?

Another thing, I think it's probably best to make NG always ask you about certain behavior, instead of automatically blocking stuff, because I'm not sure if NG can protect the system if a process repeatedly tries to do malicious stuff. If you get an alert, you can at least quickly terminate the process, without (or with less) damage.

aigle
December 29th, 2007, 12:39 AM
Not a good idea at all. It will freeze ur system. I had tried it in the past.

Actually ATM NG has no file/folder protection like other HIPS (EQS, CFP etc). The current protection is good only for confidential folders/files etc.

Stay away from this type of configuration.

Rasheed187
January 4th, 2008, 04:38 PM
Hi aigle,

-{ Quote: "Not a good idea at all. It will freeze ur system. I had tried it in past." }-

Yes I know, you should be careful with this feature, because it can freeze your system, or make it unbootable in the worst case scenario. But I've been playing around with it and so far there are no problems. I think the key is knowing which folders to protect, and to avoid using protection against "opening" and "reading", at least when it comes to protecting system folders. At the moment I have set it up in a way that the following folders are protected against "writing" and "deletion":

-{ Quote: "C:\WINDOWS\system32\*
C:\WINDOWS\*" }-

I didn't select the "protect subfolders" option because this might cause problems. That's why I don't understand why I got to see alerts about the C:\WINDOWS\system32\drivers folder when testing some malware. Actually, I don't mind at all because this can prevent malware from tampering with drivers. So all in all, this seems to be quite a powerful feature to prevent malware from modifying system files (they can't modify .ini, .dll, .exe, .sys etc. files) so I'm quite excited. :)

-{ Quote: "Actually ATM NG has no file/folder protection like other HIPS (EQS, CFP etc)." }-

Well, can you tell me what's the difference? I only noticed that EQS will even warn you when you're about to delete a file yourself (manually), something that NG doesn't do, but whenever a running process is trying to, it will warn you.
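One possible explanation for the system32\drivers alerts described above, written as an added example and not NG's actual code (how NG really evaluates its patterns is not known to me): if the trailing * in C:\WINDOWS\system32\* is allowed to span backslashes, the rule covers subfolders whether or not "protect subfolders" is ticked. The matcher below implements both readings of *, the subfolder option, and a should_alert helper that fires only for the operations a rule protects, so leaving "open" and "read" out of the rule, as the post advises, never produces an alert for reads. The rule table uses the two folders from the post; the file paths and the event list are constructed.

```python
"""Folder-rule matching with and without 'protect subfolders' (added example)."""
import re

# Each rule: (pattern, protect_subfolders, protected_operations).
# Constructed from the two folders the post protects against writing and
# deletion; "open" and "read" are deliberately left out, as the post advises.
RULES = [
    (r"C:\WINDOWS\system32\*", False, {"write", "delete"}),
    (r"C:\WINDOWS\*", False, {"write", "delete"}),
]


def pattern_to_regex(pattern, star_crosses_separators):
    """Compile a rule pattern into a regex.

    '*' becomes '.*' when it may span backslashes, or a run of non-backslash
    characters when it must stop at a directory separator. Everything else
    is literal and case-insensitive, since Windows paths are.
    """
    star = ".*" if star_crosses_separators else r"[^\\]*"
    body = star.join(re.escape(piece) for piece in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def rule_matches(pattern, protect_subfolders, path, star_crosses_separators=False):
    """True if the rule covers this path under the chosen '*' semantics."""
    if pattern_to_regex(pattern, star_crosses_separators).match(path):
        return True
    if protect_subfolders:
        # Directory part of the pattern, e.g. C:\WINDOWS\system32, plus anything below it.
        folder = pattern.rsplit("\\", 1)[0]
        return path.lower().startswith(folder.lower() + "\\")
    return False


def should_alert(rules, path, operation, star_crosses_separators=False):
    """True if any rule protects this operation and matches this path."""
    return any(
        operation in ops and rule_matches(pat, subs, path, star_crosses_separators)
        for pat, subs, ops in rules
    )


# Constructed events: (path, operation). No real malware or log data involved.
EVENTS = [
    (r"C:\WINDOWS\system32\kernel32.dll", "write"),
    (r"C:\WINDOWS\system32\drivers\foo.sys", "write"),
    (r"C:\WINDOWS\explorer.exe", "read"),
    (r"c:\windows\explorer.exe", "delete"),
]


def evaluate_events(star_crosses_separators):
    """Map each event to the alert decision under one '*' semantics."""
    return {(p, op): should_alert(RULES, p, op, star_crosses_separators) for p, op in EVENTS}


if __name__ == "__main__":
    for crosses in (False, True):
        print(f"'*' crosses separators: {crosses}")
        for (path, op), alert in evaluate_events(crosses).items():
            print(f"  {op:6} {path:45} -> {'ALERT' if alert else 'allow'}")
```

With * stopping at backslashes the drivers\foo.sys write is allowed through (the subfolder is genuinely not covered); with * spanning separators the same rule alerts on it even though "protect subfolders" is off, which is the behaviour the post observed. Either way the read of explorer.exe never alerts because the rule does not protect reads.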

aigle
January 5th, 2008, 03:16 AM
-{ Quote: "Well, can you tell me what's the difference? I only noticed that EQS will even warn you when you're about to delete a file yourself (manually), something that NG doesn't do, but whenever a running process is trying to, it will warn you." }-
EQS warns as the deletion is done by explorer.exe; if u mark explorer.exe trusted or make an appropriate rule to allow explorer.exe to delete any file, u will not get a prompt. I have made such rules for it and some other applications to avoid too many popups (in fact file protection rules in EQS must be liberal to avoid headaches). By contrast, explorer.exe is marked trusted in NG by default.

Rasheed187
January 5th, 2008, 10:17 AM
Yes, too strict file control can lead to headaches, so that's why I'm pleased to see that during normal computer usage, NG stays quiet, and that's probably because trusted apps can still do their job. And I don't think that marking explorer.exe as "trusted" is a problem, as long as other malicious tools can't tamper with it. Btw, I've not set up a confidential folder yet, I'm still trying to figure out which files to protect, and how to avoid many popups.

aigle
January 5th, 2008, 12:44 PM
One of the reasons I like NG is that it gives far fewer popups in spite of the fact that it's a classical HIPS. Also, instead of the usual parent-child relationship, the relationship of trusted-untrusted executables is more interesting and gives fewer popups while maintaining security.

ErikAlbert
January 5th, 2008, 02:22 PM
I want to try it too. I only have to install this "smart" NG and it works, or does it need my support first?
Oops .... bad start ... website doesn't open.

aigle
January 5th, 2008, 04:07 PM
It's beta and has some bugs. I will not suggest it for U.

Here is the download link at bottom.

http://www.smokey-services.eu/forum/viewtopic.php?f=67&t=6157

ErikAlbert
January 5th, 2008, 04:13 PM
-{ Quote: "It's beta and has some bugs. I will not suggest it for U.

Here is the download link at bottom.

http://www.smokey-services.eu/forum/viewtopic.php?f=67&t=6157" }-
Oops my mistake. I thought it was out of beta. It's always in beta AFAIK. ;D
OK then I wait. The link might be useful for another member. Thanks.

Perman
January 5th, 2008, 04:41 PM
Hi,

NG will likely stay as beta for a foreseeable future; the smart kid who develops this remarkable app has to take time off to get his well being together.

It is sad, but it is not uncommon for new ventures, especially those that are still in their infancy. Wish him the best, and hoping his return will be much anticipated.