I just installed the new Webroot Desktop Firewall and enabled all the DSA features in it. So far the pop ups have been limited and very concise, and I have seen tests that DSA has done very well in. However I am still looking for some encouragement that DSA is a good program and it's worth keeping WDF with it enabled. Thanks.

There's no point in fishing for replies just to make you "feel good" and reassure you that you've made a wise choice. If you're happy with it and it works for you, stick to it, 'nuff said.

But for what it's worth, it's a good program.

You can take a look at this links-

http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm?

Fishing around would imply I'm being coy. (reluctance to make a commitment) I already made the commitment and simply asked for encouragement. (to spur on) If you need the definition to spur on let me know. LOL. Seriously I didn't want to simply ask if DSA is better than ThreatFire or other HIPS programs because I was afraid this thread may turn into one of those dreaded "closed verses threads". LOL. But thank you for letting me know it's a good program solcroft. Also thanks for the link acr1965.

Relax, he just wants to know what we think of DSA, that's all! :)

Personally, I wouldn't bother with DSA. It lacks control and at times it can be very inconsistent and buggy. However, the next version of DSA might be worth checking out (if it isn't bundled in a suite that is).

Have you tried SSM yet?

Hi Wordward -

Beng a Privacyware representative, I am certainly biased, but WDF 5.5 is a very complete, rigorously tested, desktop defense package that provides advanced control over ports, applications, processes, system and application behavior along with a number of other cool management and reporting features. WDF 5.5 includes all of the features offered in Privatefirewall 6 (to be released under the Privacyware brand soon), wherein DSA is fully integrated, and is now also fully integrated with Webroot anti-spyware and anti-virus offerings.

This issue does not concern DSA specifically as you are essentially using Privatefirewall 6.0 with the added benefit of full WR integration. For those who do not require or desire such granular control (RedZero is correct regarding DSA's limited control and configuration features - this is by design), DSA is a complete desktop defense application that combines conventional, although basic, firewall capabilities with behavioral components in an easy to use and free product. Hope this helps.

Thank you Privacyware. I really like the Program so far and use it with a-squared Anti-Malware running with no problems, and so far it seems without any overlap. I do want to make sure I have DSA enabled correctly though. Here is what another forum member said about enabling it.

"Therefore it looks like activating DSA is achieved by going to:

File-advanced settings and then enabling each-Email Anomaly Detection-System Anomaly Detection and Advanced Application Settings- plus the previous suggestion of turning the Process Monitor to High/Ask.

These functions all seem to be part of DSA ;"

I would go further and say these functions ARE DSA-plus the Registry module which Bellgamin confirms is present without the option of turning on/off.

However is there registry protection in WDF 5.5 as well?

RedZero, I have used SSM Free, but it scared me a little. LOL. Seriously though I liked it, but it just wasn't something I felt I needed. Also thanks for sticking up for me. It gets brutal in here sometimes. LOL.

{QUOTE->
RedZero, I have used SSM Free, but it scared me a little. LOL. Seriously though I liked it, but it just wasn't something I felt I needed. Also thanks for sticking up for me. It gets brutal in here sometimes. LOL. <-QUOTE}

You're welcome. ;)

Did you try SSM in learning mode? Learning mode takes care of all the decision making and creates a default rule for each prompt that you would usually receive if learning mode were off.

However, I would only suggest learning mode if you're certain that your machine is clean to begin with.

Hey RedZero. I did use learning mode, and to be honest I even liked it a little better than ProSecurity Free. However if I used any other program right now other than WDF with DSA integrated, it would be Online Armor Free. I just like the way Mike supports his products here in the forum, and the fact he has given people a software program that offers so much protection for free. It was nice to hear from a Privacyware Rep here too though.

{QUOTE->
However is there registry protection in WDF 5.5 as well?

<-QUOTE}

Yes. It just isnt customizable.

I.e in some of the hips (e.g ssm, prosecurity) you can choose to monitor additional registry keys on top of the default ones (or you could remove the default ones). In DSA and probably WDF 5.5, it already monitors most of the standard autostart registry entries plus probably a couple of others (not sure about this).

Given that you are not the type to fiddle with settings like this , you probably don't want or need configurable registry protection, so DSA/WDF is fine for you.

Thanks Lusher. Alos, I am using a-squared AM but there are some overlaps with WDF/DSA and I was wondering if a-squared is even needed? I could just un-check the IDS protection if so. Also what about using ThreatFire with WDF/DSA?

{QUOTE-> Thanks Lusher. Alos, I am using a-squared AM but there are some overlaps with WDF/DSA and I was wondering if a-squared is even needed? I could just un-check the IDS protection if so. Also what about using ThreatFire with WDF/DSA? <-QUOTE}

Sigh. At this point or later someone is probably going to chant the mantra about "layers" and tell you to not only check the IDS protection but also add Threatfire and a sandbox like Sandboxie or GeSwall and something like siteadvisor and.....maybe add ProSecurity on top of DSA and ....

Supposedly the A2 squared IDS rules are now being touted as comparable to threatfire, so someone "knowledgable" will tell you they don't overlap with DSA..... cos one is smart one is dumb...

And if we go by the layers principle, which if i understand the way it is interpreted here by many, if the functions don't overlap, we **MUST** add them. (Some believe even if the functions overlap, you should still add them because of the redudancy principle)

My advise, learn to use WDF/DSA properly and to understand what the prompts mean, that will be of more value than adding more and more security programs. That plus a quality antivirus is more than sufficient.

But I know this is not conventional wisdom here, where many of the regulars (including some moderators i believe) run 2 or 3 HIPS together.

Tests of DSA HERE (http://www.wilderssecurity.com/showthread.php?p=925697#post925697) and HERE (http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm).

The latter test is discussed by Wilders folks HERE (http://www.wilderssecurity.com/showthread.php?t=179889).

Also, DSA scored "Good" on firewall leak tests HERE (http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php).

IMO --- DSA is an excellent HIPS-type adjunct to a firewall but it is not a full-scope HIPS in the same category as SSM, ProSec, Neoava, EQsecure, et alia. I think you will get good, well-rounded protection from the Webroot firewall with DSA aspects enabled.

P.S. When it comes to layers, I prefer Rhode Island Reds to Dominicks or Leghorns.

bellgamin <== (ommmm ommmm layerzzzz layerzzx ommm ommm) :)

I have to ask here if anyone thinks the HIPS in Online Armor Free, comes close to the protection DSA offers?

The HIPS features in Online Armor (assuming that you use the advanced capabilities thereof) are much more comprehensive than the HIPS features of DSA. In fact, OA's HIPS are pretty much on a par with SSM, ProSec, etc.

DSA's HIPS mainly alert you when process or email activities become significantly DIFFERENT from what is usual/normal for your computer.

In order to set *norms* DSA "watches" how you use your computer for a period of time specified by you, and then DSA alerts you when actions deviate from that norm. You can specifiy how big or small a deviation that you want DSA to call to your attention.

Let me GENERALIZE the differences as follows...
***Classical HIPS (SSM, OA, PS, etc) notify you when a process acts in a way that is significantly typical of the way malware acts.

***DSA notifies you when a process acts in a way that is significantly NON-typical of the norm for YOUR computer.

The above distinctions are not rigid. For example (comparing DSA with OA)...
***DSA's "Process Protection" & "Application Protection" modules are highly redundant with what OA does.

***On the other hand, DSA's "Email Anomaly" & "System Anomaly" modules will give alerts about process or email events that are not routinely noticed by OA.

{QUOTE-> Sigh.
And if we go by the layers principle, which if i understand the way it is interpreted here by many, if the functions don't overlap, we **MUST** add them. (Some believe even if the functions overlap, you should still add them because of the redudancy principle)

But I know this is not conventional wisdom here, where many of the regulars (including some moderators i believe) run 2 or 3 HIPS together. <-QUOTE}

Lusher,

Well spoken. I only use a hardware FW/sandbox-HIPS to protect me against the majority of threats. Behind this a behavioral protection IDS (auto quarantaine disabled) to have some additional protection when installing new software. Although this makes me fall into the category of people using two HIPS, this makes sense because I have to lower the sandbox defense to install a programs with trusted (admin) rights. After the install I like to have the behavior blocker to keep an eye on my config. Only use an AV on demand scan before image backup (no realtime AV).

Regards Kees

{QUOTE-> The HIPS features in Online Armor (assuming that you use the advanced capabilities thereof) are much more comprehensive than the HIPS features of DSA. In fact, OA's HIPS are pretty much on a par with SSM, ProSec, etc.

DSA's HIPS mainly alert you when process or email activities become significantly DIFFERENT from what is usual/normal for your computer.

In order to set *norms* DSA "watches" how you use your computer for a period of time specified by you, and then DSA alerts you when actions deviate from that norm. You can specifiy how big or small a deviation that you want DSA to call to your attention.

Let me GENERALIZE the differences as follows...
***Classical HIPS (SSM, OA, PS, etc) notify you when a process acts in a way that is significantly typical of the way malware acts.

***DSA notifies you when a process acts in a way that is significantly NON-typical of the norm for YOUR computer.

The above distinctions are not rigid. For example (comparing DSA with OA)...
***DSA's "Process Protection" & "Application Protection" modules are highly redundant with what OA does.

***On the other hand, DSA's "Email Anomaly" & "System Anomaly" modules will give alerts about process or email events that are not routinely noticed by OA. <-QUOTE}
This is SO VERY WRONG.

bellgamin, you need to turn off Learning Mode to see what DSA is actually monitoring behind-the-scenes. I think you'll need to turn your statement in your whole post COMPLETELY the other way round.

Ok so what's the true consensus then? Is the protection offered by OA Free close to that of DSA's protection, slightly better, or no where as comprehensive?

{QUOTE-> This is SO VERY WRONG.

bellgamin, you need to turn off Learning Mode to see what DSA is actually monitoring behind-the-scenes. I think you'll need to turn your statement in your whole post COMPLETELY the other way round. <-QUOTE}

Please provide some arguments Solcroft, this is al i can do with just an oponion statement ;)

LOL. Yes some facts for me also would be welcomed.

{QUOTE-> Please provide some arguments Solcroft, this is al i can do with just an oponion statement ;) <-QUOTE}
To be honest, I'm surprised. I think this should be painfully obvious to anyone who's ever used both before. bellgamin's description of DSA's abilities is very very lacking, and covers only the anomaly protection it offers.

OA's HIPS provides application-level defense and autostart locations of the registry only. DSA, on the other hand, provides monitoring of application activity as well as modifications to file/registry data. I don't have both programs at hand right now to compare the specifics (not on my comp right now), but that alone is enough to claim that DSA offers far more protection than OA's HIPS, though most of DSA's protection happens in the background due to learning mode turned on for 7 days by default.

OA free's HIPS do NOT come near what other applications like SSM or ProSec offers. It's just an application-level HIPS like PG and AntiHook. It's (somewhat) good at defending attempts to manipulate or hijack legit processes in memory or other actions that don't involve writing data to physical drives, but that's it, and it doesn't even do it as well as other HIPS (SSM, EQ and ProSec come to mind) do. It won't prevent modification or deletion of critical files, or changing of sensitive registry data. On the other hand, DSA does, although its protection cannot be configured.

{QUOTE-> Ok so what's the true consensus then? Is the protection offered by OA Free close to that of DSA's protection, slightly better, or no where as comprehensive? <-QUOTE}

There is no concensus WordWard, just people with differing interpretations and opinions. Very few people (probably no-one) has down enough technical tasks for the degree of differentiation you are asking for.

Even if you were asking just for size of feature set (and not "protection offered" which implies quality of implemention), it would still be a hard task for comparison, because despite similarities among all HIPS in their class, their features still don't always match up nicely (as i found out when trying to do the castlecops wiki article!)

If you ask me, either package is fine. The only major difference is that the Webroot firewall package has superior capabilities (filter by ip) than the OA Free's firewall. You can't do it for OA free's firewall.

HIPS wise, either package provides a high level of security. Any edge (if any) held by DSA or OA in this area is probably not big enough to worry about.

My advise, try both, and keep the one that you find nicer.

Trying to use this forum to get the "truth" about whether OA Free is close to that of DSA's protection, slightly better, or no where as comprehensive as going to be futile.

You can choose to listen to me (and I'm after all *the* author of a highly inaccurate but neverthless oft cited wiki article on HIPS by many people in Wilders), or you can choose not to, your choice.

{QUOTE-> To be honest, I'm surprised. I think this should be painfully obvious to anyone who's ever used both before. bellgamin's description of DSA's abilities is very very lacking, and covers only the anomaly protection it offers.
<-QUOTE}

Without adding more fuel to the fire, I must say I totally agree with what Solcroft has said in that post.

"OA's HIPS provides application-level defense and autostart locations of the registry only. DSA, on the other hand, provides monitoring of application activity as well as modifications to file/registry data"

Yes. "protected file objects" if I recall correctly is the term used.

"OA free's HIPS do NOT come near what other applications like SSM or ProSec offers. It's just an application-level HIPS like PG and AntiHook. It's (somewhat) good at defending attempts to manipulate or hijack legit processes in memory or other actions that don't involve writing data to physical drives, but that's it, and it doesn't even do it as well as other HIPS (SSM, EQ and ProSec come to mind) do."

Yes. Agreed. except for the very last bit from "and it doesn't even do it...." which i withold judgement because ,that one is based on technical data that I don't have.

Bellagamin has being a long time user of DSA (and other hips), and I have never found his description of DSA versus other HIPS to be so off , that is what makes his post in this thread quite surprising.

I wonder if someone hacked into his account? Or there is some miscommunication here.

Solcroft, Lusher

To my knowledge DSA does not protect against dll injection. So OA has a plus here. Stating that OA "is (somewhat) good at defending attempts to manipulate or hijack legit processes in memory or other actions that don't involve writing data to physical drives, but that's it" is a bit unfair (when comparing to EQS, SSM and PS), because DSA lacks more on this area.

Also OA free has the option to run programs with limited rights. Another bonus of OA against DSA that at least OA remembers what you enter. DSA has a reputation of forgetting the choices the user made. On the other hand DSA has a lot of good surprise features (meaning the additional defense it appeared to have and proven in Nicm's tests).

Anyway I think it are both good programs (considering that they are free), also Webroot FW with DSA elements and OA free (with FW) are both nice free FW's.

Regards Kees

{QUOTE->
To my knowledge DSA does not protect against dll injection.
<-QUOTE}

Good point. Also, DSA lacks consistent hashing control.

I just think that in the long run you will want or perhaps even need something with more control in regards to rules, parent/child configuration, etc.

I am, of course, very familiar with DSA, having had opportunity to directly review certain logic diagrams produced by one of my more adventureous (but benign) students.

Solcroft is largely correct in what he says, most of which is concerned with my following statements...

{QUOTE-> The above distinctions are not rigid. For example (comparing DSA with OA)...
***DSA's "Process Protection" & "Application Protection" modules are highly redundant with what OA does.

***On the other hand, DSA's "Email Anomaly" & "System Anomaly" modules will give alerts about process or email events that are not routinely noticed by OA. <-QUOTE}

As I am an old lawyer, one needs to pay close attention to what I write, ESPECIALLY when I write a glittering generality such as that quoted above. When I am dancing, please take note that my feet seldom touch the floor.;)

To wit, I said that certain DSA modules are "highly redundant" with those of OA. I did NOT say that they are identical. I primarily meant "redundant" in the sense that, if one runs OA & DSA simultaneously, and a new process is run for the first time, both of them will pop-up an alert. .

As to the relative protective power, OA versus DSA, OA covers a broader spectrum of possible threats than does DSA and (as said before) they overlap only in some areas. However, I was not discussing relative protective power in my prior post.

If I HAD been discussing *protective effectiveness" then I might have written the following: "If I could run only ONE security app, & the options were strictly limited to OA & DSA, then my choice would be SSM". :P

I'm happy that I still have the ability to surprise Lusher once in a while. On the other hand, I can never surprise my wife -- she always knows what I am thinking even before I do. Which leads to the interesting question: If a man in a forest states an opinion, & no woman is present, will he still be wrong?

{QUOTE-> S
To my knowledge DSA does not protect against dll injection. <-QUOTE}
NO, it does. Try FireHole leaktest against it!

Aigle,

I believe you, why Firehole leaktester and not for instance Zapass?

Regards Kees

Because I did not try Zapass.
Right now I am not sure but I think:

Firehole -- global hook
Zapass -- remote thread creation

So they are a bit different. Pls correct me if I am wrong.

{QUOTE-> Solcroft, Lusher

Also OA free has the option to run programs with limited rights. Another bonus of OA against DSA that at least OA remembers what you enter. <-QUOTE}

That's exactly the problem I was alluding to in my response to Wordward who wanted to know which one was "more comprehensive in protection" even if we restricted comprehensiveness to mean the features offered and ignore quality differences.

If you compare any two HIPS chances are, one will have one feature the other doesn't and vice versa.

Solcroft probably feels that *on the whole* DSA provides more comprehensive protection which means he might think some features in OA like the run safer option etc is not as important etc..

OT question: does anyone know where I can find the full-blown technical details of exactly what is restricted under Limited User Account? I've been trying to find this information without success.

{QUOTE-> OT question: does anyone know where I can find the full-blown technical details of exactly what is restricted under Limited User Account? I've been trying to find this information without success. <-QUOTE}

Well, usually Limited User Accounts are part of the Users group, so:

http://www.wellesley.edu/Computing/WinXP/wxpgroups.html

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_default_settings.mspx?mfr=true


Users Can:
-Create, modify, and delete their own data files
-Run system-wide or personally installed applications
-Change their personal settings
-Install programs for their own use only
-Access the network
-Print to local or networked printers
-Do anything a Guest can

Users Cannot:
-Modify system-wide settings, operating system files, or program files
-Affect other users' data or desktop settings
-Install applications that can be run by other users
-Add printers
-Configure the system for file sharing


For even more details, open Process Explorer under an account with Administrator rights, then open something like notepad, and at the same time open notepad again with something like DropMyRights or psexec. From there you can compare the privileges of each notepad process by viewing the Security tab in Process Explorer.

{QUOTE-> DSA has a reputation of forgetting the choices the user made. <-QUOTE}I believe you, BUT -- I never had DSA forget anything. At least, not that I noticed.

Has anyone else experienced this issue?
~~~~~~~~~~~~~~~~~~~~~

Also -- the new Webroot firewall (http://www.webroot.com/consumer/products/desktopfirewall/) is using a new version of Private Firewall (PFW) -- newer even than is available from PFW's own website. The Webroot FW includes DSA.

Does anyone know whether the Webroot version of DSA (included in their firewall) is ALSO newer than the one available from PFW's site (http://www.privacyware.com/dynamic_security_agent.html)?

{QUOTE-> Has anyone else experienced this issue? <-QUOTE}
Yes, everytime DSA would ask, forgetting my previous choices and is why I uninstalled DSA, only leaving it in some snap-shots that are rarely rebooted.

{QUOTE-> Has anyone else experienced this issue? <-QUOTE}
No. But I only used it for a short period of time. I liked it. Maybe I will use it again.

Been using WDF with DSA for about a week now, and so far it hasn't forgotten anything so far. Also, I have come to believe it is a very well thought out piece of software. My PC and Internet runs fast and smooth, and no bumps so far running it along with a-squared AM and AVG Pro. I may even shut down a-squared and just rely on WDF/DSA and AVG for my security.

{QUOTE-> Been using WDF with DSA for about a week now, and so far it hasn't forgotten anything so far. Also, I have come to believe it is a very well thought out piece of software. My PC and Internet runs fast and smooth, and no bumps so far running it along with a-squared AM and AVG Pro. I may even shut down a-squared and just rely on WDF/DSA and AVG for my security. <-QUOTE}

Well, I say if it works well for you and your system then go for it. :)

Have you considered using some sort of virtualization in your setup as well?

I have considered something like Returnil RedZero, but have been reluctant to try it out. I worry that some of these type of programs may cause troubles despite not hearing of many.

{QUOTE-> Yes, everytime DSA would ask, forgetting my previous choices and is why I uninstalled DSA, only leaving it in some snap-shots that are rarely rebooted. <-QUOTE}
Hi,

When I tested DSA three times at different days, I have this experiences, that was why I uninstalled it; there are many other HIPS better and more updated than DSA. A security app stands still , not moved one inch farther does not warrant your glance at all. No update for DSA since ----, I can not even want to recall it. In this case, grass is greener on other side of the fence, and is not an illusion at all. Take care.

{QUOTE-> I have considered something like Returnil RedZero, but have been reluctant to try it out. I worry that some of these type of programs may cause troubles despite not hearing of many. <-QUOTE}

I would highly recommend a sandbox such as Sandboxie. While virtualization doesn't guarantee 100% security (no program offers that), it just adds another layer of security.

If you're concerned about these sandboxes causing trouble, you can always back up your data using something like Acronis True Image.

Another option is creating a restore point or even another user account for the sole purpose of testing out some of these programs and then delete the account afterwards.

By now Wordward,you should have become convinced that the use of WDF/DSA(or OA),will give you all the security you need for normal usage-that together with a good antivirus.

You have tried both-decide which appeals more,is easier to use, get used to it,be happy and dont worry;D

I am using WDF/DSA( a new version is out!) with just an antivirus,no additional layers,what is the point?.No problems.

I think you also have a router,enable NAT.

However ,if it gives you additional, reassurance,there is no conflict if you install Threatfire a top rated HIPS, no speed penalty and only small memory usage.

No doubt you have imaging backup software like ATI-set it to schedule auto download twice daily in the background and no matter what disaster,trojan,virus. software or hardware,occurs,you are as safe as can be.:thumb:

Hairy Coo you say a new version. What version number is it? I have 5.5.10.20 which I thought was the latest version, but now that I think about it how does one update WDF? I don't see any update tabs.

{QUOTE-> Hairy Coo you say a new version. What version number is it? I have 5.5.10.20 which I thought was the latest version, but now that I think about it how does one update WDF? I don't see any update tabs. <-QUOTE}
The previous version was 5.5.8.xx.
You have the current version.

Thanks, I may send Webroot an E-Mail to ask about how to update WDF when a new version is out, and since I'm not sure if DSA has been updated along with the firewall I will ask this as well. From what I have read and heard from a few people however, DSA offers more protection than OA Free does so I'm not that worried if it has been updated.