BluePoint Security product Q&A
BluePointSecurity
August 31st, 2009, 11:29 AM
I've started this thread to answer any product related questions anyone may have about the product or how things work.
Ask away!
Dregg Heda
August 31st, 2009, 12:07 PM
Sorry posted it in the wrong thread.
Can you give me a run down of all the script executables you protect against? Thanks!
Can your product be configured to Default Deny only allowing executables on a whitelist?
BluePointSecurity
August 31st, 2009, 01:23 PM
Off the top of my head they are .vbs, .scr and .bat. I'll see if I can get a more concise list together. Any you were wondering about specifically?
Currently you can't reconfigure it with a list; when you install it, it automatically allows OS files only, the rest will prompt you, and the list is built that way.
BluePointSecurity
August 31st, 2009, 01:24 PM
As a side note, 1.0.0.61 was released today. A few small bug fixes as well as additional product compatibility (other security apps).
jmonge
August 31st, 2009, 01:27 PM
-{ Quote: "As a side note, 1.0.0.61 was released today. A few small bug fixes as well as additional product compatibility (other security apps)." }-was this release just now or earlier? Thanks
BluePointSecurity
August 31st, 2009, 01:34 PM
Just released; you can hit update and it should grab it.
jmonge
August 31st, 2009, 01:36 PM
-{ Quote: "Just released, you can hit update it should grab it." }-thanks:thumb:
Malcontent
August 31st, 2009, 01:58 PM
BluePoint Security Review:
http://remove-malware.com/antimalware/anti-malware-reviews/bluepoint-security-review-and-demo/
jmonge
August 31st, 2009, 02:05 PM
cool video :) i'll grab some popcorn with a 2 litre Pepsi :):)
BluePointSecurity
August 31st, 2009, 02:21 PM
Ah, the infamous Matt review. As I've stated before, the review is very sparse (not sure he understood the product). I think his review was a bit of a retaliation from our posted video series. The main problem we had with the review was that he leads you to believe nothing is denied during his test and the user must click deny. This is incorrect, everything is denied by default and has already been blocked and denied by the time you see the notification. He made no mention that every single threat he tested against was completely prevented (something many products cannot claim, if you watch his other product reviews). The notification is more of a way to override the denial. The notifications can also be turned off under settings if you like. Either way, we have a full product review if you wish to see how it responds to threats and known safe software.
Our full walk through:
http://www.youtube.com/watch?v=yuJoXPYpcB4
trjam
August 31st, 2009, 02:27 PM
actually there are quite a few that passed the 10 mark with him. But getting to the point, would it not be just as easy to block the detection than to even offer a user the option. If they are all legit, then just block them. By doing so you open up a whole new portion of the human race to purchase your product. Of course if this is another FP issue with products like this, I totally understand your reasoning.
Keyboard_Commando
August 31st, 2009, 02:32 PM
BluePointSecurity.
I just watched the remove-malware review. He stated he was merely picking faults with your product, but for the holier than thou attitude you seemed to have, maybe?
And it's interesting you think he doesn't understand how your product works. The average user doesn't stand a chance, then.
Keyboard_Commando
August 31st, 2009, 02:49 PM
BTW, I did watch your Youtube clip about Defensewall (before you removed it). So I have been curious how well Bluepoint works and how it performs. I thought it was a weird way to introduce yourself, by putting something else down.
Now seeing a few members here have tested Bluepoint, and found some flaws, I'd say, All's fair in love and war. Quite funny actually.
jmonge
August 31st, 2009, 02:55 PM
Come on guys, nothing is perfect, you all know that ;D Try it for a week or two and then write down your complaints; that is what I do. Look at my signature: at the beginning I didn't understand and didn't like AppRanger, but after I started to dig under the hood I found a lot of potential in it. Let's do the same with BluePoint :) In two weeks (14 days) you can know a little bit of it to draw conclusions; let's not draw conclusions because of Matt's YouTube video, let's try it ourselves ;D Let's give BluePoint a chance :thumb:
jmonge
August 31st, 2009, 02:56 PM
Also this program is new at Wilders, let's give him a warm welcome. Think positive guys, it is free for 14 days :)
trjam
August 31st, 2009, 02:57 PM
I don't think it was the Wilders Members who lit this fuse, with all due respect.
jmonge
August 31st, 2009, 02:59 PM
-{ Quote: "I don't think it was the Wilders Members who lit this fuse, with all due respect." }-I know that, but my point is to try before bashing :) Maybe something good to complement your arsenal is near you :)
Keyboard_Commando
August 31st, 2009, 03:06 PM
-{ Quote: "I know that, but my point is to try before bashing :) Maybe something good to complement your arsenal is near you :)" }-
Interesting you trust someone that uses their professional expertise to create an exploit to trash a competitor's product. But then maybe I am going over the top with criticism.
Hugger
August 31st, 2009, 03:12 PM
I could swear I heard him say that BP was blocking things but then getting a pop up with a block/allow choice.
That is confusing to the average pc home user. That seemed to be the point he was trying to make.
I'll be interested in seeing what other reviewers, not influenced by any statements made by others, have to say about BP.
Hugger
jmonge
August 31st, 2009, 03:13 PM
-{ Quote: "Interesting you trust someone that uses their professional expertise to create an exploit to trash a competitor's product. But then maybe I am going over the top with criticism." }-Like I always say, I like honest people that tell the truth about what works or what doesn't work. Yes, it happens when you go to Future Shop or Best Buy: the first thing they tell you is this software protects 100% against all kinds of malware. ''Sure'', run an MBAM scan and it will find tons of adware in the machine :) For the DefenseWall test I don't know how he did the test, maybe he allowed this keylogger as trusted. But my point was to try before drawing conclusions :)
Keyboard_Commando
August 31st, 2009, 03:18 PM
-{ Quote: "Like I always say, I like honest people that tell the truth about what works or what doesn't work. Yes, it happens when you go to Future Shop or Best Buy: the first thing they tell you is this software protects 100% against all kinds of malware. ''Sure'', run an MBAM scan and it will find tons of adware in the machine :) For the DefenseWall test I don't know how he did the test, maybe he allowed this keylogger as trusted. But my point was to try before drawing conclusions :)" }-
Ok. Well you seem totally non cynical, unlike me. LOL
Anyway rant over. :D
jmonge
August 31st, 2009, 03:26 PM
-{ Quote: "Ok. Well you seem totally non cynical, unlike me. LOL
Anyway rant over. :D" }-I remember when I first introduced AppRanger to the forum, and even now there are some people at the forum that don't understand how AppRanger works. My point is this: without trying a software we cannot judge from the first impression or from what others experience with the software; the only way is to try it ourselves ;D Like at this moment I am trying it myself and after 14 days I will be the judge ;D :) Well, kind of :) Let's see if this program covers or patches my needs :)
jmonge
August 31st, 2009, 03:28 PM
-{ Quote: "Ok. Well you seem totally non cynical, unlike me. LOL
Anyway rant over. :D" }-Anyway I will try hard to understand it, because it looks different from what I am used to :) (HIPS) It looks simple too :):)
BluePointSecurity
August 31st, 2009, 03:35 PM
trjam:
Absolutely agree, several of the products did quite well in his reviews. I would have expected all of the products to be able to prevent infection from "in the wild threats". Known threats that are out there are fairly easy to prevent, the real challenge in my mind is how do you prevent a threat that was created 5 minutes ago? That's where most products struggle. Using signatures/definitions/heuristics will fail that type of test most of the time.
Here's the reasoning behind our allow/deny notifications. I'll give you an example, let's say as an average user I am running XYZ antivirus. I'm browsing the internet and I visit a page that contains a drive-by downloader that was just created 5 minutes ago. At this point, your AV company hasn't added this threat to their def lists and, if heuristics don't catch it (which they often don't), you stand a very good chance of being silently infected.
Same scenario with BluePoint installed, even if we do not know about the threat you will be alerted when the drive by download style threat attempts to execute. It will be blocked by default unless you override it.
The reason for the allow/deny is to protect you 100% of the time, not just when we know about the threat. We can't eliminate the prompts as then you wouldn't be able to install anything!
jmonge
August 31st, 2009, 03:41 PM
-{ Quote: "Sounds like a classical HIPS (or a simplified one?). Defense+, OA's HIPS, Malware Defender etc would all provide the same protection out of the box. What's the difference?
Thanks for your time." }-The difference is that this software has an on-the-cloud database and the ones you mention don't ;D
jmonge
August 31st, 2009, 03:42 PM
This one looks in a way like Prevx, maybe I am wrong :)
BluePointSecurity
August 31st, 2009, 03:47 PM
-{ Quote: "Now seeing a few members here have tested Bluepoint, and found some flaws, I'd say, All's fair in love and war. Quite funny actually." }-
Please report them! You may even get a free license out of it ;)
I know not everyone liked the video series, hence why we took it down. At the same time I think people should be informed (maybe in a less Hollywood way of course) of how easy it is to bypass "most" of the products out there simply by opening up a developer and writing a new threat. There's a complete false sense of security with many products. We would be happy to provide a copy of the keylogger to any vendor that asks, although it won't solve the problem. They'll add it to their def list and if someone were to create another 30 minutes later, same problem. And it gets worse, the keylogger did not "exploit" any holes in the OS or products being tested. It was simply 30 lines of code in VB6. Meaning, the keylogger didn't even attempt to evade these products, most of them just didn't seem to bother preventing it.
To me, this is why we still see infections and prevention failure.
BluePointSecurity
August 31st, 2009, 03:52 PM
We are similar to Prevx in that both products utilize the cloud for detection, however the security model is completely different. Prevx uses heuristic detection while BluePoint relies upon whitelisting (default deny anything we don't know about or that is not trusted without your permission).
Our security model is based upon: if we don't know the publisher, it's denied and you are asked for permission. Quite a few notifications, yes, but you are rewarded with very very strong protection against new malware. Nothing will be executed silently behind your back.
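The drive-by scenario from the earlier reply and the publisher-based default-deny model described in this one, as an added example that is not BluePoint's code: one decision function that allows only positively known code, blocks known malware without a prompt, and denies an unknown publisher either by prompting (notifications on) or by quarantining silently (notifications off). The trust lists, hashes, file paths and publisher names are constructed placeholders standing in for the cloud lookup the thread mentions.

```python
"""Added illustration of a default-deny executable policy; not BluePoint's code.
All trust data below is constructed for the example and stands in for the
cloud database the thread describes."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set, Tuple


class Verdict(Enum):
    ALLOW = "allow"             # positively known: OS file, trusted publisher, or user-approved
    BLOCK = "block"             # known malware: denied with no prompt at all
    PROMPT = "prompt"           # unknown, notifications on: denied unless the user overrides
    QUARANTINE = "quarantine"   # unknown, notifications off: denied and moved to quarantine


@dataclass(frozen=True)
class Executable:
    path: str
    publisher: Optional[str]    # None when the file carries no publisher information
    content: bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the vendor's cloud database (hypothetical values).
TRUSTED_PUBLISHERS: Set[str] = {"Microsoft Windows", "Example Software Inc"}
OS_FILE_HASHES: Set[str] = {sha256(b"constructed-notepad-image")}
KNOWN_MALWARE_HASHES: Set[str] = {sha256(b"constructed-malware-sample")}


def decide(exe: Executable, notifications_on: bool, user_allowlist: Set[str]) -> Verdict:
    """Default deny: ALLOW only for something positively known; everything else is denied.

    The order matters: a known-bad hash is blocked even if the file names a trusted
    publisher, and an unknown publisher is never silently allowed."""
    digest = sha256(exe.content)
    if digest in KNOWN_MALWARE_HASHES:
        return Verdict.BLOCK
    if digest in OS_FILE_HASHES or digest in user_allowlist:
        return Verdict.ALLOW
    if exe.publisher is not None and exe.publisher in TRUSTED_PUBLISHERS:
        return Verdict.ALLOW
    # Unknown publisher: denied in both modes; the mode only decides whether the user is asked.
    return Verdict.PROMPT if notifications_on else Verdict.QUARANTINE


def run_policy(exe: Executable, notifications_on: bool, user_allowlist: Set[str],
               user_override: bool = False) -> Tuple[Verdict, bool]:
    """Return (verdict, executed). Only an ALLOW verdict, or an explicit override on a
    PROMPT, lets the file run; an override is remembered in the user's allowlist, which
    is how the thread says the allow list gets built."""
    verdict = decide(exe, notifications_on, user_allowlist)
    if verdict is Verdict.ALLOW:
        return verdict, True
    if verdict is Verdict.PROMPT and user_override:
        user_allowlist.add(sha256(exe.content))
        return verdict, True
    return verdict, False


if __name__ == "__main__":
    # Constructed sample: an unnamed binary a drive-by download just dropped.
    dropper = Executable(r"C:\Users\grandma\AppData\Local\Temp\x34532.exe",
                         None, b"constructed-unknown-binary")
    for mode in (True, False):
        verdict, ran = run_policy(dropper, notifications_on=mode, user_allowlist=set())
        print(f"notifications_on={mode}: {verdict.value}, executed={ran}")
```

The point the example makes is the one the vendor argues: the unknown dropper never executes in either mode, and turning notifications off changes only what the user sees, not what runs. It also shows why the hash check comes before the publisher check, so a known-bad file cannot ride in on a trusted publisher name.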
jmonge
August 31st, 2009, 04:01 PM
-{ Quote: "We are similar to Prevx in that both products utilize the cloud for detection, however the security model is completely different. Prevx uses heuristic detection while BluePoint relies upon whitelisting (default deny anything we don't know about or that is not trusted without your permission).
Our security model is based upon: if we don't know the publisher, it's denied and you are asked for permission. Quite a few notifications, yes, but you are rewarded with very very strong protection against new malware. Nothing will be executed silently behind your back." }-I think this is a cool idea, to prevent any unknown publisher from loading, just to prevent infections
It will be even nicer if BluePoint silently blocks all without any alerts, but again it will have to have an installation mode for trusted publishers :)
trjam
August 31st, 2009, 05:38 PM
-{ Quote: "trjam:
The reason for the allow/deny is to protect you 100% of the time, not just when we know about the threat. We can't eliminate the prompts as then you wouldn't be able to install anything!" }-
Gotta admit, we keep beating the hell out of you and you come back for more. Hell, I may actually make you a friend soon.:blink: Nah!
Let's look at your quote. Isn't your math wrong? I would say with that combo and the average user a 50 percent of right or wrong would apply.
Now for some advice. Quit pushing. Quit comparing. Quit hanging out here all day. Invest that time in the product. Only respond to legit questions and answers that only relate to your product. Give a few licences away. Get any frigging videos or references to it off the internet and you just might, might, want to honestly apologize that was the wrong approach to take. The weird thing is, it may have been accurate in some circumstances.
People at other forums talk about the family atmosphere here, the "You better like the products that Wilders does or you are toast." That is such BS. There are more things run through the grinder here than anywhere else. There are more experts and idiots,;D here than anywhere else. And that my friend, is what makes this place special. You don't kick the door in, you knock. So, you got one groupie, do as I suggest and you may get more. But remember, you don't kick the door in, because the backward swing can damage your hip bone.
So, let's start afresh, people try it. If it stinks tell why based on the product not the person. If it works, can someone besides jmonge let us know. And if you listen to these good folks here, you may just have something. Oh, and don't create a product for geeks, create one for all.;)
trjam
August 31st, 2009, 05:42 PM
-{ Quote: "We are similar to Prevx in that both products utilize the cloud for detection, however the security model is completely different. Prevx uses heuristic detection while BluePoint relies upon whitelisting (default deny anything we don't know about or that is not trusted without your permission).
Our security model is based upon: if we don't know the publisher, it's denied and you are asked for permission. Quite a few notifications, yes, but you are rewarded with very very strong protection against new malware. Nothing will be executed silently behind your back." }-
One last jab, you are right in comparing yourself to Prevx. Reader must figure out answer.;)
BluePointSecurity
August 31st, 2009, 06:09 PM
Out of the box simplicity is one of them.
Take a look at this screenshot:
http://www.torchsoft.com/images/md_screenshot.jpg
Grandma certainly isn't figuring that one out anytime soon. Although I could easily teach her how BluePoint works in about 15 minutes.
There are certainly other products on the market that can protect you properly with the proper configuration and settings of course. We aren't really out to compete with the more obscure products, we are after the AV companies, that's where the real failures are.
BluePoint easily prevents malware from all vectors (usb, network, cd etc). We are not concerned about where malware comes from, only what is trusted and what is not when it comes to executable code.
BluePointSecurity
August 31st, 2009, 06:11 PM
I consider Prevx to be an excellent product, we would be happy to be associated with them. They consistently outperform the AV companies with ease. As has been previously stated, our security model differs from theirs quite a bit, the similarity is only in the fact that they use the cloud as we do instead of pushing defs to customers.
BluePointSecurity
August 31st, 2009, 06:13 PM
-{ Quote: "You obviously ran a newly introduced file on your real system (keylogger.exe), thus breaking this rule." }-
Since when did threats play by rules?
just poking at you ;)
BluePointSecurity
August 31st, 2009, 06:19 PM
-{ Quote: "Gotta admit, we keep beating the hell out of you and you come back for more. Hell, I may actually make you a friend soon. Nah!
Let's look at your quote. Isn't your math wrong? I would say with that combo and the average user a 50 percent of right or wrong would apply.
Now for some advice. Quit pushing. Quit comparing. Quit hanging out here all day. Invest that time in the product. Only respond to legit questions and answers that only relate to your product. Give a few licences away. Get any frigging videos or references to it off the internet and you just might, might, want to honestly apologize that was the wrong approach to take. The weird thing is, it may have been accurate in some circumstances.
People at other forums talk about the family atmosphere here, the "You better like the products that Wilders does or you are toast." That is such BS. There are more things run through the grinder here than anywhere else. There are more experts and idiots here than anywhere else. And that my friend, is what makes this place special. You don't kick the door in, you knock. So, you got one groupie, do as I suggest and you may get more. But remember, you don't kick the door in, because the backward swing can damage your hip bone.
So, let's start afresh, people try it. If it stinks tell why based on the product not the person. If it works, can someone besides jmonge let us know. And if you listen to these good folks here, you may just have something. Oh, and don't create a product for geeks, create one for all" }-
Advice taken and I even agree with most of it!
BrendanK.
August 31st, 2009, 06:34 PM
Well I'm going to take your product later today for a rigorous test drive (3,000 safe well known applications, and 3,000 malicious to be fair ;)) :) I like the deny approach, however, I would like it more to by default be deny no matter what. Technically speaking, if an average user wants to run something they will, no matter if it is unknown; however, since you are using a whitelisting approach, all unknown applications SHOULD be blocked automatically with no user intervention. Therefore, your whitelist should always be up to date with safe software, rather than focusing on malicious. That way average users will have a large database of whitelisted applications, which can allow them to install SAFE software. Just a tip ;)
trjam
August 31st, 2009, 06:36 PM
-{ Quote: "Advice taken and I even agree with most of it!" }-
Totally agree or not, many a vendor has learned that the consumer always comes first. Take care and good luck with some accurate testing of your product here. That I can assure you, it will be given.:thumb:
NormanF
August 31st, 2009, 07:29 PM
I think it's a behavioral blocker like Threatfire or Mamutu. A classical HIPS would have a set of configurable rules. If you need more comprehensive protection this can be used in place of Threatfire and alongside a traditional anti-virus product to provide all the protection one needs. TF is free while this one is a paid security product.
CogitoTesting
August 31st, 2009, 07:36 PM
-{ Quote: "Interesting you trust someone that uses their professional expertise to create an exploit to trash a competitors product. But then maybe I am going over the top with criticism." }-
Come on, we are living in a capitalist world. Such behavior as trashing your competitor is expected. It is a tough world, it's the survival of the fittest, i.e. crush or be crushed. There is no such thing as kumbaya my Lord, Kumbaya in a competitive world.
Follow jmonge's advice: try the product and voice your opinion later. Please never forget that the capitalist business world is a jungle; one cannot afford to be soft and weak when it comes to a product's competitors.
CogitoTesting
August 31st, 2009, 07:44 PM
-{ Quote: "Gotta admit, we keep beating the hell out of you and you come back for more. Hell, I may actually make you a friend soon.:blink: Nah!" }-
Are you sure you are using ESS? This morning I had the faint notion that you were using McAfee Total Security 2010 beta. ;D
BrendanK.
August 31st, 2009, 07:56 PM
Ok, I installed 200 samples. As many as the VM could hold :P All 200 samples were shown as unknown, 198 remained undetected during the scan. A scan of the computer detected 18/2554; take about 100 HTML samples off (sorry, I forgot to remove them :/).
Of the 1,200 safe sample files I had, only 102 were classified as whitelisted. Missing whitelisted applications included Wordpad and Notepad?
Also, one of the samples infected Task Manager and BluePoint kept blocking Task Manager from running as it was infected.
The 18 samples detected were unable to be removed or quarantined, as they did not show up in the detection panel?
A lot of work needs to be done, as this looks promising, but I would not let the average user use it just yet.
I must say though, this was not an easy test. Of the 2554 samples, most vendors only detect around ~600.
~Comment removed.~
trjam
August 31st, 2009, 07:58 PM
McAfee, and it is beta, killed my internet in less than 12 hours. It kills me how Eset gets the heck it does when there are so many suites that it puts to shame in quality.
But this is about BluePoint and we need to embrace the offer to test it. There is no better testing bed than Wilders, when you really think about it. Be fair to this vendor and give him the same constructive feedback Wilders does for all. That is really all that matters.
NormanF
August 31st, 2009, 08:08 PM
I think it should be set to deny on default. Windows7 Firewall Control acts in a "deny" mode unless you specifically authorize a service or executable. If it's malware, you don't want it to run. In other words, if you don't trust the software, that's exactly what a behavioral blocker/anti-executable should perform for the average user. If you trust it, you can allow it.
BluePointSecurity
August 31st, 2009, 09:05 PM
333halfevil:
Out of curiosity, were you able to infect the vm after installing BluePoint or was it infected prior to the install?
Thanks for the feedback guys, you've been busy!
BluePointSecurity
August 31st, 2009, 09:21 PM
I'd really like to see some prevention tests if you guys have time, that's really what the product was designed for.
Again, we really appreciate the honest no BS feedback, good and bad.
PM me, I may be willing to provide license keys if you're willing to test things out for us.
Thanks
trjam
August 31st, 2009, 09:48 PM
-{ Quote: "I'd really like to see some prevention tests if you guys have time, that's really what the product was designed for.
Again, we really appreciate the honest no BS feedback, good and bad.
PM me, I may be willing to provide license keys if you're willing to test things out for us.
Thanks" }-
Very generous offer, you are to be commended. These folks can help you; it may take awhile but they can make your software even better. Me? No, I just try to offer advice.
cheers
Jeff
BluePointSecurity
August 31st, 2009, 10:34 PM
One other thing I forgot to mention: make sure when you are running your scans while testing, you check under settings -> file types to scan -> select ALL.
Also, under settings tick off heuristic scanning as well as compressed files.
You may end up with lower than expected detection rates otherwise.
These settings apply to on demand scanning only, not real-time protection.
Peter2150
September 1st, 2009, 12:39 AM
I did reinstall, and do a brief test. But on the chance it was a conflict with Malware Defender or Online Armor, I uninstalled both of those. (That would almost be a deal breaker). I then did a clean scan of all files, which came up clean. That's wrong, I have a folder of malware, some not password protected.
Decided as a first test to try killdisk. First thing was I used Powerarc to remove it from the archive. Got an "unknown file" pop-up on that. Allowed it and then ran the killdisk exe. BluePoint did detect malware, and shut it down without a prompt.
I then tried another virus I have, and BluePoint let it run without a peep.
Let me comment a bit about philosophy. Way back when Prevx was a pure HIPS, they got some good user feedback and discovered at least 50% of the time when users were presented with a prompt they allowed malware.
Both OA and MD have the pop-up thing and it's great if you don't know what you are doing, which most don't.
I have a situation which illustrates the mom and pop issue. I have a business I run and have two young ladies who work for me. We use Outlook as an email client, and are in a position that if a client's email has an attachment, we have to look at it. The problem is if they get a pop-up from either program they don't know what to do.
Solution is Sandboxie. Both browsers and Outlook run sandboxed, so they can pretty much allow whatever, and let it run without hurting the system.
Could BluePoint take over that role? Not by a longshot yet. If you need pop-ups, it's not going to be good. The classic default deny is Faronics Anti-Executable, and it does its job ruthlessly, but it also in some ways drives me nuts, to the point I don't run it.
So for Bluepoint, to truly be revolutionary, it's going to have to find a way to allow what's needed to run, and block what's bad, with no pop ups.
My humble 2 cents.
Pete
jmonge
September 1st, 2009, 02:14 AM
Cool ;) I noticed that when I disable the notification, unknown publisher or even malware get a ride to the quarantine vault ;) I tested with a malware sample with the notification on first, and BluePoint alerted me about an unknown file detected, publisher unknown and also description unknown. With the notification on, who wants to allow this :):):) This unknown notification explains it all. Now I did the same test with notification off and ran the same sample; now I didn't get any notification and it silently sent this malware to quarantine, which is cool ;) Very cool indeed. I ran a scan and this file was quarantined and of course was not running, it was in jail :):) Nice program :thumb: The file I was testing is card.exe :)
BrendanK.
September 1st, 2009, 02:15 AM
-{ Quote: "333halfevil:
Out of curiosity, were you able to infect the vm after installing BluePoint or was it infected prior to the install?
Thanks for the feedback guys, you've been busy!" }-
I infected the machine AFTER installation. I would never do it beforehand :P
If I denied the installation, I doubt it would have infected the VM. However, I was pretending to be an every day user, like I really wanted to install the program. Therefore I allowed 200 malicious applications to execute, and ran a scan on it while it was loaded into the memory.
Then I reset the VM, with BluePoint already installed, updated, ran a scan with 2554 samples (all extracted into a folder) and let it detect. I did configure the scanner beforehand, giving it the best chance at detecting the malware.
jmonge
September 1st, 2009, 02:22 AM
So did it detect the 200 samples or not? Thanks
jmonge
September 1st, 2009, 02:23 AM
It will be nice to have password protection against settings modification :)
BrendanK.
September 1st, 2009, 02:34 AM
-{ Quote: "so did it detect the 200 samples or not?thanks" }-
As I have posted before:
-{ Quote: "All 200 samples were shown as unknown, 198 remained undetected during the scan." }-
jmonge
September 1st, 2009, 02:38 AM
-{ Quote: "As I have posted before:" }-I see :)
jmonge
September 1st, 2009, 02:41 AM
For the scanning settings remember to change from executables to all files ;) and then run the scanner :)
Saraceno
September 1st, 2009, 08:55 AM
I watched Matt's videos and I understand the point he and others are trying to make, that an average user won't know whether to allow or deny.
But the file description is saying it's 'unknown', which means running an unknown program that isn't common is a risk, right? But average users don't think this way.
I agree the default option should be to 'deny'. And then a user could access the history of deny/blocked applications and decide whether to run this program.
I'm yet to try out this program, but I think its main strength would be when you're visiting a web page and something tries to load in the background. When you see the allow/block alert, you'd realise something tried to load, click on block and get off the site.
But as jmonge said, give the program a go, provide feedback, and you might end up having a program you've really wanted.
jmonge
September 1st, 2009, 09:26 AM
If people don't want an alert notification, just disable it and malware cannot run. I am testing this with alerting off as we speak: I tried to run a malware sample and no notification, nothing ran, and now I am scanning and guess what, the scanner picked it up in real time, it was on hold :0:)
BluePointSecurity
September 1st, 2009, 09:27 AM
-{ Quote: "I'm yet to try out this program, but I think it's main strength would be when you're visiting a web page and something tries to load in the background. When you see the allow/block alert, you'd realise something tried to load, click on block and get off the site." }-
Absolutely and this is the way "most" of the infections I see occur.
Again glad to see the testing going on. Keep in mind, you really need to use your best judgement when allowing things outside of a lab/VM. As someone mentioned above, if you're surfing around and you see x34532.exe pop up with an allow/deny... well hopefully you know what to do there. We may end up changing the way the allow/deny works in the future and we'll have password protection soon.
It's pretty easy to muck things up in the lab by allowing everything then trying to cleanup (not a bad test though).
Just an idea:
Load up a clean VM
Then pass every drive by/malware site you can find attempting to infect the vm (clicking deny of course or set the settings to silent)
and or attempt to run malware from folders on the desktop
That's really the strength of the product; even though the decision is yours, you're always given one.
jmonge
September 1st, 2009, 09:30 AM
Of course drive-by downloads are the modern malware attacks of this time :) especially when websites (legit websites) are compromised
jmonge
September 1st, 2009, 09:33 AM
I personally have this silent ;) and run a scan later to see what was put in jail :)
I noticed that when BluePoint is in silent mode, Prevx is also silent, and when I don't have it silent I get two alerts, one for BluePoint and the other one from Prevx :):)
jmonge
September 1st, 2009, 09:38 AM
I guess Matt forgot to explain in his YouTube video that BP has a silent mode so papa and mama don't get bothered by the pop-ups :argh: So Matt, if you are reading, please re-test ;D
raven211
September 1st, 2009, 03:02 PM
1. Is the white-list only based on your own definitions and not on any risky white-listing methods like Digital Signatures?
2. Will it detect malware that disguises itself for example through a picture-file? Discussion about this type of threat was active very recently if not still active.
3. Is blockage of new versions of trusted software completely avoided through your white-listing of trusted vendors?
dw2108
September 1st, 2009, 07:32 PM
Which operating systems does it support?
Dave
darthsideous666
September 1st, 2009, 08:07 PM
-{ Quote: "Which operating systems does it support?
Dave" }-
From a BluePoint email I received.
"We support Windows XP up through Windows 7 (32 and 64 bit)"
ds
BluePointSecurity
September 2nd, 2009, 08:49 PM
Correct
Saraceno
September 3rd, 2009, 12:06 AM
Few more screenshots...
BluePointSecurity
September 3rd, 2009, 01:24 AM
Saraceno
You beat me to the punch! New version out guys, 1.0.0.66. It will auto update of course, or simply click update.
-Allow/Deny alerts have changed, more informative to the user as to the risk level of the item attempting to execute
-Overall memory utilization reduced
-A few issues were corrected when scanning large (100k+) numbers of threats
BluePoint is currently being tested by an independent research firm as we speak, alongside of a handful of other products. Real-time prevention as well as detection rates will be published shortly. I'll let you know as soon as they are released!
Thanks!
jmonge
September 3rd, 2009, 01:25 AM
-{ Quote: "Saraceno
You beat me to the punch! New version out guys, 1.0.0.66.
-Allow/Deny alerts have changed, more informative to the user as to the risk level of the item attempting to execute
-Overall memory utilization reduced
-A few issues were corrected when scanning large (100k+) numbers of threats
BluePoint is currently being tested by an independent research firm as we speak, alongside of a handful of other products. Real-time prevention as well as detection rates will be published shortly. I'll let you know as soon as they are released!
Thanks!" }-cool :thumb: I was about to complain about a memory leak :):), I am running to update to this new version, thanks again :thumb:
jmonge
September 3rd, 2009, 01:57 AM
These new changes are very cool changes indeed, I noticed that it blocks/deletes malware without user interaction ;) good job buddy :thumb:
jmonge
September 3rd, 2009, 10:03 AM
Yes, I noticed this also, maybe because the database is on the cloud :):)
jmonge
September 3rd, 2009, 11:37 AM
This program is getting better and better in a short time, keep up the good work ;)
BluePointSecurity
September 3rd, 2009, 05:59 PM
-{ Quote: "yes i noticed this also,may be cause the database is on the cloud" }-
Correct, this delay is dependent on your internet connection speed. Of course, even before the analysis is complete, the threat never has a chance to execute (unless you override!).
Our license activation process is similar to Microsoft's, we take a look at key hardware, that's how we knew about the vm/when you reinstall the product. No personal information is collected of course!
Glad to see everyone testing things out, hopefully you find it as effective at preventing the nasty stuff as we do!
BluePointSecurity
September 4th, 2009, 02:50 PM
New articles about BluePoint Security!
What makes BluePoint Security different?
http://www.bluepointsecurity.com/node/93
How many security products do I need to protect my computer?
http://www.bluepointsecurity.com/node/92
Peter2150
September 4th, 2009, 03:41 PM
From the first article:
-{ Quote: "BluePoint Security is the first solution on the market that combines true application whitelisting and powerful antivirus features into one easy to use product. Application whitelisting prevents all types of malware infections known or unknown effectively while our powerful antivirus engine removes any infections your computer may already have." }-
I am not sure I'd totally agree with that. Online Armor ++, and its predecessor Online Armor AV Plus, have been doing that.
I realise there is a certain degree of hyperbole in marketing, but one should be a bit careful.
Pete
jmonge
September 4th, 2009, 04:38 PM
-{ Quote: "New articles about BluePoint Security!
What makes BluePoint Security different?
http://www.bluepointsecurity.com/node/93
How many security products do I need to protect my computer?
http://www.bluepointsecurity.com/node/92" }-Nice reading, thanks.
ako
September 4th, 2009, 06:23 PM
I tested BPS today. It never ended the first scan. After reboot I tried scanning again. It was stuck again. Then it froze my system. After reboot it happened again. I had to finally uninstall it in safe mode. :(
Could you please check compatibility with DW, Prevx, and Winpatrol?
ako
September 4th, 2009, 06:44 PM
I tested BPS, as I think the best security is obtained with a combination of sandboxing (for me now DefenseWall 3.0 beta) and whitelisting (for me now Prevx with age/population heuristics "high"). I'm however interested in alternatives to Prevx, as at the moment it does not YET work exactly the way it should in my opinion (i.e. as a true whitelisting anti-executable). The next version 4 may correct this though.
I of course took system backup before testing - just in case....
ako
September 4th, 2009, 06:50 PM
-{ Quote: "I got the same issues mate, except it didn't freeze my system. I tested in a freshly installed VM XP with no other programs running." }-
Well, this sounds bad! :thumbd:
BluePointSecurity
September 4th, 2009, 07:20 PM
Always keep in mind guys the scanning communicates with the cloud. The first scan of your computer may take a few hours depending on your connection speed. If it appears to be frozen it's most likely just taking a while to scan. After the first initial scan it will complete much faster as we utilize a few caching methods to speed things up. To be honest with you I wouldn't recommend running our product with 3 other security products installed, there's no real point in that. It's not that you can't, just the fact that you'll probably end up with system instability. Our product is really meant to be run as a standalone. If you're testing things in a VM, use BluePoint alone, that way you can fairly judge how things are working. BluePoint is perfectly capable of protecting you without any additional products, in fact that was one of the reasons for developing the product.
BluePointSecurity
September 4th, 2009, 07:37 PM
I don't believe Online Armor ++ is considered a true whitelisting solution as far as I'm aware. Leaving out the whitelisting is like leaving your doors unlocked imho.
Most of what makes our product perform so well at prevention (whether we know about the threat or not) is our implementation of the technology. It's easy to slap a whitelisting or anti-executable label on a product and call it good. It's quite another to design one that is capable of stopping everything without an infection, including scripts. It baffles me why anyone would run anything other than a whitelisting type of solution (ours or not).
Personally speaking, I have yet to find another product that is able to prevent everything I can throw at it and I'm always looking. Most of the product failures I see in my own lab tests are due to one simple fact: they allow code to execute BEFORE analyzing the executable, this is a big no-no. Keep in mind in about 3 lines of code I can wipe an OS! If a product allows me to run any code at all unchecked, it's over. I've recently tested a few of the newer "whitelisting" type products out there and that was the result. Nothing official here, just installing products in a VM and attempting to slip things past them (threats I've written in a lab environment).
Just sharing my opinion, I'm a huge fan of the whitelisting approach and have been for many years.
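The model the post argues for (decide before anything runs, treat everything not on the list as denied until a verdict is in, keep a cache so repeat launches do not wait on the network, and let the user override) can be shown as a small execution gate. This is an added example written for this thread, not BluePoint's code or a description of how the product is actually built; the hash-based allowlist, the cloud lookup callable, the `ExecutionGate`, `decide`, `decide_launch` and `override` names, and the byte strings standing in for files are all assumptions of the example.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class Verdict(Enum):
    """Possible answers from a (hypothetical) cloud reputation lookup."""
    KNOWN_GOOD = "known_good"
    KNOWN_BAD = "known_bad"
    UNKNOWN = "unknown"


def sha256_hex(data: bytes) -> str:
    """Identity of a file for allowlisting purposes: a hash of its contents."""
    return hashlib.sha256(data).hexdigest()


class ExecutionGate:
    """Default-deny gate consulted before anything is allowed to run.

    Order of decision:
      1. local allowlist: OS files recorded at install time, plus user overrides
      2. cached cloud verdicts, so repeat launches do not wait on the network
      3. live cloud lookup; UNKNOWN, KNOWN_BAD or no answer at all is a denial
    """

    def __init__(self, os_allowlist: Set[str], script_hosts: Set[str],
                 cloud_lookup: Callable[[str], Verdict]) -> None:
        self.os_allowlist = set(os_allowlist)
        self.script_hosts = set(script_hosts)      # hashes of interpreters (script host etc.)
        self.user_allowlist: Set[str] = set()
        self.verdict_cache: Dict[str, Verdict] = {}
        self.cloud_lookup = cloud_lookup
        self.cloud_calls = 0                        # counter, to observe the cache working

    def decide(self, file_bytes: bytes) -> Tuple[bool, str]:
        h = sha256_hex(file_bytes)
        if h in self.os_allowlist:
            return True, "allow: OS file recorded at install"
        if h in self.user_allowlist:
            return True, "allow: user override"
        verdict = self.verdict_cache.get(h)
        if verdict is None:
            try:
                verdict = self.cloud_lookup(h)
            except (TimeoutError, ConnectionError):
                # Fail closed: without a verdict the file does not run.
                return False, "deny: cloud unreachable, no verdict"
            self.cloud_calls += 1
            self.verdict_cache[h] = verdict
        if verdict is Verdict.KNOWN_GOOD:
            return True, "allow: cloud known-good"
        if verdict is Verdict.KNOWN_BAD:
            return False, "deny: cloud known-bad"
        return False, "deny: unknown program (user may override)"

    def decide_launch(self, host_bytes: bytes,
                      script_bytes: Optional[bytes] = None) -> Tuple[bool, str]:
        """Judge a launch by the code that will actually run.

        An allowlisted interpreter started with a script is judged by the script;
        otherwise .vbs/.bat content would ride in on the OS-supplied host's trust.
        """
        allowed, reason = self.decide(host_bytes)
        if allowed and script_bytes is not None and sha256_hex(host_bytes) in self.script_hosts:
            return self.decide(script_bytes)
        return allowed, reason

    def override(self, file_bytes: bytes) -> None:
        """Record the user's explicit decision to allow an otherwise-denied file."""
        self.user_allowlist.add(sha256_hex(file_bytes))


# Constructed stand-ins for file contents (not real binaries).
OS_FILE = b"constructed: an OS binary recorded at install"
SCRIPT_HOST = b"constructed: the OS script interpreter"
VENDOR_APP = b"constructed: a widely used program the cloud knows as good"
MALWARE = b"constructed: a sample the cloud knows as bad"
NICHE_APP = b"constructed: a legitimate program nobody has seen before"
UNKNOWN_SCRIPT = b"constructed: a .vbs the user double-clicked"


def constructed_cloud(h: str) -> Verdict:
    """Stand-in for the reputation service; answers from a fixed table."""
    table = {sha256_hex(VENDOR_APP): Verdict.KNOWN_GOOD,
             sha256_hex(MALWARE): Verdict.KNOWN_BAD}
    return table.get(h, Verdict.UNKNOWN)


def unreachable_cloud(h: str) -> Verdict:
    """Stand-in for a lookup that times out (no network)."""
    raise TimeoutError("reputation service unreachable")


def new_gate(cloud: Callable[[str], Verdict] = constructed_cloud) -> ExecutionGate:
    """Gate as it would look right after install: only OS files are trusted."""
    return ExecutionGate({sha256_hex(OS_FILE), sha256_hex(SCRIPT_HOST)},
                         {sha256_hex(SCRIPT_HOST)}, cloud)


if __name__ == "__main__":
    gate = new_gate()
    for name, data in [("os file", OS_FILE), ("vendor app", VENDOR_APP),
                       ("malware", MALWARE), ("niche app", NICHE_APP)]:
        print(f"{name:10s} -> {gate.decide(data)}")
    print("script via host ->", gate.decide_launch(SCRIPT_HOST, UNKNOWN_SCRIPT))
    gate.override(NICHE_APP)
    print("after override  ->", gate.decide(NICHE_APP))
```

Two design points are worth noticing. The gate never has a state in which a file runs while its verdict is pending: a cache miss blocks until the lookup answers, and a lookup failure is a denial rather than a pass. The usability cost is the other side of the same coin: a legitimate program the reputation service has never seen gets the same "deny: unknown" as a fresh sample, and the only way it runs is a deliberate override, which is exactly the prompt users see.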
BluePointSecurity
September 4th, 2009, 07:38 PM
ssj100:
Try scanning with the settings set to executables only, that should really speed up the scan.
BluePointSecurity
September 4th, 2009, 07:44 PM
Sounds good, let me know. I do really appreciate everyone's efforts to test things out, the product has already improved directly from your efforts! Keep it up!
darthsideous666
September 4th, 2009, 09:23 PM
Well I was able to get it installed and run a scan without a problem. My issue is the fact that it will not start automatically and it will not enable the protection?
BluePointSecurity
September 4th, 2009, 10:26 PM
Sent you an email
jmonge
September 5th, 2009, 01:02 AM
-{ Quote: "I tested BPS today. It never ended the first scan. After reboot I tried scanning again. It was stuck again. Then it froze my system. After reboot it happened again. I had to finally uninstall it in safe mode. :(
Could you please check compatibility with DW, Prevx, and Winpatrol?" }-
I knew it ;D I have Prevx and BPS and same as you when I run a full scan with either one ???
jmonge
September 5th, 2009, 01:04 AM
-{ Quote: "Well, this sounds bad! :thumbd:" }-No, no, no, BPS alone is fine 8) fast here using same XP ;D I think the problem is with Prevx.
ako
September 5th, 2009, 05:26 AM
I installed BPS into clean, updated virtual machine. Here's the result >:(
Perhaps there is still some work to be done :dry:
Hopefully it works some day, the idea is very appealing to me.
BluePointSecurity
September 5th, 2009, 11:44 AM
Very strange! I've never seen any issues in a clean vm. It does that right after install? Would you mind sending us the data from the error report -> support@bluepointsecurity.com
We'll be testing prevx and a few other products to make sure they play nice together if possible this week.
SIR****TMG
September 5th, 2009, 11:54 AM
With all the good reviews about this product, and with this site testing it out, it makes me want to buy the product as this site always tells the truth here. But I too run the same good programs as most here do. I can't see paying for this product yet while the bugs are getting worked out here. Maybe later I'll put my money out for it too.
BluePointSecurity
September 5th, 2009, 11:59 AM
I'm having the team ensure BluePoint works with a few of the popular products such as sandboxie, defensewall and prevx. We can't control how other vendors work with us but we'll do our best.
As far as running the product as a standalone you should be fine, most of the issues we've seen are with running multiple products at the same time. While you may be more secure running multiple products, it can be a delicate dance as far as stability goes as many of the products play in the same areas of the os.
I'll keep you posted.
jmonge
September 5th, 2009, 12:41 PM
-{ Quote: "I'm having the team ensure BluePoint works with a few of the popular products such as sandboxie, defensewall and prevx. We can't control how other vendors work with us but we'll do our best.
As far as running the product as a standalone you should be fine, most of the issues we've seen are with running multiple products at the same time. While you may be more secure running multiple products, it can be a delicate dance as far as stability goes as many of the products play in the same areas of the os.
I'll keep you posted." }-
Yes, Blue Point alone is fine, fast scanning and without freezing :thumb:
ako
September 5th, 2009, 01:38 PM
-{ Quote: "I'm having the team ensure BluePoint works with a few of the popular products such as sandboxie, defensewall and prevx. We can't control how other vendors work with us but we'll do our best.
As far as running the product as a standalone you should be fine, most of the issues we've seen are with running multiple products at the same time. While you may be more secure running multiple products, it can be a delicate dance as far as stability goes as many of the products play in the same areas of the os.
I'll keep you posted." }-
Please put WinPatrol on this list. It is a very handy administrative tool against many nasties, as can be seen below :)
ako
September 5th, 2009, 01:49 PM
-{ Quote: "yes Blue Point Alone is fine, fast scaning and freezing:thumb:" }-
Born to be optimist? ;D
firzen771
September 5th, 2009, 01:58 PM
HOLY ~snip - Possibly Offensive Phrase Removed as per TOS (http://www.wilderssecurity.com/tos.php)~, I've never seen soooo many startup programs on 1 system ako.... :o
ako
September 5th, 2009, 02:21 PM
-{ Quote: "HOLY ~snip - Possibly Offensive Phrase Removed as per TOS (http://www.wilderssecurity.com/tos.php)~, I've never seen soooo many startup programs on 1 system ako.... :o" }-
Well, everyone tries to make their software autorun nowadays. >:(
firzen771
September 5th, 2009, 02:30 PM
-{ Quote: "Well, everyone tries to make their software autorun nowadays. >:(" }-
Very true, that's why I'm always pruning my autoruns and services with WinPatrol since everything tries to auto start as you said. That's why WinPatrol is so irreplaceable for me :)
ako
September 5th, 2009, 02:40 PM
-{ Quote: "Very strange! I've never seen any issues in a clean vm. It does that right after install? Would you mind sending us the data from the error report -> support@bluepointsecurity.com
We'll be testing prevx and a few other products to make sure they play nice together if possible this week." }-
Right after install.
darthsideous666
September 5th, 2009, 03:07 PM
-{ Quote: "I installed BPS into clean, updated virtual machine. Here's the result >:(
Perhaps there is still some work to be done :dry:
Hopefully it works some day, the idea is very appealing to me." }-
I seem to have been able to fix my original problem with an uninstall and reinstall. I am now seeing the same issue as ako (absent the VM). I am getting the error report during the running or updating of other programs. I ran ccleaner and encountered the error and again when I updated SUPERAntiSpyware (which is not running realtime).???
Peter2150
September 5th, 2009, 04:06 PM
-{ Quote: "I don't believe Online Armor ++ is considered a true whitelisting solution as far as I'm aware. Leaving out the whitelisting is like leaving your doors unlocked imho.
Most of what makes our product perform so well at prevention (whether we know about the threat or not) is our implemenation of the technology. It's easy to slap a whitelisting or antiexecutable label on a product and call it good. It's quite another to design one that is capable of stopping everything without an infection, including scripts. It baffles me why anyone would run anything other than a whitelisting type of solution (ours or not).
Personally speaking, I have yet to find another product that is able to prevent everything I can throw at it and I'm always looking. Most of the product failures I see in my own lab tests are due to one simple fact; They allow code to execute BEFORE analyzing the executable, this is a big no no. Keep in mind in about 3 lines of code I can wipe an os! If a product allows me to run any code at all unchecked, it's over. I've recently tested a few of the newer "whitelisting" type products out there and that was the result. Nothing official here, just installing products in a vm and attempting to slip things past them (threats i've written in a lab environment).
Just sharing my opinion, I'm a huge fan of the whitelisting approach and have been for many years." }-
My gut reaction to the whitelisting enthusiasm was negative, but I wanted to test before saying anything. Having tested, it's still quite negative.
I have a lot on this machine. Right now with only my browser active I have 99 processes running, and it's all stuff I use.
I've tested whitelisting apps like Faronic's Anti-Executable. It works well, but as much as my system changes it was just a pain.
I installed BluePoint with the idea of how it would serve for someone not conversant in security software or all that system aware. Since a reboot wasn't called for at first I didn't. I started trying software and got several unknown program pop-ups. At that point I rebooted.
On reboot, half of my startup programs didn't run. I started one manually (Desktop Clock) and got the pop up with the buttons whited out. Had to power reset. Clearly most of the office programs were fine, but half of my utilities generated unknown program alerts. Then I tried my trading programs. To a one, they were all unknown.
This is the problem with "cloud" whitelisting. You can never have a complete list of all the software out there.
So the current solution ends up with two results. Either someone blocks something they shouldn't and has a mess, or they get in the habit of allowing, and end up allowing something they shouldn't.
I think BluePoint is fine for users who understand their system and software, but non-techie users could get in trouble.
Pete
ako
September 5th, 2009, 04:10 PM
-{ Quote: "My gut reaction to the whitelisting enthusiasm was negative, but I wanted to test before saying anything. Having tested, it's still quite negative.
I have a lot on this machine. Right now with only my browser active I have 99 processes running, and it's all stuff I use.
I've tested whitelisting apps like Faronic's Anti-Executable. It works well, but as much as my system changes it was just a pain.
I installed BluePoint with the idea of how it would serve for someone not conversant in security software or all that system aware. Since a reboot wasn't called for at first I didn't. I started trying software and got several unknown program pop-ups. At that point I rebooted.
On reboot, half of my startup programs didn't run. I started one manually (Desktop Clock) and got the pop up with the buttons whited out. Had to power reset. Clearly most of the office programs were fine, but half of my utilities generated unknown program alerts. Then I tried my trading programs. To a one, they were all unknown.
This is the problem with "cloud" whitelisting. You can never have a complete list of all the software out there.
So the current solution ends up with two results. Either someone blocks something they shouldn't and has a mess, or they get in the habit of allowing, and end up allowing something they shouldn't.
I think BluePoint is fine for users who understand their system and software, but non-techie users could get in trouble.
Pete" }-
I look forward to Prevx 4.0. It could give a reasonably clever (big enough database) white-listing anti-exe.
BluePointSecurity
September 5th, 2009, 04:28 PM
-{ Quote: "I've tested whitelisting apps like Faronic's Anti-Executable. It works well, but as much as my system changes it was just a pain." }-
Agreed, many techies' systems change on a daily basis, whitelisting may be an issue at that point. But the average casual user is checking email, Facebook etc., it's perfect for that type of user.
Whitelisting is definitely a challenge to implement but I would far rather work towards a smooth whitelisting solution than working with any other security model, there's just too many ways around them/flaws.
Also, we really try to stray away from being the decision maker when it comes to "trusted" software. I wouldn't trust a vendor that decides to be the whitelisting czar. If and when they start making mistakes whitelisting apps, it would defeat the benefits of whitelisting in the first place. Just my opinion.
BluePointSecurity
September 5th, 2009, 04:29 PM
ako
I can't replicate the same issue in a clean vm, not seeing any problems. Can you tell me what service pack and language your vm is running? Also, what version of the .net framework is installed?
ako
September 5th, 2009, 04:44 PM
-{ Quote: "ako
I can't replicate the same issue in a clean vm, not seeing any problems. Can you tell me what service pack and language your vm is running? Also, what version of the .net framework is installed?" }-
System Security Status CIS Benchmark Score
1,88 of 10 (details...)
Virus Protection
Unknown
Microsoft Security Updates
1 missing
--------------------------------------------------------------------------------
Computer Profile Summary
Computer Name: Bb-2654cddbcdb5 (in TYÖRYHMÄ)
Profile Date: 5. syyskuuta 2009 23:41:00
Advisor Version: 8.1b
Windows Logon: admin
Operating System System Model
Windows XP Professional Service Pack 2 (build 2600)
Install Language: suomi
System Locale: suomi VMware, Inc. VMware Virtual Platform
System Serial Number: VMware-56
Enclosure Type: Other
Processor a Main Circuit Board b
2,40 gigahertz Intel Pentium 4
8 kilobyte primary memory cache
512 kilobyte secondary memory cache
Not hyper-threaded Board: Intel Corporation 440BX Desktop Reference Platform
BIOS: Phoenix Technologies LTD 6.00 12/03/2005
Drives Memory Modules c,d
6,43 Gigabytes Usable Hard Drive Capacity
2,72 Gigabytes Hard Drive Free Space
BENQ DVD DD DW1640 [CD-ROM drive]
Levykeasema [Floppy drive]
VMware Virtual IDE Hard Drive [Hard drive] (6,44 GB) -- drive 0, s/n 00000000000000000001, rev 00000001, Not SMART 456 Megabytes Usable Installed Memory
Slot 'RAM slot #0' has 256 MB
Slot 'RAM slot #1' has 128 MB
Slot 'RAM slot #2' has 64 MB
Slot 'RAM slot #3' has 8 MB
Local Drive Volumes
c: (NTFS on drive 0) 6,43 GB 2,72 GB free
Network Drives
None detected
Users (mouse over user name for details) Printers
local user accounts last logon
admin 5.9.2009 21:37:56 (admin)
local system accounts
HelpAssistant never
Järjestelmänvalvoja never (admin)
SUPPORT_388945a0 never
Vieras never
Marks a disabled account; Marks a locked account None detected
Controllers Display
Standardi levykeasemaohjain [Controller]
Ensisijainen IDE-kanava [Controller]
Intel(R) 82371AB/EB PCI Bus Master IDE Controller
Toissijainen IDE-kanava [Controller] VMware SVGA II [Display adapter]
Bus Adapters Multimedia
VMware SCSI Controller
Intel(r) 82371AB/EB PCI to USB Universal Host Controller Creative AudioPCI (ES1371,ES1373) (WDM)
Game Port for Creative
Virus Protection [Back to Top] new Group Policies
No details available None discovered
Communications Other Devices
VMware Accelerated AMD PCNet Adapter
primary Auto IP Address: 192.168.0.104 / 24
Gateway: 192.168.0.1
Dhcp Server: 192.168.0.1
Physical Address: 00:0C:29:9B:E7:84
Networking Dns Server: 192.168.0.1
Microsoft AC Adapter
Standardi 101/102-näppäiminen tai Microsoft Natural PS/2 Keyboard
VMware Pointing Device [Mouse]
USB Root Hub
new Network Map (mouse over IP address for physical address) [Back to Top]
IP Device Type Device Details Device Roles
192.168.0.1 Router D-Link DHCP Server, Gateway, Domain Name Server, Web Server
192.168.0.100 Muumilaakso (in MSHOME) Browse Master
192.168.0.104 Windows XP Workstation Bb-2654cddbcdb5 (in TYÖRYHMÄ), VMware
Missing Microsoft Security Hotfixes [Back to Top]
These required security hotfixes (using the 08/11/2009 Microsoft Security Bulletin Summary) were not found installed. Note: CIS benchmarks require that Critical and Important severity security hotfixes must be installed.
Q928365 - Critical (details...)
Software Licenses [Back to Top]
Belarc - Advisor adeca0bd
Microsoft - Internet Explorer 55697
Microsoft - Windows XP Professional 55697-649-6478953-23529 (Key: RH)
new Software Versions & Usage (mouse over i for details, click i for location) [Back to Top]
ı i Belarc, Inc. - Advisor Version 8.1b
ı i BluePoint Personal Edition Version 1.0.0.66
i Cinematronics - 3D Pinball Version 5.1.2600.2180
i Igor Pavlov - 7-Zip Version 4.29 beta
i Microsoft (r) Windows Script Host Version 5.6.0.8820
ı i Microsoft Corporation - Internet Explorer Version 6.00.2900.2180
ıııı i Microsoft Corporation - Messenger Version 4.7.3001
ı i Microsoft Corporation - Windows Installer - Unicode Version 3.1.4000.1823
i Microsoft Corporation - Windows Movie Maker Version 2.1.4026.0 i Microsoft Corporation - Windows® NetMeeting® Version 3.01
i Microsoft Corporation - Zone.com Version 1.2.626.1
i Microsoft Data Access Components Version 3.525.1117.0
ıııı i Microsoft(R) Windows Media Player Version 9.00.00.3250
i Microsoft® .NET Framework Version 2.0.50727.42
ı i VMware Tools Service Version 5.0.0 build-13124
ı i VMware Tools Tray Version 5.0.0 build-13124
ı i VMware User Process Version 5.0.0 build-13124
ı Marks software last used within the past 7 days.
ıı Marks software last used within the past 90 days, but over 7 days ago.
ııı Marks software last used within the past year, but over 90 days ago.
ıııı Marks software last used over 1 year ago.
Unmarked software lacks the data to determine last use.
Installed Microsoft Hotfixes [Back to Top]
Internet Explorer
SP2 (SP2)
WGA
SP0
KB892130 on 3.1.2008 (details...)
Windows Media Player 6.4
SP0
KB925398_WMP64 on 4.1.2008 (details...)
Windows Media Player 9
SP2
KB936782_WMP9 on 4.1.2008 (details...)
Windows Media Player
SP0
KB911564 on 4.1.2008 (details...)
KB952069_WM9 on 30.3.2009 (details...)
KB973540_WM9L on 5.9.2009 (details...)
Windows XP
SP0
KB941569 on 4.1.2008 (details...)
SP3
KB873339 on 4.1.2008 (details...)
KB885835 on 4.1.2008 (details...)
KB885836 on 4.1.2008 (details...)
KB886185 on 4.1.2008 (details...)
KB887472 on 4.1.2008 (details...)
KB888302 on 4.1.2008 (details...)
KB890046 on 4.1.2008 (details...)
KB890859 on 4.1.2008 (details...)
KB891781 on 4.1.2008 (details...)
KB893756 on 4.1.2008 (details...)
KB893803V2 on 1.1.2008 (details...)
KB894391 on 4.1.2008 (details...)
KB896358 on 4.1.2008 (details...)
KB896423 on 4.1.2008 (details...)
KB896428 on 4.1.2008 (details...)
KB898461 on 1.1.2008 (details...)
KB899587 on 4.1.2008 (details...)
KB899591 on 4.1.2008 (details...)
KB900485 on 4.1.2008 (details...)
KB900725 on 4.1.2008 (details...)
KB901017 on 4.1.2008 (details...)
KB901214 on 4.1.2008 (details...)
KB902400 on 4.1.2008 (details...)
KB905414 on 4.1.2008 (details...)
KB905749 on 4.1.2008 (details...)
KB908519 on 4.1.2008 (details...)
KB908531 on 4.1.2008 (details...)
KB910437 on 4.1.2008 (details...)
KB911280 on 4.1.2008 (details...)
KB911562 on 4.1.2008 (details...)
KB911927 on 4.1.2008 (details...)
KB913580 on 4.1.2008 (details...)
KB914388 on 4.1.2008 (details...)
KB914389 on 4.1.2008 (details...)
KB916595 on 4.1.2008 (details...)
KB917953 on 4.1.2008 (details...)
KB918118 on 4.1.2008 (details...)
KB918439 on 4.1.2008 (details...)
KB919007 on 4.1.2008 (details...)
KB920213 on 4.1.2008 (details...)
KB920670 on 4.1.2008 (details...)
KB920683 on 4.1.2008 (details...)
KB920685 on 4.1.2008 (details...)
KB920872 on 4.1.2008 (details...)
KB921503 on 4.1.2008 (details...)
KB922582 on 4.1.2008 (details...)
KB922819 on 4.1.2008 (details...)
KB923191 on 4.1.2008 (details...)
KB923414 on 4.1.2008 (details...)
KB923980 on 4.1.2008 (details...)
KB924270 on 4.1.2008 (details...)
KB924496 on 4.1.2008 (details...)
KB924667 on 4.1.2008 (details...)
KB925902 on 4.1.2008 (details...)
KB926255 on 4.1.2008 (details...)
KB926436 on 4.1.2008 (details...)
KB927779 on 4.1.2008 (details...)
KB927802 on 4.1.2008 (details...)
KB927891 on 4.1.2008 (details...)
KB928255 on 4.1.2008 (details...)
KB928843 on 4.1.2008 (details...)
KB929123 on 4.1.2008 (details...)
KB930178 on 4.1.2008 (details...)
KB930916 on 4.1.2008 (details...)
KB931261 on 4.1.2008 (details...)
KB931784 on 4.1.2008 (details...)
KB932168 on 4.1.2008 (details...)
KB933729 on 4.1.2008 (details...)
KB935839 on 4.1.2008 (details...)
KB935840 on 4.1.2008 (details...)
KB936021 on 4.1.2008 (details...)
KB936357 on 4.1.2008 (details...)
KB937894 on 4.1.2008 (details...)
KB938127 on 4.1.2008 (details...)
KB938828 on 4.1.2008 (details...)
KB938829 on 4.1.2008 (details...)
KB941202 on 4.1.2008 (details...)
KB941568 on 4.1.2008 (details...)
KB942615 on 4.1.2008 (details...)
KB942763 on 4.1.2008 (details...)
KB942840 on 4.1.2008 (details...)
KB943055 on 5.9.2009 (details...)
KB943460 on 4.1.2008 (details...)
KB944338-V2 on 30.3.2009 (details...)
KB944653 on 4.1.2008 (details...)
KB945553 on 5.9.2009 (details...)
KB946026 on 5.9.2009 (details...)
KB946627 on 30.3.2009 (details...)
KB950749 on 5.9.2009 (details...)
KB958470 on 5.9.2009 (details...)
KB971032 on 5.9.2009 (details...)
SP4
KB923561 on 5.9.2009 (details...)
KB938464-V2 on 30.3.2009 (details...)
KB946648 on 30.3.2009 (details...)
KB950760 on 30.3.2009 (details...)
KB950762 on 30.3.2009 (details...)
KB950974 on 30.3.2009 (details...)
KB951066 on 30.3.2009 (details...)
KB951376-V2 on 30.3.2009 (details...)
KB951698 on 30.3.2009 (details...)
KB951748 on 30.3.2009 (details...)
KB952004 on 5.9.2009 (details...)
KB952287 on 30.3.2009 (details...)
KB952954 on 30.3.2009 (details...)
KB954600 on 30.3.2009 (details...)
KB955069 on 30.3.2009 (details...)
KB955839 on 30.3.2009 (details...)
KB956572 on 5.9.2009 (details...)
KB956802 on 30.3.2009 (details...)
KB956803 on 30.3.2009 (details...)
KB956841 on 30.3.2009 (details...)
KB957097 on 30.3.2009 (details...)
KB958215 on 30.3.2009 (details...)
KB958644 on 30.3.2009 (details...)
KB958687 on 30.3.2009 (details...)
KB958690 on 30.3.2009 (details...)
KB959426 on 5.9.2009 (details...)
KB960225 on 30.3.2009 (details...)
KB960714 on 30.3.2009 (details...)
KB960715 on 30.3.2009 (details...)
KB960803 on 5.9.2009 (details...)
KB960859 on 5.9.2009 (details...)
KB961371-V2 on 5.9.2009 (details...)
KB961501 on 5.9.2009 (details...)
KB967715 on 30.3.2009 (details...)
KB968537 on 5.9.2009 (details...)
KB970238 on 5.9.2009 (details...)
KB970653-V3 on 5.9.2009 (details...)
KB971557 on 5.9.2009 (details...)
KB971633 on 5.9.2009 (details...)
KB971657 on 5.9.2009 (details...)
KB972260 on 5.9.2009 (details...)
KB973346 on 5.9.2009 (details...)
KB973354 on 5.9.2009 (details...)
KB973507 on 5.9.2009 (details...)
KB973815 on 5.9.2009 (details...)
KB973869 on 5.9.2009 (details...)
Marks a security hotfix (using the 08/11/2009 Microsoft Security Bulletin Summary)
Marks a security hotFix that fails verification (a security vulnerability)
Marks a hotfix that verifies correctly
Marks a hotfix that fails verification (note that failing hotfixes need to be reinstalled)
Unmarked hotfixes lack the data to allow verification
--------------------------------------------------------------------------------
a. Processor clock speed is measured at computer start-up, and on laptops may be impacted by power option settings.
b. Data may be transferred on the bus at one, two, or four times the Bus Clock rate.
c. Memory slot contents may not add up to Installed Memory if some memory is not recognized by Windows.
d. Memory slot contents is reported by the motherboard BIOS. Contact system vendor if slot contents are wrong.
e. This is the manufacturer's factory installed product key rather than yours. You can change it to your product key here [url]http://go.microsoft.com/fwlink/?LinkId=45668[/url] for Windows, or here [url]http://support.microsoft.com/?kbid=895456[/url] for Office.
--------------------------------------------------------------------------------
raven211
September 5th, 2009, 04:53 PM
-{ Quote: "Agreed, many techies' systems change on a daily basis, whitelisting may be an issue at that point. But the average casual user is checking email, Facebook etc., it's perfect for that type of user.
Whitelisting is definitely a challenge to implement but I would far rather work towards a smooth whitelisting solution than working with any other security model, there's just too many ways around them/flaws.
Also, we really try to stray away from being the decision maker when it comes to "trusted" software. I wouldn't trust a vendor that decides to be the whitelisting czar. If and when they start making mistakes whitelisting apps, it would defeat the benefits of whitelisting in the first place. Just my opinion." }-
Your opinion on ThreatFire? I consider it using a white-list (and black-list) approach, but detection instead based on behavior.
BluePointSecurity
September 5th, 2009, 05:08 PM
Haven't tested/checked out ThreatFire lately, I'll give it a look.
BluePointSecurity
September 5th, 2009, 05:42 PM
Just performed a small amount of testing with several products installed on the same vm. We'll continue more shortly, just wanted to take a quick look at things.
WinPatrol v 16.1.2009.1
Prevx v3.0.1.65
Online Armor Personal Firewall ++ v3.5.0.32
WinPatrol doesn't appear to cause any issues when combined with BluePoint.
Online Armor seems to work fairly well with BluePoint, although I wasn't able to update BluePoint even after allowing the outbound in the firewall. I suspect that it's just a setting (didn't have time to dig through it). I disabled it and was able to update BluePoint without issues.
Prevx and BluePoint seemed to be the most incompatible together in the same vm. The vm was very very sluggish (and this server is a dual quad core xeon!). I would not recommend running these two products on the same machine. The slowdown from Prevx alone in the vm seemed quite considerable. Prevx and BluePoint perform similar duties, I would suggest testing threats against them in a lab environment (attempt to infect) and make your own conclusions. Go with what you feel most comfortable with.
As I've stated before I would strongly discourage running 3+ security programs at the same time, especially if they are performing real-time monitoring. The result of 3+ real-time monitoring programs hooking into the same areas of your OS will be performance issues at the very least; instability is also quite likely. As a general rule of thumb, having more than one product hooked into the same areas is a dangerous proposition. Non real-time protection programs are far less likely to cause compatibility issues with BluePoint.
Keep in mind, disabling security products doesn't necessarily remove the OS hooks, and these hooks are usually the causes of compatibility problems. So try to install BluePoint as a true standalone.
Personally, instead of running 3 or 4 programs to remain protected, I would seek out 1 that can do the job alone. There are less than a handful of them I would consider up to that job. As always, choose what makes you comfortable.
This isn't definitive and we'll continue cross testing.
BluePointSecurity
September 5th, 2009, 05:44 PM
ako,
Thanks for the detailed information. Nothing jumps out at me as being the problem. My strong suspicions are either a corrupt .NET framework or a language issue. It doesn't like something about that vm for some reason. I can tell you if clean machines wouldn't install we'd be flooded with support calls, so it must be something specific to that machine. I'm checking into the language you're using to see if that causes any issues.
BluePointSecurity
September 5th, 2009, 06:08 PM
-{ Quote: "Your opinion on ThreatFire? I consider it using a white-list (and black-list) approach, but detection instead based on behavior." }-
I'm always happy to share my opinion as you all know! ;D
I checked out ThreatFire with my usual quick test method which is:
1. Install on clean vm
2. Update
3. Reboot
4. Attempt infection with a few common in the wild threats
5. Attempt infection with newer less known threats
6. Attempt to execute keylogger (we created)
7. Attempt to destroy vm with threat that deletes key windows dll's within about 5 seconds after execution (we created)
I rate products by how far along this list they are able to survive as threats higher in this list are more difficult to prevent, especially since they are not on defs and we created them! Most of them fail at step 4-5.
This one made it to step 6, which while not perfect is quite good actually.
I tend to be a security purist, meaning I look for as close to 100% prevention out of a product as possible. I look to solve the malware problem, not to clean up their messes after the fact; I'm tired of cleaning them up. At this point I believe in technologies based upon sandboxing or whitelisting; I've personally seen all other technologies fail time after time in real world tests. I'd love to post reviews as I've seen far too many reviews performed by unqualified people (names withheld). Many of these reviewers are doing a massive disservice to users as they are "passing" products that have clearly failed at prevention, even in their own video reviews.
Since you are aware of the technology BluePoint is based upon, you can probably guess how far down the list it survives ;)
Smokey
September 5th, 2009, 06:18 PM
-{ Quote: "I've started this thread to answer any product related questions anyone may have about the product or how things work.
Ask away!" }-
Thanks for the kind invitation. If I understand well, the BluePoint Security approach is: "deny the unknown".
IMHO a direct download link to an exe file in your sig doesn't fit in that approach.. ::)
<S>
Smokey
September 5th, 2009, 06:28 PM
-{ Quote: "... as I've seen far too many reviews performed by unqualified people (names withheld). Many of these reviewers are doing a massive disservice to users as they are "passing" products that have clearly failed at prevention, even in their own video reviews." }-
This thread can turn into an interesting one. :D Please provide us with names and facts to back up your statements. :)
<S>
bellgamin
September 5th, 2009, 06:33 PM
-{ Quote: "Out of the box simplicity is one of them.
Take a look at this screenshot:
http://www.torchsoft.com/images/md_screenshot.jpg
Grandma certainly isn't figuring that one out anytime soon." }-I am a GrandPa (& then some) & I understand Malware Defender (MD) pretty good, including your screenie. So also does my great-granddaughter Amy (age 9). She is adept with several classic HIPS, including D+ & MD.
Classic HIPS enable power-users & tweak-freaks to have control-to-the-max. However, a neophyte can use MD easily by putting it in "Learn Mode" for a while, & then "rig for silent running" (Silent mode). A neophyte user of MD need never mess with (or even see) the MD screen you showed unless s/he wants to learn.
darthsideous666
September 5th, 2009, 07:40 PM
This thread is starting to go in the wrong direction again:-\ . Us vs Them::) seems to be getting thrown back into it. Whether the product is beneficial to the user, how and why, that is what is important folks (I think??? ). Independent test results are good as well!:doubt:
Just my thoughts.
ds
jmonge
September 5th, 2009, 07:45 PM
For me, my own personal test is the best, because you prove it yourself. You know some test reviewers don't tell the truth ;D It is better if we as users are the judge, well, after testing :)
raven211
September 6th, 2009, 05:39 AM
-{ Quote: "I'm always happy to share my opinion as you all know! ;D
I checked out ThreatFire with my usual quick test method which is:
1. Install on clean vm
2. Update
3. Reboot
4. Attempt infection with a few common in the wild threats
5. Attempt infection with newer less known threats
6. Attempt to execute keylogger (we created)
7. Attempt to destroy vm with threat that deletes key windows dll's within about 5 seconds after execution (we created)
I rate products by how far along this list they are able to survive as threats higher in this list are more difficult to prevent, especially since they are not on defs and we created them! Most of them fail at step 4-5.
this one made it to step 6, which while not perfect is quite good actually.
I tend to be a security purist, meaning I look for as close to 100% prevention out of a product as possible. I look to solve the malware problem, not to cleanup their messes after the fact, I'm tired of cleaning them up. At this point I believe in technologies based upon sandboxing or whitelisting, I've personally seen all other technologies fail time after time in real world tests. I'd love to post reviews as I've seen far too many reviews performed by unqualified people (names withheld). Many of these reviewers are doing a massive disservice to users as they are "passing" products that have clearly failed at prevention, even in their own video reviews.
Since you are aware of the technology BluePoint is based upon, you can probably guess how far down the list it survives ;)" }-
Interesting... in other words, running things under a LUA, which most users normally should - but don't - ThreatFire would have been "good enough" in theory. ;D Thanks for your testing and insight on my query. :)
raven211
September 6th, 2009, 05:42 AM
-{ Quote: "This thread is starting to go in the wrong direction again:-\ . Us vs Them::) seems to be getting thrown back into it. Whether the product is beneficial to the user, how and why, that is what is important folks (I think??? ). Independent test results are good as well!:doubt:
Just my thoughts.
ds" }-
At least I definitely respect your opinion, but just as I thought, my query led to better understanding, both of the effectiveness of one of my products of choice and the philosophy, insight and professionalism of BluePoint as a company.
ako
September 6th, 2009, 06:52 AM
I installed BPS inside a VM with English XP. Now it worked. Small test:
Allowed: FS blacklight, Processexplorer, Hitman pro, Adobe reader, a2, CIS-installer, MBAM, Unhackme
Blocked: IE (sic!, pic 1), Realplayer (pic 2), GMER (high risk), Quicktime, AVZ
The analysis never allowed execution and took too much time - minute or so.
Allowed execution of malware when installation was inside Defencewall (pic 3). (Blocked this one as unknown outside of DW.)
Did not block a pdf-exploit (pic 4). Allowed even registry modification before seeing something! (pic 5)
I am not convinced. :thumbd: :dry:
ako
September 6th, 2009, 07:04 AM
Two more pictures: HOSTS changed, Hitman Pro scan after the exploit. (3 dead files from another test, not related to BPS.)
ako
September 6th, 2009, 09:08 AM
Final picture. Scanning finds all malware files (Hitman Pro scan after BPS cleaning is clean.) Why did real-time fail?
BluePointSecurity
September 6th, 2009, 11:00 AM
Good to hear it's running in the new vm.
-{ Quote: "Allowed execution of malware when installation was inside Defencewall" }-
Are you clicking allow to test infecting the machine? Once you click override or allow you may very well end up infected and have to resort to a scan to clean things up.
All security apps have settings or alerts you can override, it doesn't really prove anything to override all of the alerts to show infection, it's also a bit misleading.
A better test would be to click deny on everything during the test and then determine if anything was modified. As a side note it looks like you're a few versions back, check for updates.
-{ Quote: "The analysis never allowed execution and took too much time - minute or so." }-
The analysis will never allow execution no matter what risk rating/result we give the item. That's more Prevx's style. We never allow anything that's not known to us to be safe; allowing items after analysis would be heuristics/defs and that's not how BluePoint works, whitelisting only. Allowing items that appear to be "safe" can result in failure to prevent. It's up to you the user to determine if you want to allow execution. If you're browsing around and you see the notification popup, it's quite likely it needs to be denied. The latest version is also more informative with the alerts.
BluePointSecurity
September 6th, 2009, 11:04 AM
-{ Quote: "Scanning finds all malware files (Hitman pro scan after BPS cleaning clean.)" }-
Also good to hear, a few have done testing and have reported nothing was detected when malware was present ??? . Without seeing their setup it's tough to tell why that happened (settings possibly?). Either way our detection rates are very very good (a few sites are testing as we speak). I think you'll be pleasantly surprised when our detection rate percentages are released here in the next few weeks :)
jmonge
September 6th, 2009, 11:04 AM
Blue Point Shield didn't fail; bet if you test BPS alone it will block all those malware you tested ;D I recognize all those malware that you use, and even more I tested against Blue Point, and Blue Point cleaned the house very easily. You may have a conflict between security software ;D Did you try BPS alone like I did? Try that :)
BluePointSecurity
September 6th, 2009, 11:08 AM
I "think" he clicked allow on the items to see how it responds/deals with that type of situation. I would have a hard time understanding how that many executables were allowed to execute without permission.
ako, let us know on this one.
Thanks!
jmonge
September 6th, 2009, 11:21 AM
Of course if I click allow it will go, and even like that the scanner will remove them after all :) What I do is I wait a few seconds after running malware and for sure it will be auto-blocked 8)
BluePointSecurity
September 6th, 2009, 11:58 AM
A few test setup recommendations:
Setup a clean vm
Install BluePoint
Update BluePoint
Check settings if testing scanning detection rates
Begin testing
Make sure you clearly state whether you have clicked allow on any malware related items; this sort of makes the test a bit pointless as every security app I've seen has ways to override and allow malware if you really want to.
Try to explain screenshots so everyone understands what you're showing.
We have a few groups officially testing things now; we don't mind everyone testing, just make sure you're clear on how you tested. Most security vendors would probably not encourage this type of "unofficial" testing. We stand behind our prevention methods and as long as you explain your methods we don't mind.
ako
September 6th, 2009, 12:04 PM
-{ Quote: "
-{ Quote: "Allowed execution of malware when installation was inside Defencewall" }-
Are you clicking allow to test infecting the machine? Once you click override or allow you may very well end up infected and have to resort to a scan to clean things up.
A better test would be to click deny on everything during the test and then determine if anything was modified. As a side note it looks like your a few versions back, check for updates.
." }-
Of course not. I got no warnings before the one seen in fig. 5. Maybe a conflict, I don't know. If jmonge says it blocked everything I believe him.
The version was downloaded just before testing, but seemed to be indeed old by one version number.
ako
September 7th, 2009, 03:47 AM
-{ Quote: "I "think" he clicked allow on the items to see how it responds/deals with that type of situation. I would find a hard time understanding how that many executables were allowed to execute without permission.
ako, let us know on this one.
Thanks!" }-
See above. I think I should know what I'm doing. :dry:
jmonge
September 7th, 2009, 09:18 AM
How often does the database update? I didn't get mine for 1 complete day :) I do it manually when I scan
ako
September 7th, 2009, 10:25 AM
If you look at my test you see e.g.
- that even IE was blocked! ???
- that many common apps (too many) were blocked
- that analysis never helped, analyzed apps were always blocked
- that there is a conflict between DW and BPS
- allowing execution of malware without a prompt (conflict?)
jmonge
September 7th, 2009, 10:56 AM
-{ Quote: "If you look at my test you see eg.
-that even IE was blocked! ???
-that many common apps (too many) were blocked
-that analysis never helped, analyzed apps. were always blocked
-that there is conflict between DW and BPS
- allowing execution of malware without a prompt (conflict?)" }-Very strange issues you have; I am running Blue Point and AppRanger without any problems
BluePointSecurity
September 7th, 2009, 11:01 AM
No offense intended ako, just wanted to clarify! 8)
-{ Quote: "-that analysis never helped, analyzed apps. were always blocked" }-
That's exactly how BluePoint works, your permission only, not ours. The threat rating is there to help you make a decision only, not make it for you (that would be our competitors!).
-{ Quote: "-that there is conflict between DW and BPS" }-
There may be, we'll test this week. Setup properly as a standalone, BluePoint will not allow execution of anything without your permission, why run a second product when you're already locked to safe processes/code already?
-{ Quote: "- allowing execution of malware without a prompt (conflict?)" }-
Most certainly something is wrong, probably a conflict; if you are not notified about code execution (exe's etc) then I promise you something isn't right. Again, test things out with 1 product installed at a time, otherwise it becomes difficult to ensure any kind of accuracy and consistency.
The Q/A thread has turned into test thread! ;D
Could always create a new thread at some point.
jmonge
September 7th, 2009, 12:13 PM
-{ Quote: "How often does the database update? I didn't get mine for 1 complete day :) I do it manually when I scan" }-Oooopppsss, I forgot it's on the cloud ;D Don't need any malware signatures, all is done online when scanning ;D
BluePointSecurity
September 7th, 2009, 12:23 PM
Correct, no need for signature updates. The updates we release are software updates with additional features etc.
Shake that signature update addiction, it's not good for you!
;D
jmonge
September 7th, 2009, 12:31 PM
-{ Quote: "Correct, no need for signature updates. The updates we release are software updates with additional features etc.
Shake that signature update addiction, it's not good for you!
;D" }-i know;D
jmonge
September 7th, 2009, 12:40 PM
I don't find any slowdown with Blue Point and AppRanger ;) Two cool on shields and scanners :thumb:
jmonge
September 7th, 2009, 12:43 PM
Since I installed Blue Point Security I tested against about 50 new malware samples of all kinds, trying to get hurt, and can't :argh:
It kept the house clean ;)
I am already recommending it to my friends for their families because it is very easy to use
3 programs I can surely recommend: DefenseWall, AppRanger and for sure Blue Point Security
BluePointSecurity
September 7th, 2009, 01:24 PM
Absolutely, the smaller vendors are the ones providing the innovative solutions and solutions that actually work when tested. In my opinion the large antivirus vendors lost the fight against malware years ago. They are incapable of thinking outside of the box, instead recommending you click that update button every 5 minutes! Unfortunately the average consumer is still buying products from these large vendors; we're going to change that.
jmonge
September 7th, 2009, 01:30 PM
-{ Quote: "Absolutely, the smaller vendors are the ones providing the innovative solutions and solutions that actually work when tested. In my opinion the large antivirus vendors lost the fight against malware years ago. They are incapable of thinking outside of the box, instead recommending you click that update button every 5 minutes! Unfortunately the average consumer is still buying products from these large vendors; we're going to change that." }-agree :thumb:
THX1138
September 7th, 2009, 01:55 PM
Sorry to say this but the posts between "jmonge" and "Blue Point Security" seem like something out of an infomercial.
I do hope and wish that "Blue Point Security" comes out as a great product, the more options out there the better, but please find a better way to convince people that your product is good. Get more independent known testers to compare your product with other well known tools and then we can talk.
I also appreciate that you let some people here alpha test your software but it still has to get out of Beta before you state that it is ready for "prime time".
BluePointSecurity
September 7th, 2009, 03:16 PM
It's being independently tested as we speak.
Our product isn't in alpha or beta stages by any means, we have already been through beta testing and are actively selling our product on the market.
We encourage everyone to check it out!
jmonge
September 8th, 2009, 01:34 AM
any new updates coming soon?
BluePointSecurity
September 8th, 2009, 10:42 AM
We'll probably release an update Thursday or Friday, with a few performance enhancements and fixes, nothing major.
jmonge
September 8th, 2009, 01:03 PM
-{ Quote: "We'll probably release an update Thursday or Friday, with a few performance enhancements and fixes, nothing major." }-cool:thumb: thanks
BluePointSecurity
September 9th, 2009, 08:53 PM
New BluePoint Security Enterprise Edition screenshots:
http://www.bluepointsecurity.com/products/enterprise
Our enterprise edition information page is coming together, it's a bit sparse at the moment, we're working on videos and a few other interesting things...
If you're responsible for more than 50 workstations/servers, the enterprise edition may be for you. Complete centralized management, no more wild wild west as far as employees destroying/infecting machines etc. We hold weekly webex sessions to show off the product, if you think you may be interested we'd love for you to join our session!
We move quickly! Stay tuned!
jmonge
September 10th, 2009, 12:49 AM
Is BluePoint Security Personal going to be ready soon? And for updating to the next version, does it require uninstalling first or does it overwrite on top of the old one? Thanks Blue ;)
Kees1958
September 10th, 2009, 02:45 AM
-{ Quote: "I've started this thread to answer any product related questions anyone may have about the product or how things work.
Ask away!" }-
Well here is one.
Suppose I have UAC on with PGS (a freebie) with a deny execute of the user space, running all internet facing applications as a limited user.
What are the benefits of using your product over the rights management stuff which came along with my Vista OS?
Why is it worth the money?
Cheers Kees
BluePointSecurity
September 10th, 2009, 05:50 PM
-{ Quote: "Is BluePoint Security Personal going to be ready soon? And for updating to the next version, does it require uninstalling first or does it overwrite on top of the old one? Thanks Blue" }-
We always release our product updates in a way that simply allows you to click update in the user interface (it will autoupdate also). You never have to uninstall/reinstall. I've always thought it was odd that av companies tend to release version 2007, 2008, 2009 requiring a reinstall every year.
BluePointSecurity
September 10th, 2009, 06:51 PM
Kees1958,
We get this question so often I decided to do a quick video demonstration.
I set up a clean vm (Windows Vista Ultimate x86) with a user running low rights with UAC enabled. I set up a webserver and hosted a virus embedded in an html page, then visited the page and attempted to infect the Vista machine.
I didn't install any security products in this vm, I wanted to simply test out UAC and low rights alone as that is a very common question and a common scenario for an average user. While UAC and running as a low rights user are great security layers, in a real world scenario they often fail at preventing threats. As far as UAC goes, threats don't always access sensitive areas of the os which would trigger a UAC prompt. If I were designing a malicious piece of code, I would actually test to ensure it didn't trigger UAC (malware writers are clever remember!). The same goes for low user rights, high level user permissions are not necessarily needed (depending on its target and intentions on your system) to execute malicious code and do damage as demonstrated in the video.
Part 1:
http://www.youtube.com/watch?v=RlV-XyM3Hg8
Part 2:
http://www.youtube.com/watch?v=USPLHrCm-sE
Great question, keep them coming, we have a great lab environment and are happy to perform tests for you guys!
darthsideous666
September 11th, 2009, 01:07 AM
I noticed from some of the earlier BluePoint demonstration videos that during the testing, neither deny nor allow was clicked on the "unknown" program, but the pop up was exited out of instead? What would have happened if, say, Ma or Pa had BluePoint installed and in the same scenario, they had clicked allow?
jmonge
September 11th, 2009, 01:16 AM
-{ Quote: "We always release our product updates in a way that simply allows you to click update in the user interface (it will autoupdate also). You never have to uninstall/reinstall. I've always thought it was odd that av companies tend to release version 2007, 2008, 2009 requiring a reinstall every year." }-
i find your idea very cool:thumb:
by the way is BPS going to have password protection and self protection soon?
jmonge
September 11th, 2009, 01:19 AM
;) -{ Quote: "I noticed from some of the earlier BluePoint demonstration videos that during the testing, neither deny nor allow was clicked on the "unknown" program, but the pop up was exited out of instead? What would have happened if, say, Ma or Pa had BluePoint installed and in the same scenario, they had clicked allow?" }-
Even if you click allow it will be picked up by the scanner; I tried that, I allowed a malware sample and I did a scan and removed it :thumb:
BluePointSecurity
September 11th, 2009, 01:19 AM
-{ Quote: "by the way is BPS going to have password protection and self protection soon?" }-
Very soon, we'll have password protection shortly; the self protection has been less of a priority just because of the fact that nothing is going to execute and shut our processes down without permission, but it will be there soon either way.
jmonge
September 11th, 2009, 01:20 AM
-{ Quote: "Very soon, we'll have password protection shortly; the self protection has been less of a priority just because of the fact that nothing is going to execute and shut our processes down without permission, but it will be there soon either way." }-Thanks, it sounds good ;)
BluePointSecurity
September 11th, 2009, 01:41 AM
-{ Quote: " neither deny nor allow was clicked on the "unknown" program, but the pop up was exited out of instead?" }-
The videos posted above or the old videos?
Exiting out of our notification results in a denial (denial has already occurred by then).
It's certainly possible to click allow and or override anything you execute. In the case of the keylogger, they would receive a fairly ominous "high risk" warning, requiring them to click "override and allow". Hopefully they wouldn't override things and allow it but as with all security products they can be overridden. Our AV engine also backs up the default deny system, meaning you're not given an option to allow a known in the wild virus, it's simply taken care of. We've done away with the allow/deny notifications and moved to "override and allow" for high risk items to help with user confusion. You'll still see allow/deny, but only on items that appear to be somewhat safe.
BluePointSecurity
September 11th, 2009, 02:10 AM
Same file
http://www.bluepointsecurity.com/imgs/screenie.jpg
Kees1958
September 11th, 2009, 02:37 AM
BluePointSecurity
Great videos, but I am running PGS (Pretty Good Security), so I can set a Software Restriction Policy for Vista Home. SRP denies execution outside Windows and Program Files directories. All the browsers run with low rights (IE and Iron), all other internet facing programs as limited user. See http://www.wilderssecurity.com/showthread.php?t=250748
So SRP does exactly the same as Blue Point does: deny execution.
So what is the added value of your product, why should I buy when I run UAC with SRP deny execute.
cqpreson
September 11th, 2009, 04:00 AM
I realized BluePoint is a HIPS:lurking: .
jmonge
September 11th, 2009, 04:09 AM
Just tested Blue Point against 3 malware samples: 1 braviax.exe, 2 antivirus pro 2010 and MacroVirus, and it deleted them all; it cleans the house
Spiral123
September 11th, 2009, 10:40 AM
I have the same question as Kees1958 above. If you run with SRP and lower privileged accounts, what benefit does BPS offer over this configuration?
BluePointSecurity
September 11th, 2009, 10:52 AM
The lower priv accounts will help only marginally, see video above. SRP however has piqued my interest and it's a great question.
http://support.microsoft.com/kb/324036
Per Microsoft:
-{ Quote: "Important: We recommend that you do not use software restriction policies as a replacement for antivirus software." }-
Interesting ways to bypass SRP (I haven't tested these):
http://requinix.blogspot.com/2009/01/bypass-software-restriction-policy.html
In theory, SRP performs in a similar way to BluePoint. It also heavily depends on how you have configured SRP. Are you locking down to known hashes? Are you allowing any folders to change? I'll try and find time to test out SRP in the lab and see how it goes, I suspect it's fairly weak when it comes to actual exploits.
Spiral123
September 11th, 2009, 11:16 AM
Thanks for quick reply...
I will have a look at this also in the next few days.
BluePointSecurity
September 11th, 2009, 11:26 AM
I've always enjoyed Marcus Ranum's articles, it's a bit dated but still applies for the most part:
-{ Quote: "Execution Control: Antivirus bites the wax tadpole!
For years I have been railing about how stupid "default permit" execution architectures are, and how there are no decent tools that allow a Windows system administrator to build a system in "default deny." I tried Windows execution control, and one commercial product - but right now I'm getting great results from a tiny piece of freeware." }-
http://www.ranum.com/security/computer_security/editorials/antivirus/index.html
SRP appears to be a cumbersome beast, especially if you're looking to achieve a true lockdown (as BluePoint does), how are you configuring SRP? As a complete lockdown or other?
Sully
September 11th, 2009, 12:58 PM
lol, I truly do find the definition of 'cumbersome beast' to apply to HIPS, not SRP. SRP offers no popup, no evidence of itself at all. You only apply the restriction.
Technically speaking, the whole CreateProcess() method, which is invoked on execution, is written to check for SAFER values before allowing the process creation. If a valid SAFER rule is found, then the values the SAFER rule has are applied. It might be to deny execution. If this is so, it is denied plain and simple. It is true that if you are admin, and you have the option to 'exclude admins', then the rule will not apply.
If the SAFER value is to restrict aka Basic User, then the security token of the process is replaced with one of a Basic User instead of admin/power user. The process is allowed to be created, but at diminished rights. Again, it just happens. There are no hooks or other stuff going on. The actual method is designed to look for SAFER values before creating the process.
While POC's exist, I have not seen or heard yet of the exploit in use.
Suffice to say that if you choose to employ a default-deny scenario using SRP, things will be denied. You are correct, the effectiveness of SRP is only as good as its configuration. Regarding hashes, these are not needed. Indeed, even using a path is not the ideal way to mitigate. Based upon name alone, such as FireFox.exe, it matters not where the executable lives. SAFER rules state to the process, IF the process is NAMED FireFox.exe, then apply the denoted rule (deny, allow, restrict, constrain, untrust).
For something already built into the OS one would wonder why it is not employed more. I personally believe it is because there is no way to really know it is working. You can create a process and examine its properties or actions and see what is going on, but for the average home user, it really is too transparent. However, for geeks like myself, it is a gem.
Sul.
BluePointSecurity
September 11th, 2009, 01:19 PM
-{ Quote: "Regarding hashes, these are not needed. Indeed, even using a path is not the ideal way to mitigate. Based upon name alone, such as FireFox.exe, it matters not where the executable lives." }-
Yikes :o
That's why I was curious as to how you were configuring it. Feeding SRP 10k file fingerprints is unfeasible and unmanageable in my opinion, although that's the only way it would be considered even remotely secure.
What about a virus named svchost.exe or mspaint.exe!
Major hole there
That'd be the first question out of a CSO, they ask us that all of the time, it wouldn't go well.
Configured that way, there would be a huge advantage to using BluePoint, we lock things down to fingerprints meaning renaming files isn't going to bypass our system as would be the case with SRP.
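To make the exchange above concrete (Sully's SAFER levels including Basic User, and BluePoint's question about a virus named svchost.exe), here is an added Python model of how path/name rules and fingerprint rules decide an execution attempt; it is not code from either poster, BluePoint or Microsoft. The precedence used (hash rule first, then the most specific path rule, ties going to the most restrictive level), the SHA-256 fingerprint, and all paths, rules and file contents are constructed assumptions for the model, not a description of how SRP or BluePoint is implemented internally.

```python
"""Added example: a simplified model of execution-control rule evaluation.
Shows why a bare-name rule can be satisfied by renaming an unknown file,
while a fingerprint (hash) rule survives a rename but not a tamper."""
import hashlib
import ntpath
from dataclasses import dataclass, field

DISALLOWED, BASIC_USER, UNRESTRICTED = "Disallowed", "Basic User", "Unrestricted"
# Tie-break order: the more restrictive level wins.
RESTRICTIVENESS = {DISALLOWED: 0, BASIC_USER: 1, UNRESTRICTED: 2}


@dataclass
class PathRule:
    pattern: str   # a directory prefix (contains a backslash) or a bare file name
    level: str


@dataclass
class HashRule:
    sha256: str    # hex digest of the exact file contents (assumed algorithm)
    level: str


@dataclass
class Policy:
    default_level: str = DISALLOWED            # default deny, as in the thread
    path_rules: list = field(default_factory=list)
    hash_rules: list = field(default_factory=list)


def norm(p):
    # Windows-style, case-insensitive comparison regardless of host platform.
    return ntpath.normcase(p)


def path_rule_matches(rule, path):
    p, pat = norm(path), norm(rule.pattern)
    if "\\" in pat:                                   # directory rule: prefix match
        return p == pat or p.startswith(pat.rstrip("\\") + "\\")
    return ntpath.basename(p) == pat                  # bare-name rule: file name only


def evaluate(policy, path, contents):
    """Return (level, reason) for an attempt to execute `contents` located at `path`."""
    digest = hashlib.sha256(contents).hexdigest()
    for h in policy.hash_rules:                       # fingerprint rules are consulted first
        if h.sha256 == digest:
            return h.level, f"hash rule {digest[:12]}..."
    matches = [r for r in policy.path_rules if path_rule_matches(r, path)]
    if matches:
        longest = max(len(norm(r.pattern)) for r in matches)
        best = [r for r in matches if len(norm(r.pattern)) == longest]
        best.sort(key=lambda r: RESTRICTIVENESS[r.level])   # most restrictive wins ties
        return best[0].level, f"path rule {best[0].pattern!r}"
    return policy.default_level, "default level"


# --- constructed sample data (not real binaries) -----------------------------
GOOD_TOOL = b"MZ constructed contents of a tool the administrator has vetted"
UNKNOWN = b"MZ constructed contents of an unknown dropper"


def build_policy():
    return Policy(
        default_level=DISALLOWED,
        path_rules=[
            PathRule(r"C:\Windows", UNRESTRICTED),
            PathRule(r"C:\Program Files", UNRESTRICTED),
            PathRule(r"C:\Users\alice\Downloads", BASIC_USER),  # demoted, as Sully describes
            PathRule("FireFox.exe", UNRESTRICTED),               # bare-name rule, as in the post
        ],
        hash_rules=[HashRule(hashlib.sha256(GOOD_TOOL).hexdigest(), UNRESTRICTED)],
    )


def scenarios():
    """Outcomes of the cases argued in the thread, keyed by a short label."""
    pol = build_policy()
    tmp = r"C:\Users\alice\AppData\Local\Temp"
    return {
        # unknown file in user space: no rule matches, default deny applies
        "unknown as svchost in temp": evaluate(pol, tmp + r"\svchost.exe", UNKNOWN)[0],
        # same bytes renamed to satisfy the bare-name rule: the rename is enough
        "unknown renamed FireFox": evaluate(pol, tmp + r"\FireFox.exe", UNKNOWN)[0],
        # same bytes in the Windows directory (only reachable with write access there)
        "unknown in windir": evaluate(pol, r"C:\Windows\svchost.exe", UNKNOWN)[0],
        # fingerprinted tool renamed and moved: the digest still matches
        "tool renamed": evaluate(pol, r"D:\tmp\x.exe", GOOD_TOOL)[0],
        # one byte changed: the fingerprint no longer matches, default deny applies
        "tool tampered": evaluate(pol, r"D:\tmp\x.exe", GOOD_TOOL + b"\x00")[0],
        # download directory rule: allowed to run, but as Basic User
        "download dir": evaluate(pol, r"C:\Users\alice\Downloads\setup.exe", UNKNOWN)[0],
    }


if __name__ == "__main__":
    for label, level in scenarios().items():
        print(f"{label:28s} -> {level}")
```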
jmonge
September 11th, 2009, 01:26 PM
-{ Quote: "Yikes :o
That's why I was curious as to how you were configuring it. Feeding SRP 10k file fingerprints is unfeasible and unmanageable in my opinion, although that's the only way it would be considered even remotely secure.
What about a virus named svchost.exe or mspaint.exe!
Major hole there
That'd be the first question out of a CSO, they ask us that all of the time, it wouldn't go well.
Configured that way, there would be a huge advantage to using BluePoint, we lock things down to fingerprints meaning renaming files isn't going to bypass our system as would be the case with SRP." }-this is very interesting:)
BluePointSecurity
September 11th, 2009, 01:38 PM
jmonge
How's your system running with Prevx and BluePoint on the same machine? Any issues?
BluePointSecurity
September 11th, 2009, 01:40 PM
That's why certainly at the enterprise level, you need an easy to use management console ;D
http://www.bluepointsecurity.com/products/enterprise
http://www.bluepointsecurity.com/imgs/screenshots/3ApplicationControl.png
Sully
September 11th, 2009, 01:59 PM
Yes, it is true, SRP is not the holy grail. But then, nothing is or will be.
There are 2 different viewpoints from which one has to stand (at least).
First you have the advanced user. This user is A) smart enough to fix problems B) smart enough to steer clear of problems and C) smart enough to employ methods of differing types to fill in the gaps (called security ;) ).
The less advanced user A) probably does not know how to fix problems, so any problem is truly a problem B) does not know what the threats/problems really are, so does not even know how to avoid them C) employs no method at all, employs the 'most advertised' method or employs a method he/she does not understand. All of these resolutions likely lead to someone like myself helping them out.
Now examine SRP in the hands of a knowledgeable user. This user employs SRP from Admin. He sets SRP to apply to all users including Admin. He sets his browsers and all internet facing apps (because he understands where the threats come from) to start up restricted to Basic User. He understands that a User is restricted. He can then browse; whether the browser is more secure like Rmus does or not is up to him. Either way, he knows in typical situations root, windir and programfiles will be restricted by the process running as user. He is smart enough to close down the rights of the user group to create/modify autostart areas in the file system and the registry. He is smart enough to realize when he downloads a file, it is put into a directory that itself has a software restriction policy that says any executable within this directory will start as a user only. This user now knows that his browser is restricted, and where he downloads files to is restricted. How is it now feasible for svchost.exe to be created in windir? Because of users restrictions, programs running as user (the threat gates) are not allowed to do so. By default the download directory restricts any new files (executed within it) to be demoted to user, so they also cannot create/modify svchost.exe in windir.
It is up to this user to understand when they remove a new downloaded file to some un-restricted directory, and execute it, that without some HIPS or AV or other aid, they run it and take their chances. Now the new file CAN modify svchost.exe, or create svchost.exe in program files. Then svchost.exe can run from one of these directories. Assume then that a payload has been dropped, that svchost.exe is created in windir/malware directory. Assume that a homepage has been changed in the default browser to go to the payload homesite. The next time the user starts the browser, it should go to homesite, and it in turn is coded to start windir/malware/svchost.exe and do some bad things. However, when the browser starts it will start via SRP as a Basic User. Whatever the rogue svchost.exe was designed to do will now be limited to whatever a Basic User can do. While this does not provide any effects of data/key logging etc, it does still provide an amount of restriction.
It is not perfect, to be sure. In the hands of a knowledgeable user however, it can be very very secure. This does not even approach the default-deny method of using SRP. SRP has its limitations.
This is exactly why I can use it with great success and comfort, but also employ SBIE or vmWare if needed. I use ShadowDefender as well, 24/7. I could use an AV to scan a downloaded file. I could put a HIPS in place and then know for sure what is happening. But enough about me, lol.
The problem is finding a solution for the user that is not as knowledgeable. If we want others to be as safe as we are, or feel we are, we must provide some method that compromises ease of use with security. It is not an easy thing honestly. How can it be? The nature of itself precludes that you must understand security to be secure, yet we ask security to be effective for novice users without novice users understanding security.
I fear it is a catch-22.
Sul.
BluePointSecurity
September 11th, 2009, 02:28 PM
I don't know, the whole no fingerprint checking and relying on exe names seems a bit weak to me, I certainly wouldn't feel comfortable with it (as a standalone). Most of the malware samples I see aren't named virus.exe and in fact there have been many examples named svchost.exe, which configured that way would run unchecked (albeit with low rights, watch earlier posted vid about the effectiveness of low rights).
As a real world and very common example:
I imagine a threat combined with a zero day IE bug being placed on a web page, if the threat just so happened to be named the same as one of the 1000's of Microsoft executables on a system configured with SRP, it's over.
Drive-bys are probably the most common infection vector, over the past decade or so I would say anytime I've ever been infected it was completely behind the scenes and without my knowledge, I only found out after the fact via noticeable system problems. Certainly I knew better than to be fooled by rogues etc, but simply visiting an infected page is tough to prevent by remaining vigilant.
Windchild
September 11th, 2009, 02:34 PM
-{ Quote: "The lower priv accounts will help only marginally, see video above." }-
Personally, I would not call it "marginal" that limited user accounts prevent system-wide infection that affects all user accounts, or that they prevent the installation of malicious drivers and direct hard disk access (kernel-mode rootkits, MBR rootkits...), or that they prevent modification of system files and services. If that's marginal, then I'd really like to hear what counts as substantial! ;D Limited user accounts can help a whole lot: they protect security software from termination attacks, for example, protect other user accounts from being infected by mistakes made by one limited user, and make cleanup extremely easy (just delete the user profile, and that's that, assuming properly configured file permissions). It's certainly true that limited user accounts don't prevent people from executing files, even malicious ones, but their impact to the system can be limited. The user account itself, though, remains vulnerable to infection. That's where other measures should come in, from AVs to anti-executables and such.
-{ Quote: "SRP however has piqued my interest and it's a great question.
http://support.microsoft.com/kb/324036
Per Microsoft: "Important: We recommend that you do not use software restriction policies as a replacement for antivirus software."
" }-
Since SRP does not tell the user whether some file is safe or not (nor does any other pure/bare anti-executable type measure), Microsoft suggests that users at least use AVs to get some kind of idea on whether the file is known bad. That recommendation, though, tells nothing of the effectiveness of SRP.
And yes, making SRP rules based on filename alone is not secure. Convenient, maybe, but not secure in any way. But then again, there's no reason why you would have to make filename rules, when SRP allows much more secure options like hash, path (assuming you're smart and give your users only limited user accounts where they can't write into any and every location), publisher etc rules...
-{ Quote: "Interesting ways to bypass SRP (I haven't tested these):
http://requinix.blogspot.com/2009/01/bypass-software-restriction-policy.html
" }-
None of those are actual bypasses. All of them require there to be huge gaping rules left in the SRP rules by whoever created the software restriction policy, that is to say, misconfiguration. Holes such as leaving temp folders "unrestricted" when they certainly should be "disallowed" if SRP is being used to default-deny. When the SRP is created by someone who knows what they're doing, none of those supposed bypasses will ever work. Now, there are entirely valid methods to bypass SRP that cannot be stopped with making tighter rules. They're just methods a whole lot more sophisticated than the ones in that blog.
As for the malware problem in general, unfortunately nothing we currently have, and I do mean nothing, would solve anywhere near 95 % of the problem. And that's because a vast group of people get infected through social engineering, and the only security products that help against that are blacklisting products, and even they offer only very partial aid. No anti-executable whitelist, no limited user account, no software restriction policy, no HIPS, no sandbox, nothing will be able to reliably protect a system where the user has been fooled into wanting to execute a malicious file that pretends to be good. Once the user has his mind set on executing the file, he will ignore warnings from security software, give the admin password (if he knows it), turn off security products, anything he can, to get that file executed. And once the file is executed, then it's game over. So, while user education may be difficult, it is absolutely required if we ever desire to get anywhere near 90 or even high 70 % area of eradicating the malware problem. There's no dancing around that, unless we want to move to using computer systems where even the owner of the system cannot decide to execute code of their choice, or in other words a completely Orwellian environment.
BluePointSecurity
September 11th, 2009, 03:07 PM
-{ Quote: "Personally, I would not call it "marginal" that limited user accounts prevent system-wide infection that affects all user accounts, or that they prevent the installation of malicious drivers and direct hard disk access (kernel-mode rootkits, MBR rootkits...), or that they prevent modification of system files and services. If that's marginal, then I'd really like to hear what counts as substantial! Limited user accounts can help a whole lot: they protect security software from termination attacks, for example, protect other user accounts from being infected by mistakes made by one limited user, and make cleanup extremely easy (just delete the user profile, and that's that, assuming properly configured file permissions). It's certainly true that limited user accounts don't prevent people from executing files, even malicious ones, but their impact to the system can be limited. The user account itself, though, remains vulnerable to infection. That's where other measures should come in, from AVs to anti-executables and such. " }-
Substantial would be stopping it from executing in the first place ;)
As I've stated many times, once you start allowing code to execute you're playing with fire. I'm quite sure I could do massive system damage simply by executing code under the same circumstances as that video. Allowing the foothold is where the downfall starts. I'm not trying to say people should be running as admins, low rights is a great step in the right direction, I just hear far too often that "well I don't run as an admin so I'm perfectly safe", in real world threat testing scenarios, it doesn't hold true whatsoever.
-{ Quote: "And yes, making SRP rules based on filename alone is not secure. Convenient, maybe, but not secure in any way. But then again, there's no reason why you would have to make filename rules, when SRP allows much more secure options like hash, path (assuming you're smart and give your users only limited user accounts where they can't write into any and every location), publisher etc rules..." }-
Agreed, is anyone actually running a hash-based SRP setup? It would be quite secure in theory, I just don't see how you could manage it or set it up in a way that your system wouldn't be useless.
-{ Quote: "
As for the malware problem in general, unfortunately nothing we currently have, and I do mean nothing, would solve anywhere near 95 % of the problem. And that's because a vast group of people get infected through social engineering, and the only security products that help against that are blacklisting products, and even they offer only very partial aid. No anti-executable whitelist, no limited user account, no software restriction policy, no HIPS, no sandbox, nothing will be able to reliably protect a system where the user has been fooled into wanting to execute a malicious file that pretends to be good. Once the user has his mind set on executing the file, he will ignore warnings from security software, give the admin password (if he knows it), turn off security products, anything he can, to get that file executed. And once the file is executed, then it's game over. So, while user education may be difficult, it is absolutely required if we ever desire to get anywhere near 90 or even high 70 % area of eradicating the malware problem. There's no dancing around that, unless we want to move to using computer systems where even the owner of the system cannot decide to execute code of their choice, or in other words a completely Orwellian environment." }-
I would venture to say that social engineering is more in the minority of the way people are infected, more commonly it's drive bys (no data just my experience). Certainly you can't control the human element completely, however you can warn them that they are about to execute something potentially harmful. The problem here is that users often times AREN'T being notified of infection or even warned, many times infection is silent and behind the scenes. I've infected countless vm's in the lab with no warning whatsoever from the security product and that's just terrible.
-{ Quote: "As for the malware problem in general, unfortunately nothing we currently have, and I do mean nothing, would solve anywhere near 95 % of the problem" }-
A properly engineered AE/AV security solution easily achieves 95%+ prevention, as many exploit testers have confirmed on these very forums, something no other security model can claim with honesty. The solution is right there guys, it's in the security model and grasping the deny the unknown methodology. Firewalls have been applying this methodology to network traffic for 15+ years very effectively. Long ago, networking equipment used to rely on large lists of "bad" ip's, until manufacturers realized it's just not effective and moved to implicit deny all except known/trusted traffic. It's the same idea, applied to endpoint security.
Windchild
September 11th, 2009, 03:38 PM
-{ Quote: "Substantial would stopping it from executing in the first place ;)" }-
A pretty high requirement to set, considering that the user still needs to be able to run some software... ;D
-{ Quote: "As I've stated many times, once you start allowing code to execute your playing with fire. I'm quite sure I could do massive system damage simply by executing code under the same circumstances as that video. Allowing the foothold is where the downfall starts. I'm not trying to say people should be running as admins, low rights is a great step in the right direction, I just here far to often that "well I don't run as an admin so I'm perfectly safe", in real world threat testing scenarios, it doesn't hold true whatsoever." }-
Sure, executing malicious code is most often a very bad idea. So, stopping it from executing is a great idea. But as far as doing massive damage in a limited user account, you'd be able to do damage limited to that account and its user, damage such as deleting personal files or stealing passwords or other important data, serious issues to be sure, but you wouldn't be able to damage the actual system or other accounts without privilege escalation exploits.
But if anyone is saying they're perfectly safe because they don't run as admin, they're simply wrong. Not running as admin is a good idea, but it's not a panacea. Then again, nothing is.
-{ Quote: "Agreed, is anyone actually running a hashed based SRP setup? It would be quite secure in theory, I just don't see how you could manage it or set it up in a way that your system wouldn't be useless." }-
Most users of SRP aren't using only hash rules, because path rules work just as well and for all practical purposes as securely as long as your users are running with limited user accounts. For example, if you allow C:\Windows\System32, and limited user accounts can't write there, that's a pretty secure rule that is easy to make (indeed, it's made by default) that allows a whole lot of critical system executables at once without allowing the user to execute arbitrary files in that path.
-{ Quote: "I would venture to say that social engineering is more in the minority of the way people are infected, more commonly it's drive bys (no data just my experience). Certainly you can't control the human element completely, however you can warn them that they are about to execute something potentially harmful. The problem here is that users often times AREN'T being notified of infection or even warned, many times infection is silent and behind the scenes. I've infected countless vm's in the lab with no warning whatsoever from the security product and that's just terrible." }-
Sure, remote code execution is nasty. Blocking most of it is great. But social engineering attacks are a vast problem, and while I don't have any studies of the actual percentages, I would bet my entire fortune that social engineering attacks most certainly account for more than just 5 % of all malware attacks! ;D
-{ Quote: "A properly engineered AE/AV security solution easily achieves 95%+ prevention, as many exploit testers have confirmed on these very forums, something no other security model can claim with honesty." }-
Actually, it achieves that only against remote code execution. Which is, of course, the only thing that people test here. (No-one is going to be able to test being fooled by some malware to execute it. To do that, they'd have to be able to deceive themselves somehow.) Against social engineering, it does not reliably achieve any percentage, since the user will just execute the malware in spite of the AE/AV. And if the AE blocks by default, then the user will just turn it off, just like they would do if the user was installing an entirely legit software.
-{ Quote: "The solution is right there guys, it's in the security model and grasping the deny the unknown methodology. Firewalls have been applying this methodology to network traffic for 15+ years very effectively." }-
Default-deny is a great idea. But it's not fool-proof (as fools are incredibly powerful creatures). If there remains any way for the user to install software, and there must remain a way, or the user will be really furious, then the user can just use that way to execute malware that attacks him through social engineering, and the AE can't do a thing to stop it.
As I've said: you can stop most remote code execution attacks easily, no matter how unwise the user is, by using whitelisting. But whitelisting can't stop a social engineering attack against a user who has administrative access to the system and is able to disable security software or log in as admin. That's simply an undeniable fact of life. While anyone who bothers to look can easily find remote code execution attacks in the web, it's equally easy, if not even much easier, to find social engineering attacks. There's a ton of those out there, and default-deny doesn't reliably stop them, because if the user wants to run that bad exe, he will run it, and disable security software that tries to stop him. Personally, I've seen targeted email attacks where the bad guy even warns the target that the attachment causes some AVs to give a "false positive" detection but the user should just ignore that to run the cool game/watch the cool vid/etc. Of course, the "false positive" actually isn't false, but some users are fooled, and even whitelisting security software is defeated.
So, yes, user education is absolutely required if there is to be any hope of reaching anywhere near 70+ % prevention against all malware attacks, including social engineering.
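A toy model of the rule kinds this exchange compares (the name-only rule Sully describes, the folder path rules Windchild describes, and hash rules), added here as an example; it is not Microsoft's SRP implementation and not BluePoint's code, and the sample file contents, folder names and the list of user-writable folders are constructed assumptions. It also carries the audit Windchild's caveat implies: flagging Unrestricted path rules that overlap a folder a limited user can write to.

```python
"""Toy model of SRP rule matching, added as an example for this thread.
Not Microsoft's implementation and not BluePoint's code; sample bytes and
folders below are constructed."""
import hashlib
import ntpath  # Windows-style path handling that also works on other hosts
from typing import Dict, List, Optional, Tuple

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


class SrpPolicy:
    """Simplified SRP: a hash rule wins, then the longest matching path
    rule, then the default level (Disallowed here, i.e. default-deny)."""

    def __init__(self, default_level: str = DISALLOWED) -> None:
        self.default_level = default_level
        self.hash_rules: Dict[str, str] = {}  # sha256 digest -> level
        self.path_rules: Dict[str, str] = {}  # lowercased pattern -> level

    def add_hash_rule(self, content: bytes, level: str) -> None:
        self.hash_rules[hashlib.sha256(content).hexdigest()] = level

    def add_path_rule(self, pattern: str, level: str) -> None:
        # A pattern with no directory part ("svchost.exe") is a file-name
        # rule matching that name anywhere; otherwise it names a folder.
        self.path_rules[pattern.lower().rstrip("\\")] = level

    def evaluate(self, path: str, content: bytes) -> Tuple[str, str]:
        """Return (level, reason) for running `content` found at `path`."""
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.hash_rules:
            return self.hash_rules[digest], "hash rule"
        folded = path.lower()
        name = ntpath.basename(folded)
        best: Optional[Tuple[int, str, str]] = None
        for pattern, level in self.path_rules.items():
            if ntpath.dirname(pattern) == "":
                if name != pattern:
                    continue
                candidate = (len(pattern), level, "file-name rule " + pattern)
            elif folded.startswith(pattern + "\\"):
                candidate = (len(pattern), level, "path rule " + pattern)
            else:
                continue
            if best is None or candidate[0] > best[0]:
                best = candidate  # most specific (longest) pattern wins
        if best is not None:
            return best[1], best[2]
        return self.default_level, "default level"


def weak_unrestricted_rules(policy: SrpPolicy, user_writable: List[str]) -> List[str]:
    """Unrestricted path rules that a limited user's write access undermines:
    bare file-name rules, and folder rules overlapping a writable folder."""
    writable = [w.lower().rstrip("\\") for w in user_writable]
    weak: List[str] = []
    for pattern, level in policy.path_rules.items():
        if level != UNRESTRICTED:
            continue
        if ntpath.dirname(pattern) == "" or any(
            pattern == w or pattern.startswith(w + "\\") or w.startswith(pattern + "\\")
            for w in writable
        ):
            weak.append(pattern)
    return weak


def demo() -> Dict[str, object]:
    # Constructed stand-ins for file contents and folders; not real binaries.
    genuine = b"MZ constructed stand-in for the genuine svchost.exe"
    lookalike = b"MZ constructed stand-in for an unrelated file named svchost.exe"
    system32 = r"C:\Windows\System32"
    downloads = r"C:\Users\alice\Downloads"  # assumed user-writable
    temp = r"C:\Windows\Temp"                # assumed user-writable

    by_name = SrpPolicy()  # the name-only rule described earlier in the thread
    by_name.add_path_rule("svchost.exe", UNRESTRICTED)
    by_hash = SrpPolicy()  # fingerprint of the genuine file only
    by_hash.add_hash_rule(genuine, UNRESTRICTED)
    by_path = SrpPolicy()  # folder rules, including a writable-temp mistake
    by_path.add_path_rule(system32, UNRESTRICTED)
    by_path.add_path_rule(temp, UNRESTRICTED)
    dl, s32, tmp = (d + r"\svchost.exe" for d in (downloads, system32, temp))
    return {
        "name_rule_lookalike": by_name.evaluate(dl, lookalike)[0],
        "hash_rule_lookalike": by_hash.evaluate(dl, lookalike)[0],
        "hash_rule_genuine_moved": by_hash.evaluate(dl, genuine)[0],
        "path_rule_genuine_in_system32": by_path.evaluate(s32, genuine)[0],
        "path_rule_lookalike_in_downloads": by_path.evaluate(dl, lookalike)[0],
        "path_rule_lookalike_in_temp": by_path.evaluate(tmp, lookalike)[0],
        "weak_rules": weak_unrestricted_rules(by_path, [downloads, temp]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The name-only policy lets the look-alike run from Downloads, the hash policy blocks it wherever it sits while still allowing the genuine file after a move, and the audit reports only the Temp rule as weak.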
BluePointSecurity
September 11th, 2009, 03:46 PM
I agree on the social engineering point, you can always go back to that and anything will fail against a user that is determined to run things.
My point is, when a friend brings me an infested laptop they weren't socially engineered into being infected. A few files were dropped silently while they were browsing, executed through an exploit and they had no idea what happened, they just know their system is destroyed. That's not social engineering, that's security model failure. If you stopped the silent attacks, you'd stop the vast majority of the spread of malware. Think about it, conficker even code red (the list is endless) they aren't social engineering attacks. Server admins weren't sitting at their sql servers clicking on pictures of Brittany, again no user interaction here. Many of them spread through exploits and if there isn't a properly built wall there to stop and prevent them, malware writers will continue to release threats that are very effective without any kind of user interaction.
Windchild
September 11th, 2009, 04:49 PM
-{ Quote: "I agree on the social engineering point, you can always go back to that and anything will fail against a user that is determined to run things." }-
And indeed that is why it's hard to create a security system that can provide anywhere near perfect prevention. Because the user is often the weakest link, and as long as he has the admin password and control over the system, he can always just turn security off if he is fooled by some attack and wants to execute some bad file.
-{ Quote: "My point is, when a friend brings me an infested laptop they weren't socially engineering into being infected. A few files were dropped silently while they were browsing, executed through an exploit and they had no idea what happened, they just know their system is destroyed. That's not social engineering, that's security model failure. If you stopped the silent attacks, you'd stop the vast majority of the spread of malware. Think about it, conficker even code red (the list is endless) they aren't social engineering attacks. Server admins weren't sitting at their sql servers clicking on pictures of Brittany, again no user interaction here. Many of them spread through exploits and if there isn't a properly built wall there to stop and prevent them, malware writers will continue to release threats that are very effective without any kind of user interaction." }-
Oh, I understand. On the other hand, quite often people bring me computers that were infected through social engineering (run this exe to view a cool video). Social engineering is a big problem. But that certainly doesn't change the fact that remote code execution is a bad thing and we should work to prevent such attacks, as they're much easier to prevent than social engineering: it's hard to teach Joe User to know what not to run, and get him to actually remember that, but easy to install some whitelist product on his system to block most remote code execution attacks.
My main point here is this: as long as users continue to fall for social engineering attacks, and aren't educated enough to avoid them reliably, then we're not going to achieve anywhere near 95 % prevention against all malware attacks. Remote code execution, sure. But all attacks, no. That's just to say that even with a sound security policy and all kinds of blacklisting and whitelisting protecting a system, the system remains vulnerable as long as there are uneducated users who have full control over it.
jmonge
September 11th, 2009, 04:54 PM
the real truth is no installation of any kind of software, no infections:) my 2 cents
Smokey
September 11th, 2009, 05:08 PM
@BluePointSecurity
Sorry to have some critical notes regarding your thought out promo campaign regarding your product.
You started the campaign with the innocent words:
-{ Quote: "I've started this thread to answer any product related questions anyone may have about the product or how things work.
Ask away!" }-
Like the thread title describes, indeed a BluePoint Security product Q&A starting post. Straight and to the point. But with incredibly fast motion you turn the thread into a never ending promo campaign for your product. Your product is the best/superb, all other products are worthless, crap, ready to trash.
Taking a look at what you claim about the competition, it underlines what I write: your product is simply the best and has factually no serious competition, and all established vendors are doing a lousy job and their products are lousy too.
Another sign of your promo strategy: your signature. A billboard lookalike, my regards..
Also noteworthy: your endowment to circumvent nasty questions regarding your product, promo campaign and faithful helpers, and (free) alternatives for BPS. Direct nasty (but valid) questions and remarks pointed at you are ignored by you anyway.
<S>
BluePointSecurity
September 11th, 2009, 05:20 PM
-{ Quote: "Also noteworthy: your endowment to circumvent nasty questions regarding your product, promo campaign and faithful helpers, and (free) alternatives for BPS. Direct nasty (but valid) questions pointed at you are ignored by you anyway. Can you explain the why for this strategy? Of course I know the answer, but please tell the crowd too." }-
I don't feel your attack is warranted, however, what questions have I ignored?
BlueZannetti
September 11th, 2009, 05:24 PM
Folks,
Let's keep the discussion technically focused. Leave speculation of motivations out of the thread.
Thanks in advance.
Blue
Smokey
September 11th, 2009, 05:26 PM
-{ Quote: "I don't feel your attack is warranted" }-
Please don't entangle an ascertainment with an attack.
<S>
jmonge
September 11th, 2009, 05:26 PM
well for me Blue Point Security is patching the hole that wasn't covered for a long time:) I personally tested it and I encourage others to test it for 14 days (trial) and you will not be disappointed;)
BluePointSecurity
September 11th, 2009, 05:29 PM
As mentioned, let's keep it to technical issues related to our product and the technology surrounding it. If you have a question there, I'd be happy to help.
Spiral123
September 11th, 2009, 05:32 PM
Back to SRP topic for a second if we could.
If it were configured as (http://www.mechbgon.com/srp/) suggests, then I feel you have most of your bases covered, as far as executing arbitrary code goes. This appears to be nearly the same security strategy as BluePoint's product, except that BluePoint allows the user more granularity and an option to easily override the default deny policy. Would this be an accurate description?
Smokey
September 11th, 2009, 05:33 PM
-{ Quote: "Folks,
Let's keep the discussion technically focused. Leave speculation of motivations out of the thread.
Thanks in advance.
Blue" }-
Removed the speculation of motivations part. ;)
<S>
Pleonasm
September 11th, 2009, 05:58 PM
-{ Quote: " I'll give you an example, let’s say as an average user I am running xyz antivirus. I'm browsing the internet and I visit a page that contains a drive by downloader that was just created 5 minutes ago. At this point, your AV company hasn't added this threat to their def lists and if heuristics don't catch it which they often don't you stand a very good chance of being silently infected.
Same scenario with BluePoint installed, even if we do not know about the threat you will be alerted when the drive by download style threat attempts to execute. It will be blocked by default unless you override it." }-
It’s not at all clear to me how this example is different from what Norton Internet Security 2010 would do: namely, alert the user with a recommendation to deny the application based on its poor "reputation." Can you kindly elaborate?
BluePointSecurity
September 11th, 2009, 06:53 PM
Spiral123,
-{ Quote: "Adjustment for 64-bit Windows 64-bit versions of Windows (both Vista and XP Pro x64 Edition) have an extra Program Files directory named C:\Program Files (x86). Click on Additional Rules and make a new Path Rule that makes that directory Unrestricted, so software that's installed there is allowed to run." }-
Is SRP an effective layer if configured properly, certainly yes. Do I see problems with it, yes.
Some of this is my opinion, but since you're asking I'll share;
● Allowing SRP rules that allow ANY folders to remain unrestricted and unchecked is dangerous in my opinion.
● It's unfeasible to import 1000's of hashes into SRP and lock your system down to them as it lacks any kind of real management interface. This would be the only way to configure SRP that I would consider it secure and that would stand up to threat testing.
● Running SRP in hash lockdown mode (the only which I consider truly secure) is most certainly unfeasible for a casual computer user. This is why BluePoint exists, we didn't feel that there was a product that achieved the level of prevention we have while still being very easy to use.
From the SRP article:
-{ Quote: "But dude, I already have antivirus and a firewall. Does a Software Restriction Policy really have anything to offer me? Heck yeah. New malware is being released every hour of the day, and it takes time for your antivirus software to get updates that detect the new malware, leaving a window of vulnerability..." }-
Again, BluePoint isn't vulnerable to this "window of vulnerability" that mainstream av products suffer from (sig based or heuristic), making SRP sort of a moot point, unless someone isn't willing to pay for a more polished solution.
The entire philosophy behind our product is to stop the never ending cycle which is generally:
Virus created
Virus released
Users infected
Security vendors react to and attempt to clean up the mess
BluePointSecurity
September 11th, 2009, 07:00 PM
-{ Quote: "It’s not at all clear to me how this example is different from what Norton Internet Security 2010 would do: namely, alert the user with a recommendation to deny the application based on its poor "reputation." Can you kindly elaborate?" }-
NIS 2010 is simply not based upon the same security model as BluePoint, that would be the prime difference. As you mentioned, Quorum is based upon reputation combined with heuristics. While it does perform better than previous versions, I certainly wouldn't consider that a bulletproof security model by any means.
We don't look at application behavior because we don't believe heuristics are the way to go when it comes to preventing threats nor is reputation. How many of their customers have to be infected before a bad reputation is earned? Using the user community's infections as a net for your definitions list seems a bit strange to me, that's the same community you're charging to protect!
Not product bashing but just to highlight the differences between BluePoint, I've installed NIS 2010 in a lab and noticed it does not flag brand new files just based upon the fact that they are "new". I compiled up a brand new exe and it ran without a peep. However, if your exe "looks" suspicious to NIS, it will then flag. Looks can be deceiving, these guys are pretty clever out there. I know if I were making money bypassing things like this, I would be working very very hard at it.
Thanks for the great questions guys, you've made me think hard quite a few times ;)
Have really enjoyed the discussions with everyone here, even though we may not always agree, I think we can learn from these type of discussions.
Tarnak
September 11th, 2009, 07:32 PM
-{ Quote: "Please don't entangle an ascertainment with an attack.
" }-
I just thought I would point out the correct usage. ;)
ascertainment is not a word.
assertion is the correct word to use, see here > http://www.wordreference.com/definition/assertion
ascertain > http://www.wordreference.com/definition/ascertain
:)
CogitoTesting
September 11th, 2009, 08:41 PM
-{ Quote: "@BluePointSecurity
Sorry to have some critical notes regarding your thought out promo campaign regarding your product.
You started the campaign with the innocent words:
Like the thread title describes, indeed a BluePoint Security product Q&A starting post. Straight and to the point. But with incredibly fast motion you turn the thread into a never ending promo campaign for your product. Your product is the best/superb, all other products are worthless, crap, ready to trash.
Taking a look at what you claim about the competition, it underlines what I write: your product is simply the best and has factually no serious competition, and all established vendors are doing a lousy job and their products are lousy too.
Another sign of your promo strategy: your signature. A billboard lookalike, my regards..
Also noteworthy: your endowment to circumvent nasty questions regarding your product, promo campaign and faithful helpers, and (free) alternatives for BPS. Direct nasty (but valid) questions and remarks pointed at you are ignored by you anyway.
<S>" }-
I think the same should be true for Prevx also, if you read their threads objectively. To me I do not think this is a promo thread at all. Anyway, even if it were to be one, what would have been wrong with that? To me BluePoint Security is an excellent product and I tested it, and it performed well. I executed everything at it, and BPS handled all my malware samples with flying colors.
My only criticism has to do with the GUI, black font on a blue background is not too attractive. A color pattern and design like Outpost for example is more appealing.
If BPS enterprise is as good as its home product then McAfee has a lot to worry about. Right now McAfee VirusScan Enterprise 8.7 is the only enterprise product that I trust. The reason for that it is mostly based upon prevention first and detection section second with DAT release and Artemis.
May God be with you BPS and you have nowhere to go but up. :)
Spiral123
September 11th, 2009, 11:59 PM
Thank for your input BluePointSecurity.
Kees1958
September 12th, 2009, 01:28 AM
-{ Quote: "
Is SRP an effective layer if configured properly, certainly yes. Do I see problems with it, yes.
Some of this is my opinion, but since you're asking I'll share;
● Allowing SRP rules that allow ANY folders to remain unrestricted and unchecked is dangerous in my opinion. " }-
In Vista with UAC on that is a non issue, because unspecified will be covered by UAC.
-{ Quote: "
● It's unfeasible to import 1000's of hashes into SRP and lock your system down to them as it lacks any kind of real management interface. This would be the only way to configure SRP that I would consider it secure and that would stand up to threat testing. " }-
With the Vista release Microsoft has overhauled the placement of user and work data storage of programs. A simple deny execute of the user space C:\Users will do. No need for hashes or a white list. When you create a specific install directory in C:\Program Files, UAC will prompt you when you are moving something into it. Because of the install directory I do not need a white list with program hashes, so please explain.
-{ Quote: "
● Running SRP in hash lockdown mode (the only which I consider truly secure) is most certainly unfeasible for a casual computer user. This is why BluePoint exists, we didn't feel that there was a product that achieved the level of prevention we have while still being very easy to use.
" }-
But there is now PGS and it comes with an ini file, some Wilders members will be developing a default ini file with names of programs to run as limited, so the catch-22 situation will be enforced. Thanks for the tip to provide program hashes, not for a white list, but for the run as limited user list. :thumb:
@Any other reasons why I should use your product? See how easy it is to bash a product, when you are using your set of validity arguments. Good you have removed all those stupid videos. Bashing competition is a 'me too' strategy which only allows for a lowest price USP, pretty horrible business scenario for BluePoint when there is a product PGS which costs no money and requires no extra code to run on your PC.
SIR****TMG
September 12th, 2009, 01:34 AM
I tried this about one hour ago on my vista, brought it to a crawl. Took it off and done with this. Not putting down the product just not for my pc. Sorry
jmonge
September 12th, 2009, 01:37 AM
it is running very smooth like a baby's skin, man; of course I only run 2 antimalwares at a time :) in all my pcs
raven211
September 12th, 2009, 06:05 AM
-{ Quote: "
Not product bashing but just to highlight the differences between BluePoint, I've installed NIS 2010 in a lab and noticed it does not flag brand new files just based upon the fact that they are "new". I compiled up a brand new exe and it ran without a peep. However, if your exe "looks" suspicious to NIS, it will then flag. Looks can be deceiving, these guys are pretty clever out there. I know if I were making money bypassing things like this, I would be working very very hard at it.
" }-
You compiled a new exe... and what did it do? What if you compile an exe that will trash the system or at least do some kind of harm? Maybe your "quick test"-method and results would do good here. :)
BluePointSecurity
September 12th, 2009, 10:55 AM
-{ Quote: "Programs I use : Spy Sweeper, Counter Spy, NIS 2010, Manutu , A-Squared , Prevx Edge, WinPatrol , Deep Freeze , MBAM , Returnil Pro, Sandboxie, DefenseWall, KeyScrambler Premium ,
AppGuard, Zemana AntiLogger." }-
Unless you're running on a very old machine, BluePoint will not cause any kind of noticeable slowdown. Without more info it's tough to tell why. How many other products did you have installed alongside BluePoint?
BluePointSecurity
September 12th, 2009, 11:01 AM
Kees1958
As I've said before, personally I wouldn't bother with most of Microsoft's protection mechanisms when it comes to preventing threats/system damage, including SRP. I've seen UAC, low rights and SRP fail to do the job. Most people aren't sitting in a lab all day such as I am.
I think in the end everyone should use what they are comfortable with. I think anyone testing out BluePoint in a lab should be able to easily see the difference as many already have. We don't expect everyone to switch to our product and that's fine.
jmonge
September 12th, 2009, 11:03 AM
-{ Quote: "Unless you're running on a very old machine, BluePoint will not cause any kind of noticeable slowdown. Without more info it's tough to tell why. How many other products did you have installed alongside BluePoint?" }-
come on man this machine here is older than grandma;D and like the song says
'' i believe i can fly '' ;D
CogitoTesting
September 12th, 2009, 12:09 PM
-{ Quote: "come on man this machine here is older than grandma;D and like the song says
'' i believe i can fly '' ;D" }-
Hey Jmonge
When I read your signature I told myself: "Man that's just one tough security apparatus." ;)
BluePointSecurity
September 12th, 2009, 01:13 PM
I agree! He has AE, heuristics and removal pretty well covered there. That would be tough to bypass indeed.
jmonge
September 12th, 2009, 02:20 PM
-{ Quote: "Hey Jmonge
When I read your signature I told myself: "Man that's just one tough security apparatus." ;)" }-thanks, and fast :)
jmonge
September 12th, 2009, 02:23 PM
with the help of prevx,blue point and Mbam;) thank you guys:thumb:
jmonge
September 12th, 2009, 02:24 PM
but remember with just BPS it will be more than well covered;) it also removes tough malware like malware is a joke;)
CogitoTesting
September 12th, 2009, 02:54 PM
-{ Quote: "I agree! He has AE, heuristics and removal pretty well covered there. That would be tough to bypass indeed." }-
BluePointSecurity
Could you tell me how secure BPS processes are with regard to self protection? Maybe it is self evident; however, I just want to double check.
Badcompany
September 12th, 2009, 05:46 PM
Hello Forum,
Had BPS running for 24hrs, the only problem is when running a complete scan it freezes on 11%. No problems with my security programs (see signature) and no computer slow downs, nice.
Badcompany.
Cutting_Edgetech
September 12th, 2009, 06:58 PM
Is BluePointSecurity compatible with Prevx 3.0, and Online Armor? I'm running XP Pro. How exactly does BluePointSecurity detect malware? I remember reading something about denying anything unknown from running on their website. I thought it was kind of vague. Does it work like anti-executables or does it use in the cloud analysis? I'm very interested in learning more.
jmonge
September 12th, 2009, 07:09 PM
-{ Quote: "Is BluePointSecurity compatible with Prevx 3.0, and Online Armor? I'm running XP Pro. How exactly does BluePointSecurity detect malware? I remember reading something about denying anything unknown from running on their website. I thought it was kind of vague. Does it work like anti-executables or does it use in the cloud analysis? I'm very interested in learning more." }-with Prevx yes ;)
http://www.youtube.com/watch?v=RlV-XyM3Hg8
http://www.youtube.com/watch?v=USPLHrCm-sE
very detailed information
BluePointSecurity
September 12th, 2009, 09:59 PM
BluePoint is based upon deny the unknown, meaning if we don't know the publisher as a known trusted reputable source we ask your permission. The cloud av engine is there to help inform the user when they are notified about unknown code whether it appears to be safe or not. Meaning, even if new malware is released 5 minutes from now and we don't yet know about it, you're still protected and won't be infected (unless you override the ominous alerts that is!).
Sure, it's a little dry but it explains in detail how BluePoint works.
http://www.youtube.com/watch?v=yuJoXPYpcB4
There are no known compatibility issues between Prevx/Online Armor/BluePoint Security, however I would strongly recommend against running 3 real-time apps on the same machine. You may end up with a very very slow machine or possible system instability issues.
Hope this helps!
BluePointSecurity
September 12th, 2009, 10:04 PM
-{ Quote: "Had BPS running for 24hrs, the only problem is when running a complete scan it freezes on 11%" }-
A few people have mentioned that the scanning has frozen or won't complete. Keep in mind we utilize the cloud to analyze files, it may take quite a while to completely scan your computer the first time. The scan will complete, just be patient. After the first scan, you'll notice successive scans are much faster. We utilize a few caching methods to improve speed after the first scan.
Hopefully that clears up a bit of confusion.
darthsideous666
September 12th, 2009, 10:07 PM
-{ Quote: "Is BluePointSecurity compatible with Prevx 3.0, and Online Armor? I'm running XP Pro. How exactly does BluePointSecurity detect malware? I remember reading something about denying anything unknown from running on their website. I thought it was kind of vague. Does it work like anti-executables or does it use in the cloud analysis? I'm very interested in learning more." }-
Just to add to one of your questions that was not answered. Yes, it appears to work fine with Online Armor.
ds
Badcompany
September 13th, 2009, 04:00 AM
-{ Quote: "A few people have mentioned that the scanning has frozen or won't complete. Keep in mind we utilize the cloud to analyze files, it may take quite a while to completely scan your computer the first time. The scan will complete, just be patient. After the first scan, you'll notice successive scans are much faster. We utilize a few caching methods to improve speed after the first scan.
Hopefully that clears up a bit of confusion." }-
The scan stayed on 11% for over 1hr before I stopped it.
Badcompany.
Badcompany
September 13th, 2009, 01:50 PM
Second full scan took 7 mins.
Badcompany.
Hugger
September 13th, 2009, 06:53 PM
I just downloaded BPS and when I rebooted I found that Defensewall, which was disabled, did not show up in my Taskbar.
The only program that did start right away was Prevx.
When I started DW I got your pop up about whether to allow it or not. I'm surprised that it isn't recognized as safe.
Also, I lost all of my other Taskbar residents.
That's not going to kill me but I'm surprised to see it happen.
Will BPS work with DW as well as Prevx, or is there a problem with this?
For the duration of my own trial I've removed DW, but I damn well feel naked without it.
Hugger
BluePointSecurity
September 14th, 2009, 11:31 AM
Hugger,
Glad to hear you're kicking the tires. We haven't received any reports of interaction problems with Prevx or DefenseWall. As always, my normal caution, I wouldn't recommend running more than 1 real-time protection product permanently on the same machine due to the potential of stability/slowdown issues. I completely understand you wanting to get familiar with things while still running DefenseWall and Prevx. I'll be happy to help out if you do find any conflicting issues between them.
Pleonasm
September 14th, 2009, 01:43 PM
-{ Quote: "NIS 2010 is simply not based upon the same security model as BluePoint, that would be the prime difference." }-
I’m curious and want to learn more: please elaborate upon the differences in the security model of BluePoint Security and Norton Internet Security 2010. In addition, do you have a white paper that provides insight into the security model of BluePoint Security?
-{ Quote: "I've installed NIS 2010 in a lab and noticed it does not flag brand new files just based upon the fact that they are "new". I compiled up a brand new exe and it ran without a peep." }-
It doesn’t surprise me that a non-malicious executable created on your own PC runs without any warning by Norton Internet Security 2010. However, if you repeat the same test, but download another newly created executable from a public website using a different PC, I suspect that the result will be different.
BluePointSecurity
September 14th, 2009, 02:50 PM
-{ Quote: "I’m curious and want to learn more: please elaborate upon the differences in the security model of BluePoint Security and Norton Internet Security 2010. In addition, do you have a white paper that provides insight into the security model of BluePoint Security?" }-
Simply put, NIS 2010 is not based upon an AE/Whitelisting security model, BluePoint is. Very different methodologies, Symantec appears to be betting on advanced heuristics and file reputation (Quorum). We have many reasons for choosing the security model we have as opposed to heuristics and reputation. While heuristics and file reputation have come a long way in recent years, we believe these models have limitations as far as approaching 100% prevention no matter how advanced they become. In the end files have to "appear" to be suspicious, which is a designer's interpretation as to what is in fact a suspicious behavior. What if a malicious file doesn't appear malicious but is? What if a file has no reputation but is malicious and is missed by heuristics? In order to earn a reputation in the first place, a certain amount of infections must occur in the user base, why use your customers as a net for malware? Why depend on heuristics which again are simply "definitions" of suspicious activities, when history tells us definitions are inadequate?
In the end, our model is very well thought out right from the beginning. Our security model was designed from the ground up to achieve as near to 100% prevention as possible. While it's easy to find gaping holes in other security models with simple obvious questions, that's not the case with ours. Sometimes I wonder if they've even thought out the direction they are moving in when such simple ways to bypass their security model exist. It seems many have come to accept a certain amount of infections, chalking it up to "nothing is perfect". Internally, our thinking is that no amount of infection is acceptable and I think it shows when our product is put to the test.
-{ Quote: "
It doesn’t surprise me that a non-malicious executable created on your own PC runs without any warning by Norton Internet Security 2010. However, if you repeat the same test, but download another newly created executable from a public website using a different PC, I suspect that the result will be different." }-
Keep in mind, downloads are not the only attack vector. There are many ways to become infected, while web based attacks are probably the most common, usb devices, network shares and email are also popular vectors. Malware writers don't play by the rules, they will utilize any method possible to achieve infection. If they find an unlocked door, they will exploit it to the fullest potential. Standing at one door, such as treating files that have been downloaded differently, is a patchwork approach and it won't solve the problem, they'll just begin knocking on another unprotected door. Ultimately, you need to prevent code from executing in the first place, no matter where it comes from unless it's from a trusted source. Allow unknown random code to execute and you're allowing a foothold, once there's a foothold it'll be exploited one way or another. I believe you will begin to see most of our competition begin to switch to a model similar to ours, as in my opinion, it's the only real way to begin actually winning the battle. Trust me, they are very aware they are losing the battle, it's widely known and published, it's only a matter of time.
I think people need to spend more time asking questions about security models and methodologies, brand names are unimportant. Analyze the model they are based upon, then determine if the model is sufficiently thought out enough to not be easily bypassed. This will lead you to products that are truly exceptional at prevention.
CogitoTesting
September 14th, 2009, 02:57 PM
-{ Quote: "I’m curious and want to learn more: please elaborate upon the differences in the security model of BluePoint Security and Norton Internet Security 2010. In addition, do you have a white paper that provides insight into the security model of BluePoint Security?
It doesn’t surprise me that a non-malicious executable created on your own PC runs without any warning by Norton Internet Security 2010. However, if you repeat the same test, but download another newly created executable from a public website using a different PC, I suspect that the result will be different." }-
Pleonasm
How do you know that the .exe was not malicious? ;D
BluePointSecurity
September 14th, 2009, 03:10 PM
One of them was a recompiled version of our test keylogger, simple modifications were made to evade heuristic detection.
3x0gR13N
September 14th, 2009, 04:12 PM
I haven't read the whole thread, sorry if it was asked/mentioned/answered before.
Answer me one simple Q: can you guarantee that you will always recognize all legitimate programs as such, meaning can you truly differentiate between unknown good programs and unknown malicious programs? Keep the user's decision aside, please, since we can only predict their actions.
You seem to be addressing just one side of the "big picture"-how to protect the user from malware. Everything that is unknown (to you) is not necessarily malicious. That means that you will inevitably get in the way of the user, interrupting his work, blocking legit applications which he/she needs for his/her work (since they're unknown to you).
You seem to have a tone of superiority when you compare yourself to other products, which isn't something I like to see... especially having in mind that there is no "Ultimate answer" to malware problems. Preventing them is not a big issue but balancing between annoying the user or interrupting his work and protecting him is. :)
BluePointSecurity
September 14th, 2009, 05:18 PM
-{ Quote: "Answer me one simple Q: can you guarantee that you will always recognize all legitimate programs as such, meaning can you truly differentiate between unknown good programs and unknown malicious programs? Keep the user's decision aside, please, since we can only predict their actions." }-
No. This is just as impossible as guaranteeing that someone can maintain a 100% complete and accurate blacklist. Here's a quick breakdown of how BluePoint works:
All of this happens before code execution, a very important point.
When we are unaware of the safety of executable code, our cloud av attempts to determine if the item is a known in the wild virus
If the item is a known virus, it's prevented from executing and deleted
If the item appears safe but isn't from a trusted publisher we prompt the user with a risk rating and other info before any execution is allowed.
Typical mainstream av generally works more like this (obv simplified):
A. Is item known to be bad?
B. Does item look suspicious?
If a and b = false then execution is allowed.
Again, trying to keep users protected by keeping up with threats and their behaviors is a backwards approach right from the beginning imho.
-{ Quote: "You seem to be addressing just one side of the "big picture"-how to protect the user from malware. Everything that is unknown (to you) is not necessarily malicious. That means that you will inevitably get in the way of the user, interrupting his work, blocking legit applications which he/she needs for his/her work (since they're unknown to you).
You seem to have a tone of superiority when you compare yourself to other products, which isn't something I like to see... especially having in mind that there is no "Ultimate answer" to malware problems. Preventing them is not a big issue but balancing between annoying the user or interrupting his work and protecting him is. " }-
You're correct, computer security has always been a balance between ease of use and being intrusive to the user. While users may occasionally be prompted to make decisions about code execution, they will be spared infection. Being infected not only gets in the user's way, I know people personally that have had bank accounts drained by silent keylogger infections, that's quite an inconvenience!
I've shared my opinion many times here about prevention and the state we're in as far as security products ability to effectively prevent threats so I'll leave that one alone. My opinions are formed from my experience not only in the testing lab, but through working with users as well as corporations in tough positions after being infected while they believed they were protected.
As much as I enjoy a good debate, let's try to keep it to Q&A on the product itself, there's already quite a bit of information on the site as to how our product works and the reasons why we do things a little differently.
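The deny-the-unknown breakdown above, placed next to the simplified mainstream flow (A: known bad? B: looks suspicious?), as an added example that is not BluePoint's code nor any other vendor's: a small Python model of both policies run over constructed sample files. File names, contents, publisher names and heuristic verdicts are all made up for the example. It shows the single case where the two models disagree, an unknown file that neither matches a known-bad hash nor looks suspicious, and it shows the cost 3x0gR13N raises, an unknown but legitimate tool being held until the user approves it. The approval step records the exact file hash, which is the same idea as the SRP hash rules discussed earlier in the thread, so a later rebuild of the same tool is prompted for again.

```python
"""Added example (constructed, not product code): a deny-the-unknown allowlist
policy beside a blacklist-plus-heuristic policy, both deciding before execution."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Candidate:
    """A file about to execute. All fields are constructed stand-ins for what a
    real product would derive from the file (hash, verified signer, heuristic verdict)."""
    name: str
    content: bytes
    publisher: Optional[str]   # verified signer name, or None if unsigned/unverified
    looks_suspicious: bool     # what a heuristic engine would report for this file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files" and constructed knowledge; no real hashes are used.
SAMPLES = [
    Candidate("notepad.exe", b"constructed OS binary", "Microsoft Windows", False),
    Candidate("hdtune.exe", b"constructed third-party monitor", None, False),
    Candidate("old_keylogger.exe", b"constructed known sample", None, True),
    # Same family, rebuilt so the hash changes and the heuristic no longer fires.
    Candidate("new_keylogger.exe", b"constructed known sample, rebuilt", None, False),
]
TRUSTED_PUBLISHERS = {"Microsoft Windows"}
KNOWN_BAD = {sha256_hex(b"constructed known sample")}   # what the "cloud av" already knows


@dataclass
class DefaultDenyPolicy:
    """Deny-the-unknown: nothing runs unless known bad (deleted), trusted, or user-approved."""
    trusted_publishers: set
    known_bad: set
    approved_hashes: set = field(default_factory=set)

    def decide(self, c: Candidate) -> str:
        h = sha256_hex(c.content)
        if h in self.known_bad:
            return "block+delete"
        if c.publisher in self.trusted_publishers or h in self.approved_hashes:
            return "allow"
        # Unknown: execution is withheld; the user is prompted and may override.
        return "deny-prompt"

    def approve(self, c: Candidate) -> None:
        """User override: remember the exact bytes by hash, not by file name."""
        self.approved_hashes.add(sha256_hex(c.content))


@dataclass
class BlacklistHeuristicPolicy:
    """Simplified mainstream flow from the post: allowed unless known bad or suspicious."""
    known_bad: set

    def decide(self, c: Candidate) -> str:
        if sha256_hex(c.content) in self.known_bad:   # A. known to be bad?
            return "block"
        if c.looks_suspicious:                         # B. looks suspicious?
            return "block"
        return "allow"                                 # neither: execution allowed


def run_comparison(samples=SAMPLES) -> dict:
    """Return {name: (default-deny decision, blacklist+heuristic decision)}."""
    dd = DefaultDenyPolicy(set(TRUSTED_PUBLISHERS), set(KNOWN_BAD))
    bl = BlacklistHeuristicPolicy(set(KNOWN_BAD))
    return {c.name: (dd.decide(c), bl.decide(c)) for c in samples}


def run_approval_flow() -> tuple:
    """Approve the unknown tool once: same bytes are then allowed, a changed build is not."""
    dd = DefaultDenyPolicy(set(TRUSTED_PUBLISHERS), set(KNOWN_BAD))
    hdtune = SAMPLES[1]
    first = dd.decide(hdtune)          # unknown publisher -> held for the user
    dd.approve(hdtune)
    second = dd.decide(hdtune)         # remembered by hash -> allowed
    rebuilt = Candidate("hdtune.exe", hdtune.content + b" v2", None, False)
    third = dd.decide(rebuilt)         # new bytes, same name -> prompted again
    return first, second, third


if __name__ == "__main__":
    for name, (a, b) in run_comparison().items():
        print(f"{name:20} default-deny={a:13} blacklist+heuristic={b}")
    print("approval flow:", run_approval_flow())
```

The interesting row is new_keylogger.exe: both policies see the same bytes, but only the allowlist withholds execution, because it never asks whether the file looks bad, only whether it is known good. The hdtune.exe row is the flip side of the same rule, a harmless unknown tool is also held, which is the usability trade-off debated in the posts above.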
Hugger
September 14th, 2009, 06:23 PM
isuninst.exe is rated as high risk by BPS.
I think it's part of Installshield.
I right click on it in history and it's removed.
Can't find it.
Earlier, BPS also nailed ctfmon.exe and something from process explorer as bad.
I think perhaps the white list is not yet mature.
Hugger
BluePointSecurity
September 14th, 2009, 06:36 PM
Hugger,
Did it just block them or did it remove them?
Sometimes it'll report high risk if the item appears suspicious but it shouldn't actually delete the item unless it's known to be infected.
Hugger
September 14th, 2009, 08:21 PM
It removed them.
Right click menu gets me nothing useful.
Also, yesterday I ran Real temp and HDTune. Both are well known monitors and used by many. I had to allow them.
Today I had to allow them again. BPS doesn't seem to remember permissions.
Hugger
Hugger
September 14th, 2009, 10:29 PM
I've removed BPS and installed DW again.
Too many of my programs did not run properly.
Upon removing BPS they all started and ran the way they used to.
You have good ideas and a good product.
But from where I stand I think it still needs work.
I'll try it again in the future.
Hugger
jmonge
September 15th, 2009, 01:07 AM
there is a trick here, listen: first install your software and then install BPS, no problem at all ;)
BluePointSecurity
September 15th, 2009, 01:22 AM
No problem Hugger, thanks for giving us a try! As jmonge mentioned, BluePoint runs best as a standalone (the only real-time protection product on the pc).
Our official support forums are open!
http://www.bluepointsecurity.com/forums/
We've enjoyed Wilders!
jmonge
September 15th, 2009, 01:32 AM
look at my signature, no problems here and still fast in this old xp2 pc :thumb:
firzen771
September 15th, 2009, 07:36 AM
-{ Quote: "No problem Hugger, thanks for giving us a try! As jmonge mentioned, BluePoint runs best as a standalone (the only real-time protection product on the pc).
Our official support forums are open!
http://www.bluepointsecurity.com/forums/
We've enjoyed Wilders!" }-
same scheme as Wilders ;D
Hugger
September 15th, 2009, 08:50 AM
-{ Quote: "there is a trick here, listen: first install your software and then install BPS, no problem at all ;)" }-
The problems I had were with software that has been on my system for a long time.
I think BPS offers great protection.
But I also think it needs more polishing.
That's not a derogatory statement. Just my opinion.
I'll be looking at it again in the near future.
Hugger
jmonge
September 15th, 2009, 09:54 AM
-{ Quote: "The problems I had were with software that has been on my system for a long time.
I think BPS offers great protection.
But I also think it needs more polishing.
That's not a derogatory statement. Just my opinion.
I'll be looking at it again in the near future.
Hugger" }-just a very strange issue, cause I have 2 or 3 programs and it looks nice here. Also you can disable BPS, reboot and all your programs will load after that, and check that BPS will also be enabled :thumb: It works for me, it may work for you, don't give up on BPS buddy, it is a very cool program. Imagine having those 2 together, DefenseWall and BluePoint Security :thumb:
Pleonasm
September 15th, 2009, 11:14 AM
-{ Quote: "Here's a quick breakdown of how BluePoint works: ...
If the item is a known virus, it's prevented from executing and deleted
If the item appears safe but isn't from a trusted publisher we prompt the user with a risk rating and other info before any execution is allowed.
Typical mainstream av generally works more like this (obv simplified):
A. Is item known to be bad?
B. Does item look suspicious?
If a and b = false then execution is allowed." }-
Perhaps I am missing the point, but I still fail to see the conceptual advantage of the security model of BluePoint Security over that used by Norton Internet Security 2010. Keep in mind that Symantec uses information about a “trusted publisher” in its assessment of a security risk, too; and prompts the user when a file’s status is indeterminate at a point in time.
BluePointSecurity
September 15th, 2009, 01:51 PM
-{ Quote: "Perhaps I am missing the point, but I still fail to see the conceptual advantage of the security model of BluePoint Security over that used by Norton Internet Security 2010. Keep in mind that Symantec uses information about a “trusted publisher” in its assessment of a security risk, too; and prompts the user when a file’s status is indeterminate at a point in time." }-
I'm not sure how else to explain it guys. NIS 2010 does not prevent unknown code from executing. Period. BluePoint does. We do not allow code to run based upon its reputation or its behaviour (NIS 2010 does), as these methods expose you to circumvention.
Allow unknown code to execute behind your back in any way, at any time even it if looks "safe", and malware writers will exploit it.
Our concept is very simple. There are other vendors out there that claim to do what we do but when you put them to the test, they simply don't stop code execution. It's as simple as this, load up BluePoint in a vm and try to run a new batch file, a new vbscript or a newly created executable. It will not run without your explicit permission. Meaning, you will not see the executable show up on task manager at all, 0 lines of malicious code will execute. Test another security app claiming to be similar to ours in the same vm (without BluePoint) with the same files, were they blocked? Do they show up on task manager but the product tells you it's blocked? That's the difference with our product and that's what matters in the real world as far as preventing malware.
You'd be surprised at how many of our competitors allow code execution (shows up in task manager!) then attempt to block the item after the fact. They are not doing the job properly. Once executable code shows up in task manager, you've already allowed too much.
Get your hands dirty with these products in the lab as I know many of you have, look for the things I've mentioned.
Our model is simple but the devil's in the details.
jmonge
September 15th, 2009, 01:59 PM
Well said buddy, well explained :thumb: Makes sense what you said. I also noticed that some vendors say it is blocked and even show their product in green meaning protected, and in reality it was not. I saw this one day when I was testing a product, which I'd rather not name, but it is true what you said :)
BluePointSecurity
September 15th, 2009, 02:14 PM
-{ Quote: "I also noticed that some vendors say it is blocked and even show their product in green meaning protected, and in reality it was not. I saw this one day when I was testing a product, which I'd rather not name, but it is true what you said" }-
Yes and that one bothers me the most. Informing a user that a threat has been prevented when clearly several executables are sitting running code in the background is just appalling to me. Why were they allowed to execute in the first place? To me this just highlights the reason vendors need to rethink their security models (those relying upon signatures and heuristics for prevention) that is. Obviously I spend a great deal of time informing everyone about our product but it's bigger than that for me. It's personal. The industry needs to change, there are better ways of protecting people.
Honestly I wish I could name names, because there are truly other solutions out there that do in fact work very very well, meaning they will stand up to nearly any type of fierce real-time attack I can throw at them without issue. Sadly there are others that allow me to bypass them with simple coding tricks in ten minutes and I shut the vm off, testing over. I think the problem is, they are not mainstream solutions, the smaller vendors are beginning to think outside of the box. They are the ones that realize there's an opportunity here to really come up with a solid solution that turns the tides and actually begins to put the malware writers out of work.
jmonge
September 15th, 2009, 02:23 PM
total agreement here
Windchild
September 15th, 2009, 02:34 PM
-{ Quote: "
Honestly I wish I could name names, because there are truly other solutions out there that do in fact work very very well, meaning they will stand up to nearly any type of fierce real-time attack I can throw at them without issue. Sadly there are others that allow me to bypass them with simple coding tricks in ten minutes and I shut the vm off, testing over." }-
I don't really see why you couldn't name names. Telling the truth is seldom immoral or illegal, so what's stopping you? ;D
CogitoTesting
September 15th, 2009, 02:48 PM
-{ Quote: "Perhaps I am missing the point, but I still fail to see the conceptual advantage of the security model of BluePoint Security over that used by Norton Internet Security 2010. Keep in mind that Symantec uses information about a “trusted publisher” in its assessment of a security risk, too; and prompts the user when a file’s status is indeterminate at a point in time." }-
Pleonasm
Here is a challenge for you. Please get a hold of coolwebsearch and then install NIS 2010 and execute coolwebsearch and see what happens. Not only will NIS 2010 allow code execution, but after analysis of the file NIS 2010 will also tell you that coolwebsearch is a safe file and that it is OK to install it, believe me no kidding. I tested NIS a couple of months back; unless NIS 2010 got its act together you'll probably have the same result if you decide to test it. Do not take my word for it, test it and behold. ;D
CogitoTesting
September 15th, 2009, 03:36 PM
Hi BluePointSecurity
I already tested BPS twice and we have included your product in our official testing schedule. First I would like to apologize to everybody that already contacted me for testing requests. I thought that I was going to be ready last August; however, I had to take some time off work. Now I'm contemplating mid October, sorry.
To me and without any subjectivity, I can say that BPS is a fantastic security product with zero code execution (98% of the time), who can ask for more ;D. However, I have two constructive criticisms to convey:
1) BPS must have strong self protection of its processes such as bluepoint.exe and bp.exe (No, No, No bp is not equal to British Petroleum :-). At the moment I can say that BPS does not have any self protection at all. I used Process Explorer to successfully terminate all BPS processes without BPS putting up a fight :'( .
2) BPS got fooled by a rogue Anti-Spyware. The rogue was packed inside the Braviax installer. Even though BPS monitored the installation, it nonetheless allowed the rogue to install. Another rogue got installed because BPS believed that setup.exe was from Microsoft and allowed it to install.
I have got to say also that on both of these occasions BPS did prompt me for an action. In the first instance BPS could not make a decision, so it asked me to decide; since BPS rated the threat as low, I executed it just to see BPS's reaction.
After these two rogues installed I performed a full scan and BPS deleted them without a hiccup, and I was quite pleased. All in all I can unequivocally state that only BPS and McAfee VirusScan Enterprise 8.7 successfully passed all my tests with no infection left behind :D.
Right now McAfee VirusScan Enterprise 8.7 is installed on all of my work computers, and I can say even further that if BPS's enterprise product is as good as its home product then McAfee has a tough fight on its hands. The BPS upstart can only grow. ;).
Anyway, do not let success go to your head man, listen to wisdom and pay special attention to the wishes and dreams of your customers and you'll continue to be successful. :thumb:
Pleonasm
September 15th, 2009, 03:38 PM
-{ Quote: "There are other vendors out there that claim to do what we do but when you put them to the test, they simple don't stop code execution. It's as simple as this, load up BluePoint in a vm and try to run a new batch file, a new vbscript or a newly created executable. It will not run without your explicit permission." }-
That helps to explain the point, and I see the distinction. However, like Windows Vista’s UAC, won’t a typical user over time be inclined to simply click-through all of these warnings because a warning doesn’t necessarily indicate that the software is likely to be malicious (but only that it is absent from the whitelist)?
In addition, isn’t this technique simply shifting the decision burden from the software to the user? For advanced users, doing so may be a benefit; yet, for the vast majority of “typical users,” how will they know if a batch file or VBScript utility that is flagged by BluePoint Security is malicious?
What information is provided by BluePoint Security to aid in that decision? Does that information change in real-time based upon the experiences of the community of users?
Thank you.
Pleonasm
September 15th, 2009, 03:41 PM
-{ Quote: "Please get a hold of coolwebsearch and then install NIS 2010 and execute cool web search and see what happens." }-
I do not doubt your experience. Hopefully, the released version of Norton Internet Security 2010 (as opposed to the beta version that you tested) has this problem resolved. You might want to give it another try?
Pleonasm
September 15th, 2009, 03:46 PM
-{ Quote: "In the first instance BPS could not make a decision, so it asked me to decide; since BPS rated the threat as low, I executed it just to see BPS's reaction." }-This is, I fear, exactly the sequence of events that many “typical” users might experience, thereby potentially mitigating the prevention capabilities of the tool.
-{ Quote: "pay special attention to the wishes and dreams of your customers" }-
Excellent advice for all anti-malware vendors! :)
BluePointSecurity
September 15th, 2009, 03:58 PM
-{ Quote: "Hi BluePointSecurity
I already tested BPS twice and we have included your product in our official testing schedule. First I would like to apologize to everybody that already contacted me for testing requests. I thought that I was going to be ready last August; however, I had to take some time off work. Now I'm contemplating mid October, sorry.
To me and without any subjectivity, I can say that BPS is a fantastic security product with zero code execution (98% of the time), who can ask for more . However, I have two constructive criticisms to convey:
1) BPS must have strong self protection of its processes such as bluepoint.exe and bp.exe (No, No, No bp is not equal to British Petroleum :-). At the moment I can say that BPS does not have any self protection at all. I used Process Explorer to successfully terminate all BPS processes without BPS putting up a fight .
2) BPS got fooled by a rogue Anti-Spyware. The rogue was packed inside the Braviax installer. Even though BPS monitored the installation, it nonetheless allowed the rogue to install. Another rogue got installed because BPS believed that setup.exe was from Microsoft and allowed it to install.
I have got to say also that on both of these occasions BPS did prompt me for an action. In the first instance BPS could not make a decision, so it asked me to decide; since BPS rated the threat as low, I executed it just to see BPS's reaction.
After these two rogues installed I performed a full scan and BPS deleted them without a hiccup, and I was quite pleased. All in all I can unequivocally state that only BPS and McAfee VirusScan Enterprise 8.7 successfully passed all my tests with no infection left behind.
Right now McAfee VirusScan Enterprise 8.7 is installed on all of my work computers, and I can say even further that if BPS's enterprise product is as good as its home product then McAfee has a tough fight on its hands. The BPS upstart can only grow.
Anyway, do not let success go to your head man, listen to wisdom and pay special attention to the wishes and dreams of your customers and you'll continue to be successful." }-
Thanks for testing things out and sharing this, great info.
We will have self protection within a week or so; it was put on the back burner, as malware is generally put in a catch-22 of not being able to execute and therefore unable to terminate BluePoint under most circumstances.
Our weak point at the moment is rogue detection/prevention, as a few testers have pointed out. Rogues are tough to deal with as they often blur the lines between a threat and a nuisance and rely heavily on the user's decision to allow them. We're adding rogues to our detection database on a daily basis.
We are actively seeking additional independent testing as of course, we are a bit biased :)
BluePointSecurity
September 15th, 2009, 04:10 PM
-{ Quote: "This is, I fear, exactly the sequence of events that many “typical” users might experience, thereby potentially mitigating the prevention capabilities of the tool." }-
That is a good point; we do depend on the user to make decisions occasionally on code execution and we can't control the human element that's involved there. We try to provide good indications as to the risk rating of the item attempting to execute. Most of our current efforts are going into providing the best feedback to the user as possible, as ultimately, if it's not a known virus to us, they make the decision based upon the notification we give them. Known malware items are auto handled. Most of the time, a risky type of executable will show that it's high or medium risk, which hopefully helps them out to make the call.
Our thinking there is, it's better to let the user know something is going on before harm is done than not telling them anything. Worst case scenario, those that allow items that shouldn't be allowed (say a zero day virus and they ignore the threat rating) will be taken care of by our av engine as soon as we discover the threat. I think if a new virus were to hit CNN today (in all their scare tactic glory!) users would be inclined to be very careful about allowing things, if they were given the choice.
The missed coolwebsearch detection above sort of exposes the problem I see out there: they'll add it to their list and it'll take care of it. What happens when the next threat comes along? Same cycle over and over: infection, discovery and cleanup. We're trying to break down that cycle.
Pleonasm
September 15th, 2009, 05:29 PM
-{ Quote: "Same cycle over and over, infection, discovery and cleanup." }-
In the “old days” when signatures were the main defense against malware, your assessment seems to have merit. But, today, the best anti-malware companies are not operating in this cycle. They are focused on prevention, especially for the class of malware that is becoming increasingly more common: polymorphic (unique) instances.
It is “relatively easy” to identify the very common cases in which software is bad or good (e.g., blacklisting Conficker or whitelisting Microsoft Word). The new challenge, however, is all about the “long tail”—the large number of cases with low prevalence that may be either good or bad, and for which user intervention may be necessary. It seems to me that the security model of BluePoint Security doesn’t provide the same level of insight to the user as one which is founded upon the concept of “community reputation.” The higher the quality of information provided to the user in these cases (and, providing information that rapidly improves in real time), the more advantageous it seems to be. I infer (maybe incorrectly?) that BluePoint Security does not equip the user with such dynamic, community-based insights to guide the “safe”/”not safe” decision process. Please let me know if I am mistaken.
Increasing the detection rate at the expense of increased burdens upon the user to make "safe"/"not safe" decisions may not be a step forward in the evolution of anti-malware software, in my opinion.
BluePointSecurity
September 15th, 2009, 05:51 PM
-{ Quote: "In the “old days” when signatures were the main defense against malware, your assessment seems to have merit. But, today, the best anti-malware companies are not operating in this cycle. They are focused on prevention, especially for the class of malware that is becoming increasingly more common: polymorphic (unique) instances." }-
They are focused on prevention, but they are still very much behind the ball and constantly playing catch up. The coolwebsearch example is a good one, I haven't verified the fact that it's missed but it wouldn't surprise me. I read news stories on a daily basis about infections resulting in data being stolen etc. These are quite possibly targeted attacks with custom tools/malware, again these often run without being detected.
-{ Quote: "It is “relatively easy” to identify the very common cases in which software is bad or good (e.g., blacklisting Conficker or whitelisting Microsoft Word). The new challenge, however, is all about the “long tail”—the large number of cases with low prevalence that may be either good or bad, and for which user intervention may be necessary. It seems to me that the security model of BluePoint Security doesn’t provide the same level of insight to the user as one which is founded upon the concept of “community reputation.” The higher the quality of information provided to the user in these cases (and, providing information that rapidly improves in real time), the more advantageous it seems to be. I infer (maybe incorrectly?) that BluePoint Security does not equip the user with such dynamic, community-based insights to guide the “safe”/”not safe” decision process. Please let me know if I am mistaken.
Increasing the detection rate at the expense of increased burdens upon the user to make "safe"/"not safe" decisions may not be a step forward in the evolution of anti-malware software, in my opinion." }-
Again, I think identifying based upon actions and behavior is a hit or miss affair. Sometimes items are detected, sometimes they are not. We do provide the user with information about the item but it's not derived through user communities. I don't believe relying upon a certain amount of customer infections before informing everyone else is the way to go. We focus our efforts on solid prevention techniques rather than hit or miss types of solutions. Keep in mind there is a huge user base out there that is completely fed up with mainstream av for that very reason, they are quite willing to adopt a new solution that's outside of the heuristic/community/def box.
Hugger
September 15th, 2009, 06:26 PM
'We focus our efforts on solid prevention techniques rather than hit or miss types of solutions.'
I'm trying this again as suggested by JPM. It's definitely an interesting program.
I read the quoted sentence and feel that what Pleonasm said is accurate.
I'm not a tech inclined person by any stretch of the imagination.
And when I see your blue box of curiosity pop up asking me if whatever.exe should be allowed or blocked I probably won't know the answer.
So I'm going to have to guess.
If I had the ability to see what the majority of others are doing with this .exe I'd be able to make a bit more educated guess.
Also, I know this is in the clouds software, but is there a way for me to get BPS to remember what I allow to run on my pc?
Perhaps what I've seen others do, I don't remember who, would be easy.
'Allow, Allow once, Deny'.
Hugger
BluePointSecurity
September 15th, 2009, 07:08 PM
It wouldn't be a bad idea to show the user that type of information, how many users have clicked allow/deny; I like it. Generally it does give you as much information as possible: the file has been checked by our av engine and the result is shown in the risk rating area of the notification. It's sort of an extra layer that av is missing: yes, we've determined that the item isn't known to us as an in-the-wild threat. The difference is, instead of simply allowing execution, we ask permission. That extra layer makes all the difference in prevention. But yes, the human factor exists of course for items the av engine doesn't know about.
It should remember your allow decision, does it not?
Hugger
September 15th, 2009, 11:08 PM
The best examples I can give are HDTune and Real Temp.
Both reside on my desktop.
I double click them and I get your pop up box to Allow or Block.
Click Allow.
Shut down later and start my pc the next morning and I go through the same thing.
This forgetfulness includes the pop up that has the colored bar graph showing the level of danger. BPS is not remembering my settings.
Hugger
CogitoTesting
September 16th, 2009, 11:49 AM
One point I would like to emphasize after testing BPS has to do with the fact that BPS needs to sign its processes. So far none of BPS's processes were signed and Process Explorer was unable to verify them. It is the least that BPS can do in its fight against malware.
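The verification Process Explorer performs on a process image can be reproduced from a PowerShell prompt with the built-in Get-AuthenticodeSignature cmdlet. The script below is an added example, not BluePoint's code or anything from the thread: it walks the running processes (optionally only the ones named on the command line, e.g. the bluepoint and bp image names mentioned in the post) and reports whether each image carries a valid Authenticode signature and who signed it. Running it from an elevated prompt is an assumption needed so that the image path of service processes is readable; processes whose path cannot be read are skipped rather than reported.

```powershell
# Added example (not BluePoint's code): report the Authenticode status of
# running process images, so an unsigned security product shows up the same
# way Process Explorer's "Verified Signer" column would show it.
param(
    # Optional image names to restrict the report to, e.g. -Name bluepoint,bp
    # (the two process names quoted in the post). Empty means all processes.
    [string[]]$Name = @()
)

# Get-Process -Name accepts the image name without the .exe extension.
$processes = if ($Name.Count -gt 0) {
    Get-Process -Name $Name -ErrorAction SilentlyContinue
} else {
    Get-Process
}

# Path is empty for protected/system processes we cannot open; skip those.
$paths = $processes |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique

$report = foreach ($path in $paths) {
    # Get-AuthenticodeSignature validates the embedded (or catalog) signature
    # and the certificate chain; Status is Valid only when both check out.
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Image   = Split-Path -Path $path -Leaf
        Status  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Trusted = ($sig.Status -eq 'Valid')
        Path    = $path
    }
}

# Unsigned or tampered images first: these are the ones a user has no way to
# vouch for, and the ones a self-protection feature cannot distinguish from
# a substituted binary.
$report | Sort-Object -Property Trusted, Image | Format-Table -AutoSize
```

A HashMismatch status deserves the same attention as NotSigned: it means the image on disk no longer matches what the publisher signed, which is exactly the tampering case the post's self-protection request is meant to guard against.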
jmonge
September 16th, 2009, 03:42 PM
things that will be nice to have in BPS:
1) feature to protect the program against termination/alteration etc
2) password protection against program setting modification/alteration etc
3) to be able to add safe programs to a safe list within BPS, avoiding conflicts, etc
4) to be able to see what is running (active processes running) ;) task manager like, with colors :)
CogitoTesting
September 16th, 2009, 05:15 PM
-{ Quote: "things that will be nice to have in BPS:
1) feature to protect the program against termination/alteration etc
2) password protection against program setting modification/alteration etc
3) to be able to add safe programs to a safe list within BPS, avoiding conflicts, etc
4) to be able to see what is running (active processes running) ;) task manager like, with colors :)" }-
In other words jmonge you want BPS to be CIS like ;D.
jmonge
September 16th, 2009, 05:43 PM
-{ Quote: "In other words jmonge you want BPS to be CIS like ;D." }-maybe ;) but it doesn't have to be exactly the same ;D :)
jmonge
September 16th, 2009, 05:44 PM
it is very important to have these in place;)
Copyright ©2002 - 2012, Wilders Security Forums