Wilders Security Forums  

#1
January 19th, 2007, 12:51 PM
zopzop
Frequent Poster
Join Date: Apr 2006
Posts: 594
Some tests I ran on Dynamic Security Agent

I just recently discovered this pretty decent program by browsing the boards. I wanted to try it out vs some tests (process termination, keylogging, modifying the registry, leak tests). I think it has lots of potential (and it's tiny, only 3 megs installed).

The tests I ran :

**1) Advanced Process Termination from DiamondCS, DSA passed all tests easily. One note though, when it came to the "suspend process 1 and 2" the process was not suspended but DSA didn't give me a warning. Regardless DSA passed.

2) Advanced Process Manipulation from DiamondCS, once again DSA passed easily. APM couldn't do anything to any process without DSA catching and stopping it.

3) Simple Process Termination from the makers of System Safety Monitor, out of 16 different methods of termination, DSA failed Test 12, Test 15, and Test 16.

4) Keylogger Test from the makers of System Safety Monitor, out of 4 methods of keylogging in this test, DSA failed Test 1 and Test 2.

5) Martin's Undetectable Keylogger Test, DSA failed.

6) In the next test I used Procx from GhostSecurity to attempt to terminate a process but DSA stopped all termination attempts. I next tried to use the 'suspend process' feature and DSA failed to stop the process from being terminated, which is odd because it passed both APT attempts to suspend a process.

**7) In the Registry Test from GhostSecurity, DSA failed to stop a section from Test 1 (when the machine rebooted I got a failed message from Registry Test) and Test 2 hung and never completed.

8) I tried a few firewall leak tests over at firewallleaktester.com, and amazingly this program passed everything I threw at it: PCFlank (which many PAID firewalls fail), PCAudit 1 and 2, DNStester, Surfer, Jumper, WB, and Outbound.

**9) I then tried the Anti-Keylogger Test at firewallleaktester.com, DSA passed the DirectX test, but that was about it. It failed both screenshot capture tests. But I was unable to really get a handle on the first 2 keylogging tests, they were buggy on my machine.

Can anyone try running DSA vs the Tests marked with a ** and tell me what the results were?
__________________
Current Security Apps -
Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand)

LUA+SRP+KAFU = WIN!!!111

Last edited by zopzop : January 19th, 2007 at 05:38 PM.

#2
January 19th, 2007, 03:34 PM
ciannicello
Infrequent Poster
Join Date: Jun 2006
Posts: 25
Re: Some tests I ran on Dynamic Security Agent

James,

Thanks for in-depth testing! We will try and go over the tests you list that we have not already tested DSA against. We are always looking for ways to improve our product and the members of the Wilders Boards have proven to be a great source of useful information and feedback.

Chris Iannicello
Product Manager, Privacyware
iannicello@privacyware.com
www.privacyware.com

#3
January 19th, 2007, 05:45 PM
zopzop
Frequent Poster
Join Date: Apr 2006
Posts: 594
Re: Some tests I ran on Dynamic Security Agent

@ciannicello

Thanks for responding Mr. Iannicello. I really like this product and think it has potential. I have two questions:
1) Will you keep us updated on the results of your tests?
2) Do you guys have a forum on your website? I couldn't find one when I looked over your website.


Finally, there were two more tests I wanted to run vs DSA: morgud's threat simulator and the killdisk virus. I'm too scared to make the attempt, I'm hoping a forum member with a reliable backup program will take up the challenge.

#4
January 20th, 2007, 03:27 AM
zorro zorrito
Regular Poster
Join Date: Feb 2006
Posts: 113
Re: Some tests I ran on Dynamic Security Agent

What a great job zopzop, I have used that program and I did like it. I hope ciannicello doesn't forget this kind of test, to make a better software that is light, small and with great potential.

#5
January 20th, 2007, 06:22 AM
spindoctor
Regular Poster
Join Date: Feb 2006
Posts: 83
Re: Some tests I ran on Dynamic Security Agent

Yes, nice tests Zopzop. Also glad to hear the DSA team responding. But I agree with the comments posted by Zorro zorrito: please keep DSA light and do not turn it into another "do it all" system resource hog.

#6
April 15th, 2007, 09:18 PM
nicM
nico-nico
Join Date: Jul 2004
Location: France
Posts: 631
Re: Some tests I ran on Dynamic Security Agent

Hi zopzop,

Nice to see your tests with this app.

I did test it too, with a few rootkits, trojans, keyloggers and spyware [a while ago though], and results were good - just works as advertised. Will not post the link to the tests, I wrote it in French. But will maybe post new tests later.

A few screenshots, heeh, just 2:

Blocking Rootkit example:

http://img134.imageshack.us/img134/2...7053220ol2.png



Blocking trojan example:

http://img247.imageshack.us/img247/5...7055835fv1.png


The only test failed (on a total of 6-7) was with Keylogger, but it was with Martin's one (and with the usual restriction that the process has to be allowed in the 1st place).

I hope this program will be updated, it does really deserve it.

Cheers,

nicM
__________________
Online Armor

Last edited by nicM : April 15th, 2007 at 09:44 PM.

#7
April 15th, 2007, 10:15 PM
EASTER.2010
Posts: n/a
Re: Some tests I ran on Dynamic Security Agent

I understand you're specifically taking DSA to task, but combined with snoopfree you'll get better results. Remember! Layered protection is more coverage, where single programs always suffer from some limitations in one area or another.

Food for thought. I liked DSA for the time I tested it and it does have its benefits, but IS NOT THE IRON WALL in single form alone. None of them are.

#8
April 16th, 2007, 01:38 AM
Chuck57
Very Frequent Poster
Join Date: Sep 2002
Location: New Mexico, USA
Posts: 1,358
Re: Some tests I ran on Dynamic Security Agent

Will DSA run with Cyberhawk? My sole complaint with DSA was the week long training thing, and if I recall, it wouldn't allow you to turn it off. Had to run in training the full week.
__________________
"If guns are outlawed, only the government will have guns. Only the police, the secret police and the military.... Only the government - and the outlaws. I intend to be among the outlaws." - Edward Abbey

#9
April 16th, 2007, 01:49 AM
aigle
Incredibly Massive Poster
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,412
Re: Some tests I ran on Dynamic Security Agent

I intend to try it some time. Wonder if it's easy to use. Any conflicts? Resource usage?
Anybody using it as part of his layered defence? Any slowdowns, etc? Of course I don't find a place for it in my current setup!
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?

#10
April 16th, 2007, 02:01 AM
Chuck57
Very Frequent Poster
Join Date: Sep 2002
Location: New Mexico, USA
Posts: 1,358
Re: Some tests I ran on Dynamic Security Agent

I noticed no slowdown whatever, aigle. I never checked resource usage. It was very simple to use, to the point that even I could figure it out, and that's proof of its simplicity. I don't recall any conflicts with anything I had on board at that time, powershadow, avg antivirus and asquared.

I just wonder if they're ever going to update it. It's been at Version 1 for a while.

#11
April 16th, 2007, 02:13 AM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Some tests I ran on Dynamic Security Agent

ZopZop,

Great work. I have used DSA for quite a while, see http://www.wilderssecurity.com/showthread.php?t=161400

A few comments:

1. The hang up of Regtest2, might be caused by GeSWall, are you sure you had it off during the test? Hanging regtest2 is typical for GeSWall and DefenseWall (they pass both, because you do not get the pop-up after re-boot).

2. At the time I used it, I only thought it was an anti-executable until I surprisingly read at http://wiki.castlecops.com/HIPS/IDP_programs/services of its extra defense capabilities. I thought an update was released, but still version 1.

In terms of CPU usage and speed it was the best I have tried. If only the developers could reveal what registry entries it protects.

Regards Kees

#12
April 16th, 2007, 02:15 AM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Some tests I ran on Dynamic Security Agent

Quote:
Originally Posted by Chuck57
Will DSA run with Cyberhawk? My sole complaint with DSA was the week long training thing, and if I recall, it wouldn't allow you to turn it off. Had to run in training the full week.

You can turn it off after choosing 1 day learning. Adding CyberHawk only gives you extra protection against the Regtest of ghost. They overlap a lot (pick DSA instead when you are comfortable with it). EDIT: did test DSA against Zapass, it fails, so CyberHawk gives extra protection against process modification (DSA keeps track of the MD5-hash) and buffer overflow.

Regards K

Last edited by Kees1958 : April 18th, 2007 at 05:25 AM.

#13
April 16th, 2007, 12:13 PM
nicM
nico-nico
Join Date: Jul 2004
Location: France
Posts: 631
Re: Some tests I ran on Dynamic Security Agent

Quote:
Originally Posted by EASTER.2010
I understand you're specifically taking DSA to task, but combined with snoopfree you'll get better results. Remember! Layered protection is more coverage, where single programs always suffer from some limitations in one area or another.

Sure, but when testing it, what I look at is the program's own abilities, to evaluate it.

I reinstalled it last night on my test computer, and I must say the EULA should in theory prevent people from disclosing any test/benchmark results without Privacyware approval first. But I guess PW people do not take it too hard, according to ciannicello's previous post.

About the program: It's running light (8-12 K in ram), no cpu use, and out of the 3 components, there's only one I really test and use, it's process detection. I do not feel the need to use the "system anomaly detection" one, nor the "email anomaly" one. They can be disabled easily.

Doing so makes it faster to set up, since most of the learning is related to cpu use training statistics, which can take one week or more to set. As for the process detection module, you're free to stop learning mode when you want to, just need to uncheck its option.

What is missing for now is logs, or a panel/window to review settings for each approved program. It would make DSA better I think.

Cheers,

nicM

#14
April 16th, 2007, 12:57 PM
Hipgnosis
Frequent Poster
Join Date: Aug 2003
Location: Witness Protection Program
Posts: 297
Re: Some tests I ran on Dynamic Security Agent

I agree with nicM that some logs, and the ability to review/tweak settings for approved programs would be a helpful addition.

I used DSA awhile back and really liked it, but as I posted at the time, it blocked VPN access to my company so it had to go.

#15
April 16th, 2007, 01:55 PM
zopzop
Frequent Poster
Join Date: Apr 2006
Posts: 594
Re: Some tests I ran on Dynamic Security Agent

Quote:
Originally Posted by Kees1958
1. The hang up of Regtest2, might be caused by GeSWall, are you sure you had it off during the test? Hanging regtest2 is typical for GeSWall and DefenseWall (they pass both, because you do not get the pop-up after re-boot).

sorry kees, i did the test a few months ago and i don't remember (i thought i turned geswall off but i can't be sure now). to make sure i presented the results fairly i marked the test with asterisks to let people know i may have fudged up the test. i wonder if anyone can rerun the test to check the results.

Quote:
2. At the time I used it, I only thought it was an anti-executable until I surprisingly read at http://wiki.castlecops.com/HIPS/IDP_programs/services of its extra defense capabilities. I thought an update was released, but still version 1.

In terms of CPU usage and speed it was the best I have tried. If only the developers could reveal what registry entries it protects.

Regards Kees

it's been a while since i used DSA so i can't remember many things about it. it would be pretty cool if it had antiexecutable properties like SSM or processguard.

the one test i wanted to try but i chickened out because i don't have a test machine was killdisk vs DSA. i wanted to see what would happen if killdisk was allowed to run, would DSA stop it from destroying the MBR? anyone with a test machine that would be willing to give it a go? i have a sample of the virus.

EDIT: don't try the killdisk test vs DSA, the link that kees provided to castlecopswiki says DSA does not provide protection vs things like killdisk (low-level disk access).


pss. it doesn't seem like there have been any updates to DSA since last year. are the developers still working on it?

Last edited by zopzop : April 16th, 2007 at 02:05 PM.

#16
April 18th, 2007, 07:51 AM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Some tests I ran on Dynamic Security Agent

Hi Zopzop,

Your test of DSA made me change my security setup. We now have a fully pop-up less PC (wife's PC) and a transparent (with DW it is easier to run an untrusted source as trusted, sounds difficult but it is not) PC for my son.

See Pic, thanks for the tests of DSA

NB most BIOS have the option to protect the MasterBootRecord, so the killdisk test was not as brave as you think. You can make DSA more protective by quarantining cmd, command and ntvdm.

Regards K
Attached image: naamloos.JPG


Last edited by Kees1958 : April 18th, 2007 at 09:01 AM.

#17
April 18th, 2007, 10:37 AM
nicM
nico-nico
Join Date: Jul 2004
Location: France
Posts: 631
Re: Some tests I ran on Dynamic Security Agent

Quote:
Originally Posted by Kees1958
You can make DSA more protective by quarantining cmd, command and ntvdm.

I think it's better just to remove them from the list, as quarantining may prevent them from working in case they're needed.

Personally, I've removed cmd.exe, net.exe/net1.exe, telnet.exe, hh.exe, etc from default lists, as they can be used for both legit and unlegit purposes.

nicM

#18
April 18th, 2007, 11:07 AM
Pedro
Massive Poster
Join Date: Nov 2006
Posts: 3,492
Re: Some tests I ran on Dynamic Security Agent

Thanks zopzop, made me install it again... Wilders installation curse..

Quote:
Originally Posted by Hipgnosis
I agree with nicM that some logs, and the ability to review/tweak settings for approved programs would be a helpful addition.

Also, a resizeable window would be nice.

And not giving that error on install that there was an error, install was rolled-back, and system is just as before (when DSA is actually successfully installed).
Makes me wonder how the installation really went. Is it all good?
This needs some attention/fix.

#19
April 18th, 2007, 11:17 AM
nicM
nico-nico
Join Date: Jul 2004
Location: France
Posts: 631
Re: Some tests I ran on Dynamic Security Agent

Quote:
Originally Posted by Pedro
And not giving that error on install that there was an error, install was rolled-back, and system is just as before (when DSA is actually successfully installed).
Makes me wonder how the installation really went. Is it all good?
This needs some attention/fix.

Same here, happened twice. A reboot, and everything is running fine, so that it appears as an error in the installer runtime.

Another strange problem I had is, a dll is hidden from shell, but not hidden on another setup, I'm still waiting for a reply from Privacyware about that issue.

Cheers,

nicM

#20
April 18th, 2007, 12:02 PM
nicM
nico-nico
Join Date: Jul 2004
Location: France
Posts: 631
Re: Some tests I ran on Dynamic Security Agent

Quote:
Originally Posted by zopzop
it would be pretty cool if it had antiexecutable properties like SSM or processguard.


BTW, it does!

#21
April 18th, 2007, 01:02 PM
zopzop
Frequent Poster
Join Date: Apr 2006
Posts: 594
Re: Some tests I ran on Dynamic Security Agent

Quote:
Originally Posted by nicM
BTW, it does!

sweet!

if only we could figure out what the makers of DSA are up to now? will they update the program with more features (better keylogging protection, low level disk access protection, etc...). are they still working on it?

Quote:
Originally Posted by Kees1958
NB most BIOS have the option to protect the MasterBootRecord, so the killdisk test was not as brave as you think. You can make DSA more protective by quarantining cmd, command and ntvdm.

hmm i got to check my bios then, that's a great security option. i'm terrified of viruses/trojans like killdisk. "once bitten, twice shy" as they say

ps by quarantining cmd, command and ntvdm that would have thwarted killdisk? i'm a noob at these things, that's why i'm asking

#22
April 18th, 2007, 01:31 PM
nicM
nico-nico
Join Date: Jul 2004
Location: France
Posts: 631
Re: Some tests I ran on Dynamic Security Agent

Quote:
Originally Posted by zopzop
if only we could figure out what the makers of DSA are up to now? will they update the program with more features (better keylogging protection, low level disk access protection, etc...). are they still working on it?

Just got a reply from Privacyware team, and yes, they're currently working on it. Good news!



Quote:
ps by quarantining cmd, command and ntvdm that would have thwarted killdisk?

One more time, I advise people NOT to quarantine these processes, but just to remove them from the default list. By quarantining them, you can expect some unattended behaviour, once one of these processes needs to run for legit purposes! These will be prevented from running.

Whereas by removing them from the default list, you'll get a prompt, allowing it to run (or not), depending on the context. This way you do not have to build a rule; a rule which would always allow these to run would be bad, same as a rule always preventing them from running.

Cheers,

nicM

#23
April 18th, 2007, 02:00 PM
bellgamin
Very Frequent Poster
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Re: Some tests I ran on Dynamic Security Agent

I began using DSA back in January 2007 because of zopzop's test report that started this thread. I have used DSA continuously since then. THANK you zopzop!

I like DSA a lot because it has strong Firewall capabilities PLUS its System Anomaly & Email Anomaly modules provide superb behavior-blocker HIPS-type capabilities.

As a firewall I have found that DSA keeps me fully stealthed. Plus I read somewhere that DSA also contains Personal FireWall's layer-3 firewall using Stateful Packet Inspection (SPI) technology running in the background.

After long use, DSA on my computer is now *well-trained*. I now have DSA's sensitivity threshold set at 10%. Even so, I rarely get pop-ups (because DSA is so well trained), & when I do they are always significant.

I will use the "System Anomaly" module as the basis for two questions (probably dumb ones) which I hope someone will venture to answer...

#1- I set training period at 28 days & intend to leave it at that setting, even though the initial 28 day period was completed quite some time ago. So then -- what happens next? Does the module continuously update its experience data, or only once every 28 days, or what?

#2- Now that DSA's training period is completed (and then some), what is the purpose of the check-block titled "Require user approval for each alert"? If I didn't want to be alerted about anomalies, wouldn't it be more logical for me to disable this module altogether? In other words, why enable a fully trained module & then tell it NOT to alert me if something weird is trying to happen?
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender

#24
April 18th, 2007, 02:31 PM
Pedro
Massive Poster
Join Date: Nov 2006
Posts: 3,492
Re: Some tests I ran on Dynamic Security Agent

Crap. Now i want to try Sygate, and have to jump a few hurdles.
Uninstall Avast!, place Antivir (conflicts). Uninstall Comodo, install Sygate.

I guess i have to turn off DSA huh? Or uninstall some more, and reinstall later.
(lol)

#25
April 18th, 2007, 03:40 PM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Some tests I ran on Dynamic Security Agent

Quote:
Originally Posted by nicM
Just got a reply from Privacyware team, and yes, they're currently working on it. Good news!

One more time, I advise people NOT to quarantine these processes, but just to remove them from the default list. By quarantining them, you can expect some unattended behaviour, once one of these processes needs to run for legit purposes! These will be prevented from running.

Whereas by removing them from the default list, you'll get a prompt, allowing it to run (or not), depending on the context. This way you do not have to build a rule; a rule which would always allow these to run would be bad, same as a rule always preventing them from running.

Cheers,

nicM

Okay I stand corrected, I do not use DOS or Win16 bit apps, and adopted the habit that I close internet connection and all security apps, before doing 'low level' operations like error checking, changing partitions (image copies) et cetera.

Regards K

By the way why do we not hear anything of Kareldjag anymore?
 

All times are GMT -4.