Another Combo Group

OK, so i test and rootkit and trojan my units basically to follow the paths the droppers take and what behaviors they perform.

I'm relatively skeptical when it comes to keeping a permanent safety/prevention set-up.

I like All-Seeing Eye but it goes overboard for me with prompts even though you do need to establish rules with it, that much i understand.

After some members reviews my curiosity is led to setting up a combo which includes SuperAntiSpyware, Dynamic Security Agent, InfoProcess Lauch Monitor, and of course SSM.

On-Demand is A2Squared:rarely used:

Of all these my favorite is ShadowSurfer which drops the session when activated and returns everything as was similar kind of like System Restore but with more security IMO.

Any thoughts to this combo and what do you see as favorable in this series of PC preventors/interceptors.

Probably needed is a external hard drive to keep a Clone of the perfect clean set-up in case of malfunctioning Windows or something gone awry.

Peace and Safe Surfing Habits My Interest.

 

i dont know about InfoProcess's Launch Monitor, but i do think Dynamic Security Agent and SSM overlap some. how do u configure the two or do u not mind the overlap?

 

So far WSFuser i've not noticed overlap you refer to regarding SSM and that very well could because i reverted to version 206.5.6.8 which does all i need it to do without hassle or issue. I'm extremely skeptical when a vendor pours out a series of updates in succession like SSM has recently. I find the new registry feature not satisfactory to the earlier one for one matter and the heavier the program gets the less interest i take in it.

So that's likely why they both work without issue. I checked the SSDT table with Ice Sword and others and see just where DSA and SSM cover and so long as they keep to those areas without competing that's ok for me.

Launch Monitor takes up some residence in that table also without issue so i suppose they are positioned where they are without conflict, at least none that is caused any concerned for my units.

Thanks.

 

im not very familiar with DSA, but as long as theres no overlap then its good i guess.

 

All-Seeing Eye is very good at telling you your system has been hosed, but doesn't do a whole lot to prevent it. See the following review:

http://kareldjag.over-blog.com/article-1061426.html

There is a lot of overlap with DSA and SSM. You really only need one or the other. The free version of SSM doesn't have network control, but the user has more control over the program itself, which I feel is important. Also, I found out there are certain areas in which there is the possibility of conflict due to both programs performing the same duties and fighting each other for control. Also, it takes a lot resources to just run one of them. I feel SSM is the more powerful of the two and many times more configurable. There really is no menu for changing rules in DSA - simply approve or quarantine a particular program. If you make the wrong decision and click the wrong answer in DSA, I'm not sure how to reverse it - something that is very easy to do with SSM. I also found with DSA that I kept having to answer the same questions over and over. SSM can be very vocal at times also, but rules are much easier so that prompts are decreased. I've never heard of InfoProcess Lauch Monitor, but sounds like some kind of startup monitor. Is this correct? If so, again, this would be redundant if running SSM with the registry module enabled.

If running a HIPS, I feel running an anti-spyware program real-time is redundant and a waste of resources. SuperAntispyware is an excellent scanner, but if you use a good AV, it will catch malware long before the AS will. SSM will cover the other bases. I have run Ewido, CounterSpy, Spysweeper and several others real-time along with NOD32. NOD always caught the garbage while the AS programs sat silent. For real-time, if you run ShadowSurfer, SSM and a decent firewall and AV, that should be sufficient. Running anything else would be mostly overlap and really unnecessary. There are some who say AV is not needed with sandboxing software, but that is incorrect. My understanding, however, is that AV should run outside the sandboxed environment. I don't personally run any kind of sandboxing utility, but that is my personal preference. They give some a false sense of security. More and more malware is being developed lately specifically targeting sandboxing programs, and many are easily getting through to the user's system due to haphazard surfing by those believing the sandbox will protect them from any malware. That's why it is imperative to have a good firewall, AV and HIPS, whether running sandboxed or not.

 

And that Combo really boils down to the bottom line as an excellent prevention mechanism which is about all that's required for total safety.

Firewall is imperative irregardless of trust in a Sandbox setup or not for that safety net. Without one and running a sandbox who is to say an overload wouldn't unload a ton of intrusions that would just stall out a PC completely and theres no sense competing with that type of annoyance on any level.

I agree these other additions are indeed overlap and perhaps unneeded but it does offer for me a degree of examination on just how they can or cannot perform well together, but that's just my choice to see which one stands up the most to different intrusions (locally forced ones mostly).

Almost left out RKUnhooker as a standalone reviewer/detector that covers areas many others can be bypassed with clever enough coders, and we know there are those who are wise enough in windows internals to turn the tables on the most formidable of protectors many of us take for granted.

 

Interesting approach, but not sufficient.

PS WSFUSER was referring to overlap in function, which certainly does occur.

PSS Don't quote me on this but DSA's HIP functions seems to be mostly usermode...

 

I will anyway because UserMode is a far cry from deep Kernel core and therein lies the possible vulnerabilities to fool the lightweights (userlanders) detectionors. And is exactly why virtualization is the prevention of choice on this end. I use ShadowSurfer! myself.

As to overlap in function, those i use right now and mentioned do not offset (so far) or for lack of a better term, cancel each other out but take up their respective places & station in separate sections of SSDT instructions while the other, say safemon.sys fills in it's own areas of that table.