AVG Identity Protection future of stand alone

Discussion in 'other anti-malware software' started by acr1965, Oct 4, 2010.

Thread Status:
Not open for further replies.
  1. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I received a support ticket back from Grisoft regarding my concern about the future of IDP as a stand alone product. Essentially the response was that IDP support would continue and that IDP users should manually check for updates. There are supposed to be updates available for release in the future.

    My take on this is that there are supposed to be updates available in the future, for how long - we don't know. We will just have to ride this out and see what happens. Version 257 is still what I have still and no update available.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmm... was there any indication that it,s to be discontinued?

    May be like TF? I wish they make it free and develop more.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks for the news.

    @ aigle

    IDP is already provided for free, just not as a stand-alone. It's part of their free antivirus solution.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Oh i never knew that. I wish they give stand alone free as well that wil give them good publicity. Also wil be good ad for behav blocker in general.
     
  5. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    No indication that support for IDP is to be discontinued but also no ringing endorsement to the contrary. Just that support will continue and for IDP users to manually check for updates. The stand alone product is no longer advertised for sale on Grisoft. There is/was a sale for the product for like $2.75 each or so. That sale may still exist, not sure.

    I wish the IDP stand alone product was continued though as it, to me, was AVG's best product.
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557

    IDP NOT FREE!! o_O
    http://free.avg.com/ww-en/product-comparison
     
  7. progress

    progress Guest

  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I see AVG still hasn't updated their page. That ought to confuse a lot people! It sure confused me at first. No where I could find information, at AVG site, that IDP was available in their free AV, but it is. :)
     
  9. CiX

    CiX Registered Member

    Joined:
    Feb 22, 2010
    Posts:
    404
    surprise :p
     
  10. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    ...a nice surprise indeed. however, on testing you can see IDP doing all the dirty work... seems that AVG's signature/heuristic engines are rather weak... by the way, wasn't this IDP originally meant to be an app to prevent online identity theft? therefore it's name... o_O
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Has anyone tested it? It was like TF so that means users of AVG free must be getting some pop rps to answer by this behav blocker. And AVG must have good detection against zery days due to it.
     
  12. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    last time i tried IDP (before it was IDP that is) this BB is on the extremely conservative side of things, rarely throws a popup, very quiet and IMO really bad, but maybe AVG has improved it dramatically since they bought it, but i doubt it
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I guess it's a great thing that AVG IDP isn't bad? :)

    Anyway, I'll place some info here that I have in a pdf file I downloaded some time ago from AVG Australia. Don't ask me where, I do not remember; it was through the search engine I use, when searching for more info regarding IDP.

     
  14. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    @m00nbl00d

    Thanks for the info! :thumb: well, It's a good thing IDP has now been embedded into AVG's freebie. Like I said, I've seen it taking the bullets when throwing malware at it.... So since AVG is relying heavily on this behaviour blocker, I personally don't see it's development being stopped...
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No problem. Have you tried to disable IDP to see if the antivirus/antispyware could spot any of the malware you threw at it?
     
  16. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    It's a BB but also a hash scanner.
    Just run some malware and take a look at the packets.
    I don't think it's as good as Mamutu or ThreatFire, too many holes, e.g. it doesn't care about direct disk access.

    I have tested Antibot some time ago, it was sometimes way too late when malware installed a driver, it removed the file after the driver was already loaded.
    Maybe someone likes to check if it's still the same with IDP.

    Cheers
     
  17. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Under the help location of IDP is a list of "some characteristics of monitored processes". I copy/ pasted the list. I'm not sure how exclusive this list is though.

    Some characteristics of monitored processes

    This list displays some most important characteristics of processes monitored by AVG Identity Protection. Many of these are very typical for malware, but others can be either malicious or beneficial depending on the situation. When you select a process in the Monitored list, AVG Identity Protection shows all characteristics of that process.

    Writes to Program Files directory

    The process created another executable file in the Program Files directory, where most normal programs are installed by default. This indicates that this program is likely to be a normal installation program although some malicious programs install themselves in this directory.

    Registers executable to survive reboot

    The process modified the registry so that it will be restarted each time Windows starts. This can be suspicious, although legitimate programs can also have this characteristic.

    Changes executable mapping

    The process modified the mechanism by which executable files are started by Windows. This is highly suspicious behavior.

    Small executable

    The executable is small. Malicious programs try to be stealthy by minimizing the impact on the underlying system. However, many normal executables are also small such as some system processes and utilities.

    Properly installed

    The executable appears to be properly installed. This generally indicates a normal program although some adware and spyware programs also install themselves properly.

    Signed executable

    The executable is digitally signed. This does not imply that the executable should also be trusted. Check if there is also a Trusted installer entry. This means that AVG Technologies has validated the signature and found the executable to be trusted.

    System service

    The process is a system service managed by the Windows Service Control Manager.

    Shadows a system executable

    The process has the same name as a legitimate executable. Malware often uses this mechanism to hide on a computer - it runs with the same name as a legitimate executable but located in a different part of the file system. If viewed in the Task Manager, both will look like legitimate processes.

    An executable with this characteristic is suspicious. For example, the real SERVICES.EXE (the legitimate Windows Service Control Manager) runs from C:\WINDOWS\SYSTEM32\SERVICES.EXE. A trojan might be named SERVICES.EXE but is installed as C:\WINDOWS\SERVICES.EXE. If viewed in the Task Manager, which does not show the full path to the executable, both will look like legitimate SERVICES.EXE processes. The only legitimate executable that occasionally has this characteristic is the Java SDK and JRE. Java is often installed in many different locations on a computer, and often more than one version is installed. This can result in some Java processes having this characteristic.

    Has a double extension

    The executable is in the form MALWARE.JPG.EXE. with two or more three letter extensions. Windows is configured by default to hide known file extensions, so the file would be shown on the screen as MALWARE.JPG. An unsuspecting user might think that they were opening a JPG or image file instead of an executable. This is highly suspicious.

    Executable changed

    The executable has been modified on disk since AVG Identity Protection started monitoring this executable. This could be because the executable has been updated as part of a normal software update process, or that the executable has been modified by a malicious program to run malicious code.

    Hidden on filesystem

    The executable has the Hidden flag set on its executable on the filesystem. This is normally used for system processes, but is also a way for malware to hide itself.

    Window not visible

    The process does not have a window that is visible on the desktop. This implies that the program is trying to be stealthy and invisible to the user. The majority of malicious programs will have this characteristic although many system processes do not have visible windows.

    Hidden process

    The process is hidden from the user, probably due to some rootkit-like technology. The only legitimate processes that are hidden are those associated with some security software. This is highly suspicious.

    Process memory is compromised

    The process has had its memory compromised because another process has injected code into it. Code injection of this style is also known as DLL injection. The actions of the process may not be what they were originally programmed to be because process will be running the injected code. Some security software injects code into running processes, which would result in nearly all processes having this characteristic.

    For example, a Notepad process could be running code to cause it to listen on a certain network port and allow remote access to the computer, which is not within the normal actions of a simple text editor. A process with this characteristic is suspicious. The change is not permanent because the executable is not changed on disk, and if the machine is rebooted, the process will run as normal, unless it is compromised again.

    Network Facing Stdio

    The process has its standard in and out handles connected to a network port. This can mean that the process is the result of an exploit.

    Uses the network

    The process used the network, either as a client accessing services on other machines, or listening on a certain network port. Malicious programs need to use the network to communicate with their controllers, send out information, or receive software updates. Many legitimate programs also use the network.

    Unusual network usage

    The process used the network in an unusual manner.

    Terminates processes

    Some malicious programs attempt to terminate security programs (e.g. anti-virus or anti-spyware) to avoid detection. It is rare for normal programs to forcibly terminate other programs, except for security programs and utilities such as Task Manager.

    Installs a kernel module

    The executable attempted to force the operating system kernel to load a kernel module in an attempt to modify the behavior of the operating system. This characteristic could indicate an attempt to install a kernel-level rootkit. Several normal programs install kernel modules, such as anti-virus software, firewalls, and tools like Process Explorer, Regmon and Filemon (from http://www.sysinternals.com).

    Disables the Windows firewall

    The process disabled the Windows firewall. This is suspicious.

    Modifies the hosts file

    The process modified the hosts file, which is used in configuring networking on the computer. By adding or changing entries in this file, malicious programs can direct network connections to certain sites without the user's knowledge.

    Modifies the config.sys file

    The process modified the config.sys file, which contains the list of default drivers the system loads on startup. This may indicate an attempt to load a malicious kernel module as part of a rootkit installation.

    Modifies the autoexec.bat file

    The process modified the autoexec.bat file, which controls how Windows starts up. Malicious programs may try to modify autoexec.bat so that it loads them every time Windows starts.

    Altered browser settings

    The process modified web browser settings such as home page or search preferences. Although some legitimate installers can modify these settings, it is a common characteristic of adware, spyware, and browser hijackers.

    Started system service

    The process started a system service using the helper application net.exe.

    Stopped system service

    The process stopped a system service using the helper application net.exe.

    Survives reboot

    On each reboot, Windows automatically runs this program. Malicious programs generally need to survive reboot to be effective at stealing information from the user. Many legitimate programs also survive reboot.

    Probably survives reboot

    The executable was not explicitly registered to survive reboot, but it started immediately after the system was started and appeared to survive reboot. Malicious programs generally need to survive reboot to be effective at stealing information from the user. Many legitimate programs also survive reboot.

    Spawns other processes

    The process spawned child processes.

    Executes from the cache

    Programs that run from the cache are suspicious. Either they have been downloaded and run directly from a browser or email client, or they are programs running from the cache to hide themselves.

    Logs keys using a Windows hook

    The process has installed a Windows hook to log key strokes (a keylogger). Malicious programs install keyloggers to steal logins, passwords, or credit card numbers. Some legitimate programs, for example instant messaging, use keyloggers to monitor user activity in order to display that user's status.

    Executes from the Windows directory

    The process executes from the Windows directory on the filesystem. Many malicious programs run from the Windows directory in an attempt to avoid detection among the core Windows executables and utilities located there.

    Executes from Program Files directory

    The process runs from the Program Files directory on the filesystem. This is the default directory for legitimate software installation, but some adware programs also run from here.

    Logs keys

    The program attempted to log key strokes and is likely malicious.

    Executes from the filesystem

    The process runs from an area of the filesystem separate from the Windows, Program Files, or Cache directories.

    Registers COM objects

    The process registered a COM object, which is a code module used to extend the functionality of Windows. Legitimate installers often install COM objects, but some spyware programs do so as well.

    Registers protocol extension

    The process registered a Protocol extension, which is a way to augment the networking behavior of Windows. This behavior is suspicious.

    Registers a toolbar

    The process registered an Internet Explorer toolbar. While there are many legitimate toolbars, a significant number of them are malicious.

    Registers appinit_dlls

    The process registered a dll (executable module) so that it will load into each Windows process. This is sometimes used by security products, but is also used by malicious programs to implement rootkit-like functionality.

    Registers a Winlogon extension

    The process registered an extension to the Winlogon process, which is code that responds to system events such as shutdown, startup, or user login/logoff. The Winlogon process is one of the first to start and the last to shut down. Some security applications use these extensions, but some malicious software uses them as well.

    Registers a BHO

    The process registered a Browser Helper Object or BHO, which is code that extends the functionality of the Windows shell (explorer.exe) and Internet Explorer. BHOs are often suspicious.

    Registers a LSP

    The process inserted a Layered Service Provider (LSP) into the system network stack. This changes the way that the network stack handles some network events. While there are legitimate instances of LSPs, it is highly suspicious.

    Is terminated

    The process has died.

    Writes to the Windows directory

    The process created an executable file in the Windows directory. Although some legitimate installation programs copy executables to this directory, many malicious programs may do so in an attempt to avoid detection.

    Injects code

    The process attempted to inject code into other running processes, forcing them to run foreign code. This is also known as dll injection, and often indicates malicious activity. The only legitimate programs that inject code into others are security programs such as anti-virus and anti-spyware.

    Trusted

    The executable is trusted by AVG Technologies.

    Registers a URL search hook

    The process registers a URL search hook, which modifies the way that searches are handled by Internet Explorer. This is commonly associated with malware.

    Reinstalls malware

    The process has re-installed malware. This is obviously highly suspicious.

    Writes to the filesystem

    The process has created an executable on the filesystem. This is commonly associated with installation programs.

    Visible window

    The process has a visible window. This is usually associated with normal programs rather than malicious ones.

    Disables Windows File Protection

    The process has attempted to disable Windows File Protection, which protects core Windows executables from tampering. This action is highly suspicious.

    Is a kernel module

    The executable is registered as a kernel module.

    Registers a filter driver

    The process registered a filter driver, which augments the Windows kernel.

    Is an LSP

    The executable is registered as a Layered Service Provider (LSP), which is a code module that alters the way that the computer handles network events.

    Alters common startup area

    The process altered the directory that holds files to execute automatically on startup. This is highly suspicious.

    Trusted installer

    The executable is digitally signed by a company that is trusted by AVG Technologies. The signature has been verified, and this executable should be trusted.

    COM object

    The executable is registered as a COM object.

    Protocol handler

    The executable is registered as a network protocol handler.

    Winlogon Extension

    The executable is registered as a Winlogon extension.

    Browser Helper Object

    The executable is registered as a Browser Helper Object (BHO).

    URL Search Hook

    The executable is registered as a URL search hook.

    Toolbar

    The executable is registered as an Internet Explorer toolbar.

    Appinit dll

    The executable is registered to be loaded into all Windows processes using the appinit_dlls registry key.

    Installed via IM

    The executable was installed via an Instant Messaging program.

    Installed via email

    The executable was installed via an email program.

    Installed via browser

    The executable was installed by a browser.

    The executable is packed

    The executable is packed (compressed or encrypted). In general, this reduces the size of an executable. Many malicious programs are packed in an attempt to evade detection by signature based mechanisms.

    Hidden service

    The executable is registered as a system service hidden from the user. This is highly suspicious and evidence of rootkit-like behavior.

    Loads DirectX

    This process uses DirectX common graphics library.

    Alternate Data Stream

    This executable runs from an Alternate Data Stream. This is highly suspicious activity.

    Alters Active Desktop settings

    The process has altered Active Desktop settings changing what is displayed on the user's desktop.

    Unusual Network Server

    This characteristic indicates that this process is acting as a network server using unusually high port for communication.
     
  18. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    http://www.avg.com/ww-en/faq.num-2564#num-2564

    PRSC > Antibot > IDP > Over and done.

    Cheers
     
  19. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    It's pretty low that they made a big sale first then announced the product being discontinued. I really don't trust Grisoft and will never be making a purchase from them again. That goes for the v3.co.uk store as well.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Shameful.

    How can a security vendor like this be trusted? First they sell IDP before 2011 products line came out like rabbits, for the sake of getting extra bucks... Knowing before hand this would happen?

    I don't know about you folks, but in my book that's rogue.

    I know Linkscanner it's not in discussion here, and I don't wish to deviate from the thread's topic, but the same will happen to it. It was only provided as a standa-lone during all this time to "capture" more people to later on user their free AV, and then move towards their paid products.

    Guess what? I've already downloaded AVG Free, and will be testing performance with only IDP component activated.
    Fortunately, it is possible to have it as the only active component.

    I wish everyone who had paid for IDP, these last weeks, to flood their AVG forum with complaints. They don't have a support forum for their paid products, so that would have to suffice.
    Hopefully, over time, both home and enterprise clients would stop trusting them.
     
  21. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    i tried that this morning after reading your post (i didn't think about it last week when i first tested it) and the sigs were able to catch 89/126 of the malware i threw at AVG Free. it struggles during clean-up tho, some threats were detected at fist but i kept receiving pop-ups about the same sample over and over even after rebooting... which is an indicator about the fact that AVG relies way too much on IDP on this new 2011 line. I can bet that's why they included it in the freebie...
    I saw you are testing AVG Free with only IDP enabled... please let us know what comes out

    BTW, about AVG stopping IDP's dev as stand-alone... not clever at all... and selling it right before taking it out of production....... yet another scam... :thumbd: :thumbd: :thumbd:
     
  22. progress

    progress Guest

    Well done AVG :doubt:
     
  23. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    well done indeed:doubt:
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I still have to download AVG AV Free. I thought I had it, but made confusion with Linkscanner installer (~60MB!). AVG AV Free is more than 120MB (something like that). Will download it tomorrow.

    I also still have to install Windows 7 in a virtual machine, because I want to see how it will play along with Microsoft Security Essentials and avast! 5, in terms of resources, with only both Linkscanner and IDP active and everything else disabled. (I know that AVG states both MSE and avast! 5 conflict with Linkscanner, but I'm yet to see systems crash due to them. I'm a lucky person! I already have two family members running their systems with Linkscanner + MSE/avast! 5, respectively.)
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for replies.

    PRSC is done for good. Another behav blocker is dead.

    I guess they will soon kill LinkScanner too.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.