Can this be a better combination than AppDefend\RegDefend or ProcessGuard?

Discussion in 'other anti-malware software' started by dja2k, May 18, 2006.

Thread Status:
Not open for further replies.
  1. herbalist

    herbalist Guest

This definitely shows the differences in how we view this situation, and the difference between intrusion detection and intrusion prevention. If I received a prompt regarding an app I don't know wanting to start, I'd deny it immediately. It doesn't require a god to use a "default deny" or "block the unknown" policy. If it's not something I installed or part of the OS itself, I'm going to block it. When I put this version of my system together, I saved a complete listing of every file that was part of the initial installation, then used Inctrl5 to monitor and make a record of every software install, including MS updates and patches, new drivers, etc. All auto-updating is blocked. I update everything manually. If the item in question is not listed in those records, it will be blocked and investigated.
    Sounds a lot like the behavior of the updaters for a lot of software, no visible windows. Checking on those could get old in a hurry.
    Ric
     
  2. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    I just installed SSM. Could you explain the "Paranoid Setting"

    ...screamer
     
  3. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @herbalist

    "If I received a prompt regarding an app I don't know wanting to start, I'd deny it immediately." ... "If it's not something I installed or part of the OS itself, I'm going to block it."

    I was talking about the following scenario. User downloads trojanized software package from non-trustworthy source and voluntarily installs it. This is when an IDS comes into play.

    You are cautious and will never act in the above-described way. Basically, I am convinced that you don't need any security software at all.

    But security software developers are interested in the normal user who wants to have fun, uses filesharing networks and does not care too much about security soft. Such users are at risk. And an IDS will help them.
     
  4. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Ntl isn't really saying anything new. :)
     
  5. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    Perfectly true. But do you agree or not? ;-)
     
  6. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
Wrong. In this scenario, run the non-trustworthy source in a protected environment, i.e., a sandbox or virtualised environment. And for the remaining non-trustworthy sources which can't run in this area, this means that they perform illegal operations and therefore do not deserve your trust to be run on the real system (in order to make it work).

    Regards.
     
  7. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @BZJet

    I like virtualization. The last program I tried perfectly screwed up my computer ;-) But once this type of software works it will be great.

    By contrast, VMWare or VirtualPC are no real alternative.

    Anyway, no "normal" user will consider your suggestions. Unfortunately.
     
  8. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    @,.-,

You are talking about a total virtualisation system. Honestly I was talking about security software based on virtualisation, either completely (see my sig or look for green border) or partly with DW from Ilya.

    I really believe "normal" user can use this (I consider myself as one of them), as it becomes more and more simple, more and more transparent, almost childish.

    I think anyway that if users don't come to it, it will be implemented by default in next generations OS.
     
  9. herbalist

    herbalist Guest

    I haven't done much with IDS, save trying out SNORT for a short time. Unless these have gotten a lot more user friendly, I can't see the average user even considering it, let alone understanding what they're looking at.
    None at all? I'm not that well behaved. I use P2P and will download exe's and zips. If anything, my paranoia and caution has only made me see just how much I do need such a system. Having a tightly configured HIPS enables me to have fun, with minimal risk. It seems to me that you're looking to defend the user from himself. Unless someone else configures the IDS (or HIPS) for them, I'm not sure this can be done with any degree of certainty.
    Regarding total virtualization, even if this is made part of the OS instead of being separately installed, sooner or later someone will figure out how to defeat it. Trying to clean a system like that could be a nightmare. If something like total virtualization could be added to a "live CD" operating system, problem solved.

    Screamer,
The paranoid setting in SSM is a much more restrictive setting than the "block processes" setting. Instead of blocking just processes for which there is no rule, it blocks all behaviors not specifically permitted by existing rules. Processes are allowed only for the specified parent processes, not just allowed on an overall basis. For example, you want to be able to access the control panel of your firewall. This is normally launched with windows explorer. The rule gets written so that the firewall control panel is a permitted child process of windows explorer. Now if your browser or media player tries to open your firewall control panel, SSM will alert you to this and ask you if you want to allow this, if SSM is in the administrator mode. If SSM is in user mode, it will just block it silently. The same applies to system hooks, drivers, etc., but the paranoid mode isn't quite as restrictive with these.
    The ability to control what processes can be launched by each individual process is the strength of this setting. Only the combinations you specify are allowed. One thing needs to be said here before you use the paranoid mode. Make absolutely certain that the rules for your entire boot process are completed, all the needed parent+child settings finished. If you engage paranoid mode with the learning mode disabled before this is done, you'll lock your system up solid. Figuring out what you overlooked in this situation is a real pain that I learned the hard way. There was no learning mode back then. Process Explorer from sysinternals can be very helpful here. Its tree view clearly shows the parent+child relationship of the processes, making it easier to be sure you have them covered.
    Rick
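As an added example (not from this thread or from SSM itself), a small Python model of the parent+child rules described in the post above, together with the pre-flight check for uncovered boot-process pairs that the post recommends. The rule format, the decision behaviour and the sample process tree are constructed for illustration and are not SSM's real configuration.

```python
"""Model of a default-deny parent+child process policy (constructed example)."""
from dataclasses import dataclass

# Rule set: parent process -> set of child processes it may launch.
# Anything not listed is denied. Boot chain and the firewall control
# panel example are constructed; names mimic an XP-era boot but are
# illustrative only.
RULES = {
    "smss.exe": {"csrss.exe", "winlogon.exe"},
    "winlogon.exe": {"services.exe", "lsass.exe", "userinit.exe"},
    "services.exe": {"svchost.exe", "spoolsv.exe"},
    "userinit.exe": {"explorer.exe"},
    "explorer.exe": {"firewall_panel.exe", "browser.exe", "mediaplayer.exe"},
}


@dataclass
class Decision:
    allowed: bool
    prompted: bool  # True only when the user was asked (administrator mode)


def evaluate(parent, child, admin_mode, user_says_yes=False):
    """Paranoid-style check: only an explicitly listed parent+child pair runs
    without question. An unlisted pair is prompted in administrator mode
    (UI connected) and silently blocked in user mode (UI disconnected)."""
    if child in RULES.get(parent, set()):
        return Decision(allowed=True, prompted=False)
    if admin_mode:
        return Decision(allowed=user_says_yes, prompted=True)
    return Decision(allowed=False, prompted=False)


# Constructed process tree in Process Explorer style: (parent, child)
# pairs observed during one boot. The last pair has no rule on purpose.
BOOT_TREE = [
    ("smss.exe", "csrss.exe"), ("smss.exe", "winlogon.exe"),
    ("winlogon.exe", "services.exe"), ("winlogon.exe", "lsass.exe"),
    ("winlogon.exe", "userinit.exe"), ("userinit.exe", "explorer.exe"),
    ("services.exe", "svchost.exe"), ("services.exe", "spoolsv.exe"),
    ("services.exe", "wuauclt.exe"),  # not in RULES: would be blocked
]


def uncovered_pairs(tree, rules=RULES):
    """Pre-flight check before enabling paranoid mode with learning off:
    every observed parent+child pair needs a rule, or that step of the
    boot is blocked and the machine locks up."""
    return [(p, c) for p, c in tree if c not in rules.get(p, set())]
```

Run `uncovered_pairs(BOOT_TREE)` against a tree captured with learning mode on; an empty list is the condition for switching modes safely.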
     
  10. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
Thanks Rick, I think I've got a good idea now. I'm sure I'll be back w/more Q's about this app though.

    ...screamer
     
  11. EASTER.2010

    EASTER.2010 Guest

    Which just goes to prove that the SSM group are fiercely serious when it comes to protecting the windows computer system and have analyzed intensely just what it takes to slam the door tight on intrusions ever again.

This is what gathers my confidence like none other ever before, they don't play games with your system's safety or lead users on a long drawn out ordeal of fix-ups and other annoyances that have plagued users indefinitely and been cause to make you pay and pay only to have to pay again later because some new malware has been released. My motto and belief has always been stop the buzzards before they even get a chance to roost in the first place, and until HIPS everything else has been only a loose bandaid to catch 'em only after they done communicated and were responded to from Windows lame code designs. Anyone can plainly see they intentionally allowed their code to become easily inhabited by even a script kiddy which shows their intent has never really been security or protection for your investment in their product OS's. Otherwise they could have addressed those issues long long ago.

    As far as I am concerned, with programs like SSM firmly in place, malware developers' only recourse left is to try to discover some magical way to hijack the very electrical current that runs these desktop appliances because their craft has reached its final apex and now that HIPS are on the scene have efficiently and confidently returned control of the windows systems where it always belonged in the first place (to its rightful owners):thumb:
     
    Last edited by a moderator: May 19, 2006
  12. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
Quite a bit of hyperbole here I think.
     
  13. EASTER.2010

    EASTER.2010 Guest

    IT'S THE WHOLE TRUTH AND NOTHING BUT THE TRUTH!!

    Skepticism and scrutiny has raised the bar to the point where some groups have not only accepted the challenge but have FULLY SUCCEEDED!

Sorry but money and profit doesn't always drive the most intelligent! Bottom Line is you can go a lot farther with exercising thoughtful and intellectual designs than feed the greed that fuels motivations in the way that many pride themselves on and have done in this technological field.

    Everything at one point or another comes around full circle leaving no more room for neglect.
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
Some of my users are amateurs. They have no problems using DW as it is already easy in use and transparent (and I'll simplify DW in the future).

I believe in it too. It is the future of the OS-based anti-malware protection.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Still can't find "paranoid" mode in SSM. Is this where you disconnect the user interface?
     
  16. herbalist

    herbalist Guest

Call up the main menu and click on the "options" tab. On the left side, click on "applications". It's under program behavior. On the newest version, it's labelled
    "Block everything (paranoiac setting)"
    The user interface can be disconnected by right clicking the tray icon. It can also be done from the main interface by clicking anywhere on the title bar. The tray icon is green when the UI is connected (administrator mode) and blue when it's disconnected (user mode).
    Rick
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks herbalist.

    Pete
     
  18. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Ilya

    I was talking about virtualization software like Altiris etc. At first sight, it seems to me that DefenseWall is similar. I assume that you will be familiar with the products of your competitors.

    Can you describe the technical differences between Altiris and DefenseWall?

    Are there any additional functions that you hook?

    Is DefenseWall rock-stable (not alpha or beta) and does not screw up my computer?
     
  19. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
There are various postings that defensewall is the most stable of all sandbox programs out. It is also the most effective as some of the other ones seem to be based around the "application firewall" concept.

    dja2k
     
  20. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

    DefenseWall has been very stable for me - from early beta to date. I have had the occasional problems but support has always been very responsive
     
  21. herbalist

    herbalist Guest

I'm glad this didn't turn into a "which approach is better" debate. It's obvious that many support all these methods and apps, because they're all good. All have their strong points and potential problems. Each approach favors a different type of user behavior.
    IMO, the ideal approach would be a combination of these. Run a sandbox or virtual environment on a unit already locked down with a well configured HIPS. Even if something does break out of the sandbox or virtual environment, there wouldn't be much it could do against the HIPS defended system. Ideally, these should be completely separate and independent, not part of some suite or package where they might share components and possibly weaknesses.
    The sad part of all this is that when Vista comes out, we'll have to go thru this all over again with a whole new set of vulnerabilities and exploitable code.
    Rick
     
  22. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I think you underestimate the intelligence of malware writers. These things are made to slip by even advanced users, and when you get the statistics (on effectiveness of behavior blockers in practice) you see that they very often do. Think about it; do you think it's the simple stuff getting past scanners?

    I think you might have to clarify that one. Behavior blockers have been around for many years, and haven't changed much. Prevx1 is the only one that I know of to take the concept into a new direction.
     
    Last edited: May 20, 2006
  23. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    *cough* *cough*...
     
  24. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    herbalist Quote

    "The sad part of all this is that when Vista comes out, we'll have to go thru this all over again with a whole new set of vulnerabilities and exploitable code."

    Not if you don't install Vista you won't !


    StevieO
     
  25. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    :)

If you want a new PC, best to buy it before Vista comes out. When XP came out, our OEM pricing for Windows 2000 was more expensive than XP. I suspect that they'd do the same thing again to encourage Vista uptake.
     