comparison of anti-trojan programs and intrusion protection systems when dealing with

Discussion in 'other anti-malware software' started by Wai_Wai, Aug 21, 2005.

Thread Status:
Not open for further replies.
  1. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    thanx for sharing:

    I got:
    nod32
    Ewido
    Boclean
    spysweeper
    Tiny2005 pro (with all the candy it has)
    amd64 exe armour (limited exe prot+firewall+ids)
    WG
    PG (wait till it get finalized my friends!!!! the potential is not seen till today in any other processguard product imho)
    RD
    shadowuser

    and I got like 15 other tools which I am forgetting...

    AND I DON'T NEED ANY HIPS/IPS/IDS/ or whatever anymore

    how much do you need? please indulge me my friends, I always learned here .. but all this commercial stuff is killing me and my pc :D
     
  2. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Sorry but you misread what I mean.

    See this to see why you are not really getting 99.6% protection:
    https://www.wilderssecurity.com/showpost.php?p=539349&postcount=39

    Also I didn't say signature-based AV/AT/AS are bad.
    Would you mind telling me why you think so?

    Care to read what HIPS can do on top of AV + AS + firewall?
    Host-based IPS guards endpoints
    http://www.networkworld.com/news/tech/2005/072505techupdate.html

    Intrusion Prevention Systems: the Next Step in the Evolution of IDS
    http://www.securityfocus.com/infocus/1670

    Why You Need A New-Generation Intrusion Protection System
    http://informationweek.networkingpi...SNDBCCKHSCJUMEKJVN?articleId=165600465&pgno=5

    https://www.wilderssecurity.com/showthread.php?t=94258&page=1&pp=25
    Especially under the sections of:
    - Protection method
    - Security design of the product itself
    - Extra benefits
    (Ask me if you don't understand since I can't explain everything in one single article. So it is good to ask first, so I have a chance to clarify myself)
     
  3. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    A more complete list might look like this:
    "Scan of applications while program start (Signatures first - no question as to that)
    Live detection of Backdoor behavior
    Live detection of Worm behavior
    Live detection of Dialer behavior
    Live detection of HiJacker behavior
    Live detection of Spyware behavior
    Live detection of Keylogger behavior
    Live detection of Trojan downloaders
    Live detection of code manipulators
    Live detection of new drivers and services
    Live detection of new autorun entries
    Live detection of suspect behavior
    Define your own ruleset
    Exclude applications from protection
    Self protection against shutdown by viruses
    Protection of self defined applications"
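
    To make "Define your own ruleset", "Exclude applications from protection" and "Live detection of new autorun entries" concrete, here is a toy rule engine added to this thread as an illustration. It is not a-squared's code, DiamondCS's code or any vendor's implementation; the event kinds, rule names, process paths and registry entries in it are all constructed for the example. A rule matches an observed behaviour (a new driver, a global hook, a new Run-key entry) by event kind and by globs over the acting process and its target; excluded applications bypass the ruleset; anything no rule covers falls back to asking the user, which is the prompt the rest of this thread argues about.

```python
# Added illustration of a behaviour-based "ruleset" as the feature list above describes it.
# Toy code written for this thread, not a-squared's or any vendor's implementation.
# All paths, rule names and registry entries below are constructed sample data.
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Event:
    kind: str      # what was observed: "new_autorun", "new_driver", "global_hook", ...
    process: str   # image path of the process responsible for the action
    target: str    # registry key, driver file, hooked API, remote address, ...


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str = "*"       # event kind to match, or "*" for any kind
    process: str = "*"    # glob over the process path (compared case-insensitively)
    target: str = "*"     # glob over the target
    action: str = "ask"   # allow | block | ask


def rule_matches(rule: Rule, ev: Event) -> bool:
    return (rule.kind in ("*", ev.kind)
            and fnmatch(ev.process.lower(), rule.process.lower())
            and fnmatch(ev.target.lower(), rule.target.lower()))


def decide(rules, exclusions, ev):
    """Return (action, reason). Excluded processes bypass the ruleset entirely
    ("Exclude applications from protection"); otherwise the first matching rule
    wins; with no matching rule the user is asked."""
    if any(fnmatch(ev.process.lower(), pat.lower()) for pat in exclusions):
        return "allow", "excluded application"
    for rule in rules:
        if rule_matches(rule, ev):
            return rule.action, rule.name
    return "ask", "no rule matched"


def new_autorun_entries(baseline, current):
    """'Live detection of new autorun entries' reduced to its core: compare a
    snapshot of Run-key values against a baseline and report added or changed entries."""
    return {key: image for key, image in current.items() if baseline.get(key) != image}


# ---- constructed sample ruleset, exclusions, snapshots and events (not real data) ----
RULES = [
    Rule("block drivers loaded from temp dirs", kind="new_driver",
         process="*\\temp\\*", action="block"),
    Rule("allow autoruns written by Program Files apps", kind="new_autorun",
         process="c:\\program files\\*", action="allow"),
    Rule("ask about any global hook", kind="global_hook"),
]
EXCLUSIONS = ["c:\\program files\\ewido\\*"]   # the user's own exclusion list

BASELINE_RUN = {
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ewido":
        "C:\\Program Files\\Ewido\\ewido.exe",
}
CURRENT_RUN = {
    **BASELINE_RUN,
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater":
        "C:\\Users\\Guest\\Temp\\updater.exe",
}

EVENTS = [
    Event("new_driver", "C:\\Users\\Guest\\Temp\\setup.exe", "C:\\Windows\\System32\\drivers\\x.sys"),
    Event("global_hook", "C:\\Program Files\\Ewido\\ewido.exe", "user32!SetWindowsHookEx"),
    Event("global_hook", "C:\\Program Files\\SomeTool\\tool.exe", "user32!SetWindowsHookEx"),
    Event("new_autorun", "C:\\Program Files\\SomeTool\\setup.exe", "HKLM\\...\\Run\\sometool"),
    Event("outbound_connect", "C:\\Windows\\System32\\svchost.exe", "203.0.113.5:80"),
]


def run_demo():
    """Evaluate the constructed events, then the entries the snapshot diff turned up.
    Returns a list of (event kind, action, reason) tuples."""
    decisions = [(ev.kind, *decide(RULES, EXCLUSIONS, ev)) for ev in EVENTS]
    for key, image in new_autorun_entries(BASELINE_RUN, CURRENT_RUN).items():
        ev = Event("new_autorun", image, key)
        decisions.append((ev.kind, *decide(RULES, EXCLUSIONS, ev)))
    return decisions


if __name__ == "__main__":
    for kind, action, reason in run_demo():
        print(f"{kind:16} -> {action:5} ({reason})")
```

    Two things the output makes visible: the exclusion silently allows the excluded application's global hook, so an exclusion is a trust decision, not a convenience; and the two events no rule covers (the outbound connection and the autorun entry pointing into a Temp directory) end up as "ask", which is exactly the prompt the user then has to judge without more context than the engine had.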
     
  4. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Let's just say, it might be possible to go around PG. I know that some people feel that programmatically it is 100% impossible to go around PG but it might be possible.

    Hey, you don't even have to go far and google up all sorts of wild, exotic "white Papers"...LOL :) Take a gander right here at Wilders.

    Did anyone investigate this claim in this thread:

    "Interesting , it can even kill processes protected by Process Guard!"

    https://www.wilderssecurity.com/showthread.php?t=92427


    Apparently, the new RegDefend beta can kill processes protected by PG......or can it? PG is supposed to provide 100% protection so of course no one has followed up on that. No one really wants to know whether malware can use the same methods to get around PG. No, let's pretend it didn't happen. Let's stick our head in the sand. Let's bow down to the HIPS gods because they are all protecting......

    Sadly, I don't think anything is "All protecting"
    I don't think computer security can all the time be programmatically solved.......



    Starrob
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Although I don't expect you to answer this question, anyway what's your stance about firewall? Do you recommend using firewall?
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    why wouldn't you expect an answer from me? I always try to help out here .. whether it is useful around here or not :p

    to answer your question: of course it's necessary: I got a belkin router, tiny2005 and amd64 hardware firewall which acts just like I need in conjunction with router and tiny2005

    it's very much necessary to have good inbound and outbound protection and by outbound I don't mean processguard :rolleyes: or any other hips/ips/ids/...
     
  7. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    It's just my opinion only.
    It seems I don't have great misunderstanding of a-square IDS. It's because all the following are what other AV are doing. And it seems what they do are different from what IPS does.
    Here's my 2 cents.

    PS: I don't understand much about what exactly "Define your own ruleset" does. Would you mind explaining it?
     
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    DCS realized that they could not write a full explanation of everything. If they wrote a fully detailed manual, it would take a lot of time and end-users would probably ask more questions than get answers.

    That manual does not explain all of the things that PG can do or can not do. Shortly after PG 2 came out, I became involved in a long discussion on whether PG should protect WFP (Windows File Protection) from being changed.......which by the way is one long shot theoretical way of getting around PG.

    Now.....there are other things too. I still don't fully know all of what PG protects against and what it does. I don't think many non-experts do. I doubt even the inventors of the program know all of the specifics of the different aspects of PG.....they are working with many undocumented features. I seriously doubt they can explain to the layman how to exactly interpret the meaning of all their alerts.

    A Global hook alert pop-up. Like whereisthebeef said, "Do you know the meaning of this alert and whether it is malicious or not?" The answer for most people is No. The instructions in the manual basically tell you to guess. It tells you to block the action if you feel it is a malicious program and allow it if you think the program is safe. So, basically what PG does is mostly put you in a position to make guesses.



    Starrob
     
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Exactly .. so let us protect our boxes with hips ;)
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    ....edited, sorry :oops:
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    from the moment someone can explain to me some serious questions about hooking and stuff ... I wouldn't trust any single kernel driven app anymore cause let's face it...when the questions are asked you get chewed answers (or copy pasted from somewhere else) or you get a very big silence...
     
  12. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Most of the times Infinity we are going in the same direction. Right now, I am in the process of finding which security apps to dump. I am not sure how much of what I have is really necessary.



    Starrob
     
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Yes Starrob, I got the same about a lot of purchases I did last two years...I dumped already a lot .. the ones I paid for are the only ones at the moment and all the rest I don't like is just on demand (sic)

    this will not happen to me anymore :blink:

    but I understand but I will not let myself get carried away...especially with words like hips/ips/ids/pro active and radio active...

    take care.
     
  14. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    To specify what I mean:

    There are 2 claims which are against PG or HIPS:
    - users will not know how to use them, it's going to be useless
    - it is difficult to learn, and most people will not bother

    If these 2 claims were true, it could apply to any preventive security programs or programs which require users' answers:
    - network firewall
    - application firewall
    - any intrusion prevention system
    - registry protection
    - execution/process protection

    To be extreme, it can apply to AV/AT/AS too since they will prompt you for some of their real-time protections:
    - AV/AT/AS:
    Advanced behaviour blocker, heuristics
    It may prompt you that they are suspicious and ask you to make decisions. Again following the reasoning, these features are useless to them too

    False positives AND false negatives
    If users take their AV/AT/AS for granted without specific checking, there are chances that:
    - you delete innocent files since your program issues wrong alerts
    It is less serious for ITW malware, but more serious for Zoo malware

    - you miss harmful malware since your program doesn't notice its existence
    It is less serious for ITW malware, but more serious for Zoo malware

    HOSTS, IE trusted/restricted zone protection, startup protection
    Again it needs the users' knowledge when AS prompts you for a choice. Following the argument users don't know how to make their decisions, these protections are useless to them.

    Script Blocking
    It is hard to know if files like *.reg, *.vbs are harmful or not, so the programs will ask you if you wish to allow them. Following the argument users don't know how to make their decisions, these protections are useless to them.

    Don't get me wrong that the above are points to favour any proactive/preventive security programs!! Indeed, AV/AT/AS are still easier to use. So these points indeed favour them.

    What I would like to point out is it is wrong to say user's knowledge is NOT required for signature-based programs like AV/AT/AS (if the user is stupid enough not to update their programs, it is equally dangerous as he always . But don't get me wrong that I'm saying AV/AT/AS require an equal level of knowledge when comparing to proactive/preventive systems.

    After all:
    - User is not only the biggest weakness to HIPS, but also all sorts of security programs (although the extent is different).
    - no one can help stupid or no-brain users!
     
  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    MY reason is : It's not that I don't know how to use them (please...), it's just I don't want to step up on the same boat for something that isn't that new after all ... maybe some features are new (let's wait on pg for that)

    I don't see anything new after all (I am using ids/ips three years now)

    there are some other reasons too...

    and just because someone is a supporter of hips means he's smarter or whatever than a non supporter...
    you got to be kidding me...

    I might have more pro active protection than 80% of the users here (I guess that means you too)

    take care.
     
  16. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Where is the answer, feel free to post a link to a post where you gave the answer. The question again by the way is "How do you tell if a program should be allowed global hooks or not". or drivers.

    Answer that , or admit you have no clue how to answer that question.


    Agreed. Even if you knew all the ins and outs of PG, that still wouldn't help you with some other program you are running. It does help a bit, but it would still be a guess.

    For everyone else, the guess would be no better than a random guess.

    Or to put it another way, it puts you in a position to decide what to trust. And it makes little sense to run a program you don't trust.
     
  17. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Yes wai wai, if you don't get my point now, you'll never get my point.

    so let's install three kernel level pro active and hips programs .. let's see how stable your machine will be...

    there are various reasons why it is better to think first and then install something or bump on the wagon just because someone else says it's magnificent!
     
  18. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    :) Here you go Wai Wai
     

    Attached Files:

  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    What AV does the experts here use?
    https://www.wilderssecurity.com/showpost.php?p=529368&postcount=12
    https://www.wilderssecurity.com/showpost.php?p=529369&postcount=13


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    yes, and when you ask interesting questions they all remain silent cause they don't want to give any details about how stuff works...

    those are the experts...
     
  21. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Well they aren't exactly paid to be your teachers you know. You want details on how stuff works? Go to school or study on your own. :)

    I can't say I blame you and Starrob and others for asking though since the products they hawk require exactly that amount of knowledge and lead naturally to those questions.
     
  22. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    well, 80% of the experts here are sellers of software and I don't like that...they should get some other tag or something cause it's confusing...

    this ain't some criticism of Wilders but it's just confusing ... but that would be my prob, I am aware of that.

    about the teaching stuff, well I am doing my homework for a month now but there is sooooo much more I didn't know existed to be honest...

    so I am a noob after all...I don't have a prob with that ... it would become a prob when I don't realise that.

    grtz.

    /edit: I mean they certainly are experts!! but a lot more too (vendors trying to protect their rights, which is understandable (that's the thing) and that is making it hard to answer such questions I guess.

    anyway, I am doing some new stuff now .. just for my own and when I can I'll answer the questions cause I got nothing to sell ... got only to give.

    /edit: I do appreciate a few bucks in a while though :cool:
     
    Last edited: Aug 24, 2005
  23. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Well a certain member would tell you he dislikes the term "expert". But there are a couple of people I think worth listening to who aren't afraid to talk about technical issues. Of course those people do this in hope of starting a discussion and learning more but sadly, they aren't aware that it isn't happening because THEY are the ones with the most knowledge willing to speak up. ;0

    Then there is a second group who want to learn more, they love it when people post links to white papers and whatnot, how much they get out of such technical papers is anyone's guess.

    Well it's no shame to admit you are a noob. So am I in many respects. At least we know our weaknesses. It's much more dangerous for someone to delude himself into thinking he is more knowledgeable and skillful than he actually is AND they can mislead a lot of novices with their flowery writing skills into thinking he is actually someone who is worth listening to.

    Eg. I'm still waiting for someone who claimed he understood why a certain software required drivers....

    Just because you run/play with a few antiviruses, HIPS, read wilders forum for a while, you suddenly start posting "Articles"? You go to your friends house and lecture them on how KAV is the best AV in the universe, and how they need to run PG,Regdefend,Wormguard or they are screwed?

    You suddenly become qualified to advise ATs and Avs on their business prospects and lecture them on revenue model and service model? :)

    I try to challenge such people whenever I can, and correct outright technical errors whenever I can, but that makes me unpopular I guess.
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    yes, that's good. doesn't matter if it makes you unpopular cause most of the time this says more about the rest than about you.

    grtz.
     
  25. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Just to make a few more notes.

    I see people giving some good reasons about why they don't prefer HIPS. The reasons are:
    1) they have weaknesses. Don't think your HIPS can protect you against their so-called areas/scopes
    2) users will not know how to use them
    3) users will make all sorts of mistakes when deciding on an alert
    4) HIPS is useless. It gives very little protection, not to say none
    5) My computer is safe even without HIPS

    Frankly, I have to admit not all the points are invalid. If we consider the points on their own, all are correct (at least to some extent). However it seems too weird to say, although the points themselves are correct, they are used improperly to reach the conclusion of not using XX product.

    Now forget about "AT vs HIPS", or whatsoever. Just focus on the following:

    =========================================

    IMPORTANT: The following are my personal opinion only. Just intend to express my ideas. I may be wrong. Also I may not explain well in some parts and lead to misinterpretation. Do ask me if you wonder what I mean/imply. Comments are welcome.

    The following ideas may be VERY strange & VERY hard to accept. You have be noted seriously ( *puppy* )

    (1) Choice XX has weaknesses :cool:
    The point itself is true. However you miss the fact other choices have their own weaknesses. No choice is perfect. And if you don't choose XX simply because it is not perfect. It is very wrong, I'm afraid.

    Using this point to deny choice XX is unfair since all other choices share the same problem, but only choice XX is pinpointed. :'(


    (2) Situation A: People do not know how to use XX o_O
    (3) Situation B: People will make all sorts of mistakes when using XX :oops:

    The point is valid & I do see the point. However the conclusions they make are not really accurate. They say that because situations A&B occur, we should not choose XX. However these situations do not necessarily occur. There are other situations (eg C, D, E) which haven't been considered to make the above conclusion.

    The world is complex. Many things are relative in nature. However it is a common human nature that we would like to simplify matters, but this will fall into over-simplification and distort the real fact/truth.

    Will it be better to say the following:
    - we should not choose XX if situation A&B are met. But for other situations, choosing XX may be valid to them;
    - instead of "we should not choose XX since we will encounter situation A&B anyway, and there's no point to choose XX"
    ??


    (4) XX is useless
    This one involves value judgement. Even if you & I know the benefits of XX fully, still you may say it's useful; I may say it's useless.

    Instead of saying something is useless/useful :doubt: , it may be better for people involved to comment on some major aspects of XX, so we can know each other why you/I feel so. :ninja:

    The process can be something like:
    - Suppress any value judgement in this stage
    - for both sides, keep listing any functions XX have (no matter you think it's useless or not)
    - then we agree on the list of functions
    - on either side, try to give comments/ratings on either function

    This should be better for both sides to understand the value judgements of each other.


    (5) I am fine even if I don't choose XX, so no need to choose XX
    That point is valid. It is the use of personal experience to prove. However the validity of using this to reach conclusions depends on:

    - does your personal experience tell lies to you? o_O
    Case: I ate a cake 5 minutes ago. After 5 minutes, my stomach felt pain. I thought the cake must be dirty.
    Case: I ate a cookie. I did not have a stomach ache this time. So I think the cookie must be clean.

    - how representative your personal experience is? :rolleyes:
    Case: When you ate a cookie, and you had no stomach ache. Then you claimed all cookies produced by XX company were clean, and recommended everyone to use it. :eek:
    Case: A report shows that 70 samples contain XYZ virus in 100 cookie samples from XX company. So if we eat a cookie, it is estimated you have 30% chance that you will not be infected; 70% chance that you will be infected.
    Case: For 30% people who are not infected, it is likely they recommend others to choose XX company cookies; For the rest 70%, it is likely they will discourage others from choosing XX company cookies. :D

    ==========================

    Thanks so much for reading the whole post. :-*
    Ask me if you don't understand.
     