Discussion in 'other anti-malware software' started by aigle, Feb 24, 2007.
Hi CH users, I want to ask is this normal regarding CyberHawk service I/O bytes history?
I thought CyberHawk was really a marvellous security feat with the protection level and ease of use they realised in their first software releases.
This is because behavioral protection has some architectural disadvantages and user-friendliness advantages.
Because they were so good, they were compared with classical HIPS, Sandboxes and Antivirus software applications. To fill in the blind spots (very hard to detect with behavioral analysis), they included a blacklist. This new feature needs I/O, therefore you see this IO characteristic. I should not worry, just a pity that a champion in its class crosses to another means of protection, black listing (I have an AV for that=black lists, so CyberHawk please stay the champion of behavioral detection, I do not mind that you do not catch things you were not designed for).
I already told the developers to improve the resource usage, but until now...
That's why I've tried nearly all builds and uninstalled them a couple of days after.
But until now they say that blacklist is only used when a malicious behaviour is discovered.
You should not be worried about 372 bytes/s and probably it isn't actually writing or reading.
For example for Jetico 1 there is a lot of I/O activity (mainly Other I/O) but the actual writes and reads are minimal:
Still seems much more here.
In one way I can understand what Novatix is trying to strive for with the blacklist but I really have to agree with the above, it's really not needed and is only complicating what has been a very formidable interceptor/Terminator! of suspicious files.
I was very amazed at its lightning fast rapid response to suspicious behavior when it first came out and it quickly won me over when I discovered it also could Terminate files on a dime when commanded. Later releases did not fare as well with my system mostly, such as causing a Lag like some AV's used to do, plus I had some trouble uninstalling it too.
Now with this latest release all those earlier issues have disappeared finally but new ones have surfaced although not anything like previous system lags, instead I got a load of Possible Keylogging prompts from about every process from Notepad to IE and on at least 2 of my TRUSTED programs that "are" keyloggers, they were quickly flagged by CH and yanked right away into quarantine which is a good thing I suppose, but I would have rather made that decision for myself. Even if CH malfunctions and pulls a good file into quarantine, it is easily restored so no real damage is possible from that new feature, just a little un-needed IMO.
I do hope Cyberhawk at least breaks up their versions into one WITH and one WITHOUT a blacklist if they feel the need to keep it that way, because just like you allude to, an Anti-Virus pretty much supports those duties.
As I know, the latest release has fixed this issue.
Never experienced so BTW.
I see Cyberhawk in behavioral blocking as a pioneer in much the same way as SSM is to HIPS and RKUnhooker is to ARK's.
That is they have early on set a form/standard for others to follow. I hope they continue on that path and not deviate as some seem to suggest they are finding.
Please see my other post here on the blacklist issue.
Cyberhawk does NOT compromise security by using a blacklist. Our use of a blacklist is only complementary to the initial behavior detection technology, and is used to facilitate some user interactions AFTER a known malware has already been detected through behavior analysis. In fact, it may help to not think of it as a blacklist since that term has other connotations and meanings not in play here. Instead, perhaps think of it simply as a database that is checked ONLY after a malicious behavior has been detected.
Hi Becky, no comments about the original topic of thread?
Unfortunately, no. That's a bit outside my area of expertise, so I'd direct you to our technicians at http://www.novatix.com/support. They're very quick to respond and can quickly let you know if what you're seeing is normal.
Please keep us posted. Thanks.
Hi, folks: Lately I noticed that each time members of this forum have questions and posted them here, often receive a kind reminder from Becky at CH to redirect their queries directly to CH support. I would regard it as a change of heart; Folks at CH may or may not be aware that CH has been widely tested by members of this wonderful forum. A member's concern could very likely be echoed by many others, and these people would like to know the solution as well. Sending question to support is often regarded as a private matter. If folks at CH opinion this forum is not an appropriate place to discuss or address problems openly, then I would strongly suggest them to open their own somewhere out there. Problems surely bring in solutions and often business progress can be followed thereafter. If CH's tec can reply concerns in e-mail, I can logically assume they can equally reply them by posting here. Just Loony sense.
The lack of posting and returning posts about specific questions is because we were asked to refrain from doing so, and which we are trying to at least, respect, by the Admins of this forum. I apologize if it seems rude.
About the I/O Bytes History, yes that is normal. Cyberhawk is monitoring the system for RK behavior, hence the pulsing I/O stats that you see. The amount depends on what you have running. On one system with the McAfee suite, the I/O reads around 202KB, with Comodo, VMware, outlook, Skype, Msnmessenger, ff etc... it reads around 310KB.
Hi, folks: Hi daniel, I am very pleased that you have come out to clear the air. I did not know that this forum does have some kind of restrictions of postings, especially from respectful developers. I do hope the ADM. of wilders can re-evaluate its policy to allow certain types of reply to be posted, not only will our members be benefited, but also will encourage us to participate in more discussion and healthy debate. Again, just my loonie sense. Have a nice one.
Thanks for reply.
That's OK I think.