Neoava Guard Questions

That,s nice.
BTW you have two HIPS now( SSM n NG) so there might be problems related to this.

 

There's plenty of autostart, and Windows services are just one of them. Assuming both aigle's and Rasheed's testing results are correct, NG monitors all tampering to Windows services, but only additions to the Run* regkeys.

 

@ aigle

Yes, normally I wouldn´t recommend it (you seem to use two HIPS too btw) but I still need SSM for a couple of things, and so far they both seem to work correctly, so no problem. Of course, even ZAP has a HIPS (which I disabled), so this may have caused problems too. Btw, since you have a bit more experience, can you perhaps give some tips about how to setup file/folder control in NG the best way, so that you won´t get any annoying alerts? Which folders do you protect?

@ Solcroft

My mistake, I thought n8chavez meant something else, if you disable/enable services, NG will always alert you (Arman even fixed a bug related to this), but if you delete autorun entries, NG won´t alert, I already addressed this issue on the official NG forum. Not a big problem for me since SSM covers this via the registry monitor, but another tool that can stop this is Arovax Shield (which I used to use), it´s not really advanced but it did do the job, however, it might or might not conflict with NG and other HIPS.

 

Wow, sounds like Fort Knox Overkill

 

I don,t use this feature of NG except for testing. For that I made a special folder in my documents.

 

@ aigle

OK, so I assume you´re using the feature only in EQSecure. I guess I will have to play with it, I´m still not sure how to use the file/folder protection feature effectively, perhaps I should protect the Windows and System32 folder from "writing" and put all of my important documents in a certain guarded folder. Or something like that.

@ Tommy

I agree it may seem like overkill, but I think it looks worse than it is. First of all, no system (and boot) slowdown or stability issues at all. And they all seem to be working correctly. Basically it´s like this:

SSM: Process/executable control + registry monitor
CMG: Anti buffer overflow
NG : Behavior blocker
ZAP: Firewall

 

U can,t do it in NG.

Yes

 

Hi,

I have a couple of questions:

1 If you mark a program as "internet" will all downloaded files via the browser be restricted automaticly?

2 Have you tested the "overwrite executables" feature? If I´m correct it´s not working correctly. I tried a couple of viruses and it couldn´t stop the damage when you choose "block" without terminating the virus. Comodo could stop it.

3 And I´m getting strange results with the VistaTweaker tool, I get a "listen for connections" alert and after this it crashes, can you confirm, and what might be causing this?

http://www.ajuaonline.com/software/vistatweaker/

 

1- I think so but not sure. There`was a post on their forums about that if I remember correctly.

2- I did not test it yet. Might do it some day. How did u test it BTW.

3- Can,t try. Needs netframework v 2.

 

1 - Yes, I also read it in the forums, but I have the impression that this isn´t the case.

2 - I´ve tested it with a couple of .exe overwriting viruses that I downloaded from the Sandboxie forum. I can PM you about it, and perhaps you can test these viruses against Mamutu, I can´t test it because of network connections problem in my VM´s.

3 - Why not download it?

 

Btw, I have to say that Arman did a great job, it´s better than I thought (if you can get it up and running), it´s real stable and blocking a lot of stuff. I wonder if more people are using this tool? I´m a bit surprised that other tools get a lot more attention. Stem are you still using it?

 

Hi,

I wonder if someone can test this, because I´m a bit confused. I have setup NG in a way that it protects the "C:\WINDOWS\system32\" folder, but not the subfolders. Then why am I getting alerts about "C:\WINDOWS\system32\drivers"? Isn´t this a subfolder?

Another thing, I think it´s probably best to make NG always ask you about certain behavior, instead of automaticly blocking stuff, because I´m not sure if NG can protect the system if a process repeatedly tries to do malicious stuff. If you get an alert, you can at least quickly terminate the process, without (or with less) damage.

 

Not a good idea at all. It will freeze ur system. I had tried it in past.

Actually ATM NG has no file/ folder protection like other HIPS( EQS, CFP etc). The currect protection is good only for confidential folders/ files etc.

Stay away form this type of configuration.

 

Hi aigle,

Yes I know, you should be careful with this feature, because it can freeze your system, or make it unbootable in the worst case scenario. But I´ve have been playing around with it and so far there are no problems. I think the key is knowing which folders to protect, and to avoid using protection against "opening" and "reading", at least when it comes to protecting system folders. At the moment I have set it up in a way that the following folders are protected against "writing" and "deletion":

I didn´t select the "protect subfolders" option because this might cause problems. That´s why I don´t understand why I got to see alerts about the C:\WINDOWS\system32\drivers folder when testing some malware. Actually, I don´t mind at all because this can prevent malware from tampering with drivers. So all in all, this seems to be quite a powerful feature to prevent malware from modifying system files (they can´t modify .ini, .dll, .exe, .sys etc. files) so I´m quite excited.

Well, can you tell me what´s the difference? I only noticed that EQS will even warn you when you´re about to delete a file yourself (manually), something that NG doesn´t do, but whenever a running process is trying to, it will warn you.

 

EQs warns as the deletion is done by explorer.exe, if u mark explorer.exe trusted or make an appropriate rule to allow explorer.exe to delete any file, u will not get prompt. I have made such rules for it and some other applications to avoid too many popups( infact file protection in EQS rules must be liberal to avoid headaches). By contrast explorer.exe is marked trusted in NG by default.

 

Yes, too strict file control can lead to headaches, so that´s why I´m pleased to see that during normal computer usage, NG stays quite, and that´s probably because trusted apps can still do their job. And I don´t think that marking explorer.exe as "trusted" is a problem, as long as other malicious tools can´t tamper with it. Btw, I´ve not setup a confidential folder yet, I´m still trying to figure out which files to protect, and how to avoid many popups.

 

One of the reasons I like NG is that it gives far less pop ups inspite of the fact that it,s a classical HIPS. Also instaed of usuall parent-child relationship, the relationship of trsuted-untrusted executables is more interesting and gives less popups while maintaining security.

 

I want to try it too. I only have to install this "smart" NG and it works or does it need my support first ?
Oops .... bad start ... website doesn't open.

 

It,s beta and has some bugs. I will not suggest it for U.

Here is the download link at bottom.

http://www.smokey-services.eu/forum/viewtopic.php?f=67&t=6157

 

Oops my mistake. I thought it was out of beta. It's always in beta AFAIK.
OK then I wait. The link might be useful for another member. Thanks.

 

Hi,

NG will likely stay as beta for a foreseeable future; the smart kid who develops this remarkable app has to take time off to get his well being together.

It is sad, but is not uncommon for new ventures, especially those are still in infancy. Wish him the best, and hoping his return will be much anticipated.