New leader at Matousec

Discussion in 'other firewalls' started by Dragons Forever, May 1, 2010.

Thread Status:
Not open for further replies.
  1. disPlay

    disPlay Registered Member

    Joined:
    Apr 26, 2009
    Posts:
    17
    Location:
    Lisbon
    All the products that are scored very good or even better are recommended by Matousec, so your statement is completely useless. Why make that type of statement? If you don't like a product it's simple: don't use it.
     
  2. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
  3. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Last edited: May 23, 2010
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    OSSS is much harder to configure than (for example) Malware Defender. Also, the current version tends to forget custom rules from time to time -- not every time, but too often. I reported the forgetting of rules to them 2 weeks ago, but they have not yet replied.

    Bottom Line: OSSS is fairly new & shows great promise. It's a tad too "beta-like" for my tastes at the moment, but I have it on my watchlist for future re-trial.
     
  5. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Do they have any free products??
     
  6. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    It will be interesting to see how OSSS and Comodo compare on x64 when Matousec gets around to it.
     
  7. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,348
    Location:
    Europe, UE citizen

    I agree: I used many previous versions of OSSS: great product, but again in the growing phase.
     
  8. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    How did OA Premium get 10
    and OA Free get 10+? :rolleyes:
     
  9. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,348
    Location:
    Europe, UE citizen

    I read the two PDF reports, but I can't understand the reason for it.
     
  10. Matthijs5nl

    Matthijs5nl Guest

    Probably because this is their way to show that the extra features you get by using Pro are not worth paying for. Therefore they rate the free version higher to show the Free version is in their eyes the best deal.
     
  11. I'm beginning to take Matousec results with more and more grains of salt... I mean, OA is good. Really good. It does in fact detect behavior that e.g. Privatefirewall doesn't. (For instance, when a program tries to get a list of files in a directory.)

    It also gives many, many more popups, at least with near-default settings. Which makes it much more annoying and hugely increases the risk of user error.

    Whereas Privatefirewall is pretty much designed to keep popups to a minimum. Okay, so if you deliberately execute a file that turns out to be malware, and click "allow" the first time it does something dodgy, you're screwed. But hey, that's what Jotti, on-demand AVs, and sites like CNET are for.

    IMO a HIPS, at least the kind I'd use for day-to-day security, should not give me a detailed account of everything that any installer does. If I click on a link that tries to install a rogue antivirus, it should tell me that the rogue is trying to load a driver, or trying to modify an active process, or whatever, and let me block and terminate it. Heck, all it really has to tell me is the name and location of the file; that's generally enough for me to know if it's bad. Anything more may be useful in theory, or even in practice for e.g. security researchers and software developers. But for me it's not really necessary.

    I think what I'm getting at here is that Matousec is biased towards HIPS products that are unnecessarily strong. And that, due to the nature of HIPS, that kind of unnecessary strength is a liability for most users. Basically I think the Matousec tests are completely ignoring the human side of the equation; and that, in real-world situations involving drive-by downloads and stuff, "weak" HIPS like Privatefirewall or PCTools may be just as effective.

    Assuming, of course, that the KHOBE/TOCTOU exploit doesn't become widespread. Then they're all doomed, I guess.

    [/stupid rant]
     
  12. Matthijs5nl

    Matthijs5nl Guest

    You saying that you want a HIPS to give the message like this: "XP Antispyware (Rogue) is trying to load a driver" doesn't make any sense. Because that is exactly what antiviruses have their signatures for. Something you read a lot on Wilders is that a signature-based defense is not enough and you need a proactive defense like a HIPS (or sandboxing/virtualization), so you install a HIPS, why would you after that ask a HIPS to start using signatures?
     
  13. No no no... I'm fine with a HIPS telling me when anything tries to load a driver, or modify the memory of a running application, or somesuch. But I don't need it to tell me that some program is asking for a list of files in some directory. And I'd much prefer it to assume that, if I answered "yes" once for an application, I think that application is trustworthy.

    Basically, I'm saying that (IMHO, and feel free to correct my view) a good HIPS for desktop users should not even try to be effective against stuff that the user deliberately executes, because that's never going to work out well. A good "desktop" HIPS should be simpler, not stronger, because if it sets off too many warnings the user will just ignore it - and a HIPS is only as secure as its user's decisions.
     
  14. Matthijs5nl

    Matthijs5nl Guest

    Now it does make sense :)
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,348
    Location:
    Europe, UE citizen
    This is exactly the reason HIPS were born and exist: to enable the user - the power user - to check every activity running in his system.

    For this, many HIPS have several modes: High, Safe, Training...
     
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,348
    Location:
    Europe, UE citizen

    Ya, but reading the reports, I don't get this idea... It seems the contrary.
     
  17. I suppose. It just strikes me as monstrously impractical to do that for day-to-day security.

    True... In which case, contrary to what Matousec says, "maximum" may not be the best option for protecting one's system from malware. Obviously that's not the case if you're tracking the behavior of a known good program, or monitoring malware on an isolated machine. But most people who use HIPS are not doing that.
     
  18. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    That's why they created behavior blockers. So you wouldn't have the constant nagging of "such and such program is creating a DLL injection or global hook".
     
  19. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    The show's gonna go on while Matousec uses a score system that ignores PC users, while the score system is based on the number of popups per app.
     
  20. I suppose. Though I have suspicions about behavior blockers, e.g. even when turned up to maximum I've found that Threatfire fails to report when gmer or other ARK tools try to load their drivers.

    (Then again it could just be Threatfire being Threatfire. I've never bothered to try Mamutu, and PrevX with its iffy business tactics doesn't appeal to me.)
     
  21. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    BBs are looking for suspicious behavior. It varies from BB to BB what it may be looking for. Take a look at the Emsisoft Mamutu rundown:
    "In addition, the Behavior Blocker can monitor and stop any of the following actions:
    Installation of new drivers and services
    Any kind of process manipulation like DLL-injection, code-injection, patching, termination, etc.
    Installation of new BHOs (Browser Helper Objects)
    Changes to your Internet Explorer configuration
    Hidden installations of software
    Changes to your Hosts file (redirects domains)
    Installations of debuggers on the system"
    That's a lot of changes. Of course programs like Malware Defender, considered classical HIPS, kind of throw up a lot of alerts.
     
  22. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    I'm using Mamutu at the moment. I have seen reviews on YouTube and decided to be reassured - I've downloaded 8 various malware samples... One refused to work, ok. The rest showed the following - 5 were caught by Mamutu, 2 passed freely wherever they wanted. That's funny - Windows Defender popped up once and never appeared again although I've tested it twice. An updated Malwarebytes Anti-Malware the next day caught and removed them all.
     
  23. Windows Defender is like that. I recently cleaned up a PC that a rogue AV had installed on - WD had been running the whole time, and there was nary a peep from it.

    (Of course the same thing could be said about McAfee, which also utterly failed to intercept the rogue. Thus my decision to enable UAC and IE Protected Mode, and explain to the user how that worked. Anyway...)

    As for Mamutu, 25% success rate doesn't seem so great to me, unless that was vs. seriously exotic malware. BTW please tell me you did that on an isolated box, not your main desktop!
     
  24. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Sure, no funny things. I restored the whole system after each test... As for samples - I've taken the first ones I was able to download, 4 trojans if I remember correctly and some others, can't remember. Thanks for reminding ;)
     
  25. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    I went my own way and did my own tests but not versus some synthetic tools but versus real malware that I have kept in a folder on my PC. I did the test on a virtual machine and the products I tested were: Comodo Internet Security, PC Tools Firewall Plus, Online Armor Free, Outpost Firewall Free, Privatefirewall, Malware Defender, System Safety Monitor Pro and Real-time Defender.
    The biggest disappointments were Online Armor Free and PC Tools Firewall Plus.
    The first was too buggy and wouldn't allow MBAM to run control scans sometimes. It also just allowed one piece of malware to go through directly on the second run. Yes, that's right. I ran the malware once, blocked as much of it as OA allowed me to and ran it again after that. The second time OA was completely silent. True, it isolated it after the reboot, but it was never supposed to go down like that in the first place. Rootkit Unhooker had some problems starting as well. On my real machine OA has caused some severe slowdowns, most likely due to incompatibility of some kind, although I never tried to actually figure out what it was. All in all, Online Armor Free to me is just too unstable and buggy, which kind of negates its strong sides.
    The test of PC Tools Firewall Plus just confirmed what I was already 97% sure of: it's just a stupid placebo program. It just gets patched to pass the Matousec tests so it would look like a really effective product but in real life it's very weak. Actually this can be confirmed to some extent by the new Matousec tests, as PC Tools Firewall Plus scores very badly compared to the previous sets, whereas the rest of the programs basically retain their relative score.
    PC Tools and Real-time Defender were the only products to allow a rootkit installation.

    Not a very professional test by any means but more practical than Matousec's tests.
     