OutPost - Component Ctrl - Normal vs Max?

Can someone explain in easy to understand detail what the difference is between "Normal" and "Maximum" Settings for "Component Control" in Outpost Pro 2.7 ??

I read a description on the Agnitum forum, but what does it mean when it says Maximum checks All Components, since it appears to me that Normal Mode is checking for All New and Changed Components too, so what does Normal not check that Maximum checks?? .. Confused.

 

Normal Mode ignores component changes within the application's folder. Maximum warns on all changes.

 

I personally turn off component control. Unless I'm doing something wrong I find there far too many innocent notifications, meaning that it is hard to spot a real threat.

 

Now I thought that most Trojans, Malware that change or add .dll's to Internet Explorer would actually chg or add .dlls in the same folder that Internet Explorer is using for its .dlls (which I think is the the windows/system folder).
.... So, if I am correct about this above statement, then I would say that Normal Mode would not offer protection against these types of trojans. I would think that you would really need Maximum Mode to warn you get this type of trojans channging Internet Explorer's .dll's.
... Can anyone that uses Outpost comment about this?

 

Internet Explorer is quite likely to be in its own Program Files folder (it is on my Win2K system) so additions to WINNT\System or Windows\System should still be flagged by Component Control in Normal mode.

It is important however if using a feature like Component Control, to restrict what changes are made on your system - specifically you should disable any automatic updates (including Windows Updates) otherwise you have no way of telling if an alert is due to a legitimate change or not. Instead, apply updates manually and rebuild the Component Control database afterwards (Options/Application/Components/Edit List/Rebuild Database) - this should greatly reduce the number of false alarms.

Also note that there is a Component Control FAQ at the Outpost forum with plenty of useful information.

 

Paranoid2000,

Thanks for quick and detailed reply!
... I just have a few remaining questions, below:

1) What if a Trojan or malware chgs or adds Windows\System Folder - Components ? The application is Windows itself (aka the Windows/System folder), so does this mean that these chgs and adds of windows system components will *not* be flagged by "Normal Mode" of Component Control ? ... Is "Maximum" mode needed to detect these windows system components chgs and adds?

2) Would you know, .... How much performance hit (addt'l cpu resource %, mem resouces, if any) will generally occur by using "Maximum Mode" of Component Control on a Win 98se PC ?

3) With Component Control, does monitoring of components mean monitoring *only* .dlls ?

4) Sometime dll's have several file extension types. So, are Dll's with the file extensions of either ".dll", ".drv", ".fon" monitored?


Thanks in advance.

 

1) Outpost monitors components of applications that request network access - so if a Windows component gets changed but is never loaded by a program accessing the Internet, Outpost will not check it (this would be more the job of anti-virus/anti-trojan background scanners anyway).

2) Component checks will occur when a program opens a network connection. The performance impact will therefore depend on what program you use, how much you use it as well as what other software you have loaded - it is not therefore possible to give even a rough estimate of component control's impact on a specific system. However since it can be disabled, you can easily test it for yourself.

3). .fon files contain fonts, .drv files are drivers. Neither are program components so neither should be checked.

 

1) So, then it sounds like Maximum Mode gives the added protection of detecting component (dll's) chgs and adds, for those applications that keep their .dll's in their own application directory instead of placing them into the windows system folders and are applications that make network connections.
....... Am I correct about this

2) Do you recommend Normal or Maximum Component Control and Why?

3) Would you know by any chance whether Sygate Pro , .Dll Fingerprint monitoring basically was doing the equivlant of Outpost's Normal or Maximum Component Control
...... As you may have guessed (another Sygate to Outpost converter), I have given up on Sygate (now that future is unclear and is with Symantec) and I am trying to understand the equivlant (or better protection) afforded by Outpost

 

Yes. Most (well-behaved) applications will keep their DLLs in their own Program folder but some software (mouse/touchpad drivers, desktop software like WindowBlinds, WindowFX, etc) works by injecting their DLL into every other running application. Normal Mode will alert you to such outside injections (this is the most likely route for malware, since the writer isn't likely to know in advance which applications you are running) while Maximum will include everything - which does mean that application updates will trigger an alert also.

See A Guide to Producing a Secure Configuration for Outpost for recommendations I have made in setting up Outpost.

Sygate's fingerprinting sounds similar, but I'm not familiar enough with it to draw exact comparisons. However Outpost Pro is available as a 30-day trial download which should be plenty of time to make your own decision.