Prevx or SSM?

I currently use Prevx and thinking of switching to SSM but have the following questions:

1. I heard someone said that SSM is going commercial and might not be free in the future. Is that true
2. What provides more essential protection? I know Prevx can prevent Buffer overflow and SSM can't whilst SSM can prevent driver and DLL injections. What is more important prevention against Buffer overflow or DLL injection?
3. Is SSM reputable, I mean it's hosted on a narod.ru, whilst Prevx is reputable?
4. Which uses the least system resources?
5. Name which one (one word), overall is better without explaination

Thanks

 

I'd be interested in hearing this "PrevX versus SSM" debate as well, squash, although I'd easily welcome as much detailed explanation as anyone wants to provide

 

Hi,

Both products are quite different in regards to the "sentry points" they are guarding.

For example, SSM seeks to prevent driver and DLL injection by checking against a white list of permitted programs and "detaining" any programs that are not previously authorized. This is very early in a program's "execution stream" (far upstream) which I believe is most critical, since the malicious program is prevented from doing anything nefarious - e.g installing services, files, updating the registry, etc. Nip it in the bud, so to speak.

I tried out SSM several times but was never able to stabilize it on my system. For this reason, I ended up using ProcessGuard which is very stable and provides similar capabilities. It is possible, that SSM will be developed into a more robust product under its new development team, but my guess is that there will definitely be a price for this, since it is difficult for people to live on the revenue of free products. If you look at credit card companies, for example, you will see that they charge more money for a late payment than most security companies charge for a licensed product.

Prevx, on the other hand, is a little further downstream. It, for example, prevents unauthorized registry entries, and updates to system and program files. Since, by this time, the malicious program is in full execution, it could be doing malicious work in many areas of the operating system, but it probably can be prevented from permanently instantiating itself as a completed "object" by trapping entries to the registry and program/system folders.

I tried out Prevx Home several times. The first couple of times (about a year ago) were total disastors - at one point I totally lost my system and had to do a complete re-install (I am not the only person who experienced this problem as others reported similar issues on their forum). Being a brave person, I tried it out again about two months ago, and was pleased with its capabilities. I was in the process of moving to the paid version (which I was never able to sucessful install), when I learned that their Home (free) version, was monitoring each "alert", collecting the data for Prevx's own database, which was being sold to Prevx's own corporate subscribers (whoever they might be). This turned me off, and I decided to uninstall the product.

The licensed version of Prevx allows you to turn of this monitoring system (PAWS), and also allows you to set rules (which I never tried out) which can, as I understand it, limit the number of alerts a user might received (others on this forum might comment). Without these rules, Prevx can be quite "talkative", since there are so many points they are monitoring and requesting user interaction. I understand I new version will be coming out in a few months.

In place of Prevx, I use RegDefend, which provides registry sentry capabilities, but does not protect the folders that Prevx protects.

I hope this helps at least to start the discussion. There are many different opinions, but I hope my point-of-view helps you with your decision making process.

Rich

 

Like it was pointed out previously in another thread, Prevx will actually alert you to the file being put on the drive in the first place.. so it actually fills in both sides of what execution prevention covers. As far as the 'rules', the only thing the pro version does that the home version does not is allow you to edit them. If you make a mistake you just have to clear them all and start again. I've not found this to be that big of a deal.

Of course execution prevention isn't everything, and certainly isn't for everyone. If you have the resources, though, I say go for both.. they would compliment eachother quite well. To avoid getting too many pop-ups or potential conflicts, I would disable the options in one or the other that are covered by both (like certain registry areas) My personal preference for this is to let Prevx monitor it's areas and disable those areas in the other, this way you get a little variation in the types of pop-ups, which gives you a little bit of an idea of what the alert is before even reading it.

 

And watch out for problems with SSM. I can't seem to get it to run on my xp system. Maybe because I already run Prevx and both are running at the kernel level. Anyway if I start SSM it will sometimes freeze my computer and I can't do anything but a hard reboot.

 

Yes and important part that PG,SSM,RD et al doesn't cover.

Indeed. But I don't think what PrevX counts as execution protection?

That's what I do too! Prevx+SSM+PG+RD is what I use. Nothing gets through.
Anyone running just RD+PG is just leaving a big hole in their proactive defense .

 

Hi James,

From my discussions so far on this forum, it seems that a real hole exists if someone is not running a script sentry program such as WormGuard or ScriptSentry, since it would then be possible for malicious scripts to execute without ever being detected by other pro-active security mechanisms (including PG and SSM).

PG and SSM provide redundant protection, one using one does not leave any holes as far as I can tell. Ditto, for RegDefend and Prevx, each of which provide some further protection "downstream", in the event that some malicious software gets past the primary defense and has a chance to execute. But at this point, both Prevx and RegDefend have their own "holes" (some of which are covered by the extensibility of RegDefend). For example, based upon the Buffer Overflow thread, Prevx apparently does not cover all Buffer Overflow vulnerabilities. So it is best to catch the malicious code as early as possible before it has a chance to begin updating any aspect of the base operating system.

Rich

 

Hello Richrf

Yes of course, I run Scriptdefender. It covers exactly the same area Wormguard does, though it doesn't analysis the script as Wormguard does. I'll add Wormguard when I have the time to test.

My strategy is to use specialised tools that are the best of the breed for whenever area for best results, I don't like combo tools like Kaspersky Antivirus for example, no matter how good it's reputation. I prefer seperate tools for detecting virus/worm, trojans ,spyware and keyloggers.

NOD32 is my primary antivirus, because of its excellent Heuristics and it is light weight. I'm considering Panda's truprevent, as well.

Kaspersky's main strength is in its unpacking engine, so it doesn't lose much running as a backup scanner unlike other scanners. So that's what I do. Also in view of all the others app I run it's too heavy to run in real time.

For antitrojans, my primary defense is Ewido Security Suite for it's excellent coverage and memory scanner. I use TDS-3 as a backup because it's dangerous to rely on too products from the same company as your main line of defense. I don't like using A2 squared yet, because it's IDS system is covered a little by other proactive defense systems I have.

For antispyware , my primary defense is Counterspy. I turn off all the real time protection except for process scanning and some monitoring of files. Registry monitoring duties are transfered to my software that guard registry Spysweeper might be better but it conflicts with other software.

For antikeylogger- I use privacy keyboard and spycop on demand to detect keyloggers by signatures.

For exe control, various threads have shown that the execution protection of PG is insufficient for real protection of that. That's why SSM comes in.

For anti-termination/process modification -PG is used to protect my security apps of course.

For buffer overruns, I run Stackdefender

For Registry protection, I use RegDefend like everyone else with group sets modified from watching what Counterspy polls in the background plus some other sets posted.

Prevx Pro is used for control over file areas, though it needs more work


For Firewall ,I use Outpost pro for component control and hidden window control.I don't need open process control with PG on the job.

This just covers the main areas of my setup, I also do various other measures, use privacy enhancing software etc.

Overall, I got a pretty secure setup and even then I occasionally find trojans on my system. I suppose I could use some imaging software but currently I don't use them.

I believed in layers, that's why I run specific scanners for specific classes of malware, that's the only way to go really.

 

Thanks James for the additional information.

I had not read any threads where it was indicated that in some ways SSM provided better execution protection than ProcessGuard. If you, or anyone else, can provide me with a link, or specific information in this regard, I would very much appreciate it.

My own approach is more lean.

I use KAV as my primary sentry, hoping to stop malware before it gets started. ProcessGuard and WormGuard to catch them "as they are trying to start". And RegDefend and Ewido, if they somehow get past the two primary layers. I too, use backup scanners such as TDS-3 and AD-aware to help confirm the integrity of my system.

Of course, I can understand if someone wanted more redundancy. Redundancy can only hurt if one piece of security software prevents another one from performing its function, should malware be detected. It did happen to me a couple of times when multiple registry sentries conflicted (in this case it was Prevx, Giant and Tea Timer) and between the two, sucessfully corrupted my registry so that I could not reboot.

In any case, since the topic concerns SSM (a moot point for me, since it is too unstable on my system), it would be interesting to know under what circumstances it provides a higher level of execution protection. Thanks for any info.

Rich

 

Just to clarify here - SSM will prompt for any application where a rule to allow or block it does not exist. If you reply "Always Allow..." or "Always Block..." then a rule is created for future use. SSM does not have a preset whitelist and this does mean that you need to take some care with its installation options - i.e. if you run it as a service without creating rules for core Windows processes, then you could lock up your system - running SSM in multi-user compatibility mode is safer in this regard since then SSM only starts when you login.

Anti-virus/anti-trojan background scanners will check new files and they are the better tool for this. Would it really be practical to have an alert every time a program created a new file?

If you're running Process Guard with the Block Global Hooks option enabled, then it will block keyloggers so these programs are likely to be redundant, especially Privacy Keyboard since it is almost surely using the same methods as Process Guard (given their "no signatures" claim).

 

Hi P2000,

Thank for the clarifications. Your explanation of SSM's actions might explain why it was unstable on my (and others) machine - i.e might not have been installing it correctly. I hope the new development group will carry on the good work started by the initial development team.

I believe most of the anti-keyloggers work in the same way (either by blocking or detecting global hooks) which is why I decided that PG's protection was adequate. Once in a while, I will run Security Task Manager for confirmation.

Thanks again for the additional info.

Rich

 

SSM's prompts inform you of the calling as well as the called program (e.g. you will get a message that xyz.exe is calling iexplore.exe while PG would just inform you that iexplore.exe was being called, if you had not previously created a rule) so they are more informative. SSM's rules can also be more finely grained (allow program X to run Y but not Z) than PG's allowing for tighter control over vulnerable programs.

However both perform similarly in terms of trapping program calls though PG's prompts are mouse-only (both a strength and a weakness - it makes it harder for PG-aware malware to spoof an answer but also leaves you up the creek if PG is blocking your mouse driver or related software causing your pointer to disappear).

 

Thanks P2000. Yes, I now recall the issue regarding "child processes". Interestingly, it is now recommend by DiamondCS, that the "services" process no longer be given permanent permission to Install Drivers/Services. I also, for the same reason, give only Permit Once permission to rundll and explorer.exe. SSM's capabilities in this area are definitely useful.

Rich

 

Only for critical file areas of course. Wouldn't you like to know if something in windows\system32 is being added? That's what PrevX Pro does. Granted PG and some other firewall apps do a md5 hash of changed app, this doesn't help against new files added, or against dll and other files being altered.

Besides Antivirus/Anti-trojan background scanners are signature based approaches, something I use but only as one layer.

I'm afraid that isn't the case. The really good antikeyloggers, do not merely block or notify you when SetWindowsHookEx is called. I can see this is the case, because when I run Trillian, its doesn't flag it, while Processguard and other inferior antikeylogging tools do.

From some postings, I think there is some clever propertary algothrim at work too.

Of course, it might just be some whitelisting that is at work.

 

Since Paranoid2000 has already explaiend why SSM is superior, let me comment on this only.

The nice thing about the tools on my list is that they are extremely configurable. That is why I'm very careful to ensure that they don't overlap too much. For example, it is foolish to run PrevX,Giant AND teatimer without any tweaking.

The last is clearly inferior in everyway for registry monitoring and it's process scanning for spyware hasn't amazed me. So it's out

PrevX Pro, should be carefully configured so as not to fight with Regdefend.

As for Counterspy, turn off everything except scanning for spyware.

Similarly, I don't use PG to Block Global Hooks usually, because Privacy keyboard provides a superior, more accurate monitoring of that area.

So there isn't any problem.

The process scanners (AV,AT,AS) might "fight each other" I guess, but then again, people run a antivirus and a antitrojan together, and they arent worried about the issue, so adding Counterspy purely for scanning processes won't hurt any.

I believe in a layered approach, trusting only your Anti-virus as the only protection in your scanning layer is way too dangerous.

 

Additions to \system32 are rare - but could also be blocked via NTFS folder permissions (and not using the Administrator user for everyday use).

That does suggest a whitelist or signature approach. Given that relatively few legitimate programs need to set a global hook (mouse/touchpad/keyboard drivers, a few games), I'd suggest that the benefit of flagging every attempt (100% detection) would outweigh the costs of setting a few exceptions - but that's an individual judgement (though there is the additional benefit of being able to remove one background program).

 

Where do I download SSM?
It appears that for some reason, I don't see a download link and if there is, it is 404...

Thanks

 

You have to have javascript enabled in your browser or you won't see the download link on the SSM website.

 

Thanks theanswer, that was the answer! lol

 

I have the problem of ignorance in the programs that I use, like which, in the case of overlaps, to use, and which do the job better, and how to configure some to not protect the areas that others do a better job. Perhaps a forum to examine the programs one has and suggest how to configure the programs in a specific systems configuration. For example I have ZoneLab Security Suite (eTrust Antivirus, ZoneAlarm, and MailFrontier's spamfilter), ProcessGuard, TDS-3 with execution protection enabled, Trojan Remover (only boot scan), WormGuard, PrevX Home (I am considering Pro in the future), Microsoft AntiSpyware, Spybot Search & Destroy, Ad-aware Personal SE, SpywareBlaster, Mike Lin's StartupMonitor, and the DiamondCS freeware Registryprot. I plan to add RegDefend. It seems apparent that I would discontinue Registryprot if I add RegDefend, but other potential conflicts and useless overlaps are not as apparent. I would like some guidance in configuring each of these to work together and which ones, especially the freeware if a commercial product does a better job. I do favor, in my ignorance, ZoneLabs, DiamondCS, and Ghost Security, mainly because of their transparency, openness to suggestions; also the trinity of Spybot S&D, SpywareBlaster, and Ad-aware Personal SE seem to have done a good job. I do not use Teatimer; it is not enabled by default. I have respect for defaults from responsible companies. I do, as stated, have execution protection enabled in TDS-3; although it may conflict with some other programs. (Aside: Jason, I need guidance toward resources to help me learn assembly.) I apologize for verbosity. I need help and I will ask, beg, wheedle, for it.

 

It seems to me that the primary overlap will be in registry protection: MS Anti-spyware, RegDefend, Prevx Home - especially if you use the RegRun and Tony Klein RegDefend extensions. I am no longer using MS AS and Prevx Home, but if you can get some guidance on how to turn off (or fine tune) registry protection in these programs, it would probably remove lots of overlap. Beyond this, I do not see any major overlap among your real-time products (overlap possibly causing conflicts or an overly-talkative system).

Hope this helps a bit. I am sure others, may recognize other overlaps.

Rich

 

New version due out soon, I would wait until then to decide

 

I think forget one of the most important points; reliability.
My experience with many of these products when it comes to reliability are very poor to say the least. Conflicts is another issue. Personally I think a lot of these products don't deserve to be labeled "quality product".
I mean, what's the purpose of having a Ferrari or BMW if they're in the garage all the time for repairs....
And that's what I don't understand, that this issue doesn't get enough attention on this board. Everybody advices dozens of products, yet few seem to care whether it's reliable, doesn't cause any conflicts, doesn't slow down your system, doesn't use 40MB to get the job done, doesn't show memory leaks, etc. A lot of products have the potential to be top products, but all these issues make them (for me at least) totally useless. My WinXP has never crashed in all those years (and that's an OS!), so why should I use a 10MB application that crashes a few times a month or messes up my system. Maybe it's just me, because I have a professional IT background, I don't know, I just want reliable software, period!

 

Hi David_M,

I do believe, on an individual basis, members do report on their own reliability experiences concerning different products. In particular, I know of several members, including myself, who have reported that SSM was highly unreliable on their machine. On the otherhand, there are members who are successfully running SSM, so it is difficult to make a definitive statement about this or any other product.

Personally, what I look for are "patterns" of unreliability and I stay away from products that exhibit these patterns. But, unfortunately, it is very unpredicatable. There are products that are widely used but not only fail to run on my system, but real mess things up. So, I just make sure I have a good image copy of my system before I try to install a security product. If anything, it is probably good to keep advising people to have a good image copy (or comparable) in case of a really bad installation.

Rich

 

Yes, SSM does cause to have the Blue Screen of Death (I'm on XP) when I'm occasionally installing some news apps. But if I don't, it works fine and reliable as it should be.