Process Guard, Prevx, Online Armour?

Discussion in 'other anti-malware software' started by ejr, Jun 8, 2006.

Thread Status:
Not open for further replies.
  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Thanks for your replies. But it doesn't show anything!? See pic.
    Maybe I should reinstall, or is there some setting that I should enable? I assume that it should show something?

    I do run Prevx in ABC mode because I love the popup-free existence :) and I understand that I am very well protected anyway? I love this approach (set and forget) that Prevx (and ComodoFW) has, where they let the user decide how much they want to know.

    I have been running GSS for quite a while now. It is a superb program but I have learned that I do not get any malware, so GSS is a bit overkill for me (i.e. I don't have the need to probe, or rather, know about everything that happens in my computer anymore). Therefore I think that a software like Prevx1 would suit me better (for "just in case" protection). The price of the software seems to be fair too imo.
     

  2. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Isn't running a *pop-up free* security program tantamount to making an assumption that the program in question is perfect? NEVER makes errors? NEVER malfunctions?

    No offense, but I am not quite ready to put my brain into "park" and remain in blissful ignorance to quite that degree. When I load & run a process for the first time on my computer, I am NOT willing to assume that silence by my HIPS program means everything is okay.

    The HIPS I run DOES let me know if something out-of-the-ordinary takes place. That fact is not a flaw in the HIPS program I use. In fact, it is one of the reasons I bought a license to use it.

    I have (on average) ~24 processes running on my computer at any given time. I know what those processes are, & I know that their checksums are safely ensconced & monitored. I get maybe 2 or 3 pop-ups daily, on average. Ninety-nine per cent of the time I can readily tell if the process covered by a pop-up should or should not be allowed. I don't find that this is a major disruption to my enjoyable computer use -- any more so than taking an occasional glance at the dashboard gauges while I am driving my car.

    The HIPS program I use allows me to decide which programs/processes can do WHAT on my computer. For example, I have restricted a few programs (such as Explorer & Internet Explorer) so that they are allowed to do ONLY certain specific actions, under certain specific conditions. The HIPS I use does not REQUIRE me to micro-manage to this degree (and I do so only rarely) but it LETS me do so if I want to.

    I have several other processes (which run on-demand) that are quite *white* but are constrained by me as to the specific actions they can take. In other words, there are not only whitelists and blacklists. There are also GRAYlists.

    I appreciate advice from *communities* or *experts* but I want to be the one who decides WHEN I ask for that advice, and WHAT I do or do not choose to do about it. Big Brother will NOT take over security decisions on my computer, thank you very much!

    Does this mean that the HIPS I use is strictly for experts? I hope not, because I am certainly not an expert. This same HIPS also runs on the computer used by one of my youngest granddaughters (8 yrs old). It took me about a half-hour to explain to her what to do about pop-ups, and how to do it. That was several months ago, & her computer still runs clean -- as far as can be determined by scans by several AV/AT/ASW programs.

    Don't get me wrong. I think set-&-forget security programs are great for those who need & like them. I have high esteem for such programs, and for those who feel constrained to use them.

    The market for security products is wide. The needs & preferences of users are diverse. Ergo, I do become concerned when programs that are designed to allow lots & lots of configurability and decisions by users are criticized as though it is a FLAW for a program to allow that degree of user flexibility.

    Configurability and decision-making abilities are NOT flaws to those who WANT to manage computer security more precisely -- or who, because of job circumstances, NEED TO take personal responsibility for computer security within their organization.

    All 3 of the programs mentioned in the title of this thread provide superb protection, as I said in an earlier post. If a program lacks in protection, that is a valid criticism. However, the fact that a program doesn't enable set-&-forget to the extent preferred by a particular sub-set of users does NOT mean it's a *bad* program, as some have inferred.
     
    Last edited: Sep 30, 2006
  3. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    bellgamin,

    I can see the benefits in what you say. I perceive how Prevx benefits slightly differently. It has a whitelist of known good and bad apps which are checksum verified. I installed the latest version of BOClean the other day and it alerted me to it as an unknown. Obviously the latest version was not in its database as it had only been released a few hours earlier. If I wanted to I could put Prevx in Expert mode and get prompts for everything, same as your chosen HIPS. As I already mentioned, I have a licence for OA and used it a while. If they extend the database then I will look at it again. I'm not ashamed of swapping backwards and forwards from one app to the next month after month. I use what I like best for my browsing habits at the time. In a month's time Prevx may not suit my needs. But I do not like lots of popups. I'm a serial application tryer. I'm always scouring the net looking for new apps that may give me something useful. I'm installing and uninstalling on practically a daily basis. OA wasn't suited to this and I was getting many prompts per day. Prevx is much quieter, but only because it has a much larger database. My circumstances require a 'quieter' HIPS. If I get fed up with installing new apps then I could change to expert mode or reinstall OA. But for anyone out there who wants a quiet, undemanding HIPS then I feel that Prevx fits that perfectly. It does have the benefit of the expert mode for those that like to have full control. OA, PG, AD, SSM etc. are for full control only IMHO. I've only used OA and SSM out of 'other' HIPS, plus I suppose you could count Kerio 4 and KAV 6's Proactive as HIPS. They all fall into the category of 'full control' HIPS. It's down to the user's preferred way of controlling what they have running on their PC, but each application 'used correctly' will keep you well protected.

    This is the reason why I prefer the 'extensive blacklist/whitelist' approach. I install a new app I want to try. My HIPS alerts me to the installation of many files. I sit there and ponder what to do. I can either start tracking down what each file is by doing a Google or I can cross my fingers and click allow. OK, I'm running Prevx and I try the same thing and it pops up and tells me it's stopped 'known malware'. That's the benefit of running a HIPS with an extensive whitelist and blacklist. But as I said, this is how I feel now. Next week I could change my view. I won't be ashamed of that. Installing/uninstalling apps, trialing them, paying for them. This is my prerogative. I've got about 50 CDs with licences for different apps. Some I've not used for years, and never will again.

    Take care.

    muf
     
  4. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    sukarof,

    Something's not right in that screenie you show. Your recent program activity should have 'something'. I suspect one of your other apps is blocking it. Try shutting down some of them until you find what may be clashing with it. Look at my screenie for an example of what you should be seeing.

    muf
     

  5. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Thanks for your reply muf.
    Yeah, I think something in my machine doesn't play well with Prevx1.
    I don't know how much "set and forget" this software is, but surely it should warn about leaktests trying to inject and connect to the net (i.e. the leaktest passes without any intervention from Prevx1) and unknown programs starting.

    The only activity I see from Prevx1 is when a program terminates and scanning of processes now and then. It is the same even if I change the mode to "Prevx1 expert"

    I have removed Prevx1 (with the special uninstaller) and reinstalled.
    Could Ghost Security Suite (even if it is turned off) block something? I will uninstall GSS completely to see if there is any difference, although I can not see that it could do any harm if it is turned off. I disabled AppDefend and RegDefend and then turned GSS off, because if one turns GSS off with AppDefend and RegDefend turned on, GSS will block all new executions.
    I guess Comodo shouldn't interfere?
     
  6. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Well, I've never used Comodo or GSS. But it may help to disable them while you install Prevx. I hope there are some other GSS users out there who also use Prevx. Unfortunately I can't advise on this combination, but in the past if I've even suspected something is not playing well then I usually disable everything while I install, then re-enable everything. Let me know how it goes.

    By the way, Comodo does have HIPS. Do you have it enabled? If you do then it's possible it could be the 'culprit'.

    muf
     
  7. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I have now uninstalled GSS, Comodo, Sandboxie, Altiris VS, but still no go with Prevx1 :(
    I guess there is something else that prevents Prevx1 from working correctly on my system.

    I will try Prevx1 again if/when I do a total reinstall of windows.
     
  8. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I'm sorry to hear you couldn't get it to work correctly. You may do well to send them a message regarding your problem. http://info.prevx.com/supportpagew2.asp There may be some technical help they can provide, i.e. running a particular tool on your PC that gathers information that may lead to establishing what is causing this problem.

    This is the reason why it's best to try out various apps. Some work on some systems perfectly well, while others have trouble. PCs have all sorts of configurations. But the tech support people are usually very good in helping resolve issues. Give them a try.

    Good luck with it.

    muf
     
  9. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Thanks. I have sent them the log created by Prevx1. But it is the weekend now so I guess I won't hear from them until next week. If they see something that I can do (except uninstalling my firewall) I sure will try it again.

    *edit*
    Update:
    I have installed Prevx1 on a clean Windows XP and not very surprised I find that Prevx1 works as it should.
    It is some software, or remains of software, that is conflicting with Prevx1. I do test a lot of software, especially security-related ones, and they are known to bury themselves very deep into the system (just found out that Infoprocess Antihook, which I tested a couple of months ago and uninstalled, has left 50+ registry entries in the registry and some of them can't be deleted).
    Prevx1 has contacted me (on a weekend!) and is working on it.
     
    Last edited: Oct 1, 2006
  10. Saint Satin Stain

    Saint Satin Stain Registered Member

    Joined:
    Feb 16, 2004
    Posts:
    222
    Location:
    Huntsville, AL and Greenwich Village, NYC
    Waal folks if you want to know about a security app just ask a paranoid pseudo-geek, especially one who had a massive impact array of security programs at one time. It was through the posts and questions here and another good forum that my overkill is in remission. One other thing that is important; the constant questing, questioning, and skepticism is a good. Security is not an end; it is a journey.
    Okay. You have three modes in Prevx1. The ABC is set and forget. This is good for the newbie, and the newbie who won't change like my great aunt Lizzie. You have the Pro mode which is between the ABC and the Expert mode. The expert mode is for those who wish to decide in all the events. If you open the Prevx1 console, click on Advanced, then the Protection tab, and click on the crosses to the left it will show in a detail the execution that Prevx1 protects against and how it protects.
    The Prevx Limited folk claim that all you need is Prevx1 and a firewall. Since I am still a raving paranoid, though in remission, I still have a sandbox for my browsers, ewido anti-spyware, ZoneAlarm Pro (with an anti-spyware), an antivirus, ClamWin (on-demand only, but can be configured to schedule hourly, daily, weekday, and weekly scans; in addition they update signatures daily and sometimes more than once a day), plus the on-demand scanners Jpegscan, CWShredder, and RootkitRevealer; also I have the passive protection of SpywareBlaster, Wormguard, Trojan Remover (although not passive, it only scans at boot, so only active then, also may be used on-demand) and the intelligence programs Port Explorer, ProcessExplorerNT, and Autoruns. Prevx1 allows variants of protection for attack vectors that are not real-time; thus they are not running processes using your resources all the time. I used to have more than twice the active processes and unneeded redundancies like Process Guard along with Prevx1. Search my posts here and at Castlecops you will see that. I refused the suggestion by one poster to encase my computer in concrete and drop it in the ocean. Prevx1 is a good program, at a good price, as stated before. I suppose that if you have enough hard drive space, you could have as many on-demand scanners as you wish; because of Prevx1, the redundancy in protection of all attack vectors, and a locked-down OS I could discard some scanners like Ad-Aware, Spybot S & D, real-time antivirus and anti-rootkit programs.
    So you don't have to just rely on Prevx1, but you can choose low impact, programs with small ramprints for the other security niches. Not mentioned here, or I missed it. is the support from the folk at Prevx Limited. It is easy to access through the console, and they are friendly and concerned. The folk at DiamondCS give friendly support too. I don't know about the folk at Tall Emu Pty Ltd, but I assume that they do too because they are small and Australian. It seems that some of the best security companies now are British and Australian. You can see that I have several programs from vendors in those countries among my mainstays.
    A young friend from S.I.N. is here; he believes that I still have too many. He says Prevx1 and ZoneAlarm Pro (with its anti-spyware and other features) are enough. Pshaw! What does he know? He's only 20. So what if he has a PhD in this field? I feel comfortable with my redundancies. Each of us has to feel comfortable with the programs we choose, but when there is a big performance hit you have to rethink your choices.
     
  11. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I'm using both GSS and Prevx1, and when I installed Prevx1 I clicked the "Always Allow" button on both AppDefend and RegDefend. No problem yet and everything goes just fine, except for some sort of frequent CPU "pulsing". Didn't have this issue before, but I know for sure it started from when I installed Prevx1.

    Regards, C.

    Edited 2006-10-09
    OK, I did some troubleshooting thanks to Process Explorer - CPU History, and I can confirm that I was wrong regarding Prevx1. The application making these "pulses" is a function in SuperAdBlocker - "Block Spyware Applications". By unchecking this feature the pulsing effect is gone. I've another application making spikes, BOClean, but that's typical for that application. So, no problem with Prevx1 so far! :thumb:

    Regards, C.
     
    Last edited: Oct 9, 2006
  12. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, you are quite right about that.

    As it is found that many security vendors cannot live up to what they claim, we need to know how they *really* perform, not just how they are *supposed to* perform. Otherwise many programs may look perfect, but in fact each product has its own problems, bugs and so on.

    I would like to know what it actually blocks and how it performs, rather than keeping it silent.

    Actually I'm happy to answer the prompt (unless it is just too large). What security programs like firewalls and HIPS give me is flexibility and control. Now I can take back control of my computer, not my programs. Some programs may do stupid things like calling home, displaying annoying messages, keeping adding themselves to autorun. Now I can control what they do on my computer.

    Well-said. :thumb: :thumb: :thumb:
    That's exactly what I would say too. :D

    Actually I would like to find a product which will advise me what choice I should make, but let me make my final decision.

    For questions I'm not sure about, I will follow the advice given by the HIPS.
    For questions that are arguable (e.g. greyware issues), no matter whether it blocks or not, it cannot satisfy all users. Some may wish to allow it. Some not. How can a HIPS, which makes decisions automatically, solve this problem in these cases? I don't think it's possible.

    For questions where I know more than the HIPS (e.g. there's a flaw in the analysis, so the advice is wrong), this gives me the chance to see the problems/mistakes and correct them.
     
  13. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    If the HIPS is quiet when you are doing something, does it mean you are safe? You just don't know.
     

  14. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    That doesn't work quite so well with how Prevx1 is designed right now.
    First, for every instance it blocks, it will pop up a dialog. This will happen all the time. Even worse, the dialog is unmovable. Imagine when you are working on a document, the popup will keep disrupting your typing and stealing your focus.

    Second, if you put Prevx1 in Expert mode, it doesn't advise you anymore. I would prefer that it still tell me its choice, but I can decide whether I follow it or not.
     
    Last edited: Oct 10, 2006
  15. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I read your comments regarding the negative aspects of Prevx1. Yep, I agree with what you are saying. A HIPS gives you the option to say yes or no. You also have the option to allow something that many have determined is malware. You can also at any time change your mind and allow something you blocked or deny something you allowed. All this flexibility is great. You have total control. And if you know what you are doing with this type of HIPS application then it should in theory be very difficult to allow something to run/install/activate on your system without your say so. The downside is that if you are not clued up on what you are doing then a HIPS in novice hands, or even in the hands of someone who thinks they know it all (but don't), will result in a system that is vulnerable to infection. If you are an expert in running a HIPS then there should be nothing to worry about. But you'll always get those scenarios where you look at the prompt and think "Should I allow that?". If you are prepared to do the homework and feel you are knowledgeable enough to make an assessment then you should be fine using this type of HIPS.

    I feel that Prevx1 is ideal for the mainstream. Other HIPS like PG, SSM, AD, OA are more for the power user. Someone who is clued up and knows all about their system, process, files and what these messages really mean. "Process X has been injected by Z"? You think the mainstream understand that? What do you think they would do? "Erm, dunno what that means but it's probably ok. I'll click yes. Ah, there you go everything seems to be ok".

    They are two totally different approaches. In my opinion they should not be compared. It's rather like comparing an AV to an AS. Sure, they are similar but ultimately they are different. You wouldn't use an AS if you wanted protection from viruses. So using the same analogy you wouldn't use Prevx if you wanted total control.

    muf
     
  16. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    As I said, a HIPS can advise me what to do but let me make my final decisions. So in your example, if you don't know the answer, simply follow what the HIPS advises. However, if you wish to take control in some circumstances, you can do so.

    For newbies who don't wish to make any decisions at all, they may simply tell the HIPS to act on their behalf. But for others who like to have some control, or wish to see how it behaves or confirm the answer, they may choose the "advice + my final decision" approach.

    I don't see what's wrong in this approach. It can satisfy both types of users, not just newbies.


    Actually I'm not a malware expert, and I don't need to have complete control of my system. But I do wish to take some control in some situations.

    For example, I would like to take control of how the HIPS makes decisions on greyware - it is not malicious/destructive, but some of its behaviours may be considered bad, like displaying ads, silent connection to the network (for a non-malicious purpose), adding itself to autorun, calling home, and so on.

    Would you still wish the HIPS to answer on your behalf, or to make the final decision yourself? We don't need an expert for these decisions.

    I don't need to be at either "no control" or "full control". A mix is what I want.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I think this is solved in Prevx1 with the setting for blocking "caution" programs, which has 3 options: query, enable, disable.
     
  18. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Assume an application makes all the security decisions for you, does it mean you do not need to worry anymore?

    No, because the application is not going to be perfect. Mistakes and bugs are going to be observed.

    What about if it has a flaw in its automation system for processing malware or new programs, or someone sets a malicious program wrongly by mistake?

    False positives produced by Prevx1:
    http://www.castlecops.com/t156289-false_positive_possibly.html
    http://www.castlecops.com/t165252-No_evidence_of_malware_Prevx1_claims_found.html

    I'm sure it (will) have "false claims of clean processes" too.

    I see it as an advantage to view its choice and ask me for confirmation, so I can act as the final guard to catch possible mistakes/bugs. I may not help all the time, but at least some. I recently noticed an application made a false positive on one process. After a bit of research on the net and some monitoring, I confirmed that it is actually clean. I then emailed the vendor and it agreed too.

    PS: Don't get me wrong that I think Prevx1 is bad. It's principally a well-thought application. Its idea of community-based protection is great too. :thumb:
     
  19. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    If I understand correctly, programs are either "good" or "bad" in Prevx1.

    "Cautions" are only used for new or recently-received programs which Prevx1 is still researching. The "cautions" will be gone once it has made its decisions.

    As I said, there are many instances where a program may be considered bad for some, but good for some others. Thus the current approach of Prevx1 does not solve this problem.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't think it's for new or recently-received programs. These are known programs in the Community Database, which contains good, bad and caution programs.

    Straight from the Prevx1 Help:
    For me, all greyware is black. Never give the bad guys or even the good guys an inch regarding adware and spyware. Users who agree with greyware play with the devil.
     
    Last edited: Oct 10, 2006
  21. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Agree 100% with you on that one EA.

    muf
     
  22. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Same applies with full control HIPS as well. What if you allow malware to run by mistake? Every anti-malware has flaws. Show me one that doesn't and protects my PC 100% all the time and I'll install it immediately. But there's no such thing. You use what you can, trust that it will be enough, and if it isn't... well, there's always the option to re-format and start again. And this is where my Acronis TrueImage comes into its own...

    muf
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Indeed and mistakes can be corrected, if users report them.
     
  24. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    This is an interesting thread. Good comments, well thought out. It's rather a shame that any in-depth discussion of OTHER HIPS-type programs might go too far off-thread from "Process Guard, Prevx, Online Armor."

    One of these days, when my granddaughter isn't nagging me to play DragonQuest VIII with her, I might start a thread that discusses one of the best tested quadruple-A HIPS I know of. Namely, DefenseWall, as tested by nicM & Kareldjag.

    The aforementioned test, by the way, was VERY instructive to me. It taught me things about HIPS that I wasn't even aware of before. If you haven't read it yet, I think you might enjoy it.
     
    Last edited: Oct 10, 2006
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In Prevx1, I block "unknown" and "caution" programs.

    If my computer can access the "Community Database" and
    if a program exists in the "Community Database", there are 3 possibilities:
    1. If the program is "good", Prevx1 allows the installation.
    2. If the program is "bad", Prevx1 blocks the installation.
    3. If the program is "caution", Prevx1 blocks the installation.
    If a program doesn't exist in the "Community Database", the program is "unknown" and Prevx1 blocks the installation.
    If my computer can't access the "Community Database", the program is "unknown" and Prevx1 blocks the installation.

    This is in theory a "foolproof" system, because all possibilities are covered and the bottom line is that Prevx1 allows only GOOD programs and blocks the installation of any other program.

    I'm only worried about malwares that aren't "programs" and therefore not recognized by Prevx1.
    If such malwares don't exist, I have a "foolproof" protection.
    If such malwares do exist, Prevx1 won't block the installation and my computer will be infected.
    My question is: do such malwares exist, and if they exist, which security software(s) do I need to protect me against these malwares o_O
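The decision policy ErikAlbert lays out in the post above (good/bad/caution/unknown verdicts from a hash-keyed community database, with "unknown" covering both an unlisted program and an unreachable database), together with the checksum-verified whitelist muf describes in post 3 (a freshly released build hashes differently and therefore shows up as unknown) and the local checksum monitoring bellgamin mentions in post 2, modelled in Python as an added example. This is constructed illustration code written for this thread, not Prevx1's or any vendor's implementation: the sample files, their hashes and verdicts are made up, SHA-256 is assumed as the checksum, and the per-class settings (query/enable/disable, the option names ErikAlbert gives in post 17 for "caution") are assumed to apply to "unknown" as well so that Wai_Wai's "advice plus my final decision" mode can be shown as the `query` action.

```python
import hashlib

# Constructed sample executables: byte strings standing in for files on disk.
SAMPLE_FILES = {
    "editor.exe": b"constructed bytes of a known-good editor",
    "dropper.exe": b"constructed bytes of a known-bad dropper",
    "toolbar.exe": b"constructed bytes of an ad-supported toolbar",
    "newtool-v2.exe": b"constructed bytes of a build released an hour ago",
}


def sha256_hex(data: bytes) -> str:
    """Checksum used as the lookup key (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(data).hexdigest()


# Constructed "community database": checksum -> verdict. The just-released build is
# deliberately absent, reproducing muf's BOClean-update case.
COMMUNITY_DB = {
    sha256_hex(SAMPLE_FILES["editor.exe"]): "good",
    sha256_hex(SAMPLE_FILES["dropper.exe"]): "bad",
    sha256_hex(SAMPLE_FILES["toolbar.exe"]): "caution",
}

# Constructed local baseline of checksums the user accepted earlier (bellgamin's
# "checksums monitored" idea). The previous build of newtool was accepted; v2 was not.
LOCAL_BASELINE = {
    "editor.exe": sha256_hex(SAMPLE_FILES["editor.exe"]),
    "newtool-v2.exe": sha256_hex(b"constructed bytes of the previous build"),
}


def lookup_verdict(file_hash: str, db: dict, online: bool = True) -> str:
    """Database verdict for a checksum. Anything not listed, or any lookup made while
    the database is unreachable, is 'unknown' (ErikAlbert's two fall-through cases)."""
    if not online:
        return "unknown"
    return db.get(file_hash, "unknown")


def decide(verdict: str, caution_setting: str = "disable",
           unknown_setting: str = "disable") -> str:
    """Map a verdict to an action. Only 'good' is allowed outright and 'bad' is always
    blocked; 'caution' and 'unknown' follow a per-class setting where 'query' asks the
    user, 'enable' allows and 'disable' blocks. The defaults are ErikAlbert's choice of
    blocking both classes, so only GOOD programs get through."""
    setting_to_action = {"query": "query", "enable": "allow", "disable": "block"}
    if verdict == "good":
        return "allow"
    if verdict == "bad":
        return "block"
    if verdict == "caution":
        return setting_to_action[caution_setting]
    return setting_to_action[unknown_setting]


def check_baseline(name: str, data: bytes, baseline: dict) -> str:
    """Local checksum monitoring: has this file been seen before, and is it unchanged?"""
    if name not in baseline:
        return "new"
    return "unchanged" if baseline[name] == sha256_hex(data) else "modified"


def evaluate(name: str, data: bytes, db: dict = COMMUNITY_DB,
             baseline: dict = LOCAL_BASELINE, online: bool = True,
             caution_setting: str = "disable", unknown_setting: str = "disable"):
    """Full decision for one file: (database verdict, action, local baseline status)."""
    verdict = lookup_verdict(sha256_hex(data), db, online)
    action = decide(verdict, caution_setting, unknown_setting)
    return verdict, action, check_baseline(name, data, baseline)


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, evaluate(name, data))
    # Database unreachable: even the known-good editor degrades to unknown and is blocked.
    print("offline editor.exe:", evaluate("editor.exe", SAMPLE_FILES["editor.exe"], online=False))
    # Wai_Wai's preferred mode: unknown programs prompt instead of being silently blocked.
    print("query mode newtool-v2.exe:",
          evaluate("newtool-v2.exe", SAMPLE_FILES["newtool-v2.exe"], unknown_setting="query"))
```

The third element of the result is what a purely database-driven policy does not tell you: `newtool-v2.exe` is "unknown" to the database and "modified" against the local baseline, which is the combination muf saw with the new BOClean build (a legitimate update looks exactly like a replaced binary until the database catches up). Leaving the per-class setting at `disable` is the fail-closed choice ErikAlbert describes; `query` keeps the verdict visible while handing the final decision back to the user.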
     