ProSecurity v1.21 [HIPS software]

Discussion in 'other anti-malware software' started by PSDeveloper, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
    This may be only a small difference in technical details.
     
  2. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

    Thanks - I just wondered about the relative merit of the different approaches
     
  3. TECHWG

    TECHWG Guest

    I think it's probably like the personality of the developer. For example, how do you go to Device Manager? Control Panel/System/Device Manager? Or right-click My Computer and go to Properties? Or Win + Break and Device Manager?

    Different ways of accomplishing the same thing.
     
    Last edited by a moderator: Nov 6, 2006
  4. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    Does anyone have this problem: when system bootup comes to the 'XP' Windows logon welcome screen, after clicking 'ok' the winlogon says 'loading your personal setting', and after that it returns to the welcome screen again. I have to shut down the system (not even a restart solves this problem) and reboot again. But one thing I notice: after installing PS, system startup is super fast compared to DSA, Prevx, Cyberhawk.
     
  5. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

    Have you managed to reboot successfully once after first installing?

    Try booting to safe mode and disabling PS and then reboot - locked out?
     
  6. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Those applications seem only to be Microsoft apps in the system32 folder, unless I've missed something. It could, however, take some creative persuasion to convince the developers to allow full control over everything, including the present apps with hard-coded rules ;)
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am not looking for full control of the 3 windows applications that are hard_coded. Just my ability to be able to set protection for these as I can with my other applications.

    I am currently using ProSecurity; this gives me full control over all/every application on my system.
     
  8. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Understood. It makes perfect sense to at least allow those options on those files. We'll see, I guess, how the SSM developers respond to the requests.
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It looks to me like SSM managers are wavering on this issue of rules for csrss.exe, smss.exe and lsass.exe. I certainly hope so.

    In the meantime -- just in case SSM stands firm against its customers' wishes -- I had better start considering a switch over to ProSec. I dread doing that because I am only just getting comfortable with configuring SSM.

    May I have the opinions of those who have experience with both SSM & ProSec -- is ProSec easier to learn than SSM, or harder, or about the same?
     
  10. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand

    The problem is that on every first bootup I get stuck at the logon welcome screen. When I click 'ok' to sign in, it shows loading user settings followed by going back to the welcome screen again. A 2nd reboot solves the problem, but my other tray icons are gone; only ProSec's own icon appears. Other programs that start with Windows are still running but their tray icons do not appear. o_O
     
  11. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    The Comodo firewall's tray icon issue, I think, was blocked by PS. I thought I had already let it learn my Comodo firewall in learning mode, but PS somehow blocks it from appearing in the tray.
    Now I am only left with the boot-up problem. Does anyone have any idea?
     
  12. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
    This problem is caused by disabling learning mode too early. Please keep learning mode enabled for at least two reboots after installing ProSecurity.

    For more information, please read the manual:
    http://www.proactive-hips.com/manualbook/quickguide.htm
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well, I do hope that SSM will allow the user to set/apply (at least) protection on these 3 windows apps.

    I personally would say easier,... if you do set anything incorrectly, check the logs, (simply right click a log entry to create a rule, or change options on the rule creating the log entry)
     
  14. TECHWG

    TECHWG Guest

    I agree, Stem. I have tested both; maybe I am biased since I have been helping with testing and functional input since its conception, but as I see the way they both work, I would say PS is easier and less confusing. My opinion. Simple to install, run in learn mode for a day, and do everything, and I mean EVERYTHING you can possibly think you would normally do: switch user accounts, log off, start screensaver, load programs etc., everything. Then review your settings and options after this and put out the trash... easy as pie.
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I really do not understand this. You are assuming you have a clean machine or are doing a fresh install of Windows. I have a clean machine but I cannot be 100% sure that that is the case. If you work in "Learning mode" then you are accepting everything running is kosher. What happens if it is not and goes undetected by PS? If you lock it out of learning mode at the earliest then you do have to go through a lot of pop ups but at least you have the option of deciding together with any help the program may give.
     
  16. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi David

    But this is the case with all HIPS type apps with 'learning mode' PS, SSM, PG etc.

    You either trust the integrity of your machine or not. User's choice. If you don't or are paranoid AND have the right level of knowledge, then running without Learning mode would be the laborious but safer option, I agree. Running any of these types of apps immediately after a fresh install and then keeping a tight rein on everything thereafter is probably the best scenario IMHO.
     
  17. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I am not just saying this against PS. As you say, it applies to any security app. It is the way I installed SSM, and PG previously. It does give you more work but I think it is the safer way.

    It does pose a problem when someone who is perhaps new to these type of programs, sees these thinking they will give more security and blindly installs them accepting everything that is running.
     
  18. TECHWG

    TECHWG Guest

    Yes, the point is, if you are infected with something prior to installing HIPS you are already infected; if it's a rootkit then trash your Windows because you will only add insult to injury... If you have something generally bad on your system, PS or any other HIPS will see it and allow it. After a day of Learn mode you are no better off or worse off than you were before installing. After you remove learn mode, you then scrutinise the settings and allowed exe and make your expert or educated guesses on what to remove... You can always allow them again if you fluff up on it. Simple as can be to me.
     
    Last edited by a moderator: Nov 7, 2006
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    SSM and PG have hard_coded rules for certain windows applications. PS does not,.. so to disable learning mode within PS immediately after installation could lock you out of windows,... the solution, either:-
    Ask the creator of PS to create hard_coded rules for windows apps that require to run on boot
    The user sets these permissions manually after installation
    The user runs learning mode for a re-boot
    The user uses PG or SSM
     
  20. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Sorry David, didn't intend to mean that was the case.
     
  21. TECHWG

    TECHWG Guest

    It just seems some people may mistakenly think that HIPS can cleanse a system... well, they can't. For example, worst case, if you are infected with a rootkit (which does happen) then nothing you do really is going to touch it unless you can find a way to detect it, which as we know is cat and mouse. HIPS protects you from after you install and config it. So the best way for any HIPS is to format your c:\ and install Windows fresh and your security software, and be careful in future. Failing this, you will have to use learn mode and then use a fine-tooth comb after the fact, and you might be able to do something about it then.
     
  22. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    No worry Jon. Just that some are protective over PS and just wanted to state that I am not putting it down.
     
  23. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks Stem

    That is interesting. Had not seen that mentioned before. Presumably the only gripe you have with SSM is over the 3 files?
     
  24. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I think that is the way people read them. If you read the sites that is the image given by their blurb. Maybe if you read deeper you will. I have just looked through their manual quickly and the implication is that once it is installed all will be fine. So you cannot blame people for thinking they are safe.


    Note for Stem

    It says the learning mode is advisable to prevent pop ups - not essential. You may of course be right about lock ups.
     
  25. TECHWG

    TECHWG Guest

    OK, the developer and I have come up with a plan to help with the learn mode issue, and we have a compromise between default rules and learning... Advanced users will be able to do whatever they want, and users who wish can opt to have certain system rules installed for them depending on their OS, which they will choose, I think. We will make standard installs of Microsoft OS 2000 and XP, maybe 2003 also, and give a list of these OSes so you can import standard working rule sets for OS system resources only. This operation will not delete any previous rules you had, and will only change the system rules, so you could also use this as a fail-safe: if you messed with system rules you could just overwrite those system rules with presumably working ones and possibly salvage your system. Also, in like 1 release away or so, we will have running process info and see whether files have a Microsoft certificate. This will help combat people cloning system files; for example, for c:\windows\temp\svchost.exe you would see "not verified" or something. Also options to kill a running process via a KERNEL mode killing option, plus an option to kill several programs at once, due to a nasty experience I had one time with malware loading 2 or 3 versions of itself, and it would reload itself. This way you can tick the processes to kill, and kill all in one go. Hope this helps.

    WG
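
An added illustration, not part of the thread and not ProSecurity code, of the post-learning review TECHWG describes in posts 18 and 25: flag learned entries that reuse a system file name outside System32 or are unverified, and re-import system rules without touching user rules. The rule fields (`path`, `scope`, `verified`) and all sample entries are constructed assumptions, not ProSecurity's real rule format.

```python
import ntpath

# Constructed sample data; the field names are assumptions for this example
# and do not reflect ProSecurity's real rule format.
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe"}

LEARNED = [
    {"path": r"C:\WINDOWS\system32\lsass.exe", "scope": "system", "verified": True},
    {"path": r"C:\WINDOWS\system32\svchost.exe", "scope": "system", "verified": True},
    {"path": r"c:\windows\temp\svchost.exe", "scope": "user", "verified": False},
    {"path": r"C:\Program Files\Editor\editor.exe", "scope": "user", "verified": False},
]
BASELINE = [
    {"path": r"C:\WINDOWS\system32\csrss.exe", "verified": True},
    {"path": r"C:\WINDOWS\system32\smss.exe", "verified": True},
    {"path": r"C:\WINDOWS\system32\lsass.exe", "verified": True},
]

def is_cloned_system_name(path):
    """True when a file carries a system binary's name outside System32."""
    folder, name = ntpath.split(ntpath.normcase(ntpath.normpath(path)))
    return name in SYSTEM_NAMES and folder != SYSTEM_DIR

def review_learned(rules):
    """Return learned rules needing manual review, most suspicious first."""
    def rank(rule):
        if is_cloned_system_name(rule["path"]):
            return 0  # system name in the wrong folder
        return 1 if not rule["verified"] else 2
    flagged = [r for r in rules if rank(r) < 2]
    return sorted(flagged, key=rank)

def import_system_rules(current, baseline):
    """Replace only system-scope rules with the baseline; keep user rules."""
    kept = [r for r in current if r["scope"] != "system"]
    return kept + [dict(r, scope="system") for r in baseline]

if __name__ == "__main__":
    for rule in review_learned(LEARNED):
        print("review:", rule["path"])
    for rule in import_system_rules(LEARNED, BASELINE):
        print(rule["scope"], rule["path"])
```
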
     