Sana Security Primary Response - Opinions

http://www.sanasecurity.com/products/pr/index.php

I'm looking for some feedback on Sana Security Primary Response.
How effective is it against unknown, zero day malware? I'm running the 15 day trial now and it's been running pretty smooth. It's been very quiet. I just have no idea how effective it is when it encounters a threat.

So, anyone else using it and seen it in action against malware?

Thanks.

 

Use the search option Norton AntiBot is same software, just re-branded

 

PRSC evaluates processes by assigning threat levels to the actions it performs, then flags the process when the levels go past a certain threshold.

This has its ups and downs. On the bright side, FPs do not come by easily. On the bad side, it is largely incapable of stopping malware propagation, and to some extent malware installation as well, because it assigns relatively low threat scores to self-propagation actions. An autorun trojan that does nothing but register itself to autostart and replicates itself across removable media, for instance, would slip right past PRSC, because PRSC deems those actions as not dangerous enough.

PRSC also has the problem of unable to handle massive malware bombardments. If only a trojan or two shows up, PRSC is able to function as advertised. If you visit a malicious website with a ton of iframes that launch multiple malware at once, for instance, then some will invariably slip past PRSC as it scrambles to deal with them. Again, this is a flaw due to its philosophy - PRSC seeks to block only malicious payloads, and certain less-dangerous actions like propagation and installation slip past it. When it finally does flag the malicious payload, the malware may already be too deeply-rooted in the system for PRSC to remove.

This is by no means to say that PRSC is ineffective - it's still a excellent layer of defense when coupled with a traditional scanner, and will provide good protection with minimal FPs. However, as far as I'm concerned, ThreatFire and Micropoint are the undisputed leaders of behavior blocker software right now, and when compared against them some of PRSC's shortcomings and protection level become readily apparent.

 

Hello Malcontent,

Assuming that you are inquiring about Primary Response SafeConnect(behavioral heuristic anti-malware), please take a look at the following links.

https://www.wilderssecurity.com/showthread.php?t=182336&highlight=antibot
https://www.wilderssecurity.com/showthread.php?t=176980&highlight=antibot
http://www.pcmag.com/article2/0,1759,2071441,00.asp
http://www.techsupportalert.com/issues/issue141.htm#Section_2.2
https://www.wilderssecurity.com/showthread.php?t=164863&highlight=primary response
http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm
https://www.wilderssecurity.com/showpost.php?p=1051377&postcount=20
https://www.wilderssecurity.com/showpost.php?p=1057172&postcount=45
https://www.wilderssecurity.com/showpost.php?p=1083269&postcount=112

The following are current direct links to Sana Security and Primary Response SafeConnect.

http://www.sanasecurity.com/
http://www.sanasecurity.com/corporate.php
http://www.sanasecurity.com/products/home/index.php
http://www.sanasecurity.com/products/home/sc/faq.php
http://www.sanasecurity.com/why_sana/technology/activeMDT.php

FYI, Sana Security also has sells a product called Primary Response which is a IPS/HIPS that is only sold to small, medium business and enterprise(SMB).

Hope this helps.


Peace & Love,

CogitoErgoSum

 

CogitoErgoSum

We have PRSC on a vista64 box, you once emailed "PRSC is best appreciated by those of us who understand its strengths and limitations."

I tried some tests and really can not say what trigger PRSC to intercept. May be you can explain (sounds a bit silly after a having purchased the lisence).

Solcroft,

Where did you find that information. Reason for asking I did some testing (obviously simple single action tests) and PRSC kept awfully quiet.

I agree on ThreatFire as the best of the known (do not have experience with the chinese Micropoint) for free (but you have to have a strong CPU) and configurable with additional custom rules.

Regards Kees

Regards Kees

 

I tested AntiBot for almost three weeks by repeatedly executing live malware - not test programs.

Regarding TF, I disgree that you need custom rules to be effective. The thing is that you're trying to compare an intelligent behavior blocker that strives to block ONLY malware, and a "dumb" HIPS program that flags anything and everything, malicious or not. Obviously, with a "dumb" HIPS, you can lock your system down to the extent that nothing is capable of so much as twitching unless it has your express permission, but when it comes to intelligently blocking only real malicious code and not barraging the user with a ton of popups every time something gets executed regardless of whether they're legit or not, and (equally important) cleaning up the mess afterwards, ThreatFire and Micropoint are unmatched.

 

Hi, folks; I am using both TF free and PRSC paid on the same laptop. I have noticed these: when ever there is new program process added into system, TH will alert me with a pop-up seeking my approval, whereas PFSC just simply adds that process into monitoring list with few yellow-coloured squares designation, no alert. I think both are doing the same good jobs, except one is a bit more paranoid than the other. I remember some one says that PRSC will not be moved by a single behavior threat, just awaiting more of the same to confront with. These are just my non-tech observations so far. Take care.

 

I'm afraid I'll have to challenge you on that; TF does NOT alert you just because you add a new program to your computer. If you do have some screenshots of this happening, that'd be nice.

 

Hi, To satisfy your curiosity, I have listed two popular programs:
Prevx2 and R-Wipe & Clean. TH will alert and seeking user's approval re:
Prevx2 's browser lunch and R-Wipe&Clean's EXE creation and more. Sorry I do not have screenshots to prove it, but your DIY will see what I mean.. Take care.

 

Hello Kees1958,

Based upon personal experience, other than throwing live malware samples(viruses, trojans, keyloggers, worms and rootkits) at PRSC, tests that will elicit a response include the prueba malware demo, Morgud's DFK blended threat simulator, Scoundrel Simulator and RegTest. Keep in mind that removal of detected threats may require multiple reboots.

Please refer to the following link.

https://www.wilderssecurity.com/showpost.php?p=1057172&postcount=45

Hope this helps.


Peace & Love,

CogitoErgoSum

 

ThreatFire responses to creating exe files in the Windows directory.

Regards Kees

 

prueba.exe is NOT a demo. It's actually a variant of the Bifrose trojan, and a live malware sample.

 

Exactly right. TF will give popup whenever an exe is created in Windows directory or in root of C drive/ partition.

 

That's a very different case from TF popping up alerts just because you added a new program.

Many times it's not easy to distinguish installer programs from non-destructive malware, as they share many common characteristics: loading drivers, creating autostart entries, etc. I've seen TF throw up FPs on occasion when installing programs, but like I mentioned, this is a different story altogether from TF alerting you just because you added a new program; the installer exhibits some malware-like characteristics that caused TF to flag it.

Even with the occasional FP on installers (again, because installers and non-destructive malware often exhibit similar actions), behavior blockers are still infinitely more useful than a "dumb" HIPS when trying to install new programs. Just try to to install, say, a firewall program if you have SSM, EQSecure or ProSecurity enabled with a good ruleset. Voila, instant popup nightmare.

 

Not always. I've seen TF allow such actions by legit programs a couple of times. Seems like TF isn't just a single-behavior blocker; I'm beginning to suspect it inspects other characteristics as well: invisible window, packers, file path/location/size etc., maybe.

 

It,s the usual behavior of TF. Try copying any executable in windows directory or in root of C drive via ur browser or some alternative explorer( not windows explorer) and u will get an alert.

 

Tried it with Opera and Firefox. No such alert. =/

What explorer shell are you using?

 

Hi, folks: PRSC just updated to 148. This baby does not cry that much. Just stays low in the background doing its job. How they do it remains a mystery to me, although I wish developer could be more transparent, or at least come to here to acknowledge our gossips As I remember they showed up just once(?) when it was in beta. I know their bread and butter is in corporate sectors, but remember that little ants CAN move the Alps. Just a thought.

 

Hello solcroft,

I stand corrected regarding prueba. Thanks for setting the facts straight.


Peace & Love,

CogitoErgoSum

 

Hello Kees1958,

Here are some links that may help answer some of your questions regarding PRSC.

http://www.sanasecurity.com/common/files/prsc_eval_readme.pdf
http://www.sanasecurity.com/common/files/PRSC_WP.pdf
http://www.sanasecurity.com/common/files/TollyTS206125.pdf
http://infosecurityproductsguide.com/people/MatthewWilliamson.html

Hope this helps.


Peace & Love,

CogitoErgoSum

 

Hi Solcroft, See the alerts with UltraExplorer.
Just installed TF to check. No alert with the browser though.

View attachment 194367
View attachment 194368

 

NAB updated today to 148 as well. I haven't heard much from NAB either. It did complain about a POP mail checker gadget I had installed. It didn't work like I wanted to anyway so I uninstalled it and got another. NAB liked it better, lol.

 

Weirder and weirder.

I googled for and grabbed a copy of UltraExplorer from http://www.mustangpeak.net/ultraexplorer.html and then copied some arbitrary files to C:\ and C:\Windows (in this example it was the Webroot Desktop Firewall setup program). TF remained silent.

 

Copied to C from where?
May be u used explorer.exe by mistake.
Herre is the way i do it. Chane Ultraexplorer to dual panel mode. Open desktop in one panel and C drive in other panle. Use UltraExplorer,s file transfer button( that is located on the separation of two panels) to transfer an exe from desktop to C.

 

Ah, there we go. TF alerts now.

I stand corrected.