Small test of Drivesentry

I tested DS with several 0-day exploits and malware. It did not recognise any of them malware, but blocked almost all of them (see next message for an exeption)

-The HIPS messages were too general and not very informative. (fig 2,4)
-The community votes seemed useless. (fig 1,3,5) low statistics and possibly false conclusions.

 

During signature update a serious infection was allowed! (fig 1,2)

Prevx scan after test (most files are dead, but one serious infection, fig 3)
I scanned also with DS: clean!

Obviously DS signatures (simple hashes) are almost useless against new threats.

Fig. 4 is an example of community "wisdom".

 

i consider it a dead project anyways...

 

Yep. It's been a long time since DS was an active topic here.

 

It was a memory resource hog and conflicted with my existing AV. It would have been better to create a standalone HIPS application.

 

Is it just me,or do I remember this software seeming to show some serious potential at the start?
Or was I blinded by the cute girl Avatar of the spokesperson?

(Probably really a 250 lb Welshman with beard like a rhododendron bush.)

 

You mean KatieSentry who used to post here? I sorta liked half of it but three things turned me off: the huge file size, the CPU load and finally it became shareware.

 

Yes,and the way it just seemed to languish undeveloped.

 

Yep,

They could have easily done that.

Just remove the stupid limitation of HKEY_LOCAL_MACHINE + HKEY_CURRENT_USER entries of the SOFTWARE hive to be added.

Skip the local data base and use it only to check at community rating when an unknown program tries to access a file/extention or registry key/value for the first time, using more or less existing mechanismes:
a) known hash
b) Is it blacklisted
c) does it has a valid comminity advice?

RED ALERT: B = YES (A only for dectection speed)
ORANGE ALERT = A: NO, B: NO, C:NO
GREEN ALERT (or auto allow) = A: YES, B: NO: C: YES

With current DS community validity (e.g. 90% positive with at least 20 votes) and trust levels can be set allready (trust program complete or only for this key/extention, trust program for file or registry value only).

Would have a pretty user friendly file and registry HIPS (with its build in whitelist).

 

Indeed simple and nice system. That could have made it pretty useful.