Some questions

Currently I'm running process guard, but I see AppDefend has many more features (mainly interested in the outbound network protection, I want something lightweight for outbound because I love ghostwall so far, but would like some outbound protection), so I'm considering switching, but first, what are the main difference in AppDefend and pg? Also, what are the limitations/cut-out features on the free version of AppDefend?

 

see this thread concerning teh differences.

Also iirc, the beta from the website does not expire. I do not know if it is the same with the new alpha builds that Jason has released.

 

The current alphas do not expire - so that part hasn't changed.

 

I used to use ProcessGuard myself, before that I used SSM when it was free, I switched from PG to GSS (AppDefend & RegDefend) because I liked the way it worked and it was easy to use, the alerts are fantastic

I think one of the things that also made a big difference was that AD worked in the reverse way to PG, with PG you had to tell it what to protect and how, with AD it worked like a network firewall, I loved that so much, it protects all your processes and system without having to configure it really, through you do need to set rules to allow or block a particular action, like being able to terminate another process or accessing your network, a real improvement over PG

Comp01, the best advice I can give you is just try GSS, at the moment v1.110 beta is really stable and works really really well, you wont regret giving it a try even if you dont like it.....through I'm sure you will love it like everyone else has

Hugs,
Fluffy

 

Alright, I've installed GSS, so far its really nice, however it says the trial ends in 15 days? however once the final version comes out I will deifnitely buy, very nice program, very good work, very light and fast, anyways, what features will be disabled in the final version/when the trial expires?

 

Is there a way to test the driver install/rootkit blocking?

 

It isn't even blocking drivers/services...

 

I disabled regdefend, so is that what blocks drivers/services? If thats the case then doesn't the regdefend side expire? And then no more drivers/rootkit protection? I'd really rather not put out money on an app thats still in beta, so I mean if this is going to expire in a few days I might as well just switch back to PG til AppDefend gets out of beta/alpha stages...

 

AppDefend is responsible for blocking drivers/rootkits iirc. Have you checked its settings?

 

The default settings are Ask / Block for rootkits, however I don't get asked about it at all if RegDefend is disabled

 

I can start things that I know will install drivers, and still don't get asked.

 

I'll just go back to PG... This will be a nice app once out of beta, but it just doesn't block drivers/processes from installing, even though its configured to do such.

 

And I am correct, it seems RegDefend handles services/drivers atleast from my testing, so after the 15 days while the AppDefend beta runs fine and doesn't expire, it leaves you with a severe security hole not having RegDefend, and its stupid to pay for a beta app, so in 6-months to a year whenever AppDefend is finished I will switch to it permanently

 

I'm not certain of your definition of "handles services/drivers" but RegDefend does as the name implies....it defends the registry.

RegDefend

Bubba

 

Yes, but from my testing with apps that installed drivers/and or services, I would get no popups, no warnings, no blocking, what-so-ever, with RegDefend disabled, with ANY settings, if I set rootkit/driver installations to just block (under the default rule) Services.exe was "blocked" from installing, and all system apps were blocked from installing, and I made sure every other app was set to default (which was block) and I still got nothing, drivers went through seemlessly, services went through, no prob, only time I got any warning was with RegDefend on, I sat here for quite a bit today messing with the configs, something should've worked.

 

I have just tested AD and RD with a rootkit, oddly enough, AD doesn't catch the rootkit driver at all. But RD catches it being entered in the registry.
I'm also curious why AD didn't see it.

 

This might help a little.... and I agree that the distinction is quite hard to fathom unless you happen to know what is happening

• The AD component is blocking abnormal ways of loading drivers
• The RD component catches more "conventional" attempts to load drivers because that requires registry keys to be created during the driver load process

 

Well it depends on the rootkit, they use various methods to install themselves. For a while there was a lot of research into trying to get around the usual "use the registry" approach, but I guess they realized it's almost pointless since most things won't block the registry in the first place. The other methods which aren't registry based are covered by AppDefend.

AppDefend in the future may cover the "undocumented non registry" approach to cover service only entries, I had to do the same thing for ProcessGuard so you could see the real process trying to do the service install. However you'll still need RegDefend for the processes which manually insert themselves into the registry (then reboot) rather than use windows API to do it.