ssm vs appdefend

I hope I'm not out of line asking this question but since there are several folks on this forum who are knowledgable about such things...

Can anyone provide an objective comparison between System Safety Monitor and Regdefend/Appdefend?

Should one use one or the other, only one because the other isn't effective, or would it make sense to use both?

Any feedback will be appreciated.

 

From what i read and personal experience i garantee you than to use both is overkill.

On some point i prefer SSM as it use standart componment and have more option on certain cases. On other point i prefer GSS, even if ssm may seam to lead the race feature wise a new gss beta with alot of never-done-before feature should come here in a couple of weeks. You may also want to consider that ssm is a 4 persons ? compagny with buy at each major version licensing while gss is a one man compagny with liftetime licence policy.

as far as objective test go, I do not know of any. There are not yet something as HIPS leaks tester. Moreover those test can be questionable. HIPS work by asking permission to the user. If you know the file is bad and press block at each alert you receive you can say the hips blocked it, but for unknown file in the wild it's a different story.

 

hi Xwray,

I'm using both (GSS=Appdefend & Regdefend) and SSM.

the way I see it is SSM is the combination of Appdefend and Regdefend, the only option missing in SSM is the Network Protection (limited outbound control)
but at the moment even the combo of GSS cannot be compared against SSM. like f3x stated, SSM is realy on top of things, with updates and upgrades almost twice/triple a week !! Indeed this is not a one-man company and indeed there is no such thing as life time licence (I asked, I even would have paid for it).. ..

but as I am using both and if I have to be honest, SSM is one of the best HIPS around. the price is very very interesting. 25€ for the whole set = REgistry and Application protection while GSS for the whole set is 50€ so .. ..

plus their support at the moment is second to none, and the product is finished!

I guess the best thing you do is trial them both and see which one you like best but if you are indeed a newcomer on this field I would suggest SSM cause it has a fenomenal Learning mode .. ..

good luck,

http://syssafety.com/screens.html

 

This discution shall be moved to a more neutral ground that GSS support forum as Infinity post almost look like marketting

But seriously one thing you'll learn Xwray, is to never ask wich is the best type of question as no product are perfect and it is really a matter of wich highpoint / weak point of the product match the best with you.

A more usefull question is wich one are recomanded and both ssm and gss answer this question quite well, along with prevx and other hips mentioned in the *wich is the best hips* thread

Also regarding update frequency. It was a thing long discussed in here, the gss forum. Jason prefer to release well polished software once in a while that a lot of small update to fix what last update missed.

THe best you can do is to trial both and keep an eye open for next release of those two excelent software

 

no marketteer here...the question was asked, and we both have answered the best to our knowledge

indeed questions like this is asking for trouble .. I mean asking for actions and reactions .. anyway I would trial them both like we both say and then you can tell us what you like and don't like, that would be far more interesting imho !

best wishes,

 

Hmm wilders forum have ghost moderator and topic are found moved without leavign any traces

Anywais we're getting a bit off topic.
To xwray or anyone seeking to compare both product please specify in what particular area you want information. Infinity and I will take a pleasure to figth on the ring for you

 

SSM's Windows XP 'look and feel' is of a familiar and polished program, although some of the terminology and language employed (particularly throughout the current help file) isn't always familiar at first glance.

It didn't take much effort for me to understand how to control GSS for maximum effectiveness, especially after having used Process Guard. SSM is a little more complex, but you have more options.

When I was using a router and no software firewall, I felt the added network access control in GSS was worth having over other options.

 

Both products are works in progress and it is only natural that each will leapfrog the other with differing featuresets at different points of their development. Neither of the two companies have the baggage that a large company brings to the table so I would expect them both to be able to respond to changing market conditions (and competition) if they desired to

It is a pity in a way that there isn't a benchmarking program out there that measures the amount of overhead that each product adds to the system. I am not just talking about AppDefend or SSM, but also about the other HIPS offerings and the firewall+HIPS offerings in the marketplace

With any luck at least one of the vendors will make a decent benchmark that highlights both their own product strengths as well as its weaknesses in addition to doing so for its competitors

From my point of view its not just about leaktests and functional capabilities (even though that is the first thing tested), I also like to see the solution implemented with attention paid to performance. HIPS programs with their kernel driver components add at least some of their overhead to every process on the system, you cannot just look at the GUI component to judge the cost of running them

 

the problem is exactly what you have highligted.
their overhead is distrubued againt the whole system.

the only way i can see monitoring such usage is by using timestamp.
However it would be either solution specific (with no standart and possible way to cheat) Or would monitor only allow overhead.

here's my three tougth.

1) Solution specific: App / SSM take a timestamp when they enter in kernel mode. They also take a timestamp when they release the control back to operating system. There also need to be a way to substract the time waisted while wating the user to accept/denny, however the time waisted to draw the alert window is part of the overhead and should be keeped.

With that kind of monitor, you'll have info such as:
After 10 000 alerts you have spend 30 kernel seconds in policy management.
However it'll eb up to the devlopper to do that and there will be no objective comparaison point. Also it's very possible that requesting time information slow down the allow/denny process *a lot* 10-25% slower ??

2) Take advantage of operation chain:
While hooking the kernel two program can't hook the same function. the overide it to their own adress then pass to the next in queue.

so we can have:

[timestamp driver 1] > [HIPS] > [timestamp driver 2] > [normal kernel]

Of course the end timestamp will only occur when operation is allowed.
So we may need to add something somewhere-else that do:

[timestamp driver 3] > Error permission denied


3) Windows api test:
A simple loop that request the same windows api 10 000 time with and without the hips. however this also calculate windows overhead / can be affeted by caching etc. The least interesting but the easiest to implement.

 

I appreciate all the replies. Before I say anything else, what does the acronym HIPS stand for...I've seen it used a lot but don't know what it means.

Actually, I'm currently running Regdefend and am happy with it's performance. But, as with the other application software and system utilities I use on my machine, even when they are working OK I like to check around every so often to see it there has been anything "better" developed since the last time I looked. I try to be careful (thus the reason for my original post) and not get into a "don't fix it if it ain't broke" situation and generally find that in most cases, even though the software I'm using is old, there are no overiding reasons to change/upgrade but it does happen because sometimes there is just something better that pops up even if I "didn't know I needed it". This process also tends to keep me more current with what's happening in the development arena than if I just close my eyes to anything other than what is currently installed on my machine.

I originally became aware of SSM when I read about it on one of the threads in this forum. It looked to me like it was a utility in the GSS vein but possibly more "complete" at this point but I didn't want to install it before I had a chance to try the formal release of the APPDEFEND component of GSS...if that works as well as REGDEFEND I will no doubt purchase it but if it doesn't then I might decide to purchase SSM instead.

Actually, I don't generally care for "suite software"...seems to me that by trying to be all things for all tasks you run the risk of compromising what you could otherwise accomplish with dedicated software. That's not to say it's necessarily bad...I just happen to think that stand alone components that work well together are better than the "one size fits all" approach.

Anyhow, the question I asked at the beginning was directed toward this evaluation process. Note that I didn't ask which was best, but for an objective comparison between the two...that way I get to take advantage of the folks' experience who've already been there - done that. "Best" is at best relative while feature sets and stability should be a little less subjective.

Thanks again for the feedback

 

Host-based Intrusion Prevention System (HIPS).

 

hiya Xray.

Can you precise the contexte around suite software ?
Cause even if GSS is a "suite" it is composed of "individual componment that work well toghether" while ssm is not a suite but more like the componments merged together.

Or that suite paragraph was not to be interpreted in the ssm / gss context and rather pointed things like KIS / other av-spyware-hips-firewall-all-in-one suites ?

 

Hi...it wasn't specifically directed toward GSS. I suppose the major issue I have is that I've seen where an individual or company will develop a really good piece of sw for what it does and down the line they start adding additional features for whatever reason where those new features don't do their intended job nearly as well as the original. Sooner or later it transmutes into bloatware - norton comes to mind - and you wind up having to purchase the software priced to include what you don't want and load the whole thing onto your computer taking up resources which is of no use to you, especially if you have a piece of software that does the job much better than what was added to the original software. I prefer to pick and choose the best from each discipline/genre.

I suppose there is a sense of the esthetics of the software design/implementation involved too...that sort of stuff just plain bugs me when *in my opinion* it is poorly done.