What's a good way to know about changes to the system & software? HIPS, BBs, etc.

Discussion in 'other anti-malware software' started by justenough, Nov 8, 2010.

Thread Status:
Not open for further replies.
  1. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    This combination of Sandboxie, Tiny Watcher and on-demand scans has made my computer noticeably faster, even though I have an over-clocked multicore and 1600MHz ram.

    Does anyone know if Tiny Watcher misses enough on a 64bit system that there would be a vulnerability?
     
  2. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    If it allows wild cards it may not be such a PITN.
     
  3. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Since I am not sure how secure Tiny Watcher is running on a 64bit machine, I am going to use WinPatrol. And because WP might not be powerhouse protection, I put NOD32 back on for now. I'll keep reading about this topic of notification software, looking for other solutions.
     
  4. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    AnVir Task Manager was mentioned in another thread, and from the description, it seems like it would monitor all activity going on behind the scenes.

    http://www.anvir.com/


    And it will work for 7 x64. Does anyone have experience with this program?
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    If you insist on using WinPat, I suggest you ensure that WP's registry coverage is equal to that recommended by Kees1958.

    Kees' recommendations are HERE.

    If BillP is wise (he's the proponent of WP) he will have accepted Kees' recommendations & built the registry items into WP's default set-up. If BillP didn't add them, then I suggest you add them yourself.

    Even with Kees' recommended registry coverage, WP will still lack full-scope in the important area of monitoring all sensitive system files. From that standpoint, if you are going to run a real-time HIPS (which is what WP actually is), why not run a full-scope one, such as Online Armor? IMO, even OA's free version surpasses WP's scope of protection.
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    @bellgamin:

    Thanks m8, I will try this (registry entries) with SysTracer.
     
  7. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    1. Common sense and avoid illegal and dodgy and sick websites.

    2. HiJackthis

    3. Runscanner
     
  8. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Bellgamin, thank you for the suggestions. I have tried Online Armor, and it runs fine on my computer except for when I load the rare program that triggers a ton of pop-ups from OA. I actually had about 150 boxes to check when installing Acronis (3 or 4 boxes a pop-up, including 'install mode' which you would think would help the situation, but didn't). I found the solution was just to disable OA during the install. But I trust your judgement that it is good protection, and will put it back on.

    One question, is the free version a good HIPS, or would the Premium be better for that purpose?
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Last time I tried it, it works in a similar way to WinPatrol, but can't detect native 64-bit programs and registry entries.

    WinPatrol has better compatibility with Windows 7 64-bit, and more monitoring locations.
     
    Last edited: Nov 13, 2010
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Have you tried running OA in Learning Mode when you install? That's what I do, and the process is quite streamlined. I don't know if it is advised, but it creates automatic rules, and that means the pop-ups are held in check.
    It is my understanding that the HIPS is the same in all versions.
     

    Last edited: Nov 13, 2010
  11. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Thanks for that info, J_L.

    Page42, I looked at the OA comparisons and couldn't tell if there was a HIPS difference, but I didn't think to look at FAQs. Thanks for finding that.

    One more question about using a HIPS with Sandboxie and on-demand scans, would OA work better in that combination than Mamutu?
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I agree with Page42's suggestion to use learning mode. During learning mode, OA will make a detailed record of the actions taken by the software during its installation -- that could come in handy if you later encounter problems. If OA is disabled during the install, you will not have any record of what the install did to your computer.

    Additionally, before installing a new program I always scan it with my antivirus and then upload it to VirusTotal for an added scan. Also I make sure that I have a recent clean image of my system disk. If I don't have one, I make one before installing.
     
  13. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I didn't understand that ability of learning mode during installs. That solves the one big problem I was having with OA. And the pre-scan with an AV before installing is a good idea. Thank you Page42 and bellgamin.

    Online Armor and Sandboxie are now my main real-time protections. I'll keep it this way unless an on-demand scan finds an intrusion, and then I'll load a system image and rethink things.
     
    Last edited: Nov 14, 2010
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    @ justenough regarding OA HIPS and Learning Mode... you're welcome! :)
     
  15. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    I also use Zemana.
    - If I use OA Free, should I disable "system defense" in Zemana? I think this is a light HIPS.
    - And what about Outpost Firewall Pro? Does it have a strong HIPS or a sandbox?
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    You are correct -- Zemana's "system defense" is a light HIPS. I cannot unequivocally answer your questions because I use SpyShelter (SS) as my anti-keylogger (it also has a light HIPS).

    IMO -- if you are running Win7 64-bit then it's probably okay to run Zemana's HIPS & OA's HIPS together since Patch Guard prohibits hooking the kernel.

    In 32-bit, it is *possible* that both Zemana's & OA's HIPS are hooking the kernel. If so, there is a remote potential for conflict.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    As to OP Pro, it has a light HIPS that was (initially at least) mainly designed to pass Matousec's leak tests.

    Sandbox isn't among OP's listed features. However, there is an *unlisted* sandbox -- but it's only a temporary location where objects reside while being scanned so that your system remains clean. It evidently isn't "documented" because the user has no control over its use. OP automatically decides when to use it.

    As to running OP together with Zemana's HIPS -- better ask that question at OP's forum. Seek an answer from Manny Carvalho -- he's smart & friendly.
     
    Last edited: Nov 14, 2010
  17. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    While Online Armor was significantly easier to use after turning on the learning mode during installs, it still was making itself known, even though nothing malicious was happening. Not a big deal, but after half a year of good results using Sandboxie, I just don't think I need a powerhouse such as Online Armor. So I've replaced it with the sometimes maligned but also loved WinPatrol Plus, for informational purposes only.;) Well, maybe it has hidden abilities, we'll see. But basically I am depending on Sandboxie, careful browsing, and scanning downloads with MBAM to keep me safe. And a system image as a backup plan.
     
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    SysTracer does NOT allow wild cards. However, modifying the list is easier than I thought at first.

    SysTracer's screen for selecting Registry items & Files is a check list, as shown below.

    [screenshot: SysTracer's check list for selecting Registry items and Files]

    SysTracer's default set-up lists EVERY registry item & file, with a check-mark by all of them. To reduce this lengthy list to just the security-sensitive essentials, simply use the "+" marks to expand the items then UNcheck all items that are not security-sensitive. You can use TW's list to determine security-sensitive items. TW's list is at THIS link -- scroll down to "Check List".

    Having done that, click on the "Save scan filter as..." button at the bottom of the screen. Thereafter, you need not repeat this tedious task. Simply reload the list you saved & you're good to go.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    If you are talking about the redirection issue, read THIS.

    64-bit Windows operating systems use C:\WINDOWS\system32 for 64-bit apps. Therefore, 32-bit apps are redirected to C:\WINDOWS\SysWOW64.

    Since TinyWatcher (TW) is a 32-bit application, a 64-bit Win OS would ordinarily redirect TW away from the system32 directory. This redirection is not desirable because the user wants TW to scan the system32 directory.

    However, Win OS makes it easy for 32-bit applications to access the system32 directory. I quote from the link cited above:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Therefore, modifying TW for 64-bit *should be* easily done as explained below.

    1- On the Start button menu > Programs > Find Tiny Watcher and click it for TW's menu > On that menu, click Options.

    2- On Options screen, click More Options > then click Directories and Files.

    3- Cut & paste the following entry into the list of Directories and Files so that is added to the list as is shown below:

    $windows\sysnative\*%

    [screenshot: Tiny Watcher's Directories and Files list with the sysnative entry added]

    NOTE 1: I added the sysnative entry rather than substituting it because user may still have 32-bit apps. If user does NOT have 32-bit apps, TW will simply ignore the 32-bit entry.

    NOTE 2: I am *fairly certain* the above will work. If someone tests it, please let us know the results, one way or the other. I cannot test it myself because I am running a 32-bit OS.
     
  19. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    I'm thinking about using an on-demand antivirus scanner, SysTracer on demand as well, and only running LnS and SpyShelter in real time, with images. Anyone think SysTracer is up to the task as long as I configure it for what TW watches as well?
     
  20. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    With my limited Windows experience, I hesitate to test this modification, so I will wait to see if someone reports on this. If it works, I'd like to try Tiny Watcher again, since it had little or no impact on my computer, which is why I am using Windows Firewall and Defender, and WinPatrol. The one program I am now willing to pay a price in speed for is Sandboxie.

    I looked at the link for setting up SysTracer, and it seems easy enough to set up once. But would you still have to dig down through folders to find changes? This seems to be Tiny Watcher's advantage, it puts the notification of changes in one list.
     
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    No.

    Just take 2 snapshots.
    After the snapshots, on the "Snapshot" main page click on the "View difference list" button at the bottom right.
    It will then show all the differences by category on one page.
    Keep in mind that you can use filters to filter out unwanted information.
    --------------------------------------------------------------
    If you click on the "Compare" button instead, you will be taken to tabs where you have to drill down through folders to see changes.
    It is quicker, I think, to use the "View difference list" instead.
     
    Last edited: Nov 21, 2010
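
The two-snapshot workflow moontan describes (and the Sysnative redirection detail from bellgamin's Tiny Watcher post above) in working code. This is an added example, not code from SysTracer, Tiny Watcher or WinPatrol: it hashes every file under a list of watched directories, saves that as a baseline, and later reports what was added, removed or modified, which is what "View difference list" does in one page. The watched directory in `demo()` is a constructed temp tree with invented file names; `resolve_system32` applies the WOW64 rule from the thread, where a 32-bit process on 64-bit Windows must open `Sysnative` (available on Vista and later) to see the real `System32` instead of being redirected to `SysWOW64`. Registry keys are not covered here, only files.

```python
"""Snapshot-and-diff watcher for security-sensitive file locations.

Added example, not code from Tiny Watcher, SysTracer or WinPatrol.
Take a baseline snapshot, install something (or wait), take a second
snapshot and diff them.  The watch list and file names in demo() are
constructed for illustration.
"""
import hashlib
import os
import tempfile


def resolve_system32(windir, os_is_64bit, process_is_64bit):
    """Return the directory a watcher must open to see the real System32.

    On 64-bit Windows a 32-bit process that opens <windir>\\System32 is
    silently redirected to SysWOW64.  The Sysnative alias bypasses that
    redirection, so a 32-bit watcher must use it.  A 64-bit process, or any
    process on 32-bit Windows, opens System32 directly.
    """
    if os_is_64bit and not process_is_64bit:
        return os.path.join(windir, "Sysnative")
    return os.path.join(windir, "System32")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(watch_dirs):
    """Map every regular file under the watched directories to its SHA-256."""
    snap = {}
    for root_dir in watch_dirs:
        for dirpath, _dirs, files in os.walk(root_dir):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.islink(p) or not os.path.isfile(p):
                    continue
                try:
                    snap[p] = _sha256(p)
                except OSError:
                    continue  # locked or unreadable file: skipped, not fatal
    return snap


def diff_snapshots(before, after):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, each sorted."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Run the workflow on a constructed directory tree and return the diff.

    A temp dir stands in for a watched directory such as System32; the file
    names are invented.  Paths are returned relative to the watched dir.
    """
    with tempfile.TemporaryDirectory() as d:
        svc = os.path.join(d, "svchost.exe")
        drv = os.path.join(d, "drivers", "old.sys")
        os.makedirs(os.path.dirname(drv))
        with open(svc, "wb") as f:
            f.write(b"original binary")
        with open(drv, "wb") as f:
            f.write(b"driver")
        baseline = snapshot([d])

        # Simulate what an installer (or malware) might do between snapshots.
        with open(svc, "wb") as f:
            f.write(b"patched binary")
        os.remove(drv)
        with open(os.path.join(d, "drivers", "new.sys"), "wb") as f:
            f.write(b"new driver")

        delta = diff_snapshots(baseline, snapshot([d]))
        return {k: [os.path.relpath(p, d).replace(os.sep, "/") for p in v]
                for k, v in delta.items()}


if __name__ == "__main__":
    print(demo())
    print(resolve_system32(r"C:\Windows", os_is_64bit=True, process_is_64bit=False))
```

On a real system you would pickle or JSON-dump the baseline dict to disk, then diff it against a fresh snapshot after an install; the result is the same one-page "difference list" the thread describes, with the caveat moontan raises below that unrelated background changes (logs, caches) will show up too unless you filter them out.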
  22. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Yes.
    It's an IT tool after all.

    SysTracer can also be used as an "uninstall" tool if you take a snapshot before and after installing a piece of software to see the differences.
    You will have to exercise caution though, as some entries might be unrelated to the install.
     
  23. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Bellgamin, any idea what registry keys need to be checked in SysTracer for an x64 system? I've noticed the first one on the list at TW isn't in the registry.

    On x64 there is only RunOnce and Run in the CurrentVersion section.
     
  24. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Oh.

    I'll try it again, setting it up according to bellgamin's link to TW's list of files to watch, and then using the 'View difference list'. Thank you.

    Edit: From what whitedragon551 just posted, I will wait until a good method is sorted out to watch for changes on a 64bit system.
     
    Last edited: Nov 21, 2010
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    No, I have WinXP 32-bit. However, if you list non-applicable registry items in TW, it ignores them. So no damage using TW's unexpurgated list.

    We should bug Kees1958 to make a *pure* Win7 64-bit update to TW's registry list. Or maybe moontan will do it.
     