Does OA has protection against direct disk access?

In other words, can it withstand against the malware like KillDisk, Robot Dog etc and tools like CleanMBR and Sector Editor etc?

Thanks

 

I'm very fond of this new option "Run Safer Unknown Programs". But anyway I think direct disk access should be intercepted. And Mike said they will address it in the coming release.

 

It wil be really nice to have this type of protection added.

 

That,s OK but I think such a builtin filter in OA HIPS is very important.

 

I'm very fond of this new option "Run Safer Unknown Programs"

Where is this feature.I have OA paid 2.1.0.131

 

Further, as to "run safer unknown programs" -- can anyone give OA's definition of "unknown program"?

1- Does it mean: "Unknown to OA's central database of whitelisted programs"?

OR

2- Does it mean: "Not on user's personal list of 'Allowed' programs?"

 

It's a feature of an upcoming version of OA, not available in version 131.

Cheers

 

Thanks, I thought it must be

GH113

 

OA defines a program on users PC as trusted or unknown after it is installed and the Safety Check Wizard is run. It uses a white list defined by OA lab. Updates to that list are done via what they call dictionary updates. The exe's hash is one of the variables used.

As a beta user, I have FF, MS excel, word and Outlook all of which "face" the www (or can) and I choose to set them as "run safer" which has the effect of running them as a limited user.

As well, there are some exe's that are allowed by OA and are trusted by their lab where I choose to override their settings. IE 7 is one of those and I not only block it from accessing the www but block it from running at all.

On windows explorer, I let it execute but block it from the www.

I hope these examples help clarify what is possible. The FW rules plus the HIPS let users "tweak" or "optimize" to match their secuirity policies.

 

@Escalader- Vary interesting. Thanks for the information!

Has there been any further word as to when OA will offer full-scope registry protection?

 

@ Pete2150 & Greenhorn113 That is what I like about Mike of OA (and Ilya of DW), they are open to customer feedback

@Bill. The paid version has the autostarts registry protection of Tony Klein, he has set up rules sets for regdefend. So the paid version has all the registry protection you need.

 

My bet would be 1-3 monthes (after Vista version release which already in public beta)

Edit:

I mean additional registry protection, actually. In other words user-defined rules editor for registry. Currently it has hardcoded registry protection.

 

They are really fast. Beta build 151 was just announced
==
Hi Guys,

Pleased to say we have a new build - 151

It includes the following bugfixes, and a new enhancement

Free version confuses with advanced mode pseudo-switching - fixed
Sometime you can see junk in the autorun popup - fixed
Import "sites.sav" file to My Websites doesn't work - fixed
"Run OA At Startup" cannot be turned off - Fixed
Learning mode issue after restore install - fixed
"File system scan is done" message issue - fixed
Keylogger detection adjustments
Direct disk access control - added
^^^^^^^^^^^^^^^^^^^^^

 

We got partly through this process and then I stopped work on it, to make sure we get our Vista version out as soon as possible.

Right now as Alex noted - we're in a beta phase with Vista - and busy squashing bugs and fixing/tweaking things.

Unless something pops up out of the blue, Registry is the next stuff we'll be doing - with our own twist on things.

 

Oh, sorry, I meant this just appeared in the beta of V3. Mike plans to release it within a month.

 

That,s good news indeed.

 

Grrrreat, Mike!

 

You got a knack for that piece of Plutonium Glad you tested it though and it passes, that insidious KillDisk and some others can be real system blasters, this type protection is vital! and should be implimented into all these type apps IMHO.

 

What is KD.exe?

Thanks

 

Doesn't "Run Safer" protect against this as well ? (Or, of course, just avoiding running as admin)

 

On the other side with 151 I noticed that almost every program requests direct disk access under Vista and doesn't do it under XP. Then I thought there is something wrong in implementation and quickly managed a small program that opens device "\\.\C:" with CreateFile. And I was astonished that Vista with UAC allows THIS. I got zero sector of disk C: (allowed by me on OA alert) with WRITE rights.. This is just incredible. I mean this is just incredible that Vista with UAC allows it !. But the fact almost every program under Vista requires direct disk access is also incredible. It looks like not a program itself but some API call ends in this. But then how can I diffrentiate between good and bad ? Then being puzzled I decided to block direct disk access to all the non-system programs to see either it will make them to feel poor. No, ti didn't. They felt themleves pretty good being denied DDA. Confusing results ..