Cyberhawk

Discussion in 'other anti-malware software' started by GES/POR, Jul 6, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Nope,

    I am running A2 IDS on one machine and CB Pro on the other. Did some basic threat tests and A2 IDS catches at least the same as CB Pro (with registry and file protection rules added).

    So speed up your machine (only use A2 IDS real time).

    Regards
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It's really fun to watch Cyberhawk in action when you throw a ton of live malware at it, trying to figure out which ones it will catch and why. What I can basically say is that Cyberhawk IS a HIPS program - except with inbuilt rules designed to be as "smart" as possible. For example, Cyberhawk will generally leave programs that call the GetKeyState API functions alone until they try to connect to the Internet one way or another - at which it flags them as keyloggers.

    How effective is it? There ARE holes in it - it's designed to be a "smart" "program" after all, and you can definitely bet your ass there'll be loopholes in the carrying out of such ideas. nicM's tests are special, I think, in the aspect that the tested malware attack the OS using undocumented flaws, some secret backdoor in Windows nobody (or very few people) knows about, if you will. From the broader spectrum of malware, however, I'll say that Cyberhawk is quite effective. Definitely not good enough to be a standalone solution, but if I weren't geeky enough to use a HIPS, I'd definitely be using Cyberhawk.
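The stateful rule solcroft describes above (leave a process that polls keyboard state alone until that same process also goes online, then call it a keylogger) written out as an added Python example. This is not Cyberhawk's code; the event stream and the allow-list are constructed for illustration, and the allow-list shows the false positive trade-off, since a legitimate game that polls the keyboard and then connects to an update server matches the same pattern.

```python
from dataclasses import dataclass

# Constructed sample event stream: (pid, image, api, detail). Not real logs.
EVENTS = [
    (100, "notepad.exe", "GetKeyState", ""),
    (200, "kl.exe", "GetAsyncKeyState", ""),
    (300, "game.exe", "GetAsyncKeyState", ""),
    (300, "game.exe", "connect", "update.example.net:443"),
    (200, "kl.exe", "WriteFile", "C:\\Users\\x\\keys.log"),
    (200, "kl.exe", "connect", "203.0.113.5:8080"),
    (400, "svc.exe", "connect", "10.0.0.1:80"),
    (400, "svc.exe", "SetWindowsHookEx", "WH_KEYBOARD_LL"),
]

# APIs that read or hook keyboard input, and APIs that reach the network.
INPUT_APIS = {"GetKeyState", "GetAsyncKeyState", "SetWindowsHookEx"}
NETWORK_APIS = {"connect", "send", "WSASend"}


@dataclass
class ProcState:
    image: str
    captures_input: bool = False
    talks_network: bool = False
    flagged: bool = False


def evaluate(events, trusted=frozenset()):
    """Return {pid: image} for every process flagged as a keylogger.

    A process is flagged at the moment it has both captured keyboard
    state AND opened an outbound connection, in either order. Images in
    `trusted` (hypothetical allow-list) are never flagged: that is the
    "false positive reduction" knob, which silences legitimate pollers
    but equally silences anything that gets onto the list."""
    states, verdicts = {}, {}
    for pid, image, api, _detail in events:
        st = states.setdefault(pid, ProcState(image))
        if api in INPUT_APIS:
            st.captures_input = True
        elif api in NETWORK_APIS:
            st.talks_network = True
        if (st.captures_input and st.talks_network and not st.flagged
                and image.lower() not in trusted):
            st.flagged = True
            verdicts[pid] = image
    return verdicts


if __name__ == "__main__":
    print("no allow-list:", evaluate(EVENTS))
    print("game.exe trusted:", evaluate(EVENTS, trusted={"game.exe"}))
```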
     
  3. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    :D :D

    I agree. And I also wonder what it is doing. But as I am sure you know, you should not put too much in this test. I would like to see more testing of Cyberhawk. And I would like to see all these different HIPS and Beh.Blockers tested against a large number of malware.

    I use Cyberhawk with Nod32 and Windows firewall. I'm not sure CH is a waste, at least I hope it offers some protection. But I don't feel that I am protected enough. I will add DSA, but not yet.

    If I thought that I could easily use and understand Prosecurity (full score in the test) I would probably just use Nod32, Windows firewall, DSA and Prosecurity. I tried SSM free but found it too hard to use/understand. I believe Prosecurity/SSM/EQS/Neoava Guard are the strongest, but also difficult to use. (But I will consider Prosecurity as I understand it is a little bit easier than SSM.)

    A limited user account for increased security is not a bad idea:

    https://www.wilderssecurity.com/showthread.php?t=181375

    With a LUA you would get full score in the test mentioned :D
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Bellgamin,

    That is a bit hard on CB. Have a look on Castle Cops Wiki pages. Point is that behavior blockers are only a second layer to protect the user from mistakes.
    For the real advanced threats we use a strong HIPS or Sandbox as first layer.

    For ease of use we use Avast + A2 IDS + DefenseWall HIPS. This is really the most easy to use and quiet solution. A2 IDS provides such clear messages and it really works. Just unselect the intelligent false positive reduction feature of A2 and you will see for yourself. I tested A2 IDS against some basic threats and it did fail a few tests (basically a subset of Karelljag's test, not including the advanced test Nicm recently published). I contacted their support forum and they asked me to unselect the Intelligent False Positive reduction, guess what, I got very informative pop-ups when IDS prevented attacks.

    For the power gaming machine we run Avast + CyberHawk Pro + GesWall Pro. Same story here: for the major threats we have GeSWall Pro, for the shoot in the foot mistakes (e.g. updates of games through downloaders) we have got CB Pro. CB Pro really is a nice behavior blocker, because you can add custom rules. Our CB Pro works against data injection, process manipulation, global hook setting, registry protection (Toni Klein's rules) and file protection/executable like download protection. With our custom rules it works as good as A2 with IDS (but it is cheaper), for what I have checked with my own tests.

    When you are into freebies and a bit (over) security aware one can configure a nice setup including CB,

    e.g:
    - Avast (Antivirus + Antispyware)
    - DSA (protects against too much to mention, but no process manipulation or data injection)
    - CB free (covers the left overs of DSA)
    - when running XP with a modern CPU, set DEP enabled for all programs

    People with high security fear could add Boclean (AT) and SpywareTerminator (nice IDS) when they have a strong dual core processor.

    People with more advanced PC knowledge could add PowerShadow or Returnil to virtualize their Programs Partition (with only minor extra stress on your CPU, no noticeable slowdown)

    Regards Kees
     
  5. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    I hope you are right. What's important to me is if CH can protect against something where others will fail to protect. If CH can protect where Nod, Windows FW and DSA fail, then it is worth keeping in my setup. But if I had more knowledge I would use Prosecurity as I think it offers more protection than CH and DSA in combo.

    (Forgot to mention I use CH free, not pro)
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Hi,

    I'd just like to add one piece of general advice for users new to HIPS - and that is if you believe HIPS programs are "difficult" to use, then their relative effectiveness, and especially nicM's tests, are completely irrelevant to you. No matter how powerful a HIPS program is, no matter how many things it can monitor, it is absolutely useless if the user does not know how to correctly respond to prompts.

    Users who know what they are doing will be able to completely protect themselves with even just ProcessGuard, even though it scored worst in nicM's tests. Conversely, users who don't will be vulnerable even with ProSecurity, Comodo V3 or whatever top-of-the-line HIPS out there.

    For new users, the correct way to use a HIPS program should be to run learning mode for a few hours or days, and after that block any and all programs they don't recognize from running. Regardless of how powerful a HIPS is, such users will very likely be completely let down by their poorly-configured ruleset and an inability to answer prompts correctly, if they do indeed allow malware to execute because they think they're protected by their state-of-the-art HIPS.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Actually, DSA provides one of the better application defense modules I've seen (its data and registry protection are relatively lacking, though). If you're familiar with DSA's innards and know what the prompts mean, I'd say you probably don't need Cyberhawk.
     
  8. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    I know and I agree. That's why I have so far stayed away from SSM/Prosecurity/EQS and Neoava Guard. (I use a disk-image tool, so I just tried SSM free for a short time to see how it was. But decided not to use it, so I restored an image and kept searching for other software).

    Sometimes I see in other threads that people say that if you find SSM or Prosecurity hard to use, just put it in learning mode and go on from there. But this is not good enough for me. I want to know how to use it. And understand it. Know how to set up rules the best way. I'm not a complete novice, but not knowledgeable enough to understand these HIPS as well as I wish. I feel I'm getting closer and will probably use one of them in the future, but for now I think I'll wait.

    Cyberhawk and DSA in combo for now, and Prosecurity later :) But that may change :)

    I will also consider LUA as it offers more protection than I thought.
     
  9. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    You may be right, but I'm sure CH can protect against some threats that DSA will fail. RootKit EY2 in the test mentioned. Buffer o.f. for what it's worth (don't know how it works, if it works or if DSA will prevent this).

    We have seen some tests of DSA and I am impressed. I think it is good, and I rely more on DSA than CH. So if I had to choose one of these I would have chosen DSA.
     
  10. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    I have seen one or two posts claiming Cyberhawk free offers as good protection as Cyberhawk pro. Do you guys agree?
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If you don't consider the ability to add custom rules, then yes.

    But then, if anyone wants custom rules, they should go for a traditional HIPS instead. Much more flexibility, configurability and less obscure.
     
  12. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    I used it for a while, it flagged BOClean with a warning :rolleyes: . Other than that nothing. Was I surprised, not really.

    I think it has promise and will continue to watch its progress through these forums. :thumb:

    Memory usage creep was high I thought. :thumbd:
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    My impression is that the free version does what the pro does except that it won't clean up or quarantine something that hits you, whereas the pro does. That and support perhaps...
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'm running Nod32 and CyberHawk now, and I'm seeing some odd memory eating behavior by one or the other, and I don't think it's Nod, as I've used Nod before without seeing this. I suspect there may be some kind of memory leak in CH, but not sure yet.. wouldn't surprise me though.. ram usage in Task Manager appears normal, however, available system ram keeps declining at an abnormal rate... something is amiss here..
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Wouldn't be fair to splash cold water on CyberHawk as mediocre since right from the start it's proved to be very efficient in what it was designed to achieve, even though some preceding versions seem to have made for issues in one respect or another.

    I use NOD32 also and it's stable as a rock with ALL my other combos since sometimes I might use a FD-ISR snapshot config with SSM + PS or many other combinations of HIPS etc. I've tried including Cyberhawk, but recently I've been holding out from trying CH until PCTools & CH developers finish fine tuning it.

    I do know I found some previous versions that used "4" drivers and perhaps one or a couple of those might be suspect?

    I dunno, but on my machine even with ALL the CH drivers and its main processes, it still runs relatively problem free with the occasional issue encountered of removing its components when uninstalling.
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Another good choice is Dynamic Security Agent (DSA) -- it's free AND its configuration menu gives a very full disclosure of exactly WHICH behavior anomalies DSA is monitoring.

    Please don't get me wrong -- I am still VERY interested in Cyberhawk, once they actually make the upgrades that are now "in the mail." CH's rules module offers a very high potential for developing a super strong protection wall, and for importing good settings from other users who are more experienced & knowledgeable than I am.

    On the other hand, I'm not about to buy a pig in a poke -- CH's proponents should offer potential buyers at least some idea of which behaviors are being monitored by their program. The line is narrow as between trust VERSUS blind acceptance.
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yes, I have tried DSA and liked it also. Right now, I decided to remove CH, because I'm pretty sure it was giving me some odd performance related side-effects here, and between CH and Nod, browsing was slower too.

    I have gone back to trying out a Limited User Account again, with minimal AV and no HIPS. Gonna see how I like that for a while. No doubt though, I will be changing things again soon... :)
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft,

    Read the test NicM did with DSA, because it does not cover process manipulation (e.g. injection), it failed a few tests. CB clearly fills in some left overs of DSA. I agree with you on DSA. It is easy and provides protection against more than you think when using it (it looks like it 'only' is an anti executable and an outbound traffic monitor, but it covers much more).

    Regards K
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I tried a2 a few days back due to your posts. I disabled signature based detection and enabled only behaviour based detection with the option to decrease false positives. I tried a few typical worms (Browsezilla, Brontok) and keyloggers (Home Keylogger, Family Keylogger) and a2 remained totally blind except for detecting autostart reg entries. :thumbd: (I found it is detecting legitimate driver installs as well BTW)
    No comparison between CH and a2 IDS. CH is far superior.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Seconded. While CH is pretty much invisible during everyday use, it shines when you bombard it with malware. It does have its weaknesses, but the amount of unknown malware that it can catch is rather amazing.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I found it especially smart in catching worms! Kills them instantly.
     
  23. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Kees,
    Please enlighten me as to what CB is. Many thanks.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think he means CH (typo).
     
  25. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Thirded. But I'm not worried about such threats.
     