I want to replace PG with AppDefend but....

I definitely see the benefits of AD over PG. Especially, the ability to query the user for any changes, not just program execution.

However, AD still desperately needs a learning mode and it needs support for multiple user accounts, especially Limited Users.

Otherwise, AD will be unuseable to anyone except tech heads, who have the knowledge and patience to flip thru every alert that comes up every few seconds. And people who just, misguidedly, run in admin mode all the time.

Limited users on my PC, such as wife and kids, have no business messing with the alerts and such complexity.

Is AD ever intended for anyone but the hardcore users?

 

Hi jimmytop

I believe that GSS, like the recommendations for PG, should be installed on a known clean system. Clean referring to a system free of all types of malware. Once done the alerts are not that mysterious or numerous, and like PG if you tell it to always/remember the given user action for an alert then you will not be bothered by that alert again. This is not to say that something will not trigger a similar alert in the future, rundll32 is a perfect example. I feel there are to many apps/processes that depend on this to run, and with the protection of AD monitoring apps/processes starting other apps/processes you will get a different alert when this happens and another rundll32 entry in the AD configuration list. However I did talk with Jason about this very early in the first beta release, and was told he would look into doing something different in this area.

As for your limited user concerns, a quick search of posts by JasonRO turns up these:

https://www.wilderssecurity.com/showpost.php?p=732381&postcount=25
https://www.wilderssecurity.com/showpost.php?p=656647&postcount=9

There are probably many more about running GSS under a limited user account by others as well. It can be done now and I take it you don't get the alerts as the defined permission or the default setting, if a permission is not previously defined, will be applied. Yes I am one of those "... people who just, misguidedly, run in admin mode all the time.", we do not have children at home and the LAN is behind a router. I completely agree with you about limited users should not have to, or be allowed to, deal with any security program alert. There is to great a risk of allowing something that should not be allowed.

My thoughts and feelings on this, and given the above, is that:

As system administrator, someone in the household needs to be responsible for these tasks, that person needs to have a bit more knowledge about the OS, programs, and workings of the computer. That way they can give the users of the computer the best experience possible. While it does take some effort to learn this 'stuff', you are on the right track by running a security app such as PG or GSS. Also by visiting here or other security forums/newsgroups you will auto-magically pick up a wealth of knowledge.

I hope this has helped and I haven't confused you any. BTW, I hold a license for PG but have uninstalled it because of the added capability of GSS. Take care.

 

Even on a clean machine, this thing alerts too much. Not saying that the alerts are invalid, but if you know your machine is clean, and you just want your kids to be able to use the machine per their normal daily use, then the option to turn on learning mode for a day or two should be available to simplify creation of rules and such for those users.
The alerts are great for me when I'm in the admin account, I like to see what's going on. But the limited accounts don't need this. Their internet access is limited and they can't install new software, so the software they've been using is clean if the machine is clean per the original assumption. And I can always review the logs afterwards to check on them during the learning mode period.

Thanks, these are very encouraging - especially the comments about the better limited account support and the firewall improvements. Good stuff!

Yes, that would be me
Not sure why the fact that I want some simplifications to the administration must mean that I am not knowledgeable. Don't misinterpret my concerns about limited user support and the need for a learning mode as ignorance of my machine and of security - I am very much on top of administration of the PCs I own (more than one), and the accounts on them. I would never pretend to be an expert, but I do I take pride in staying current with security apps and methods for defending against malware, especially on my machines. That's why I think anything that can be simplified in a reasonable and secure manner, is worth consideration - not because I'm clueless

So...I still think this thing needs a learning mode. If, as you said, the machine should be clean prior to install of AD, then learning mode can only help. I have had no problems with PG, using learning mode only when necessary.

Yep, I agree - that's what I've been doing here for the past couple of years

Very helpful, thanks Disciple!

 

There is quite a demand for set-it-and-forget-it regarding PG and GSS.
Personnaly i do not thing this can truely be done unless HIPS morph into some kind of sandbox or use more Heuristic like PrevX wich is unfortunately a bottleneck on ressources.


However if you really want to play with the idea of allow/block no popup.
Then i beleive you can do it with a little workaround.

Each setting in GSS comes in pair. What to do when the gui is loaded and what to do when it is not. What i would ask you to do is to configure GSS in such a way that you are satisfied when the GUI is not running.

Then you'll see that the GUI of GSS is executed by the key
HKLM\...\...\Run

Remove that key and let the GUI of gss run per account by setting to start from

HKCU\...\...\Run

That way some user will have the GUI running and will answer prompt. Some other user will not have the GUI running and will use default confiration for that case.


-----------------------------------

The current setting (ruleset) of gss is defined in HKLM/software/Ghost security. In that key there is two value: AD_RULESET and RD_RULESET
Those value hold the name of the ruleset to use. If you move those value from the HKLM to the HCKU then you may be able to use different ruleset per user.

 

Interesting.... I will try those things. I can see the gui thing working. But I'm not sure about the rules....
Thanks