PrevX Edge, DefenseWall - Easy for general public?

Discussion in 'other anti-malware software' started by robbcrg, Apr 15, 2009.

Thread Status:
Not open for further replies.
  1. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Iangh: I agree, a firewall and black lists are still a good strong deterrent, especially for people who play it safe. Add AV on the mail server and things look even better. The problem with the general user, or even me, making the decision is that sometimes the decision isn't exactly obvious, especially after an auto update and running 5 other programs you get interrupted and come back to see:

    "itconnect.dll - allow yes/no"

    Um.... looks good to me .... depending on if I have had my coffee or not. Or deny it and then figure out why a background program for some critical element is failing later that afternoon.

    After my recent experiences though I can see the merits of something a little bit extra than black lists. The trick is how little for how much. But in the end it has to be minimally intrusive, otherwise it will be turned off. I am an adviser, not the boss, and people have got to get their work done.
     
  2. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    I am feeling more confident all the time in the simple solution I am leaning towards; nice to know others in my same predicament are finding it works.

    In general the hard part of this type of security is that it is proving a negative, which is impossible. You can test it against everything that exists (AV should catch that), toss a few custom-modified viruses/keyloggers/etc. at it (if you have those resources) and read reviews. But in the end, there isn't a good solid test, nor can there be without a deny-everything sandbox environment or rollbacks. And then we either have the user make the decision (no matter how smart, we are all dumb at some time and usually the exact WRONG time) or a centralized IT which is expensive and can be slow.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @galileo and @robbcrg

    DefenseWall does not have a steep learning curve, see https://www.wilderssecurity.com/showpost.php?p=1447297&postcount=6

    The 5 designers/technical engineers were used to MAC and took it up without a question. Trusted applications can update without needing to fiddle with DW.

    Just stay with IE or Chrome (Firefox with all its plug-ins needs trusted-update user intervention) as browsers, then you will be fine.

    DW is much more quiet than PrevX. PrevX needs as much user intervention for installing software as DW (DW just right click set to trusted).

    In the example above we also tried PrevX, but since it needs an internet connection and a lot of data was also added to the system via USB devices, this could lead to delayed malware recognition by PrevX. To be honest, during the trial it did not occur (this to the benefit of PrevX). PrevX also rated better than DefenseWall on company strength (since Ilya is a one-man-band operation).


    Regards Kees
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    For what it's worth, could you please let me know what user intervention you are speaking of? Prevx 3.0 is completely silent during virtually all software installation (except for malware :D), so I'd be surprised if you are seeing anything at all.
     
  5. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Thanks for the comments Kees1958. I really like the idea of DefenseWall, and for my internal use it looks to be a great solution. But I am not at liberty to dictate to my clients what software they use or do not use, and Firefox is quite popular, especially among those that use the plugins for web development (Firebug, CSS tools, etc.). So far my experience with "Is this OK to run" has been that users, under the gun to do work, have a greater chance to make an error than the black lists.

    How does Chrome escape the Firefox plugin issues? Chrome also has updates (as do Adobe Reader, Java, etc.); don't these also require user interaction to push into the main environment? Making any of those trusted does not seem to me a great idea.

    In a stable environment where software updates are modest then DefenseWall or even imaging becomes a grand solution (I think imaging should always be part of the mix, beats re-install). The post you mentioned describes a single environment; I have 7 different, geographically separate environments with different software and business objectives. A much harder environment to watch/monitor. In addition my clients' staff are not normally trained in computers to the same level as the users in your post. Think front-desk, accounting, billing, dental hygienists, etc. Staff that are always under time constraints and use a computer as part of their direct job, not life.

    I am still testing DefenseWall, and have no problem with a single author (although a small team is always nice). My experience has been that the odds of a larger company dropping support for a product, it being sold and left to die, or changing the product beyond recognition are as great or greater than the risks of a single dedicated individual.

    My environment is vastly different than what I see described by most posters. And the more I learn the more I appreciate the difficulties facing security programs. Protection is only one part, deployment and management are an entirely different beast and can change the picture in very complex ways. One reason a central monitoring or deployment system appeals to me. The problem is that I am pretty small, most such systems are for much larger entities and cost far more than I can justify to deploy.

    All that being said, I have a few clients that personally could benefit and would be able to manage DefenseWall or Sandboxie on their personal office machines or home systems. I am testing both to get a good feel for how they work. In the end I use the same tools I recommend, otherwise I find it nearly impossible to offer useful support. That's one reason I am being careful and getting lots of opinions. Once I switch I will roll out the solution to all, and I really don't want to develop a new solution next month, and I have little doubt that DefenseWall or Sandboxie will be on my list as optional components. Probably depends on which one I personally find most useful :). It's good to know that both tools are pretty simple to manage for people that care about such things.


    In my very limited testing installing many programs PrevX has not issued a peep. My only issues with it so far were two false positives, both sent to PrevX.

    If I understand PrevX/ThreatFire and related tools properly, it uses some sort of behavior analysis. So a file copied would not always be detected until it was run or re-scanned in its target location. Is that correct? In that regard it is similar to DefenseWall, ThreatFire, etc. in that detection (or isolation) requires an environment, not a file.

    I am concerned with the Internet only aspect. My clients do not use USB or external devices (yea for me!) and are always on the net. But I would still feel better with a light AV solution for on-demand scanning. The problem is finding one I can use for commercial use that isn't a performance issue. Or one that is very cheap to deploy.
     
  6. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    F-Prot may be one to consider; cheap as chips for corporate users.
     


  7. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Thank you! I love this forum! I will research F-Prot this afternoon. If I could treat all my clients as under me that would be pretty cool. Then I could maintain their licenses for them (they hate that part).

    PS: I really selected the wrong title for this post. The content is perfect but the title is, in retrospect, not quite right. "PrevX Edge, DefenseWall - easy to support" or something like that.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @Robcrg

    I think DefenseWall (or better, any policy-based solution) is not the best choice when your customers are forced to use FF. I am a little biased towards FF, see https://www.wilderssecurity.com/showpost.php?p=1447620&postcount=15.

    Chrome's clear architecture is the reason why it is no problem. With DefenseWall trusted sources are allowed to change trusted sources, so 100% of the trusted (not internet-facing) applications will update seamlessly. The same applies in reverse: untrusted is allowed to change untrusted unless explicitly prohibited in DW's resource protection. So an untrusted resource is allowed to update itself (covers 95% of the 'common' untrusted applications). Only with messy software architecture does this become more difficult to handle (for instance Flash Player updating in C:\Windows).

    You said DW throws pop-ups; due to the core essence of policy-based protection, these types of applications do not throw a popup with "is it okay to run". Also, being policy-based and not virtualised, trusted and untrusted files are kept where they are (transparent for the user); with sandboxing applications you do have to know where they are (in or outside a sandbox) when clearing sandboxes or allowing programs to run.

    Considering security is:
    a) keep me out of risky places
    b) contain the risk by reducing the attack surface (possible exploits to misuse)
    c) keep known bad guys away
    d) have a first recovery band aid at hand (to check start up entries, reverse some exploits, PC tune up)
    e) backup images and data

    I have two suggestions for you
    First
    a) Browser Defender to keep you out of risky places (free)
    b) EdgeGuard Solo (free policy containment, contains only on processes, not on files like DefenseWall or GesWall)
    c) DriveSentry AV plus registry and data firewall (with small lifetime license fee)
    d) Rising's new PC Doctor (free)

    For Vista configurations use UAC and Norton's free UAC tool

    Second
    a plus c and to some extent d) AVG 8.5 with LinkScanner now included (even free for commercial use, I think); you can hide the AVG search bar (without disabling its plugin)
    b) AppGuard (like EdgeGuard Solo, only with management console and a lifetime fee)
    d) Rising's new PC Doctor

    Regards Kees
     
    Last edited: Apr 16, 2009
  9. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Thanks Kees, I will take a look at those tools as well. I also do not approve of FF's low-level architecture. But I do find its plugins quite powerful and useful for a variety of tasks and solutions. So I deal with it.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I understand, then I would prefer PrevX over DefenseWall
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is correct (and actually a fantastic way to verbalize it as well :)). While Prevx/others can detect a file on-demand, the real benefit comes in realtime analysis, which we do automatically in the background.

    Files lying dormant on disk are not a threat to the user, only when a file starts loading or has the potential to load (via the registry, location in a system folder, etc.) is it actually threatening - which is where our scanning is focused.
     
  12. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    asiatrek,

    PrevX requires an internet connection to be effective. That's one reason I am looking at other low-cost AV scanners to operate when I am not on the Internet but need to scan a device (say a drive on my work-bench). Fortunately for me and my clients the major threat point is Internet.

    A school or maybe office environment where programs on USB/CD/DVD are passed around and Internet is not always present would represent a serious compromise point. But in that situation one of the "restore image on boot" type programs would be a good solution.

    PrevX does allow for ignore lists, although my personal experience has been a submission to PrevX of the false positive results in a very fast (few hours) response and without any action on my part PrevX dropped the warning. If you use ignore lists I would clean them up occasionally.

    The nice thing is there are many, many possible solutions and this thread only covered a very small fraction of them. If your situation is different than mine I encourage you to ask about. The knowledge and willingness to help is amazing at Wilders, and as a bonus many of the companies/authors participate as well. For example you may find that DefenseWall or Sandboxie will contribute to your security in a very strong way.
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I personally hope that Prevx will become faster when doing that process. Now I have to wait a couple of seconds for everything that Prevx doesn't know about, and that's probably worse than the heaviest AV available right now. It's also one of my reasons for hesitation on renewal, except for "real" 1 PC support.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We are always optimizing everything but the delay should only be on the first time that you see the file. Are you experiencing it later as well?

    We should be able to work something out with 1 PC support, but if we don't by the time you come around to renewal, let me know and we should be able to put a workaround in place for you :)
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thx Joe, appreciate it. ;)

    Well, no, I don't think I experience it after the first time, not often at least... my issue is that it can be pretty irritating when it's for example a setup file that you won't run more than one time anyway, and I'm very fanatic when it comes to speed and automatic but effective operation. :D
     
  16. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    To answer my own post title: Yes, kind of, it depends .... :)

    Still playing with DefenseWall and Sandboxie for my advanced clients and my internal systems. These seem to be very different products with different user profiles. In trying to understand the core differences I am going to try to simplify things as much as possible, mostly from an end-user perspective. I am still very new to this so I am sure there are some omissions in the following.

    **WARNING: Neither supports Vista in 64-bit mode due to Microsoft's kernel protection elements. This is explained in detail on both sites and various forum posts. Suffice it to say that if you are in a 64-bit Vista environment (and probably Windows 7) neither solution will be useful to you at this time.

    * DefenseWall
    Places a fence around an application (assuming it is untrusted). The application cannot exit that fence, but any changes done such as settings apply to the main application. If the application is infected the infection is either stopped or is limited to the application fenced area avoiding infection to other applications. There is a way to shut down all untrusted applications. Cleaning up infections follows the standard AV style cleanup.

    For the most part it works seamlessly, with the exception of Firefox and some other applications that require a brief run in trusted mode to apply updates which otherwise exceed the fence limits applied to the application.

    Support is extremely good and is guaranteed within 3 days, with support often issued within hours if not minutes in my experience.

    * Sandboxie
    Creates a separate application environment to run in. Any application started via Sandboxie is executed in this sandbox. Initially it receives the same settings as the main application, but after that it can deviate, with all settings, changes, etc. isolated to the sandbox. Any infection will be limited to the sandbox. All downloads, settings, bookmarks, etc. are in the sandbox only. I have been able to run Firefox in normal and sandboxed mode simultaneously, giving me two browser sessions. Sandboxie areas (1 in free, multiple in registered) can be flushed, eliminating any problems in the sandbox and starting over.

    Support is not quite as good as DefenseWall, probably because Sandboxie is donation-ware. There is an explicit no-support-guaranteed clause associated with Sandboxie.

    ** User cases I have to work with

    A) Single user that is computer /security aware if not literate: DefenseWall is a good choice here. The minor issue of switching to trusted to update those few applications is a good trade off for the added and always on protection.

    B) Stable install environment or managed environment: An office or other location where updates are centrally managed or take place very seldom is another great environment for DefenseWall. Another example would be the kids or auxiliary home workstation that a more advanced user can quickly manage as needed. If all your applications fit within DefenseWall (Chrome and IE both work, FF needs extra effort) then DefenseWall is a near maintenance free solution.

    C) Remote locations that are not centrally managed: DefenseWall becomes harder to manage in this situation (not specifically DefenseWall's fault, it is the nature of the methodology). This is especially true with Firefox or other applications that have update methodologies that exceed DefenseWall's fences. In these cases any HIPS-type approach may be more effort in support than the benefits and call for another approach such as AV/behavior blockers/etc. (ThreatFire, PrevX, etc.)

    D) Advanced user who occasionally needs to isolate sessions for experimenting: Sandboxie is well suited to this mode since it can be quickly cleaned up. But users need to be disciplined when/how Sandboxie is used to avoid confusion with configuration settings. In this mode Sandboxie could be considered a limited and transient virtual environment to play in, not a place to live.

    So which one? One simple experiment is to install DefenseWall, update all your applications and see if the updates stick on a restart of the application and windows. If it does then DefenseWall may be a perfect solution. If they do not, then you will have to decide if the extra protection afforded by a HIPS like solution warrants the extra maintenance work and that may well depend on how many and where that maintenance work occurs. Due to support issues with Sandboxie I would tend to lean towards DefenseWall for a large roll-out where support is essential.

    Of course both work together since they do very different things and many use them that way. My case right now is to select the one that is best suited to my user base and me so I can easily support it. For that reason I think Sandboxie combined with PrevX is a good compromise. Sandboxie provides a safer haven to play with unknown elements or to setup browsers to default to Sandboxie mode for guests.

    Current proposed solution:

    * ALL: PrevX - Quiet, fast and works well with the applications used. My support costs (questions as well as configuration) are very, very low. I may add a lightweight/low-cost AV as well to fill in the gap when Internet is not available.

    * ALL: Windows Firewall. Those with a Linux box as a file server: Linux firewall (Shorewall); file server is RAID 1 (hardware) or UnRAID depending on needs. Router NAT if available.

    * ALL: JungleDisk backups to Amazon S3 for all data elements.

    * Most: Disk image solution

    * Advanced/Internal users: Sandboxie: Mostly for home systems and in my development area

    * Internal: ShadowProtect running in continuous increment mode using a separate SATA drive. I tend to install/uninstall a lot of stuff when researching and this makes it easy to undo. I looked at Rollback and others but I wanted multiple partition support and minimal intrusion. The idea of Rollback/EAZFix/etc. is very cool, but I am concerned with the various issues I found on forums. ShadowProtect does require a boot to separate media to recover, which is a tad tedious, but overall it provides a reasonable rollback-type methodology with imaging. I can copy my images from the 2nd SATA drive as often as needed. Remember all user data (documents and such) are saved every 24 hours off-site.

    * Internal: WinPatrol Pro - mostly for diagnostics and research, included because it does have registry monitoring which works as yet another layer. But I did not install/purchase it for that capability.

    So there is my current proposed solution and reasoning. Minimal by some standards. Essential PrevX for all, add Sandboxie for those users that can handle it and need it.
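    The Sandboxie half of the comparison above (the box starts with the host's settings, then every change, download or dropped file stays in the box, two sessions of the same browser diverge, and a flush throws the box away) is a copy-on-write overlay. The Python below is an added, in-memory model of that idea written for this thread; it is not Sandboxie's code. Assumptions for the example: writes from a boxed process go to a per-box shadow store, reads fall through to the host when the box has no copy, a registry value is modelled as just another path, and getting a wanted file out of the box is an explicit recover step by the user.

```python
"""Toy copy-on-write model of a Sandboxie-style sandbox (added example, not
Sandboxie's code). Paths, the registry-as-path shorthand and the explicit
recover step are assumptions for the illustration."""
from typing import Dict, Optional

Store = Dict[str, Optional[str]]   # path -> contents; None is a deletion tombstone


class SandboxedHost:
    def __init__(self, host_files: Dict[str, str]):
        self.host: Dict[str, str] = dict(host_files)   # the real system
        self.boxes: Dict[str, Store] = {}               # one shadow store per box

    def read(self, box: str, path: str) -> Optional[str]:
        shadow = self.boxes.get(box, {})
        if path in shadow:
            return shadow[path]        # the box's own copy (or a tombstone -> None)
        return self.host.get(path)     # otherwise the box sees the host's settings

    def write(self, box: str, path: str, data: str) -> None:
        self.boxes.setdefault(box, {})[path] = data   # never touches self.host

    def delete(self, box: str, path: str) -> None:
        self.boxes.setdefault(box, {})[path] = None   # hides the host file inside the box only

    def recover(self, box: str, path: str) -> bool:
        """User-driven step: copy one file the user actually wants out to the host."""
        data = self.boxes.get(box, {}).get(path)
        if data is None:
            return False
        self.host[path] = data
        return True

    def flush(self, box: str) -> None:
        self.boxes.pop(box, None)      # "clear sandbox": everything in the box is gone


def run_scenario() -> dict:
    prefs = "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\prefs.js"
    run_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"
    dropper = "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"
    download = "C:\\Users\\alice\\Downloads\\report.pdf"
    # constructed host state for the example
    system = SandboxedHost({prefs: "homepage=about:home"})
    box = "DefaultBox"

    # 1. the boxed Firefox starts with exactly the host's settings
    same_at_start = system.read(box, prefs) == system.host[prefs]
    # 2. it changes its homepage: the unboxed session keeps the original
    system.write(box, prefs, "homepage=evil.example")
    host_untouched = system.host[prefs] == "homepage=about:home"
    # 3. a drive-by drops a binary and an autorun value: both land in the box only
    system.write(box, dropper, "MZ...")
    system.write(box, run_key, dropper)
    persist_visible_outside = run_key in system.host or dropper in system.host
    # 4. a file the user really wants is pulled out explicitly
    system.write(box, download, "%PDF-1.4 ...")
    recovered = system.recover(box, download)
    # 5. flush: the box's changes, including the dropper and its autorun, vanish
    system.flush(box)
    return {
        "same_at_start": same_at_start,
        "host_untouched": host_untouched,
        "persist_visible_outside": persist_visible_outside,
        "recovered": recovered,
        "box_prefs_after_flush": system.read(box, prefs),
        "box_runkey_after_flush": system.read(box, run_key),
        "host_download_after_flush": system.host.get(download),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

    The recover step is the part that needs user discipline: the user has to know a file lives in the box and decide to pull it out, which is exactly the "you have to know where they are" cost of a virtualised sandbox compared with the label-based fence, and also the reason a flush gives such a clean reset.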
     
  17. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Just an update on some real-world results:

    I have deployed the PrevX solution to 7 systems so far. 3 systems reported trojans AND adware that nod32 missed -- none appear to be false positive. PrevX seems to be plenty easy enough for everyone to install and enter the license codes, even the cleanup seems to be going better than I thought.

    So PrevX is plenty easy enough for "my" general public, no worries there. Performance seems to be fine. The monitoring PrevX provides via my.prevx.com is very nice, if a tad limited (I wish I could add a description or nickname and see the last IP; it would help identify systems better than the system name from Windows).

    Sandboxie and DefenseWall are, as expected, a little more complicated. I am still testing these out before I deploy them to some of my advanced users. Sandboxie fits better into my experimental mode of operation than DefenseWall. Of the two Sandboxie seems a better fit for the way my users tend to work. I may use both internally, but costs become an issue rapidly.

    So that concludes my testing and I have the great community of Wilders to thank for helping me make some sense of all the options available.
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Blacklisting solutions are always simpler in use, but there are always false positives and false negatives for that type of security product. Sandboxes do not have these problems but are, naturally, more complicated in use. There is always a balance between simplicity and protection level.
     
  19. robbcrg

    robbcrg Registered Member

    Joined:
    Apr 15, 2009
    Posts:
    22
    Perfectly said and exactly my findings, false positives and all. If this was just for my local development staff I think I would have used DefenseWall as my primary protection, Sandboxie for experiments and a cheap AV to clean up any infections trapped but not prevented by DefenseWall. We are all technical (although DefenseWall does not need a great deal of technical skill to run, it helps to have a tech around) and I am right on hand to deal with any issues such as program updates and such. And the number of systems is 3-4 not 20-30 so costs are less of an issue.

    As my users became farther from me, and dramatically less technical (in some cases less caring about such issues as security) I found a black-list with moderate behavior tracking the best solution for me.

    Of course this could all change if I find that false positives or missed infections are occurring over time. Then back to ye olde drawing board, well actually DefenseWall.
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, blacklisting solutions like AV need to automatically remove malicious modules from hard drives as:
    1. It would be too complicated to manually remove them according to a "file and registry tracks" list.
    2. Signature update time is not essential, as the sandbox will take care of 0-day infections. The problem with any blacklisting solution is that it is one step behind the threat; the sandbox fills this gap.

    According to my observations, sandbox defense penetration is a very rare thing.
     