A question for any Dynamic Security Agent users

Discussion in 'other anti-malware software' started by Wordward, Oct 27, 2007.

Thread Status:
Not open for further replies.
  1. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I just installed the new Webroot Desktop Firewall and enabled all the DSA features in it. So far the pop ups have been limited and very concise, and I have seen tests that DSA has done very well in. However I am still looking for some encouragement that DSA is a good program and it's worth keeping WDF with it enabled. Thanks.
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    There's no point in fishing for replies just to make you "feel good" and reassure you that you've made a wise choice. If you're happy with it and it works for you, stick to it, 'nuff said.

    But for what it's worth, it's a good program.
     
    Last edited: Oct 27, 2007
  3. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
  4. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Fishing around would imply I'm being coy. (reluctance to make a commitment) I already made the commitment and simply asked for encouragement. (to spur on) If you need the definition to spur on let me know. LOL. Seriously I didn't want to simply ask if DSA is better than ThreatFire or other HIPS programs because I was afraid this thread may turn into one of those dreaded "closed versus threads". LOL. But thank you for letting me know it's a good program solcroft. Also thanks for the link acr1965.
     
  5. RedZero

    RedZero Registered Member

    Joined:
    Oct 22, 2007
    Posts:
    34
    Relax, he just wants to know what we think of DSA, that's all! :)

    Personally, I wouldn't bother with DSA. It lacks control and at times it can be very inconsistent and buggy. However, the next version of DSA might be worth checking out (if it isn't bundled in a suite that is).

    Have you tried SSM yet?
     
  6. Privacyware

    Privacyware Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    12
    Hi Wordward -

    Being a Privacyware representative, I am certainly biased, but WDF 5.5 is a very complete, rigorously tested, desktop defense package that provides advanced control over ports, applications, processes, system and application behavior along with a number of other cool management and reporting features. WDF 5.5 includes all of the features offered in Privatefirewall 6 (to be released under the Privacyware brand soon), wherein DSA is fully integrated, and is now also fully integrated with Webroot anti-spyware and anti-virus offerings.

    This issue does not concern DSA specifically as you are essentially using Privatefirewall 6.0 with the added benefit of full WR integration. For those who do not require or desire such granular control (RedZero is correct regarding DSA's limited control and configuration features - this is by design), DSA is a complete desktop defense application that combines conventional, although basic, firewall capabilities with behavioral components in an easy to use and free product. Hope this helps.
     
  7. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Thank you Privacyware. I really like the Program so far and use it with a-squared Anti-Malware running with no problems, and so far it seems without any overlap. I do want to make sure I have DSA enabled correctly though. Here is what another forum member said about enabling it.

    "Therefore it looks like activating DSA is achieved by going to:

    File-advanced settings and then enabling each-Email Anomaly Detection-System Anomaly Detection and Advanced Application Settings- plus the previous suggestion of turning the Process Monitor to High/Ask.

    These functions all seem to be part of DSA ;"

    I would go further and say these functions ARE DSA-plus the Registry module which Bellgamin confirms is present without the option of turning on/off.

    However is there registry protection in WDF 5.5 as well?

    RedZero, I have used SSM Free, but it scared me a little. LOL. Seriously though I liked it, but it just wasn't something I felt I needed. Also thanks for sticking up for me. It gets brutal in here sometimes. LOL.
     
    Last edited: Oct 28, 2007
  8. RedZero

    RedZero Registered Member

    Joined:
    Oct 22, 2007
    Posts:
    34
    You're welcome. ;)

    Did you try SSM in learning mode? Learning mode takes care of all the decision making and creates a default rule for each prompt that you would usually receive if learning mode were off.

    However, I would only suggest learning mode if you're certain that your machine is clean to begin with.
     
  9. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Hey RedZero. I did use learning mode, and to be honest I even liked it a little better than ProSecurity Free. However if I used any other program right now other than WDF with DSA integrated, it would be Online Armor Free. I just like the way Mike supports his products here in the forum, and the fact he has given people a software program that offers so much protection for free. It was nice to hear from a Privacyware Rep here too though.
     
  10. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Yes. It just isn't customizable.

    I.e. in some of the hips (e.g. ssm, prosecurity) you can choose to monitor additional registry keys on top of the default ones (or you could remove the default ones). In DSA and probably WDF 5.5, it already monitors most of the standard autostart registry entries plus probably a couple of others (not sure about this).

    Given that you are not the type to fiddle with settings like this, you probably don't want or need configurable registry protection, so DSA/WDF is fine for you.
     
  11. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Thanks Lusher. Also, I am using a-squared AM but there are some overlaps with WDF/DSA and I was wondering if a-squared is even needed? I could just un-check the IDS protection if so. Also what about using ThreatFire with WDF/DSA?
     
  12. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Sigh. At this point or later someone is probably going to chant the mantra about "layers" and tell you to not only check the IDS protection but also add Threatfire and a sandbox like Sandboxie or GeSwall and something like siteadvisor and.....maybe add ProSecurity on top of DSA and ....

    Supposedly the A2 squared IDS rules are now being touted as comparable to threatfire, so someone "knowledgeable" will tell you they don't overlap with DSA..... cos one is smart one is dumb...

    And if we go by the layers principle, which if I understand the way it is interpreted here by many, if the functions don't overlap, we **MUST** add them. (Some believe even if the functions overlap, you should still add them because of the redundancy principle)

    My advice, learn to use WDF/DSA properly and to understand what the prompts mean, that will be of more value than adding more and more security programs. That plus a quality antivirus is more than sufficient.

    But I know this is not conventional wisdom here, where many of the regulars (including some moderators I believe) run 2 or 3 HIPS together.
     
  13. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Tests of DSA HERE and HERE.

    The latter test is discussed by Wilders folks HERE.

    Also, DSA scored "Good" on firewall leak tests HERE.

    IMO --- DSA is an excellent HIPS-type adjunct to a firewall but it is not a full-scope HIPS in the same category as SSM, ProSec, Neoava, EQsecure, et alia. I think you will get good, well-rounded protection from the Webroot firewall with DSA aspects enabled.

    P.S. When it comes to layers, I prefer Rhode Island Reds to Dominicks or Leghorns.

    bellgamin <== (ommmm ommmm layerzzzz layerzzx ommm ommm) :)
     
  14. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I have to ask here if anyone thinks the HIPS in Online Armor Free, comes close to the protection DSA offers?
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The HIPS features in Online Armor (assuming that you use the advanced capabilities thereof) are much more comprehensive than the HIPS features of DSA. In fact, OA's HIPS are pretty much on a par with SSM, ProSec, etc.

    DSA's HIPS mainly alert you when process or email activities become significantly DIFFERENT from what is usual/normal for your computer.

    In order to set *norms* DSA "watches" how you use your computer for a period of time specified by you, and then DSA alerts you when actions deviate from that norm. You can specify how big or small a deviation that you want DSA to call to your attention.

    Let me GENERALIZE the differences as follows...
    ***Classical HIPS (SSM, OA, PS, etc) notify you when a process acts in a way that is significantly typical of the way malware acts.

    ***DSA notifies you when a process acts in a way that is significantly NON-typical of the norm for YOUR computer.

    The above distinctions are not rigid. For example (comparing DSA with OA)...
    ***DSA's "Process Protection" & "Application Protection" modules are highly redundant with what OA does.

    ***On the other hand, DSA's "Email Anomaly" & "System Anomaly" modules will give alerts about process or email events that are not routinely noticed by OA.
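
An added illustration of the distinction drawn in the post above (not part of the thread, and not code from DSA, Online Armor or any other product named here): a rule-based check and a learned-baseline check run over the same events. The action names, process names, window size and `tolerance` parameter are assumptions made for this sketch, and the event data is constructed.

```python
from collections import Counter

# Rule model: actions flagged whoever performs them (hypothetical names).
SUSPICIOUS_ACTIONS = {"write_autostart_key", "inject_into_process"}

# Constructed sample data: each window is one hour of (process, action) events.
LEARNING_WINDOWS = [
    [("outlook.exe", "send_mail")] * 4 + [("updater.exe", "write_autostart_key")],
    [("outlook.exe", "send_mail")] * 6 + [("updater.exe", "write_autostart_key")],
]
OBSERVED = [("outlook.exe", "send_mail")] * 40 + [("updater.exe", "write_autostart_key")]


def rule_alerts(window):
    """Classical model: report events that match a known-bad behaviour."""
    return sorted({event for event in window if event[1] in SUSPICIOUS_ACTIONS})


def learn_baseline(windows):
    """Learning period: keep the peak per-window count of each event."""
    peak = {}
    for window in windows:
        for event, count in Counter(window).items():
            peak[event] = max(peak.get(event, 0), count)
    return peak


def anomaly_alerts(window, baseline, tolerance=2.0):
    """Baseline model: report events never seen while learning, or seen
    more than `tolerance` times their learned peak in one window."""
    alerts = []
    for event, count in sorted(Counter(window).items()):
        peak = baseline.get(event, 0)
        if count > peak * tolerance:
            alerts.append((event, count, peak))
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_WINDOWS)
    print("rule model:    ", rule_alerts(OBSERVED))
    print("baseline model:", anomaly_alerts(OBSERVED, baseline))
```

The rule model reports the autostart write even though it happens every hour on this machine, while the baseline model ignores it and reports the burst of mail instead. Anything that was already present during the learning period becomes part of the norm and is no longer reported.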
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Lusher,

    Well spoken. I only use a hardware FW/sandbox-HIPS to protect me against the majority of threats. Behind this a behavioral protection IDS (auto quarantine disabled) to have some additional protection when installing new software. Although this makes me fall into the category of people using two HIPS, this makes sense because I have to lower the sandbox defense to install programs with trusted (admin) rights. After the install I like to have the behavior blocker to keep an eye on my config. Only use an AV on demand scan before image backup (no realtime AV).

    Regards Kees
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This is SO VERY WRONG.

    bellgamin, you need to turn off Learning Mode to see what DSA is actually monitoring behind-the-scenes. I think you'll need to turn your statement in your whole post COMPLETELY the other way round.
     
  18. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Ok so what's the true consensus then? Is the protection offered by OA Free close to that of DSA's protection, slightly better, or nowhere as comprehensive?
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Please provide some arguments Solcroft, this is all I can do with just an opinion statement ;)
     

    Last edited: Oct 30, 2007
  20. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    LOL. Yes some facts for me also would be welcomed.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    To be honest, I'm surprised. I think this should be painfully obvious to anyone who's ever used both before. bellgamin's description of DSA's abilities is very very lacking, and covers only the anomaly protection it offers.

    OA's HIPS provides application-level defense and autostart locations of the registry only. DSA, on the other hand, provides monitoring of application activity as well as modifications to file/registry data. I don't have both programs at hand right now to compare the specifics (not on my comp right now), but that alone is enough to claim that DSA offers far more protection than OA's HIPS, though most of DSA's protection happens in the background due to learning mode turned on for 7 days by default.

    OA free's HIPS do NOT come near what other applications like SSM or ProSec offers. It's just an application-level HIPS like PG and AntiHook. It's (somewhat) good at defending attempts to manipulate or hijack legit processes in memory or other actions that don't involve writing data to physical drives, but that's it, and it doesn't even do it as well as other HIPS (SSM, EQ and ProSec come to mind) do. It won't prevent modification or deletion of critical files, or changing of sensitive registry data. On the other hand, DSA does, although its protection cannot be configured.
     
  22. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    There is no consensus WordWard, just people with differing interpretations and opinions. Very few people (probably no-one) has done enough technical tasks for the degree of differentiation you are asking for.

    Even if you were asking just for size of feature set (and not "protection offered" which implies quality of implementation), it would still be a hard task for comparison, because despite similarities among all HIPS in their class, their features still don't always match up nicely (as I found out when trying to do the castlecops wiki article!)

    If you ask me, either package is fine. The only major difference is that the Webroot firewall package has superior capabilities (filter by ip) than the OA Free's firewall. You can't do it for OA free's firewall.

    HIPS wise, either package provides a high level of security. Any edge (if any) held by DSA or OA in this area is probably not big enough to worry about.

    My advice, try both, and keep the one that you find nicer.

    Trying to use this forum to get the "truth" about whether OA Free is close to that of DSA's protection, slightly better, or nowhere as comprehensive is going to be futile.

    You can choose to listen to me (and I'm after all *the* author of a highly inaccurate but nevertheless oft cited wiki article on HIPS by many people in Wilders), or you can choose not to, your choice.
     
  23. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Without adding more fuel to the fire, I must say I totally agree with what Solcroft has said in that post.

    "OA's HIPS provides application-level defense and autostart locations of the registry only. DSA, on the other hand, provides monitoring of application activity as well as modifications to file/registry data"

    Yes. "protected file objects" if I recall correctly is the term used.

    "OA free's HIPS do NOT come near what other applications like SSM or ProSec offers. It's just an application-level HIPS like PG and AntiHook. It's (somewhat) good at defending attempts to manipulate or hijack legit processes in memory or other actions that don't involve writing data to physical drives, but that's it, and it doesn't even do it as well as other HIPS (SSM, EQ and ProSec come to mind) do."

    Yes. Agreed. Except for the very last bit from "and it doesn't even do it...." which I withhold judgement because that one is based on technical data that I don't have.

    Bellgamin has been a long time user of DSA (and other hips), and I have never found his description of DSA versus other HIPS to be so off, that is what makes his post in this thread quite surprising.

    I wonder if someone hacked into his account? Or there is some miscommunication here.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft, Lusher

    To my knowledge DSA does not protect against dll injection. So OA has a plus here. Stating that OA "is (somewhat) good at defending attempts to manipulate or hijack legit processes in memory or other actions that don't involve writing data to physical drives, but that's it" is a bit unfair (when comparing to EQS, SSM and PS), because DSA lacks more on this area.

    Also OA free has the option to run programs with limited rights. Another bonus of OA against DSA is that at least OA remembers what you enter. DSA has a reputation of forgetting the choices the user made. On the other hand DSA has a lot of good surprise features (meaning the additional defense it appeared to have and proven in Nicm's tests).

    Anyway I think they are both good programs (considering that they are free), also Webroot FW with DSA elements and OA free (with FW) are both nice free FW's.

    Regards Kees
     
  25. RedZero

    RedZero Registered Member

    Joined:
    Oct 22, 2007
    Posts:
    34
    Good point. Also, DSA lacks consistent hashing control.

    I just think that in the long run you will want or perhaps even need something with more control in regards to rules, parent/child configuration, etc.
     