Abtrusion detector

Discussion in 'other anti-malware software' started by Pilli, Apr 27, 2003.

Thread Status:
Not open for further replies.
  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi All, I found this little programme "Abtrusion detector": www.abtrusion.com
    I am running it on my test PC (XP Pro). It appears to do its job OK & has a simple, easy to follow interface. I believe it uses MD5 for file protection.

    The personal edition is free :D and does not appear to carry any excess baggage!

    Are there any other users or ex-users who would like to share an opinion?

    BTW I have absolutely no connection with this vendor!
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Pilli,

    it reminds me a little bit of the Execution Protection or Wormguard of DCS... ;) But certainly it's doing its job! But I don't think I'll need it.

    Regards,

    Patrice
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi Pilli, I haven't used that one but I use System Safety Monitor which some people say is basically the same thing.
    How they compare, I don't know, but I would feel nekid without my SSM running all the time now. :D
    If you haven't checked out SSM yet, you might take a look and compare.
    http://maxcomputing.narod.ru/ssme.html?lang=en
    I think this type of protection is needed to stay ahead of such stuff as Optix and similar malware.
     
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Patrice, we must have posted at the same time.
    I can't speak for Abtrusion Detector, but SSM is nothing close to exec protection in TDS.
    SSM is a sandboxing type program that controls what programs start up and what other programs can start them up or shut them down.
    Security against leak test type exploits, plus.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for your replies,

    Patrice, it does a different job really. It collects all the application & system executables into a database and checksums them; after you have allowed an application, Abtrusion detector will not allow changes to the executables. Any new application (which may include a trojan, for instance) has to ask for permission to be installed. Another layer of protection for your system.
    It is not the same as Exec Prot.

    Root: Funnily enough I have SSM on this PC but have not looked at it in earnest as yet. I have had a few configuration problems (hardware related) with this, my main PC, so I am running a tight ship at the moment. I may try it on the test PC though.

    Cheers Pilli
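The checksum-database mechanism Pilli describes above (baseline the executables, block changed ones, prompt for new ones), as an added Python illustration that is not code from the thread or from the Abtrusion vendor; the sample file tree, the suffix list and the use of SHA-256 instead of the MD5 Pilli mentions are assumptions:

```python
import hashlib
import tempfile
from pathlib import Path
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".ocx"}  # what such a tool would checksum

def file_digest(path: Path) -> str:
    """SHA-256 of a file (the thread mentions MD5; SHA-256 is used here instead)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Snapshot every executable under root into a path -> digest database.
    Everything present now is trusted (JacK's caveat: baseline only a clean PC)."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}

def check_execution(root: Path, baseline: dict[str, str], rel: str) -> str:
    """'allow' if baselined and unchanged, 'block' if baselined but altered,
    'prompt' if unknown (a new install the user must approve)."""
    if rel not in baseline:
        return "prompt"
    if file_digest(root / rel) != baseline[rel]:
        return "block"
    return "allow"

def approve(root: Path, baseline: dict[str, str], rel: str) -> None:
    """User answered the prompt with 'allow': record the new file's digest."""
    baseline[rel] = file_digest(root / rel)

def demo() -> dict[str, object]:
    """Constructed sample tree (fake 'MZ' files, not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "word.exe").write_bytes(b"MZ word 1.0")
        (root / "app" / "readme.txt").write_bytes(b"not executable, ignored")
        baseline = build_baseline(root)
        out = {"baseline_size": len(baseline)}
        out["unchanged"] = check_execution(root, baseline, "app/word.exe")
        (root / "app" / "word.exe").write_bytes(b"MZ word 1.0 + patched")
        out["modified"] = check_execution(root, baseline, "app/word.exe")
        (root / "app" / "newtool.exe").write_bytes(b"MZ newtool")
        out["new"] = check_execution(root, baseline, "app/newtool.exe")
        approve(root, baseline, "app/newtool.exe")
        out["approved"] = check_execution(root, baseline, "app/newtool.exe")
    return out
```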
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    O.K. guys, thanks for the information. What's the link to this SSM? I would like to test it myself. :D

    Regards,

    Patrice
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Patrice, in root's post above :D
     
  8. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Ahh... Sorry I shouldn't work on my computer wearing my sunglasses! :cool: LOL
     
  9. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    It was already discussed on other threads ;)

    You have to be careful and be sure your PC is clean when installing, for it scans all installed exe, dll, etc. Everything present on your PC is allowed by default, even a trojan or other malware....
    No difference between the free and the shareware version except the default settings, which you have to adjust in the free version to be the same as in the shareware version.

    Rgds,
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks JacK. I noticed that everything was allowed, but fortunately it can also be disallowed easily, & it appears to pick up any installs or changes very efficiently.

    I shall compare it with SSM, although I believe SSM is registry key based rather than checksum based & appears to have more functions. I was wondering which method is most likely to give the best protection? Certainly it looks like AD is simpler to use but limited.
    I did use TTT when it was first released and you could get lost very easily but I hear the latest version is simpler to use.
     
  11. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Pilli,

    Yes, it can be done easily; the problem is that the lambda user doesn't know what to disallow after installing. But good protection too.
    ASFM I prefer SSM and the new advanced possibilities in Application rules (maybe because I am involved in it :))

    Rgds,
     
  12. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi guys!

    Thanks a lot for this good advice!! :D SSM really is a very nice tool! I wasn't aware of that until now. Now I have installed it on my computer and I'm testing it thoroughly. It's improving my security and fits in well with F-Prot, Look'n'Stop (Application filtering), TDS-3 (execution protection) and Wormguard.

    But let's say I have to get used to all the hooked dll's. I'm not that familiar with those. When I started IE for the first time, some dll's showed up. How do you check whether they are malicious or not? By looking at their properties? Further advice is welcome! ;)

    Best regards!

    Patrice
     
  13. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Yeah, unfortunately there is no program out there that knows whether a certain DLL should be allowed or not since there are so many, from Windows and other programs.
    I don't use IE, so I can't help there, but if you have a question about some DLLs, there's nothing like Google for some quick and dirty references.
    SSM is not perfect as it requires some savvy on the operators part to make sure nothing bad gets allowed. It at least gives us a fighting chance to make a decision though.
    Not much goes on on my computer that gets by SSM.
    Just the Windows Trojan. :'(
     
  14. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi root!

    Thanks for the advice. I started to locate the files and look at their properties. There you can see when it was created, by whom, ... Certainly you can fake this information, but I think that you can nevertheless be almost 100% sure of the provided information. Just try to fake a Microsoft property...

    Nevertheless this tool is for paranoid people like us. Imagine someone else using this tool, like my mother for example! She would go crazy if she had to set all the different rules for it. :D Well, to be honest, she already goes crazy now when some minor errors occur... :rolleyes: LOL :D

    Best regards!

    Patrice
     
  15. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi guys!

    It's me again. Well, SSM is a nice tool, but somehow it's also irritating. It's certainly a tool for paranoid people like us! :D lol

    But sorry, I consider myself as a "poweruser" and right now I'm writing my thesis. That means, I open Word, Excel, IE, Adobe Acrobat, Photoshop, Outlook,... all the time. Do you know how many alerts SSM sends out? :p Funny that I'm not yet crazy...

    That's why I had to uninstall it again. I cannot work properly with such a tool. It sure is a nice tool if everything is set correctly, but like that - no thanks! My final conclusion is that this tool restricts too many things, so that you aren't able to work in a proper way with the computer like it was intended to.

    Well, this is my opinion, I'm sure you see things differently!

    Best regards,

    Patrice
     
  16. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Patrice,

    I am running all programs from Office Suite XP and 2003 and lots of others too, all day long.

    Never an alert for any of them if nothing tries to hook on them. Did you tick "always allow" for those programs?

    Rgds,
     
  17. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi JacK!

    Sorry, I didn't explain it well! :oops: Yes, that's exactly my problem. I have to allow thousands of progs and dll's all the time. That was the reason why I almost got crazy...

    Regards,

    Patrice
     
  18. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Patrice,

    Seems to be a bad configuration: when a program is ticked "always allow" you shouldn't get any more warnings on it as long as nothing tries to hook on it.

    What OS are you running?

    No problem on Win2K and WinXP. Possible incompatibilities with non NT OS.

    Rgds,
     
  19. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Nope everything is fine with the installation. I'm using Windows XP Pro. The only problem is that you have to click away (always allow or only administrator is allowed) all these pop-ups. I know this is very good for safety, but not if you have to work a lot with your computer...

    If I have to allow every single program on my computer if I wanna run it, then I will go crazy...

    I prefer the Application filter of Look'n'Stop. It only asks me if a program wants to connect to the internet (and not if I wanna start it). That makes it much easier to have control over the applications. And it's indeed very interesting how many programs try to connect to the internet without your knowledge...

    Greetings,

    Patrice
     
  20. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Patrice,

    Seems to me there is a little misunderstanding of the way SSM works. It's not intended to replace your FW; it is a complement.

    You should try this: Admin Mode

    When a new application starts for the first time and you trust it, tick "Always allow". Note that some applications may legitimately call different *.dll, *.exe, etc. according to what you do (IE for instance, but also programs from the Office Suite, etc.), not only for connection requests. Once everything is okay, you have set what you always allow and always deny. You will only get alerts when something unusual occurs.

    For instance, lots of programs have an automatic update feature. I put it on manual and, when needed, as I update it, I tick "allow this time only". For automatic update, I only leave my AV and FW on always allow.
    With FP for instance, when you click on aperçu (preview), it tries to connect to the W3: no need for me, I check on a local web server, so I checked always deny and I get no popup at all and no connection attempt.

    As for Windows help, I very seldom need to get help from the W3, only locally, so I get a warning to allow the connection when needed.

    The best way to start is, after installing, running all your current applications AND their different options to set your own policy, ALWAYS allow and ALWAYS deny;
    for the rest only (what depends on the circumstances, sometimes yes and sometimes no) you will get an alert: that's up to you ;)

    The most alerts I get is when installing a new app, and I can see for instance if something abnormal happens (spyware or other malware trying to install itself behind my back :))

    Hoping it helps,
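The always allow / always deny / ask policy JacK describes above, and his point that an always-allowed program still raises an alert when something hooks into it, as an added Python model that is not SSM's code or from the thread; the program names, the constructed day of events and the rule that a hook is judged by the hooking module are assumptions:

```python
from dataclasses import dataclass, field
ALWAYS_ALLOW, ALWAYS_DENY = "always allow", "always deny"

@dataclass
class Monitor:
    """Assumed model of the rules in the thread: a rule persists per program; no rule means alert and ask."""
    rules: dict[str, str] = field(default_factory=dict)
    alerts: list[tuple[str, str, str]] = field(default_factory=list)

    def decide(self, event: str, program: str, actor: str) -> str:
        """'start': actor launches program (judged by program's rule); 'hook': actor hooks
        into program (judged by the hooker's rule, so an allowed program still alerts)."""
        rule = self.rules.get(program if event == "start" else actor)
        if rule == ALWAYS_ALLOW:
            return "allow"
        if rule == ALWAYS_DENY:
            return "deny"
        self.alerts.append((event, program, actor))
        return "ask"

    def answer(self, subject: str, choice: str) -> None:
        """Persist 'always allow'/'always deny'; 'allow this time only' stores nothing."""
        if choice in (ALWAYS_ALLOW, ALWAYS_DENY):
            self.rules[subject] = choice

# Constructed events for one working day (not from any real log).
WORKDAY = [
    ("start", "winword.exe", "explorer.exe"),
    ("start", "excel.exe", "explorer.exe"),
    ("start", "iexplore.exe", "explorer.exe"),
    ("hook", "iexplore.exe", "toolbar.dll"),   # unknown module hooking IE
    ("start", "updater.exe", "winword.exe"),   # auto-update, set to manual
]

def admin_mode(mon: Monitor) -> None:
    """Run the everyday programs once and set the policy, as JacK recommends."""
    for prog in ("winword.exe", "excel.exe", "iexplore.exe"):
        mon.answer(prog, ALWAYS_ALLOW)
    mon.answer("updater.exe", ALWAYS_DENY)
    mon.answer("toolbar.dll", "allow this time only")  # no rule stored

def count_alerts(mon: Monitor) -> int:
    mon.alerts.clear()
    for event in WORKDAY:
        mon.decide(*event)
    return len(mon.alerts)

def demo() -> tuple[int, int]:
    untrained, tuned = Monitor(), Monitor()
    admin_mode(tuned)
    return count_alerts(untrained), count_alerts(tuned)  # (5, 1)
```

With no rules every event is an alert; after admin mode only the unknown hook into IE asks, and the manual updater is silently denied.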
     