Anyone Tested DriveSentry?

Discussion in 'other anti-malware software' started by FatalChaos, Jul 10, 2007.

Thread Status:
Not open for further replies.
  1. FatalChaos

    FatalChaos Registered Member

    Joined:
    Aug 6, 2005
    Posts:
    98
    I was looking around for a HIPS program for vista, and a program called DriveSentry showed up. I haven't really heard anything about this, has anyone ever used this program or knows of a website that has tested it?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    I've played with it and it doesn't offer me anything beyond what I already have. But it won't hurt you, so give it a whirl.

    Pete
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Gave it a run a while ago and Allow and Remember button wouldn't light up but decided to try it out again after re-reading ronjor's links.

    Installed it into an XP VM and seems to be running ok atm.

    You can stop the pop ups and sending data out through the gui if you look around a bit to find the settings.

    Only played with it for a little while but at least the Allow and Remember button worked for me this time around.

    I think it may have some potential and have saved the vm for more testing a bit later on.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Seems like a new beta version with a couple of new features (v3) is online, will take it for a test drive, but I now see that you first need to log in to your account before you can use this tool, the same with A Squared Anti Malware, I really think this is ridiculous. :cautious:

    http://www.drivesentry.com/news.php?view_id=21
     
    Last edited: Aug 20, 2007
  6. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I have been using v2 for 6 weeks and I like it a lot. Very unobtrusive, lightweight and has given me a good number of alerts. Many in the early stages of its use and this has reduced (naturally) the more I've used it. Currently very quiet but in the last week it alerted me to DefenseWall changing after I upgraded it from v2.01 to v2.03. One thing that did concern me about the beta for v3 is this: "Active beta testers will receive a version of the final software for FREE!" Well, as it's currently free for personal use, this suggests that it is going to be paidware. It doesn't seem to confirm this on the website but I suspect from the wording I highlighted that it is going that way.

    muf
     
  7. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: The last time I tested it was the time it was offered as freeware. I noticed that it uses the same concept as Prevx2 (community database), and its capacity at that time (a few months ago?) was around a few thousand. I did not like that number, therefore I dropped it. Hoping this time around its database has grown exponentially. :doubt:
     
  8. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    I've also been using DriveSentry for some time as I like the different approach of controlling what can write to my drive and registry rather than just preventing execution. I downloaded DriveSentry v3 (beta) a few days ago and so far here are my findings:

    Good things: :thumb:

    - Auto-allows good "whitelisted" programs, about 12,000 + 30,000 from the community, which reduces pop-ups.
    - Auto-denies bad programs by checking with its online community database, which is currently holding 154,315 malware signatures.
    - Detects malware files (not just apps) being written to the drives. If it detects malware then it allows you to quarantine and delete them.
    - Detected all 14 tests of "modified" Spycar samples attacking key files and registry settings, compared to Norton 360 detecting just 2!
    - Detected malicious actions of a "modified" virus to emulate a zero-day threat which Prevx 2 failed to detect.
    - Scans folders and drives for malware from the online database.
    - Detects memory attacks on other processes (only tested with WriteProcessMemory).
    - Install is 1.5 MB and is damn quick with no reboot!
    - Uses few resources: disk, memory or CPU.
    - Slick interface and simple to use.

    Bad things: :thumbd:

    - Have to sign up to use the software, which requires an internet connection.
    - The disk/folder scanner is slow (65,000+ files took a few hours) as it has to connect to the online database.
    - Only monitors by default attacks on certain settings, filetypes and folders. If you click a small padlock icon on the floating window then it monitors the whole drive. This should be on by default!
    - Their website has no info on this version o_O

    DriveSentry have told me that the software will continue to work after a trial period but they will stop the auto-allow/deny feature after x days. I think this means that you will get pop-ups after this time even if it's white/black-listed. The virus scanner and other functionality will continue to function. A paying user will also get some extras but they didn't divulge any info.

    ~interact
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Ever since I've seen them badmouthing other security vendors on their blog, I've stayed away from this product. That and their policy of asking users to register for an account makes me uneasy. But from a technical standpoint, I must admit DriveSentry seemed sound during the period I tested it.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Checked it out quickly, and for some reason it still needs to load some randomly named executable at start up, it even shows up in the taskbar, can't believe they didn't fix this. I'm not sure what to think about this app, does it offer better file protection than other HIPS? The only thing that I do like is the GUI. But I hate community based tools, so I will not be using it anytime soon. ;)
     
  11. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    The randomly named exe seems to be a guard process which pops up a message when the main UI is terminated or the drivers are shut down. I checked it out in Syser and that's all it does. I read their blog; well, you've got to admit they have some balls to criticize the almighty Symantec, but when great tools such as AVG, BOClean and AntiVir are around who the hell needs Norton 360 anyway :cool:

    ~interact
     
  12. AwareSoul

    AwareSoul Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    14
  13. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    You must have some sort of knowledge regarding these tests/malwares, in particular the test results.

    What are they?

    I do not have the slightest idea that so many tests are available to test it. :doubt:
     
  14. AwareSoul

    AwareSoul Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    14
  15. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, I just did. Can only say this to folks:

    I took it out for a test drive, but did not pass the first intersection, thanks, but no thanks, developer.

    As soon as it launched, it immediately froze my box (with 1 GB memory and a Core 2 Duo processor) due to extraordinarily high RAM usage. After waiting 5 minutes for shutdown, I resorted to the hard way. Sh...t, I have not had this sort of problem since I bought this baby.

    For those folks who are eager to test it, please be advised to do it with a test machine or a virtual one.

    Just wish some one could encounter a better fate than mine.

    Take care and am trying to be happy after this.
     
  16. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Although I haven't got around to testing it much yet, I've been using the latest version 3 for a few weeks now and it's been smooth sailing. The built-in malware scanner is a great addition to my AV software.
     
  17. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    AwareSoul,

    I've tested the latest version of DriveSentry with the following:

    Advanced Process Terminator (APT) = Passes all tests.
    Driver shutdown = Passes all tests.
    Leak testing = DS detects process writes.
    System test e.g. shutdown = DS doesn't protect against.

    Killdisk and known threats =

    Its virus database has nearly 800k+ virus sigs and new ones are added in real time locally every 10 minutes. By default Killdisk and many others are detected automatically.

    Zero day threats =

    DriveSentry now has behavioral monitoring similar to ThreatFire and Sana Security.

    To really test the software I did this hack test:

    1. Shut down DriveSentry (this has to be done as it now has background scanning, so if a process writes a known virus then it will be detected).

    2. Find some viruses (I would post a URL but I will get banned, anyway there's some good sites out there!)

    3. Delete its local database C:\Documents and Settings\All Users\Application Data\DriveSentry\DriveSentryData.db

    4. Disconnect your Internet so DriveSentry cannot go to its online database to check threats if it doesn't have its local database.

    5. Re-run DriveSentry and run a virus.

    The detection results were very impressive, definitely equal to ThreatFire. If its local database is not deleted then it detected a number of nasties that ThreatFire didn't :eek:

    I've had a freeze with ZoneAlarm while running DriveSentry and I've run it alongside the following before with no problems:

    Comodo Firewall
    PCTools
    Sana Security
    Threatfire
    PrevX
    Norton 360

    I hope this helps....

    ~interact
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    I just did a test against a real Virus, and it wasn't very encouraging. See this post.

    Pete
     
  19. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Peter2150,

    I just did a similar test and it worked fine when I clicked quarantine on the pop-up. The test you did was very good as I wonder if SSM or OA take control of processes (e.g. viruses) from other protection tools and then allow them to carry on their activity. I hate to imagine what they all seem to be doing at the kernel level :rolleyes:

    ~interact
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Oh for sure, had I clicked quarantine, it would have. SSM and OA will also block it. I was allowing partly because I wanted to see what the virus was doing, and also to test if the other software was protecting the drive. What was disconcerting is I didn't respond either way, and DriveSentry didn't stop it. That is bad. If I ever get their admin response I will post to their forum.
     
  21. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Peter, could you please refer me to some post where you describe your methodology, which backup software you are using etc. Even if I could figure this out myself, it could spare me some time.

    Regarding the DriveSentry test, if I understood it correctly, does it mean that the virus will continue with its activity, and that it's not frozen while you consider which action to choose? Have you done a similar test with ThreatFire and other behavior blockers? I wonder, since they contact the community server, if this could be a "normal" approach for not bloating the system it runs on. For example some registry monitors/watchers are polling and then roll back the activities if you choose to block.

    /C.
     
    Last edited: Dec 2, 2007
  22. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I used to use v2 of DriveSentry and liked it a lot. One day it reported the database was corrupt and wouldn't work. So I uninstalled it and cleaned out the registry and HDD of everything relating to it. Reinstalled it and the same thing. Corrupt database. So I looked on the website and saw that v3 had been released and it was now a paid-for application. Very disappointed that either the v3 database had uploaded into my v2 and was not compatible, or, more sinister, they purposely disabled my free v2 so I had no choice but to move to v3. The thing was that I did have a choice. I uninstalled it completely...

    Liked v2 but didn't like how they disabled it without notice.

    muf
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    The thread where I describe what I did is here. It now is a fairly long read. Not sure why you ask about backup software. I was testing in a VMware VM, which has a snapshot feature, so when I was done I just reverted back to the starting point.

    No, I haven't tested ThreatFire, and it wouldn't have mattered. I was monitoring the virus install with both OA and SSM. Clearly early on I could have blocked the actions with either of them. But I allowed the actions, as I wanted first to see the behavior, and second to see specifically if the software protecting the 2nd drive did its job. With both SSM and OA, until you click either allow or block the process was halted. When DriveSentry presented me with either ignore or quarantine, I assumed it was halted, but it wasn't. When one of the early challenges was ignored I kept answering the challenges from the other two programs, and the virus was completely installed. Even without that I wouldn't trust it for the purpose outlined in that thread. The object was to protect the 2nd drive, period. Not give the user a chance to screw it up. The programs I rated a pass never asked anything, they just protected the drive.

    Pete

    PS. Do keep in mind this was all for a narrow purpose, Erik's approach.
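Peter's observation that the DriveSentry prompt did not halt the process, and Cerxes's question about monitors that poll and then roll back, both come down to one design decision: what a HIPS does with a write to the protected drive while its alert is still unanswered. The following is an added illustration in Python, not DriveSentry's, SSM's, OA's or any other product's code; the three mediator functions, the "prompt" callbacks, the sample dropper write sequence and the D:\ paths are all constructed for the example. It replays the same three writes through a mediator that suspends the write until answered (fail closed), one that lets the write land and undoes it only on an explicit block (fail open when unanswered), and one that merely notifies.

```python
"""Added illustration: what a HIPS does with a protected-drive write
while its user prompt is outstanding. Not vendor code; all names,
paths and the sample write sequence are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class WriteRequest:
    process: str   # constructed process name
    path: str      # constructed target path on the guarded drive


@dataclass
class ProtectedDrive:
    """Stand-in for the second drive being guarded."""
    files: List[str] = field(default_factory=list)
    quarantined: List[str] = field(default_factory=list)

    def commit(self, path: str) -> None:
        self.files.append(path)

    def roll_back(self, path: str) -> None:
        self.files.remove(path)
        self.quarantined.append(path)


# A prompt callback returns a Decision, or None when the user never answers
# (the unanswered-alert case described in the thread).
Prompt = Callable[[WriteRequest], Optional[Decision]]


def synchronous_mediation(req: WriteRequest, drive: ProtectedDrive,
                          prompt: Prompt) -> Decision:
    """Write is suspended until answered; no answer means block (fail closed)."""
    answer = prompt(req)
    if answer is Decision.ALLOW:
        drive.commit(req.path)
        return Decision.ALLOW
    return Decision.BLOCK  # None or BLOCK both leave the drive untouched


def notify_then_rollback(req: WriteRequest, drive: ProtectedDrive,
                         prompt: Prompt) -> Decision:
    """Polling-monitor style: the write lands first and is undone only if
    the user explicitly blocks, so an unanswered prompt leaves it in place."""
    drive.commit(req.path)
    answer = prompt(req)
    if answer is Decision.BLOCK:
        drive.roll_back(req.path)
        return Decision.BLOCK
    return Decision.ALLOW  # fail open on silence


def notify_only(req: WriteRequest, drive: ProtectedDrive,
                prompt: Prompt) -> Decision:
    """The alert fires but the write proceeds whatever the answer."""
    drive.commit(req.path)
    prompt(req)
    return Decision.ALLOW


def run_sample_install(mediator, prompt: Prompt) -> ProtectedDrive:
    """Replay a constructed three-write 'dropper install' through one mediator."""
    drive = ProtectedDrive()
    sample = [WriteRequest("dropper.exe", r"D:\Windows\svchost32.exe"),
              WriteRequest("dropper.exe", r"D:\autorun.inf"),
              WriteRequest("dropper.exe", r"D:\Documents\payload.dll")]
    for req in sample:
        mediator(req, drive, prompt)
    return drive


def never_answers(req: WriteRequest) -> Optional[Decision]:
    return None  # the user ignores the alert


def always_blocks(req: WriteRequest) -> Optional[Decision]:
    return Decision.BLOCK  # the user clicks block/quarantine every time


if __name__ == "__main__":
    for name, mediator in [("synchronous", synchronous_mediation),
                           ("rollback", notify_then_rollback),
                           ("notify-only", notify_only)]:
        d = run_sample_install(mediator, never_answers)
        print(f"{name:12s} with unanswered prompt -> on drive: {d.files}")
```

Only the synchronous mediator keeps the drive clean when the alert is ignored; the rollback design needs an explicit block to undo each write, and the notify-only design never protects the drive at all. That is the distinction Pete draws between tools that halt the process until answered and one that did not.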
     
  24. AwareSoul

    AwareSoul Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    14
    Thanks interact, Peter2150 and others who have contributed their insights regarding DS. They are all very much appreciated.


    AwareSoul
     
  25. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    No, and neither do I :D. I meant VM softwares.

    Thank you for linking to your post where you describe your methodology. I completely forgot that you had already mentioned it in your first post in that thread.

    Edit: I've decided to use a separate machine for testing, using Returnil in combination with another VM software. I first looked at the one you use, VMware Workstation, but $189.00 is a little bit too expensive. Could you, or someone else, recommend me something similar? Thanks!

    /C.
     
    Last edited: Dec 2, 2007