Best free complement for SSM Free

Discussion in 'other anti-malware software' started by glentrino2duo, May 3, 2007.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    To be honest I think that EQSecure could replace SSM Free entirely. Is anyone aware of any functionality that SSM Free provides that isn't covered by EQSecure?
     
  2. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I asked a somewhat similar question in post #39, and am still waiting for the screenshots to be provided by Easter..
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft & Glentrino2duo:

    Features EQSecure - SSM Free

    EQS has
    - low level data access control
    - A registry protection module with wildcards (which SSM-free lacks)
    - Data protection (define any extension, directory to be guarded)
    - Key logger protection
    - Driver service control (not polling services like SSM-free, in SSM free you only
    can get warned, you can not block starting/stopping of services)

    Glentrino2duo
    When you would like on top of SSM-free:
    - registry control with wild cards
    - data protection (of vulnerable files/directories)
    - network control over listening, sending data and initiating traffic

    Have a look at the latest Winpooch (0.6.6); it is written in C, reasonably fast and not that demanding on memory.
    The default rules have enough examples to figure out how the application works. I use it on my son's PC recently together with an old CyberHawk (1.2.0.39) version. This gives him complete protection (with of course DefenseWall) and all controls are set to ask (cyberhawk default) and ask + block (WinPooch). Works quite well until now.

    regards K
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Just a point of mention...

    SSM Free can stop keyloggers reasonably well, since it tracks global hooks. It does lack the capability to distinctly specify that a hook aims to log keystrokes, though. I haven't tested it against API key state functions... any ideas how it fares against them?
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I do not recall which keyloggers SSM-free fails, EQSecure captures also global hooks and some specific keyloggers:

    Keyloggers
    1. Anti-Keylogger Test at firewallleaktester.com
    - GetKeyState = pass
    - GetAsyncKeyState = pass
    - DirectX = pass
    - both screenshot grab tests failed

    2. Keyhook (auditmyPC) = pass

    3. Keylogger HelpprotectMyPC = pass

    4. Martin's undetectable keylogger = pass
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Never mind. I just tested it for myself; SSM Free doesn't block the API getkeystate functions, only keyloggers installed via global hooks.
     
  7. herbalist

    herbalist Guest

    What you're asking for here is a firewall by definition. Controlling internet traffic is the primary task of an internet firewall. I realize that you like CHX-1 and that you also have the PC tools firewall, but you are asking for a HIPS or HIPS complementing application that will perform the duties of an internet firewall instead of requiring one of the firewalls you already have to do its job. No matter what the app you choose is called, if it controls internet traffic, it is a firewall or has a firewall component. Whether you use the different features of each or not, you'll end up with 3 firewalls installed and will be at a high risk of system conflicts, at least at a driver level, possibly at a kernel level if the new application is a type of HIPS or behavior blocker.

    I strongly suggest that you limit your PC to using one internet firewall and one HIPS. Controlling which apps have internet access (in either direction) is the firewall's job. If CHX-1 can't control traffic the way you want, maybe it's time to consider another.

    Regarding SSM free and the keylogger tests, the results of any tests done with these utilities need to be evaluated in context, starting with the fact that these are tests that you had to allow to run in the first place. Users let these tests run because they are tests. If they were real keyloggers or malware, most users would never choose to let them start or ever download them. SSM free does block the process from starting, so whether we're dealing with a test file or the real thing, SSM free does protect you, but not from yourself. How well SSM free does against the various methods the tests use is useful for information purposes but is of little use in real life situations. It's very unlikely that a user, one who permits an unknown and potentially malicious process to run, will suddenly choose to block the activities of that same process. If they permitted it to run, they'll permit it to function.
    Rick
     
  8. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Hi Rick! I most certainly agree with you.
    It's just that certain HIPS offer basic network control. Because of this thread, I actually received helpful suggestions like ProSecurity, AppDefend, even DSA and WinPooch. I have nothing against PCTools, it's just that if I can do basic network control on a HIPS level, even though in principle it's the firewall's job, why not? Then I can ditch PCTools as I am satisfied with my inbound protection provided by CHX-I. Or if PCTools will keep on improving their features enough for me to trust its inbound protection, I might ditch CHX-I and stick with my SSM Free/PCTools combo. I'm still juggling my options and appreciate all the information I receive here at Wilders.
    We cannot just tell those HIPS developers to stop including network control in their products because it's the firewall's job. I like SSM Free so much and I do not like to see myself parting ways with it which is why I asked the best free complement for it in this thread.
    btw, SSM Free and AppDefend seem to be a good combo. AppDefend is complementing nicely with SSM Free in basic network control and SSM Free is doing a good job taking care of AppDefend's nag screen. :)
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It's all nice and good when you KNOW a file in question is malware or not. It's a different story entirely when the user is tricked into believing a trojan is a benign program. Trying to excuse the inability of a HIPS program to block certain actions by saying the user shouldn't run suspicious files is as weak an argument as excusing poor detection rates for an AV by saying users should watch their browsing habits.
     
  10. EASTER.2010

    EASTER.2010 Guest

    Sorry for the delay, you can thank FirstDefense for it since I only recently jumped on that bandwagon and been frantically restructuring ALL my hard drive systems and storing myriad copies of ARCHIVES for safe keeping.

    Just so you know I am right now running EQSecure 3.3 & Kerio 2.15 with nothing else whatsoever and am going to gauge how well it stands up to normal surfing and hit some drive-by download sites as well as unleash some malware on it. It's perfectly safe what I'm doing because I zeroed out (twice) a rather anemic 15GB Maxtor HD and even carved a 3Gb partition on it. I'm free to let things run amuck because I also have RollBack Rx on it. Of note also: Running EQSecure with a fully unpatched XP Pro ATM which you would think is ripe for exploits if not for the fact that malware writers tend to try to keep up and ahead of patched systems. We will see.

    I am however totally amazed with EQSecure and the mention above that it could easily replace SSM free is certainly no myth from what I see of it. This puppy contains all the potential to outdistance even Cyberhawk if you ask me.
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I think that pretty much goes without saying.

    Cyberhawk isn't much of a HIPS anyway, with very limited rule creation options and all. It certainly doesn't give you anywhere near the level of control you get with a traditional HIPS program.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter

    As a matter of fact I did (having a SSM-pro license, but using EQSecure free). I am eager to try the 3.4 version of it. Due to its stupid rules inheritance of the default rules (when allowing a new program), I have EQSecure configured as a behavior blocker with block instead of ask on dangerous operations.

    I only wish they implement the ease of use of Appdefend in their coming releases

    Regards K
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    For this reason (shoot in the foot mistake), I replaced SSM by EQSecure (on my wife's - surfs only, downloads music and occasionally a program) and with old CyberHawk version and WinPooch on my son's (he downloads a lot and has probably unsafe surfing behavior, so allowing apps upfront lowered strong protection of a white list anti-executable totally).

    Regards K
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    True, but consider Winpooch. You will have less overlap (SSM and Appdefend) and the same registry protection features as Regdefend plus data protection as a bonus.

    Regards K
     
  15. herbalist

    herbalist Guest

    If a user is "tricked" into allowing malware to run, what makes you think they won't also permit its activities? With that type of logic, the bold section should read:
    "Trying to excuse the inability of a HIPS program to defend against the ill advised decisions of the user......"
    Apps like SSM were never designed to do that. It's designed to give the user control over applications and what those apps can do, not to compensate for the user's decisions. No security-ware can completely protect a PC from the user's decisions. Some malware writer will eventually find a way to defeat the activity control, sandbox, etc, and the user's PC will be compromised. Sure, the vendor will fix or update their product and the cycle will repeat, but the user's PC was still compromised. Hopefully, they'll be aware of it when it happens. Expecting security-ware to protect your PC from the activities of malware when you allow that malware to run (deliberately or not) is the equivalent of trying to see how close you can get to the edge of a cliff without falling off. Sooner or later, it will happen. If you want something that can protect a user from their own bad choices, it's called system backup software.

    Many AVs and anti-spyware apps have options that will let you ignore a specific item. If you choose to do that and that item messes up your PC, is it the AV or anti-spyware app's fault?
    Bottom line. SSM gives the user control over the PC and the responsibility to properly use it. Apps that are intended to compensate for the user's choices do the opposite. Two completely different methods for different types of users with different needs.
    Rick
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Herbalist,

    I have configured EQSecure to block all illegal activities except a few OS-related apps (for instance Windows accesses the physical memory to check whether you have a legal version).

    This means my wife can still download and use innocent applications (like an interior designer from a well known Scandinavian furnishing warehouse, or a calendar designer which uses your own photos and lets it print digitally).

    I first used SSM with the user interface disconnected (because she accepts all, thinking the Antivirus will deal with it), but that restricted usage too much. She does not want her PC completely sealed, but she accepts that tricky programs are a risk. In this way a behavioral blocker, although having weaker protection than an anti-executable, is safer due to self inflicted shoot in the foot mistakes of the user. With behavioral blocking I can restrict the shoot in the foot mistake to a reasonable standard.

    Due to this user bound behavior I like sandboxes also (they restrict rights on a XP home machine adequately).

    Regards K
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The whole point of a HIPS program is to alert the user to suspicious activity running on a PC. Taking keyloggers as an example, after being tricked into running the file, a HIPS program is supposed to alert the user that the process is trying to log keystrokes, thereby giving the cautious user a chance to deny it.

    Following your logic, no security software is required on any PC, ever. All users need to do is not run anything suspicious, end of story.

    "Expecting security-ware to protect your PC from the activities of malware when you allow that malware to run (deliberately or not) is the equivalent of trying to see how close you can get to the edge of a cliff without falling off." I really don't get it. Following your line of thought, security software is effective only when the user KNOWS a file is malware and does not run it. What's the point of security software, then?
     
    Last edited: May 12, 2007
  18. EASTER.2010

    EASTER.2010 Guest

    Allow me to take that statement even a step further.

    Unlike classic AV's and AS's, HIPS are very unique in nature. HIPS developers have mapped out most ALL the key points of entry as well as the most common Windows core code instructions at BOTH user level & kernel, and then implement their monitoring of those internal signals in order to intercept by immediately SUSPENDING any process indefinitely, while it passes (via prompt) its review including path over to the user and awaits the decision a user will give it be it up or down.

    In that way, and so much more, a true HIPS far excels beyond the limitations always found in signature-only security apps, especially AV's and was the chief reason early on I chanced to eliminate anti-virus apps from my machine entirely, and I HAVE NOT been disappointed in the least. A HIPS is far more stable in comparison also provided the development is dedicated in that purpose.
     
  19. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    We all know SSM is a classical HIPS of sorts and for users who want full control of their computer, it's really the way to go. But up until this point, I still couldn't figure out EQSecure, how it complements or is even able to replace SSM. When I tried it, most are duplications of what SSM does. But am really impressed at the GUI, especially the transparency thing heh :)
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Simple. It provides all the capabilities of SSM Free, and more. Most noticeable advantages over SSM Free are the ability to monitor the creation/deletion/modification of files, a more powerful application defence module (intercepts low-level disk access requests as well as API keylogging functions, among others) and REAL-TIME registry and windows services monitoring and blocking, as opposed to periodic polling.
     
  21. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Is that all? :) no wonder, a considerable number of forum members are so enthusiastic about this security app... am keeping watch, but might wait for 3.4
     
  22. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69

    The official V3.4 will be released in a few days; as V3.4 Beta3 has been published for testing, still some bugs need to be fixed. (The core developer of EQ is no more than one person, so IMO such delay is understandable, plus the app is completely free.) According to the developer, V3.4 is much more powerful than previous ones, which will add some important functions such as net communication control... Just wait and see.
     
  23. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    After several days of usage, I can now say that WinPooch 0.6.6 complements pretty well with SSM Free. It's light and stable unlike the earlier versions that I was able to try sometime in 2006. I had it replaced PC Tools Firewall Plus, which I only use for basic application network control..
    SSM Free + WinPooch = great combo!

    thanks Kees! :)
     
    Last edited: May 16, 2007
  24. EASTER.2010

    EASTER.2010 Guest

    Hmm, v. 6.6 heh. When I first tried Winpooch it was another app that impressed me. I forget the version I used but it was quite stable and really good until the next release, then I experienced problems with it. Likely because it clashed with my other security apps at the time. I agree it is a very good complement and seems to hunt down some items that the others don't, or at least it's first to jump up and intercept. That's what early releases of Cyberhawk did too. But Winpooch seems to cover more real estate. Right now I'm still testing the first EQSecure release ALONE with nothing else and so far so good, but Winpooch indeed ranks right up there so long as it works without issue for you.
     
  25. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Standalone, I won't use Winpooch because it doesn't do hash checking of files. But used with SSM Free, which does the hash checking, you're pretty much covered. Which is why, for now, I prefer Winpooch for network control over PC Tools Firewall because the latter does check file hashes, which is not actually a big deal in most cases, but I do not want two programs checking file hashes each time...
    This is aside from the fact that like Sensive Guard, Winpooch reports the parameters (IP addresses and ports) used by the network connection, while PC Tools PFP does not.
    But I am keeping close watch over the development of EQSecure :)
     
    Last edited: May 17, 2007