Can this be a better combination than AppDefend\RegDefend or ProcessGuard?

Discussion in 'other anti-malware software' started by dja2k, May 18, 2006.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Some of you have tried these new products, CyberHawk and SSM 2. What do you think of putting those in combination, compared against AppDefend\RegDefend or even ProcessGuard? Maybe they aren't the same, but if you compare protection, which combo would be better? I know both CyberHawk and AppDefend are still in beta and SSM has had more time out. There is a thread here on CyberHawk giving it a good name, and someone said that it works great with SSM 2. What do you think about that, for those of you who have tried them together? Or any other comments? What if you add Neoava Guard to the mix, what then?

    dja2k
     
  2. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    What about Online Armor & Safe N Sec? This combo will cover more than AppDefend/RegDefend. The question is whether you actually NEED them.

    OA covers execution and web content. Safe N Sec covers termination, network activity, process modification, registry, file writing to specific areas, driver/service installing and loading, and more in between.
     
  3. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    No disputes on OA. OA AV+ is in my primary defense. Safe'n'Sec is okay, but it is a yearly subscription when some of the others I mentioned are one-time purchases or even free.
    Comparing Safe'n'Sec to System Safety Monitor, I might be wrong, but they kinda offer the same protection and SSM is more configurable.


    dja2k
     
  4. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    SSM and SnS cover SOME of the same stuff, but they also cover a lot of different things.
    I dunno whether I'd agree with your statement that SSM is more configurable than SnS; you have the rule creation thing in SnS that allows you to edit/add/delete ANY security profile it covers.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    I am running OA, SSM and Ghost Security (AppDefend and RegDefend) in conjunction with the KAV 6.0 betas.

    All seems well, only on the latest KAV 6.0 beta I have to disable some of the PDM protections, as they now conflict with, I believe, SSM.

    Personally I think SSM is far better than Process Guard. It solves some of the problems with being able to protect services and rundll32 etc. In PG, once you give services.exe permission it can be abused. In SSM you can control who can run services.exe. Big difference.

    I've dropped Safe'n'Sec for a couple of reasons.

    1) Never got builds beyond 670 to run. The later builds cause hangs on my system.
    2) Has the rule editor, but that is so confusing....
    3) The license key limitation. I like the option of multiple uninstalls and reinstalls, and their 5 install limitation was a pain. Granted they always sent a new key, but still it was a nuisance.
    4) I think the game copy protection may have taken a big toll. The main guy I contacted in support suddenly didn't reply, and I'd been told a new beta would be available in April. When I recently inquired, I was told it is on indefinite hold. Doesn't give me a warm fuzzy.

    Pete
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, SSM and AppDefend together is not a duplication?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Hi Aigle

    Yes, it's a bit of an overlap. But that's okay by me. They run fine together, and it helps protect me against my worst enemy. ME :D
     
  8. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Well, I am running SSM next to OA AV+ just fine. CyberHawk gave me a BSOD right away after running and never went into Windows, so CyberHawk is out of my list. I was a beta tester for Safe'n'Sec and, to tell you the truth, it was good, but there is something in my system that doesn't agree with it, so I never went back to using it. Also my activations wouldn't last me a week since I like to restore a lot. The reason I said SSM is more configurable is because I like the fact that you can easily set what to allow plus set the special permissions. I'd have to agree that SSM doesn't have all the registry power of RegDefend, as SSM is only based on a limited number of registry keys. Maybe that is where RegDefend should come into the picture. Don't know how good Safe'n'Sec got in the registry protection, maybe only as good as SSM.

    dja2k
     
  9. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    You might want to try PrevX1R too.
     
  10. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Already tried Prevx1 "R", but I am one of those who had slowdowns, especially when running administrative tools, which I do a lot. Prevx1 "R" is running fine on my laptop alongside an antivirus and firewall only.

    What do you guys think of ProSecurity and Neoava Guard compared to the other apps in this thread? It seems to me that most do the same thing, especially EXECUTION PROTECTION.

    dja2k
     
  11. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    ProSecurity is in very early stages of development. It's not mature enough to rely on IMO.
     
  12. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    IMHO it does not make much sense to run after each new IDS/system firewall.

    I had a quick look at CyberHawk. Despite the aggressive marketing it seems that the IDS rules are VERY basic (compared, for example, to the more sophisticated rules of the A2 IDS). Example: execute a Lithium trojan that does not register itself (because autostart entries are set by an installer or a batch file) and does not copy itself to the Windows directory (because this is also done by the installer or batch file). CyberHawk won't detect it because it (apparently) does not feature "intelligent" rules that determine whether a process is hidden (= no window) or not.

    As regards SSM: nice app. But have you ever tried to attack it? I did and the last time it was far less robust than Process Guard.

    Online Armor: I have not noticed ANY useful features (that are not already included in another application). Why do you use this program?

    I would not waste too much time with too many alternative applications UNLESS the developer is in a position to exactly describe HOW it works and what technology it uses. The developer should explain what unique features his product offers.
     
  13. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Watch out what you say about Online Armor. Later it might just replace all your AV\FW\HIPS programs with one solid suite. OA's customer service is excellent. Mike at Tallemu is fast at responding to posts, emails and personal messages.

    dja2k
     
  14. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    ok .. ok...but what does it DO? (EDITED: I read the webpage of course. But which features are really good in your opinion?)
     
    Last edited: May 18, 2006
  15. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    Personally, I like OA's ability to give me a second (not third or fourth :) ) chance before an application is launched. Also, it does not slow down my PCs too much and is compatible with many other security programs when running together.

     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So you prefer SSM/AppDefend over PG. What are the points for your preference?
    Also, how good is SSM in protecting the registry?
    Thanks.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    For protecting the registry, RegDefend is tops in my opinion. That said, SSM is probably on a par with the new PDM module in KAV 6.0. Probably adequate for the average user.

    Why SSM/AppDefend over PG.

    Some key issues.

    Services.exe

    PG: You can either allow it to install services or not.
    SSM: You can control what program can use services.exe and also control what services.exe can do.

    Global Hooks

    PG: You either give something permission or not.
    SSM: You can either give permission or not, or when a program requests permission for global hooks, you can restrict it to global hooks from the specific DLL it wants to hook. So malware couldn't use the process to hook anything else.

    Learning Mode

    PG: Its learning mode first blocks something a program wants to do, then gives it permission. On a new install this can be a disaster.

    SSM: Its learning mode just lets a program do whatever it wants, and it learns and makes rules based on what happened.

    AppDefend parallels, but also has differences with, SSM. The key difference is it also controls network access. I have found it gives better control on this than most firewalls.


    Pete
     
  18. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I am using OA AV+; of course it's better than the original OA because it has the anti-spam and anti-virus protection. I like the antivirus because it is very descriptive when you try to run an infected file like the DFK Threat Simulator (DFKTS). The OA original and OA AV+ have the startup monitor, which asks for permission to set RUN on startup for unknown programs, plus execution control for all program execution. The web scanner is also good because it helps to know what sites have ActiveX (allow or deny them), and OA AV+ incorporates the AV part into that scanner as well. OA AV+ uses the KAV engine, which is good because most people here agree that Nod32 and KAV are among the top 2 AVs recommended; if you disagree, check this out HERE.

    OA AV+ helps me eliminate the need to run another separate AV, a startup monitor, an IE extension checker, a hosts file checker, keylogger monitor etc. Don't get my curiosity wrong, OA AV+ is on my permanent list of security; all the rest I add\try is just for extra security or to try new things out.

    dja2k
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Peter! So just some more questions.
    How resistant are SSM and AppDefend against termination by malware as compared to PG?
    For the average user, which one is easier to set up, SSM or AppDefend?
    What about ViGuard?
     
  20. herbalist

    herbalist Guest

    I can't address AppDefend's performance, but preventing unwanted termination is one of the things that the SSM team has been working on. It's getting much better. As for its being terminated by malware, this could only happen if you already had the malware on your system or allowed it to both install and start. SSM would intercept the installer and the process itself. If you allow both the installer and the process itself to start, the fault isn't with SSM, or any similar application. These programs are only as good as the answers you give to the alerts. They can't compensate for bad decisions.
    It can't be overstated that these programs are for clean systems, not malware-infected ones. While I understand people's concern regarding how resistant such apps are to unwanted termination by a malware program, you still come back to the questions:
    Why is that malware running on your system in the first place?
    If a system or software exploit is used for the termination, why haven't you patched it, or if necessary replaced the offending software with something better?
    These programs don't clean systems. They prevent them from being infected. Malware won't terminate any of the better of these programs if it can't install or start.
    As for the learning mode in SSM, it works well if your system is clean to start with. BTW, you can use learning mode with SSM in the "paranoid setting" and get a pretty nice ruleset. It's not as good as the rules an expert would write but they're plenty good enough for normal usage. The system has to be clean to start with, no matter which program you use.
    Rick
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    On the termination issue I think herbalist said it all.

    As far as which is easier... I say they are both about the same. Maybe a slight edge to SSM with learning mode.

    I've not done anything with ViGuard.
     
  22. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    No one has mentioned anything exciting about ProSecurity except what Afrodude mentioned. Who has tried ProSecurity? Looks like it does, or is going to, compete directly with ProcessGuard with its process protection and restriction tab. Also, saying that a program is not mature enough is kinda contradicting and misleading, don't you think, because programs like AppDefend are still in beta and still get compared equally to other programs in their final stage; but I agree too, ProSecurity is too early to tell.

    dja2k
     
    Last edited: May 18, 2006
  23. EASTER.2010

    EASTER.2010 Guest

    System Safety Monitor alongside CyberHawk, and it finally reached a point of pure boredom just trying to infect my units locally. AV is out 100%. I rely only on an online scan periodically to see what, if anything, has penetrated this combo unknowingly, and the results continue to return a clean slate each and every time.

    As indicated already, so long as the security programs protect themselves solidly from being closed or terminated, attacks of any sort are only motions that lead to nothing.

    The feature that stands out best among the many others with SSM, which I like, is that you can select that SSM keeps your other safety programs from termination. They might be closed momentarily, but they restart immediately and continually if something malicious kept reclosing them.

    That is an excellent feature. CyberHawk is a TERMINATOR! and a fantastic interceptor in its own right. With that combo and a good firewall, intrusions are nothing more than a waste of effort no matter how well conceived or drawn up IMHO.

    It's been high time that HIPS programs have finally entered into this arena and now have proven to put a total lockout on ALL intrusions. They are doing masterfully well and then some.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    @herbalist
    @peter

    thanks a lot!
     
  25. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    1.
    Peter's description of SSM is useful. The biggest problem with SSM was (when I last tested it) that it could be bypassed/disabled by various tricks. (For further information, see the SSM forum.) In addition, SSM had (and may still have?) more compatibility issues than Process Guard. Therefore, I would hesitate to solely rely on SSM as a system firewall until it has been properly tested by an experienced person. (Remember how many times we attacked Process Guard. Wayne was always angry when this happened. But finally it helped to make Process Guard a robust application.)

    2.
    "That is an excellent feature. CyberHawk is a TERMINATOR! and fantastic interceptor in its own right. That combo with a good firewall and intrusions are nothing more than a waste of effort no matter how well conceived or drawn up IMHO."

    Most people fail to distinguish between mere "execution control" (as it is offered by many, many applications including personal firewalls), "control of low-level activities" (as it is offered by various system firewalls like SSM or Process Guard) and "IDS/behaviour-blockers" (as provided by A2, KIS or CyberHawk).

    While execution control and control of low-level activities are useful, they FREQUENTLY do not help you to distinguish legit applications from malware. It really does not help too much if an execution blocker prevents the execution of each and every program. By contrast, an intelligent IDS will detect suspicious behaviour (e.g., a program has no visible window and opens a port). That's much more powerful (but does not make a system firewall redundant!)

    If you want to test whether your IDS/behaviour blocker is more than a bad experiment you should try the following: take a trojan that does NOT copy itself to c: and that does not register itself (no autostart). Reason: such suspicious behaviour can and will be easily avoided by modular malware (e.g., installer packages). Execute the trojan so that it opens a port. (Do NOT block the execution. You must not assume that you are God and know whether a program is malicious or not.) Wait for the alert of your IDS. There is no alert? Well...you use the wrong IDS ;-)
     
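The distinction drawn in the post above, as an added example that is not part of the original thread or of any product named in it: a small Python rule evaluator in which the basic single-action rules the post attributes to CyberHawk (self-copy to the Windows directory, autostart entry) miss the modular case, while the correlated "hidden process opens a port" rule catches it. Process names, ports and the rule wording are constructed for illustration.

```python
# Added example: toy behaviour-blocker rule evaluation over constructed traces.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessTrace:
    """What a behaviour blocker would observe about one running process."""
    name: str
    has_window: bool                       # False = no visible window
    writes_to_windows_dir: bool = False    # copies itself into the Windows dir
    sets_autostart: bool = False           # adds a Run/startup entry
    listens_on_port: Optional[int] = None  # opens a listening TCP port


def basic_rules(t: ProcessTrace) -> List[str]:
    """Each rule fires on one self-contained suspicious action."""
    hits = []
    if t.writes_to_windows_dir:
        hits.append("copies itself to the Windows directory")
    if t.sets_autostart:
        hits.append("adds an autostart entry")
    return hits


def correlated_rules(t: ProcessTrace) -> List[str]:
    """Fires on a combination of observations that are benign on their own."""
    hits = []
    if not t.has_window and t.listens_on_port is not None:
        hits.append(f"hidden process listens on port {t.listens_on_port}")
    return hits


def alerting_layers(t: ProcessTrace) -> List[str]:
    """Names the rule sets that would raise an alert for this trace."""
    layers = []
    if basic_rules(t):
        layers.append("basic")
    if correlated_rules(t):
        layers.append("correlated")
    return layers


# Constructed traces. The "modular" case is the thread's test: an installer
# already did the copying and the autostart entry, so the payload itself
# only runs without a window and opens a port.
MONOLITHIC = ProcessTrace("dropper.exe", False, True, True, 5555)
MODULAR_PAYLOAD = ProcessTrace("payload.exe", False, listens_on_port=5555)
HIDDEN_SERVER = ProcessTrace("httpd.exe", False, listens_on_port=8080)
EDITOR = ProcessTrace("notepad.exe", True)

if __name__ == "__main__":
    for trace in (MONOLITHIC, MODULAR_PAYLOAD, HIDDEN_SERVER, EDITOR):
        print(trace.name, alerting_layers(trace) or ["no alert"])
```

HIDDEN_SERVER shows the caveat the post makes: a legitimate hidden listener trips the same correlated rule, so the alert is a prompt for a decision rather than a verdict, and the execution/low-level controls still have their place.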