Cyberhawk -- is it for the birds?

Discussion in 'other anti-malware software' started by bellgamin, Aug 27, 2006.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Ooooo!!! Where can I get one of those chocolate teapots? {I looove chocolate!} :cool:

    You aroused my curiosity, so I tried it. I, too, couldn't find a way to disable community AND still retain update capability. I suppose that the rationale behind this is that you have to give unto others if you want them to give unto you.

    As to whether or not CH's *community* encroaches on privacy, kareldjag's HIPS review had the following comments (quoted-in-part here)...
    As to CH's resource usage, my Task Manager shows 2 processes are running (CHService.exe & CHTray.exe) using (in round numbers) a combined 12MB ram & 4MB virtual memory. CPU usage is <0.1% (no doubt, she's a hooker).

    I have CH running alongside of non-free System Safety Monitor (SSM), DrWeb, & Kerio 2.1.5. No evident conflicts. No perceptible slowdown.

    Since I run non-free SSM, I probably don't *need* CH, but I am interested in further testing of CH's community concept, so I shall continue running CH until I get a good reason for uninstalling it -- which might not be any time soon. I LIKE this program!:thumb:
     
  2. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    bellgamin, do you think Cyberhawk has surpassed Winpatrol Free and Arovax Shield, and maybe even equal to WinPatrol Plus?
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    First, I rule out Arovax Shield and WinPatrol Free. Those are okay programs but aren't yet powerful enough to be regarded as Intrusion Prevention Systems.

    WinPatrol does more things than Cyberhawk. It monitors startup on most (NOT all) of the autoruns/startup hives. It monitors HOSTS, file associations, IE helpers, cookies, services, hidden files, IE home & search pages -- LOTS of stuff in your computer's groin area. It also lets you click right into a large database to find out the nature, use, & *danger* of the various active tasks, processes, hidden files, & services on your computer.

    Bottom Line- WP+ is a fine research tool & teacher. Since it doesn't *truly* hook the kernel, it is not fast enough to spot & block a new (potentially nasty) process before it has a chance to do damage. It is fast enough that it *might* catch a nasty on time, but there's no guarantee that it will.

    On the other hand, Cyberhawk DOES hook the kernel & will spot and block stuff before it has a chance to do anything.

    Now, as to Cyberhawk versus WinPat --

    Analogy (comparing WP & CH to doctors):
    WinPat is a diagnostician
    Cyberhawk is a surgeon who specializes in castration

    Allegory: Let's say that Fred McNasty is a malware berserker who wants to enter your house in order to rape & pillage.

    Here's how Win Patrol deals with Fred- During or soon after the time when Fred enters your house & starts doing baaad stuff, WinPat lets you know that Fred is acting suspiciously.

    Here's how Cyberhawk Deals With Fred- Hawk spots Fred while Fred is still trying to jimmy open a window. Hawk grabs Fred by his testes, and asks what you want to do with the SOB.

    In my opinion, CH (it's free) plus WP+ (it's damn cheap) are an excellent combo to go with your AV, Firewall, & anti-spy. Of course, there are TONS of other options besides CH & WP.
     
  4. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks bellgamin, that was informative and funny. I have installed Cyberhawk, and its two processes are only running around 15MB for Memory Usage, and 6.8MB for Virtual Memory Size. Events Analyzed so far are at 2666 as I'm typing this, with 103 Programs protected, and no Suspicious Events Detected. So far I see no slowdowns on my PC with two user accounts running at the same time. I will log off one now and see what tomorrow brings, but so far I like this program. I do wonder though, if it can do what it says it can on the Website. According to the Testimonials I also read there, some people swear by it. Take it easy, and thanks again.
     
  5. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Cyberhawk could be a great program, but I think that it still needs a lot of work before I start using it or recommend it to my friends...

    For now I use the real-time features of "Spyware Terminator", that are very well made and are very, very low on the system resources, and I'm very pleased with it... :)

    I will continue to check the incoming versions of Cyberhawk to see its progress...
     
  6. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Hello VaMPiRiC CRoW, I know you're a big fan of Spyware Terminator, and I like that program a lot as well. I have it on board, and am just using it as on-demand while trying out Cyberhawk. Don't know what to say about CH though, other than low Memory Usage, and as of now no slowdowns. Probably like you however, I like the way ST is much richer in its GUI Features than the "this is how many Events were Analyzed, and how many Programs are being Protected" way CH shows things.
     
    Last edited: Oct 21, 2006
  7. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Yes :)
     
  8. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    V.C. Do you think CH HIPS, is better than the HIPS used by ST?
     
  9. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I don't like the current programs HIPS, but I may prefer the HIPS features of CH.
    I have the HIPS feature of ST disabled...
     
  10. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    I don't think CyberHawk and ST's HIPS are comparable. The latter is the successor of PG type HIPS, lots of alerts.

    The former tries to be more intelligent.
     
  11. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    What about running Spyware Terminator with RealTime Shield activated, but not its HIPS, and using Cyberhawk instead as HIPS protection? Or is this simply too much protection for most users? The reason I ask is, I tried that New Trojan Test that is referred to in this forum from the trustware.com website, and although I doubt the validity of it, Cyberhawk was the only program that popped up a warning, and a fast one at that. AVG Free didn't at all, ST with HIPS activated at the time didn't either, and Comodo Firewall just asked to allow or deny the Trojdemo.exe access to FireFox (which I believe stopped it anyway). Whether the test is legit or not, the fact that CH alerted me so quickly made me feel good about the program. They seem to be running well together, and System Idle Process is at 98, but again maybe it's just too much for the average user to run at the same time. Appreciate some responses from ST and CH users. I have used PG Free and SSM Free separately in the past, and they were definitely more than I felt I needed to have for protection. I do however, like both ST and CH. They have a low impact on my system (so far) and apparently both have good RealTime protection as well.
     
    Last edited: Oct 22, 2006
  12. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Even with the HIPS disabled on ST, if you use these programs at the same time, maybe they will conflict because they monitor some of the same system areas...
     
  13. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    I knew you would respond VC and thanks. I like using CH and ST together, but I just don't know if I really need this much protection. However, since they both seem to be running fine together so far, I may wait a day or two before uninstalling CH to hear what some others think about using them together. I believe ST is probably more than enough protection for my needs, but I like CH. Now maybe after CH adds Spyware Protection as had been mentioned by them to soon be coming I may reconsider using it again. Hey did you try that test on trustware.com? As I said CH alerted me right away, but I don't think the test is all that legitimate.
     
    Last edited: Oct 23, 2006
  14. Simon6776

    Simon6776 Registered Member

    Joined:
    Apr 3, 2004
    Posts:
    282
    As well as the potential risk that having too many security apps running together may cause conflicts, as VC said, worse still, could it cause them all to miss something vital, if they are all fighting over the same system area? Is it possible that they could end up cancelling each other out, and leave you more vulnerable?
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Gents

    ST and CB are a great couple for users not having the knowledge (or wanting to invest the time) for a granular defense like SSM or Antihook.

    ST = blacklist spyware + IDS + HIPS (application monitor which creates a white list by investigating your hard drive). In plain English, the ST HIPS feature stops unknown applications when they start.

    CB = basic registry and windows directory protection PLUS protects against DLL and Data injection of processes.
    In plain English, CB stops malware when it tries to insert itself into a harmless application (like explorer or calc).

    DEP (Data Execution Prevention) = when your processor supports it, enable it for all programs in XP (google on DEP and XP). In plain English, DEP allows memory to be executed only when it is marked as code, so memory heaps/stacks cannot be misused by overwriting memory from data locations (overflow attacks).

    Pros: without having the trouble or knowledge, with ST + CB + DEP the average user will have 90% of a combined SSM+BO-clean level of protection.

    Cons: ST + CB are easier to attack (they do not protect themselves like SSM or Antihook, for instance).

    :thumb:
     
    Last edited: Oct 23, 2006
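    The post above recommends enabling DEP "for all programs". The following script is an added example, not code from the thread or from any of the products discussed; it reads the documented DEP properties of the Win32_OperatingSystem CIM class and reports whether the system-wide policy actually covers all programs. It assumes a Windows host with PowerShell 3.0 or later (for Get-CimInstance).

```powershell
# Added example: report the system-wide DEP policy (not part of the original thread).
function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Documented meaning of DataExecutionPrevention_SupportPolicy
    $policyNames = @{
        0 = 'AlwaysOff (DEP disabled for all processes)'
        1 = 'AlwaysOn  (DEP enforced for all processes)'
        2 = 'OptIn     (Windows system binaries only; the client default)'
        3 = 'OptOut    (all processes except an explicit exception list)'
    }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        PolicyCode           = $policy
        Policy               = $policyNames[$policy]
        Applies32BitApps     = $os.DataExecutionPrevention_32BitApplications
        AppliesDrivers       = $os.DataExecutionPrevention_Drivers
        # "All programs" in the sense of the post means AlwaysOn or OptOut
        CoversAllPrograms    = ($policy -eq 1 -or $policy -eq 3)
    }
}

$status = Get-DepStatus
$status | Format-List

if (-not $status.HardwareDepAvailable) {
    Write-Warning 'Hardware (NX/XD) DEP is not available on this machine; only software DEP can apply.'
}
elseif (-not $status.CoversAllPrograms) {
    Write-Warning 'DEP is not enforced for all programs.'
    # Changing the boot setting needs an elevated prompt and a reboot:
    #   Vista and later : bcdedit /set nx OptOut      (or AlwaysOn)
    #   Windows XP SP2+ : /noexecute=OptOut switch on the boot entry in boot.ini
}
```

    OptOut keeps DEP on for everything while still allowing a per-program exception list, which is why it is the usual choice when an old application breaks under AlwaysOn.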
  16. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Could Cyberhawk replace a third-party firewall then? I use Comodo which has dll injection protection and wouldn't give it up. But I wonder if Windows XP Firewall and Cyberhawk wouldn't just be enough for the average user, along with an AV and AS program?
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    The v1.7 of ST will have self protection...
     
  18. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    They are different programs...

    Cyberhawk doesn't have detection of outbound network connections, so every program could connect to the Internet without any problem...
     
  19. Simon6776

    Simon6776 Registered Member

    Joined:
    Apr 3, 2004
    Posts:
    282
    Just like Windows Firewall then. ;)
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No you are right. CyberHawk is not a replacement for your Firewall. The advanced rules have an option to detect out-bound traffic, only the advanced rules options do not work yet in CB.

    The discussion was whether cyberhawk was useful as an add-on. When you look at firewalleaktest dot com, you will see most firewalls only prevent a percentage of the breakouts (Comodo for instance only 35%). 35 percent is better than nothing, but still not comforting. It is fake security. Also download the Zapas test which does a dll-injection. You will see that Comodo fails against Zapas (in my test with Comodo, Zapas was able to inject a DLL into calculator, while CyberHawk stopped it).

    After throwing away a paid version of Norton Internet 2006 on my wife's PC (she got mad at the pop-ups), I did not bother anymore about outbound protection. It is like a bank putting more effort into preventing the thieves from running away instead of preventing the theft.

    When you have a good (paid version) firewall (see firewalleaktest) I would be the last to advise not to use it, so keep on using it.

    When an unknown application is prohibited from starting and overflow/process manipulation is prevented, you have a good chance of surviving a break out test as well. You have a fair chance that a breakout which is smart enough to overcome that will also break through your firewall (as the firewalleaktest shows).

    I have for instance the following setup: Antivir, DynamicSecurityAgent, CyberHawk (all free) and DefenseWall (paid). This set (no additional security apps) with DEP enabled for all programs survived a lot of tests while using IE7!
    To mention a few of the tests: DFK threat simulator 2, Trojan simulator, Trojan demo (BufferZone), CPIL (of Comodo), Greenborder test, GeSWall test, Wallbreaker, Thermite, CopyCat, MBtest, Surfer, Jumper, DNStester, Breakout 1 + 2.

    Although Windows recognises DSA as a firewall, it is available as an add-on to PrivateFireWall. So according to the real firewall adepts I survived without an outbound firewall.

    Please have another look at the firewalleaktest site and make your own conclusion. AV + AntiSpy + FireWall is just not enough protection. That is why I am positive about Spyware Terminator and CyberHawk (plus using the built-in protection of your CPU with Windows = DEP). I think it is great that the average user is able to configure a good protection with freeware with for instance: Antivir + SpywareTerminator (HIPS enabled), CyberHawk, DEP, FireFox with BufferZone for FireFox and McAfee SiteAdvisor for FireFox.


    Regards Kees
     
    Last edited: Oct 23, 2006
  21. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    The site is outdated, particularly with respect to Comodo. In fact despite its other flaws Comodo is the king of the leak tests only perhaps Outpost 4 is comparable.

    You sure about that?




    Reasonably quiet setup. But I wonder how necessary Cyberhawk really is, at least with its default settings, given that you already use DSA.

    Of course cyberhawk does give you more options for more customized control over files/folders and or network connections. So does Geswall, coreforce etc.

    But offhand I would say that cyberhawk's network controls don't offer any additional protection against leak tests (if that is what you are concerned about) compared to most firewalls anyway.

    Off hand, I would say that DSA is enough.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Devil's Advocate,

    I waited with Comodo until they supported 64-bit AMDs. I had read often that it was a good firewall. When I downloaded Comodo (two weeks ago), I noticed that it also protected against dll-injection. So I tested it against Zapas. It failed (I could have thrown away CyberHawk when it passed).

    The advanced rules you mention of CyberHawk do not work yet. It is true that I do not have CyberHawk to prevent leaktests. The combination of an application monitor (like DSA) and CyberHawk would help against leaktests.

    The firewalleaktest site mentions 2003-2006 in its header. I did not know these tests were outdated (apologies to all Comodo fans). I started to google after Comodo failed Zapas. The disappointment of failing the dll-injection test and the header (2003-2006) probably gave me a coloured vision of the data they presented. Again I take your word for Comodo being the (anti)leak king.

    Regards Kees
     
  23. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Actually comodo passes this one. Although you are able to 'inject the implant', when you try to download, comodo warns that the memory in IE is modified, and if you block it, it doesn't manage to download anything.
     
  24. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    As i said it doesn't stop the injection per se, but it notifies that IE is modified and warns you, giving you a chance to stop the connection.

    Really? Where did you get this information from?
    If so this makes cyberhawk pretty useless.

    Out of the box, my testing indicates that DSA pretty much covers everything Cyberhawk does. Cyberhawk is supposed to be smarter, but that aspect I was unable to test yet.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Devil's Advocate

    I started Zapas from my harddisk. It was able to implant a dll into calc while Comodo was active. Comodo did not give a warning, while it promises to do so.

    I added some custom rules, noticed it did not work. I asked the CyberHawk help desk and they said they were working on it. Still CyberHawk is a useful add-on (prevents data and dll-injection), for example on Comodo (just kidding)

    :)

    I just tested Zapas against DSA. DSA prevents startup, but when I allow it, it is able to connect to windows calculator. So it seems not to prevent DLL injection.
     