Defend against keyloggers, hooks, rootkits etc.

Discussion in 'other anti-trojan software' started by Wai_Wai, Sep 21, 2006.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yes, BOClean can kill and remove preinstalled rootkits and whatever else it finds in your computer.
     
  2. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I would not rely on anti-malware to do the cleanup at all. It is also too late when the malware is infecting your files and destroying your system, so this part is not a concern to me.

    If your system is infected, it is hard to tell whether the anti-malware can clean the virus COMPLETELY. Some infected files might be left undetected during the cleaning process. Your system may be re-infected again later on.

    The best way is, if you have kept a snapshot, simply roll it over to the last clean state.
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    One thing which makes it very difficult for me to choose among these security products is that there are nearly no independent tests to compare their performance.

    Do they work as they intend to? How well do they achieve their goals?
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Prevx1 has whitelisting and blacklisting that's sophisticated enough to catch such things and polymorphic malware, and also has a more true memory scan (more like BOClean than most others) that can detect things like rootkits while they are running and cloaked and DLLs injected into system processes (and so, yes, should detect preinstalled keyloggers). Of course you then have behavior blocking, generic detection, and heuristics for those things that are unknown to the community database, which is further enhanced by the fact that you don't get prompted very often. If something unknown is allowed to run, it will continue to check with the community database for updates until it's been marked good or bad. If something you're running has been marked bad, it will kill it and remove it. Also remember that the realtime reporting and live lookups do a lot to close the gap that poses problems to "blacklist-only" based solutions. By combining whitelisting, blacklisting, and generic protection with the live database you get the advantages of all with much less of the drawbacks. You can put Prevx1 in Pro mode for a greater chance at blocking behavior by files not already determined by the analysts, and all sorts of new generic and heuristic detection methods are being added all the time.
     
    Last edited: Sep 23, 2006
  5. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Hmm, I never tried GeSWall vs a rootkit, but I did try it vs Morgud's threat simulator (which drops a rootkit) and GeSWall stopped it. GentleSecurity's website also touts GeSWall's ability to stop rootkits cold as a big "selling point". And GeSWall seems pretty good vs keyloggers too; I tried it vs Martin's undetectable keylogger and GeSWall stopped it from logging ANY alphanumeric keys.

    Hope that helps, aigle.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks zopzop. Nice to see you again.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, that looks nice. Will try it sometime against rootkits.

     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That's good.
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I agree -- assuming, of course, that you know when your computer was TRULY in a clean state.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Creating CLEAN snapshots and backup files is quite easy when you install your computer OFF-LINE.
    The trouble is that more and more software requires an internet connection during the installation, and even winXP requires an internet connection to make the activation possible.

    This is WRONG. Each piece of software needs the possibility to be installed off-line, and that gives users the opportunity to make at least one clean backup of their system partition. That clean backup allows users to re-install their computer from scratch without doing it manually.
    Another and even better reason why this is wrong is that not every computer has an internet connection. At work we have used PCs without an internet connection for many years and we still do.

    Once I connect my computer to the internet, I consider my computer as infected and that's why I try to keep my computer clean with a frozen snapshot or refreshing on-line snapshots with clean archived snapshots, because restoring a clean image backup file every day takes too much time.

    There is no other way for less-knowledgeable users, because any other method
    - has too many holes or
    - requires too much knowledge or
    - is too vulnerable due to wrong user decisions.

    I don't want to guard my computer like a hawk and watch every move it makes and spend a lot of time on cleaning it.
    I prefer to use my computer for work and fun. :)
     
    Last edited: Sep 24, 2006
  11. herbalist

    herbalist Guest

    Agreed. For the most part, I avoid software that requires an online install, but there are things you can't get any other way. Microsoft for example won't make separate downloads available of certain items, telling you you have to get them thru windows update or whatever they call it now. It's irritating and an unnecessary risk to have to go online to get patches to protect yourself from certain vulnerabilities and expose your system in the process.
    I can't say if this will work on XP the way it does on my 98 box, but I found that I could capture those updates from their temporary locations on my system. The standard method M$ seems to use is to download the update to your system, launch and install it via a command from the net, then delete the installer. I found I could interrupt that chain with either a HIPS to alert me when the installer tries to start, or by removing the firewall rule permitting IE6 internet access and having the firewall ask each time. Kerio allows you to reply "allow this time only". The 2nd can be a pain as I'd get a new connection alert for each step in the process, but between finishing the download and launching it, I'd always see another connection alert, which told me that the installer was complete and I could copy it to another location.
    When using HIPS, instead of just allowing the updater to run, I'd go to the location where the updater was downloaded to and make a copy of it first, saving it for another use later. SSM names the location. The same general idea works with the firewall intercept, but you have to hunt for the new installer. You don't always find them where you might expect.
    Just a little something you might want to try the next time you visit windows update.
    Rick
     
  12. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Agree! It is annoying that I need to be online to complete the registration. That's stupid, isn't it? Keep the registration process as simple as possible. Making it complicated just annoys the users.

    Yes, the only prerequisite to get infected is to simply connect to the Internet (or get it from other external sources like infected CDs). That's it! You don't need to do anything else.

    It is said:
    - the number of reported entry attempts is averaging over 1.1 BILLION attempts per month. Remember that this only represents a small percentage of the actual number of port scan attacks, those that are reported by participants.
    - the current "survival time" (the average time for an unprotected system to be attacked and compromised) is only 9 minutes. This means that a newly installed unprotected operating system connecting to the Internet for the first time will, on average, be attacked within 9 minutes and compromised in some way.
    [From http://www.tweakhound.com/xp/security/page_1.htm ]

    If a hacker knocks at your door and infects you with his new malware, you may get infected if your system is not strong enough to protect against the exploit or can't detect that malware. It is just a matter of minutes to attack your computer. Don't think it is too far away.

    One day, my anti-virus program warned me of a virus (invasion) once I closed my firewall. See! How fast it is to come by your door.

    It's a dream for all (except the bad guys).
     
  13. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Anti-Executable offers only a limited scope of protection. It uses a whitelist approach, while Prevx1 and Online Armour offer a wide range of protection. Depending on your existing security on your computer, you may wish to use specific products or the generic ones.

    Both Prevx1 and Online Armour are community-based HIPS. It is good for less savvy users who cannot decide on their own.

    Unlike most HIPS and security products, Prevx1 is an "it-tells-you-what-to-do" type of HIPS. It is not for people who like to keep control of their own computer. It decides everything it knows about on your behalf (you can't change that). If it thinks the program is bad, it will block and kill it immediately. It doesn't ask for your permission at all.

    With Prevx1, I'm becoming a slave. Prevx1 is my master now :D (joking). I would prefer it to tell me the recommended action, but it is me who makes the final decision.

    For undetermined items or programs, you decide what Prevx1 will do - auto-allow / prompt / auto-block.

    Since it is the security software which makes the decision, you may run into problems when things go wrong. There are some cases where Prevx1 generates false positives and kills the genuine process, or prevents you from installing, or stops the program from making some changes. It can be very annoying and this may interfere with your routine and work. It has a place where you may put your program as an exclusion, but it doesn't work well - a partial solution.

    I find Prevx1 less configurable too. For example, you can't customise the protection mode. You can disable nearly none of its protection components.

    If you use Prevx1, you are forced to participate in the reporting and feedback. For Online Armour, you can opt in or out. Online Armour is better in the aspect of configuration and user controls.

    You may wish to try Online Armour as well.

    I would strongly NOT recommend running either Prevx1 or Online Armour as the only security product. It is against the philosophy of layered security protection. No security product is fool-proof. They have holes. They may not work as they claim to. Malware writers can always find a workaround to bypass your protection. :ouch:
     
    Last edited: Sep 24, 2006
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    If there are certain things you want Prevx1 to block from programs marked Good, you can always switch to Expert mode and block the action with the "Always remember" option checked to create the personal rule. Just remember that the reason it was changed to not prompt you on everything was because that proved ineffective against malware (unless you're a malware expert). In the case of at least one high-profile worm, over 70% of instances were allowed, and equal numbers of legitimate processes were blocked as well. With the current

    This is available in the family license.

    Right, the whole point is the automated (and realtime) malware research. It puts new processes through tons of generic detection and heuristic rules, then passes the info on to the analysts who make determinations in realtime. It's not solely based on behavior blocking or signature detection, but a hybrid of both, so you get the best of both worlds with less of the drawbacks. Without the community database, Prevx1 would be just another signature based product with the same long response times with behavior blocking tacked on. As it is now, we see a lot more malware and get detection added a lot sooner. Of course nothing is 100%, but this way does have some serious advantages.

    I'm wondering if you've perhaps not allowed the initial scan to finish. The primary reason for this scan is to build a catalog of what's on your drive so that you're not prompted on anything already installed. It then verifies everything to make sure none of it is malware. If you've allowed the initial scan to finish, you should be presented with anything detected all at once, at which point you should be able to move any false positives to Probation where you should not be prompted for them again. If it's not doing exactly that, please write in to support as your Prevx1 install is not working normally in that case. For any false positives you encounter you can double click on the entry in the Jail tab (from any of the sections) and click the "Disagree?" link to have it fixed in the community database. These are normally fixed within a few hours, depending.
     
    Last edited: Sep 24, 2006
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455

    Straight from the Anti-Executable Manual :
    A simple black & white philosophy, but very efficient and above all UNDERSTANDABLE for EVERYONE.
    If AE fails, any change will be removed by the frozen snapshot after reboot.
    If my frozen snapshot fails, I still have my clean original archived snapshot.
    How many more layers do I need? Until I have 30+ security programs on my computer? No way man.

    For the moment, I'm satisfied with the theory, because I don't have the time to test it in practice,
    but I already noticed that AE is very STRICT, because the security is set to HIGH.

    Prevx1 is indeed a lot more than just that, but Prevx1 also requires daily updates and my frozen snapshot
    doesn't allow updates of any kind, unless I do it myself.
    The question is: "Do I need any updates?" After all no change means NO CHANGE.
    That frozen snapshot is working fine and needs only GOOD changes if it doesn't work properly anymore.
    I thought I was clear about this, maybe my English isn't good enough. :)
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The only updates you'll get are software updates, which are not daily. All the determinations in the database are looked up when the new process tries to run. There are no database update downloads like in your antivirus, that's the whole point of the community database (having access to new determinations as soon as they're made, without having to wait for updates). You should be getting program updates maybe once a month or so, not daily. With DeepFreeze, however, it won't be able to store the determinations locally, so it will have to look up anything new each time it runs. The way around this would just be to run anything you install in Thawed mode before rebooting to Frozen mode, as well as checking for updates at the same time.
     
  17. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Your English is fine. :)

    As to your "rollback" security system, how do you solve these problems outlined here:
    https://www.wilderssecurity.com/showthread.php?p=843848#post843848


    Does Anti-Executable stop only executable files like *.exe? How about others?

    I haven't tested this product, but I heard someone said it couldn't stop malicious scripts.

    How about Process Guard? It can do what Anti-Executable does plus more. To your interest, here's what it can do:
    (Sidenote: I notice you don't like answering popups, so this program is probably not suitable for you)
    Known Attacks - Introduction

    It is quite amazing how many different types of attacks processes can launch against other processes. Many can be fatal, allowing the attacking process to completely bypass all security put forward by another. In this chapter we explain some of the main attacks, as briefly described here.

    Termination - The attacking process attempts to terminate or otherwise fatally kill the target process. This is the most common attack and can be accomplished easily by a number of ways, but the most common method is to call the TerminateProcess function, located in the kernel32.dll module. For detailed information about process termination please visit the website for our freeware Advanced Process Termination utility.

    Crashing - The attacking process attempts to forcibly crash the target process. This is just as effective as termination, but often results in visual giveaways on-screen such as error messages from the operating system. Termination is usually preferred for this reason, but crash susceptibility is still a security concern, and error messages can easily be hidden by the trojan if its author wants it to do so.

    Modification - The attacking process attempts to modify or inject code in the target process, usually with the intent of changing the behaviour of the target process, or hiding its own code in the context of the target process. The target process remains resident and active, but in a modified state. For example, an attacking process could modify an anti-virus scanner so that nothing is ever detected, or modify a firewall so that all traffic is allowed in and out.

    Suspension - The attacking process attempts to suspend the target process (usually by suspending all threads belonging to the target process), leaving it resident but in an inactive, frozen state. Often this can still leave the visual impression that the program is ok, especially if it's only visible in the system tray or taskbar.

    Leaktests - Leaktests are demonstration programs that test various methods of bypassing firewalls often used by trojans. The attacking process (in this case the Leaktest program) attempts to transmit data to the Internet, usually using advanced techniques such as hooking and thread activation in order to bypass firewalls. Although never designed to be an anti-leaktest program, ProcessGuard has been demonstrated in real-world tests to have remarkable results against many firewall bypass techniques due to its process-protecting nature, making it possibly the strongest program available today for securing firewalls.

    Rootkits & Drivers - Kernel-mode drivers (.sys files) have the power to perform very low-level system functions, and in the case of rootkits (advanced trojans that modify operating system functions to try to gain stealth) they can actually modify the behaviour of critical operating system functions and security processes.

    Hooks & Injections - The attacking process attempts to inject a DLL (the hook) into all processes on the system, allowing it to then perform functions on behalf of other processes. When an application has been hooked it can make termination attacks a lot easier, as well as open up certain firewall leak-tests.

    Physical Memory - It's possible for user-mode applications to read and even write to kernel regions of memory by using the "\Device\PhysicalMemory" object. This opens the door for a plethora of attacks against other processes.

    User Imitation - Malicious programs can generate the same key strokes and mouse clicks that human users use to shut down programs. The attacks are program-specific but nonetheless very effective and fairly easy to execute. ProcessGuard is able to protect against such attacks by combining its advanced Secure Message Handling and Human Verification techniques.

    Process Execution - You'd be surprised how many programs execute on your system without your knowledge, and there have also been various operating system and software exploits discovered over the years that allow attackers to execute programs on a target system. Controlling which programs can and can't run on your system is one of the strongest ways you can prevent the above attacks from occurring in the first place, so by allowing you to control program executions ProcessGuard provides you with two layers of security in one.


    All of the attacks above represent a very serious and very real threat to local system security, particularly because the majority of people execute programs on their system without actually knowing exactly what all of the code in the program does, but all of these attacks can be easily protected against by DiamondCS ProcessGuard, as demonstrated in further detail in this section.
     
    Last edited: Sep 24, 2006
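Two threads of the discussion above, Wai_Wai's "roll back to the last clean state" (with bellgamin's caveat that you must know when the machine was TRULY clean) and the whitelist / "control which programs can run" idea behind Anti-Executable and ProcessGuard's Process Execution section, come down to the same mechanism: a manifest of what a known-clean system contains. The Python script below is an added illustration written for this thread, not code from Anti-Executable, ProcessGuard, Prevx1 or any poster. It hashes a known-clean tree into a manifest, reports what was added, removed or modified later, and uses that manifest as a content-based allowlist. The directory layout and file contents are constructed for the demo; nothing in it touches a real Windows install.

```python
"""Clean-baseline manifest and hash-based allowlist (added example).

Illustration code written for this thread, not code from Anti-Executable,
ProcessGuard, Prevx1 or any poster. The directory layout and file contents
in demo() are constructed.

  1. build_manifest: hash every file under a known-clean tree (the "clean
     snapshot" of the thread) into a path -> SHA-256 manifest;
  2. diff_manifest: compare a later manifest against it to list added,
     removed and modified files;
  3. is_allowed: treat the manifest as an execution allowlist keyed by
     content, so a patched or newly dropped binary is refused even when
     its name looks right.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's POSIX-style relative path to its SHA-256 hex digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline; lists are sorted for stable output."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in set(baseline) & set(current)
                           if baseline[k] != current[k]),
    }


def is_allowed(path: Path, root: Path, baseline: dict) -> bool:
    """Allow execution only if the file sits at a baselined path AND its content
    hashes to the baselined value; a matching file name alone is never enough."""
    expected = baseline.get(path.relative_to(root).as_posix())
    return expected is not None and sha256_file(path) == expected


def demo() -> dict:
    """Build a tiny constructed 'clean' tree, baseline it, then simulate the
    kind of changes an unwanted install makes and return what the checks report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ constructed clean application")
        (root / "bin" / "helper.dll").write_bytes(b"MZ constructed clean helper")
        (root / "config.ini").write_text("safe=1\n")
        baseline = build_manifest(root)  # taken while the tree is known clean

        # Constructed post-baseline changes: one file patched in place,
        # one new file dropped, one file deleted.
        (root / "bin" / "helper.dll").write_bytes(b"MZ constructed patched helper")
        (root / "bin" / "dropper.exe").write_bytes(b"MZ constructed unknown file")
        (root / "config.ini").unlink()

        changes = diff_manifest(baseline, build_manifest(root))
        return {
            "changes": changes,
            "app_allowed": is_allowed(root / "bin" / "app.exe", root, baseline),
            "patched_helper_allowed": is_allowed(root / "bin" / "helper.dll", root, baseline),
            "dropper_allowed": is_allowed(root / "bin" / "dropper.exe", root, baseline),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the three change lists (dropper.exe added, config.ini removed, helper.dll modified) and the allow decisions: the untouched app.exe passes, the patched helper.dll and the new dropper.exe are refused. Keying the allowlist on path plus content is the conservative choice; it also refuses a clean binary copied to a new name, which is a one-line policy change in is_allowed if you want hash-only matching. The diff is only as trustworthy as the baseline, which is exactly bellgamin's point: take it off-line, before the machine has ever been exposed.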
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Sorry, but that's not true. I have gotten updates every day since I have had Prevx1, and each time Prevx1 asked to be restarted again.
    And I updated my snapshot with these updates. :)
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    This is one of my very few grumbles with Online Armor.

    @Notok- Is this a Prevx support forum? Why not put such guidance in a PM, I wonder?

    Actually, since this thread is gradually turning into a "my program is better than yours" debate, I am well protected by SSM -- which has its own support forum over Yonder.
     
    Last edited: Sep 24, 2006
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Windows Defender and A-square have the same problem. I find this very ANNOYING and I'm very angry with M$, because of the online activation of winXP.
    When the good guys are helping the bad guys to infect your computer, that's for me the limit.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    SSM isn't good for less-knowledgeable users, way too complicated.
    My type of users have neither the time nor the will to learn such software. :)
     
  22. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    ....this security task is assigned to BOClean. I highly recommend it. ;)
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have only one problem with BOClean. I can't try it without buying it.
    If I don't like it or my total system doesn't like it, I know I get my money back. I wonder how I will get my money back in Belgium. International payments aren't cheap. :)
     
  24. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Just trying to clear up misconceptions; that particular issue is being, and will be, further dealt with in private. Since Prevx1 is a bit of a new approach I know that it's not always clear how it works. It's neither a pure scanner nor a behavior blocker, and it even took me a while to really get the whole concept. I hope I can at least give a good idea of how the program works and why it is that way. Sorry if I gave the impression that I'm trying to push the program in any way, that's not my intention.

    On another note, to add to the original topic of defending against keyloggers and such, one of the things that most people don't seem to realize is that a lot (if not most) modern keyloggers actually don't use hooks anymore. Rather than intercepting keystrokes as they are typed, what a lot of them are doing is capturing the information your browser submits, just before it's encrypted and sent. So when it comes to keyloggers, you don't want to rely entirely on blocking hooks and such anymore. Martin's Undetectable Keylogger is a novel approach, but not really used since it's not particularly reliable. If you've got protection against rootkits, however, then you'll at least be covered enough for your other anti-malware to have a much better chance of detecting and removing it.
     
    Last edited: Sep 24, 2006
  25. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Personally I don't see this thread as pushing Prevx1. I am following this thread with more than average interest. And I hope as long as the mods don't jump into it this discussion can stay public.
    Just my opinion.

    Gerard
     