DSA or SSM

Discussion in 'other anti-malware software' started by Hipgnosis, Jan 16, 2007.

Thread Status:
Not open for further replies.
  1. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    I would like to hear from the people who have used both System Safety Monitor (free) and Dynamic Security Agent and get your recommendations on which of these you think is best and why.
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Good question. I'd also like to know the answer to this. I know the free version of SSM doesn't have low level disk access protection (the paid version does of course). Does anyone know if DSA free has low level disk access protection? It'd be pretty sweet if it did.
     
  3. KDNeese

    KDNeese Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    236
    I believe the main question is "How much control do you want over your own system?" SSM is more user-involved, and allows the user to set rules for applications or processes. DSA, on the other hand, doesn't really have any rule-making capabilities, other than allowing or denying pop-ups. Also, with DSA, if you allow or deny a process, there is no way to go back and "undo" your decision. The only thing it allows you to do is to allow or quarantine applications and other processes. With SSM, on the other hand, if you find you made a mistake, you can access the rules and edit them. For me personally, I liked DSA for the most part, but became frustrated with the lack of rules editing. It kept prompting me for certain applications time after time, and I had no way of accessing any rules to make it shut up. For me, that is the advantage with SSM. It is mostly a matter of preference as to which one to use. Both are very good programs. For a person not familiar with system processes, SSM might be a bit daunting and difficult to use. DSA would be much simpler, as its prompts seemed much easier to understand. DSA filters Internet traffic, although this is somewhat redundant if you have a good firewall. The paid version of SSM also has network filtering, but again, is redundant if you have a firewall. Also, with SSM, if you place it in learning mode for a good length of time and allow it to learn your system processes, you receive very few popups, and the ones you do receive are not difficult to understand. SSM also allows you to choose which registry keys you want it to monitor, and it is very easy to add additional keys. Bottom line - if you don't understand how your computer works, go with DSA. If you want more control of your computer and more flexibility in creating rules, go with SSM.
     
  4. EASTER.2010

    EASTER.2010 Guest

    Agree. One <GOOD> firewall is plenty enough, BUT, DSA comes with their own version of sorts and of course now is released as the PrivateFireWall app.

    If you want to play with these types of prompt programs, they are beneficial to learning some ins and outs of your system/processes etc., and you can review what is actually passing as normal signals (malware) compared to normal signalling of XP throughout its OS circuit.

    If given the choice as per the title of this Topic though, my choice continues to rest with SYSTEM SAFETY MONITOR bar none. It's enough for my interest and peace of conscience to know it can quickly & efficiently intercept entries and offer the user a choice plus protect other apps from being completely terminated.

    I'm still convinced DSA is a nice app too but not nearly at the level of a SSM, imo.
     
  5. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    For me, SSM is definitely the best; it offers more comprehensive protection but can be harder to use as a result.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have used both.

    First I have to say that we are using a hardware firewall router as a shield before our PCs. I think this is important, because you will need a good (free) software firewall (Jetico, Kerio, Comodo, Look'nStop) when not being behind a hardware FW; see Wilders or have a look at FireWallLeaktester.com.

    Second, the amount of control you would like in order to feel safe in regard to your surfing and P2P habits (as stated earlier by KDNeese).

    DSA:
    - is a basic application and network firewall on application and process level (allow or quarantine)
    - has a system and e-mail anomaly checker (the e-mail checker is for preventing you from becoming a mailbot)
    - I also have the experience that some settings are 'forgotten/lost' from time to time (e.g. updates of my antivirus from a temporary with the name of the update/release)
    - has a learning option

    SSM free
    - is an application firewall only and also protects against termination, modification, global hooks, allowed libraries etc.
    - also basic protection for IE, registry and services; the registry module is fully functional so you can add your own entries
    - the ini protection module is functional though empty (but you can add your own *.ini entries in it)
    - I have not used the filter for internet (last module)
    - has an option to be quiet (no pop-ups) with the user interface disconnected
    - has a learning option (is in paranoid mode for tightest security)
    - offers the broadest functionality as a freeware version (e.g. compared to ProSecurity, Antihook, ProcessGuard, etc.)
    - Free version does not check for internet initiation

    Although a basic internet connection firewall, DSA chewed through every leaktest I have thrown at it. So the lack of TCP/UDP control rules did not reduce protection against data theft.

    Third, what other security programs do you have?
    A diagram of an IT research institute (Gartner or Forrester) explains this.

    1. At what moment of the flow of events of a malware attack does the security application offer control (Entry, Access, Trigger, Damage and Exit control)
    2. What is the level of protection (Hardening, Blacklist, Behavior, Whitelist) they offer

    I will explain with a little story.

    1. Flow of events of a malware attack

    A general rule is "the earlier, the better".

    Entry
    An inbound firewall is like a guard standing at the gate of a large office; the guard determines whether you are allowed to enter the premises or not. This is called entry control.

    Access
    A sandbox HIPS like GeSWall/DefenseWall is standing at the reception of the building. It allows access to different stores of the building depending on the credits (rights) a person has when entering from outside. Visitors from potentially harmful places (like e-mail, Internet, P2P, chat, floppy drive, USB stick, DVD-ROM etc.) get a badge (marked untrusted) which does not allow them to visit certain stores of the building. By not giving them access (isolating them) they are not able to disturb the integrity of the building (the host system). This is called access control.

    Trigger
    A classical HIPS (like SSM and ProSecurity) focuses on the triggers which might disturb the safety/integrity of the building. It is like a constant surveillance camera which monitors the movements of visitors inside the building. When a visitor wants to enter a specific door (a trigger like dll or data injection into a process, adding registry entries into vulnerable files of the OS, adding drivers or starting up new programs) the guard checks whether the visitor is allowed to do so. By not opening secured doors or only opening harmless doors, this type of trigger control of the kernel and the vulnerable files guarantees your system integrity. This is called trigger control.

    Damage
    This type of guard checks whether a visitor infects other inhabitants of the building (a virus or a disguised trojan). These programs are the old and familiar Anti Virus programs which check at every read or write operation of data whether something harmful is left behind. There are also guards which check whether a visitor is allowed to talk to another visitor or groups of visitors. These types of programs are called data firewalls (like SensitiveGuard and Data Sentry). This data firewall protects your system by not allowing certain visitors (e.g. programs with Internet access) to make changes to sensitive folders or read, create, modify, delete certain types of data (like *.exe, *.dll etc.). This protection is focused on preventing data damage.

    Exit
    These are the guards standing at the exit who allow only legitimate visitors to exit the premises (the outbound firewalls like Comodo and Kerio). This guarding can even be on a detailed level (allow driving to a certain specified place = IP address, from certain exits = ports). Outbound firewalls protect against data theft, for example (they prevent the bad guy from running away after a theft).


    2. Protection level
    The guard has several options to deal with visitor threats. In general the protection strength increases with the options downward.

    Hardening
    Guards (like SafeXP or Wehntrust) shut down certain services or facilities in the building. By shutting down a service (e.g. closing down the restaurant to prevent poisoning of food) this service or facility can not be misused. Hardening leaves all other facilities untouched and is therefore the weakest protection (it closes down services you did not need/use anyway).

    Blacklist
    A guard using a blacklist is like a 'wanted' poster. A blacklist contains identities of known criminals; when the guard makes a positive identification match the visitor/malware is caught and either imprisoned (quarantined) or shot dead (deleted). The good side is that they have a high protection rate against known criminals; the bad side is that new or unknown criminals are untouched (like zero day threats). Also criminals who are very good at changing identity (polymorphic threats) are harder to arrest with blacklists.

    Behavior
    These are very well trained guards looking intelligently at suspicious behavior and are called behavioral blockers. They allow everyone to go in, but when the visitor makes a suspicious move the visitor is arrested, leaving it to the judge (you) what to do with this visitor. The good thing is that only suspicious behavior is punished, providing strong protection against 'staged/successive' threats. A malware can start as an innocent visitor but gradually develop bad behavior. The downside is that it is very difficult to draw a line (what is good and what is bad behavior) and over time the assessment of bad and good behavior changes (like in real world society). Therefore behavioral blockers always tend to protect with some margin.

    Whitelist
    A whitelist is like a guest list where only known trusted visitors (like employees) are identified and allowed to use the building. A whitelist can also be an 'inverted' whitelist (marking what is not trusted, like sandboxes do). This requires a lot of knowledge (identification) of the inhabitants (the OS and the programs you have on your PC). Although the strongest form of protection, it is also the most labour intensive form. Exceptions to this configuration effort are the inverted whitelists of sandboxes, which are easier to define because they 'tag' a threat gate as untrusted (and all the programs using this gate), and pre-configured whitelists (often shared across the web, like Prevx1 for instance).

    Hope this explains (see example)
    Regards Kees
     

    Last edited: Jan 18, 2007
  7. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    Thanks for the feedback everyone and good analogies Kees1958. This is the type of helpful information I was seeking to help me make my decision. My interest in DSA and SSM is in adding a final security layer to prevent drive-by installs and other zero-day exploits.

    My current setup is:

    Hardware firewall/router with SPI
    Kerio 2.1.5 software firewall (with tightened rules)
    Avast antivirus
    SpywareBlaster
    WinPatrol
    *Generally safe web surfing habits
    *I don't use Instant Messaging or P2P.

    Thanks again for the very informative and helpful information.
     
  8. EASTER.2010

    EASTER.2010 Guest

    I have used BOTH running together and without serious issue but after a time I considered that maybe a bit much seeing as there needs be some room for CyberHawk which I have been highly impressed with since its inception into this field of HIPS.

    DSA has been a work in progress IMO, however PrivateFireWall has been released from the Beta stage into public circulation.

    Time and experience should point to its shielding capabilities and how well they stack up with other Threat Interceptors :thumb:
     
  9. ciannicello

    ciannicello Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    25
    Thanks everyone for the feedback regarding DSA. We are always interested in obtaining real-world experiences with our products.

    Just to clarify, the 'learning option' within DSA is for our Process Detection, Email and System Anomaly sections. Our Application Security section which covers Application Security and WinAPI calls does not have a training mode in DSA.

    The System Anomaly and Email Anomaly sections need the training period to establish a viable baseline of system behavior, and the Process Detection training period is useful to get a decent whitelist of your commonly used processes, etc.

    Thanks again,

    Chris Iannicello
    Product Manager, Privacyware
    www.privacyware.com
     
  10. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    As much as I liked DSA and wanted to use it, I had to remove it because it was blocking my company's VPN connection when I tried to log in from home. I could allow the VPN application to run and it would connect but something in the background was blocking back and forth communications. Since there is no logging there was no way to identify what was keeping me from establishing two-way communications so it had to go.
     
  11. ciannicello

    ciannicello Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    25
    Can you give me any additional details about your VPN? I'm going to check with development to see if there is any recourse in a situation like yours.
     
  12. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    If you install the trial of private firewall, you can edit the firewall rules with its interface and then shut it down and run DSA (if you save the program files from a previous installation or extract them from the installer), or vice-versa.
     
  13. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    I'll reinstall DSA in the near future and give it another go and see if there is any additional info I can provide.
     
  14. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    Reinstalled last night, ran my VPN client and same thing happened...it connected but then immediately disconnected. Don't know if any of the following will help but it's what I have:

    VPN is a Nortel Contivity VPN Client and this is from the README file:

    "The Contivity VPN Client is a Windows application that lets you create and store connection information for tunneling into an Extranet Access Switch connected to a remote corporate network. The Contivity VPN Client uses the IPsec protocol with the ISAKMP/Oakley Key Exchange protocol to authenticate and secure an end-to-end connection into a remote network."

    Prior to running the client I enabled logging (obviously some info changed for security reasons):

    Sat Feb 03 20:27:47 2007 : Isakmp : I : Logging subsystem initialized.
    Sat Feb 03 20:27:47 2007 : Isakmpd : I : Session End Notification setup for XP :
    Sat Feb 03 20:27:56 2007 : Isakmpd : I : Connection initiated to xxxxxxxxxx.com using Diffie-Hellman group 2.
    Sat Feb 03 20:27:58 2007 : ConfMode : I : IP Address xx.xxx.xx.x.
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Overide Keepalives Enable by client.
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Split tunneling enabled.
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xx.0.0.0 xxx.0.0.0
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xxx.xx.xxx.0 xxx.xxx.xxx.0
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xxx.xxx.0.0 xxx.xxx.0.0
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xxx.xx.0.0 xxx.xxx.0.0
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xx.xxx.xx.0 xxx.xxx.xxx.0
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Route Added : xx.xxx.xx.0 xxx.xxx.xxx.0
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Domain name set to "xxxxxxxxxx.com".
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Primary Domain Name Server "xxx.xxx.xxx.xx".
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Secondary Domain Name Server "xxx.xxx.xxx.xx".
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Saving Password on client is turned Off.
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Primary Failover "xx.xx.xx.xxx".
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Secondary Failover "xx.xx.xx.xxx".
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Tertiary Failover "xx.xx.xx.xxx".
    Sat Feb 03 20:27:58 2007 : ConfMode : I : Current time on switch is 02/03/07 15:28:08 GMT.
    Sat Feb 03 20:28:01 2007 : NameSrvr : W : Adding DNS Servers "xxx.xxx.xxx.xx xxx.xxx.xxx.xx".
    Sat Feb 03 20:28:01 2007 : Failover : I : Failover list set to "xx.xx.xx.xxx xx.xx.xx.xxx xx.xx.xx.xxx ".
    Sat Feb 03 20:28:28 2007 : Isakmpd : F : The secure Contivity VPN connection has been lost.
    Click Connect to re-establish the connection.


    Like I said, I don't know if any of that will be of any benefit but it's all I got.
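As an added aid for reading the client log above (this is not code from the post or from Privacyware or Nortel), a small Python parser for the Contivity log layout, run over a constructed sample in the same format. It shows how far the tunnel got (mode-config attributes are only pushed after IKE authentication succeeded) and how long after "Connection initiated" the fatal loss was logged, which narrows the search to what a host filter could be dropping after key exchange.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample in the Contivity client log layout shown in the post
# (timestamps as posted; host names and addresses kept as x-placeholders).
SAMPLE_LOG = """\
Sat Feb 03 20:27:47 2007 : Isakmp : I : Logging subsystem initialized.
Sat Feb 03 20:27:56 2007 : Isakmpd : I : Connection initiated to xxxxxxxxxx.com using Diffie-Hellman group 2.
Sat Feb 03 20:27:58 2007 : ConfMode : I : IP Address xx.xxx.xx.x.
Sat Feb 03 20:27:58 2007 : ConfMode : I : Overide Keepalives Enable by client.
Sat Feb 03 20:28:01 2007 : NameSrvr : W : Adding DNS Servers "xxx.xxx.xxx.xx xxx.xxx.xxx.xx".
Sat Feb 03 20:28:28 2007 : Isakmpd : F : The secure Contivity VPN connection has been lost.
Click Connect to re-establish the connection.
"""

# One record: "<timestamp> : <subsystem> : <level> : <message>"; level is I/W/E/F.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"(?P<sub>\w+) : (?P<lvl>[IWEF]) : (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_log(text: str) -> List[Dict]:
    """Parse records; a line without a header continues the previous message."""
    records: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            records.append({
                "ts": datetime.strptime(m["ts"], TS_FMT),
                "sub": m["sub"], "lvl": m["lvl"], "msg": m["msg"],
            })
        elif records and line:
            records[-1]["msg"] += " " + line
    return records


def analyze(text: str) -> Dict:
    """Summarise how far the tunnel got before the first fatal (level F) event."""
    recs = parse_log(text)
    started = next((r["ts"] for r in recs
                    if r["sub"] == "Isakmpd" and r["msg"].startswith("Connection initiated")), None)
    # ConfMode records mean IKE authenticated and the gateway pushed tunnel config.
    configured = any(r["sub"] == "ConfMode" for r in recs)
    fatal = next((r for r in recs if r["lvl"] == "F"), None)
    seconds = (fatal["ts"] - started).total_seconds() if fatal and started else None
    return {
        "records": len(recs),
        "key_exchange_completed": configured,
        "fatal": fatal["msg"] if fatal else None,
        "seconds_to_loss": seconds,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```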
     
  15. ciannicello

    ciannicello Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    25
    Thanks for the information. I will see what we can make of it.

    Chris
     
  16. Someguy

    Someguy Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    26
    @ciannicello:

    1) I noticed that DSA has not been updated in a while.
    Is this tool still being actively developed or will it just be integrated into your firewall solution and disappear as standalone?

    Can we expect to see any new DSA release notes soon? ;)

    2) Does DSA currently provide any protection against keyloggers using the browser (launched with parameters) for an outbound connection, like Kaspersky PDM has?

    Thanks.
     
  17. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    I liked DSA for the fact that it asks fewer things, but I had a slow but constant increase in RAM usage. Maybe because I was using P2P? I don't know.

    SSM is nice, but I tend to get tired after some time with constant popups, since I often try new programs.
     
  18. ciannicello

    ciannicello Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    25
    1) I noticed that DSA has not been updated in a while.
    Is this tool still being actively developed or will it just be integrated into your firewall solution and disappear as standalone?

    DSA is based on our desktop defense/firewall solution, Privatefirewall 5.0. DSA has the same functionality as Privatefirewall, but does not have custom rule setting, blocked URLs, firewall log, and some other features. So whenever we update Privatefirewall, we update DSA. We are working on a Vista-compliant build of Privatefirewall and will try and incorporate some new features as well (some of them come from suggestions from Wilders members). Keylogging protection is one of the things we are considering for the next build, for example.

    DSA will not be 'integrated' into Privatefirewall as DSA provides users with a free, unobtrusive yet powerful security solution. Privatefirewall is geared more towards users that like to customize their security environment, etc.

    Thanks,

    Chris
     
  19. EASTER.2010

    EASTER.2010 Guest

    If it comes down to a choice between the two right now, System Safety Monitor would have to get my vote hands down.

    DSA looks promising in its own right but AFAIK it will need to get plenty of prime-time and tests against all the most aggressive of malwares/rootkits and prove it's formidable in the areas of intercepting (Suspending), and Terminating them.

    Maybe others would like to post their results with this comparison.
     
  20. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I've got DSA running next to CyberHawk and Snoopfree and of course my antivirus without a problem. Seems to be doing fine so far, after several days. I also always have either Sandboxie or Powershadow engaged. No slowdown on my computer noticed. Whether it's actually doing anything, I don't know. I did get an occasional warning at first, but nothing suspicious.

    If I have a complaint, it's the 7 day training period. I'd prefer that be user choice. When I install a security program, I reboot and spend a few minutes opening all the software I normally use, then would like to be able to turn off learning mode and be fully protected from the get go. I did check the boxes specifying user alert for everything, and I like that the DSA information is more understandable for security retards like me.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Chuck

    I think your security is a good setup: Antivirus + Firewall + Process level + threat gate protection + Anti-keylogger

    Regards K
     
  22. ciannicello

    ciannicello Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    25
    Regarding Training Modes, the System Anomaly and Email Anomaly detection features require a substantial time frame to establish a meaningful baseline for effective behavioral anomalies.

    The Process Detection feature can be taken out of training mode at any time by unchecking the 'Training Mode' checkbox from the Process Detection Settings section within DSA.

    So if you want to end the training of Process Detection early, this can be done at any time.

    Thanks,

    Chris Iannicello
    Product Manager, Privacyware
     