Guide me...I'm up to here with pop-ups.

Discussion in 'other anti-malware software' started by AaLF, Nov 22, 2007.

Thread Status:
Not open for further replies.
  1. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Your advice / opinions please.

    I have Nod32 AV. This will not change as I am totally happy with NoD. The firewall etc is another matter.

    I've installed Comodo 3 and it's very good. However, as I install/uninstall much stuff etc., it'll probably never quieten down. I made a comment in a DefenseWall thread, to which the reply from Ilya Rabinovich said:

    Well, CPF v3 has a classical HIPS onboard. So, it's up to you if you can use it or you would like to use a more user-friendly HIPS solution like DW.

    I must say, yes these pop-ups are annoying. And one is always busy doin' this and that to keep it happy. Not as annoying as SSM - that wins an academy award for stealing days from a bloke's life. My question to the members is:

    What can I add to NoD32-AV to create a more "user-friendly and QUIET HIPS solution" rather than classical HIPS? And DefenseWall does appeal. I do want to be able to block some applications from outbound access so I can pull my old Kaspersky Anti-Hacker out of the box.

    So what's some good quiet combos?
     
  2. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    To control applications' outbound connections? That is network control. It seems to me...

    Comodo firewall with Defense+ that you mentioned, or any other firewall with built-in HIPS, can fill the shoe.

    DW to me is more like a sandbox, more precisely a policy sandbox application, as our member Kees1958 has mentioned. It may be of some assistance to you, but I do not know how.

    Pop-ups are a part of cyber life; we need them to stay alert and to be fully protected, because not every second passes without challenges or dangers. Take care.
     
  3. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello tisatashar,

    Please take a look at the following links.

    https://www.wilderssecurity.com/showpost.php?p=1123429&postcount=38
    https://www.wilderssecurity.com/showpost.php?p=1048262&postcount=5

    Please take a look at post #5 in the following link.

    http://gladiator-antivirus.com/forum/index.php?showtopic=64340

    Please take a look at post #2 in the following link.

    http://gladiator-antivirus.com/forum/index.php?showtopic=64342

    As for using DefenseWall effectively, I ask that you remain patient and read the detailed and comprehensive help file which can be found at the following link.

    http://www.softsphere.com/online-help/defensewall/

    For technical support problems or questions you can either contact Ilya via email (support@softsphere.com) or start a new thread at the official DefenseWall support forums, which can be found at the following link.

    http://gladiator-antivirus.com/forum/index.php?showforum=193

    Hope this helps.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Nov 22, 2007
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Tisatashar,

    I have spent 5 hours trying to get the Defense+ of Comodo quiet. Because it is a real Vista64 application, I gave it a try.

    1. When you change the built-in policies smartly you can get D+ a little more quiet.
    2. Due to limitations in the options given in the (safe) learning, you should make the isolated one the reduced-rights one (otherwise you ask to get bashed with pop-ups).
    3. D+ allows you to add additional registry and file defense. A nice trick.
    4. Problem is the Pending list. It does not like Avast nor a RAID setting. In striping (= RAID 0) the files are split across two or more drives, so a RAID by default is fragmented (which makes it fast). Although the data pieces are written to the disk in fixed-length units (which you define when you create the RAID), somehow Comodo loses count and thinks that a file is modified, while it may only be allocated differently in fixed data pieces (stripes) across the disks. After every re-boot I had 416 to 426 files to approve. The other issue is the trick Avast uses (for faster scanning) to incorporate the (or a part of the) black list in DLLs. After every Avast update these DLLs are considered suspicious and therefore get the untrusted label. No way in the world you can fix this by changing the access rights of Avast's executable.

    After 5 hours I gave up. For comparison: I posted the how-to of EQSecure 3.3 when it had a strange hierarchy of rules and there was only Chinese documentation (all taken care of in version 3.4). My Chinese does not go any further than hello, and I figured out how to use EQS and posted the results in 3 hours.

    I think D+ is way ahead in time to market compared to others and protection strength is amazing; also the FW of Comodo is great. But compared to D+, SSM/ProSecurity/EQSecure are very user-friendly programs. First thing all Comodo fans do when installing 3.0 is disabling D+. When you are not on Vista64, I would choose Webroot because it is much easier to use. When you are looking for additional intrusion protection there are other options (TF, PRSC, A2 with IDS or DefenseWall, GeSWall, SafeSpace Personal).

    When you want something more user-friendly try Haute Secure (soft sandbox), DefenseWall (policy sandbox), SafeSpace (virtualisation sandbox).

    When you are behind a hardware firewall you can use ThreatFire with some custom rules to have some outbound protection: https://www.wilderssecurity.com/showpost.php?p=1122407&postcount=32 and https://www.wilderssecurity.com/showpost.php?p=1122467&postcount=34 TF is also a behavioral blocker.

    Regards Kees
     
    Last edited: Nov 22, 2007
  5. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Thanks for your replies. I forgot to say I am behind an ADSL FW/router. Also my habits: I don't venture into the porno zones, nor do I engage in internet banking nor online gaming.

    As I read it from the links provided, I see it as this:

    NOD32 AV v3 remains. DefenseWall replaces Comodo HIPS (or even SSM) as they are noisy classical HIPS. A FW is primarily included to police outbound connections. However, ThreatFire is an alternative here.

    So as I understand, NOD-3AV/DW/TF will be a much lighter though still effective combo for my habits.

    Though I am a little bit unsure about TF replacing a FW for outbound. Will I get more benefit from TF as opposed to, say, my old Kaspersky Anti-Hacker 1.9.37 FW?
     
  6. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I'm also behind a router and use TF instead of a s/w firewall, using only the custom settings from posts 5-7 here. Took 5-10 mins, and the couple of apps that I forgot to add resulted in a pop-up each. Check "remember my decision". Give it a try and see how it works for you...
     
  7. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Please correct me if I have missed something, but does Comodo v3 not have an Installation mode which I thought could be flipped into when installing software so as to minimise pop-ups? If so, then have you tried that when you are doing all your installing/uninstalling? o_O
     
  8. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Hi, tisatashar

    Maybe ProSecurity could be a possible solution for your needs.
    I tested the Free Edition a few days ago and was impressed by its configurability (for a freeware).

    Features: http://www.proactive-hips.com/diffedition.php

    There is an installation mode and a learning mode to avoid too many pop-ups.
    You can also handle network access for applications.
    So with your configuration there would probably be no need for an extra software firewall.

    ProSecurity also seems to be the leak testers' sweetie, as you can see here:
    http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
    http://membres.lycos.fr/nicmtests/Unhookers/unhookers_results.htm
    Maybe someone even loves its ugly Win98 16-bit colour mode look.

    I’m currently testing EQSecure, also a nice HIPS app, but without network control, so good old Sygate is the doorman.

    Cheers
     
  9. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    NOD32 Smart Security v3.0 combines Anti-Virus, Anti-Spyware and Firewall. The firewall analyzes every packet. It all works together well and has a light footprint. NOD32 and Kaspersky are the best out there.

    One of the best programs you can get for ad blocking is Ad Muncher. It's written entirely in assembler code. If any program deserves any money it's that one. There are loads of options of every kind. It will not just block in your browser but block adverts from all ports. The program is only around 500k. Constantly updated. http://www.admuncher.com/

    http://www.ccleaner.com/
    http://www.tallemu.com/
    http://www.webroot.com/consumer/products/spysweeper/?id=SSAV_BUYNOW_GetSS
     
  10. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    I've used KIS and I agree. I own NoD AV and acknowledge it's top-shelf stuff. However, the world beyond this forum does not concur with your assessment of ESS (FW). And the ESS forum itself is a gloomy place. They (ESET) should have to follow MikeNash from Online Armor around to see a fine example of genuine support and caring. Shame on you, ESET.
     
  11. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Install mode reduces them, but things still seem to pop up. Maybe I'll go back. A question though to Baldrick:

    I've tried ThreatFire which didn't agree with my system so I'm trying ProSecurityFree. I noticed that you frequent their forum, so I assume you use ProSec. Do you also run Comodo - if so in what form?
     
  12. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Baldrick have you actually tried Defense+ of Comodo?
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    But people seem to forget that there's a difference between sandboxes and classical HIPS. If I'm correct, tools like DefenseWall, Sandboxie and SafeSpace have only one purpose: to protect you from zero-day bugs. They will automatically restrict certain apps, while with classical HIPS you can basically do the same but you will have to make the rules yourself.

    In addition to this, classical HIPS will alert you about any possibly dangerous behavior from every app that you're executing, so basically they give you a second chance to think about whether you really trust an app or not, and you actually want to see these pop-up alerts! However, I have to agree that it would be nice if HIPS were a bit more intelligent. I've noticed that there are two things that trigger the most alerts:

    So it would be nice if these things could be fine-tuned; for example, I'm not sure if it makes any sense to alert about every child executable that's launched. Also, I have removed protection for a couple of registry keys because I noticed that a lot of legitimate apps made use of them, and besides, I don't believe that allowing these registry keys to be modified is an immediate threat. I hope I'm not wrong. :rolleyes:
     
    Last edited: Nov 25, 2007
  14. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Spot on. You won't get any pop-ups while installing/uninstalling when it's in installation mode.
     
  15. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    I have, and installation mode works perfectly well.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Tisatashar,

    Are you on Vista? Then use UAC (or at least in quiet mode - see Tweak UAC).

    Nod32 is a decent AV; with DefenseWall your defense will be adequate. For extra notification use old Windows Defender. Remember that Defender is a much-bashed anti-spyware program, but has a relatively good IDS. Set the scan option off (near to useless anyway), use the real-time protection with the following options (others will be taken care of by DW):

    Real time (see Newby's post https://www.wilderssecurity.com/showpost.php?p=1125451&postcount=3 )

    - registry: auto starts
    - changes of system configuration
    - services and drivers
    - execution of programs
    - registration of applications
    - additions to Windows itself

    Make sure you also select "create restore point" before effectuating your choices. When you regret your choice (of accepting changes), then you can use Windows system recovery to restore to this point made by Defender.

    DefenseWall also has got a roll-back function; read the help files (also a strong feature of DW).

    You will have a very light but strong, easy-to-use defense.
     
    Last edited: Nov 26, 2007
  17. jfd15

    jfd15 Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    234
    Location:
    Sacramento, CA

    Yes, worked for me... I used to have to deal with 10-20 or more pop-ups for every new program until I finally started using this option... Defense+ was only a minor irritation for a week or so; now I rarely get either pop-up... hopefully Comodo is as effective as they claim...
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Jfd15,

    A lot of HIPS-like programs are only focused on keeping the system in a static state. Every change is rewarded with a pop-up. Most users cannot interpret these pop-ups anyway and use training mode to let the system determine a base pattern (of exceptions currently running on your system).

    The same effect can be realised with a policy sandbox, or running on Vista with UAC or SuDown in XP, so why bother with all those pop-ups?

    Regards Kees
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    @ Kees1958

    As said before, sandbox tools don't show any pop-ups because they trap everything in the sandbox anyway. But what if you're about to install a tool outside of the sandbox, on your real machine? That's where classical HIPS come into play: they will warn you about any possibly dangerous behavior. So that's why I don't understand why some people are recommending "sandboxes" when people say that classical HIPS are too noisy. They each have their own purpose. Also, running in a non-admin account won't protect you against all malware attacks.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    If you trust the tool enough to install it outside of the sandbox, you will give it all rights in your classical HIPS. Trust is the keyword here. How to create trust? Scanning at VirusTotal/Jotti, submitting to expert systems (Norman Sandbox, ThreatExpert), digital signatures, hashes/checksums, other people's opinions, EULAlyzer, etc.
    GeSWall has a handy log where you can see all the actions performed by isolated applications. It also warns you about malicious behaviours.
    Using LUA will protect you against most of today's malware.
     
  21. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    When it comes time to change something, e.g. "install an application", on PS you tick "install mode"; the same applies to Online Armor, Comodo and so on. So you end up dropping your shields when they are most needed.

    I think classical HIPS are a digital copy of Homeland Security's airport screeners. All they do is hassle ordinary people in their day-to-day activities.
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, but I changed classical HIPS for behavioral ones. The combo Sandbox + Behavioral HIPS (being PRSC, TF or A2 IDS) makes more sense: first layer is a sandbox. When I install something I do not want the pop-ups of a classical HIPS but the intelligence of a behavior blocker.

    One exception though: I tried the Chinese Micropoint proactive defense and was really impressed. All apps doing suspicious things to the OS were picked out; all the ones which would probably fire a classical HIPS alert were okayed. Can't figure out how to classify Micropoint. It seems to work like NeoavaGuard's point system (you know, quarantine above threshold) for apps triggering several rules (or how they are called in NG, I believe filters). The only big difference is that it seems to weigh the APIs involved in such a smart way that 'real' threats are filtered out.

    By the way, it managed one false positive (MaxBlast schedul2.exe), but it fired one FP less than ThreatFire (PRSC ruled with no FP, but was weaker in self-protection). Still using TF because it is free on XP, PRSC on Vista64.

    Regards
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I have to admit that I have never really used "install mode", and I don't have a clue what it's supposed to do. You're not going to tell me that it will make a HIPS monitor less, or even worse, nothing at all? That wouldn't make any sense to me. What would make sense is that HIPS would act a bit smarter and won't bother you with any parent-child execution alerts; for example, SSM alerts about every .tmp file created when installing an app. This seems pointless to me.

    Not me. The only time I turn off protection is when installing other security tools. They are the only tools that I completely trust, and I don't even have a choice of course.

    Yes, this is a nice feature; I would like to see something like this in Sandboxie and SafeSpace.

    Yes, but I'd still use HIPS even in a non-admin account. Also, with LUA you will never know what actions a certain tool is trying to perform on your system.

    OK, I see. I agree, a bit more intelligence would be nice. But with "intelligence" I don't mean HIPS staying quiet for no good reason; I'd rather see them a bit more fine-tuned to avoid getting useless alerts. And with "useless" I mainly mean certain parent-child execution alerts.
     
    Last edited: Dec 5, 2007
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Combine a LUA with a behaviour blocker or a sandbox and you become almost bullet-proof :)
    High security and high system performance for free.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @ lucas,

    Except on Vista64: UAC in quiet mode (with other default protections and installer recognition/auto-elevation off), free Defender (only real-time plus restore point before accept, options 3 and 4 off = taken care of by HauteSecure), paid PRSC, free HauteSecure (with extra warnings on BHO, ActiveX, Explorer settings, registry change and Winsock).

    So nearly free (and behavioral plus soft sandbox).
     