Hard decision

Discussion in 'other anti-malware software' started by Kees1958, Jun 8, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi folks at Wilders,

    I want to hear your opinion on the following dilemma.

    I notice that programs more and more start to use drivers to get the highest rights and easiest access within XP. Security software counters this trend by trying to get security up as soon as possible and remain active until just before system shutdown. The downside of this is that it is nearly impossible to choose the prompt + block option with a security program.

    With Neoava Guard beta, AppDefend beta and EQsecurity 3.4 beta I ran into a BSOD after selecting prompt + block for installation of drivers. Okay, the upside is that those security apps are able to intervene as soon as possible; the downside is that I cannot choose Prompt (or Ask) + Block as an option, because the GUI is not up and running when these programs notice the installation of drivers.

    Is this security worth the risk of BSODs? I have had three now in two weeks, before I could track down the cause (non-standard IDE drivers loading on one PC, not on the other). With my data stored on an external hard disk I could have had three serious malware infections with the same impact (only wasted time). Bottom line: by trying to achieve better security I have caused more self-inflicted pain in two weeks than malware has been able to do in the last two years!

    Regards K
     
    Last edited: Jun 8, 2007
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hello,

    Is your question: how standard are they?
    Where's the decision then?
    So what's the dilemma?

    I'd like to help, but you'll need to enlighten me a bit more.

    Mrk
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dilemma:

    The race for earlier protection in the driver installation process will cut the user out of making decisions in real time. How useful will this protection then be?

    Early detection in the logon process is what you want, but the GUI is not on yet, so:

    - Option prompt + allow always causes an allow
    - Option prompt + block always causes a block, because the GUI is not up and running; you might run into other problems (a system BSOD-ing because critical drivers are not loaded).

    With the current implementation the HIPS becomes an IDS (you can check afterwards in the log) or a possible system crasher.

    So my dilemma is: am I going to tighten security at the risk of BSODs? Obviously there is a far greater chance that I will become the security risk!

    (Note: reading the first post back I noticed that I wanted to write my frustration over 4 lost hours off my mind. Mrkvonic, that is why I edited the first post; you were right, it was hard to guess my question)
     
    Last edited: Jun 8, 2007
  4. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Yeah, there's definitely a trade-off. Personally I prefer to leave the default ask/allow to keep errors to a minimum. Naturally this reduces my security, but I'm confident enough in myself to take that risk.
     
  5. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: I am not a magician nor an expert in computer science. But I do know that when too many fish are trying to kill one another in order to get to the next available food, that is when the sky comes loose upon you. Three is a crowd; do you think these three are somehow stepping on one another's toes? There is just so little room in low-level space for them to breathe. I have been there, packing in all the HIPS I could get my hands on, and then BSODs were a daily occurrence. I have since trimmed down, down and down. Now my box works more sleekly, more flexibly. IMO, if you do this for research purposes, it's an excellent tryout, but if it is for daily computing, God knows. Good luck.
     
  6. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I had this problem too with EQS 3.4 RC2. I have a clean system (fresh XP install), so I just put it in learning mode and restarted a few times, then modified the rules a bit, took it out of learning mode and everything went well after that. :)

    I went back to 3.3 because of some English translation problems with RC2, though.

    But I do believe that, in principle, if you've pretty much protected every possible startup option, services and drivers, you don't need HIPS to run ahead of them. So I still prefer the EQS 3.3 approach of running at normal startup. It's way faster IMO.
     
    Last edited: Jun 8, 2007
  7. EASTER.2010

    EASTER.2010 Guest

    I noticed so far that no updated version, be it beta or release candidate, is up to the same level I find with 3.3, so until proven otherwise it looks like I'm sticking with it. Who knows, maybe that will become the first & last stable version. o_O
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hello,

    For me, it's always:

    - functionality first
    - "security" second

    I can take care of security, but I cannot invent functionality.

    I would not use software that causes BSOD.

    Mrk
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi! All of these HIPS are beta. They are certainly not stable ATM, esp. EQS and NG, so it's not unexpected.

    HIPS take a lot more time and a lot more users to reach a stable version, provided their development is fast. And if there are only a few users and development is also rather slow, you should expect anything from a BSOD to a completely unbootable system. Don't forget the conflicts as well, especially when you are using many kernel-level security software products.

    To me (and I expect to all), of course, functionality is more important than security. I don't expect an atomic attack on my PC. Most of the software I use is mainly for fun.

    For trouble-free security I would like a good AV (trouble-free, with good detection, very few or no false positives - Norton, Norton -, light and without any HIPS functionality like PDMs), and a router. A trouble-free sandbox like Sandboxie if anything more.

    Or I would prefer a Mac, in fact.
     
  10. herbalist

    herbalist Guest

    Maybe I'm just missing something here. These programs that are installing the drivers, are they part of something you already have installed and use, something you're trying out, or something you didn't ask for or didn't expect from a particular installation?
    Rick
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Perman, Aigle, Herbalist

    I did not try them at the same time, but sequentially, one after another. The beta stage did not cause the BSODs, but the blocking of drivers did (ask + block is in practice a block when the user interface of XP is not yet up and running). All of these 3 programs did what I told them to. I did not realise that these programs were not able to communicate with me in that early stage of the XP logon/boot process.

    The point is, they start to protect so early that an ask + allow is in fact an allow always, because there is no user interface up and running. On the other hand, an ask + block will increase the chance of BSODs.

    Reg K
     
    Last edited: Jun 10, 2007
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks, that is the point/angle of discussion I was looking for.

    The point is that the earliest protection is useless because the user interface is not up, so the system cannot communicate with the user, so

    - ask + allow = turns into an allow
    - ask + block = might block critical drivers from loading and crash your system.

    So a better angle would be the one you mentioned: you do not need to install first when you have all startup options covered. This is also according to Mrkvonic's principle (functionality first, security second, because you can cover this by controlling the startup entries).

    Thx
     
    Last edited: Jun 10, 2007
  13. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    To ensure I understand the substance of this discussion, what precisely would these tasks entail?
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OK, you used them separately, but they are still beta (each one of them). Also I think you try to configure very tight rules (more security, less functionality is the rule).
    BTW, I always put a HIPS in learning mode and boot my system twice or thrice to make rules automatically and to avoid such system freeze-ups/glitches.
     
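    The early-boot decision logic Kees1958 summarises in post 12 (ask + allow collapses to allow, ask + block collapses to block when no UI exists to answer the prompt) and the learning-mode baseline aigle and glentrino2duo describe can be shown as a small policy model. The following Python is an added example written for this thread; it is not code from Neoava Guard, AppDefend, EQSecure or any other product named here, and the driver file names are constructed sample data, not a real boot list. It models one rule set and shows why a fail-closed rule is only safe once the clean boot drivers have been learned into an allowlist.

```python
"""Model of a HIPS boot-time driver-load policy (added example, not product code).

Assumptions: every driver load is an event carrying the driver path and a flag
saying whether an interactive session exists yet. Before the shell is up no
prompt can be shown, so an 'ask' rule must fall back to its default.
"""
from dataclasses import dataclass, field
from enum import Enum


class Rule(Enum):
    ASK_ALLOW = "ask, allow if no answer"   # fail-open default
    ASK_BLOCK = "ask, block if no answer"   # fail-closed default


@dataclass
class DriverLoad:
    path: str
    ui_available: bool   # False during early boot, before the GUI exists


@dataclass
class Hips:
    rule: Rule
    learning: bool = False
    allowlist: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def decide(self, ev: DriverLoad, user_answer=None) -> str:
        """Return 'allow' or 'block' for one driver-load event."""
        if self.learning:
            # Learning mode: record what a known-clean system loads at boot.
            self.allowlist.add(ev.path)
            self.log.append((ev.path, "learned"))
            return "allow"
        if ev.path in self.allowlist:
            self.log.append((ev.path, "allow (rule)"))
            return "allow"
        if ev.ui_available and user_answer is not None:
            # A prompt is possible and the user answered it.
            verdict = "allow" if user_answer else "block"
            self.log.append((ev.path, f"{verdict} (user)"))
            return verdict
        # No way to ask: the 'ask' rule collapses to its default.
        verdict = "allow" if self.rule is Rule.ASK_ALLOW else "block"
        self.log.append((ev.path, f"{verdict} (default, no prompt)"))
        return verdict


def boot(hips: Hips, drivers, ui_available: bool = False):
    """Simulate early-boot driver loads; return the paths that were blocked."""
    return [d for d in drivers
            if hips.decide(DriverLoad(d, ui_available)) == "block"]


# Constructed sample data: drivers a clean box loads early, plus one unknown
# driver standing in for the non-standard IDE driver from the thread (or a rootkit).
CLEAN_BOOT = ["atapi.sys", "ntfs.sys", "tcpip.sys"]
SUSPECT = "x9drv.sys"   # hypothetical name


def demo():
    # 1. Ask + allow with no UI: everything loads, including the unknown driver.
    h1 = Hips(Rule.ASK_ALLOW)
    blocked_open = boot(h1, CLEAN_BOOT + [SUSPECT])

    # 2. Ask + block with no UI and no allowlist: the boot drivers are blocked too,
    #    which is the BSOD scenario from the first post.
    h2 = Hips(Rule.ASK_BLOCK)
    blocked_closed = boot(h2, CLEAN_BOOT + [SUSPECT])

    # 3. Ask + block after two learning-mode boots of the clean system:
    #    only the unknown driver is blocked.
    h3 = Hips(Rule.ASK_BLOCK, learning=True)
    for _ in range(2):
        boot(h3, CLEAN_BOOT)
    h3.learning = False
    blocked_baselined = boot(h3, CLEAN_BOOT + [SUSPECT])

    return blocked_open, blocked_closed, blocked_baselined


if __name__ == "__main__":
    for label, blocked in zip(("ask+allow", "ask+block", "ask+block, baselined"),
                              demo()):
        print(f"{label:22s} blocked: {blocked}")
```

    The third scenario is the working compromise the thread arrives at: a fail-closed rule is only usable when the allowlist already covers every driver the system needs to boot, which is what the learning-mode boots produce. Anything learned on a machine that is not known to be clean is, of course, baked into the allowlist as well.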
  15. EASTER.2010

    EASTER.2010 Guest

    I actually have the first beta 3.3 working to perfection for the most part. Yeah, it may lack in some respects here & there, but for the most part when that's evident I team it up with my fully featured HIPS to work in tandem, although I've experienced no ill effects at all from version 3.3 and nothing has compromised it yet in some of my malware tests.

    As far as regular surfing, it's plenty enough for me. I guess I really fancy the information it offers, and there's plenty of that to examine and take note of. LoL
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    At least the startup entries Toni Klein defined once (I do not know the link any more).
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    A bit OT, EQS 3.3 is running here as well instead of SSM free. No major issues ATM but i will watch( there were some system lockups while making rules for file protection).
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, but for instance AppDefend worked well for four consecutive boots, then I changed Ask + Allow into Ask + Block and bingo.

    Neoava Guard has an internal rating system: when a program acquires too many points it can be quarantined. So with NG you are never certain (when you have chosen that option). This bad-behaviour points system is a splendid idea, only I want to be notified when a program enters the danger zone.

    EQS 3.4 had nothing in the log files (when you try it, I also noticed that it does not remember the choices made at system shutdown), so I changed it too soon (I know). But the log did not show anything.

    I am walking the path from SSM with the user interface disconnected (and blocking everything without asking the user), to asking the user at exceptions and losing security, from Anti-Executable to Behavior Blocker (Prompt + Block is my default now for EQS 3.3).

    Regards K
     