Having second thoughts, maybe dumping AV for AS?

Discussion in 'other anti-malware software' started by Fly, Apr 9, 2009.

Thread Status:
Not open for further replies.
  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I've explored the option of running only non-signature security software, not without drawbacks.

    Since I will be dumping my current AV very soon, I've been looking for a replacement. I don't know who stated it on this forum, paraphrasing 'AVs tend to catch spyware earlier than antispyware applications'. And while many, if not all AVs virtually ignored spyware a couple of years ago (perhaps with the exception of trojans, but what's the difference between a spyware trojan and a 'virus trojan', feel free to explain if you know), these days AVs are on to them.

    I'm talking about real-time protection here, not on-demand scans.

    Well, I'm having second thoughts.

    After all, I consider real viruses (not sure about trojans) a virtually irrelevant threat. (Are there actually 'viruses' that act as spyware?) Over the past five years, I encountered only a handful, unlike spyware.

    In the past, AS' were quite effective in dealing with spyware. Typically, they were not as bloated as AV applications. I'm really not concerned about real viruses. I'd probably be willing to ditch an AV, if I could get sufficient antispyware protection.

    In a way, I feel a bit stupid to get an AV just to deal with spyware. If you look at av-comparatives, that's a weak spot for most AVs.

    As far as I know, there are no good antispyware applications with GREAT real-time protection, like blocking 90 % of spyware real-time (older version of the Spy Sweeper). In 'the old days', you could install a number of AS applications (yes, all real-time) working together - if you knew what you were doing.

    Yes, there is Counterspy version 3. Let's just say I have my reasons for not buying it.

    MBAM is popular, but it is intended as a supplement for things that AVs don't catch. SAS real-time protection? I have a couple of reasons for not adopting it 'right away'. 'Lifetime license'? That can't be sustainable in the long run. And I've read that SAS' real-time protection is not that great (poor?).

    In the past, I could easily combine the Spyware Doctor with the Spy Sweeper plus the real McAfee ANTIVIRUS (not the antimalware program it is these days). Later I replaced the Spyware Doctor with Counterspy 2.x, great combination.

    Is there any way to get first-rate AS programs (more than one!) with real-time protection running, or is that something from an epoch that's over? I'm talking about real AS applications, not about 'tech' options like LUA, SRP, Anti-Executable, DefenseWall etc.

    The Spy Sweeper is off the table, for several reasons.
     
    Last edited: Apr 9, 2009
  2. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    I think the problem is that there are too many rogue/fraud apps out there and none of the AS programs can keep up with all of them. That's why I don't do much downloading these days and if I do I'll use VT to scan the file 1st and then DriveSentry to detect exactly what is being done to my system when I d/l the actual file. I still swear by SAS/MBAM/A2 for their on-demand capability.

    Windows Defender isn't all that bad either when you join their "spyware community". It turns the app into a pretty decent HIPS. I've tested a few rogue apps with it and surprisingly it caught many of them w/ just its signatures alone.

    Toby
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    All detection software has weak spots. There are no clearly drawn lines between viruses, worms, trojans, spyware, adware, etc. The different categories are not clearly defined. Each vendor pretty much has their own definition. Many types of malicious code meet the "definitions" for several categories. All of the anti-software is vulnerable when a piece of malicious code is new. It doesn't matter how many times per day it updates.

    It's entirely possible to run a PC safely without signature based detection software. To do so, you have to implement a different security policy. AVs and other signature based detection software are based on a policy of default-permit. Anything not identified as malicious can run. A policy based on default-deny can replace signature based detections. With default-deny, the software that's allowed to run is specifically identified and only those apps and processes are allowed to execute. Everything else is blocked. The policy is restrictive and requires the user to know their PC well. It's not for users who install and try out a lot of software, but it's ideal for those with a "finished system", one that's set up and equipped the way they want it. Default-deny can be viewed as an anti-change setup. It makes it difficult and inconvenient to alter the system.

    One of the two best methods for implementing a default-deny policy is software restriction policies combined with limited user accounts. The other is a classic HIPS with tight application rules. The two can be combined. There are several threads that cover both methods in this section. Both methods have their advantages.

    The above choices should be combined with solid control over the internet traffic with a router, software firewall, or both. The setup can be further strengthened by adding filtering of the permitted web content. This can include a restrictive configuration of the browser, browser add-ons like FlashBlock, NoScript, etc, or a free standing filtering app like Proxomitron.

    A program like Sandboxie can also be an asset to a default-deny configuration by using it to effectively isolate the attack surface. For this purpose, the attack surface is:
    • all apps and processes that have internet access,
    • all apps that can be launched by the above items,
    • all apps that will be used to open content or files from any outside source.
    Sandboxie effectively isolates the potential points of attack, requiring the malicious code to first break out of that containment, if that code can even execute with a default-deny policy in place. In this type of setup, the only weakness is the user. Users other than the administrator should be prevented from launching all unknown executables, a task default-deny takes care of. If the administrative user exercises common sense in what they open and allow, not falling for social engineering tricks, the above setup will take care of the rest of your security problems.
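    A read-only check of the kind this post calls for, added here as an example and not part of the thread: it inspects the machine-wide Software Restriction Policy registry keys (the standard SRP locations) and reports whether the default-deny setup described above is actually in place, and whether any Unrestricted path rule covers a folder a limited user can write to. It assumes Windows XP or later with SRP, an elevated PowerShell, and the helper name Resolve-SrpPath is this example's own.

```powershell
# Added example (not from the thread): read-only audit of the machine-wide
# Software Restriction Policy, checking for the default-deny setup described
# above. Assumes Windows XP or later with SRP; run from an elevated PowerShell.

$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
             131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $base)) {
    Write-Output 'No machine SRP policy found: the system is default-permit.'
    return
}

$cfg          = Get-ItemProperty -Path $base
$defaultLevel = [int]$cfg.DefaultLevel
Write-Output ('Default security level: {0}' -f $levels[$defaultLevel])
if ($defaultLevel -ne 0) {
    Write-Output '  -> not default-deny: anything without a Disallowed rule may run.'
}
# PolicyScope 1 exempts administrators; TransparentEnabled below 2 skips DLLs.
if ([int]$cfg.PolicyScope -eq 1)        { Write-Output '  -> administrators are exempt.' }
if ([int]$cfg.TransparentEnabled -lt 2) { Write-Output '  -> DLLs are not checked.' }

# Locations a limited user can normally write to. An Unrestricted path rule
# that covers one of them undoes default-deny for that user.
$userWritable = @($env:USERPROFILE, $env:TEMP, "$env:SystemRoot\Temp")

# Resolve the registry-path form used by the default rules,
# e.g. %HKEY_LOCAL_MACHINE\...\CurrentVersion\SystemRoot%, to a file path.
# (Helper name is this example's own, not an SRP or PowerShell built-in.)
function Resolve-SrpPath([string]$item) {
    if ($item -match '^%HKEY_LOCAL_MACHINE\\(.+)\\([^\\%]+)%(.*)$') {
        $key, $name, $rest = $Matches[1], $Matches[2], $Matches[3]
        $value = (Get-ItemProperty -Path "HKLM:\$key" -ErrorAction SilentlyContinue).$name
        if ($value) { return "$value$rest" }
    }
    return $item
}

foreach ($levelKey in Get-ChildItem -Path $base) {
    $level    = [int]$levelKey.PSChildName
    $pathsKey = "$($levelKey.PSPath)\Paths"
    if (-not (Test-Path $pathsKey)) { continue }
    foreach ($rule in Get-ChildItem -Path $pathsKey) {
        # ItemData is REG_EXPAND_SZ; Get-ItemProperty returns it already expanded.
        $item = Resolve-SrpPath ((Get-ItemProperty -Path $rule.PSPath).ItemData)
        Write-Output ('{0,-12} path rule: {1}' -f $levels[$level], $item)
        if ($level -ne 262144) { continue }
        foreach ($w in $userWritable) {
            # the rule covers $w if $w equals the rule path, sits under it,
            # or the rule path itself sits inside $w
            if (($w -like $item) -or ($w -like "$item\*") -or ($item -like "$w*")) {
                Write-Output "  -> WARNING: Unrestricted rule covers user-writable location $w"
            }
        }
    }
}
```

    The script changes nothing; a warning on the SystemRoot rule simply means a Disallowed rule for that temp folder is still needed to keep the policy truly default-deny.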
     
  4. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I agree with running Sandboxie.

    But if you want a dedicated AS, with real-time protection, a-squared's anti-malware product comes to mind.

    The main reason is that it specialises in spyware and trojans, with virus detection being added only recently, say in the past year, with the Ikarus anti-virus engine (which has top detection rates).

    If you check out their malware database, you'll see detailed descriptions of how programs install, the files and folders used etc. See the first two programs I clicked on, 1 and 2.

    Also comes with the same behaviour based detection, which people here buy individually with their product 'mamutu', built in. You'll find it does an 'exceptional' job in finding all the problem files that AVs miss. There is an on-demand free version offered as well.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Yes, I tried A-Squared Anti-Malware and in my own testing it left me amazed at how this program catches/detects/removes malware in real time ;) so I agree with Saraceno ;)
     
  6. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    I agree with Saraceno: A-Squared, no competition as antispy/antitrojan. But the problem is that most of the complex trojans and polymorphic malware are "viruses", or rather viruses, and not spyware, and they need an antivirus software to be detected and deleted, not an antispy. And a HIPS today is naturally necessary anyway.
     
  7. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I tried a random free program the other day, uploaded to virustotal, and all came back clean. Once installing, had components and registry entries of a 'high risk' program in a-squared's list. I felt like a fool! ;)

    I ran an on-demand 'a-squared' web scan which picked this up and deleted the registry entries, and got me thinking about installing the real-time scanning again.

    It does use resources like running a couple of programs together, but the thing is, its protection is like running a number of programs together, in the one program. For example, I rely on their separate HiJackFree tool, but that's in their one AM program as well.

    Not that there is anything unreasonable about the resource usage given the protection it delivers, but if resource usage drops (just like the leading market AV program which is now light on resources), more people will be raving about it.
     
  8. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I would try A-Squared but since it has 2 engines + BB I can imagine it being quite heavy. How is its performance for you guys? Any system sluggishness?
     
  9. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Another for A2 Anti-Malware here, it's an awesome suite for spyware protection. :thumb:

    @firzen771 Although I don't notice any real impact on performance it does consume quite a lot of resources.
     
  10. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    No sluggishness, about the same speed when I ran Avast + ThreatFire. Maybe slightly higher (80-90MB), but with Avast+ThreatFire example, I'd need a spyware application. You can speed up browsing by disabling surf protection.

    See following pic from their website:
    http://www.emsisoft.com/images/en/a2am/securitystatus.png

    All depends what else you're running and your system specs. I know I have a few programs running, but for now focussing on AS programs and excluding say programs such as Sandboxie/DefenseWall, if I had to choose only one program to run to feel 'secure' while browsing the net and downloading/installing files (not preventing from installing, intentionally installing), would I run this? Yes.
     
  11. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    RAM isn't too big of a deal for me, I'm thinking if it would be noticeably slower than running Avira + Mamutu on CPU and responsiveness.
     
  12. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I'd say Avira + Mamutu would be lighter. You meaning just the AV? I haven't used Avira with firewall etc. (Actually just saw your signature - you have the premium version)

    With the on-demand free version, it's a good program, but if you don't use it in a few days, the definition update size will jump considerably in size.

    But in the real-time version, that isn't a problem as it's updating every few hours.

    All depends on the types of files you download, a lot from unknown sources for example. And also if you're paying for a number of programs yearly anyway, and you want to cut back the $$. If you're paying for mamutu, and an AV, paying an additional $13 for the full version AM program might be an option. Might also cut back on relying on other AS programs.

    The Ikarus engine is a definite enhancement to the product.
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I like some kind of signature detection as an addition, even if I could probably run TF (and possibly also Prevx with it) alone. Avira has also proven effective with its heuristics and is seemingly light. So is Norton, and it has its SONAR which at least catches new things sometimes. Then the others would probably come to help even before it does.
     
  14. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    A2 being good? I've used the online scan in the past, and never found anything but cookies. Has A2 been improved in a significant way?
     
  15. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    GW Pro and avira free (or regular scans with A2 free) would suffice if you have a hw firewall. Smart partitioning and data back up should fit in somewhere also. Rollback Rx maybe?
     
  16. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    A2 was always a competent scanner but it's changed beyond recognition since they added Ikarus and Mamutu to the mix. The only downside is the number of FPs thrown up.
    It certainly has scored very highly in the tests I've seen it take part in, at or very near the top (99%+ in some of them). Of course tests are only a guide, but having 2 engines plus the best BB certainly feels secure.
     
    Last edited: Apr 10, 2009
  17. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Avira Free will definitely be my AV of choice for now, I think. Gonna see if that edition also has automatic operation in real-time. If it doesn't I might as well buy one of the products available - it's worth its price, and you can still choose how many PCs it should be for, in comparison to my first choice Norton. The price at Symantec makes me switch.
     
  18. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    If what you mean is does Avira free have real-time scanning then yes it does.
     
  19. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Nope, that wasn't what I meant. What I've experienced before is that you can't select pre-defined actions when malware is found in real-time. For example I like to have it as first repair, then if it doesn't work, quarantine - simply because it'll prompt over and over again if you've it on interactive, and I tested it today by simply running an EICAR-test-file. I would get about 4 prompts about that same, simple test-file, and I selected Quarantine every single time (seriously, just do what I tell you to! WTH you ask otherwise!?) as the Free-edition still only has interactive-mode for the real-time protection, and on top of that the "notifier" (in other words, the "spammer") (ofc I know how to disable it, but for those that don't, say the average Joe who decides to install and test their free version... not that attractive except for annoying the user to death).

    I had those pre-defined actions for the scanner too before, but I really like the new "Combined" alert as it's informative, yet easy on the eyes with its simple list and action selection. Wonder why it's not a part of the real-time protection... Anyway, that means I can set the heuristics to high here with no worries as I can just review what's found fast and easy.
     
  20. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Something else to consider.
    Just when I thought I had my security figured out!

    That's very interesting.

    I've never heard of a product that analyses a program that way.
    Did it prompt you during the installation process?
    Or did it pick it up on a scan that it was installed that way?

    BTW, what was your security setup at that time?

    I'm very interested in this .....
     
  21. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Usually when you say your setup, it can turn ugly lol.

    I was using a popular free AV starting with A, that has no web protection.
    And Sandboxie. Also have Shadow Defender, which can reboot, and remove all threats, but I was interested in finding what the program installed.

    The problem program installed registry entries and another program, one that I've seen before. Think of it as trying to 'monitor' IE.

    I wondered whether the 'mamutu' component of AM would have picked this up, I'm guessing it would have, but the full version wasn't installed. I just ran the on-demand web scan. You have ThreatFire, which is similar to Mamutu, and I'll either install ThreatFire again or Mamutu, or try the full AM again.

    In previous wilders threads, I've installed some rogue applications. a-squared has pretty much delivered with detecting known problem files. Other AVs and programs usually do so a short time later, but emsisoft must be damn quick to add threats.

    You might try their web scanner service, and let it run a deep scan. Also try the custom scan on a few removable drives for example. It's a very simplified version of their scanner.
     
  22. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I must have picked it up wrong then :)

    I thought A2 was warning you of the registry entries as they happened or something.

    So after you did a scan, A2 showed the registry entries as risky?
     
  23. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Yep. And I opened up regedit and did a manual scan just to make sure the ones being deleted needed to.

    You'd be fine running TF. I'm just addicted to installing cr@ppy applications. I usually recover a file from sandboxie, then install the file while sandboxed, then check how it tries to install. This time I was lazy and got caught! ;)
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    I've abandoned AVs ever since SSM first proved its POWER to capture "BEFORE THE FACT" even new or packed junkware (viruses), and indeed have enjoyed a very malware-free system in simple surfing aside from my malware stalking duties, but in retrospect after all this time I must admit that, as formidable as a HIPS has proven to me to be, AVs I realize are equally if not more critically important regardless of their signature-database detail-watching protections. The two of them together make more sense short of virtual systems, Deep Freeze, etc.

    But to dismiss an AV strictly for just an AS, no matter how well designed it is, simply is not exactly as safe as one might think. I've seen the best AS's including SAS & MBAM completely blind to what AVs have detected as a serious threat that could virtually disable a PC. And in like manner, the same applies to anti-spyware apps. I've seen AVs ignore what AS's clearly detected, and rightly so, potentially malicious spyware/crapware that can be nearly a job for Paul Bunyan to bust out from a PC.

    So my answer would be that BOTH an AV + AS is a very useful tandem indeed, and who can honestly say a virus or spyware from some determined clever programmer couldn't penetrate a virtual system at some point in time, which is why I blow loud my horn for all users to at least keep a couple of known clean backup images in the event of the seemingly impossible, because where Windows is concerned anything can happen, including the O/S itself self-corrupting.

    EASTER
     
  25. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Thanks for the information.

    I decided to give A2 a trial, mostly to test its usage of resources. I don't think Mamutu was part of it, it was listed separately on the website.

    I uninstalled all security applications, cleaned up the remains of McAfee with their tool, and installed A2.

    Sadly, I couldn't get it to work. I could scan, the system wasn't frozen, but with that product on my computer I could not access the internet even though my wireless software indicated that the connection was up and running (using IE 7). I tried tweaking some stuff, but that didn't work. While I can't completely rule out that some remnants of uninstalled security software caused the problem, I suspect that it has to do with the firmware of my wireless router and USB adapter (uses WPA-PSK AES). I've noted a tendency of security software to interact with that on my PC. Too bad.

    While not having a real place in this thread, I understand that there is a wizard in XP (service pack 2) to set up a wireless connection. I have always used the firmware instead of that, following the instructions in the manual. But for that wizard you need a lot of details of your ISP, right? And would it work with WPA-PSK AES, especially if the router/adapter quite possibly don't completely conform to the official standard (I even had to update/upgrade the firmware because the WPA-PSK software didn't function correctly)?
    There is no 'WPA2' in the manual.
     