I'm looking for a new HIPS program...any advice?

Discussion in 'other anti-malware software' started by ejr, Oct 8, 2006.

Thread Status:
Not open for further replies.
  1. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    Basically, I want a program that monitors my processes. Before any .exe is executed, if it's not on my white list, I want to be notified. Or if a program on my white list has been modified, I want to be notified. I don't need or want it to do much more.

    I had Online Armor, but that with the Comodo Firewall seemed to slow my system to a crawl. So my criteria are:

    1. Easy to use
    2. Low on resources
    3. Monitors my processes

    I'm considering Safety System Monitor. Any other suggestions?
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Prevx1 isn't for you, because it's heavier than Online Armor. Faronics Anti-Executable is also simple in use.
    Try ProcessGuard or System Safety Monitor, they put the user in control, if he is knowledgeable enough.
     
  3. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Another vote for ProcessGuard, the free version fulfils your stated requirements :)
     
  4. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    I say look at appdefend/regdefend or SSM


    Or perhaps Prevx if it works well with Comodo. It complements Outpost and LNS well
     
  5. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Maybe that was the case for you, but in my setup I found replacing OA with Prevx speeded things up noticeably. The OP would be advised to try it and see for themselves.

    muf
     
  6. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    Thanks for all of your input. I really appreciate it. Based on this, I am thinking about:

    AppDefend, SSM, ProcessGuard, and Anti-Executable.

    Question: of these programs, which is easiest for the novice user? I no longer consider myself a novice, but I am far from an expert. I'd say I am pretty much an average skill level.
     
  7. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Of those four, Anti-Executable. Install, do some minimal configuration (if desired) and you're done. The only pop-ups you get will be ones noting a block has occurred. No decisions to make. Default deny all unknown and that's it.

    Blue
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Which "things" were speeded up? Word processing? Web surfing? It would be helpful if you were a bit more specific.

    Also, which OA (plain or AV+) were you running? Was it a beta, an RC, or a version?

    Can you post a screenshot of Task Manager showing ram/vm/cpu usage for OA and Prevx on your computer?

    I ask these questions because, as was stated by Erik, I have found OA much lighter than Prevx was when I trialed Prevx.
    ~~~~~~~~~~~~~
    I have become increasingly interested in AE.

    As I understand it, AE blocks a specific list of executables based on their file extensions. If I am correct in this assumption, is it possible that there is an executable file extension that is unknown to AE & hence not on its list?

    Also, what does one do when one wishes to download & install a program? Must AE be disabled in order to do that?
     
    Last edited: Oct 8, 2006
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I found that OA didn't slow down my PC any more than not having it.
     
  10. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi everybody,

    OA never slowed my system and has a very good execution control component

    Another good but different from OA is Neoava Guard Beta 2 and it's free

    You can try either one
     
  11. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I would love to try NG, but I thought it was a "closed beta." If not, where can I download a copy?
     
  12. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    OA slows the boot time on my test system - I'd say the execution protection is easy but weaker than PG, AppDefend or SSM


    For easy to live with I'd go for app/reg Defend or PG
     
  13. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
  14. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook.
    http://www.newsfactor.com/blog_article.php?aid=267470&t=5


    new limited user execution features of Process Explorer and PsExec from Sysinternals.
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You might want to consider something that doesn't just ask you every time something new wants to run. Software updates can confuse things, and would you be so sure if you saw what looks like a legitimate system file? Are you also confident in recovering if you should accidentally block something critical? I ran PG for a long time, but found myself blindly clicking Allow after a while, especially later at night. Sometimes you'll have the right presence of mind to give them real consideration, but other times not. A slip of the wrist during/after some update can also leave you with a non-functional machine - that's happened more than I care to admit (too many of my days started off with disaster recovery).

    I've done a lot of malware testing, and have found Watcher to be a great addition for this kind of thing. If something new does get added you can see the whole picture (as well as the new process), you can easily look the file up on Google, and can clean up very very easily. Even rootkits do make visible changes, removing them can reveal the rest of the rootkit, which then Watcher can alert you to and allow you to remove. It adds some time to boot up, but it's not running afterwards so there's no performance loss.

    As for slowdowns, memory usage should have little effect unless you're running really low on RAM and it has to start swapping a lot of memory. I have licenses to both NOD32 and KAV 6. KAV 6 usually uses less memory, but NOD32 still leaves my system more responsive. It all depends on what the program is actually doing. In some cases some apps might perform better with lower memory usage, others may perform better specifically because they keep more code in memory. There are also things you can do with almost any of your security software to improve performance, such as setting exclusions for all your security software. Different software will also run differently on different computers. All things being equal, things like the brand of your processor, processor bus speed/cache/features, bus speed or latency of RAM, how many chips the RAM has and what brand it is, the interface of your hard drive, various features of your motherboard, the number of free GDI handles, the number and kind of drivers you have installed (both for hardware devices as well as your other software), and any number of other things may influence how a given app may perform on your system. You can put two systems side by side that are of equal (relative) speeds but different brands of hardware and software, and with all things being equal one app may perform noticeably better on one of them, at least in certain ways.

    Put simply, there's a whole lot of factors that can influence a given program's performance, but you won't always find them in the task manager. You can use benchmarks to get a better idea, but the results may only apply to the environment tested, and a single benchmark may not give you a full overall perspective. That's why you'll see sites like Tom's Hardware using a wide variety of benchmarks for each environment.

    SpikeyB and starfish_001 also make good suggestions :) A combination of both would really be ideal, if you want to talk about control - nothing could do much of anything unless you specifically log out and back in as admin. You could add the Shared Computer Toolkit for "drive protection" as well (deletes any new files when you log off). This is very highly restrictive and not ideal for every situation, but if you can do it then it would be very very strong.
     
    Last edited: Oct 8, 2006
  16. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England

    Firstly, I was using the full registered version of the plain OA. Not OA+AV, not a beta or RC or anything else. Just the plain version that everyone downloads and installs.

    I can't show a screenshot as I no longer have it installed. But it used about 25 to 30 MB of memory. Prevx is pretty much the same.

    My PC used to take forever to boot up fully. For instance, I would boot up and I was in Windows within 1 minute. Regrun, BOClean, Cookiewall and SuperAdBlocker would all appear in my system tray. Then nothing! I would sit there for about two minutes and then suddenly OA appeared, then KAV and lastly ZoneAlarm. I'd also experience webpages loading 'a bit tired'. Opening large applications like MS Word took longer. I also found it 'interfered' with some other apps, even when I had it set to allow. For example, yesterday I installed it again. Everything was OK, apart from the slowdown. But I was seeing if I could cope with it running alongside Prevx. Anyway, I boot my PC this morning and after about 30 mins I notice Ad Muncher is not logging any blocked ads or popups. So I went to Popup Test and tried one or two of the tests and Ad Muncher wasn't working. All popups were getting through. I uninstalled Ad Muncher, cleaned the registry of all traces of it and re-installed Ad Muncher. Rebooted and it still wouldn't work. I checked the program permissions in OA and they were all set to allow Ad Muncher. So I uninstalled OA and rebooted and Ad Muncher worked again. So I've left OA off my PC for now.

    It was only after I uninstalled OA and installed Prevx that I really noticed the difference. I must have got used to the slowdown until it became the norm for me. After all, I had used OA for 9 months non-stop. Also, now that OA is gone, all my icons appear on boot up pretty much one after the other. None of this 2 minutes of 'nothingness'. Another thing. With OA installed, I found after a bit of browsing that my system settled at about 420 MB commit charge. Without it, it settles at less than 370 MB. So in theory OA was costing me 50 MB in resources even though Task Manager said anything between 25 MB and 30 MB.

    Just my experience. Won't be the same for everyone. But my PC is faster with Prevx than OA.

    muf
     
    Last edited: Oct 8, 2006
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What if an executable file is camouflaged with a non-executable extension?

    If you want to install new software, you have to turn OFF Anti-Executable according to the manual, and the executables of the new software will be added to the whitelist.

    If you run tests with several different combinations, you will find out what is possible or not. These are just details.
     
  18. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Let me just add one simple, but actual example, observation.

    I created a new file extension type .anyoldextension and associated it with the Application file type. I downloaded an unknown executable and renamed it with that extension. Is it flagged? Yes. Where? At Open, as you'd expect from the hooked services (see screenshot - those are all the services AE hooks). Can one get around applications like AE/OA/Prevx1/etc? No idea really (my programming is limited to numerics and such, not OS stuff), but as I've noted previously, if you wish to cover each and every hypothetical eventuality, you're going to be in for a long haul.

    Blue
     

    Attached Files: ae.png
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for doing the test, that saves me time. :)
    It's not my intention to protect me against each hypothetical eventuality, because 100% security doesn't exist.
    I will try to get as close as possible to 100% in my daily on-line snapshot, like everybody does, but with a minimum security setup.
    I still have my special clean backup files and special clean archived snapshots to restore my computer in a healthy state and that is my 100% security instead of all these security softwares.
    I call them special because I don't use them for DAILY backups or archiving, I use them for restoring only. I use another group of backup files and archived snapshots for daily backup/archive/restore. Acronis is very slow in restoring, but FDISR is fast and I only need to recover ONE snapshot to get back in a healthy state, because my off-line snapshot is always malware-free.
    I can't trust FDISR either and Raxco confirmed that they aren't sure about this either. So their industrial :rolleyes: snapshot technology can't be trusted either and that's why I need my special clean backup files.

    My backup/archiving/restoration problems are all solved, reliable, tested thoroughly and working properly. Case closed.
    Now I'm going to try to protect my daily on-line snapshot as well as possible.
    I only have to find the right softwares and the right combinations to protect it.
    It won't be easy, lots of major and minor problems need to be solved, I have much to learn/try/test/..., but I had the same problems with backup/restore/recover too and those are fixed.
    I never work with software names, like Prevx1, Anti-Executable, Online Armor, etc. ... I work with functions, features and combinations and I will change constantly until I find what I want.
    That will take lots of time, ups and downs and disasters, that's why I took care of my backup/restore first to cover my experiments. :)
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    For that purpose, i don't think that a paid product is necessary.

    I suggest to take a look at:

    -Trust No Exe: executable filter: you can configure your white (allowed) and black (denied) list of executables (takes time for all executables, but very reliable software);

    -Soviet Protector: very basic: each time you run an executable, a confirmation pop-up appears (like "do you want to allow...");

    -Winsonar: easy to use and to configure, and uses crc32 integrity checking for process verification: certainly the program that could be the most interesting for you.

    All the links can be found here: http://kareldjag.over-blog.com/article-1841115.html

    Regards
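    As an added illustration (not code from the thread or from any of the products named), here is the behaviour ejr asked for in the first post, a whitelist of executables with an alert when a whitelisted file has been modified, in Python, together with the content-based executable check that Blue's .anyoldextension test touches on. File names and contents are constructed; the verdict names and the use of SHA-256 in place of the crc32 kareldjag mentions for Winsonar are my choices.

```python
import hashlib
import os
import tempfile

# Constructed sample files, not real binaries. PE executables begin with the
# "MZ" header whatever their extension; the third is a PE image renamed to an
# odd extension, as in Blue's test above.
SAMPLE_FILES = {
    "notepad.exe": b"MZ\x90\x00" + b"A" * 64,
    "updater.exe": b"MZ\x90\x00" + b"B" * 64,
    "report.anyoldextension": b"MZ\x90\x00" + b"C" * 64,
    "readme.txt": b"plain text, not a program",
}

def file_digest(path):
    """SHA-256 of the file. A CRC32 (as Winsonar is described) catches
    corruption but is easy to forge; use a cryptographic hash for a whitelist."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def looks_executable(path):
    """Judge by content, not extension: a PE image starts with b'MZ'."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def build_whitelist(paths):
    """Record the digest of each trusted executable at whitelisting time."""
    return {p: file_digest(p) for p in paths}

def check_launch(path, whitelist):
    """Verdict for one launch: allow, modified, unknown or not-executable."""
    if not looks_executable(path):
        return "not-executable"
    expected = whitelist.get(path)
    if expected is None:
        return "unknown"    # not whitelisted: notify the user / block
    if file_digest(path) != expected:
        return "modified"   # whitelisted binary changed on disk: notify
    return "allow"

def demo():
    """Write the samples to a temp dir, whitelist two, tamper with one, and
    classify every launch. Returns {filename: verdict}."""
    with tempfile.TemporaryDirectory() as d:
        paths = {name: os.path.join(d, name) for name in SAMPLE_FILES}
        for name, data in SAMPLE_FILES.items():
            with open(paths[name], "wb") as f:
                f.write(data)
        wl = build_whitelist([paths["notepad.exe"], paths["updater.exe"]])
        with open(paths["updater.exe"], "ab") as f:
            f.write(b"patched")  # update or tampering after whitelisting
        return {name: check_launch(p, wl) for name, p in paths.items()}
```

    The "modified" verdict is the case Notok warns about: a legitimate software update looks exactly like tampering, so the user still has to decide.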
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    THANKS!!! Trust No Exe is just what I wanted as a *fail-safe*.
     
  22. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I was reading about people stating that OA slows down boot time.

    Which I know won't happen to everyone. With FSIS installed I didn't notice any more slowdown than without it. But I'm thinking that when I get AntiVir I might get a slower startup with OA installed. So I might try the AntiVir suite on its own first, then try with OA. And if it does, I can ask for support on the OA forums.


    lodore
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In general I ignore all good and bad comments regarding memory, resources, light or heavy footprint from other members, simply because they use another computer than my computer.
    Complaining about memory, CPU, resources, etc. is most of the time caused by hardware, and when your computer isn't powerful enough, some software will always be a problem.
    Either you improve your hardware or you don't use this heavy software and find other, lighter alternatives.
     
  24. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    OK thanks, I will try both on my PC separately when I get AntiVir and buy one of 'em.
     
  25. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    If I remember correctly you are using SSM.

    SSM catches all executables until they have been allowed/blocked (once/always).

    allow always: here is your white list
    block always: here is your black list

    Fail to see what TNE adds o_O
     
    Last edited: Oct 10, 2006