Just a few thoughts.....

Discussion in 'other anti-malware software' started by Lebowsky, Sep 23, 2009.

Thread Status:
Not open for further replies.
  1. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    You know, I was watching the review of Norton 2010 the other day on YouTube
    http://www.youtube.com/watch?v=EjWh0AJh58M
    and all I can say is, I'm so glad I have DefenseWall on my system.
    Norton 2010 has a 600MB installation size in the Add and Remove Programs.
    If that isn't bloatware, I don't know what is. :blink:
    And to see these malicious URL tests done in Internet Explorer 6,
    and to see the clunky way in which Norton was handling the situation... oh god.
    There were even instances where the CPU usage was spiked to 100% as Norton was analyzing a file to determine if it was safe or not.
    Oh yeah, 100% for a whole minute.

    I was sitting there thinking, why in the world don't people just go in for HIPS solutions instead?
    They are cheaper,
    use fewer system resources, in fact you don't even notice any system slowdown whatsoever,
    will catch in-the-wild browser exploits that can easily bypass Norton and other AV suites,
    and while actually stopping the malware from modifying and hijacking the system, HIPS products like DefenseWall make it look like child's play.

    First of all, one should use Firefox; NoScript is recommended as an add-on.
    But if you do have to use IE, then at least do some research, and stumble upon some HIPS products.
    You will never look back to your traditional AVs and their scare-mongering tactics.
    You will know that any file that is downloaded from browsers marked as 'untrusted' simply will not be able to do jack to your system. Period.

    Now, a firewall is essential, for those not behind a router, like me.
    So I use the free ZoneAlarm version.
    I just don't know what the big deal is with the AV suites, apart from them being bloatware.
    I mean, the protection that they provide isn't even equal to HIPS products... I don't know, that's just my opinion I guess...
     
  2. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,561
    I believe most users are not knowledgeable enough to know what to allow/deny with HIPS. Also, even more experienced users may become tired of the many prompts.
     
  3. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Yeah ssj100, Sandboxie is another in a very small list of what I would consider to be brilliant malware prevention software.
    For me, the ability to have USB drives automatically marked as 'Untrusted' is what made me embrace DWall.
    You are right though, it's all about getting comfortable with a particular setup that is just so awesome at malware prevention,
    and yet is easy on the CPU usage.
     
  4. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Yeah, I know what you mean.
    But since the malware is brain-dead,
    and can't do anything on the system,
    except just sit there,
    knowing that makes me chuckle. :D
     
  5. chris1341

    chris1341 Guest

    Sure, if you are using DefenseWall, but it's hardly a classical HIPS product. Most think of it as a policy based sandbox I would suggest. While DW protection is running any malware introduced via an untrusted source is 'frozen', but you either have to know it's there and use rollback, find it and remove it using a standard AV blacklister, or accept it's there. I'm sure Ilya has recommended using an AV with his product in this scenario on a few occasions. A classical HIPS on the other hand will expect you to make the decision on whether to trust or not rather than the DW blanket 'untrusted' approach.

    I also think it's somewhat unfair to use the performance of a particular (brand new) product as a marker for all blacklist AV type programmes. Many are now very light on resources with the impact on surfing/downloading minimal.

    Some are happy using just HIPS, others sandboxes/light virtualisation only and some just stick to AV/IS solutions, but I think most still try to find a set-up that covers all those bases. After all, if it's known to be bad why not have something that tells you that; if it's unknown then HIPS, sandboxing, LUA, SRP etc. come into their own.

    Some may also consider some classical HIPS are guilty of using 'scare-mongering' with numerous alerts about safe processes.

    Cheers
     
    Last edited by a moderator: Sep 23, 2009
  6. Cloudcroft

    Cloudcroft Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    433
    Location:
    The Hill Country of Texas
    On my machine, NIS 2010 has a size of 10.9 MB in Add/Remove Programs.
     
  7. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    I like your way of putting it "a policy based sandbox".
    It's probably much more than that, but I can understand that part.
    Classical HIPS is perhaps too advanced for me at this stage,
    I've just started to get the hang of DWall,
    and I'm loving what I'm seeing so far.
    No automatic updates,
    no slowdown during bootup,
    and the realtime protection is rock solid,
    even against the unknown browser exploit!
    Just out of curiosity, what is the nature of the popups that, say, Malware Defender gives you?
     
  8. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    :blink: Isn't the installer itself 83MB?
    The minimum installation requires 300MB space,
    so clearly what you have isn't right.
     
  9. chris1341

    chris1341 Guest

    MD is a brilliant example of classical HIPS IMO. It alerts on almost all Network, Application, File and Registry access/activity/changes. Fortunately it has a learning mode which I think most would use in the early stages so MD can 'learn' the safe processes that take place in the background of the operating system or your safe programmes, to prevent users being overwhelmed by alerts.

    Have a quick look in this forum; there are some brilliant threads on set-up and configuration that will show you the power of the application and the granularity of control it can provide. Some screenies of the Alerts in most too.

    Going back to your OP, it is this level of user driven decision making that IMO tells you why most average users don't dump their AV for a HIPS solution. There are many on these forums that do because they understand their PCs' internal processes and can spot potential malware activity, but they could hardly be called average users.

    Cheers
     
  10. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    That's cool Chris, I think I'm going to try MD in this 'learning mode' which, as I can see, also keeps the protection just as high, without all the popups.
    Need to go through a lot of threads, but that's the fun part. :D
     
  11. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    This is an analysis of NIS2010

    norton.png

    64.17MB added to the file system, 101.2KB added to the registry, and Add/Remove Programs confirms this size. The 2 running processes consume around 61,000 KB of RAM.

    Also I've never had the CPU spike to 100%, much less for minutes at a time, so something must be really messed up on your machine.

    MD is excellent, just be sure to read the threads here because it has a steep learning curve. But once you get the hang of the rules, I doubt you will want to get rid of it.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't think the problem stems from a product or lack of a product, but from the fact that my grandmother and my wife use the computer, and do so globally via the internet. *nix users love to claim how secure they are, as do Mac users. I don't deny they are better, but most people I know do not like *nix because it is not as 'noob friendly' as M$. And Mac, well, I can build a really nice machine for a fraction of the cost of a Mac, so why do we need Mac again?

    It comes down to, IMHO, that M$ has made it easy and to a degree enjoyable for those who have never used a computer to get online and do things. Browsing, Ebay, Facebook, emails, paying bills, all of the things that people desire to do, they can do almost the minute they get on a computer, without needing to know anything or do anything special.

    How do you protect these people? A firewall or HIPS that throws up lots of informative prompts as to what is happening? No. But an AV program, which normally says "I have found something bad, should I get rid of it?", this they can do.

    I don't disagree that a HIPS can be very secure, and that many products are bloated to the point that knowledgeable users despise them and curse their names in public circles (like Norton LOL). But really what alternative do un-learned users have?

    IMO while *nix is not noob friendly, whether you are going to use *nix or M$, beginners should learn how to run in LUA. Not a cure-all, but a good start. It is re-training the masses who have been running as admin for years that is the hard thing to do. But, maybe enough infections later some will 'see the light'.

    And then, there are those like myself, who having already been down the HIPS and Firewall road, just don't want to see many more popup configuration/answer prompts. I would rather get infected and restore an image in a matter of minutes than go through a classical HIPS again.

    Sul.
     
  13. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    I don't think MD provides any protection in learning mode. You run it so MD knows what's on your computer. Also reboot a few times in learning mode. Once MD is trained you can put it in silent mode. That will block all and not give you any popups. MD has a multitude of protection possibilities.
     
  14. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Bingo! :thumb: In fact, most people don't even know what "HIPS" means, other than part of one's torso.
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Somehow this is true, for the reason that you want to be able to work in peace and not be attacked with around 20 pop-ups a day, for example :D Malware Defender is very powerful but a lot of pop-ups, and I mean a lot :D Now DefenseWall is the only silent HIPS that doesn't give you this many pop-ups ;)
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    You are absolutely right here. Current personal firewalls are either not user-friendly if they offer strong security, or user-friendly but offering almost no protection. I'll change it soon; the personal firewall has been re-invented...

    For non-technical/novice users: policy-based sandboxes without partial virtualization.
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    That is why DW has a very cool feature called rollback ;) Nice and easy, empty the toilet.
     
  18. microbial

    microbial Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    156
    Location:
    UK
    :eek:

    that's ludicrous! Removing Norton is a nightmare too. It seeps into every crack of the registry. :thumbd:
     
  19. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Isn't that exactly what you've done with your LUA approach? If you need to install software with administrator rights under an LUA approach then you're in the same position as if you had run it as 'trusted' under DW. I struggle to see a real-world significant difference with your LUA approach versus what DW provides you. In fact, DW is arguably stronger and easier to manage. I'm not trying to knock your approach (and I have tried it myself) but I just don't see the security benefit versus DW. No offence caused I hope :)
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    AGREE :D And not only that, the same goes for Sandboxie: if you decide to keep a file unsandboxed you must introduce the file to your real system, then we are in the same situation here :)
     
  21. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    That screenshot looks like a cool tool, what program is it?
     
  22. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    It's Total Uninstall :)
     
  23. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    When I uninstalled NIS09 it took just minutes. As for the registry, do you want me to show you the registry captures of NIS10 and, say, Adobe Reader side by side?

    Yes as Scoobs said, it's Total Uninstall. You can also export the registry details as a .reg file or all the changes as a .txt file and things like that. Yes it definitely does reside in my cool tools docklet. :)
     
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The difference IMO is that if DW or any other software were to ever have an exploit, you (presumably) run it in Admin mode, so any escapee now has root, essentially. Versus using LUA (which is not for everyone) where an escapee from some program (such as SBIE) would inherit only a User's rights, which is, as we know, MUCH safer than being Admin.

    Think about this: if you run in LUA, and you use SuRun to do something you need as an Admin, and you make SuRun 'remember' the answer to auto'magically' elevate the said thing to Admin, what happens if that said thing is exploited? Now, again, the exploit could possibly have root, even if you are running in LUA.

    The safest bet is to just fire up your Coleco-vision and play some Donkey Kong, and forget about modern computers all-together. Or Intellivision, Atari, Amiga, Vic20, etc etc etc. ;)

    Sul.
     
  25. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    66
    Norton bashers are generally ill informed, and love to propagate the lies.
    My NIS 2010 folder is 65 MB.
    NIS 2010 is not just a "traditional black list AV".
    This is what you get for a very reasonable price (remember that NIS and NAV are frequently discounted and include rebates).
    NIS 2010 features:

    * Anti Virus
    * Anti Rootkit
    * Bot Protection

    * NEW! Norton Threat Insight
    * NEW! Professional Strength AntiSpam
    * NEW! Norton File Insight

    * Norton™ Safe Web - like WOT but better and also works with IE
    * Smart Firewall - can prevent apps from phoning home
    * Pulse Updates
    * Network Monitoring
    * Spyware Protection
    * Identity Protection

    * NEW! SONAR™2 Behavioral Protection
    * NEW! Norton System Insight
    * NEW! Norton Insight Network - cloud database of known good and bad files
    * NEW! Norton Download Insight - prevents downloading known bad files
    * Parental Controls
    * Vulnerability Protection - protects against vulnerabilities in Acrobat, Flash, Office, etc. There must be around 1000 apps included.

    The fact that these features are included in an integrated package makes them more valuable than piecing together separate apps to accomplish the same thing. They take up fewer resources and if a new kind of threat is identified, Norton can more easily respond since they have more options.
    I've been using NIS for 3 years and it has found threats on my system. Recently I've tried Prevx, MBAM, Mamutu, Hitman, Secunia, various rootkit scanners, and a bunch of other apps, and they haven't found any malware on my system. So I know Norton is doing a good job.

    OK. Continue with your anti-Norton propaganda.
     