Katie DriveSentry

Discussion in 'other anti-malware software' started by DriveSentry, May 19, 2008.

Thread Status:
Not open for further replies.
  1. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Kees,

    Thanks, I will test this config today. Do you know how I can embed a YouTube video of the results into a page on this forum?

    ~interact
     
  2. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    tbay2ahome,

    Yes of course the viruses are as follows:

    Trojan.PWS.Lineage.PP
    Generic.Malware.PVPkg.915454D4
    Win32.Bagle.BV@mm
    Win32.Bagle.AX@mm
    Win32.Bagle.AG@mm
    Win32.Auric.A@mm
    Win32.Asone.ABM@m

    The three others are encrypted variants of:

    Win32.Android.A@mm
    Win32.Asper.B
    Win32.Chet.A@mm

    All these files are in a format called PE32, and there are a number of tools that allow them to be compressed/encrypted and still run as normal. I have encrypted the above three to fool scanners so they cannot recognize the signature, but the virus still runs. This is a good way to emulate a real zero-day attack. A number of AV tools can still detect them even if they're encrypted, but the CPU overhead to do this is a good reason why some AV tools slow the PC down :)

    If you want copies please PM me and I will send you a URL to a good site ;)

    ~interact
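The packing/encryption interact describes is exactly what entropy-based packer heuristics in scanners look for: a compressed or encrypted section has byte statistics close to random, while plain x86 code does not. The following is an added example, not code from this thread or from DriveSentry. It parses a PE32 section table, reports the Shannon entropy of each section's raw bytes, and builds a constructed two-section sample in plain and "packed" form to show the difference; the threshold, the sample file and all function names are assumptions.

```python
"""Per-section entropy check for PE32 files (added example, assumptions noted)."""
import math
import random
import struct
import sys
from collections import Counter

# Assumed threshold: plain x86 code usually sits well below 7 bits/byte,
# compressed or encrypted sections approach the 8.0 maximum.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def parse_pe32_sections(blob: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns [(name, raw_offset, raw_size, is_executable), ...]."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]          # offset of "PE\0\0"
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     opt_header_size, _flags) = struct.unpack_from("<HHIIIHH", blob, coff)
    opt_header = coff + 20
    magic = struct.unpack_from("<H", blob, opt_header)[0]
    if magic != 0x10B:                                           # 0x10B = PE32, 0x20B = PE32+
        raise ValueError("not a PE32 image (optional header magic 0x%x)" % magic)
    section_table = opt_header + opt_header_size
    sections = []
    for i in range(num_sections):
        hdr = section_table + 40 * i                             # section headers are 40 bytes
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, hdr)
        characteristics = struct.unpack_from("<I", blob, hdr + 36)[0]
        is_exec = bool(characteristics & 0x20000000)             # IMAGE_SCN_MEM_EXECUTE
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size, is_exec))
    return sections


def scan_sections(blob: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD):
    """Entropy report per section: [(name, entropy, is_exec, above_threshold), ...]."""
    report = []
    for name, raw_ptr, raw_size, is_exec in parse_pe32_sections(blob):
        h = shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])
        report.append((name, round(h, 3), is_exec, h >= threshold))
    return report


def looks_packed(blob: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """True when any section's raw bytes look compressed or encrypted."""
    return any(flag for _, _, _, flag in scan_sections(blob, threshold))


def build_sample_pe32(packed: bool) -> bytes:
    """Constructed minimal PE32 (valid headers, not a runnable program) with a
    .text and a .data section. packed=True fills .text with maximal-entropy
    bytes, imitating an encrypted/packed body; packed=False repeats a short
    x86 prologue so the section looks like ordinary code."""
    opt_header_size = 224                                        # standard PE32 optional header
    e_lfanew = 64
    raw_align = 512
    text_off, text_size = raw_align, 4096
    data_off, data_size = text_off + text_size, 4096
    if packed:
        body = bytearray(bytes(range(256)) * (text_size // 256))
        random.Random(1).shuffle(body)                           # deterministic "ciphertext"
        text = bytes(body)
    else:
        text = b"\x55\x8b\xec\x90" * (text_size // 4)            # push ebp; mov ebp,esp; nop
    data = b"\0" * data_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_header_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_header_size - 2)

    def section_header(name, off, size, characteristics):
        return struct.pack("<8sIIIIIIHHI", name, size, off, size, off, 0, 0, 0, 0, characteristics)

    table = (section_header(b".text", text_off, text_size, 0x60000020)   # CODE|EXECUTE|READ
             + section_header(b".data", data_off, data_size, 0xC0000040))  # INITIALIZED|READ|WRITE
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (raw_align - len(headers)) + text + data


if __name__ == "__main__":
    # Pass a real .exe path to scan it; without one, scan the constructed samples.
    targets = ([(sys.argv[1], open(sys.argv[1], "rb").read())] if len(sys.argv) > 1
               else [("sample-plain", build_sample_pe32(False)), ("sample-packed", build_sample_pe32(True))])
    for label, blob in targets:
        print(label, "packed-like" if looks_packed(blob) else "plain")
        for name, h, is_exec, flagged in scan_sections(blob):
            print("  %-8s entropy=%.3f exec=%s %s" % (name, h, is_exec, "HIGH" if flagged else ""))
```

Entropy alone only says "this section is not plain code or data"; deciding whether the hidden payload is malicious is what forces a scanner into emulation or unpacking, which is the CPU cost the post refers to.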
     
  3. andylau

    andylau Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    698
    Hi interact,

    I think you should test more different kinds of malware. Most of your samples are viruses and worms only and seem a bit old. Some are variants,
    e.g.
    Win32.Bagle.BV@mm
    Win32.Bagle.AX@mm
    Win32.Bagle.AG@mm

    You may add such as:
    Infection type: Worm.AutoRun, Virus.Xorer, Virus.Delf, Virus.Agent, Worm.Viking

    Trojan & backdoor: Trojan, Trojan-Spy.KeyLogger, Backdoor, Trojan-Downloader, Trojan-Dropper, Trojan-Clicker

    And other types of malware, e.g. Rootkit, Adware, Spyware and so on.

    More types of samples would reflect the software's ability more clearly.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It means that rules are there, either in some files or registry entries, and these can be backed up at least manually. Am I right?

    Also, what is your opinion about this (the current pop-up interface/options need work)?

    Also there should be an option to disable advisor completely without any more pop ups.

    Thanks
     
  5. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi aigle,

    Thanks for your comments and feedback.

    1) Yes, rules can be manually backed up by the user. But this is not something that DriveSentry facilitates, so it would need to be an independent record/backup.

    2) Modification of the popup and the Options screen is in the pipeline.

    3) I am not really sure what you mean by the last question? Notifications can be disabled through the drop down menu in the popup. Also automated popups can be turned off through the options screen or the wizard.

    I hope this helps :doubt: .

    Kind regards

    Kate.
     
  6. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Hi Katie!

    Why is it so difficult to get an answer to the following question? (Both here on the forum and by PM.) Is it too stupid or what?

    -----------------

    Is DS compatible with Acronis True Image or other imaging programs?

    How about Returnil or PowerShadow?
     
  7. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi Ako,

    Thanks for your questions. I apologise for the delay :rolleyes:

    We use DriveSentry with True Image on a daily basis, so there are no problems there. Returnil has also been tested with DriveSentry and works fine.

    I will pass a request on to the QA team to do some testing with PowerShadow. Has anyone else run DriveSentry with PowerShadow?

    Sorry again for the delayed response.

    kind regards,

    Kate.
     
  8. 337

    337 Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    232
    Location:
    Georgia, USA
    Might try their forum? http://forum.drivesentry.com/ :thumb:
     
  9. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    OK. Thank you for the answer.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    On a very short and provisional test - seems OK. No obvious (i.e. BSOD) issues immediately.

    Blue
     
  11. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi BlueZannetti,

    Thanks for your feedback. Much appreciated. That is very useful ;) .

    Please dont hesitate to contact me in future if you need any assistance :D

    Kind regards,

    Kate.
     
  12. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Katie,

    Have you tried to fully vet DriveSentry against Limited User Account (LUA) and/or LUA/SuRun with DriveSentry supposedly running with elevated rights? It seems to be having some minor issues.

    Blue
     

    Attached Files:

    • DS.png
      DS.png
      File size:
      6.9 KB
      Views:
      869
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I mean, if I want to turn off access to the online database completely, what is the way?
     
  14. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi BlueZannetti,

    We are currently looking into this. I will get back to you on this.

    regards,

    Kate.
     
  15. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi Aigle,

    To turn off access to Advisor completely ensure that the following options are set to "No".

    Options ->

    Auto block malicious programs - NO
    Auto allow whitelisted programs – NO
    Auto allow community trusted – NO
    Upload stats – NO

    Hope this helps.

    Kind regards,

    Kate.
     
  16. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    No problem, the fix should be a very minor adjustment and the behavior should be easily replicated.

    DriveSentry runs fine with Admin level credentials supplied via "Run as" under a LUA (as one would expect).

    Blue
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks.
     
  18. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris

    BlueZannetti,

    I think they have a bug in their installer, as I've installed DriveSentry on my GF's PC as a limited user OK. Here's how I did it:

    1. Log in as limited user
    2. RunAs the DriveSentry setup
    3. Enter admin user / password
    4. At end of install UNCHECK "start DriveSentry"
    5. Close installer
    6. Run DriveSentry; all should work fine :)

    I think when you run DriveSentry from the installer under "runas admin", DriveSentry tries to access the admin folder, cannot, and so errors.

    ~interact
     
  19. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Thanks Interact,

    We have identified the problem and will be implementing a fix shortly.

    regards,

    Kate.
     
  20. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Those settings don't work. DriveSentry still connects to Advisor.
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Not quite sure what's up, but I reset pertinent SuRun settings, and DriveSentry now launches fine. No net changes in settings were evident. Might have had a bit of a config. issue under SuRun. Works fine at the moment, basically unsure why, but seems more related to SuRun than DriveSentry.

    Blue
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Great discussion and topic posts here. Thanks Kate for taking the reins on both DriveSentry's and our behalf. This is abundantly useful and sure to advance interest in this application.

    But I need help.

    In a simple security setup which I use for everyday internet access now, with NO Returnil or other ISRs "OR" AVs, but implementing only EQS beta 4 (HIPS) + Kerio 2.15 (custom rules) and, dare I say, an old version of CyberHawk I had lying around for a long spell but find very useful, "lite" and stable, can I benefit from DriveSentry? And where and how? Plus, which of my current apps, if any, would it be better to remove should I bring DriveSentry on board?

    Lastly, is there any way for a DriveSentry app to ward off MBR interference from an infector of that section, or is it better left up to another form of coverage?

    Thanks to all of you so very much for your inputs, concerns, and satisfactory reports so far.

    EASTER
     
  23. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Is there any way to block that database download? Haven't tested that to block DriveSentry with firewall. Trying that next :D

    I really like DriveSentry, but I just want to disable Advisor and its local database.
     
  24. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi MikeNAS,

    By design, DS will attempt to connect to Advisor to retrieve program information and updates to the local database.

    However, if this concerns you, you can block DriveSentry's access to the Internet through your firewall. DS will still protect your system, but you will not receive any program info in the 'Advisor' screen, no community statistics will be available and your local database will not be able to connect to the Internet to update itself when necessary.

    I hope this helps.

    kind regards,

    Kate :D
     
  25. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hello Easter,

    Sorry for the delay in getting back to you :eek: . Help is here!!!

    In answer to your questions - CyberHawk and DriveSentry work well together. Any HIPS tools can be replaced by DriveSentry if they are file and registry focused. However, whitelisting and blacklisting technology set DriveSentry apart from the rest, allowing for the automation of program access decisions – greatly minimizing the popup notifications (experienced by conventional HIPS solutions). DriveSentry automatically allows access to whitelisted applications, blocks over one million known threats and queries the unknown.

    We currently have a developer working on MBR and other additional security functionalities. Our primary objective for the near future is to work on adding more functionality available to the user to secure their system and data.

    Thanks for your comments and questions ;) I hope I have helped you.

    Kind regards,

    Kate.
     