Layered defence, how effective solution?

Discussion in 'other anti-virus software' started by Firefighter, Dec 15, 2004.

  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I was just wondering how effective that layered defence, or, to put it more clearly, patched defence, actually is. Now I have some experience of real-time protection with Ewido and some other scanners.

    In summary, I have to say that with some light-memory-consumption scanners plus Ewido 3.0 with real-time scanning, you may actually get quite impressive results.

    Best regards,
    Firefighter!
     
    Last edited: Dec 19, 2004
  2. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I've always felt it was better to run an AV with a less CPU-intensive real-time resident scanner, even with all options enabled like AH, plus an additional layered defense, than to rely solely upon one of the more CPU-intensive AV resident scanners that might detect more but may impact performance unless you dumb down the detection options. Plus real-time heuristic 'zero-day' resident detection can add even greater day-to-day benefit over using only one of the other top AVs that may score better on some of the tests but may not have any real 'zero-day' protection.
    https://www.wilderssecurity.com/showthread.php?t=58482

    This is just my point of view for my day to day usage.
     
  3. Diver

    Diver Guest

    That is rather interesting FF. Personally, I think the gains are marginal. That gets into a lot of stuff including your collection of baddies and how common the ones covered by the marginal improvement are.

    My experience tells me that you only need so much protection. I use KAV 5, a NAT-capable router and SpywareBlaster. That is pretty much it. Ad-Aware to pick off the occasional tracking cookie. Over several years I only had one hit from zero-hour malware, and I was able to clean it up in about 10 minutes.

    McAfee 8i would probably make me feel as comfortable as KAV.

    I have actually had data loss indirectly caused by certain firewalls causing my network to malfunction. There was some fumbling during the troubleshooting process. My adventures with firewalls should be saved for another time.

    Believe me, my surfing habits are not all that conservative, yet I don't need a lot of things to keep the crapware off.

    In other words, you will not see me running two active scanning programs.
     
  4. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Personally, I couldn't care less about system impact if I'm using any scanner other than KAV-based ones, even though I have only 512 MB RAM in my 1 GHz Celeron. Even though I have KAV, I used to have other proggies as well, like BOClean, now Ewido too and some adware/spyware stuff.

    After my last scan I'm fully impressed at how well Ewido patches DrWeb and Command AV. Unfortunately I was unable to move my infected archives out of their folders when using NOD or AntiVir in my scans, so I couldn't confirm how good a combination they would make with Ewido.

    Best regards,
    Firefighter!
     
    Last edited: Dec 16, 2004
  5. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    A lot can depend on what you are doing online. We use NOD and BOClean resident on a game machine that is used by a bunch of teens, plus some antispyware apps on demand only. That provides a good degree of protection without a performance hit while gaming.

    On two other machines we use a KAV AV, but those machines are not used for gaming, so any performance hit is not as significant a problem as it would be on the gaming box.

    Trying the KAV AV on the gaming machine does cause a performance hit at our end. So the layered approach with a lighter scanner seems the best overall solution for that machine and its usage. Plus NOD's AH protection does provide additional 'zero-day' protection on that machine, which is the one most exposed due to its usage and the folks using it.
     
  6. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    From my experience and opinion, if you are an advanced user or you know exactly what you are doing, Prevx or other generic/behaviour-based methods are the best real-time layered defence ever. Prevx can prevent unknown malware and zero-day attacks that get past traditional signature-based antivirus/antitrojan/antispyware, and it causes no slowdown on your machine.
     
  7. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    If that's true, why use AVs, ATs and AntiSpywares at all?

    Best regards,
    Firefighter!
     
    Last edited: Dec 16, 2004
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Well, now we know that PG will provide a maximum of 3.2% of additional protection with the top dogs in this test. I wonder if it does? :)

    Rich
     
  9. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    Prevx is not designed to replace antivirus/antitrojan/antispyware; Prevx is designed to be the last-line layered defense or supplemental real-time malware protection to traditional security software. I've tried to infect myself with worms and trojans from my collection, and with spyware, BHOs and toolbars on many porn/warez sites, but (at least from my experience) no nasty things can successfully install on my machine; Prevx detects and prevents them all.

    And as I said, no nasty things can successfully install, so this means that Prevx prevents malware from successfully installing on a machine. Sometimes some of the malware's garbage files can be placed on the machine, but the malware itself is no longer functional, so it's harmless. Prevx is still updating itself to cover all possible infection vector areas.

    I'm sure that some advanced, knowledgeable users can safely use Prevx without any other real-time antivirus/antitrojan/antispyware software.
     
    Last edited: Dec 16, 2004
  10. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    If I may come back to this new protection for a bit: if I use only AVG 7 Free supplemented with Prevx, am I then better protected than by using Kaspersky plus AntiSpywares/AntiAdwares only?

    Why is that "WHEEL" so rarely used, when it's so superb?

    Best regards,
    Firefighter!
     
    Last edited: Dec 16, 2004
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I was using Prevx a couple of months ago and something happened, and during an abnormal system termination my registry came out trashed and I couldn't repair it. I am not sure what happened, but my guess is that Prevx was unable to logically complete one of its steps - I doubt that they have an automatic log recovery algorithm - and left the registry in an unusable condition.

    Based upon my knowledge of file/database management (of which the registry would be an example), it is somewhat imperative that there is a recovery log that will ensure logical and physical synchronization of all registry entries in the event of an abnormal system termination. While, in the case of a single-user PC, it is unlikely this will happen, especially if the cache is quickly flushed, it is possible. I do not know how the underlying Windows XP operating system handles this problem, but it is possible that Windows is flushing all of the entries at one time with one cache write to physical disk. But I really have no idea.

    If I understood Prevx's underlying registry handling logic, I might be more amenable to using it, but as it stands now, I think that any program that reads and writes to the registry, outside of the operating system itself, has the potential of leaving it in an unstable state.

    Any comments would be welcome.

    Rich
     
  12. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Anything that causes an abnormal system termination on the system can cause corruption in any file open at the time - including the files that underlie the registry. Did you get a Blue Screen, or one of those annoying "rebooting in 60 seconds" boxes?

    Any component wishing to manipulate the registry - even a kernel-level driver - has to use the MS-supplied APIs. In driver land, these all begin with ZwReg, e.g. ZwRegSetValueEx(). There is no other way of accessing the registry. Windows handles the flushing of data to the physical files on disk. Applications and drivers have absolutely no control over it. I'm sure even hard-core driver developers would shy away from attempting to influence the inner workings of the Windows kernel's registry handling.

    I think it extremely unlikely that Prevx writes to the registry directly - in fact I doubt they write to the registry at all. From what I gather from that Prevx Home v1.0 vulnerability description a few weeks back, they hook the kernel-level system calls and then act as a filter. My bet is that Prevx denied access to a system call, and the application trying to make the call couldn't handle the resultant error code and crashed the box. It's a sad state of affairs, but there's a lot of software out there that doesn't check for or handle error conditions correctly.

    For example, with Prevx installed, change the home page in IE and hit "Apply". You'll get a pop-up from Prevx. Choose Deny in that pop-up and your home page will not be changed (in the registry, that is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main:Start Page), but in IE it will look like the page did change. If you close the dialog in IE and open it again, the original home page will still be present. This isn't because Prevx wrote the original back to the registry; it's because Prevx stopped the change being written there and IE was stupid enough to presume that its registry write could not fail, so it didn't check for it.

    To prove that, you can download RegMon from Sysinternals.
    http://www.sysinternals.com/ntw2k/source/regmon.shtml
    That will show you EVERY registry access, both successful and unsuccessful, on the system. If you filter for iexplore.exe you'll see the error returned to IE and IE ignoring it. There are lots of useful tools on Sysinternals that let you watch other parts of the system - file, disk, processes etc.

    There are a lot of applications out there that do stupid things. MSN Toolbar, for example, re-registers its BHO every time you open an IE window - stupid, but true :eek:

    Have you seen any similar problems with the newer versions of Prevx Home? There have been at least 4 software updates in the last two months. BTW, did you contact Prevx support over the issue? Most people that have, and have put feedback about it on these forums, have found them very helpful and keen to make the product better.

    If you ditched Prevx at the time, I'd definitely give it another go with the latest version.

    I'm running lots of different security products at the same time as Prevx and haven't had any problems to date.

    If you want to learn more about Windows internals and/or driver development etc., a good place to start is http://www.osr.com/
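The check ghiser1 describes IE as skipping, written out as an added example (it is not from the thread, nor from Prevx, IE or any other product discussed here): a PowerShell function (PowerShell postdates this thread) that writes a registry value, treats a refused write as an error instead of assuming success, and then re-reads the value to confirm the change actually landed. It assumes the key path quoted in the post; writing under HKLM needs an elevated session. A filter that denies the write, as the post describes, would surface here either as a caught error or as a read-back mismatch. RegMon has since been folded into Sysinternals Process Monitor, which shows the same successful and failed registry accesses.

```powershell
# Added example, not code from the thread or from any product it discusses.
# Assumed key path: the one quoted in the post above.
$Key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
$Name  = 'Start Page'
$Value = 'about:blank'   # constructed sample value

function Set-VerifiedRegistryValue {
    param([string]$Path, [string]$Name, [string]$Value)

    try {
        # -ErrorAction Stop turns a refused write (access denied, or a
        # filter driver failing the underlying call) into a terminating
        # error that the catch block below sees.
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction Stop
    } catch {
        Write-Warning "Write to $Path\$Name was refused: $($_.Exception.Message)"
        return $false
    }

    # Read the value back. A write that reported success but left the old
    # value in place is the case a return-code check alone would miss.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($actual -ne $Value) {
        Write-Warning "Write reported success but $Name still reads '$actual'"
        return $false
    }

    return $true
}

if (-not (Set-VerifiedRegistryValue -Path $Key -Name $Name -Value $Value)) {
    # Surface the failure instead of carrying on as if the change stuck.
    exit 1
}
```

Run it once with nothing in the way and it exits 0; run it with a behaviour blocker set to deny the write and you get the warning rather than a UI that silently lies about the new value.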
     
  13. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I used PREVX 1 for awhile and liked it. I was reluctant at first to upgrade to version 2 but I recently decided to trial PREVX PRO.

    I like PREVX PRO much better. It is also a lot harder to terminate PREVX. I used to be able to terminate PREVX using either Process Explorer or DCS APT but with PREVX PRO it can not be killed using those methods. I think APT was only able to shut the GUI of PREVX PRO down using methods 7 & 8 ( I have to check again)

    This makes PREVX PRO a lot more useful because it can't be killed as easily any more. Before PREVX 1 had to be protected by PG. I think the need for that protection has lessened by a big margin.

    When I first installed PREVX PRO, I did get a few BSODs, but I am not sure if it is PREVX's fault as much as it is that I now have so much security software that is driver-related. It seems all security software is installing more and more sophisticated drivers, and the more of these drivers that are installed, the more unstable the system is. I don't know if that is true or not, but it seems so to me, at least on my system.

    That is why I am looking at solutions that will lower the amount of security software using drivers on my computer while still providing the same protection. I do believe in layered security, but there is such a thing as too many layers, as many people will most likely find out if they install too much security software that uses sophisticated drivers and find that these many drivers sometimes conflict with each other, or at least that is my perspective. I could be wrong.

    Starrob
     
  14. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    This question is too difficult to answer; it depends on so many factors.

    Based on my experience, experiments and opinion, for prevention of traditional mass-mailing worms and malware (adware, toolbars, BHOs, downloaders, hijackers) that attack via the browser, using AVG 7 Free + Prevx Home can offer much better protection than using Kaspersky plus AntiSpywares/AntiAdwares only, because Prevx doesn't rely on signatures to detect malware, as KAV and other antispyware do, but detects malware using known behaviour instead.

    But Prevx cannot detect and prevent a trojan/adware/spyware that disguises itself as a normal file/software that AVG or another AV fails to identify and that you manually install.

    Except if you are an advanced/knowledgeable user who knows how malware works and knows where it installs itself in the system folders and registry areas that Prevx tells you about; then you should notice some malicious signs in the file you're installing and stop them. But this can only be done if you don't disable Prevx, and this seems impossible in the real world.

    Probably because it doesn't fit the current situation. It's too difficult to use and understand; in a corporate environment the Admin would be busy with lots of warnings if Prevx or other generic/behaviour-based software were installed on workstations with average employees. It's much easier to use traditional antivirus in an average environment, except on very high-risk systems. IMHO
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi ghiser1,

    Thanks for the in-depth reply. I very much appreciate it.

    I agree with everything you say, and it comes down to risk/reward. Since I have KAV and Ewido running real-time on my system, and my browsing habits have become relatively conservative as of late, the additional protection that either PG or Prevx provides me is relatively small, albeit meaningful in my opinion. Protecting against keyloggers obtaining global hooks is one of the primary reasons I purchased PG 3.0.

    Of the two products, I have found that PG is more reliable on my system. It can be that Prevx is more stable in its most recent release, but with PG 3.0, KAV, and Ewido, I wonder how much more protection Prevx can provide vs. the instabilities that it may cause. Maybe some future tests will show.

    In the meantime, I very much appreciate your description of Prevx vs. other products. These technical descriptions and underlying architectures do impact the overall stability of products and their effects on the system as a whole, and it is interesting to know how each product goes about doing its tasks and how logical and physical inconsistencies may come about due to the entanglement of various programs.

    Rich
     
  16. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Quite interesting that when the gap between DrWeb and Command AV was 115 detections in the "Common PC Protection", it was only 21 in the combo protection alternative. Can we assume from this that the NOD & Ewido combo is also capable of beating McAfee VSE 8.0i single protection?

    Best regards,
    Firefighter!
     
    Last edited: Dec 16, 2004
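The gap-narrowing effect Firefighter points at above (a 115-detection gap between two AVs shrinking to 21 once each is paired with the same AT) is just set union: adding a second scanner gains you exactly the samples it catches that the first one misses, so the weaker AV gains more and the two combos end up close together. The script below, an added example and not part of the thread or of Firefighter's test, computes single-scanner coverage, combo coverage and the marginal gain of a second scanner from per-sample verdicts. The scanner names, the 12-sample set and every verdict are constructed for illustration; they are not the thread's results.

```powershell
# Added example, not from the thread. All verdicts below are constructed:
# each scanner maps to the sample IDs it detected out of a 12-sample set.
$Verdicts = @{
    'ScannerA' = @('s01','s02','s03','s04','s05','s06','s07','s08')   # stronger AV
    'ScannerB' = @('s01','s02','s03','s04','s05')                     # weaker AV
    'ScannerC' = @('s04','s05','s06','s07','s08','s09','s10')         # the AT added on top
}
$SampleCount = 12   # s11 and s12 are missed by every scanner

function Get-Coverage {
    # Union of the detections of every scanner named in $Scanners.
    param([string[]]$Scanners)
    $detected = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($s in $Scanners) {
        foreach ($sample in $Verdicts[$s]) { [void]$detected.Add($sample) }
    }
    [pscustomobject]@{
        Scanners = ($Scanners -join '+')
        Detected = $detected.Count
        Percent  = [math]::Round(100 * $detected.Count / $SampleCount, 1)
    }
}

function Get-MarginalGain {
    # Samples the added scanner catches that the base scanner alone missed.
    param([string]$Base, [string]$Added)
    $single = (Get-Coverage -Scanners $Base).Detected
    $combo  = (Get-Coverage -Scanners @($Base, $Added)).Detected
    [pscustomobject]@{ Base = $Base; Added = $Added; Gain = $combo - $single }
}

# Single-scanner gap: A detects 8, B detects 5 (gap of 3).
'ScannerA', 'ScannerB' | ForEach-Object { Get-Coverage -Scanners $_ }

# Combo gap: both A+C and B+C reach 10, because C overlaps mostly with the
# samples only A caught, so the gap closes to 0.
Get-Coverage -Scanners 'ScannerA', 'ScannerC'
Get-Coverage -Scanners 'ScannerB', 'ScannerC'

# The same thing seen as marginal gain: C adds 2 to A but 5 to B.
Get-MarginalGain -Base 'ScannerA' -Added 'ScannerC'
Get-MarginalGain -Base 'ScannerB' -Added 'ScannerC'
```

The point for a real test: the marginal gain of a second layer depends on how its detections overlap with the first, not on its standalone score, so two AT/AV pairings should be compared by union coverage over the same sample set, as Firefighter does, rather than by adding up the single-scanner numbers.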
  17. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Just finished my first part of this combo av/at-test. Now you can enjoy a² Personal 1.5.2 Beta with almost 84k signatures results too.

    Best regards,
    Firefighter!
     

    Last edited: Dec 18, 2004
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for sharing the results.

    Rich
     
  19. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    And now the final countdown. I have now added the results for those AVs that were not able to delete or move infected archives.

    If you want the best possible layered protection, choose Kaspersky-engined AVs or McAfee plus Ewido. After that, buy a new PC. :D

    If you want excellent patched overall protection, choose any AV you like and Ewido. If you have an operating system other than WinXP, choose a² Personal 1.5.2 (Beta) instead of Ewido. :)

    PS. I used eScan Free 4.4.7 only because it was able to update and rename/delete infected archives.

    Best regards,
    Firefighter!
     

  20. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Ewido works with both Win 2000 & XP, therefore for non-NT systems you are left with a2 as your free AT scanner.

    Now FF can you repeat these tests with the trial versions of TrojanHunter and TDS-3? ;)
     
  21. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I would say you are discounting one very important facet of overall protection. That is a good, proven zero-day defense.

    Example: https://www.wilderssecurity.com/showthread.php?t=58482

    Also Retrospective/ProActive Test:
    http://www.av-comparatives.org
     
  22. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Of course that's important too, but in my mind much overrated. See my post in the test table here.

    https://www.wilderssecurity.com/showthread.php?p=318304#post318304

    My samples aren't so old, because every week AVs are detecting more and more of my stuff. I have not seen categories like my own anywhere else in heuristics tests.

    In my mind you have to detect some 90% or more of those "randomly met nasties" to have enough protection.

    Besides, I have never got infected with this "zero" stuff, so where is the probability of being among those 12 hrs?

    Best regards,
    Firefighter!
     
  23. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I've tried TH before, but in my mind its strength lies in other areas than signature scanning; fewer detections than a².

    About TDS-3, too complicated for my limited brains. Besides, I get a headache from that black GUI. :D

    Take a look at VirusP's test results against backdoors and trojans and compare those AV detections against my own results. After that, compare those AT results against Ewido in my tests, and you will see that the strength of both programs mentioned by you lies elsewhere, in executing these nasties, I believe.

    Best regards,
    Firefighter!
     
  24. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Hi Firefighter,

    I guess we will have to agree to disagree.:)

    For me, good "zero-day" protection is also very important for a lot of users. I wouldn't assume that someone like yourself would get infected. However, I think for the average user having to wait 1-12 hours for a definition can be too long.

    I also like an AV that can stop some infections from ever downloading to a machine, which can cause problems later on for the less knowledgeable user.
     
  25. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Where do you believe I have visited to collect my 3,518-sample collection? I've met all kinds of nasties.

    Besides, I have just shown you that with Ewido, NOD is one of the best choices I've seen, but not the ONLY one.

    If you have seen my posts here at Wilders some years ago, you will be surprised how differently I think about NOD now!

    Best regards,
    Firefighter!
     