More Behavior Analysis Programs to come?

Discussion in 'other anti-malware software' started by duke1959, Jul 21, 2007.

Thread Status:
Not open for further replies.
  1. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Seeing the various threads on Prevx 2, a-squared Anti-Malware, and Cyberhawk, I wonder what other programs there are that offer it, how effective this type of detection is, and whether there are more Behavior Analysis software programs to come?
     
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    10 If seeking list = yes then HERE else 10

    round & round she goes... bellgamin :cool:
     
  3. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Nice post bellgamin. I think out of the list Prevx and Cyberhawk have come a long way in improvements and are the easiest to use.
     
  4. mrhero

    mrhero Registered Member

    Joined:
    Jul 15, 2005
    Posts:
    297
    Location:
    Ankara , Turkey
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Primary Response Safe Connect from Sana Security (PRSC)
    ZAP HIPS
    KAV PDM's behavioral blocker component
    A-Squared IDS (never tried)

    Personally I don't agree with the CastleCops list. They mixed traditional (classical) HIPS with behav blockers. There are only two pure behav blockers so far: CH and PRSC/Norton Antibot.
     
  6. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    So those two actually block the behavior and then notify, whereas a-squared's IDS notifies, but doesn't instantly block. What about Prevx jailing the detection though? Can't this be from the behavior analysis besides its other means of detection?
     
  7. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    A) Nonconcur. CastleCops' definitions of "behavior-based" versus "policy-based" HIPS are spot on. If you google "behavior-blocker HIPS" you will see for yourself that CastleCops is pretty much using the consensus definitions of various Wikis & ITs & security blogs/forums across the net -- such as definitions put online by Safe'n'Secure, F-Secure, Wikipedia for SSM, Sophos, SecurityPlanet, Networkcomputing, & on & on it goes.

    B) In actuality, the delineation between various HIPS program categories is growing more & more difficult to define.

    *For instance, SSM generally is referred to as a classical HIPS, but will block any process which manifests (as examples) the *behavior* of trying to hook the kernel, or the *behavior* of trying to change a system file, or the *behavior* of low-level keyboard access, etcetera.

    *DSA's 2 anomaly modules are most definitely behavior blockers, but DSA is also a firewall of sorts.

    *CH is generally categorized as a behavior blocker, but its Pro version's rules module makes it pretty much the equal of many of the so-called "classicals." Unlike PRSC, CH does not disclose WHICH kinds of behaviors it blocks, so who knows exactly WHAT it's doing?

    C) Therefore, I feel that the CastleCops list is quite helpful & accurate, considering the foggy boundaries between HIPS categories nowadays. I am very sad -- almost despondent -- (sob) about being scolded for having the temerity to suggest its use. :oops:
     
  8. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Running Prevx 2 and a-squared Anti-Malware together and so far the PC is running smooth, but I haven't enabled a-squared's IDS yet. Wouldn't Cyberhawk be the purest Behavior Blocker out of these three?
     
    Last edited: Jul 21, 2007
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    As noted earlier, CH does not disclose which behaviors it blocks. DSA clearly discloses the behaviors that it blocks. So does Primary Response Safe Connect from Sana Security. CH does not, & that's one reason why I have a *wait & see* attitude toward that app.

    Examples of PRSC's online "disclosures" can be viewed HERE, HERE, and HERE.

    Contrast that with CH's blurb at THIS page, which is basically just an advertisement that discloses NO specific information about the types of behaviors blocked by CH. Of course it is their right NOT to disclose such information, but I would prefer to spend money on something like PRSC, where they are a little more open in providing prospective users with at least some specifics of how their software works, & what exactly it protects.

    However -- to each his own. :cool:
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No offence pls, I was not criticising you. It's just my opinion. I was not referring to exact definitions. I was referring to the meaning taken by us in general discussion. None of us think of classical anti-exe HIPS like SSM when we talk of behav blockers.

    I hope u get my point. Sorry if I made u unhappy.
     
  11. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    N.P. amigo.

    Back on thread -- I do recommend a test drive of DSA for anyone seeking a good behavior blocker (BB). DSA is free but -- unlike some other BBs, it is NOT crippleware. And -- unlike some other BBs, DSA has actually been tested AND tested AGAIN.
     
    Last edited: Jul 22, 2007
  12. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Heh. Maybe we should take a poll. :D

    Bellgamin should really chill out, it's just a silly wiki. Anyone can write stuff there. The way he is defending it, one might think he wrote it lol. It's not the gospel truth. Change it if you are not happy, aigle.

    Besides, definition things are slippery; I bet if you poll 100 professionals, you get 100 different concepts.
     
  13. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Good points about Cyberhawk as far as what it blocks, bellgamin. For example, I saw on the DSA website that it protects against drive-by downloads. That would be something I'd want my Behavior Blocking Program to do, and I can only guess CH has this ability. I think a-squared and Prevx do, by what they list right in the program as far as their protection, but CH doesn't do that either. I like and want to use CH, but they need to clarify a few things first.
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    CH is owned now by PC Tools and doesn't have to clarify anything for me. Sometimes, you just have to trust folks. I also had no issues in trusting Becky when she owned it.
     
  15. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Went back to Prevx 2. Cyberhawk is nice and I do believe you can trust it, but Prevx in my opinion is just the more polished of the two. I do think Behavior Blocking technology will become more and more common in many programs in the future, and I can see PC Tools incorporating CH in an all-in-one suite.
     
  16. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: CH, in general, is a not too bad app, provided that your system can tolerate it. After PC Tools' acquisition and free offer of its Pro license, IMO, its days as a stand-alone app are numbered. PC Tools will utilize CH's client database to strengthen and improve its Internet security suite. The task may not be easy but it is forthcoming. Stay tuned.
     
  17. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Can I ask anyone who has used DSA: does it disable the Windows Firewall by default? I installed it today and whenever it runs, I get a security alert that says the Windows Firewall is not running. I closed down DSA and re-enabled the Windows Firewall, and then when I started up DSA the Windows Firewall got switched off again. I can't find anything in the DSA setup, help file or the website that suggests it does this. Even so, it appears it is doing it.

    muf
     
  18. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    I tried DSA only weeks ago, but only for a few days. I liked it a lot. The reason I don't have it any longer is I had some trouble with Windows Update and had to restore an image. (DSA had nothing to do with my trouble.) I will soon install it again.

    DSA did not disable my Windows firewall, and I am sure it is not supposed to do so. Sorry, I don't know why it does on your system. I hope other users can tell you.

    Edit: Do you use Learning mode? I would choose "require user approval for each alert". It will create some popups in the beginning, but still. Maybe it will ask you before disabling the firewall. Also you could take a look in the quarantine list to see if the firewall is listed there. If so, you can remove it from the quarantine list. (See User Guide.)

    Don't know if it helps, but that's all I can do. (And now I go abroad with my family to relax in the sun :) Back in a week.)

    Good luck :)
     
    Last edited: Jul 23, 2007
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I shut down Windows FW the first day that I installed WindowsXP, so I cannot answer your question based on direct experience. Consistent with tepe's helpful comment, I have read elsewhere that DSA is designed NOT to interfere with any existing FW on your system. However, for an answer to your question *from the horse's mouth* I suggest contacting DSA support. They DO answer.
     
  20. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Thanks for the advice. I have had a response from support saying DSA overrides the Windows Firewall. I noticed now that I am no longer getting messages saying the Windows Firewall is disabled. Instead it says in the Security Center that DSA is my Firewall.

    I'm behind a hardware firewall so the software firewall is only an 'extra'. Happy enough with DSA as my firewall.

    Again, thanks.

    muf
     
  21. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    If I run Pro Security, being a classical HIPS like SSM, what complements it fine as a Behavioral Blocker besides the KAV PDM?

    UPDATE: GUESS I ANSWERED MY OWN QUESTION.
    After disabling KIS PDM, I installed Cyberhawk and noticed that the welcome screen flew directly to the Windows desktop. Wow, never knew what was holding it a few seconds there, but now I know it was KIS PDM in some way. Hmm, I wonder if someone else has ever used Pro Security with Cyberhawk. Anyway, I know some of you have used Cyberhawk with SSM with no problem; can Pro Security be the same?

    dja2k
     
    Last edited: Jul 26, 2007