Need advice please: Online Armor, ProcessGuard, Antihook, Ewido, ZA 6 Pro, Ewido, etc

Discussion in 'other anti-trojan software' started by InfinityAz, Aug 4, 2005.

Thread Status:
Not open for further replies.
  1. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    First off, I'm fairly new to Wilders. So far I'm very impressed with Wilders -- it's very informative, there are many knowledgeable people here, and most importantly everyone is very willing to help. In fact, it's the best forum I've come across in my many years on the Internet.

    Also, I'm InfinityAz, not Infinity (who is a frequent poster here and much more knowledgeable than I).

    I need some help/advice. Currently, I have two computers, a desktop and a notebook. Both computers are relatively recent (i.e., decently fast) and both have 1GB of RAM. The desktop is running Windows XP Pro and the laptop is running Windows XP Home.

    The desktop is my main computer and I use it for work and play (online gaming, surfing, news, music, video, email, etc.). The laptop is my backup and I use it also for work and play (not used much for gaming as it runs a basic Nvidia mobile video card). I always test programs on the laptop before they ever make it to the desktop machine. I am usually fairly careful but do visit some nefarious web sites from time to time and am exposed to some malware (generally caught or stopped by my currently running software).

    I do a yearly clean install on both machines, whether they need it or not. I also maintain multiple backups of important files/documents on portable hard drives, CDs, and DVDs. I am an intermediate to expert level computer user (depending on the area).

    Both machines currently run the following security and/or cleaning software (if it doesn't list free in parentheses then it's a paid version):

    Router (with NAT firewall)
    Firefox with NoScript, Adblock
    Sygate Personal Firewall (free)
    Bitdefender w/ basic registry monitoring (real-time)
    AntiVir (free)
    PcCillin
    KAV, F-Secure, Panda online scanners (free)
    Ccleaner (free)
    Axcrypt
    RegSupreme
    WinASO Registry Optimizer
    Hostman (free) with MSVP hosts file
    Spywareblaster (free)
    Microsoft Anti-Spyware (real-time) (free)
    Sygate Personal Firewall (free)
    Spybot (free)
    Ad-Aware (free)
    A-squared (free)
    Ewido (free)
    Spyware Doctor (free)
    Systemsuite 6 Professional
    System Mechanic 5.5
    SyncBack (free)
    Novabackup

    The machines are running quite a bit more software than this but it gives you a pretty good idea of what I'm using to maintain my computers.

    Bitdefender does a good job of catching many problems before my machines get infected. Every weekend I run most of the programs listed above to clean and disinfect my machines. Once a month, I run the online AV scanners. Usually the only items found are a few cookies and generally they are not much of a threat. On occasion, more serious threats are found but so far I've always been able to deal with them.

    What I'd like to know is what else I need to run, whether by itself or in combination with other software?

    I don't need NSA level security. I'd like to be well protected but I want software that is efficient (low CPU utilization, less worried about RAM utilization within reason, reasonably priced or free). I don't mind software that is somewhat talkative in the early learning stages but after an initial break-in period, I don't want constant interruptions (i.e., I want to enjoy my time online and with the computer and not be constantly interrupted, especially with false-positives). I also realize that considering my preferences, some malware will eventually make it through but I'm willing to accept this trade-off as long as I can deal with it fairly easily.

    I think I'd like to avoid registry monitoring software since I worry about them being overly talkative and/or intrusive.

    I'm not averse to spending money on software but don't believe in spending it on commercial/shareware if freeware will do a good enough job. However, at times the most efficient/best protection requires commercial/shareware versions, in which case I buy the software. I am, however, starting to get sick of all the yearly maintenance fees (both in the virtual and real worlds).

    I also want software that I can easily terminate or suspend when I do online gaming. In fact, I shut down all non-essential software and services but always keep the router/hardware firewall running. When I finish gaming, I start everything back up and keep it running.

    Here's the question finally:

    What, if anything, should I add to my machines (keeping efficiency in mind (i.e., cpu utilization, ability to suspend/restart protection, cost, low or no yearly fees, etc.))?

    The programs below are some I'm considering based on what I've read in the forums over the last month but I am open to any other ideas.

    - Online Armor (although the yearly fees may be a concern)
    - Antihook
    - ProcessGuard (free or paid)
    - SnoopFree
    - Ewido (paid)
    - Zonealarm Pro 6 (triple defense, etc.) with ProcessGuard free

    - or -

    add nothing you're fine as is.

    I welcome and appreciate any suggestions but would definitely prefer recommendations based on actual experience and effectiveness. Thanks for everyone's help and I look forward to any recommendations you may have. :)
     
  2. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi InfinityAZ

    Just for clarification - Online Armor's pricing is a one off $39.95 which includes a year of updates. If you do not elect to then take additional years of updates, you are not obliged to. Online Armor will continue to work - you just won't get updates :)

    During the next year we'll be significantly adding features to OA. I won't go into it again here, but you have a full 12 months to decide "Did I get value from this product", and for you, "Is the additional upgrade/subscription worth the money?"

    Of course, only you can answer those questions. However, over the next 12 months I hope to demonstrate that yes, we do keep our promises, and yes, we will continually improve and support our software.



    Regards

    Mike
     
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    If you have a look at what I posted under 'A Perfect HIPS?' <in PRIVACY AND OTHER ANTI-MALWARE SOFTWARE> Mike has stated that OA is aiming to do everything I want from HIPS, so it's definitely worth having a look at (still a few things to add yet).

    Personally I haven't been infected since February, when I installed Prevx and Process Guard (I don't install much though, and these two programs have been mainly for online security). I do have hardened IE settings. I'm also running OA now...hoping that OA will enable me to reduce my security software to just a firewall, HIPS and AV.

    The other thing you could consider, is a program like ShadowUser or DeepFreeze, though these programs are really only for people who don't install software much.
     
  4. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    Thanks Mike, OA sounds like a great product. What are the yearly maintenance fees? Also, what empirical test results are there for OA that demonstrate its effectiveness?
     
  5. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Without wishing to hijack this thread Mike, may I also ask as a supplement to InfinityAz's question about yearly supplement fees, whether the trial download has a trial key now? Or is the key obtained by email?
    tia
    ellison
     
  6. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Some people are using SafeNsec.
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi InfinityAz,

    First of all welcome.

    Let me briefly describe how I organized my security, and hopefully, by example, you can pick up some ideas that would be most suitable for you. This is how I developed my security:

    1) First line of defense: NetGear Hardware router to keep out unwanted visitors coming over the lines. This is very nice and keeps things pretty quiet. ZoneAlarm software firewall to trap programs that may be trying to communicate from my computer to the outside world. It provides me lots of information about what is happening at the communication protocol level.

    2) Second line of defense: Kaspersky AV which has a superlative signature database that covers all kinds of malware: viruses, trojans, spyware, etc. This is the primary program for trapping malicious software since it detects malware "on access" (hopefully before it can do any malicious work).

    These two lines of defense are probably adequate for almost all situations but not perfect. Because I transact financial data, I decided that I wanted more "backup" defense to help ensure that no important financial or private data is captured by "devious means" (this has happened). So:

    3) Third line of defense: ProcessGuard HIPS to stop executables (and now trialing Online Armor) and WormGuard to stop unauthorized script execution. Both products immediately notify me if any new, unauthorized (whitelisted) program tries to execute. ProcessGuard also notifies me if any process is trying to install a driver/service, keylogger, rootkit, etc. If I do not recognize the process, I immediately stop it so it cannot do any damage within my system. Online Armor detects other potentially dangerous actions such as unauthorized ActiveX executables. Both of these products need refinements, but as they stand they provide excellent backup defense.

    4) Fourth line (interior) defense: RegDefend: Protects my registry from unauthorized updates. To do this, the executable must have begun processing, but this line of defense allows me to "correct the mistake" before too much damage is done (though it may be too late).

    I also run Ewido in real-time. It also serves as backup for KAV, though truthfully I would be very surprised if it actually ever detects anything. But I did pay for the product and it has served me very well in cleaning up other machines, so I have no problem supporting the company on an ongoing basis. Ditto for Greatis (correction a la StevieO) and their UnHackMe product which is designed to detect rootkits. I purchased the product to support the company.

    Hope that this gives you some ideas of how you may approach your decision-making process. I am sure others have equally reasonable, but different ways, of approaching the problem.

    Regards,
    Rich
     
    Last edited: Aug 4, 2005
  8. StevieO

    StevieO Guest

    Hi Rich, I think you meant Greatis Software for UnHackMe, not SI.

    Nice list of products you have, I'm in no doubt you are well protected.

    Regards,


    StevieO
     
  9. StevieO

    StevieO Guest

    Maybe you mean Rootkit Revealer ?


    StevieO
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yeahhh...what about that?? how secure do you feel?

    ...
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for the correction StevieO. I also have Rootkitrevealer, which I haven't run in quite some time, but it is around if I ever feel I need it.

    Regards,
    Rich
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Actually, I feel quite good at this time. It is a minimal set of "pro-active" programs, which I think will alert me when there is any kind of abnormal behavior on my machine. I believe that within a year or so, this list of programs will be even smaller, and the programs that I will be using will be tighter, more comprehensive, and therefore more secure. My current bet is on Online Armor, as long as they can make a "business" out of this space. But I may be pleasantly surprised by other vendors such as ZoneAlarm or Kaspersky.

    I think, what we have here with HIPS programs, is a very nice new paradigm for preventative security (I never felt good about trying to clean up the "mess" after it has been allowed to happen) and it needs to mature a bit. I am more optimistic about security now than I have been in a long time.

    One thing I should mention, is that if I ever have any doubts whatsoever, I go back to my last, clean image copy.

    Regards,
    Rich
     
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    HIPS...what's in a name Rich? do you know? what about other four letter words? That would be fantastic too...

    pfff....don't get me started about suites Rich...
     
  14. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651

    yeah, know what that feels like ;) / OT : ... trying nforce4 at the moment ... / OT
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    HIPS: Just a way of categorizing. Makes it a bit easier to communicate. But every "category" ever so-named, can be debated as to what is contained within the category set. So, if you do not want to use this particular category name, then I am sure you can find a name that is more conducive to what you wish to communicate. I still remember the very, very, very long discussions I used to have regarding the definition of "database". :)

    I wouldn't consider these "suites". They are more of a good architecture for "watching a sequence of events" transpiring on a computer. An analogy would be a "fixed" security camera which can only observe one event in an area, vs. a "moving camera" that can watch a series of events as they are unfolding.

    Regards,
    Rich
     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    LMAO, I bet you sell stuff :D


    I know my friend..I just don't like it that's all ... HIPS .. talking about pro active stuff don't like that either ;) too fancy for software ...


    don't mind me...

    /edit : talking about good architecture .. try browsing for zonealarm and issues...

    With all due respect to the users of Zonealarm...there wasn't any good architecture since two months ago apparently ... I will not jump any wagon in two months ago ... especially with bad records ....

    about Kaspersky... they have good records ... I can give you that ... we'll see how it finishes ... that wasn't either the best experience I had ... but all credits to them!

    Take care,
     
    Last edited: Aug 4, 2005
  17. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi - at the moment the annual fee is set at $14.95; Today, you need to obtain keys by mail but when the new site is up, we'll fix that.

    On the question of testing raised by InfinityAZ - no test results are publicly available; however, even a very quick trial of OA will show you that it works - we've spent months making sure of it.


    Mike
     
  18. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Talking about tests Mike...I read on some website (can't remember where exactly...spywareinfo I think), you were looking for some CWS trojans to test OA against. I didn't see any results posted, and was curious as to how OA fared.
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Infinity,

    lol. Truly, security is very much a matter of taste. But this new approach is the first thing that makes sense to me in a long time. I can now observe who is trying to enter into my house, before I actually allow them in - and I can watch their behavior after I was so kind to let them in (some guests just don't have any manners. ;) ). It is interesting sometimes to observe what these programs are doing, and the more info the better (as long as it is relevant).

    But, everyone has different objectives and that makes for a very large marketplace. Suffice to say, I have not been this comfortable in a long time. Objectively, I can say that HIPS seems to be working, since even my non-technical friends and family who are using ProcessGuard have been well protected (those mid-night emergency calls don't happen anymore). It is all very new, so we'll see. I wouldn't be surprised if lots of people don't purchase this software, and I wouldn't be surprised if lots do. It's a "big world after all" :) ).

    Cya around :D

    Rich
     
  20. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    I was given a list of CWS sites by Dog (thanks!) - I've added them into OA as "not trusted" on the central list of sites; As a result, when browsing these sites potentially dangerous content is automatically and silently blocked. Of course, if someone wants to accept activeX objects from these sites, then all they need do is add it to their trusted list, which overrides the centrally made decision.

    I haven't yet grabbed a CWS trojan and run it against OA - as soon as we get the server move finished, one of the next things on my list is to collect samples and get them into the OA database to help with decision making.

    regards


    Mike
     
  21. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    First , I am only stepping in as I have used OA from day one . IT WORKS ! Period ! It works well . For those thinking it is an app to watch , so be it . Everyone here is too damned paranoid . Mike is a great guy and the company is superb . OA will GROW . NOT get better . Meaning that it is already excellent at what it does . What it does , it does to perfection . It will grow because they are CONSTANTLY wanting to add . It is sad that more people cannot see the value in this product already . Oh well . Keep in mind that this product was going to be offered at a lower initial price . ( sorry Mike but , I figure it is cool to say since it was posted on your site in the beginning ) The price is higher because of how good it is and how much has gone into perfecting this . The new website , well , I will remain mum on that but , there is NOTHING short about this company . For most , only time will tell . But hey . You always have Rich ! Geez . Why not make him an administrator as he adds little but questions everything and responds to anything with little value . Anyway , enough said . I will now be absent again but , great product at a VERY fair price . Good luck to you all
     
  22. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Thanks for the info Mike.
    Interesting. An attacking response. Yet, with no independent/thorough testing you have come to this conclusion by yourself...and seem to expect others to automatically reach the same conclusion...

    Let me clarify, I like OA. I 'believe' it works as intended <because I haven't seen an independent test confirming this>, but also...I can't quite piece together everything that OA is intended to do...so at this stage I have no true idea of how effective it is.

    Mike's responses to my posts and suggestions have been first rate, and his list of ideas for implementation into OA are great... and for these reasons I put OA in the very promising category.

    If OA had no need to get better, it would not need to grow either (unless you are talking about the addition of a firewall...which to me would be 'growing')

    Unfortunately I find such remarks rather disrespectful to those who have yet to find a full explanation of the product (how and why it works), and who wish to see independent testing results.

    There is also the problem, that most of the people making such comments (it looks promising) already have HIPS programs, and are waiting for OA to overtake their current programs before deciding which to keep...hence OA 'looks promising'
     
  23. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Ok, you can expect a long-ish post from me coming up soon. (just grabbing a bite to eat)


    Mike
     
  24. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Mike.

    Thanks in advance for your upcoming post. I'm not having a go at OA...just pointing out my reasoning for holding off on getting rid of all my other HIPS :)

    And I just realised something interesting :

    Most of the HIPS that require user input to function properly...are 'fairly' transparent in what they do and don't protect from...a lot of this transparency comes from the customisation of the program....Prevx Pro is a prime example here...I took one look at the custom settings of Prevx Pro, and I understood what it could protect from and how.

    Most of the 'intelligent' HIPS don't have the same level of customisation, nor a detailed explanation of what they do...and it's a lot harder to judge the effectiveness of them (Prevx1 is a prime example here....'if' I didn't know about the previous Prevx Pro structure, I'd have no idea about how it worked, nor its effectiveness).

    So far I only know of 3 intelligent HIPS. Safe-n-Sec, OA, and Prevx1. They all seem to have the same problem in this area (admittedly I never got SnS running on my machine, so not really qualified to judge...it was just an impression I formed at the time).
     
  25. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    My marketing weasels will execute me if they read this so keep it to yourself, ok?

    First of all, a list of OA features is online at http://www.tallemu.com/features.html - if you just go to the front page, you will get the abbreviated version. We're working on the new website which is bigger, stronger, faster and contains lots more detail about OA, screenshots, FAQs, product guides, etc, etc. (There is a rope here in the shape of a noose with a small sign saying "don't show anyone the new site, or we'll use this on you") - but the site should be up very, very soon.

    OA started off as a product we called BankSafe. You can read the initial story on it here (it may need registration, for which I recommend the use of bugmenot.com) http://www.theage.com.au/articles/2004/10/22/1098316833867.html?oneclick=true

    It was pretty simple - trying to stop password stealing stuff from getting onto the PC. Without signatures. There are a certain number of ways you can nab passwords, so rather than try to grab 500,000 virus signatures and employ a hundred or so people to try and keep up with the latest nastiness, we thought that was a good way to go. It picked up BHOs, HOSTS file nastiness and behavior based detection of keyloggers. The sole focus of the app - making online banking safer.

    When we started trying to take this to banks, we had an "interesting" time. I won't go into it any further, but we changed our mind and decided that we'd need to take this directly to end users. So, back to the drawing board - added a number of features, the ability to take action when something was found and the product known as Online Armor was born.

    So, what is it supposed to do? Well, the idea has grown a little - it's supposed to keep "nasty stuff" off your computer. But, the problem is - how does a user know what nasty stuff is. Now, I can deal with it when it gets on my PC, but when it gets on friends and family PCs... well, I'd rather have my toenails extracted than explain to my mum in the UK how to get malware off her computer. Really.

    So, we decided it needed to have a few characteristics:

    * Cover various methods of attacking a computer
    * Be very easy to use, with as few popups as possible
    * Try to hide the complexity of what we were doing as much as we possibly could.

    My favorite trick question to ask someone when they don't quite get this is "Should I allow services.exe to run". If they say yes, I tell them that they're wrong - it's a virus. If they say no, I tell them they just killed a perfectly innocent part of windows. And that's the point, which is why we have a central list of "trusted" apps in OA. My mum doesn't know that Winlogon is good - and neither should yours (unless, of course, she's a support engineer)

    So, we have (I think) a neat little GUI, a central list of "stuff" which can be updated as frequently as hourly, and we don't want to harass mum with popups, because we know that every time she gets a popup, she'll call me - and I'd rather be drinking beer. I figure the same applies for most people.

    So, the key features of OA:

    Keylogger protection - behavior based detection of them. Not the app signature, but how they actually do it. So, if you write a keylogger this afternoon, chances are good that OA will detect it. Unless, there's a method for logging we don't know about - in which case, we'll tear your program apart, figure out how you did it - and add the *method* we use to our list. That way, the next time someone uses it, we'll scream and scream and scream...

    Of course, some programs (Yahoo IM, for example) record what you press on the keyboard to detect if you're idle or not. (There's a perfectly good WinAPI call to use, but as I recall it was not available on older versions of windows).

    So, when mum's there sitting typing away at 6 words per minute and she gets a keylogger warning, she'll kill yahoo, restart it again to tell me - and get the warning. Repeat. One international phone call later... well, you get the idea.

    So, the trusted list is basically this - a list of programs which may trigger the "sensors" in OA, but shouldn't.

    The same thing applies with IE objects. These are also monitored by OA - and covered by the trusted list. Try installing Surf Sidekick for example, and you'll see what I mean. Same popups, same list of safe/not safe objects. There are toolbars, BHOs, menu items - all of which can be used to break.. or extend.. Internet explorer.

    We look after the HOSTS file, we also check for DNS Cache poisoning by comparing your local DNS lookup against one done by another server. If there's any mismatch, it's an indication that something is wrong.

    So - we can protect against messing with the browser, we can protect against DNS/Hosts related attacks, and keyloggers. What if we can stop the program running in the first place?

    Program blocker does just that - you try and run something and it checks to see if you really want to do it. As that could get a little tedious, we've also got a safe application whitelist that covers many common applications. So if you run calc.exe (and it really is Calc.exe, not a cunningly named trojan) then it'll let you be. But, if the program isn't recognised we'll ask you "Is that what you want to do?"

    Of course, mistakes can be made - so when the user authorises a program to run, OA logs file created in a hierarchical format, reg key creation so you can see what's going on (if you are so inclined) or so that OA can remove those files and reg entries, and then prevent the program from running again once the user has realised the error of their ways.

    The last major feature is the oft-overlooked web shield - a transparent HTTP proxy. This little fella filters HTTP traffic and applies a set of centrally defined rules against it - one of which is to check for the use of International Domain Names. If it finds one of these, it will throw up a warning dialog. It also does this for java applets, activeX objects and various http related security exploits. ( I wanted to play a flash game, accepted an ActiveX object in IE and the next thing you know BAM! 4 BHOs installed. The HTTP filter idea was conceived about 5 minutes after I scraped that stuff off my system.)

    Again, we have added a bit of intelligence here - there's a central list of untrusted sites - untrusted sites don't throw any popups, they just filter out the potentially nasty content. Trusted sites don't throw popups either, but they allow the content. Unknown sites ask you for each bit of content, unless you say "don't ask me again".

    So, we can - detect potentially dangerous stuff in websites; prevent stuff on the PC from running (and track it if it does), monitor hosts files, keylogger attempts by processes that *are* allowed to run. Check startups, protect browser homepages (firefox and IE only right now). Did I mention the cookie cutter? Conversion of persistent cookies to session cookies (before they hit the browser)

    I think this post is long enough without going thru my testing. For those of you still slogging away here, my test was to go out and grab some nasty spyware (ahhh, the good old Kazaa installer, Surf Sidekick, random rubbish sent via email) and check that created files were detected, program execution was detected, reg keys, and that OA could remove it all cleanly.

    There was (obviously) a lot more to it than that- but I have to run for a meeting fairly soon, I know that Vikorr is waiting for this post :) Hope it didn't disappoint.

    I've had AWESOME feedback on OA - and by awesome, I don't mean just the nice posts. One of the key bits of feedback I have had is that many users want to have absolute control of what they allow and don't allow, and the current iteration of OA does not, by design provide this. I'm sorry mum, but I don't want you making decisions about the Winlogon notify keys in the registry.

    However, a future release of OA will have an advanced mode which will expose everything :)

    The new website will contain lots of information and questions/answers and descriptions of OA without the lame attempts at humour. As always, if people have questions they can mail me or PM me.


    Mike
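
The web shield decision flow described in the post above (central trusted/untrusted lists, silent filtering, per-item prompts for unknown sites, "don't ask me again") together with the user-list override mentioned in the earlier reply about CWS sites, as an added Python example that is not Online Armor's code. Assumptions: exact-hostname matching, the content-kind labels, the class and function names, and reporting the IDN warning as a flag separate from the trust decision; the site lists are constructed samples.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import NamedTuple
from urllib.parse import urlsplit


class Action(Enum):
    ALLOW = "allow"    # content passes, no popup
    FILTER = "filter"  # content is stripped silently, no popup
    ASK = "ask"        # prompt the user for this item of content


class Decision(NamedTuple):
    action: Action
    idn_warning: bool  # host uses an internationalized domain name


# Content kinds the post names as filtered; the labels are hypothetical.
RISKY_KINDS = frozenset({"activex", "java_applet"})


def host_of(url: str) -> str:
    """Normalise the host so 'Bank.Example.' and 'bank.example' compare equal."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_idn(host: str) -> bool:
    """True if any label is punycode (xn--) or contains non-ASCII characters."""
    return any(lbl.startswith("xn--") or not lbl.isascii()
               for lbl in host.split("."))


@dataclass
class WebShield:
    central_trusted: set
    central_untrusted: set
    user_trusted: set = field(default_factory=set)
    remembered: dict = field(default_factory=dict)  # (host, kind) -> Action

    def trust_level(self, host: str) -> str:
        # The user's own trusted list overrides the centrally made decision.
        if host in self.user_trusted:
            return "trusted"
        if host in self.central_untrusted:
            return "untrusted"
        if host in self.central_trusted:
            return "trusted"
        return "unknown"

    def remember(self, url: str, kind: str, action: Action) -> None:
        """Record a 'don't ask me again' answer for one host and content kind."""
        self.remembered[(host_of(url), kind)] = action

    def decide(self, url: str, kind: str) -> Decision:
        host = host_of(url)
        idn = is_idn(host)
        if kind not in RISKY_KINDS:
            return Decision(Action.ALLOW, idn)
        level = self.trust_level(host)
        if level == "trusted":
            return Decision(Action.ALLOW, idn)
        if level == "untrusted":
            return Decision(Action.FILTER, idn)
        # Unknown site: prompt per item unless the user already answered.
        return Decision(self.remembered.get((host, kind), Action.ASK), idn)


def demo():
    """Run constructed sample requests through the policy; returns the actions."""
    shield = WebShield(central_trusted={"bank.example"},
                       central_untrusted={"cws-host.example"})
    requests = [("http://cws-host.example/x.cab", "activex"),
                ("http://bank.example/login", "activex"),
                ("http://new-site.example/game", "java_applet")]
    return [shield.decide(url, kind).action for url, kind in requests]


if __name__ == "__main__":
    for action in demo():
        print(action.value)
```

Because the user list is consulted first, a single local "trust" entry silently re-enables ActiveX from a centrally blocked host, so that list is the one to audit when reviewing such a setup.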
     