Neoava Guard Questions

Discussion in 'other anti-malware software' started by n8chavez, Oct 25, 2007.

Thread Status:
Not open for further replies.
  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    I'm trying out the latest beta from the Neoava Guard site. I like it very much but I am finding it difficult to protect processes from termination. Is there some sort of help file I could read? I've been to the forums but they don't seem to be much help, as NG is still in beta.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Applications > right-click application/group and mark as secured. It will give that application termination protection. However, your trusted applications will be allowed to terminate a secured application. A good balance of security and usability.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    OT: aigle, OpenOffice 2.3 and Firefox 2.0.0.8 were released ages ago. ;)
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    lol, I am fed up with upgrading each and every application. See how it goes: I have to download the new updated versions, followed by uninstalling the older version, leaving behind some traces etc. Then I have to install the new version. If there is a major change in an application, I have to update their rules in my HIPS as well.

    All this practice is a big hassle. I have stopped updating my software, including Windows updates. I just update my security software. I guess everything on my system is locked down. I have no confidential data on my system. No banking, credit card etc. on the web. All my browsers run in GesWall. My main browser is Opera with Java turned off, JS enabled for selected sites, cookies denied except for some sites. I try to keep just Opera updated. I am a safe surfer too. Outlook is not allowed to run on my system. Almost no executable can run without a popup.

    I don't claim that it's correct but I am very well satisfied with this practice and I feel as secure as others can be.
     
  5. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The very reason why I gave "dumb" HIPS the boot a long time ago. :D
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Classical HIPS can't be afforded on an ever-changing system.
    If I had a system like this, I would replace HIPS with a behaviour blocker.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft, Aigle,

    Still, when installing software the only behaviour blocker that stays silent is PRSC; TF fires and A2's IDS fires warnings. Only the adoption of rules made me move away from HIPS.

    The difference between the two is that you can freeze a system with a classical HIPS in silent mode, and I am not referring to a BSOD, just the software configuration.

    Regards Kees
     
  8. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    Okay. I think I have that rule set up correctly. Is there any way I could test whether the termination rules are working correctly? It does seem to be better than SSM Pro in a lot of ways. It is very customizable, but it would be nice if there was a way to export and import settings so that I don't have to redo everything when the next beta build comes out.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It will be implemented in the next build.
     
  11. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    Any idea when that will be? The blog hasn't been updated since August and .302 was released on September 1st. It's been nearly two months.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not sure. The best way is to check their forums. Arman must be very busy as he has got a new job. I expect it to be soon though.

    They said that rules can be imported/exported by backing up the registry key HKLM\IDT, but I never messed with it except once, and I failed.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    I'm very disappointed. Looks like NG will be dead for the coming months, and this means that none of the bugs will be fixed and no new features will be added anytime soon. Really sad, because it was IMO one of the best HIPS when it came to protection. The GUI could and should be a lot better, so for now I have dumped NG.

    As a true HIPS freak I'm a bit sad, because I was still looking for a better HIPS than SSM Pro, but now NG is dead, and ProSecurity/Comodo Firewall are no options for me. Yes they are quite powerful, but not user friendly IMO. :cautious:
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am also disappointed but will continue to use the current version. Let's hope Arman can restart the development after a few months. He needs to earn as well, rather than working for free.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Btw, I had some stability/freezing problems on my real machine, so that's why I removed NG, and the GUI also annoyed me a bit. It does have a lot of potential but it's just not good enough at the moment. Same goes for ProSecurity and Comodo Firewall, so for now it looks like I'm stuck with SSM, which also needs to be improved a lot, but seems to be pretty "dead". :doubt:
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It might be a conflict between two HIPS. Arman has said that he has not yet tried to make NG compatible with other HIPS.

    I am using NG and EQS without significant issues (though sometimes I disable EQS and rely only on NG).

    NG has a lot of potential and many cool features absent in any other HIPS. Arman also had a plan to make it Vista compatible. Let's hope that it will be revived after a few months.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Yes, it could be some conflict, but NG also gives a warning upon install that you shouldn't install it on systems with modified .exe files? Do you know what that exactly means?

    Btw, I decided to look at how NG behaved on a clean system, so I installed it on my PC at work (I'm admin). Of course I tried to configure it the best way possible to avoid any issues (the only other security app on this machine was McAfee Active Virus Enterprise), but even on this "clean" machine it didn't work correctly: it froze my PC and after that it wouldn't even boot anymore.

    So I can't really recommend this app to anyone; it seems to be full of bugs, and configuration options are also not always remembered. I did get to see two interesting alerts, one about Maxthon trying to log keystrokes (quite strange), and one alert about "remote shell execution", not surprising on a corporate machine. But too bad that NG is not stable, it should have just worked! For example, I didn't have any problems with Mamutu or SSM at all.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No, I don't.
    During the config wizard, did you mark McAfee as trusted, and also did you allow NG to mark system files as trusted (default NG behaviour)?

    Yes, you should not recommend NG to anyone except one who can play with a beta (with some definite bugs/problems).
    It's a common alert and I get these alerts from EQSecure and NG both. I guess these are from GetKeyState and GetAsyncKeyState used somehow by some programs. ThreatFire also gives such alerts.

    BTW, I always had a hard time installing and getting NG's GUI on reboot, but once it's done, after a couple of power resets etc., it's working OK. No major glitches. I am using it with EQS and GesWall, with Antivir on-demand.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi lucas!

    NG has some unique features:

    1- Detection of making an exact copy of itself (this feature catches most, if not all, worms even after their execution).
    2- Overwriting executables
    3- Deleting files rapidly
    4- Creating executables
    5- Sandboxing/dropping the rights feature (child executables created by the browser are treated as untrusted)
    6- Reading the Windows address book
    7- Writing into the partition table (to me this filter is better than the direct disk access filter used by other HIPS, as direct disk access is very common with legit applications, giving rise to unnecessary popups).
    8- Rapidly reading text files
    9- Rapidly connecting to hosts
    10- Creating a Windows user account
    11- It has a parent/child control, not complex like SSM and PS, but based upon trusted and non-trusted applications, which gives rise to far fewer popups compared to other HIPS.
    12- Three different pre-defined (a bit configurable) policies: Trusted, Untrusted, Restricted
    13- Right-click option to mark static executables as trusted, restricted or untrusted, or to quarantine them.
    14- Counting bad behaviour of an executable and giving an option to quarantine it.

    Some features are present in other HIPS also but implemented a bit differently.

    Take care

    I am still learning NG and have not used other HIPS as extensively as NG, SSM free and EQS, so feel free to correct me anywhere.
     
  20. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    There are a couple of things that I wish Neoava Guard could do, or, if it can be done, things I wish I knew how to do. Does the latest build of NG offer service protection? Also, with Autoruns I am able to enable and disable autorun entries. Is this normal? Finally, what are the chances NG will add the option to 'restart if terminated', a la SSM?
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That looks very nice :eek: NG feels like a "smart" classical HIPS. I'm not very keen on classical HIPS, but NG seems to be worthy of a closer look.
    Thanks :)
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    What do you mean by this?
    Seems a bit buggy here. If I want to uncheck an autorun entry, no alert. I get an alert if I check it again. And if I block, the registry entry seems to be deleted.
    Not sure when, but what do you want to achieve? If it is any service, you can do it via services.msc also.
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Obviously this tells us NG doesn't block removal of autostart entries, only creation.

    Not everything runs as a service. Winpooch, for example...
     
  24. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    I am just referring to Autoruns as the program I use to activate and deactivate services. I do get prompted when I launch the exe, but not when I try to deactivate programs that launch as services, such as LnS and VBA32. I am prompted when I try to reactivate them. But with NG these services can be deactivated, and thus effectively disabled, without ever being prompted. Again, all this was done with Autoruns.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    @ Aigle

    I decided to try it one more time, and guess what, all of a sudden it works just perfectly on my home PC. I'm very excited. I now feel a bit safer. :D

    So I guess it's a matter of configuring it the best way possible to avoid any conflicts, and perhaps there are fewer stability bugs in NG than I first thought. At the moment it's running just fine together with SSM, ZAP, CMG and Sandboxie. I'm not sure why it won't work on my PC at work. Of course it's not mature yet; there are a couple of things that work a bit unhandily and are not really clear. But hopefully these things will be fixed and improved. But it does work correctly, it's really blocking stuff. :)

    @ n8chavez

    I do get to see an alert when I try to disable services via Autoruns, so there must be something wrong on your machine. See pic:

    http://img124.imageshack.us/img124/9632/screenshot195um7.png
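Added example for the Autoruns discussion above (not code from this thread or from Neoava Guard): a PowerShell script that snapshots service start modes and Run-key entries, then diffs a later snapshot, so a service or autostart entry that was disabled or removed without any HIPS prompt still shows up. The snapshot path and the two Run keys checked are assumptions.

```powershell
# Added example: snapshot autostart state, then compare a later run against it.
# Usage: .\autostart-diff.ps1            (write snapshot)
#        .\autostart-diff.ps1 -Compare   (report changes since the snapshot)
param(
    [string]$SnapshotPath = "$env:TEMP\autostart-snapshot.json",  # assumed path
    [switch]$Compare
)

function Get-AutostartState {
    $state = @{}
    # Services: record StartMode so a change to Disabled appears in the diff.
    Get-CimInstance Win32_Service | ForEach-Object {
        $state["svc:$($_.Name)"] = $_.StartMode
    }
    # Run keys (assumed set): record the command behind every value.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -notcontains $p.Name) {
                $state["$key\$($p.Name)"] = [string]$p.Value
            }
        }
    }
    return $state
}

function Compare-AutostartState($old, $new) {
    $changes = @()
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) { $changes += "REMOVED  $k (was: $($old[$k]))" }
        elseif ($old[$k] -ne $new[$k]) { $changes += "CHANGED  $k : $($old[$k]) -> $($new[$k])" }
    }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) { $changes += "ADDED    $k = $($new[$k])" }
    }
    return $changes
}

$current = Get-AutostartState
if ($Compare -and (Test-Path $SnapshotPath)) {
    $saved = @{}
    (Get-Content $SnapshotPath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $saved[$_.Name] = $_.Value }
    Compare-AutostartState $saved $current
} else {
    $current | ConvertTo-Json | Set-Content $SnapshotPath
    "Snapshot written to $SnapshotPath"
}
```

A service switched to Disabled shows up as a CHANGED line and a deleted Run value as REMOVED, which is exactly the case the thread says NG does not prompt for.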
     