New leader at Matousec

Discussion in 'other firewalls' started by Dragons Forever, May 1, 2010.

Thread Status:
Not open for further replies.
  1. disPlay

    disPlay Registered Member

    Joined:
    Apr 26, 2009
    Posts:
    17
    Location:
    Lisbon
    All the products that are scored very good or even better are recommended by matousec so your statement is completely useless. Why do that type of statements? if you don't like a product it's simple don't use it.
     
  2. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
  3. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    Last edited: May 23, 2010
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,351
    Location:
    Hawaii
    OSSS is much harder to configure than (for example) Malware Defender. Also, the current version tends to forget custom rules from time to time -- not every time, but too often. I reported the forgetting of rules to them 2 weeks ago, but they have not yet replied.

    Bottom Line: OSSS is fairly new & shows great promise. It's a tad too "beta-like" for my tastes at the moment, but I have it on my watchlist for future re-trial.
     
  5. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,808
    Location:
    Kolkata, India
    Do they have any free products??
     
  6. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    It will be interesting to see how OSSS and Comodo compare on x64 when Matousec gets around to it.
     
  7. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,087
    Location:
    Europe, UE citizen

    I agree: I used many previous versions of OSSS: great product, but again in the growing phase.
     
  8. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    How OA premium got 10
    and OA free got 10+:rolleyes:
     
  9. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,087
    Location:
    Europe, UE citizen

    I read the two PDF reports, but I can't undestand the reason for.
     
  10. Matthijs5nl

    Matthijs5nl Guest

    Probably because this is their way to show that the the extra features you get by using Pro are not worth paying for. Therefor they rate the free version higher to show the Free version is in their eyes the best deal.
     
  11. I'm beginning to take Matousec results with more and more grains of salt... I mean, OA is good. Really good. It does in fact detect behavior that e.g. Privatefirewall doesn't. (For instance, when a program tries to get a list of files in a directory.)

    It also gives many, many more popups, at least with near-default settings. Which makes it much more annoying and hugely increases the risk of user error.

    Whereas Privatefirewall is pretty much designed to keep popups to a minimum. Okay, so if you deliberately execute a file that turns out to be malware, and click "allow" the first time it does something dodgy, you're screwed. But hey, that's what Jotti, on-demand AVs, and sites like CNET are for.

    IMO a HIPS, at least the kind I'd use for day-to-day security, should not give me a detailed account of everything that any installer does. If I click on a link that tries to install a rogue antivirus, it should tell me that the rogue is trying to load a driver, or trying to modify an active process, or whatever, and let me block and terminate it. Heck, all it really has to tell me is the name and location of the file; that's generally enough for me to know if it's bad. Anything more may be useful in theory, or even in practice for e.g. security researchers and software developers. But for me it's not really necessary.

    I think what I'm getting at here is that Matousec is biased towards HIPS products that are unnecessarily strong. And that, due to the nature of HIPS, that kind of unnecessary strength is a liability for most users. Basically I think the Matousec tests are completely ignoring the human side of the equation; and that, in real-world situations involving drive-by downloads and stuff, "weak" HIPS like Privatefirewall or PCTools may be just as effective.

    Assuming, of course, that the KHOBE/TOCTOU exploit doesn't become widespread. Then they're all doomed, I guess.

    [/stupid rant]
     
  12. Matthijs5nl

    Matthijs5nl Guest

    You saying that you want a HIPS to give the message like this: "XP Antispyware (Rogue) is trying to load a driver" doesn't make any sense. Because that is exactly what antiviruses have their signatures for. Something you read a lot on Wilders is that a signature-based defense is not enough and you need a proactive defense like a HIPS (or sandboxing/virtualization), so you install a HIPS, why would you after that ask a HIPS to start using signatures?
     
  13. No no no... I'm fine with a HIPS telling me when anything tries to load a driver, or modify the memory of a running application, or somesuch. But I don't need it to tell me that some program is asking for a list of files in some directory. And I'd much prefer it to assume that, if I answered "yes" once for an application, I think that application is trustworthy.

    Basically, I'm saying that (IMHO, and feel free to correct my view) a good HIPS for desktop users should not even try to be effective against stuff that the user deliberately executes, because that's never going to work out well. A good "desktop" HIPS should be simpler, not stronger, because if it sets off too many warnings the user will just ignore it - and a HIPS is only as secure as its user's decisions.
     
  14. Matthijs5nl

    Matthijs5nl Guest

    Now it does make sense :)
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,087
    Location:
    Europe, UE citizen
    This is exactly the reason for the HIPS born and exist: to enable the user - the power user - to check every activity running in his system.



    For this, many HIPS are more modes: High, Safe, Training...
     
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,087
    Location:
    Europe, UE citizen

    Ya, but reading the reports, I have not this idea...It seems the contrary.
     
  17. I suppose. It just strikes me as monstrously impractical to do that for day-to-day security.

    True... In which case, contrary to what Matousec says, "maximum" may not be the best option for protecting one's system from malware. Obviously that's not the case if you're tracking the behavior of a known good program, or monitoring malware on an isolated machine. But most people who use HIPS are not doing that.
     
  18. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,975
    Location:
    Boston, MA
    Thats why they created behavior blockers. So you wouldn't have the constant nagging of such and such program is creating dll injection or global hook.
     
  19. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    The show's gonna go on while Matousec uses the score system ignoring PC users. While the score system is based on an amount of popups per app.
     
  20. I suppose. Though I have suspicions about behavior blockers, e.g. even when turned up to maximum I've found that Threatfire fails to report when gmer or other ARK tools try to load their drivers.

    (Then again it could just be Threatfire being Threatfire. I've never bothered to try Mamutu, and PrevX with its iffy business tactics doesn't appeal to me.)
     
  21. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,975
    Location:
    Boston, MA
    BB are looking for suspicious behavior. It varies from BB what it maybe looking for. Take a look at Emsisoft mamutu run down:
    "In addition, the Behavior Blocker can monitor and stop any of the following actions:
    Installation of new drivers and services
    Any kind of process manipulation like DLL-injection, code-injection, patching, termination, etc.
    Installation of new BHOs (Browser Helper Objects)
    Changes to your Internet Explorer configuration
    Hidden installations of software
    Changes to your Hosts file (redirects domains)
    Installations of debuggers on the system"
    Thats alot of changes. Of course programs like Malware defender, considered classical HIPS, kind throw up a lot of alerts.
     
  22. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    I'm using Mamutu at the moment. Have seen reviews on youtube and desided to be reassured - I've downloaded 8 variable malware samles... The one has refused to work, ok. The rest has shown the next - 5 were caught by Mamutu, 2 passed freely where they wanted. That's funny - Windows defender popped up once and never appeared again although I've tested it twice. An updated Malwarebytes Anty Malware the next day has caught and removed them all.
     
  23. Windows Defender is like that. I recently cleaned up a PC that a rogue AV had installed on - WD had been running the whole time, and there was nary a peep from it.

    (Of course the same thing could be said about McAfee, which also utterly failed to intercept the rogue. Thus my decision to enable UAC and IE Protected Mode, and explain to the user how that worked. Anyway...)

    As for Mamutu, 25% success rate doesn't seem so great to me, unless that was vs. seriously exotic malware. BTW please tell me you did that on an isolated box, not your main desktop!
     
  24. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Sure, no funny things. Has restored the whole system after each test... As for samples - I've taken the first was able to download, 4 trojans if I remember correctly and some others, can't remember. Thanks for reminding ;
     
  25. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    I went my own way and did my own tests but not versus some synthetic tools but versus real malware that I have kept in a folder on my PC. I did the test on a virtual machine and the products I tested were: Comodo Internet Security, PC Tools Firewall Plus, Online Armor Free, Outpost Firewall Free, Privatefirewall, Malware Defender, System Safety Monitor Pro and Real-time Defender.
    The biggest disappointments were Online Armor Free and PC Tools Firewall Plus.
    The first was too buggy and wouldn't allow MBAM to run control scans sometimes. It also just allowed one piece of malware to just go through directly on the second run. Yes, that's right. I ran the malware once, blocked as much of it as OA allowed me to and ran it again after that. The second time OA was completely silent. True, it isolated it after the reboot but it was never supposed to go down like that in the first place. Rootkit Unhooker had some problems starting as well. On my real machine OA has caused some sever slowdowns most likely due to incompatibility of some kind, although I never tried to actually figure out what it was. All in all Online Armor Free to me is just too unstable and buggy, which kind of negates its strong sides.
    The test of PC Tools Firewall Plus just confirmed what I was already 97% sure of: it's just a stupid placebo program. It just gets patched to pass the Matousec tests so it would look like a really effective product but in real life it's very weak. Actually this can be confirmed to some extent by the new Matousec tests, as PC Tools Firewall Plus scores very badly compared to the previous sets, whereas the rest of the programs basically retain their relative score.
    PC Tools and Real-time Defender were the only products to allow a rootkit installation.

    Not a very professional test by any means but more practical than Matousec's tests.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.