Discussion in 'other anti-malware software' started by Iangh, Nov 29, 2006.
which one of Prevx, Cyberhawk or Boclean would you choose to sit alongside your AV, and why?
I would choose BOClean. No conflicts with other software, no yearly fees, light on resources and you can install on 5 machines if I'm not wrong.
Honestly, none, because I don't deem them necessary.
Different types of tools
BOClean: back-up to AV; true secondary scanner/poller: mature highly effective utility. Great support.
CyberHawk: almost pure HIPS and very good one too.
PrevX: still developing combination of scanner, HIPS, software application control
1) Get BOClean: just get it and it will look after itself and you.
2) if you go by the recent AV-Comparatives trial CH is a very good HIPS and will not afaik conflict with much. FREE
3) hard to decide btwn CH and PX: PX not free but cheap as, has promise to be a great app. The more people who use it the better it will get
Open ended model for development: evolving.
Very smart coders and developers working on it. Pretty good support.
Unfortunately does not do as well as it probably should in some tests imo.
Continues to develop but if you lend credence to tests then could be regarded as the weakest of the tools here.
LOL I have all three for fun: why not, minimal impact from BOClean and PX and CH is free; and I like seeing what gets what and how.
Probably some better "iron fisted" HIPS/IDS, but these are very unobtrusive.
(KAV PDM)
CH is a really interesting tool and I think probably just behind DefenseWall (?another option: pay, but with trial and still V.cheap for what it is and also great support) as HIPS.
Sorry probably no real definitive answer but for the $, good tools, any of them.
Lots of threads re HIPS variations if you want to look.
I have chosen Prevx1, simply because I got tired of all the popups from other HIPS. I let the community do most of the decisions.
I have not tried Boclean because of their, to me, strange business model ("buy and try" as opposed to the normal shareware concept where you try before you buy).
Nothing wrong with cyberhawk, I just feel more comfortable with Prevx1. And I feel I know more about Prevx1 because of their very responsive support staff who give answers to all the questions I've had.
Couple of good comments here
Sukarof is well covered with PX and Comodo
Of the three apps listed in the subject of this thread, I recommend Prevx -- with the caveat that you run it in expert mode. In expert mode, Prevx is pretty much a combined AT + AV + AS + HIPS.
BOClean is a superb AT but it's not a HIPS or AV. In my opinion, Px-in-expert-mode offers a broader scope of protection.
As for Cyberhawk -- I consider that the CH people have begun taking unfair advantage of those who opt into their community. Namely, they have begun using that open channel as a vehicle to send pop-up solicitations to CH's users. Also, the 2 to 3 times-per-day pop-ups about how many processes CH has evaluated that day are, to me, bordering on becoming nag screens. When I want to view statistics I will ask for them. I don't want CH ramming them down my throat whether I want to see them or not.
I've opted for Boclean for now.
Pretty light and one-off price for family computers.
Will keep an eye on Prevx as I would like it to be lighter and start-up quicker. Kids hated waiting for it and I didn't like the memory usage.
CH conflicts with AntiVir scan and no mention of their paid product so far that will stop the conflict.
I like Defensewall concept but a few problems with FF when I tried it. Another one to give another look later on. Ilya is a persistent bugger and will make it perfect. Making the kids accept the basic concepts will be the challenge.
To be honest I need a break from trying programmes - I know it excites some of you but it frightens me!!
I'll re-visit the above three in a few months to see where they are.
Expert mode is absolutely not recommended for daily use - it is not made to be an application control tool. The database has been the focus of Prevx1 for some time now, which is why development has been primarily in things like memory scanning (sort of similar to BOClean's), malware removal, etc. For the behavior blocking that is there, the prompts are made far more meaningful by focusing them on what might actually stand a chance of being malware. Unless you have a deep understanding of programming in general and malware specifically, Expert mode will only dilute the meaning of the prompts and ultimately lower your security. You do not gain any security by controlling legitimate applications. If you don't trust that the program, regardless of its type, is alerting you to actual malware, then that application becomes ineffective as you start habituating yourself to allowing prompts, leaving you with the feeling that you know better than the application possibly could (especially when it's prompting you for literally everything). At that point the application becomes meaningless, other than a potential security liability and a liability to your system's stability. We have no end of advanced users disagreeing with files determined bad that actually are malware, and this happens because they use/view Prevx1 as a HIPS and use other scanners to verify, scanners that are still in the process of finding the malware to analyze that Prevx1 already has covered. Note that I am not speaking of riskware or other such low-risk threats, the example that comes to mind first and foremost was one of the Bagle variants that was particularly bad, but have seen it with any number of other trojans, droppers, keyloggers, and so on.
To put it in perspective: In Expert mode a prompt would mean "You haven't allowed this yet", where in Pro mode it would mean "Hey, this hasn't been seen anywhere in the community ever before, and hasn't been reviewed by our analysts. We cannot vouch for its safety for you, are you sure you want to allow it to happen?". The benefits of this should be quite obvious, they are far more meaningful and informative, which ultimately does more for your overall level of security. For those that want to keep tabs on what's happening in the background, I highly recommend enabling the Event Notification, or using the Program Monitor for specific use (which also monitors system-wide now). These give you a more complete picture in which to make informed decisions. All you have to do to maintain that higher level of security that you're looking for in such a program is wait until the analysts mark a given unknown file either good or bad, or even just write in to support if you don't want to wait and aren't sure about a program's safety.
If you want and like the behavior blocking features, then Prevx1 in Pro mode is provided for you. When it comes to the behavior blocking, the functionality is there, albeit for different purposes, and so is provided for those that want it. Understand, however, that Expert mode is made for troubleshooting, such as creating personal rules if Prevx1's monitoring is interfering with an action in some way. Prevx1's primary purpose in life is to specifically identify malware and remove it, and do so much earlier in the malware's life cycle than other anti-malware applications, greatly reducing the impact of any given malware on the community as a whole, and making sure that the entire community can get rid of it if they do happen to encounter it.
For those accustomed to behavior blockers, the underlying technology is familiar, however the way that the underlying technology is used is much different. It's there to report the behavior of malware in the wild so that detection and removal can be added nearly instantaneously. The caveat here is that if you want to use a behavior blocker in addition to Prevx1, you must be careful as the underlying technologies do overlap in the kinds of drivers and hooks that they use. There are some that will work fine, but many others that will cause software conflicts, so it is generally recommended that you not use a HIPS with Prevx1.
Feel free to bring up any further questions by PM or over at CastleCops in our official forums.
More information available HERE, HERE, and HERE.
Why we send you email messages
Novatix is in the business of selling software that people use to enhance their computing experience. Because you are already a customer who has made the decision to buy one of our products, you may be interested in our other products. We are constantly working on new and interesting products that we want to know about, and if you grant us permission, we will periodically send you information about these new products. We may also, from time to time send you newsletters containing tips and tricks about how to get the most from the Novatix products you already own.
Hmm spruiking not my style either
Doesn't specifically say Pop-ups either
Begs the question as to what else they feel they have a right to do.
Perhaps there is a config setting to stop this
I assume if I opt out of the 'open connection/autoupdates' this will not happen?
This would remove one of the realistically central tenets of the tool.
By comparison, no evidence that PrevX is taking advantage.
Cyberhawk. Why? It works, it's free. This version (1.20.39) sits quietly alongside my other security apps. That is until a potential unpleasant situation crops up. I purposely exposed my system to several hazardous situations (don't ask! ), and Cyberhawk was more often than not the first responder. I was not impressed with the prior version, but so far this one is a keeper.
I'm not sure I know what "pop up solicitations" you're referring to. We actually currently only have one product available--Cyberhawk--and it's currently free to anyone, so we don't even have anything to sell you.
Perhaps you're referring to a protection notice earlier in the month in reference to the zero-day XML exploit? We did use a new type of alert in this case to let users know that they were protected from this exploit and didn't need to worry. The exploit was all over the news and we had inquiries as to whether Cyberhawk blocked it. This was our way to let everyone know they were protected. Cyberhawk, without any kind of updates, blocked the exploit even before the exploit was announced and long before Microsoft issued their patch.
Also, you mention that you're seeing the security status report pop up 2-3 times daily. Please contact us if this is indeed the case, as that is not supposed to be happening. We do automatically show that statistics report, but it is only supposed to display once every 2 weeks, unless you open the Cyberhawk GUI where it is also always displayed on the main Security Status tab.
We included this periodic report because we've had many reports from other users that Cyberhawk was so quiet (except in the case of an alert) that they didn't even know it was working. The report is an effort to try and let folks know that Cyberhawk is indeed still working for you, even if you haven't seen any alerts in a while. There are plenty of users who are perhaps not as advanced as you or who don't do as much testing of security software, so they don't get to see the program "doing" much. We want to ensure they still understand the value Cyberhawk is providing. But we hoped that once every 14 days was not too intrusive.
We appreciate your comments and would like to try and figure out what's going on if you are indeed seeing pop ups that are not actual alerts 2-3 times a day.
Hi, folks: I have not tested BoClean yet, but for CH and Prevx, yes. Both use an informants' model to feed their database. CH is more like the FBI's profiling, alerting users to any potential suspects; while Prevx is more like Homeland Security's no-fly list, checking against their millions and millions of names, issuing a "No" order. IMO, CH seldom sends out F.P.; on the other hand, Px does sometimes single out good guys, causing unnecessary panic. For my peace of mind and daily comfort, I have chosen CH.
thanks Becky, I agree Cyberhawk is tops of all 3. You will have to excuse bellgamin, as he sometimes has the lodore syndrome, as I do. Bellgamin, last month, you were all for Cyberhawk and seem to give Notok a lot of grief about Prevx. Guess things change.
lodore syndrome IMO.
If you haven't read already, I have said that after extra reading I now like Dr.Web and have put a link to Dr.Web CureIt in my sig.
I will try it on my test machine just as a test since I'm definitely getting KIS 6.0.
I quite like the spider icon in the taskbar.
Yep, I like the spider too. Would be my second choice.
@Notok- My suggestion to use Prevx in expert mode was largely based on the test report's "Summary Tables" at THIS link. Those tests showed greatly improved results of Prevx in expert mode vice 123 (sic) mode. Perhaps the test confused its terminology as between PRO mode vice "expert" and ABC mode vice "123". In any event I found the better results of "expert" vs "123" were rather dramatic. Did I mis-interpret?
@Longboard- I uninstalled CH late yesterday night because of repeated pop-ups. Up until lately pop-ups were few & far between, but they became increasingly intrusive so I am going a different route for now.
@Cyberhawk Support- In comments above, I had reference to the recent rash of daily pop-ups asking me if I want to participate in a survey. Upon the first such pop-up I tried to do the survey, but the survey form went numb. Perhaps it doesn't like K-Meleon but I have successfully filled in other such forms, & yours was the first such numbness. Yes, I have JavaScript enabled (but not Java itself).
The next day I got another such pop-up and said "No." Even though I kept saying "No," I still got those pop-ups again & again & again every day, & sometimes multiple times in a day. It simply wouldn't take "no" for an answer.
As for the stats pop-ups occurring multiple times daily, this really did happen. Since I have uninstalled CH, that's all I can tell you for now. It might have happened because I switch back & forth between frozen & thawed modes rather often. Even so, I repeat -- if & when I want to see stats, I will activate the appropriate click-spot in CH's GUI myself. I don't need or want CH doing it for me. Also, if CH wants to request a survey, or whatever, I think you should use email messages like all my other apps do when they want input.
I do intend to have another look at CH in the future, and especially when it offers a paid version. It's an excellent HIPS -- but I am leery of any signs of real or potential abuse by ANY application to which I have granted connectivity for auto updates or any other purpose.
@trjam- I explained my turn-around re CH in comments above. As for my turn-around toward Prevx -- a while back I was mostly concerned because Prevx was "the flavor of the month" even though the claims of its excellence were untested. That situation has since been changed by virtue of the tests done by AV-Comparatives and Gizmo. I'm not a particular fan of the latter but (in the words of Toadbee) "a test is a test is a test."
Some folks felt those tests were unfavorable to Px. I did not & do not. I thought Px did very well indeed for the first time out of the test gate. I was especially impressed by their attitude of "we'll fix the misses" instead of trying to debunk the tests/testers. That sort of attitude denotes INTEGRITY -- something I look for in the company behind any app whose proper functioning requires a connection to my computer.
FACT- a written privacy statement is only as good as the integrity of the company that issued it. I learned this fact by attending the school of hard knocks. The problem with that school is this -- first they give you the final exam, and then (afterward -- while you still stand there, bleeding on the deck) they give you the lesson.
I would choose BOClean.
It runs light and is very easy to use.
Ah, there is definitely something going on there and we'll try to reproduce that behavior with the survey prompts here. For the survey we're only supposed to ask once every two weeks, certainly not every day. And after the 3rd time we ask, you're given the option to opt out of ever seeing any further survey requests.
Regarding the security status reports, as I said we added these in for folks who wanted to see more activity from Cyberhawk. We do hope to add in more options in a future release to control when you see these reports, or to allow you to turn them off completely.
Thanks for clarifying the behavior!
I have been rather happy with Cyberhawk.
I think I got a note popup asking if I want to participate in some study, but I answered no. I am still allowing all as regards the malware sharing.
Becky and others, is it a false positive that I do get a popup warning sometimes from my Skype behaviour when starting it or shutting it down?
Hi Jarmo P--
Glad Cyberhawk has been working out for you.
Yes--we are aware that we are giving false positives with Skype. We do hope to address this in a future release.
Thank you Becky.
I wish that if possible you leave that behaviour on if it might be a saviour for some real malware, but please put some note in your website.
That is the place people first look at when in need of an opinion, besides Google that might not be so helpful, but I did find some post.
SSM also gives some prompt for Skype, but because it gives so many popups people tend to not notice them.
With CH giving much less noise, it is more important to have some information so they need not worry too much unless real. Glad you replied, cause it was really bugging me, that warning prompt. Skype.exe too large to submit to jotti scan etc...
Prevx1 did what it was designed to do for the most part in that test: block the malware and allow the legitimate files, where Expert goes and blocks everything regardless. Singular actions are more representative of legitimate applications than they are of malware.
Thinking of Prevx1 has led to a lot of confusion around the forums, leading to a lot of contradictory expectations, whereas you'll notice that those that think of it more as an anti-malware generally have fewer questions and can talk about strengths and weaknesses. Perhaps I've done myself and others a disservice in the past by trying (perhaps too hard) to limit my posts here to being direct responses to people's questions and trying to remain neutral and not sway people's opinions of Prevx1, out of courtesy. I think that if you really look at general descriptions of Prevx1 you'll see that the community database has been the primary focus, with malware detection and removal. Prompts also only happen as a very last resort, with malware detection being the front line of defense, and execution prevention being considered the last. When it comes to behavior blocking, yes Prevx1 does have it, and it has application based rules. If those application behavior rules are broken, however, Prevx1 is going to detect it as malware and initiate the malware cleanup routines, and that's a pretty different thing. If some system file suddenly added itself to startup or tried to hook IE, you wouldn't just see a "blocked" message for a single action, you would likely see an entire swath of malware being removed all at once, followed by a disk scan. If you consider the bigger picture of how Prevx1 actually works and how it would respond, I think it's pretty obviously not the same as a traditional HIPS.
We could talk quite a bit about tests, but if you read some of my technical explanations (of Prevx1) around here and CastleCops, consider the nature of leaktests (commercial scare tactics made specifically to show unique feature of that vendor's product), and consider how Prevx1's community database and heuristics work, the reality should be pretty accessible. When it comes down to it, Prevx1 is made to stop the malware before you start seeing those kind of prompts. You have to assume that any prompts will be allowed and/or bypassed when considering your defense strategy, just as you would with any other security tool or application (it's just a matter of bringing it down to a pragmatic level of probability). Unfortunately if you do allow something malicious then subsequent prompts aren't going to do you a lot of good, except to make removal perhaps a tad easier, which Prevx1 will do automatically. We all know and accept that 100% security is not possible, so I have to wonder what a 100% score on a test really means, especially when the tests are done with mostly marketing tools. To me, the far more important information is in the reviews that lay out the strengths and weaknesses in a useful way.
If you want to see a good success story with Prevx1 (the likes of which are not at all uncommon for us to hear), one that illustrates what Prevx1 was meant to do, then you can read THIS blog entry.
The behavior blocking aspect of Prevx1 that is the most important IMO is the execution alerts. As I mentioned, with a product that prompts you for everything the prompt means "You haven't allowed this yet", where in Prevx1 it would mean "Hey, this hasn't been seen anywhere in the community ever before, and hasn't been reviewed by our analysts. We cannot vouch for its safety for you, are you sure you want to allow it to run?". But read that again a little more slowly, that's a pretty big difference. If you've made a conscious decision to allow a file to run, you're likely to allow any subsequent prompts as well. If you're at the point where you've allowed several prompts and it's starting to look suspicious, then you're probably at the point of blocking its internet access - ie, blocking it at the firewall, and the malware has already won.
More RSI for you eh
I don't mean to push but I (will probably go OT here)
Could I suggest that posting links to anecdotal tales of internet stupidity, even quite well written and amusing ones, for a good result is not a really convincing way to support PrevX.
That guy is really too smart to have given himself a dose by mistake, don't you think?
I posted this elsewhere after seeing the promo link on PrevX home page to Webuser mag:
I wouldn't think that represents integrity of any order
I follow the posts you link to at CC and have read (I think) the whole forum;
The tone of all the posters is supportive and interested imo; most of the responses are good and from obviously expert PX friends and developers.
PX must feel under the gun re profile: 500,000 users is hardly Symantec!, and expectations; afaics things are going very well indeed.
To be put up against serious gorillas at AV-C and be online at VirusTotal implies serious credibility. Serious cred!!
Then to go up against HIPS as well: impressive.
(wonder how the pure AV utilities would have gone with Gizmo's HIPS tests !!)
To perform so well at such an early stage of the development cycle is astounding.
You should speak to your marketing bods about how to get this out there perhaps in a slightly more robust fashion. (marketing budget at this stage had BETTER be a bit skinny heh get the tool right then blitz the market.)
If WOM is the main marketing tool currently then so be it.
We - the licensed users and the PrevXR group are asking for a chance to be at the grass roots of this development and we would love to see integrity as one of the foundations.
The claims made to date have been exposed as a bit thin.
I see several users have asked for perhaps videos of PX in action to back up the claims re rootkits and other malware.
Any chance of same?
I hope we see PX rock the socks off virus total
Regards as ever
(disclaimer: licence holder of and committed to PX)
Longboard: My post was not made to raise any specific claims, only to try to highlight the concept of Prevx1 and why not to run it in Expert mode. The link is more of the results Prevx1 is made to produce than scoring well on HIPS tests. If you have feedback on other subjects feel free to raise them over in the official forum.