Prevx vs. Online Armor vs. MSAS

Discussion in 'other anti-malware software' started by LuckMan212, Sep 2, 2005.

Thread Status:
Not open for further replies.
  1. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Hello,

    I was a PG user but have since uninstalled it -- the False Positive/Actual Threat ratio was just too high. I am currently running the following:

    Realtime/resident:
    • NOD32
    • MS AntiSpyware
    On-demand:
    • Watcher
    • SpywareBlaster
    • SpyBot S+D
    • AdAware
    • HijackThis

    I must admit that this combo has been working quite well, however I feel I am still missing something to fill the void that was left by PG. I am considering OnlineArmor or Prevx, and would like to drop MSAS as soon as possible since I believe that since being acquired from GIANT, it is now doomed to become ineffective especially given the recent alliances MS has made with spyware companies such as Claria.

    Does anyone have any comments on the efficacy of Prevx vs. Online Armor, especially with regard to False Positives and CPU usage, both of which I am always trying to keep to an absolute minimum. Are these products even comparable?

    much obliged.
     
    Last edited: Sep 2, 2005
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Luckman212

    First of all I am puzzled how you can get a false positive with Process Guard. Neither Process Guard, Online Armor nor Prevx will generate false positives. What they do is either alert you to something trying to run that the program doesn't recognize based on what it knows about your system, or alert you to an action that is potentially dangerous.

    To clarify

    Say my AV or something like spysweeper identifies a specific threat in a file, and that file is okay, that is a false positive. It has labeled something as bad which isn't. ProcessGuard, however, anytime a program tries to run, alerts me and asks if I want to allow it. It makes no effort to identify it as good or bad, I have to make that decision. Online Armor has a database of known trusted programs, and it won't alert on them, but I can run a fine program that isn't in its database, and it will alert on it. Again not a false positive, just that it is unknown.

    Likewise several of these programs will alert when something tries to add itself to the startup list. Again it will do this whether the program is good or bad. It is alerting to the action, not judging if it's bad or not. Again you have to make that decision based on what you are doing.

    Pete

    PS. I run, among other things, Regdefend, ProcessGuard, Online Armor and Safe'n'Sec. I no longer run any real time spyware programs, and my KAV realtime setting is cut back to the minimum.
     
  3. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    I suppose I should clarify what I meant by 'false positive'. I didn't mean it in the typical sense of an AV program detecting a virus signature in an otherwise legitimate file. I meant PG popping up an alert for an event which was either a) something I initiated, or b) something a program that I trust initiated. I just found that I spent too much time fiddling with PG just to keep my system running normally, which includes lots of app updating (so CRCs constantly changing) and unattended script running.

    In addition to spending lots of time clicking on that 'Allow' button, in all the time I had PG installed (over 6 months) I never actually had it 'catch' any trojans or prevent any malware from installing. <knock wood!> That's not to say it wasn't working properly-- It was, just that I am quite careful about what I install, and from where, and thus just wasn't exposed during that time.

    So I was looking for something that perhaps dealt with these types of attacks a little differently and distinguished a little more intelligently between what was malware and what wasn't.

    If no such thing exists, I suppose I will just keep clunking along with the tools I have.

    cheers
     
    Last edited: Sep 2, 2005
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Luckman212

    Okay I see what you mean.

    First, as far as updating, I know; beta testing, I do a lot of that also, but it is fairly easy with Process Guard. At the start of a new install the first thing I do is disable Process Guard, and do the install, up to the point of rebooting, which most installs want. Just before rebooting, I re-enable ProcessGuard, but turn on Learning mode. Do the reboot, and then turn off Learning Mode. Bingo, no pop ups.

    I also have never had these programs catch anything. But all it takes is once..... I run them because it is easier to deal with them than the consequences of accidentally getting infected.
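
An added example, not part of the thread and not any product's actual logic: a toy allowlist-based execution guard showing why an update triggers a new prompt and how a safelist or a learning-mode window suppresses it. The class, file names and byte strings are constructed for illustration, and SHA-256 stands in for the CRC mentioned above.

```python
import hashlib

ALLOW = "allow"
PROMPT_UNKNOWN = "prompt: unknown program"
PROMPT_CHANGED = "prompt: program changed"

def digest(content):
    return hashlib.sha256(content).hexdigest()

class ExecutionGuard:
    """Hypothetical guard: it never labels anything malicious, it only
    distinguishes 'seen and approved' from 'not seen in this form'."""

    def __init__(self, vendor_safelist=()):
        self.vendor_safelist = set(vendor_safelist)  # digests the vendor already trusts
        self.approved = {}                           # path -> digest the user approved
        self.learning = False                        # learning mode: approve silently

    def on_execute(self, path, content):
        d = digest(content)
        if d in self.vendor_safelist or self.approved.get(path) == d:
            return ALLOW
        if self.learning:
            # Everything that runs in this window becomes trusted, good or bad.
            self.approved[path] = d
            return ALLOW
        return PROMPT_CHANGED if path in self.approved else PROMPT_UNKNOWN

def replay(guard, events):
    """Feed events to the guard; the simulated user clicks Allow on every prompt."""
    decisions = []
    for kind, path, value in events:
        if kind == "learning":
            guard.learning = value
            continue
        verdict = guard.on_execute(path, value)
        if verdict != ALLOW:
            guard.approved[path] = digest(value)
        decisions.append((path, verdict))
    return decisions

# Constructed sample binaries (byte strings standing in for file contents).
BROWSER = b"well-known browser 1.0"
EDITOR_V1, EDITOR_V2, EDITOR_V3 = b"editor build 1", b"editor build 2", b"editor build 3"
SCRIPT = b"nightly backup script"

def demo():
    guard = ExecutionGuard(vendor_safelist={digest(BROWSER)})
    events = [
        ("run", "browser.exe", BROWSER),     # on the vendor safelist
        ("run", "editor.exe", EDITOR_V1),    # first sighting
        ("run", "editor.exe", EDITOR_V1),    # approved, unchanged
        ("run", "editor.exe", EDITOR_V2),    # updated outside learning mode
        ("learning", None, True),
        ("run", "editor.exe", EDITOR_V3),    # updated inside learning mode
        ("learning", None, False),
        ("run", "editor.exe", EDITOR_V3),    # still approved afterwards
        ("run", "backup.cmd", SCRIPT),       # unattended script, never seen
    ]
    return replay(guard, events)

if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{path:12} {verdict}")
```

Learning mode trusts whatever executes while it is on, so the shorter that window, the less an unwanted program can slip into the approved list.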
     
  5. ---

    --- Guest

    Frustrating, isn't it?

    I share your pain. But I would guess most people here are fanatics about security, all this clicking makes us feel warm and cozy inside, a sign that we are protecting our computers.

    What fun is there in a silent antimalware system that only craves attention if something malicious occurs? Given our security and how careful most of us are, this system would almost never do anything!

    I'm afraid you have to wait then. Most of the products on the market these days are dumb products that have no ability to differentiate between malicious behavior and non-malicious behavior.

    On one hand they talk about how good their non-signature based methods are, on another they tell you they don't really detect malware! They alert on every freaking new detail, never mind if it is really malicious.

    That said, you might try Panda's TruPrevent.
     
  6. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    any other opinions on Prevx vs. Online Armor? Anyone using this "Truprevent" that was mentioned?
     
  7. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi LuckMan212,

    I won't comment on the other apps - there are a couple of threads on Wilders regarding OA - but to answer your questions:

    Other users on here have commented that OA is very "Quiet" with its popup messages. This is partly because there is a thorough setup process which we call the "Safety Check Wizard" that runs when you first install OA.

    During the SCW, OA will check your start menu for programs it does not recognise and ask you if you want to trust them. Assuming that you do, you would not get a popup from OA regarding them unless they changed for some reason.

    We try and keep the whitelist/safelist as up to date as possible - again, for the purpose of minimising these popup messages. So, even if you take a new program - there is a chance that we've already seen it and added it.

    Probably the best advice if you have a little time is give each of these programs a try and see which one you prefer.


    Regards


    Mike
     
  8. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Thank you Mike, I think I will do just that ;)
     
  9. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Luckman

    I use Prevx1, OA, and PG.

    I can give you a fairly decent comparison of them, although Prevx haven't actually released details on what Prevx1 can and can't do, that I can find (annoying).

    Prevx1 beta

    NB Prevx1 is in report mode only for a lot of settings at the moment. This should change in the future.

    -Filewall - ie notes when exe changes occur in protected directories
    -Execution Protection with Whitelist/Blacklist
    -Installation tracking
    -Can uninstall what installations it has tracked
    -Registry Protection - some
    -Host file protection
    -Raw memory protection
    -BHO protection (doesn't mention any other IE protections)
    -Self Protection

    Pros
    - much more 'intelligent' than the old Prevx Pro
    - quick Support response (for those made via email) - usually 24 hours

    Cons
    - Setup wizard takes forever to complete its scans.
    - Popups, when they occur, are extremely annoying. You have to type in a description, and select 'installation' or 'not installation', before you can 'allow/deny'
    -Report mode only, for many settings.
    -Not as transparent as the old Prevx Pro
    -oversimplified interface (there's no settings to play with)
    -slow response to posts on their forum at Castlecops (I mean sometimes a week and more)
    -yearly fee or it stops working
    -very infrequent updates (so what are you paying a yearly fee for?)

    Future (likely)

    -Adding Prevx Pro like customisability
    -Adding script defense
    -Adding buffer overflow protection
    -Adding firewall
    (these are only the ones I know of)

    Online Armor

    Execution Protection with Whitelist/Blacklist
    -Installation tracking
    -Can uninstall what installations it has tracked
    Phishing protection
    -email filter (for tricks used by phishers)
    -DNS checker (checks your high value sites against a central database)
    -these are listed in the Protected Sites tab
    Web filter
    -filters ActiveX & Java (popup if site is unknown)
    Trusted sites
    -list websites into Trusted, Untrusted, or Ask(?)
    -trusted lets activex etc through, untrusted doesn't, Ask asks.
    Keylogger Protection
    -detects keylogger via behavioural means
    Browser Protection
    -I'm not entirely clear on this, says :
    -IE extensions
    -Homepages settings (for all browsers)
    Hosts file protection

    Pros
    -Very easy setup (and quick compared to Prevx1)
    -User-friendly interface
    -Fantastic support (either on their forums, or here at Wilders...Mike doesn't sleep you see)
    - Mike listens to suggestions (actually seen many improvements to OA directly from suggestions people have made on these boards)
    -Frequent updates (seems at the most, 3 days apart, often sooner...great for a HIPS)
    -Program still works if you don't pay a renewal fee...you just don't get the updates (rather fair policy).
    -Uninstalls completely (heard this from other users)

    Cons
    -Hmmm...ummm...it hasn't reached 1.2 yet !!! (when it gets registry protection)
    -Still a few programs it conflicts with (I think...as they get fixed quickly...)

    Future

    Mike says he has 40 pages of things to do, but for the immediate future :
    -Registry Protection
    -Possibly a firewall (mentioned in Mike's previous posts as a maybe)
    -Advanced settings for those that like to play


    Hope it all helps
     
    Last edited: Sep 7, 2005
  10. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Yes actually, that was extremely helpful, thanks! ;) I have downloaded OA 1.1 but in all honesty I am probably going to wait for 1.2 before giving it a thorough testing, so I can use my 15-day trial with that version. I will most likely remove MSAS and purchase OA at that point.
     
  11. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    I'll be resetting all eval keys so people who tried 1.1 will also be able to try 1.2 when it's released.


    Mike
     
  12. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    ...MikeNash,

    My Question:

    What is the "Minimum System - RAM MB" needed to run Online Armor on an old "Win 98 PC", so as not to significantly degrade the Win 98 PC's performance when running Online Armor o_O

    ... P.S. Your web site does not list memory requirements. I think it would be a good idea to list this info (i.e. for the various Windows operating systems their min. memory requirements)
     
  13. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi JBB,

    I'll do some testing and see - usually I recommend that for XP you have 512mb of RAM, regardless of whether or not OA is installed. For XP I'd say the minimum is 256mb.

    On 98 - I don't recall how much Ram was in the test box. I'll do some playing around on Monday and post back here with an update.


    Mike
     
  14. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    1) Anyone try Online Armor with Outpost Pro Firewall 2.7 o_O

    2) Anyone try Online Armor with Outpost Pro Firewall 3.0 with its new Spyware Plugin Enabled o_O

    ... Are there any conflicts or issues running Online Armor with either version of Outpost ?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    This is the 2nd place you've posted this question. See answer in first .
     
  16. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    "Anyone try Online Armor with Outpost Pro Firewall 3.0 with its new Spyware Plugin Enabled"

    Yep seems fine - I'm also running Fsecure 2006 with anti ad etc
     
  17. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    MikeNash,

    I have been reading about Online Armor here on threads of Wilders and I was reviewing the description/user comments on the FileForum.BetaNews site. According to the description of Online Armor, on the FileForum.BetaNews site it indicates that Online Armor's "Program Blocker - now has option to track changes". I have a quick question about the tracking changes feature:

    Question:
    Does the "tracking changes" feature of program blocker only track file adds and registry key adds ? ... Does it additionally track changed and deleted files and registry keys, by detecting an attempt to change and/or delete files/registry keys and first backing up these files and registry keys and then letting the file/registry key change or delete action proceed ahead by the program being executed ?

    ... If not, can this be considered for an enhancement to Online Armor? In my opinion, the ability to track all three actions (chgs, deletes, and adds of file/reg keys) of a program executing and then be able to also restore/reverse out changes and deletes of files and registry keys would provide a way of reversing out most of the destructive activities that an undesirable program can do to the files in your Windows System folders and your other application folders (Internet Explorer, Outlook, etc).

    .... (Especially, since some programs must upon install or re-configuring make changes to the win.ini, system.ini, etc files. Or when executed cause unexpected chgs and deletes of files on your PC.)
    ... Just an idea, what do you think?
     
  18. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    I think it's a good one - it may not get into 1.2, but we're always improving every feature we possibly can :)

    Mike
     
  19. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    MikeNash,

    1. Does the Mail Screen filter of OA work as a local proxy program ?
    ... I ask because I am using a SPAM filter program which runs as a local proxy server listening on port 110 and I was wondering if OA and a Spam Filter Program that runs as a local proxy would cause a conflict to occur between the 2 pgms ?


    2. P.S.
    Did you get a chance to perform the below testing that you previously mentioned that you were going to do on Win 98 PC, regarding memory used/needed ?

     
    Last edited: Oct 6, 2005
  20. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi again,

    MailScreen is implemented as a transparent proxy. No settings are required and it should work with existing spam filters with no problem.

    I did not get a chance to review on Win98 - someone nabbed the test box for another person; I'd suggest you give it a try on your box and see if it works for you.

    Mike
     
  21. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    MikeNash,

    ...This is really, really the last question that I have about Online Armor, before trying it:

    Question:
    Does the current version of Online Armor have the below feature o_O (... If not, what's your view to adding it as an enhancement ?)

    -- A Family or Child Mode (for the less experienced family members) where OA would operate in an "automatic mode" where:

    1. All Untrusted or questionable events that are detected would automatically choose the blocked action:
    A) With either *no* screen windows prompts for actions
    -- or --
    B) Let the screen prompts occur, but with all choices except for the "block" choice to be grayed out.)

    2. All automatic blocking events are recorded in a history log for viewing by the administrator family member, at a later time.

    3. Administrator Member Mode and Family/Child Mode ( Automated Block Mode), determined by providing an option on a configuration screen where you can specify a Windows UserId that OA should invoke Administrator Mode when the PC has been logged on with that UserId and where you can specify 1 or more Family/Child - Windows Userid's that should likewise invoke the "Automated Blocking Mode" of Family/Child Userid Mode.


    ... Basically, looking for a HIPS program that could provide the above type of parental control that is determined by "Windows Userid Account" Logon, so its always easily invoked and no longer have to worry about the less experienced family members choosing the wrong action.
    ... If OA does not currently, do this by Userid, what's your view to adding something along what I described above ??
     
  22. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Someone pointed out that the current OA 1.1x beta has this "sort of" - by preventing the kids from accessing the GUI part of OA. However, it will be in 1.2



    Mike
     
  23. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    MikeNash,

    Oops, ...Wouldn't you just know it, I just remembered that I had two remaining software compatibility questions that I want to ask before trying OA, but that I forgot to ask in the prior forum message to you:

    1. Has Online Armor been tested and confirmed to work with a PC running:
    .... VMWare ? ... or alternatively System Commander (from VCom) ?

    2. Does Online Armor make any modifications to the PC's Hard Drive's Boot Sector ? ... (I ask, since, I know utilities like System Commander do this, so could I have a conflict in the future running OA with System Commander or Vmware ?)


    Thanks, again for your time.
     
  24. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    At one time I had the current implementation of OA (trial) running in a VMWare virtual environment as well as on a workstation managing virtual machines without issues.
     
  25. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    @JBB

    Install OA, you won't be disappointed!:)
     