Process Guard, Prevx, Online Armour?

Discussion in 'other anti-malware software' started by ejr, Jun 8, 2006.

Thread Status:
Not open for further replies.
  1. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    this is only possible if u have a "family" or "business" license.

    i tried making my own policy once, but i found it overwhelming. there are many areas that Prevx1 protects and i did not feel like going through each one and changing how Prevx1 should react.
    if the malware is in a form of a script u can use WormGuard, Script Sentry, or similar program to prompt you when u run them.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks man. I will add this to my security setup. :)
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    How about program which only display ads (greyware)?
    Are they really devils?

    The greyware I define here is applications which will not do malicious activities on your computer, but some of their behaviours may be considered annoying/bad (not harmful).
     
    Last edited: Oct 11, 2006
  4. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Three situations:
    1) HIPS makes all the security decisions
    2) HIPS makes the security decisions (or advise me of their security decisions), but double-checked by me
    3) I do all the security decisions

    The third one is probably the worst for all except security experts.
    The first one seems to be what you prefer.
    Personally I prefer the second one. It is better for both security and non-security sakes (eg control harmless greyware or some stupid/annoying behaviours of green-ware).
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    ErikAlbert,

    About extensions and executables, some of the concerns:
    - there are many executable extensions. Could it block all of them?
    - "relying on extensions as a basic to determine whether it is probably safe to execute" is not a good idea. There are many techniques which can fool you that this file is safe to execute. If you see a file which is called myfile.txt and think it is safe to execute it, you are wrong. I'm not talking about basic masking techniques like double extensions (eg myfile.txt.exe) or spacing-masking (myfile.txt           .exe)
    - what if the malware writer hijacks your harmless extension, so that the harmless extension is now executable?
    - extensions can still be hidden even if you click on "show hidden and system files".
    - there are some more advanced techniques. Skip this part if you don't wish to read the details:
     
  6. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Although you may realise, I mention them again in case if you miss any of them:
    - Vulnerabilities of your OS
    You don't need to manually run the scripts/executables before you can get infected. Connecting to the Internet is just what you need to do to get infected. If a malware writer finds holes in your OS, it can infect your system without you doing anything except being online.
    Could your security product block such kinds of execution/intrusion? It's a question mark.

    - Apparently harmless files but containing malicious codes
    Some files may look as harmless as a text file but it can be malicious itself. As I have heard enough that people can get infected even if you are opening apparently harmless files (advanced methods or exploits are used to do this trick), I don't trust any file I receive, be it real *.txt or *.jpg, just to be on the safe side.
    I'm not sure how different security products encounter this sort of attack. How effectively can they still identify the malicious codes hidden in a harmless type of file?
    I did a test where I changed the extension type of the malicious file before I scanned it. This can successfully bypass some of the anti-virus programs. They are not able to detect it.

    - nullification and termination methods
    Now there are many malware which tries to terminate or nullify the security products before they have any chance to detect/stop them. If your security products cannot withstand these attacks, you will not be protected. For example, although Look'n'Stop can block many leaktests, it is quite weak against termination attacks (ref: firewallleaktester.com)

    - bugs and flaws
    Once again, every product has its own bugs/flaws/exploits. Malware can always find ways to bypass it, so that's the value of multi-layered protection.

    Note: The above applies to the security products generally, not just a particular security product.
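    The post above lists naming tricks (double extensions, space padding before the real extension) and this post notes that simply renaming a malicious file can slip past extension-driven scanning; the defender's counter is to judge a file by its content rather than its name. An added example, not from the thread: a small Python audit that flags those deceptive names and compares a file's declared extension with its leading bytes. The extension sets, the signature table and the sample files are constructed assumptions.

    ```python
    import os
    import tempfile

    # Extensions Windows runs directly, and ones users tend to treat as harmless (assumed sets).
    EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
    HARMLESS_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".pdf", ".doc"}
    # Leading-byte signatures; a PE executable starts with "MZ" whatever it is named.
    MAGIC = {b"MZ": "pe-executable", b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"%PDF": "pdf"}

    def name_findings(filename):
        """Red flags visible in the name alone: space padding, double extension."""
        findings = []
        base, ext = os.path.splitext(filename)
        if ext.lower() in EXECUTABLE_EXTS:
            if base != base.rstrip():                       # "file.txt      .exe"
                findings.append("space-padding")
            if os.path.splitext(base.rstrip())[1].lower() in HARMLESS_EXTS:  # "file.txt.exe"
                findings.append("double-extension")
        return findings

    def sniff_type(path):
        """Classify a file by its leading bytes instead of its extension."""
        with open(path, "rb") as fh:
            head = fh.read(8)
        for sig, kind in MAGIC.items():
            if head.startswith(sig):
                return kind
        return "unknown"

    def content_findings(path):
        """Flag executable content wearing a non-executable (or no) extension."""
        ext = os.path.splitext(path)[1].lower()
        if sniff_type(path) == "pe-executable" and ext not in EXECUTABLE_EXTS:
            return ["executable-content-in-" + (ext or "no-extension")]
        return []

    def demo():
        """Write constructed samples to a temp dir and audit them: {name: findings}."""
        workdir = tempfile.mkdtemp()
        samples = {"readme.txt": b"hello\n", "photo.jpg.exe": b"MZ\x90\x00",
                   "invoice.txt        .exe": b"MZ\x90\x00", "notes.txt": b"MZ\x90\x00"}
        results = {}
        for name, data in samples.items():
            path = os.path.join(workdir, name)
            with open(path, "wb") as fh:
                fh.write(data)          # "notes.txt" is a renamed executable
            results[name] = name_findings(name) + content_findings(path)
        return results
    ```

    Real scanners use far larger signature tables, but the principle is the same: the header, not the extension, says what a file is.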
     
  7. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    1. You are referring to Prevx1.
    3. You are referring to PG, AD, SSM.

    Please tell me which 2 is. I have never heard of a HIPS that advises a decision but allows the user to make the final decision. Which HIPS is this?

    muf
     
  8. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    All HIPS using whitelist because they warn about what they secure or not process

    Prevx1 do the same
     
  9. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    for classical HIPS (SSM, PG, etc) the whitelist is user-made.

    Prevx has a whitelist but it makes the decisions (ABC mode).

    as muf has said, i haven't seen a HIPS that prompts you but also gives u a recommended action.
     
  10. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England

    Nope, sorry but don't agree. That is unless I have misunderstood Prevx1. The only option you get from Prevx1 to 'make the final decision' is with CAUTION PROGRAMS, i.e. those programs that are either Greyware or not known. If a program is in Prevx's database as known good or bad then Prevx makes the decision. It doesn't advise it is good or bad then ask you to decide what you want to do. Unless that is I've missed this in the options.

    muf
     
  11. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Online Armour, another community intrusion program, should go into (1).

    Regarding your question, if you are talking about HIPS, not really.
    But I haven't tried many HIPS, so it may exist but I just haven't noticed.

    It's high time to develop "option 2" HIPS. :)
     
    Last edited: Oct 11, 2006
  12. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    You are probably right.
    Either "no control" or "full control".

    When you are in Expert mode, it won't display its recommendations at all.
    Prevx1 would become perfect when it displays recommendations plus doesn't pop up every time it blocks something.
     
    Last edited: Oct 11, 2006
  13. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Yes, I agree. A HIPS that uses an extensive Whitelist/Blacklist with the option to also have it display an alert box providing its own analysis, i.e. "It is known malware!" or "It is known safe". But if it also says "Allow/Deny" then this seems perfect. Obviously this would be an 'Advanced' setting for people who like to keep control :)

    Now this sounds great. If only Prevx1 had this capability...

    muf
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Wai Wai,
    FirstDefense-ISR is NOT a security software in any way, but I use one of its additional functions in my security setup, called "frozen snapshot".
    A frozen snapshot doesn't detect malwares, but it detects any change in my frozen snapshot and removes them during the next reboot.

    Whatever malware bypassed Look'n'Stop and/or Prevx1, they all have one thing in common : they changed something on my harddisk, in other words something in my frozen snapshot.
    Since my frozen snapshot removes any change during reboot, all these changes caused by installed malwares are GONE.
    That is of course theory, but nobody has proven yet until now that this theory isn't true in practice.
    As long as that doesn't happen, I trust my frozen snapshot, just like any other member believes in his security setup.
    So I consider my frozen snapshot as a 100% REMOVAL method of any change on my harddisk, including malwares and GOOD changes, because FDISR doesn't see the difference between good and bad changes, it only detects "changes".

    Vulnerabilities of your OS
    How vulnerable my OS might be, my frozen snapshot gives my OS back as it was before during reboot.
    Apparently harmless files but containing malicious codes
    Just like you, I don't download any suspicious file, but let us assume I do it out of curiosity.
    In that case I will download it in my frozen snapshot (not in my data partition) and execute it.
    If it causes changes in my frozen snapshot, they will be removed during the next reboot.
    If it causes changes in my data partition [D:], then I'm infected.
    I still have to think about this, because I can't solve ALL problems at once and I prefer to work systematically.
    First my system partition, the most vulnerable partition of all, then the rest.
    nullification and termination methods
    If this is possible, I trust FDISR to fix it. The main function of FDISR is "Immediate System Recovery" and FDISR allows you to boot in a healthy snapshot, BEFORE even Windows is started.
    FDISR's Pre-boot Screen, where you can select any bootable snapshot, appears BEFORE Windows even starts.
    bugs and flaws
    Doesn't matter, because they cause changes in my frozen snapshot and all changes are removed during the next reboot.

    My frozen snapshot, Look'n'Stop, Prevx1, ... aren't my only weapons.
    1. I have a CLEAN special archived snapshot = frozen snapshot, saved on my off-line external harddisk,
    which allows me to restore or to create a new frozen snapshot.
    2. I have a CLEAN special backup file, which allows me to restore all my snapshots.
    I call them CLEAN, because they were created OFF-LINE and that is my 100% SECURITY.
    I'm only afraid of rare HARDWARE VIRUSES, other disasters can be restored.

    I'm convinced that I'm on the right track with my crazy new "Rollback Intrusion Prevention System".
    The big lines are there, the rest are details and minor problems. I will fix them, it is just a matter of time.
    If I'm totally wrong, I will call it my "Rest In Peace System". :D
     
  15. Saint Satin Stain

    Saint Satin Stain Registered Member

    Joined:
    Feb 16, 2004
    Posts:
    222
    Location:
    Huntsville, AL and Greenwich Village, NYC
    It's been a long trek. Thank you folk for your ideas, opinions, craziness, paranoia, mistakes, and, especially, your zeal to state what you believe is the right security - sometimes with facts. Sometimes you have to settle on a security array that satisfies you for awhile. Security is ongoing. I have settled for awhile with these and they work together without conflict as long as you decide which anti-spyware runs real-time. I decided to use ZoneAlarm Pro's anti-spyware as on-demand and AVG Anti-Spyware real-time. I also have six scheduled scans with AVG A-S, two with NOD32. NOD32 seems to best Kaspersky only with stability and compatibility. If ZoneLabs had used Kaspersky before I downgraded to Pro, I may not have downgraded. ZoneLabs would have been wiser to choose NOD32. I am a Gizmo supporter so I believe as he does that Sandboxie, not GreenBorder, or other HIPS, is necessary. It may play nice with Prevx1 too; so far it does. Most time it's only used with the browsers and e-mail client. Here:

    AVG Anti-Spyware 7.5
    DiamondCS Port Explorer v2.110
    DiamondCS Wormguard
    JAP 00.06.006
    NOD32 antivirus system
    PGP Desktop 9.5.2.4075
    Prevx1

    RootKit Hook Analyzer 2.00
    Sandboxie version 2.64
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Trojan Remover 6.5.6

    ZoneAlarm Pro 6.5.737.000


    The ones in bold are real-time. I define real-time to include the passive, immunizing programs. These are backed by the on-demands of Ad-Aware Personal SE, RootkitRevealer, Spybot Search & Destroy, CWShredder, F-Secure Blacklight, Sophos Anti-Rootkit, Rootkit Hook Analyzer, a bunch of "intelligence" programs from Sysinternals, and ProcX, from Ghost Security+, with which I replace Task Manager. Of course before all of these I locked down the OS, XP Pro SP2 by disabling File and Print sharing, Simple File sharing, locking down the computer zone in Internet Options, unneeded services et cetera in a clean system, then installing the above. I also renewed the necessary paranoia and carefulness in my brain. My brain wasn't made by Microsoft, so there's hope.

    It is obvious from the discussions that I have benefited from your experiences and opinions and from discussions at CastleCops and other places. Webroot's Spy Sweeper is probably the best anti-spyware, but I have a license for AVG and it ain't a slacker. I sandbox Mozilla Thunderbird, Mozilla Firefox, K-Meleon, K-Ninja, Opera, and IE7. I replaced Firefox with Opera as my default; although I use Firefox second. Firefox's high memory use was the reason and Opera is probably more secure by a bit. So I use sandboxed three browsers in the Gecko family and Opera; I only use IE 7 for my Live blog, MSN pages, Hotmail, and Update. I wondered if Sandboxie and Prevx1 would cohabitate, and so far they seem to do so. JAP I do not use for the myriad familiar sites; it's only for exploration surfing. Of course I have the usual security add-ons for my browsers like SiteAdvisor, the extensions, etc. This is what I have for awhile.
    __________
    *I noticed that when the 'ghost' left DiamondCS, DiamondCS went downhill. Am I wrong?
     