Process Guard vs. Abtrusion Detector

Discussion in 'other security issues & news' started by Dazed_and_Confused, May 10, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Has anyone out there ever used Abtrusion Detector (http://www.abtrusion.com/)? I've heard nothing but positive comments about it (most recently at http://www.markusjansson.net/software.html). I'm torn between that application and Process Guard, which I understand is similar in many respects. I've been leaning towards Process Guard simply because I like DCS's other products (TDS-3, Port Explorer), but I've heard AD has more to offer. I need something similar to fill what I think is the final hole in my security portfolio. Suggestions, anyone?
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There was a comment in this thread that AP slowed down someone's system unacceptably. This comes up in the PG v2.000 FREE version vs Abtrusion Protector thread also.

    However if you want application control, consider System Safety Monitor also - it is a free application firewall that intercepts all calls between programs as well as process termination and DLL injection attempts. It does require careful judgement as to what to permit and what to deny (for instance, mouse/touchpad drivers that offer extra features implement these by injecting their DLL into every other running process - so you need to allow this behaviour to benefit from their features) but can give a good deal of insight into what goes on in your system. It can also monitor (parts of) the Windows Registry and .ini files, alerting you to any changes.

    The main downside of SSM (aside from it being a slow download) is that it is easily terminated itself - so you may want to use the (free) version of ProcessGuard to protect it. ;)
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, Paranoid2000,

    Thanks for the response. "Slow Download" - That's an understatement. :) Even their web page loads slow. I have heard of SSM before. I get the impression you prefer it to AP. What is your opinion of Process Guard compared to these two?
     
  4. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    I noticed some performance decay immediately after installing AP; however, this disappeared after it completed the initial recording of the database it requires. Since then, there has been no change in either the CPU or memory values that were recorded prior to the installation.

    For whatever reason, PG never seemed to work well with my system (Win XP) and AP has given me no difficulties after the initial start-up period. Hopefully it will provide similar protection.

    I would really appreciate hearing anyone else's experiences with AP.

    Bdiamond
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Be fair, the author is using a free web host :) (any donations received are pledged to a faster site though).

    I have not used AP myself - but the information on their site does suggest it is more of a "fire and forget" solution with little scope for tweaking while SSM can be extensively configured on a per-application basis. I've not used PG either (!) so can't comment authoritatively - however there does appear to be some overlap between the two with PG seemingly offering more in individual process permissions and SSM offering application<->application control (e.g. Explorer could be permitted to run Notepad but blocked from running Calculator). Do feel free to correct any inaccuracies in this impression though. :D
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    SSM uses "user-mode" style hooking to achieve what it does. So its protection can easily be bypassed by any program that wants to do anything harmful. However, I am pretty sure there is no malicious software available at the moment that can do this, so you are still pretty safe with SSM currently.

    SSM has a lot more features over Process Guard, whilst Process Guard has a lot more features over AP. Process Guard and AP are both kernel-based protection systems, which is a positive over SSM. Some people do not like what AP does to their system, how it constantly background-checks DLLs as they get unloaded and loaded. AP also doesn't offer much in the way of flexibility or interface; it simply does what it says without much fanfare.

    Process Guard does pretty much what AP does (without the performance hit) with a bit of SSM mixed in and some unique features like blocking drivers, global hooks, etc. Some people experience problems using Process Guard which is a negative, but with such a technologically advanced program you cannot expect it to be perfect on everyone's machine.

    AP, on the other hand, I haven't really heard many people have problems with (besides its performance), so I would say it would probably work on more machines than Process Guard would. It all depends on what features you need: if all you need is an executable/DLL file hashing program then you should go with AP. If you need more security and features then go Process Guard.

    I would recommend SSM after AP or Process Guard simply because I know how easy it is to get around SSM's protection, but until there are threats in the wild this doesn't really mean much.

    -Jason-
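    A minimal illustration of the "executable/DLL file hashing" approach Jason describes, added here as example code (it is not taken from AP, PG or SSM): it records a hash baseline of the binaries under a directory and then reports anything modified, newly dropped or missing. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as executable code, the same class of files AP hashes.
MONITORED_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not be read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash of every executable/DLL under root, keyed by relative path."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in MONITORED_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def check_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline; anything that differs is untrusted."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "unknown": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "app.exe").write_bytes(b"MZ constructed sample executable")
        (root / "system32" / "helper.dll").write_bytes(b"MZ constructed sample dll")
        (root / "readme.txt").write_bytes(b"not code, so ignored by the baseline")
        baseline = build_baseline(root)
        # Simulate a patched DLL, a dropped new executable and a removed binary.
        (root / "system32" / "helper.dll").write_bytes(b"MZ patched dll")
        (root / "system32" / "dropper.exe").write_bytes(b"MZ constructed new file")
        (root / "app.exe").unlink()
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

    A real product does this check at load time in the kernel rather than by rescanning the disk, which is exactly the difference between this sketch and what AP and PG do.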
     
  7. SnowGuy

    SnowGuy Guest

    *Not intended to be OT*


    One point that is being overlooked by many vendors is OS compatibility.
    And I certainly compliment DiamondCS for not having lost that insight.
    Many Users have no desire to upgrade their OS.....others like myself may use more than one OS....and no desire to upgrade.....so no matter how great a product may be it's totally useless if it won't fit a person's OS.....
    DiamondCS continues offering very good products that match numerous operating systems......even SSM does.......
    When I see great products like TDS3 continuing to meet my needs I stay with the vendor......AD has failed to meet my OS requirements...and should the vendor ever make a retail product I won't waste my time to even look at it. I am not interested in hearing excuses of why a certain product won't match a certain OS.....make it match.....that's that.
    When a vendor is loyal....so should a purchaser be. Now this may appear OT but it's a far cry from it......there are tens of thousands of USERS being left stranded by vendors who refuse to meet the Users' needs.......very bad marketing limiting one's sales potential.
    So which is the better product......the product is the vendor....that's what is really being purchased.....updates..etc.....how serious am I on this.......serious enough to have a note full of names of vendors that have abandoned Users....vendors I will never use........
     
  8. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yes I should have mentioned SSM supports Win9x, whereas Process Guard and AP don't. Good point Snowguy. So if you have Windows 9x then pretty much your only choice is SSM. :)

    At DiamondCS we always try and get every single operating system we can supported for each product. For Process Guard it is obviously impossible to do what it does on Win9x, so we cannot add support for Windows 9x. However, Process Guard is the only product we have that is like this, and all of our upcoming releases are Windows 95/98/ME/2K/XP compatible.
     
  9. SnowGuy

    SnowGuy Guest

    Jason

    You guys have always stood by your products and with your Users...offering the best among the best.......and one product that does not meet all needs ...among the several that you do produce.. that do meet all needs.......it's more than acceptable........and speaks very highly of you guys.


    Speaking as a business person.... it seems "marketing suicide" to ignore the needs of thousands of users.....as some vendors are doing.....just bad business. No one is going to go out and spend 2k for a new computer in order to have an OS that matches a product...just won't happen.
    In my work I must maintain high security......talk of future computers having tracking chips....or whatever....forces me to take pre-cautions I would not have even two years ago........
    A computer I recently lost cost 3k....plus about 2k in added software....those vendors by ignoring my needs lost sales....I didn't.
    Nor do I care what a product costs...as long as it meets my needs....

    If I have a problem with a product I need someone fast.... a one hour delay can cost me tens of thousands of dollars or more....and I know DiamondCS is there....pop over to this site....moments later someone replies......so who will I be loyal to......whose products will I purchase....is there any doubt
    Business is business....the making of a profit.....a product for Win95 may sell only once....but you gain a loyal customer and future sales.....that customer continues returning to purchase products....eventually may upgrade his OS and need more products.....more sales.....building a bond between customer and vendor.......
    Sorry....I can get a tad bit carried away on the subject of business
     
  10. SnowGuy

    SnowGuy Guest

    LOL....for anyone who may not have understood....I would go with the DiamondCS Process Guard........a good product backed by a good vendor
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Thanks for the post Jason - most informative... ;)
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi All, I cannot comment on Abtrusion protection but SSM and Process Guard can work together quite nicely, using Process Guard to protect SSM from malware - Although now I only use Process Guard since version two was released. :)
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    As I mentioned in my original post, I was leaning towards PG because I'm very happy with their other products. And as SnowGuy said:

    I assume he's speaking of the private forum. Have not really used it much, but I know they are really watching the public forums too. SnowGuy is correct in saying that you can't discount good support.
     
    Last edited: May 11, 2004
  14. c0ltran3

    c0ltran3 Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    172
    I've been using Abtrusion Protector with an AMD Athlon 2200 and I haven't had any serious decay of my performance.
    I'd like to suggest looking for other material about AP.
    You can find other threads in this forum and you can search in the Broadband Security Forum.
    As was previously said, there isn't any serious support from the producer.
     
  15. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Jason, I really appreciate your comments. It's apparent you're familiar with the subject. One more question, if you don't mind.

    Scenario: It has been said that if one does NOT have an AT, the AV to consider is KAV because of its Trojan detection abilities. However, if one DOES have an AT, NOD32 is the way to go because it's faster and just as good as KAV at detecting viruses, and KAV's trojan detection abilities are not needed.

    So, considering my existing security portfolio (see details in my signature), which of the three (PG, AD, or SSM) in your opinion best fills the void? In other words, since I already have a good AV, AT, AdWare, etc. scanner, which of the three (PG, AD, or SSM) is the best fit, or does my existing portfolio not make a difference?
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    While I'm not Jason,:D there are a few comments I feel I can usefully make...

    The answer will depend in part on your preferences - some people like a "fire and forget" solution that they just install and never hear from again while others like minute control over configuration and notification of anything and everything, even if it means a blizzard of popups.

    Abtrusion Protector appears to cater more towards the first group, offering little in the way of configuration options. System Safety Monitor (your download may have finished by now!) has lots of options and will provide enough popups on application activity (at least to start with) for the most click-hungry. Jason's post suggests that PG lies between these two.

    As such, it may be worth using SSM with the free version of PG to protect it from termination. That should give you enough experience of PG to decide if you want/need the full version - and whether it could replace SSM completely.

    Looking at your other items, I would make the following comments:

    Anonymizer: I would suggest using the Java Anonymizing Proxy instead. It is free (currently a research project) and the client software is open source which means that any attempts to back-door it are likely to be detected (see my comments in this thread for more details) which cannot be said for any closed-source product. Also, JAP is based in Germany so is free of the increasingly invasive legislation being passed in the United States.

    ZAPro: ZoneAlarm offers quick and simple configuration - but for the ability to control network permissions more closely, consider a rules-based firewall like Kerio or Outpost (at the risk of blowing my own trumpet, I would suggest a look at A Guide to Producing a Secure Configuration for Outpost to provide an idea of what a rules-based firewall can do - check the rules for svchost.exe in section E).

    Web/Ad Filtering: This can play a key role in blocking spyware (known or not) from getting on your system. Some firewalls (Kerio Pro and Outpost) offer this via plugins but you can also get specialised filters. The most powerful is Proxomitron which can allow you to rewrite the HTML code of incoming web pages - that power however does come with a somewhat steep learning curve when writing your own filters. There are filter collections available though - and I have found this the only way to get rid of some particularly stubborn ads. For an easier-to-use option, try WebWasher (they have a free version for non-commercial use). If you use these to filter all ActiveX, Java and Javascript then no spyware is going to get on your system via a web page - guaranteed. However it is also guaranteed that some web sites will become somewhat less functional - requiring you to relax settings for them (covered in section G of the Outpost guide above).

    Internet Explorer/Outlook Express: You do not mention these, but if you do use them then dropping them is a good security measure. IE has new vulnerabilities discovered on a monthly basis while OE is probably the application most responsible for virus propagation (and uses IE for HTML rendering, thereby gaining its problems too). Consider Firefox or Opera for a browser alternative (both also offer usability and speed improvements over IE) and Thunderbird for email.

    Aside from that, I would suggest that you may be over-protected for straightforward web/email usage (I would consider dedicated anti-trojans more necessary for those who use Usenet, IRC, P2P and other applications where files can be offered anonymously) but better that than the opposite!
     
  17. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Wow, Paranoid2K! That's quite a response. I think I'm going to give AD a try. I really hate installing and uninstalling products - they inevitably always leave traces of some type. I usually wind up reinstalling op system every 12 mos just to get a clean start.

    At the risk of getting off subject... :oops: I really do need to switch to a new browser and Email proggy - thanks for the suggestions....Just bought ZAPro a couple of months ago, so I'll have to live with it for a while....I think I'm fairly protected in the area of ad filtering / spyware...Never heard of JAP - took a look at their site - hard to believe it's more secure than the encryption/tunnelling technology used by Anonymizer, but I think I'm going to give it a try. Thanks again! :-*
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    JAP uses an encrypted tunnel also - but you have the option of routing it through multiple servers (mixes). That way, your anonymity can only be compromised if all the mix operators try to track you. It can be a little slow at peak times though (check mix availability and performance and switch to a faster one).
     
  19. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    This thread got me looking at Abtrusion Protector. I've been using SSM for quite some time, but long-standing (though minor) irritations have caused me to disable it recently:
    • It halts Boclean updates until I tell it to allow the update. Wish SSM had an exclude option.
    • Seems to have a memory leak (discussed and confirmed in an old thread) that causes SSM to crash on my system if left running for more than ~12hrs. Requires an occasional restart of SSM.
    So looking at Abtrusion Protector, and maybe also PG. Have already reinstalled Reg Prot.

    I don't know if I have any well-defined questions for this thread yet. Perhaps wondering if I need anything at all in addition to AV, AT, FW, and RegProt. Also wondering how AP will react with Boclean, and for that matter with Total Uninstall. Since there don't seem to be a ton of AP users here at Wilders, I guess I'll report back my experience.

    -Optigrab
     
  20. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I would appreciate that Opti. I am currently evaluating DCS PG, and had a problem the other day (see here). As a matter of fact, I was just in the process of trying to download SSM when I was alerted to your post. Never tried either SSM or AP, but as you can imagine, I'm still not sold on PG. Looking forward to your evaluation.
     
  21. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Will definitely keep you posted, but it might take a little time.
     
  22. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    D+C I would recommend AP over SSM to monitor process execution. I tried them both . Loved AP. I dropped it when I installed PG. Haven't had any problems with PG . I know you have. Strange things these puuters.
     
  23. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Will. I think I'm going to stick with PG for now, until the next crash...
     