Ransomware n poor protection by HIPS

Discussion in 'other anti-malware software' started by aigle, Jul 10, 2008.

Thread Status:
Not open for further replies.
  1. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Erik Correct me If wrong but with AE you can install anything you want as long as you allow the excutable.If not AE kicks its but to the curb so to speak.If something tried to exacute and run on its own, it can not with out your knowledge or approval.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Any not-whitelisted executable (good or bad) is stopped immediately and AE doesn't even ask, it only gives a message that the executable (good or bad) is stopped. AE has to be OFF (= my permission) before I can download and install a new application.
     
    Last edited: Jul 11, 2008
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Ah ok understand know how it works by your clear discription.I may just give it another go.I had a serious crash from it so never got a chance to see whats under the hood but I sure like what I hear of it.Hey its making a difference at the LAPD:D
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,351
    Location:
    Hawaii
    SSM has a free version for Win9x. NOT free for XP & Vista.

    As for HIPS being "annoying" -- the children in my 7th grade computer class use SSM, Comodo, et alia, quite readily. "So easy a child can do it." ;)

    Properly installed & at-least-minimally-trained, a rulebased HIPS does a splendid job, with few pop-ups.

    As for AE -- now THAT'S annoying!

    Just kidding Erik -- I agree that AE has its uses. Just not my cup of tea, if you get my drift. Shalom.:)
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Keep in mind that the new AEv3 is still buggy, I still run AEv2. Your timing is a bit bad.
     
  6. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Hey bellegamin your are funny lad:D Anyways My 5 yr old goes to K-school and can use a Imac and goes on the net to play A Sponge Bob gameo_O
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    yes I guess so,I try at a latter.
     
  8. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Tested Defensewall protection against modifications to files with above extensions by an untrusted executable.
    - 40 were protected, 21 were not protected
    I really don't know how important the unprotected files are. One particular file type though I would have considered important. Most file types that I do recognise are protected. Will pass info on to Ilya.
     
  9. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    For completeness, I checked all extensions for all versions of GPcode detailed in viruslist. There are some 272 file types that can be affected by GPcode!

    Defensewall prevented modifications to 101 file types.
    171 file types were not protected from modification, probably for perfectly valid reasons. It was interesting to see what files are and are not protected from change by Defensewall and I can take measures to protect files I feel are important.
     
  10. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello hammerman,

    I very much appreciate your attention to detail and thoroughness in verifying which file extensions were protected and were not protected by DefenseWall(DW) by default. Your efforts will not only help fellow DW users, but will also help others as well. Keep up the good work!:thumb:


    Peace & Gratitude,

    CogitoErgoSum
     
  11. wat0114

    wat0114 Guest

    Actually, free version for '98, 2K and XP...not for Vista

    http://www.syssafety.com/product.html

    Scroll to bottom of linked page.
     
  12. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    run the test with Prevx2....is what i am requesting, but it seems a couple of you want to call me out over my assertion that Prevx2 is the "most effective".

    and what flavor do you prefer your proof? sreenshots of different apps showing malicous processes, and various pop-ups, and such? Aigles gig. far too labor and time intensive for me. personal experieince, and testing and evaluation? i have used Prevx for around 2 yrs, and Threatfire as well, on and off for the same amount of time, in fact for awhile even ran them together with Online Armour on the same snapshot.

    tecnically i feel Prevx2 is the more effective BB, because BB is not it's bread and butter. the community database is it's most prominent, as well as it's first line of defense. however it still showcases (if set up correctly by the end-user) very powerful BB tecnologies. Prevx2 can recognize over 300 malware behaviours as opposed to (last i read anything on it) 86 for Threatfire, 200's for PRSC & Anti-Bot (could now be more my data is months old). Prevx2 can unpack suspected files to look for bad stuff and actually preview it in a sandbox like environment, before actually allowing the file to run. "the other's" have no such capability. on paper it has superior capabilities in my opinion over it's also ran competition.

    in real-world testing i have done with Prevx1 & 2 and Threatfire, Prevx2 was the more consistent stopper. if set-up properly ie using Prevx as an automated anti-malware security app.

    1) ABC mode
    2) Unknown set to run instead of query (this is when the other Prevx2 capabilities, come in when an unknown file is set to run Prevx will watch it, compare it's behaviour against 300 + profiles, utilize it's 7 signatures technology, as well as the sandboxing and other detection technologies)

    i ran probably close to 300 malicious files against Prev 1 & 2 and saw first hand some of these technoligies come into play. if a file was identified as bad by the community, often i would go to the "jail" set the file to probation (allowing it to run) and see the BB capabilities nail the infection. when i was actively comparing Threatfire against Prevx2, i never encountered an infection Prevx wouldn't stop, that was stopped by Threatfire. the reverse could not be said in my testing.

    while still not hard proof, my agenda was not proving anything to the masses, but which app served my purposes the closest.

    i believe if one takes into account the very powerful Community Database, the enormous capability Prevx has because it does not reside on the end-users computers, but on Prevx servers is a huge key no one ever refers to. when i was on much better terms with Prevx i was given a peek into the capabilities that Prevx has right now, that it's handlers, for reasons of their own, have not flipped the switch for, is astounding (inbound firewalling, for one). the present ability to react to malware as a behaviour blocker, sandboxer, or even a limited signature guided app, memory and disk protection
    elevates Prevx2 in my opinion to more than a single dimension behaviour blocker.

    went way long, and again, while it may not constitue hard evidence, you may now have an idea why i characterized Prevx2 in the fashion i have. there is not another BB with the instataneous flexibility, diverse malware detection feature set, and infrastructure that is present with Prevx2.


    Mike
     
  13. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Thanks for the correction.
     
  14. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    But you need to turn of protection right?

    Thanks
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,351
    Location:
    Hawaii
    Thanks for correcting me, wat. The "free version" ostensibly will run on XP.

    I enjoyed & benefitted from your SSM tutorials in THIS Wilders thread. I hope you add to them when you have the time.
     
  16. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    My point is, you could easily have said:
    "before completely writing off behaviour blockers, would someone test Prevx2?" I mean, what's wrong with that? If it's good, it will block it and someone can post the results and everyone will be happy.

    I'm not sure how is Prevx more effective behavioural blocker because BB is not it's main function? (If that's what you mean by bread and butter?)
    Well it would be better if it was effective without manual configuration?
    Numbers of behaviours don't mean a lot of vendors can have different way of counting and the quality of the rules are being disregarded
    Community Databases relying on the masses generally are quite unreliable, because why would you trust a bunch of users when they were probably just guessing? Even if it is useful, it's not unique. Mamuto also has this, and Comodo has a ThreatCast beta. I think ThreatFire's community database sends information to experts to analyse, which is a much more reliable option. Also, the community database requires constant internet connection, which not everyone has.
    Well if product X uses one way of detection but is very effective, isn't that still better than product Y which uses 50 ways of detection but is not so effective?

    Thanks
     
  17. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    hey, community database with Prevx is not the same as taking the pulse of 5 million knuckleheads that know no more than yourself.

    the rest not responding to, already have typed more than i like. you are right about whatever. now will someone test this with Prevx2?


    Mike
     
  18. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    How is it not the same?

    Thanks
     
  19. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    it's an actual blacklist, much like an AV (which i suspect you already know) as opposed to an advisor set-up that informs of what other users have chosen to do.

    btw. are you presently using a BB?


    Mike
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    aigle, you may want to check this out

    http://www.pctools.com/forum/showthread.php?t=52157

    I used a number of them for awhile, they work really well coupled with some other neutering/tweaking. I just don't like all the disc activity TF introduces.

    Sul
     
  21. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    well, perhaps we don't own the same writing style, you and i? and everyones happiness is not currently a goal of mine.

    apparently not. is it beyond your understanding that something can do more than one thing well....even exceptionally well? to your thinking, is it even remotely possible? i have seen Prevx2 stop malware that was flagged as bad by the Community Database, and even after going in and reallowing the file to run, Prevx2 stopped it based on what it was doing in the system (it's behaviours), where Threatfire remained silent.


    that would be my vote, for Prevx2 to come out of the box as an automated malware tool, and that 's that. however to appeal to a more broad base of users, to include people that enjoy/feel good...whatever, about being able to tinker, my guess is Prevx allowed user to have some configuration choices. the recommended setting is ABC, with unknown allowed to run.

    well i suppose for the sake of giving your argument the appearance of some validity, you can impune the integrity of the vendor. what are some of the different 'ways' you have seen vendors count rules, undermine quality, to render the actual numbers useless?



    Prevx's database is not an advisor function.

    wrong again, with respect to Prevx database (but at least you are on a roll)

    well partly right. Prevx does default to checking with the Community first, but if there is no network connection, Prevx will still query the user (much like a standard HIPS) and if the user chooses, Prevx will still block the suspicious file. isn't Threatfire, Mamutu, Drivesentry, PRSC, Anti-Bot alll recommended to have an internet connection to maximixe protections? in fact isn't it fairly common now for security apps to request, if not requirre internet access?

    only if one has the myopic viewpoint that a security app is not better served by detecting malware in more than one way. the goal (for me) is that my pc is as thoroughly protected from malicious code (within reason) as possible. i believe Prevx2 casts a broader net, and is more effective than any similar software currently on the market.

    you know what may be amusing, we are engaged in this back and forth, and i no longer use Prevx, on my pc. i use Threatfire on all but my Online Armor snapshot. my license has expired and as much as i miss the software itself, i will not support with my dollars a prouct that has not been upgraded in 6 months if you consider build 127, which only tweaks the engine to accomodate XP SP3 and i believe Vista (still beta) SP1, if one doesn't count that as an upgrade, than it's been closer to 10 months without a significant upgrade. forum support has all but vanished for many months now as well. so while i believe Threatfire is a distant second place for this type of app, i am still using it. and overall pretty pleased with it. if Prevx comes out with an update, which there has been innuendo, that they may, then i will probably, almost certainly, truth be known, re-license.


    Mike
     
  22. wat0114

    wat0114 Guest

    Thank you Bellgamin :) I'm busier than usual of late, but I will add to them when time permits. Hopefully others can as well. There's so much ground to cover in that thread.
     
  23. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Sorry, I did not know this? o_O
    Can you explain in detail how it works?

    Is OA a BB too? Well I've been using TF for a long time but recently switched to OA.

    Thanks
     
  24. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    No, I mean you could have just asked the question without adding it's the best - it is irrelevant
    I think there's a misunderstanding. I thought you said Prevx was a MORE effective BB because it was not it's main functionality, which seemed very weird. I don't know the actual effectiveness of the BB myself.
    So for Prevx to be effective it needs a lot of pop ups? If so, isn't it dependent on the user how good it is? Not everyone is as smart as you.
    I'm not a vendor, so I don't know. :) But you can't just assume all vendors count the rules the same way.
    How does the Prevx database work? I thought it was like a normal community database? o_O
    No need to make fun of me, ad hominem isn't very nice
    Yes, but Prevx requires CONSTANT internet access and is more dependent on it than some other apps, like the Community Database is a large part of it's protection
    Well not if they implement the protection badly. I'm not saying this is true with Prevx, but the way you list off all of the different protection methods seems like you're swallowing their advertisement. :)
    Well if it's the best by far why do you keep on using it? If it is so good the lack of updates don't matter
    Hey cool. I always used the use TF until a few days back when I switched to OA

    Thanks
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I have not used Prevx since long but if it is such a nice behav blocker, their developers should seriously think of releasing a slimmed down version of it without signatures and community data base- purely as a behav blocker like TF, Mamutu and PRSC/ Norton Antibot.

    If it proves good, they can get a big maketing adavantage.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.