Rate your Security Software

Discussion in 'other anti-malware software' started by toploader, Sep 27, 2005.

Thread Status:
Not open for further replies.
  1. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    We have all seen the independent tests rating security products for their effectiveness but how much do YOU trust the realtime security software on your machine to 1- catch the nasties? 2- run reliably without crashes or conflicts? How secure do you think your system is from stealth trojans, rootkits, hijackers, exploits and worms that are at this very moment doing their utmost to crawl in through your orifices?

    this includes HIPS like prevx, pg, regdefend, oa, winpatrol etc, Sandboxes like sandboxie, shadowuser etc, Realtime Spyware Trojan and Virus Scanners like spybot teatimer, MSAS, counterspy, webroot, spyware doctor, ewido, BOclean, UnHacME, Nod, Kaspersky and so on.

    this is of course a subjective test (and is meant to be) please state what you are running and give it marks out of 10 for how secure you feel when your product(s) is up and running in the machine.

    i use very little realtime monitoring at the moment as i am concerned about software reliability (crashes, bugs, conflicts, heavy resource usage) so tend to rely mainly on on-demand scanning.

    i'm currently running AVG - this i give a security rating of 5 out of 10 it has found one or two things including a trojan and runs pretty reliably but seems to perform poorly on independent group tests probably because its trojan-finding capabilities are not all that hot and its spyware detection is very low. (it's mainly a virus scanner) - remember these are my subjective scores based on how secure i think my computer is with it running.

    i also run winpatrol free which is useful for monitoring auto startup lists and protecting the registry and seeing what processes are running - but it only polls about every two minutes time enough for a trojan to get in and disable it - i give this also 5 out of 10 - if i were running the plus version i would probably increase the score to 7 out of 10 with the addition of R.I.D - this could well go higher but i would like to see tests conducted to assess its ability to deal with backdoor keylogger trojans like Srv.SSA-KeyLogger, to really assess its worth as a HIPS. the same goes for all the other hips and realtime scanners.

    The marks out of 10 you give for each product reflect how secure you feel with that product running in your machine. in other words - do you feel secure enough to use your credit card, run a p-2-p download or open an unknown attachment on the web with IE/outlook? (no cheating here by using firefox/thunderbird - what we are assessing here are realtime intrusion detection systems.)
     
    Last edited: Sep 27, 2005
  2. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    extracted from the web....

    To bypass firewalls and IDS/IPS software, there are two approaches: active and passive. Both approaches must be combined to create a robust rootkit. Active offenses operate at runtime and are designed to prevent detection. Just in case someone gets suspicious, passive offenses are applied "behind the scenes" to make forensics as difficult as possible.

    Active offenses are modifications to the system hardware and kernel designed to subvert and confuse intrusion-detection software. Active measures are usually required in order to disable HIPS software (such as Okena and Entercept). In general, active offense is used against software which runs in memory and attempts to detect rootkits. Active offenses can also be used to render system-administration tools useless for detecting an attack. A complex offense could render any security software tool ineffective. For example, an active offense could locate a virus scanner and disable it.

    Passive offenses are obfuscations in data storage and transfer. For example, encrypting data before storing it in the file system is a passive offense. A more advanced offense would be to store the decryption key in non-volatile hardware memory (such as flash RAM or EEPROM) instead of in the file system. Another form of passive offense is the use of covert channels for exfiltration of data out of the network. Finally, a rootkit should not be detected by a virus scanner. Virus scanners not only operate at runtime, they can also be used to scan a file system "offline." For example, a hard drive on a lab bench can be forensically analyzed for viruses. To avoid detection in such cases, a rootkit must hide itself in the file system so that it cannot be detected by the scanner.

    Bypassing Forensic Tools - Ideally, a rootkit should never be detected by forensic scanning. But the problem is hard to solve. Powerful tools exist to scan hard drives. Some tools, such as Encase, "look for the bad" and are used when a system is suspected of an infection. Other tools, such as Tripwire, "look for the good" and are used to ensure that a system remains uninfected. A practitioner using a tool like Encase will scan the drive for byte patterns. This tool can look at the entire drive, not just regular files. Slack space and deleted files will be scanned. To avoid detection in this case, the rootkit should not have easily identifiable patterns. The use of steganography can be powerful in this area. Encryption can also be used, but tools used to measure the randomness of data may locate encrypted blocks of data. If encryption is used, the part of the rootkit responsible for decryption would need to stay un-encrypted (of course). Polymorphic techniques can be used to mutate the decryptor code for further protection. Remember that the tool is only as good as the forensic technicians who drive it. If you think of some way to hide that they have not, you might escape detection.

    Tools that perform cryptographic hashing against the file system, such as Tripwire, require a database of hashes to be made from a clean system. In theory, if a copy of a clean system (that is, a copy of the hard drive) is made before the rootkit infection takes place, an offline analysis can be performed that compares the new drive image to the old one. Any differences on the drive image will be noted. The rootkit will certainly be one difference, but there will be others as well. Any running system will change over time. To avoid detection, a rootkit can hide in the regular noise of the file system. Additionally, these tools only look at files, and they may only look at some files—maybe just files considered important. They don't address data stored in non-conventional ways (for example, in bad sectors on a drive). Furthermore, temporary data files are likely to be ignored. This leaves many potential places to hide that will not be checked.

    If an attacker is really worried that the system administrator has all things hashed and the rootkit will be detected, he could avoid the file system altogether - perhaps installing a rootkit into memory and never using the drive. One drawback, of course, is that a rootkit stored in volatile memory will vanish if the system reboots. To take things to an extreme, perhaps a rootkit can install itself into firmware present in the BIOS or a flash RAM chip somewhere.
     
    Last edited: Sep 27, 2005
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    At the present time I have the most trust in NOD32, Process Guard, and Online Armor. Of course I have First Defense ISR to back me up.
     
  4. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi William is your trust 100% in your defence software's capability to repel all known nasties?

    i think a good test for this would be to have a file on your computer that contains all your bank account and credit card numbers and passwords etc

    if you are willing to leave it there as a prize for the most resourceful spy trojan to find - it would indicate that you trust your defences 100%
     
  5. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I didn't say anything about 100%. That is why I am always looking to improve my protection. My biggest concern is me. I have a problem with programs that keep asking me what to do. I don't trust me. And I certainly don't trust my wife to make the correct decision. I am trying to learn as much as I can and don't mind paying for a good program. Right now I am looking at a program on the line of Sandboxie or that type.
     
  6. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Not sure that anyone trusts their defences 100%

    That would imply that if a malware author wrote 100 different types of new malware (so undetectable via signature scanning), 10 of those including newly discovered vulnerabilities (in browser/firewall/whatever) that your defences should stop them.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Try ShadowUser if money isn't a problem for you.
    If you search in this forum, you will find some good posts too.
    http://www.shadowstor.com/products/ShadowUser/
    A totally different philosophy than definition/heuristic-based solutions and proactive solutions, and easier too once you understand it.
    ShadowUser means "Whatever you do, whatever you download and try, it won't hurt your computer.", if you are in ShadowMode.
    If you like to have your freedom back on the internet use ShadowUser or ShadowSurfer.
     
  8. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Yep, what ErikAlbert says is pretty much spot on. SU is perhaps my most trusted program.

    Of course, when you are installing, then you have to disable SU, but while using SU your computer is safe from permanent infection...reboot and it's gone.

    While using SU, you are safe on the internet...except in any folders you choose to exclude from SU (but seeing as almost all spyware/trojans/worms want to autorun, and to do so they need to access the registry, or windows folder, you are safe from them)...so perhaps the only thing I could see that 'might' get through is a true virus attaching itself to an exe in your excluded folders (of course if you don't use excluded folders, then nothing gets through, everything new disappears after reboot)

    That was one reason that AntiMalware interested me...seeing I use excluded folders....prevents true viruses from attaching to anything in my excluded folders :) Basically, AM is meant to prevent any malware (untrusted programs) from changing any trusted programs (what was on your computer when AM installed)...so if malware downloads while you are in ShadowMode (SU), AM will prevent said malware from operating in a malicious way...until the malware is removed upon reboot.

    And I use OA for any installs (when SU is off)...tracks everything...so I can uninstall if I find it's malware (perhaps excepting something that gets to kernel level...but I think that with AM running, it should be able to remove even that...can't say for sure though)

    Dunno what sort of rating I'd give the individual programs...nor even the setup.
     
    Last edited: Sep 27, 2005
  9. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    i know how you feel William - too often i press things and ask questions afterwards. oops i didn't mean to press ok i meant cancel! :D
     
  10. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    is shadowuser pretty much crashproof and user friendly? - i see there is something called shadowsurfer too?
     
  11. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I've never heard of anything crashing it. It doesn't seem to cause conflicts with anything. SU is very user-friendly, very easy to understand. It just may not be for everybody, because of the way it works (requiring reboots to disable SU when doing certain things - installing being the main one)...but for those who don't mind doing that, it really is the best security.

    Sorry, I haven't used ShadowSurfer, so can't give you much more than what's on the website about it.
     
    Last edited: Sep 27, 2005
  12. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Too bad ShadowUser doesn't have a "Shawdow COST" ($70!!!) - LOL

    Is that a one-time fee, Vikorr? Or annual? (can't imagine, but need to ask anyway)......
     
  13. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Yeah, it's pretty expensive. Deepfreeze is cheaper at $29 (I think) if you want to partition your hard drive and move programs that you update/change a lot to the new drive.

    It's only a one time fee...heheh, that'd be hugely expensive if it was yearly.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    WilliamP doesn't need Shadow user. He is already using First Defense ISR which accomplishes the same thing. FDISR is also up to $60 right now and worth every penny. Already paid for itself. Plus now it has backup capability, the ability to export a snapshot, and a freeze mode which can reset the computer back to the start of the day.
     
  15. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    does anyone know what level of security one gets from booting windows from a cd?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Hi Toploader

    With a grin on my face, I'll say I'd bet it would do a good job of keeping you from running very effectively.

    Without any attempt to justify why, I am running Outpost 2.7, Kav 2006 beta, ProcessGuard, Wormguard, Safe'n'sec beta, Online Armor, and common sense. Plus I run First Defense to allow me to undo any screwup. I feel pretty close to 100%. Now if you ask if I'd go to a website, with known nasties, my answer is common sense would block that action.

    Pete
     
  17. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi Peter - that looks a pretty comprehensive setup

    can i ask why you are running pg + online armour + Safe'n'sec? - i would have thought they all do the same thing? - or are there areas in which each one has particular strengths?
     
    Last edited: Sep 29, 2005
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Hi Toploader

    Actually, I forgot Regdefend. To answer your question, yes there is overlap, but each does have unique strengths. But also remember some of SnS's great strengths are in the beta, not in the public release. Interestingly, the greatest difference in strengths lies in areas that greatly impact the security of Internet Explorer. I use IE, because I have some software that requires it, Plus I just like it. Also I find I like it at a somewhat lax security setting. Both SnS beta, and OA really nail down anything bad from happening, plus the other protections.

    Also I can't say enough about how much First Defense has saved me. It has protected my computer from its biggest threat..ME. I enjoy beta testing, but boy you can really wreak havoc at times. Longest recovery time is 5 minutes. Example of what I am talking about is having the computer freeze during a registry cleaner operation, and having to do a power reset. Not pretty. Took FDISR 5 minutes to recover. Would do the same if you saw you'd gotten infected.

    Pete
     
  19. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    I rate my setup of Kero 2.1.5, Sandboxie, avast! and Drive Image as 100% effective.

    My PM box is open to all that have links which could change my mind, Drive Image is real tough ;)
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I rate my setup of Kero 2.1.5, Deep Freeze, Anti-executable, and Drive Image as 100% effective.

    It's interesting that more people are opting to build their security around a sandbox-type of program, i.e., one that provides for restoring in one way or another.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  21. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    it's an approach i'm looking at myself Rich - i've tried sandboxie and have uninstalled it for now because i was having problems with macromedia flash that seemed to start about the time i installed sandboxie (maybe coincidence)

    regarding firstdefense - if the Hips lets something in because we have mistakenly pressed the accept button then FD means we can magically go back in time before it happened - it really is time travel - the thing is it's not just malware we have to worry about - there are plenty of other ways we can end up with a corrupted system as Peter states. It seems to me that FD gives you a very significant layer of extra protection.

    (if it didn't cost money i might use it myself) :D
     
  22. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    that's what i like to see FG someone who has confidence in his setup :D (i have very little in mine because every day i read about a new type of scam or exploit)

    i've held off installing software like hips or sandbox or software that takes an image of the drive because i see so many threads where people have had problems involving these products.

    i don't want to have my system corrupted by the very products that are supposed to keep it secure.
     
  23. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Toploader, I've never heard of anyone having problems with programs like SU and DF - they seem rock solid... although sandboxes are a different matter.

    I've often wanted to get a program that images a computer system. Not so much for security purposes, but to keep a clean image of my computer after I've set it up for the first time (because it takes about 7-8 hours to set my computer up, from format to finish).

    It would have security benefits too of course :)

    Heh, I've spent too much money on my computer recently though, so maybe in 6months - 1 year I might buy one. Or maybe the next time I reformat.

    Peter, I thought imaging programs stored the image on something like 6-8 CD's. Is that how First Defence ISR works ? (wondering how it only takes 5min to recover)
     
    Last edited: Sep 29, 2005
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hi,
    I rate my security setup at 100%. Otherwise, I would not use something I do not think is adequate. This does not mean the tools I use can or will stop all possible problems. It means that what I install I believe is highly compatible with my pc and my needs.
    Objectively, the effectiveness of the arsenals I have cannot be measured in percentage, because about 90% of it is based on the user. I believe there are people, who even running a limited account with ShadowUser and PG, will still manage to get their computer messed up. On the other hand, I know people who only use router and anti-virus or just software firewall and anti-virus and never got infected.
    Assuming the user will NOT inflict anything out of ordinary upon himself / herself, a user with 50% knowledgeableness and 50% dangerous surfing (some porn, some mail, some p2p) will enjoy an average 90% security.
    However, always, the user is the key to everything.
    Best security though is knowledge and fear (itself and lack thereof).
    People should always remember - nothing is irreversible. Computers are only dumb machines. You can always repeat today what you did yesterday. And when you get to feel that way about your computer habits, you'll have 100% security.
    Mrk

    P.S. People who donate money to exiled Nigerian generals deserve to be hacked...
     
  25. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Aren't people who donate money to the Financial Wellbeing & Retirement Fund Trust of said exiled Nigerian Generals normally phished into contributing to said benevolent Trusteeship ?
     