Sana Security Primary Response - Opinions

Discussion in 'other anti-malware software' started by Malcontent, Oct 18, 2007.

Thread Status:
Not open for further replies.
  1. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    451
    Location:
    Cleveland, Ohio USA
    http://www.sanasecurity.com/products/pr/index.php

    I'm looking for some feedback on Sana Security Primary Response.
    How effective is it against unknown, zero day malware? I'm running the 15 day trial now and it's been running pretty smooth. It's been very quiet. I just have no idea how effective it is when it encounters a threat.

    So, anyone else using it and seen it in action against malware?

    Thanks.
     
  2. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Use the search option :D Norton AntiBot is same software, just re-branded :D
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    PRSC evaluates processes by assigning threat levels to the actions they perform, then flags the process when the levels go past a certain threshold.

    This has its ups and downs. On the bright side, FPs do not come by easily. On the bad side, it is largely incapable of stopping malware propagation, and to some extent malware installation as well, because it assigns relatively low threat scores to self-propagation actions. An autorun trojan that does nothing but register itself to autostart and replicate itself across removable media, for instance, would slip right past PRSC, because PRSC deems those actions not dangerous enough.

    PRSC also has the problem of being unable to handle massive malware bombardments. If only a trojan or two shows up, PRSC is able to function as advertised. If you visit a malicious website with a ton of iframes that launch multiple malware at once, for instance, then some will invariably slip past PRSC as it scrambles to deal with them. Again, this is a flaw due to its philosophy - PRSC seeks to block only malicious payloads, and certain less-dangerous actions like propagation and installation slip past it. When it finally does flag the malicious payload, the malware may already be too deeply rooted in the system for PRSC to remove.

    This is by no means to say that PRSC is ineffective - it's still an excellent layer of defense when coupled with a traditional scanner, and will provide good protection with minimal FPs. However, as far as I'm concerned, ThreatFire and Micropoint are the undisputed leaders of behavior blocker software right now, and when compared against them some of PRSC's shortcomings and protection level become readily apparent.
     
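As an added illustration (not code from this thread, from Sana or from any product), here is a toy cumulative threat-scoring blocker of the kind solcroft describes: every action a process performs adds a constructed weight, and the process is flagged once the total crosses a threshold. The weights, threshold, action names and the two traces are all constructed for the demo; the optional combination rule is one way a defender could cover the propagation-only gap the post points out.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed per-action weights (illustrative only, not any vendor's real scoring).
WEIGHTS = {
    "create_autostart": 2,
    "copy_to_removable": 2,
    "drop_exe_in_windows": 3,
    "inject_into_process": 5,
    "hook_keyboard": 5,
    "open_outbound_connection": 2,
}
THRESHOLD = 8

# Constructed combination rule: each of these actions scores low on its own,
# but seen together in one process they look like an autorun worm.
COMBO_RULES = [
    ({"create_autostart", "copy_to_removable"}, "autorun_worm_pattern"),
]


@dataclass
class Verdict:
    score: int
    flagged: bool
    reason: Optional[str]


def score_process(actions: Iterable[str], use_combos: bool = False) -> Verdict:
    """Accumulate action weights for one process; flag on threshold or combo."""
    seen = set()
    score = 0
    for action in actions:
        if action not in WEIGHTS:
            raise ValueError(f"unknown action: {action}")
        seen.add(action)
        score += WEIGHTS[action]
        if score >= THRESHOLD:
            return Verdict(score, True, f"threshold {THRESHOLD} reached at {action!r}")
        if use_combos:
            for pattern, name in COMBO_RULES:
                if pattern <= seen:  # every action in the pattern has been observed
                    return Verdict(score, True, name)
    return Verdict(score, False, None)


# Constructed traces: a propagation-only trojan and one that delivers a payload.
AUTORUN_TROJAN = ["create_autostart", "copy_to_removable"]
PAYLOAD_TROJAN = ["create_autostart", "inject_into_process", "hook_keyboard"]

if __name__ == "__main__":
    for name, trace in [("autorun-only", AUTORUN_TROJAN), ("payload", PAYLOAD_TROJAN)]:
        print(name, score_process(trace), score_process(trace, use_combos=True))
```

Pure additive scoring lets the autorun-only trace through at a score of 4, while the payload trace is flagged at 12; the combination rule catches the first trace without changing the verdict on the second.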
  4. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    CogitoErgoSum

    We have PRSC on a vista64 box, you once emailed "PRSC is best appreciated by those of us who understand its strengths and limitations."

    I tried some tests and really cannot say what triggers PRSC to intercept. Maybe you can explain (sounds a bit silly after having purchased the license).

    Solcroft,

    Where did you find that information? Reason for asking: I did some testing (obviously simple single-action tests) and PRSC kept awfully quiet.

    I agree on ThreatFire as the best of the known (do not have experience with the Chinese Micropoint), for free (but you have to have a strong CPU) and configurable with additional custom rules.

    Regards Kees
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I tested AntiBot for almost three weeks by repeatedly executing live malware - not test programs. ;)

    Regarding TF, I disagree that you need custom rules to be effective. The thing is that you're trying to compare an intelligent behavior blocker that strives to block ONLY malware, and a "dumb" HIPS program that flags anything and everything, malicious or not. Obviously, with a "dumb" HIPS, you can lock your system down to the extent that nothing is capable of so much as twitching unless it has your express permission, but when it comes to intelligently blocking only real malicious code and not barraging the user with a ton of popups every time something gets executed regardless of whether they're legit or not, and (equally important) cleaning up the mess afterwards, ThreatFire and Micropoint are unmatched.
     
  7. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks; I am using both TF free and PRSC paid on the same laptop. I have noticed these: whenever there is a new program process added into the system, TF will alert me with a pop-up seeking my approval, whereas PRSC just simply adds that process into the monitoring list with a few yellow-coloured squares designation, no alert. I think both are doing the same good jobs, except one is a bit more paranoid than the other. I remember someone said that PRSC will not be moved by a single behavior threat, just awaiting more of the same to confront. These are just my non-tech observations so far. Take care.
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I'm afraid I'll have to challenge you on that; TF does NOT alert you just because you add a new program to your computer. If you do have some screenshots of this happening, that'd be nice.
     
  9. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, to satisfy your curiosity, I have listed two popular programs:
    Prevx2 and R-Wipe & Clean. TF will alert and seek the user's approval re:
    Prevx2's browser launch and R-Wipe & Clean's EXE creation and more. Sorry I do not have screenshots to prove it, but if you DIY you will see what I mean. Take care.
     
  10. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello Kees1958,

    Based upon personal experience, other than throwing live malware samples (viruses, trojans, keyloggers, worms and rootkits) at PRSC, tests that will elicit a response include the prueba malware demo, Morgud's DFK blended threat simulator, Scoundrel Simulator and RegTest. Keep in mind that removal of detected threats may require multiple reboots.

    Please refer to the following link.

    https://www.wilderssecurity.com/showpost.php?p=1057172&postcount=45

    Hope this helps.


    Peace & Love,

    CogitoErgoSum
     
    Last edited: Oct 19, 2007
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ThreatFire responds to creating exe files in the Windows directory.

    Regards Kees
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    prueba.exe is NOT a demo. It's actually a variant of the Bifrose trojan, and a live malware sample.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Exactly right. TF will give popup whenever an exe is created in Windows directory or in root of C drive/ partition.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    That's a very different case from TF popping up alerts just because you added a new program.

    Many times it's not easy to distinguish installer programs from non-destructive malware, as they share many common characteristics: loading drivers, creating autostart entries, etc. I've seen TF throw up FPs on occasion when installing programs, but like I mentioned, this is a different story altogether from TF alerting you just because you added a new program; the installer exhibits some malware-like characteristics that caused TF to flag it.

    Even with the occasional FP on installers (again, because installers and non-destructive malware often exhibit similar actions), behavior blockers are still infinitely more useful than a "dumb" HIPS when trying to install new programs. Just try to install, say, a firewall program if you have SSM, EQSecure or ProSecurity enabled with a good ruleset. Voila, instant popup nightmare.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Not always. I've seen TF allow such actions by legit programs a couple of times. Seems like TF isn't just a single-behavior blocker; I'm beginning to suspect it inspects other characteristics as well: invisible window, packers, file path/location/size etc., maybe.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It's the usual behavior of TF. Try copying any executable into the Windows directory or into the root of the C drive via your browser or some alternative explorer (not Windows Explorer) and you will get an alert.
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Tried it with Opera and Firefox. No such alert. =/

    What explorer shell are you using?
     
  18. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: PRSC just updated to 148. This baby does not cry that much. Just stays low in the background doing its job. How they do it remains a mystery to me, although I wish the developer could be more transparent, or at least come here to acknowledge our gossip :) As I remember they showed up just once (?) when it was in beta. I know their bread and butter is in corporate sectors, but remember that little ants CAN move the Alps. Just a thought.
     
  19. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello solcroft,

    I stand corrected regarding prueba. Thanks for setting the facts straight.


    Peace & Love,

    CogitoErgoSum
     
  20. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Solcroft, See the alerts with UltraExplorer.
    Just installed TF to check. No alert with the browser though.

    Last edited: Oct 19, 2007
  22. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    NAB updated today to 148 as well. I haven't heard much from NAB either. It did complain about a POP mail checker gadget I had installed. It didn't work like I wanted to anyway so I uninstalled it and got another. NAB liked it better, lol.
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Weirder and weirder. :eek:

    I googled for and grabbed a copy of UltraExplorer from http://www.mustangpeak.net/ultraexplorer.html and then copied some arbitrary files to C:\ and C:\Windows (in this example it was the Webroot Desktop Firewall setup program). TF remained silent.

    :doubt:
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Copied to C from where?
    Maybe you used explorer.exe by mistake.
    Here is the way I do it. Change UltraExplorer to dual panel mode. Open the desktop in one panel and the C drive in the other panel. Use UltraExplorer's file transfer button (that is located on the separation of the two panels) to transfer an exe from the desktop to C.
     
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Ah, there we go. TF alerts now.

    I stand corrected. :D
     