SSM - Prosecurity - Cyberhawk - DSA

Discussion in 'other anti-malware software' started by tepe2, May 23, 2007.

Thread Status:
Not open for further replies.
  1. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    This is probably my last post before I start to trial these products. At least I hope so. :)

    Before you keep on reading you should know:

    My knowledge about security is not great. My English and computer language is not great.
    Please try to stay on topic. And also, you don't need to tell me things like:

    Why do you want all that protection? One HIPS is enough. You should learn how your PC works before starting with HIPS. Running several appl. can cause conflicts. SSM is hard to learn. You need to trial to see how it works. It's impossible to be 100% safe. Remember backup-plan, disc image etc. etc.... Because I know all this. And I also can agree with most of it.

    From reading this forum and asking some questions I have reduced my «want to trial»-list from thousand :) to these four (thank you) except from sandboxing hips, but please let's keep them out of this thread.

    Before you keep on reading, please have a look at this Comparative Features Table (HIPS - Behavior blockers):

    http://wiki.castlecops.com/HIPS/IDP_programs/services#Buffer_overflow

    I have listed some features missing for each of these four. Keep in mind I don't understand all those features, and don't know how important each of them is.

    SSM full miss:

    Dll loading (not miss, but limited)
    Monitor of sensitive areas
    Restrict file permissions by processes
    Restrict file permissions by directories
    Heuristic Algorithm or IDS
    Configurable IDS
    Buffer overflow

    Prosecurity Pro miss:

    Children parent control – Yes via rule 58 (I've only listed this because I don't know what it means)
    Startup control (files)
    Monitor of sensitive areas
    Restrict file permissions by processes
    Restrict file permissions by directories
    Heuristic Algorithm or IDS
    Configurable IDS
    Buffer overflow

    DSA miss:

    Records command line parameters
    Dll loading
    Process modification (DSA has this feature, but not as strong as other)
    Restrict file permissions by processes
    Restrict file permissions by directories
    Block low level disk access
    Password protection
    Configurable IDS
    Buffer overflow

    Cyberhawk miss:

    Process execution
    Records command line parameters
    Children parent control
    Dll loading
    Access to physical memory
    Service/Driver control
    Restrict file permissions by processes (not pro version)
    Restrict file permissions by directories (not pro version)
    Block low level disk access
    Password protection
    Configurable IDS (not pro version)

    I intend to go for a combo of 2 (or even 3) of these. Running SSM/PS in combo is out of question.

    PS/CH/DSA or SSM/CH/DSA would of course cover the most, but perhaps madness. Overkill, overlap, too much, conflicts... Or could it work? (I may try)

    Running CH and DSA would of course be a free, easier to use, good combo, but lack something. (Password protection, block low level disk access, dll loading... don't know how important this is)

    What would I miss, or what would be the weak point running each of these combos?:

    SSM/CH
    SSM/DSA
    PS/CH
    PS/DSA


    Password protection needed for what? If it is to prevent other users/family members changing something, I will not need it. If it is to prevent malware from changing settings or shut off, then it could be nice to have.

    CH the only one to protect against Buffer overflow. What does it mean? Needed by who?

    The following I find interesting/important: If one of these 4 security applications misses one or two features, could it be possible that this could be ignored due to the fact that these features are covered by other features? Say SSM has feature A,B,C,D,E but not feature F,G. Maybe feature F and G are already covered by feature A,B,C,D and E?

    Restrict file permissions by processes/directories: Only CH Pro, so I suppose this is not important or covered by other features in SSM/PS/DSA?

    Heuristic Algorithm or IDS/Configurable IDS ?

    A lot of questions, so I understand if there will be few or none replies. But I can always hope.

    Btw I find this post helpful (post #77):

    https://www.wilderssecurity.com/showthread.php?t=175145&page=4


    My setup:

    Nod32
    Windows XP FW
    BING (BootIt NG)
    Firefox (NoScript, AdBlock Plus)
    Thunderbird
    Ccleaner
    Spysweeper
    Windows Defender
    AdAware SE
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Should use only one classical HIPS like SSM, PS, DSA, NG etc.
    CH can be added safely as it is behav blocker. Still more can be covered by a SandBox.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Hmmm... an interesting combination. WinPooch is an open source HIPS and Kees is one of the few posters who regularly mentions it. I shall have to give it a look one of these daze.

    As for moi, I use & recommend DSA + SSM-Pro. Not a cough in a carload.
     
    Last edited: May 24, 2007
  5. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    After trying GeSWall, WinPooch, and DSA over the last 3 weeks I would use DSA.

    WinPooch is an interesting program. I liked it a lot, but stability was an issue on this box.

    I'll be going back to DSA shortly. It was stable and easy to use.
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Kees, one thing I don't know about Winpooch is if it polls the registry, or protects in real time.
    The other is how to prompt for executables. I set it to ask, and it didn't ask, just blocked :'(
     
  7. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    So I guess this combo: SSM/CH/DSA or PS/CH/DSA would be totally out of question.:) As I said in my first post, probably madness, overkill etc... But still I want to use two. Maybe same as bellgamin (SSM/DSA).

    WinPooch sounds interesting. (Same registry protection as RegDefend..) But it had to be in combo with SSM or PS (Prosecurity), because I see them as stronger than CH and DSA.

    When I think of it, no matter what I choose as my main/strong HIPS, SSM or PS, I really think I should use a behaviour-blocker like CH. Why? Because I lack some knowledge, and if a malware should get through anything else and start to do its business, whatever that may be, then CH is supposed to analyze its behaviour and block. But then I could not use DSA, which looks real good, because I end up with 3. Life is not easy :) So maybe a good solution would be SSM or PS in combo with CH, and change my Windows FW with Comodo instead of using DSA?

    Some say Prosecurity Pro is a lot easier to use/learn than SSM Pro. Would all of you agree with that?

    The reason I ask so many questions is that I want to find a combination of security applications that I will keep for a long time. As in not change all the time.

    If you look at my first post, you'll see that there are some questions that I cannot find out by testing the products. I wait for a while to see if there will be answers to any of those questions before I trial.

    Thanks to all of you :)
     
  8. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    tepe2, let me tell you that your 'question' post is a masterpiece: I don't remember anyone asking about any matter in such a brilliant way... I even think you already replied to yourself!
    I don't think you need any advice, just start enjoying the programs you'll choose and should anything bad happen you have BING to take care of it.
    My best wishes for you, anyhow.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    If u are using Kaspersky, u can use its PDMs with SSM and in my opinion u will not need anything more except for a sandbox if u wish. PDMs will add to SSM and also replace CyberHawk.
     
  10. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    I'm not sure I agree but thank you so much :D

    I agree. I can run SSM/PS/CH/DSA/Comodo/NG/EQS/OA/Prevx/Winpooch in combo at the same time, and if....IF ? something goes wrong, I have BING :D :D

    aigle
    hmm... interesting. I now see the possibility of running Kaspersky with PDM, SSM, and add DSA. Because if PDM replaces Cyberhawk and adds to SSM, it would be like running what I suggested earlier, SSM/CH/DSA or even stronger. I'm hopeless I know :D (I guess PDM is some kind of built-in HIPS) Anyway I have Nod32 and since I am happy with it I don't think I will replace it. But I know for sure that if I should replace it, it would be with KIS. Aigle I wish I had Kaspersky because this was a great suggestion from you (also without DSA, or maybe better without DSA)

    Seriously, if I do try this crazy thing, running SSM/CH/DSA together I will let you all know the result. Must be something you could disable to have less overlap and make this run.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    IMO if somebody tried PDM with SSM, no need of DSA or CH at all. Even u can remove the overlapping protections from PDMs and SSM.
    A sandbox might be the only addition to this.

    If u run DSA with SSM Pro/free, I think u can disable two modules safely in DSA, that is Process monitor and System Anomaly. Also u might disable network control of SSM Pro (not sure).
     
  12. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    correction: my combo is SSM Free (classic HIPS) + WinPooch (network access only) + EQSecure (behavior)

    I dropped Cyberhawk as my security app a long time ago, but try every new version to check if it improved...
     
  13. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    Thanks aigle :)

    Thanks :) Not very different from this: SSM/DSA/CH

    From what I read in other threads EQS is very good. But I think CH (easy to use) will suit me. That is if it runs OK without slowdowns on my system. I soon find out.
     
  14. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Yes, you'll soon find out that it slows down your system. :)
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Glentrino2duo,

    Why don't you configure EQSecure as an Anti-Executable. Just change the "execute application" from allow (the ruleset I use) to "ask and block".
    Make sure you tighten the rules for every program you allow to the default protect mode (with execute application set to allow).

    This way you can skip SSM-free.

    Regards K
     
  16. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    I just downloaded SSM trial. I disconnected from internet. Installed SSM, restart. Enabled learning mode, and opened all my programs. Another restart, disabled learning mode and connected to internet. Before I was connected to internet I got 3 popups about svchost something, I created permanent rule allow. And that's it.

    Time will show if I can learn how to use SSM.

    I can see that none of the modules are enabled as default. (INI files, startup, services, window filter, layered service provider.) I guess I should enable all of them.

    By default network rules were not enabled, I had to enable. (So far I had popup for thunderbird and Nod32, of course I created permanent rule allow)

    I'm going to read the user manual, but also would like to know if a quick guide that covers the most important is available somewhere?
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I would say the manual, and some of Herbalist posts. There are discussions too, other members are on top of things too.
    Also, one way to relax: use it as an anti-executable, and move on from there.
     
  18. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    Thanks, I'll do that :) And search for all recent posts about SSM.
     
  19. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    I now run Cyberhawk and SSM together. Not much slowdown so far. Cyberhawk really is easy to use. And quiet.

    Whatever I end up using at the end, I will restore an image and reinstall the products I choose. That's why I'm first going to add DSA to this setup. I read the manual (DSA) and it doesn't seem much harder than Cyberhawk.

    SSM - great! But not easy! The manual is not up to date, and I read in the SSM forum that other users complain about this. I think the posts were from a year ago, and oct/now.

    01.png
    A green checkmark and the same checkmark in grey. Difference? And I can't find the red mark in the manual at all. They should incl a short expl in the GUI.

    02.png
    The "?" in grey and blue o_O

    SSM is supposed to have "Installation mode". How does it work? Can't find anything in the program.

    Anyway it doesn't matter. I think SSM is more than I can handle.

    I don't think downloading a trial, reading the manual and asking some questions at Wilders or SSM-forum is enough to handle SSM. It takes a lot more. At least if you're really going to use SSM.

    Yes I could. But I also agree with those who say you have to know how to set it up and create rules, and know your system, systemfiles and how it all works, to get full protection.

    As for Prosecurity....don't know if it is worth trialing for a guy at my level.

    I could end up using Cyberhawk/DSA combo.
     
    Last edited: May 31, 2007
  20. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    And why are my screenshots not included in the post?

    When I created the post I several times made a preview. The first couple of times I previewed the screenshots were there, but later changed to:

    "Attachment 190368" and "Attachment 190369". And they don't work.

    Edit - They do work now:)
     
    Last edited: May 31, 2007
  21. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    @tepe2, I also find images attaching to be a PITA (Pain In . .)!

    Try this link https://www.wilderssecurity.com/showthread.php?t=63957

    See here that post says, "Note:"
    Mike
     
  22. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    That note regarding attachments only applied to those that are left to appear in the default attachments box at the end of the post. If you use the [ attach ] tags instead, you can view them inline while previewing.

    Attachments uploaded while writing a post are listed as "in progress" and not saved to permanent storage until a post is actually submitted. If you spend a lot of time composing and previewing, it is possible for them to time out and be deleted prior to posting.

    tepe2 - you can simply edit your post and add the attachments again. Edit the post. Upload both images using Manage Attachments. Take the two "new" [ attach ] links and place them in your post replacing the now expired ones. Save.
     
  23. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    Thanks:) Screenshot problem now fixed. I learn something new every day:D
     
  24. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    I now run all 3: SSM/Cyberhawk/DSA. Only for testing.

    Nod32
    Windows XP FW
    SSM
    Cyberhawk
    DSA

    No conflicts or slowdown so far. They did warn about each other a couple of times, but I click "allow".

    I'll soon uninstall SSM, and try Prosecurity. What I find difficult with SSM is to set up and understand all the rules, and that makes me feel not protected.

    My hunt for a good combination of security applications will go on.

    BTW can anyone tell me if Comodo PFW is difficult to manage/handle the rules? Easier than SSM?
     
  25. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    Wrong. There seem to be some conflicts, but that does not surprise me. Some error warnings when login/logoff Windows XP

    ssmmld.png

    ssmmld2.png

    Also a message about nvsvc32.exe.

    Don't know if this is because I run several security apps together or not. But I don't think I will run all 3 together anyway. The error warnings also showed up after I disabled Process Detection and System Anomaly Detection of DSA.

    Just thought I should let you know.

    I really like Cyberhawk, but don't know after PC Tools acquires:

    https://www.wilderssecurity.com/showthread.php?t=176587
     