System Safety Monitor, Prevx, Process Guard

Discussion in 'other anti-trojan software' started by lucid, Nov 23, 2004.

Thread Status:
Not open for further replies.
  1. lucid (Registered Member; joined Nov 22, 2004; posts: 5)

    Hello,

    I've been lurking here for a while and finally decided to gather up the courage to make a post. I must thank all the contributors here for both increasing my knowledge of computer security and my paranoia. :D

    I've been searching the forums and found a good deal of information regarding
    Prevx
    System Safety Monitor
    Process Guard

    All seem to be recommended apps but I'm wondering if someone could clarify where the overlap would be amongst these three and what they would recommend in terms of balance of resources vs. safety.

    From what I've gathered Prevx and SSM seem to have the most overlap, is this correct? Is one "better" than the other (protection, features, ease of use, system resources)?

    Now I've also heard some conflicting information on the protection that Process Guard offers versus SSM. My impression is that the newest version of SSM offers a very similar kind of process protection to Process Guard; however, Process Guard runs at a "lower level" and is therefore harder to circumvent. In addition, my understanding is that Process Guard is also more of a set-and-forget type of tool, while SSM will have to be trained more granularly. Is this understanding correct?

    I guess the bottom line is, how much do I gain by running all three versus just running SSM, for example? Has anyone run all three, and would they recommend doing so? Has anyone run all three and decided to lighten to 1 or 2 of them?

    Hopefully I'm not too far off in my understanding how these applications work. And if I am I stand ready to be learned up good and proper by the wise men and women on this forum.

    Thanks
     
  2. Paranoid2000 (Registered Member; joined May 2, 2004; posts: 2,839; location: North West, United Kingdom)

    Welcome to the forums Lucid,

    This post tries to summarise the differences between SSM and PG - there is some overlap (notably the application prompting) but this can be reduced by only using that feature from one of the programs.

    PrevX will overlap to a greater extent since it covers service/driver installation and Registry changes. The only thing new it adds (that I am aware of) is a method of protecting from buffer overflows - PrevX will reboot your system if it detects one of these. If you are using WinXP on an Athlon64 system, then the Data Execution Protection feature would (probably) be a better alternative to this.
     
  3. pIMp (Registered Member; joined Nov 7, 2004; posts: 13)

    Dunno about SSM, but my choice:
    Combine Prevx and Process Guard for having file-system and registry as well as memory and process execution protection.
     
  4. richrf (Registered Member; joined Dec 11, 2003; posts: 1,907)

    Careful with combining these products. I am not sure which combination did it, but something totally shot my registry and I had to start from scratch. Nowadays, I maintain an image copy to go back to in case it happens again. Right now I am running PG 3.0 and it seems to be enough.

    Rich
     
  5. solarpowered candle (Registered Member; joined Jan 9, 2003; posts: 1,181; location: New Zealand)

    I had some issues too with Process Guard 3.05 and Prevx. I unloaded Prevx.
     
  6. Notok (Registered Member; joined May 28, 2004; posts: 2,969; location: Portland, OR (USA))

    I haven't had any issues with PG and Prevx, but I did have some issues with SSM and PG. SSM is still beta, however, so results will vary.

    On the whole, however, I fully agree with pIMp :)

    There isn't really overlap with driver installation with Prevx, however. Prevx only looks for driver files being placed in specific locations, which isn't the same thing; this is evidenced by using one of Sysinternals' tools that uses a driver, like FileMon, which will be blocked by PG but not by Prevx.

    Other attacks in the scope of both programs together may or may not overlap, but it would depend on the specific malware's method of doing things. There are also plenty of other things that each program does that the other does not. For example PG stops hooking by keyloggers and rootkits, and Prevx stops spyware and browser hijacks.

    Although there's a lot more to it, the easiest way to think of it is that PG protects programs while they're running and Prevx protects files when they're not (as well as non-executable program files), with other benefits worth checking out for each :)

    One example that may (or may not) clear up some confusion about overlap is that Process Guard will stop something from inserting a DLL into a program in memory, where Prevx will stop something from changing/overwriting an existing DLL on the harddrive that the same program may load when it starts. They will both protect the same application against DLL attacks, but they each cover different things.

    An example of some overlap, that's in my opinion GOOD, is if you installed some small application that turns out to contain something that alters a file of one of your security programs. Prevx would alert you when it tries to make the change, but the chances are that you already suspended Prevx' protection, so the next time the program starts PG will inform you that the program file has changed before letting it run (i.e. before it enters memory).

    Hopefully that all goes some way towards painting an overall picture, at least for those two programs :) I would say more about SSM but (like I mentioned) I had problems with it, so my experience is very limited.
     
    Last edited: Nov 24, 2004
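    The on-disk half of what Notok describes above (a program file or DLL that was rewritten on disk being caught before it is loaded, and a newly dropped driver file being noticed) as an added worked example; this is not code from the thread, from Process Guard or from Prevx, just a minimal hash baseline in Python. The directory layout, file names and file contents are constructed for the demo, and the "trojaned" DLL and dropped `.sys` file are simulated by plain writes.

```python
"""Added example: an on-disk integrity baseline for executable files.

Builds a SHA-256 baseline of .exe/.dll/.sys files under a root, then
reports what was modified, added or removed, and answers the PG-style
question "is this program file still the one I approved?" before launch.
All paths and contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# File types a process-protection tool would care about (assumed set).
WATCHED_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map POSIX-style relative path -> sha256 for every watched file."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def check_against_baseline(root, baseline):
    """Compare the current tree to a baseline; return (modified, added, removed)."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return modified, added, removed


def allow_execution(root, baseline, rel_path):
    """Pre-launch check: only a file whose hash matches the baseline may run.
    A file that is missing, unknown, or changed is refused."""
    p = Path(root) / rel_path
    if not p.is_file():
        return False
    return baseline.get(rel_path) == sha256_file(p)


def demo():
    """Constructed scenario: baseline an app, then simulate a dropper that
    overwrites a DLL the app loads and drops a new driver file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "guard.exe").write_bytes(b"MZ constructed exe")
        (root / "app" / "helper.dll").write_bytes(b"MZ constructed dll v1")
        (root / "app" / "readme.txt").write_bytes(b"not a watched type")
        baseline = build_baseline(root)

        # Simulated tampering (plain writes standing in for a dropper).
        (root / "app" / "helper.dll").write_bytes(b"MZ trojaned dll")
        (root / "app" / "evil.sys").write_bytes(b"constructed driver file")

        modified, added, removed = check_against_baseline(root, baseline)
        return {
            "baseline_count": len(baseline),
            "modified": modified,
            "added": added,
            "removed": removed,
            "guard_ok": allow_execution(root, baseline, "app/guard.exe"),
            "helper_ok": allow_execution(root, baseline, "app/helper.dll"),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    Two caveats a practitioner would want alongside this. First, it only sees disk: a DLL injected into a running process, or an API hook set in memory, changes no file and never shows up here, which is exactly the gap Notok describes PG covering. Second, hash-then-launch in user mode is racy (the file can be swapped between the check and the loader reading it), which is why products that do this hook image loading rather than scanning from a separate process.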
  7. lucid (Registered Member; joined Nov 22, 2004; posts: 5)

    Thank you all for your responses.

    It would appear that the Prevx/Process Guard combo would cover the most bases and seems to be the more popular choice. However, judging from Paranoid2000's post, it appears that SSM would cover most of Prevx's functions (minus buffer overflow) and some of Process Guard's protections.

    So would it be fair to say that SSM alone would offer "most" of the protections provided by the Process Guard/Prevx combination?

    I would welcome more information from current or past users of SSM to get a better feel of the kind of protection they felt it offered and how it ran on their system.

    I'm also curious about resource usage/system slowdown. If anyone has used all three of these apps, will I gain anything in terms of system resources/performance by using SSM alone versus the Process Guard/Prevx combo?
     
  8. manuel2 (Guest)


    I don't have any experience with Prevx...

    I have used SSM for about 2-3 years and never had a problem with it. One feature that PG has and that SSM does not is that it protects services from being terminated. This morning, I tried to install PG. My intention was to use it in addition to SSM and just have it protect from service termination while letting SSM do the rest. During installation, PG disabled SSM (got an alert from SSM). So, I decided not to use it. However, from what I have seen and read, here is a rather general comparison:

    The advantage of PG is that it protects from service termination. Also, it has a nicer interface and looks like a more mature product. On the other hand, SSM does more:

    The main advantage of SSM is that it also protects the registry and that it is more configurable. It is actually a very powerful program if one decides to take advantage of the "advanced options" that can be set for each program. However, doing so is very tedious, mainly because of the SSM interface (trying to set "advanced options" for dozens of programs is a pain). It seems to me that SSM provides a better level of control than PG, but in a way that does not make it practical. Also, another limitation of SSM is the startup protection: even though it monitors several startup locations, there are many others that are not included on its list. One can add those other locations, but doing so is tedious since the user would have to find a more complete list of such locations, add them, set the alert for each one, etc. I think SSM is better if one has lots of time to play with it.

    m.
     