What's Your Viewpoint On This

Discussion in 'other anti-malware software' started by EASTER.2010, Mar 16, 2007.

Thread Status:
Not open for further replies.
  1. EASTER.2010

    EASTER.2010 Guest

    For research purposes only for now, but as can clearly be noticed the drivers for KIS6, Cyberhawk, Spyware Terminator, Ghost Security Suite and System Safety Monitor all have a chosen position in the SDT Table here. I might add no issues or conflicts of slowdowns are even present with this combo. Which security protection is most likely to keep from being displaced in event of some forced attempt to overtake any of these lines.

    Another question is which product is most likely to take charge "FIRST" and why in event of some intrusion to overtake these guarded instructional sections.

    http://img.photobucket.com/albums/v391/carbondioxide/sdt.jpg
     

    Attached Files:

    • sdt.jpg
      sdt.jpg
      File size:
      86.8 KB
      Views:
      680
    Last edited by a moderator: Mar 17, 2007
  2. EASTER.2010

    EASTER.2010 Guest

    Every XP PC has this integral element that tells a lot about how naked and exposed your system is or else convered with a security sentry stationed to keep you alert as to what might have some malicious design or intent to your internal wokings without your knowledge, in effect, stealing control of signals intended only for your useage or the machine's normal operational duties.

    The more you can visually see what belongs to your system compared to what doesn't have permission to intrude you, the more interested you will be to encouraged to fill that gap responsibly and protect your self from forced computer invasion.
     
  3. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    I would answer, except the language seems to be way too technical for me.

    I'm still trying to figure out what "guarded instructional sections" means.

    In any case, you are clearly safe, every line is in red so everything is hooked.

    People who have lines that are not in red (not hooked) have gaps in their defense that they really need to fill ASAP.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    It´s really hard to believe that you´re running all these tools at the same time. And why on earth do you need both GSS and SSM, isn´t one of them enough? And if you have KIS do you really need CyberHawk? This is one of the most "bloated" setups I have ever seen. Are you sure your PC is running perfectly stable without any slowdowns? :blink:
     
  5. EASTER.2010

    EASTER.2010 Guest

    Give credit to those program developers. I would never heap that many hookers to the SDT Table if they showed the least issue or made for a slowdown which oddly to my surprise they don't. Plus they work fine in unison with one another. Don't ask me why, i'm no code specialist in those microsoft internals but i do know they perform side by side without ill effects, and on a rather enemic setup of DURON (single core) 1250 with a mere 512MB of ram. Top that with the customations i use for all my folders (eye candy) with their special effects on opening and you might think it would be too slow for any good use, but not the case at all, and i couldn't be happier.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter

    SDT also stands for Research based theory of human motivation and personality in social contexts, with applications to education, health, organizations, etc.

    Because you are all hoooked to the SDT, I might add

    . . . with applications to (total) security control

    ;)
     
  7. EASTER.2010

    EASTER.2010 Guest

    No matter how you stack it up or whatever other conclusions you arrive at, the SDT table is but one popular area hooked because it works for security and at preventing being overtaken or 0wned! by malicious intent.
     
  8. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Are you serious?
     
  9. EASTER.2010

    EASTER.2010 Guest

    When it proves itself and is also quite stable, yes, i am quite serious in my confidence.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Well from my expercience I can tell that running too many realtime tools is normally not really the way to go because sooner or later they will start to conflict. And why let various tools monitor the same stuff? I really think that if you have KIS and SSM Pro, you don´t need GSS, CyberHawk, Launch Monitor and Spyware Terminator. :rolleyes:
     
  11. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    I don't question your confidence, only your logic in running a surfeit of redundancy-rendering security apps.

    One word: overkill
     
  12. EASTER.2010

    EASTER.2010 Guest

    I'm sorry but i disagree and allow me to use an example. There is no overlap if you review with Ice Sword/RKUnhooker or another SDT Table lister. Each program uses it's drivers to position at particular lines of instruction and not compete for the same ones. If they were to do that, surely conflicts with blue screens would quickly happen, in even cancelling each other out.

    I'm no code expert in the System Descriptor Table but i welcome a specialist who is to refute or confirm my idea on this. If anything might be considerd overkill i would reason it might involve resource useage alone but never fighting over which kernel module gets an assigned addressed first. I think thats decided at install. If i stand corrected in any way please point out for me the accuracy i'm mising, because i am not perfect especially when delving this deep in kernel modules positions from security programs. It's purely been my observance from where i see they are located at and what triggers a first response is related to the instruction being signalled to from an outside force, perhaps windows itself?
     
  13. Gene Benson

    Gene Benson Registered Member

    Joined:
    Apr 19, 2003
    Posts:
    26
    Easter.2010, hope you don't mind my jumping in here. Have a look at this thread, which is an answer to a question of yours:
    https://www.wilderssecurity.com/showpost.php?p=892170&postcount=12

    The author, who is much more knowledgeable than I am, speaks of an "SSDT hooking chain", stating that more than one driver can hook the same element.

    It is my (unconfirmed) belief that anti-rootkit programs show only one element in the chain, either the first or last, I have no idea which. Perhaps someone with more knowledge can explain this.

    If this is true, then I would really like to know if there are any programs out there that will show the entire chain. A search on Google didn't turn up anything helpful.

    Also, if this is true, then your statement that there is no overlap in your security program hooks in not quite accurate, even though they all run well together. This is not a blast at you, merely a request for clarification.:D
     
  14. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    You are wrong. And frankly I'm surprised that you didn't know this.

    As Gene Benson notes, those tools you use show only one entry (the last I think).

    A simple seperate install (there are other ways)will easily prove that almost all the HIPS hook at least half a dozen places in common! Heck even AV and firewalls do these days. And no that doesn't mean it will automatically blue screen.

    I didn't know your claim of no overlap rests on the whole "show the SSDT table and noticing that there is only one entry on each line." I thought your claim of no overlap was no functionality/features overlap like what Rasheed is claiming.. Or maybe you installed each one seperately and checked... which come to think of it isn't reasonable.

    Didn't it strike you how strange it was that despite the fact that the HIPS share so many functions and yet they all happen to hook different places? Or that you have never seen more than one entry per line?

    A simple seperate install (there are other ways)will easily prove that almost all the HIPS hook at least half a dozen places in common! Heck even your AV and firewalls do.
     
    Last edited: Mar 20, 2007
  15. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    My point on this is not all Computers are alike :cautious: If they were then we would have one Major Stuff up world wide, or All live in Harmony :p
     
  16. EASTER.2010

    EASTER.2010 Guest

    Wouldn't be the first time or the last either for that matter ;) , but don't you also find it odd there is but little real discussion lately when it comes to the hooking of the SDT Table with so many HIPS coming to the forefront and as you say hooking the same areas as opposed to my simple observations of the table lists/instructions courtesy programs designed to show those features of your system.

    No matter, speculation or fact, the technology going into these HIPS are proving more stability in a crowd then before, and for some like me that spells better coverage & code signal interception in those vital areas.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    @ EASTER.2010

    Let me ask you one thing, in addition to running all these tools at the same time, are you also letting them watch for the same stuff? I mean, you can of course also disable certain things in the HIPS but since most of them have the same abilities, it still doesn´t really make any sense to run them all.

    Btw, I got a PM from DA, in which he told me that I myself also had quite a heavy setup a while ago (AntiVir Classic, ZA Pro, SSM Free/Pro, Neoava), but I don´t see what´s so heavy about it, they all do different things (scanner/firewall + 2 HIPS), isn´t a layered approach recommended?

    Normally I would agree that you shouldn´t use 2 HIPS, but there weren´t any big problems and as you know I like to have as much protection as possible. However it´s not really comparable to your situation IMO. :rolleyes:
     
    Last edited: Mar 21, 2007
  18. Get

    Get Guest

    Minimizing the chance of errors. When they don't slowdown the pc and don't have a conflict with each other I don't see why not.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    I understand your point of view, I also try to cover as much as possible and some HIPS have unique features. However, I think that 2 HIPS is enough (to complement each other). I also wonder if anyone has actually done tests to determine if in case one HIPS misses something, the other one(s) can spot it? That would be nice, but I wouldn´t like to respond to 2 or 3 alerts about the same stuff. And I certainly wouldn´t dare to run 5 or 6 HIPS like Easter does. ;)
     
  20. EASTER.2010

    EASTER.2010 Guest

    Of course i'm also right in line with those same reasonings, the Layered approach plus minimizing errors echos exactly why i prefer to apply a HEAVY layer approach of defense programs, given of course the usual, no issues/conflicts/ and they ALL work independently of each other (no overlap) which would cause sudden malfunctions/a shutdown/errors etc. while occupying the same system.

    I run on a regular basis by the way Cyberhawk/EQSecure 3.3 (beta)/System Safety Monitor = 3 HIPS. I know there are more listed in my siggy but those others are my personal preferences in testing malwares i found adequate enough to those tasks.

    I have run a series of them (maybe for a few hours) at a time (while testing mals) which then does make it up to 6 HIPS when you take into account also running KIS6.

    When i go hunting for malware drivebys i definitely fire up Power-Shadow because some of them are extremely aggressive at patching system files, reg settings, crippling XP security policies and such.

    So in effect my extra heavy shielding serves up plenty of confidence in what i have to do and saves eons of time that might otherwise be wasted restoring/repairing due to some errant malware binded virus or whatever else comes weilding in with those droppers.
     
  21. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549

    Logically speaking if there are no conflicts, combining 2 HIPS = getting the feature sets of both, so assuming that, there is no need for testing. Just ask yourself, is there some vector that one HIPS blocks but the other doesn't? How important is getting the extra prompt for some other feature? Do I really need a prompt on everything that happens?

    However in the real world, conflicts do exist, though people here seem to think if the system doesnt' crash it means everything is fine and dandy. Sadly most of such conflicts are a lot more subtle.

    More interesting is to see if using 2 HIPS can cause both to miss something (conflicts, issues), when initially they could spot it on its own!


    I'm not sure if Easter answered your question directly.

    The question here is what does overlap mean?

    Easter keeps talking about no overlap, but his definition of that seems to mean, his system doesn't crash. (It's hard to know if there is no issues/conflicts)

    For you (RASHEED) it means only one prompt per trigger, which you achieve by turning off parts of some HIPS.

    IMHO the difference between the two of you is one of you gets more prompts than the other, but the issues if they exist are still there. AFAIK, if you "turn off" some HIPS feature, it merely means the HIPS will give a free pass (= allow all), but the hooks are still there.

    Most probably if there is any issue it will still be there.
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I took a minute for myself with this one:D
    This is a very good question. Are they preventing proper use of the programs? Are they very light because they simply aren't working at the key points?
     
  23. EASTER.2010

    EASTER.2010 Guest

    Not at all really. I have no reason or purpose to withhold posting of that from any discussion thread and not just this topic alone should an issue or conflict make for some concern. Its in the mutual benefit of everyone to bring that to this forum's attention and let discussion take it from there and that's what i will continue to do unabated or influenced.

    Anyone can just as easily test them as i do if you (1) Rather use an alternate machine (2) Can FD-ISR to former snapshot in case of problems (3) If you trust Power Shadow you could rest easy in case some HIPS rips your system apart.

    I choose none of the above and not afraid to do so either because i yet to run into a HIPS that is that god-awfully constructed that it would crush the system and cause reinstall/repair. That'ssingle HIP (1), i started piling them on when i realized the developers have now sharpened those programs immensely to coexist safely with LISTS of other security programs. Those vendors do cooperate with respecting the users and each other that way you know. It's logical ethics in this technological realm of businesses and people see the results for themselves, like myself for one.

    I did have some problems with SensiveGuard lately (affecting boot-up) and have already posted my results and will not test it again untill updated.

    On several examples of my own experimenting with HIPS setups, (and testing with malware) anyone here who is read enough of my posts can clearly see i have no reservations or fear of heaping HIPS together from GhostSecuritySuite/SSM/CyberHawk/PG/ to KIS6/EQSecure/Spyware Terminator so on and so forth.

    In fact the only crash i have encountered so far was with a rather heavy & sophisticated weather radar program that i knew probably would be tipping the balance anyway, and it did but only crashed Explorer not the entire machine.

    In retrospect, no combination of HIPS i have crowded together so far even crashed explorer let alone make any other conflicts or issues that i assume you reference as slowdowns in opening programs and explorer folders & such.
     
    Last edited by a moderator: Mar 23, 2007
  24. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    People are very good at deceiving themselves. Leaving that aside, your remarks above don't give me much confidence you are competent enough to detect *subtle* or even not so subtle conflicts. Your methodology seems to be , if it doesn't not crash it is fine. Plus of course the whole misunderstanding about SSDT to support the conclusion you already held in advance.

    I myself have experience playing with tweaks, running software that appear fine for 6 months and more, but later I find some rarely used function not working later, and after much work I trace it to the tweak, or to the software I installed (verified by uninstalling the software and the problem disappears).
    Again you assume that if your system doesn't crash after playing with 1 or 2 hours, it means everything is fine. using VM, other machines etc is great, and we all do that, but testing for stability is not just a matter of install it, see if it doesn't crash, play with it for a while, that's it.

    A very bold assertion with no basis in fact. Do you really believe the guys at SSM, Neoavaguard, Prosecurity, really test to ensure that their products co-exist safely with their competitors ?

    Do you really think, they keep up with each and every rapid update by their competitors and make sure theirs always work properly without conflicts?

    heck most of them will tell you to just use one (prefably theirs), I can't really imagine them spending even 0.00001% of the time considering the case of a super paranoid user who uses half a dozen HIPS together.

    If they do consider compatibility it is more with other main stream products like firewalls and antiviruses, even then I don't think this is done a lot. It's a simple matter of cost-benefit. How many people are paranoid enough to run neoavaguard, SSM, prosecurity together? Even here here we have the most the most HIPS crazy crowd in the world, everyone pretty much agrees it is overkill...

    Sadly, when people ask is X compatible with Y on forums, we rely on people like you to give their *impressions* of whether something is compatible.

    Typically when people like you say there is no conflicts, all one can conclude is, if one installs it, most likely the system won't immediately crash.


    actually i agree outright crashes (after install) are not that common all things considered and those are quickly reported (any idiot can spot those). The more difficult cases are when things seem to work okay for a while, until some event causes it to crash.

    In any case, I suspect you are either trolling (particularly given your system specs ), or you are naive beyond words.......
     
  25. EASTER.2010

    EASTER.2010 Guest

    Devil's Advocate? You are only continuing to instigate and deliberately try to grind out disagreement and offer nothing more but stalking my posts for the sake of complaining how i conduct my own systems and the softwares used with them, methods, and techniques.

    Your PM's as of this post are also no longer accepted because i have answered them fairly and as best i could only to find you follow up with even more complaints on a daily basis in some ongoing fun game you are playing and i don't have time for that.

    Furthermore if you have an ax to grind with me (Unfairly Indeed!) or other personal problem with how i enter Topics and answer discussions here at Wilder's or my posting habits just because you disagree with my own methods or observations offered then i suggest you take that issue up with Paul Wilder's , Bubba or another Moderator/Admin but your comments are way out of order especially in reference to the accusation of trolling.

    Our discussion is ended permanently so smile on fella'.
     
    Last edited by a moderator: Mar 23, 2007
Loading...
Thread Status:
Not open for further replies.