Which security pair is better?

Discussion in 'other anti-malware software' started by bellgamin, May 26, 2015.

  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Still running XP SP3.

    I am considering running one or the other of TWO Sets of security programs:

    Set A (3 apps) - APP Guard & NoVirusThanks EXE Radar Pro & Sygate Firewall 5.6.2808.0

    Set B (2 apps) - Spyshelter Firewall & NoVirusThanks EXE Radar Pro

    Do Sets A & B substantially overlap each other's security capabilities? Or do their respective capabilities differ in ways which might affect effective security protection for my doddering old XP system?

    10Q!
     
  2. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    If you free -

    I'd run Voodoo Shield and Zone Alarm Free Firewall.

    If you need a web filter, Blue Coat K9 is light on system resources and configurable.

    Between these three, you have a bullet-proof Windows XP.
     
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Mhh, may I choose another combination :D

    AppGuard with Spyshelter Firewall

    HIPS + ANTI-LOGGER + FIREWALL = Spyshelter
    NO-EXECUTE USER SPACE + RUN PROTECTED APPS AS LUA + Memory protection = AppGuard

    NVT only blocks EXEs (at least that is what I know); AppGuard blocks everything in user space.

    Regards Kees
     
  4. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    My 2 cents:

    Set A lacks Anti-Logging capabilities and classic HIPS-like features - I haven't had any first-hand experience with Sygate Firewall, but I assume it is/was a pure firewall.

    Set B lacks a LUA-containment + SRP-like combo (unless you plan to a) natively implement one, or b) use SS's "Restricted Apps" + Whitelisted Paths - that is, if you are interested in such a scheme) and pure firewall capabilities - I haven't tried the latest releases of SSF, but in a 9.x version that I did try, I could not find a way to properly filter system processes' connections; I don't know whether it was a driver issue (WFP for Vista+, TDI for XP - no experience on the latter) or an auto-trusting-system-processes thing; also, there was no connections monitor.

    Anyway, what about Set C: SS Premium + ERP + Sygate Firewall?

    PS. ERP is capable of monitoring any file type by filtering its "Vulnerable Process" interpreter's command-line arguments. If that's also the case with SS (cannot remember), then I think that using the latter renders the former redundant.

    EDIT

    @Windows_Security: Just saw your post. Quick Q: Is AG compatible with SS?
     
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Tried them together some time ago and it worked well on 32-bit Windows 7.
     
  6. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,016
    Set B

    Spyshelter Firewall
    (+)
    NoVirusThanks EXE Radar Pro
     
  7. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    I think ERP will be the first line, with the possibility to block every unknown/untrusted process... the second line will be SS for every other (whitelisted) app's unknown/suspicious behaviour. Of course we don't forget about SS's earlier-mentioned features.

    BTW... my set on XP SP3 - processes visible in Task Manager:
    - Kerio 2.1.5 Free
    - NVT ERP
    - EdgeGuard Solo
    and not visible: CryptoPrevent (Foolish) and Wondershare Time Freeze (only on demand)

  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Thanks to all for your helpful suggestions. I am still hoping for MORE COMMENTS before making a decision.

    @ Kees (Windoze Security) --- Spyshelter FW for 1 year is priced at 1/2 off at Softpedia - reasonable enough BUT how much do the Spyshelter folks charge to renew when the year expires? (Don't mention the lifetime license. I'm 84. If I bought a lifetime license, I would be doomed to an early grave. However, if I waste money by renewing Spyshelter annually, I shall probably live to be 150. These statements follow the same RULE which dictates that polishing my car will cause heavy rain, & a dropped slice of toast will always fall butter-side-down.)

    @ ichito --- You run Kerio, a very old FW that does a great job on XP. I run Sygate, another very old FW that does great on XP. QUESTION: Did you choose Kerio over Sygate for any particular reason? Or... ?

    @ all -- I recall having heard that the capabilities of ERP and APPGuard OVERLAP in many respects. True? Or do they each offer a unique set of security capabilities?
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    AppGuard, hmm... Let me dig this one up. I think I did some experiments with it back when I was young and ignorant... err, I mean younger and more ignorant than I am now. Ah, here we go:

    Efficacy of different setups at containing a userspace attack on Windows XP SP3

    That was a couple years back, things may have changed since then. What I saw was, Appguard could probably contain most malware; but not a resourceful malicious person on the other end of a reverse TCP shell. Whether that makes a difference here is up to you.

    EXE Radar Pro I also tested; last I checked, it did exactly what it said on the box. Unfortunately, "what it said on the box" is IMO inadequate for a legacy Windows setup.

    Sygate is abandonware. The intersection of "abandonware" and "network firewall" is bad. Any vulnerability will likely be remote, and definitely unpatched. I would not use it if possible. The problem is that still-maintained firewalls for WinXP are just going to get less and less common.

    Spyshelter I'm unfamiliar with. If it includes a full HIPS - EXE blocking and all - then EXE Radar Pro would be redundant (or worse).

    Well, they're all mandatory access control (of a minimal sort), and they all reside at the kernel level, and have similar capabilities. I'm guessing their efficacy against more advanced exploit kits, targeting XP specifically, would be... very limited, at best.

    For instance: there are now ransomware varieties that run their encryption routine from within the original compromised process. If that process is, say, the browser, blocking that won't be easy. AppGuard's private folder might work, assuming the browser is denied access; otherwise the prognosis is not so good.

    All told, my advice is to select the setup you feel more comfortable with, but be aware of its limitations. A false sense of security can be more dangerous than having poor security and knowing it.

    Also, if you haven't already: make sure you have an up-to-date hardware firewall protecting your network. And remember to disable UPnP, and set up outbound filtering rules on it. That alone is not sufficient security (especially for a network full of legacy systems), but for me it's been a big help.
     
  10. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Alternative freebie setup
    - keep Sygate
    - use Spyshelter free on x32 it has a great and user friendly HIPS
    - use SecureFolders free to set a no execution in user folders (also stops dll etc)
     
  11. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    So, in theory, a combination of AppGuard + SpyShelter Firewall (disabling the unneeded modules)/SpyShelter Free + NVT ERP + Sygate Firewall is possible - just saying.
    In practice, yeah - probably overkill.

    On a more realistic note, I think that the only feature of the above-mentioned security products that one cannot get for free is the "Memory Guard" of AppGuard + come to think of it, AG on XP is probably the wise choice here, IMHO.

    On a slightly unrelated note, I highly value Andreas' coding skills.
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Not overkill, just redundant. They all work on the same level, with many of the same methods. If something bypasses one, it will probably bypass them all.

    Hmm, I hadn't heard of this "Memory Guard." Was this added after I last tried AppGuard? (i.e. after November of 2013.) Be aware though that, if it is in fact an exploit mitigation feature, it might rely on Windows Vista/7/8 internals for full effect.

    Edit: to be frank, I can't view anything on XP as a wise choice; with the possible exception of an air gap. ;)
     
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    ERP has one function that SS doesn't possess... "lock-down system", which one can have just from the sys-tray menu without any special tricks - ERP is just anti-exe, so only whitelisted apps can run... if not, we have SS that should (I think) detect an unknown process or an unneeded/suspicious action of a known app.
    Such a combo... I think... can be very strong and useful.
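    The two mechanisms discussed in this thread (an anti-exe allow list with a "lock-down" mode that blocks rather than alerts, and the "Vulnerable Process" argument filtering mentioned earlier, where a trusted interpreter such as wscript.exe is only allowed to run approved scripts) can be modelled in a few lines. The following is an added illustrative example written for this thread; it is not code from NoVirusThanks, SpyShelter or AppGuard, and every path, allow list, interpreter table and event in it is constructed for the demo.

```python
"""
Toy allow-list ("anti-exe") decision engine: an added, illustrative model of the
behaviour discussed above, not code from NoVirusThanks, SpyShelter or AppGuard.
All paths, allow lists and the interpreter table are constructed for the demo.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Executables the operator has approved (constructed list, hypothetical paths).
ALLOWED_IMAGES = {
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\System32\wscript.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
}

# "Vulnerable processes": trusted interpreters that run whatever file they are
# handed, so trusting the image alone is not enough; the argument list decides.
VULNERABLE_INTERPRETERS = {
    "wscript.exe": (".vbs", ".js", ".wsf"),
    "cscript.exe": (".vbs", ".js", ".wsf"),
    "cmd.exe": (".bat", ".cmd"),
    "powershell.exe": (".ps1",),
}

# Scripts that an approved interpreter may run (constructed).
ALLOWED_SCRIPTS = {r"C:\Scripts\backup.vbs"}


def _norm(path: str) -> str:
    """Case-insensitive, separator-normalised form of a Windows path."""
    return str(PureWindowsPath(path.strip('"'))).lower()


@dataclass
class ProcessEvent:
    """One process-creation event as a monitor would see it (constructed)."""
    image: str          # full path of the executable being started
    argv: list          # command-line arguments after the image itself
    parent: str = ""    # image of the creating process (informational only)


def decide(event: ProcessEvent, lockdown: bool = False) -> tuple:
    """
    Return (verdict, reason). Verdicts: "allow", "ask", "block".
    In normal mode unknown things produce "ask" (alert the user);
    in lock-down mode the same cases are blocked silently.
    """
    unknown = "block" if lockdown else "ask"
    allowed_images = {_norm(p) for p in ALLOWED_IMAGES}
    allowed_scripts = {_norm(s) for s in ALLOWED_SCRIPTS}

    image = _norm(event.image)
    if image not in allowed_images:
        return unknown, f"image not on the allow list: {event.image}"

    # The image is trusted; if it is an interpreter, vet what it was told to run.
    name = PureWindowsPath(image).name
    exts = VULNERABLE_INTERPRETERS.get(name)
    if exts:
        for arg in event.argv:
            if arg.strip('"').lower().endswith(exts) and _norm(arg) not in allowed_scripts:
                return unknown, f"{name} asked to run unapproved script {arg}"

    return "allow", "image (and any script argument) is on the allow list"


def run_demo(lockdown: bool = False) -> list:
    """Evaluate a few constructed events; returns [(description, verdict), ...]."""
    events = [
        ("editor from system32", ProcessEvent(r"C:\Windows\System32\notepad.exe", [])),
        ("unknown binary in temp", ProcessEvent(r"C:\Users\Bob\AppData\Local\Temp\setup.exe", [])),
        ("approved script", ProcessEvent(r"C:\Windows\System32\wscript.exe", [r"C:\Scripts\backup.vbs"])),
        ("downloaded script", ProcessEvent(r"C:\Windows\System32\wscript.exe",
                                           [r'"C:\Users\Bob\Downloads\invoice.vbs"'], parent="explorer.exe")),
    ]
    return [(desc, decide(ev, lockdown)[0]) for desc, ev in events]


if __name__ == "__main__":
    for mode in (False, True):
        print("lock-down" if mode else "normal")
        for desc, verdict in run_demo(mode):
            print(f"  {desc:24s} -> {verdict}")
```

    The point the model makes is the one CGuard raised: an allow list keyed only on the image path lets a trusted interpreter become a loophole, so the script argument has to be checked against its own allow list. The `lockdown` flag reproduces the alert-versus-block difference ichito describes; a real product would also have to resolve short names, symbolic links and inline code passed through flags, none of which this toy handles.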
     
  14. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    It was already included by then.

    From what I understand - and I could be wrong because it isn't documented in detail - it is designed to prevent a guarded process from making lateral movements in memory, for example injecting code into another application. It reminds me of the process hollowing protection in HMP.Alert. Sandboxie - at least on Vista and above - should also prevent a process inside the sandbox from tampering with the memory of a process outside of the sandbox.
     
  15. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    My guess also. Before they implemented Memory Guard, Eirik (of Blueridge) set up a meeting with their developers. In Vista and above, lower-rights objects can't touch higher-rights objects. This leaves same-rights processes still vulnerable to side-by-side attacks (as M$ calls it). To implement additional protection they block write and/or read access outside the allocated executable memory of protected processes. The advantage at that time was that it also added considerable protection to XP. Memory Guard is stricter than most HIPS (and sandbox-like) options which protect RAM or manipulating memory allocated to other processes.

    So Memory Guard does not protect against the first stage of exploits, but it should add a considerable threshold to the intrusion steps usually following the first in memory exploit (which changes the flow of events inside the attacked process).

    Same as SpyShelter HIPS has an option which prevents reading the memory of critical system processes. This also does not protect against first-stage exploits, but could spoil the predictability of the next steps, because offsets (internal memory addresses) of attacked (critical) processes can't be determined.

    Beware: according to Zoltan_MRG telling that this might block an exploit is considered a straw-man fellony, so use this information at your own risk (although Zoltan did not call Fabian Wosar a straw-man), you are warned look at my avatar :argh: Maybe Zoltan_MRG should call US defense and tell them they made a big mistake by granting Blueridge some important contracts.
     
    Last edited: May 28, 2015
  16. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    162
    Whoa!.. the prerequisite context of a logical straw man fallacy and the avatar to boot. Whether the hollow accusation (as I recall) was a motive or not to switch to that avatar. Priceless! :D

    p.s. "...straw man fellony..." LMAO
     
    Last edited: May 28, 2015
  17. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Yes, it was the trigger. I had two choices: copy the avatar of Fabian (since his critique was similar), but his avatar is a picture of himself, and that would be illegal impersonation, so the strawman was the only viable alternative.
     
  18. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    162
    My only concern is if I'll ever see "The Wizard of Oz" again in the same light. Lions and tigers and bears oh my. :argh:
     
    Last edited: May 28, 2015
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Hah ha. Great back n forth. Very good stuff indeed. In fact seems we are up to our ears in rebuilding anew HIPS all over again? In bits and pieces at a time, only adding more areas for protection with better techniques. Better being measured more comprehensively. Or something like that :argh:
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Keep in mind that SS is more a HIPS than a firewall. If HIPS (with alerts) is important to you, then SS + ERP is the best choice. SS also has a "restricted apps" feature which works a bit like AG's Guarded App feature.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    The object of that test was to check whether the execution of malicious code was stopped in the early stages, it was not about testing "containment" of malicious actions.
     
  22. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    For the moment I am testing Set A with a slight change: AppGuard & ERP & Sunbelt's 2005 update of Kerio FW (instead of Sygate FW). That FW includes a NIPS/HIPS/Behavior blocker combo, over & above its standard FW abilities. So far so good -- in fact... VERY good.

    @ ALL -- This thread has become intensely interesting & entertaining, even the stuff that's slightly OT. Kees is one of my favorite folks on the planet. So also Rasheed. Learning to love Fleischmann (it's an acquired taste, & bloody difficult to spell correctly).
     
  23. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    @bellgamin So you have a copy of the last release of Sunbelt (4.7) which had the pro options for free?
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Will this version run on a 64 bit windows 8 version?
     
  25. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    @ Kees - Yessss! :p Me got Pro options.

    @ Easter - No. Win 8 no can do. 64 bit -- no can put put 64 into 32, it make computer blow up maybe. :eek:
     