WinPatrol against malware?

Discussion in 'other anti-malware software' started by risl, Oct 25, 2008.

Thread Status:
Not open for further replies.
  1. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Hello,

    Has anyone tested the free WinPatrol against malware, if it's any good? Is it even supposed to be an anti-malware application at all, or just some system info displayer? :)
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    There is a video on YouTube about WinPatrol; out of 10 it scores 0 for blocking malware. Still don't know the test that was performed; the tester on YouTube says it fails :doubt:
     
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    WP's function is to monitor some key areas (IDS), e.g. startup, services, file types etc. If something changes in those areas, malicious or not, Scotty will bark and you may choose to allow/disallow. Runs very light, no slow-downs or stability problems.

    /C.
     
  4. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I have WinPatrol Plus, but I wouldn't expect it to do anything against serious malware, like trojans, worms etc. I think it can stop spyware and such.

    Its real time monitor is usually a bit "too late" on my PC. Twister flags a registry run key immediately, WinPatrol Plus has a lag. Sometimes I can even reboot before WinPatrol flags it. It doesn't really use hooks, it just polls very quickly to achieve its "realtime" protection.

    But it's nice monitoring the hosts file and services. Just don't expect it to stop the super trojan.
     
  6. gates

    gates Registered Member

    Joined:
    Sep 2, 2005
    Posts:
    59
    I have a real-life example which happened today.

    I was browsing the internet when suddenly my WinPatrol informed me that a file named wJQs.exe (from the temp folder) tried to start an svchost file as a process (from system32/drivers).
    At the same time my firewall informed me that svchost.exe wanted to go to the internet. Of course I denied those requests.

    After that I just zipped those files and sent them to Dr.Web - after one hour Dr.Web had added detection and I just ran a scan to make sure that my computer is clean. :D

    Thanks to WinPatrol Plus those trojans were easy to remove. So all was simple and effective :thumb:
     
    Last edited: Oct 25, 2008
  7. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    It does appear that way at times, but WP always alerts me to changes before they are written to HD.
    i.e.: When I update my HOSTS file, WP alerts me (after a couple seconds). I am then given the option to disallow any change to said file.
    I do understand your observation about the seeming "lag", but as long as no real changes are made to my system / files, I believe WinPat is doing its job.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    That is very impressive :thumb: :thumb:
     
  9. progress

    progress Guest

    So WinPatrol Free (without real-time protection) can't prevent the installation of a rootkit? :ouch:
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Try installing Comodo. It will reboot and only after reboot WinPatrol will alert (the PLUS version). And Comodo will be autorun in the meantime (you will see it running at startup). Happened to me with various applications, but simply Comodo occurred to me recently and repeatedly, so I remember it clearly. The fact that on startup Comodo is running (loaded) means that if it was a malware, it would be already running too and the ability of WinPatrol to revert the startup key would be of dubious use.
     
    Last edited: Jan 31, 2009
  11. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    The setting "Warn if changes are made to my Internet HOSTS and critical System files." must have been responsible for that.

    I mainly use WinPatrol to monitor my system and detect any changes, I'm not actually counting on it to save me from a nasty trojan, but what you described was very cool!
     
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I agree.
     
  13. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    For whoever is interested, here are results of SpyCar (hosts file is also blocked):

    HKCU_Run : Spycar change blocked
    HKCU_RunOnce : Spycar change blocked
    HKCU_RunOnceEx : Spycar change blocked
    HKLM_Run : Spycar change blocked
    HKLM_RunOnce : Spycar change blocked
    HKLM_RunOnceEx : Spycar change blocked
    IE-HomePageLock : Spycar change allowed
    IE-KillAdvancedTab : Spycar change allowed
    IE-KillConnectionsTab : Spycar change allowed
    IE-KillContentTab : Spycar change allowed
    IE-KillGeneralTab : Spycar change allowed
    IE-KillPrivacyTab : Spycar change allowed
    IE-KillProgramsTab : Spycar change allowed
    IE-KillSecurityTab : Spycar change allowed
    IE-SetHomePage : Spycar change blocked
    IE-SetSearchPage : Spycar change blocked


    The point is, all those reg keys can be easily protected and also in real time (pops up before WinPatrol Plus) by a much lighter application, RegProt. Which though won't protect the hosts file. Honestly, seen what WinPatrol is about, I would expect better protection of IE. And why not, support more browsers.

    You may also think that TF is free and does more and consumes a little more CPU.

    Anyway, this little test, brought me the will to run WinPatrol again. :D
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    This is freaking cool and it is the Plus version ;)
    You should run for president :D
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That is certainly impressive.

    However, I would be concerned that there is a weakness in your security that allowed the trojans to get onto your computer in the first place while browsing.

    ----
    rich
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    No, remember that some trojans are very undetectable by sig-based antimalware; that's when WinPatrol triggers a fire when it notices strange behaviour. By the way, is WinPatrol Plus a behaviour blocker?
     
  17. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes, it's the PLUS. Which btw, I will now install without Shadow Defender for the 3rd time today. So, I must let Bill know that I install it again (activate).
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Cool ;) Which one will serve you better, WinPatrol Plus or Spyware Blaster, when it comes to protecting the browser? Thanks again :)
     
  19. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    To tell you the truth, I haven't used Spyware Blaster for ages / I am not sure I have ever used it at all.

    I took a look at Spyware Blaster's site at this moment, seems specialized for browser protection. I don't know. In WinPatrol I like also the service monitoring. Seems to have a wider coverage. But I don't know which would be more effective for browsers.

    Personally I use Opera, which isn't covered in WinPatrol, so I often ask myself why I bother to use WinPatrol in the first place. Twister has registry protection of its own. I guess for the hosts file and services... and because Scotty is cute... *puppy*
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Agree 100%. I also notice when you have a HIPS program WinPatrol is not needed, 'cause a HIPS does exactly and even more stuff than WinPatrol does :thumb:
    But again, the barking dog is cute :)
     
  21. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes, in fact, I am about to uninstall SSM. I am torn between TF + WinPatrol or Process Guard Free (which doesn't do much) + WinPatrol. I'll flip a coin. :D
     
  22. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, you can add Process Guard to the list of applications that can reboot with WinPatrol Plus asking about their autostart after they have loaded... While RegProt asks you as soon as it installs.

    Anyway, come here Scotty! *puppy*

    EDIT: WinPatrol should think of an easy way to submit "new PLUS info" for unknown processes.

    http://img218.imageshack.us/img218/7686/58639874vx8.png

    I guess unless I mail him, no matter how many times I ask about it, it won't be included in the database... The "we now have a record so we will search it" is a bit old, since I have searched Twister for months now and every time I get the same answer.
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I tried WinPatrol Plus and ThreatFire and you'll feel secure and confident ;) plus you add your fave, in my case DefenseWall :D :)
     
  24. progress

    progress Guest

    I agree, WinPatrol can't prevent key changes! It's just an information tool ... :(
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    My understanding is that it is able to REVERT the change. In the Plus, this happens in almost real time. But if a malware is capable of causing a reboot, chances are it won't stop it before reboot. Once I have also found a trojan simulator that was doing something similar and I was running RegProt. RegProt did pop up in realtime, but before I could click "no", the PC was rebooted.

    For "ordinary" malware, WinPatrol CAN successfully revert changes in almost realtime. I think it's very useful for spyware/adware and common malware that makes a startup entry.

    But I wouldn't put it at the same level as classical HIPS. Those won't allow any registry change until you decide and will freeze anything pending your decision.

    TF is good, but I have mixed feelings about the net module and the fact that some people complain it drags down their system. To tell the truth it is somewhat CPU hungry, although within acceptable levels. For now I use WinPatrol because I like Scotty! :) Now, if only Scotty was to have a behaviour blocking ability too! That would be awesome!
     
    Last edited: Feb 7, 2009
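
Posts 5, 10 and 25 above describe a monitor that polls and reverts rather than intercepting writes. The simulation below is an added example, not part of the thread and not WinPatrol's code; the poll interval, the entry names and the dict standing in for a Run key are constructed assumptions. It shows the window in which a reboot lets a new autorun entry launch before a polling monitor reverts it, next to a hook-style monitor that holds the write.

```python
# Added illustration: a simulated Run key (plain dict), no real registry access.
# All names, timings and entries are constructed for this example.

def poll(run_key, approved):
    """Snapshot-diff check: revert unapproved entries and return their names."""
    reverted = []
    for name, cmd in list(run_key.items()):
        if approved.get(name) != cmd:
            reverted.append(name)
            if name in approved:
                run_key[name] = approved[name]   # restore the approved value
            else:
                del run_key[name]                # remove the new entry
    return reverted

def simulate(events, interval, end, mode="poll"):
    """Replay timestamped events against a monitor.

    events: (time, "write", (name, command)) or (time, "reboot", None)
    mode:   "poll" checks every `interval` seconds and reverts afterwards;
            "hook" holds each write until the user decides (modelled as deny).
    Returns (entries launched at a reboot while unapproved, [(time, name) alerts]).
    """
    run_key = {"Scotty": "monitor.exe"}          # constructed baseline entry
    approved = dict(run_key)
    polls = []
    if mode == "poll":
        polls = [(k * interval, "poll", None)
                 for k in range(1, int(end / interval) + 1)]
    launched, alerts = [], []
    for t, kind, payload in sorted(polls + list(events), key=lambda e: e[0]):
        if kind == "write":
            name, cmd = payload
            if mode == "hook":
                alerts.append((t, name))         # intercepted before it lands
            else:
                run_key[name] = cmd              # lands now, seen at next poll
        elif kind == "reboot":
            # Everything in the Run key starts at logon, approved or not.
            launched += [n for n, c in run_key.items() if approved.get(n) != c]
        else:
            alerts += [(t, n) for n in poll(run_key, approved)]
    return launched, alerts

WRITE = (1.0, "write", ("installer", "C:\\Temp\\setup.exe"))
print(simulate([WRITE, (1.5, "reboot", None)], 2.0, 4.0))          # reboot wins the race
print(simulate([WRITE, (3.0, "reboot", None)], 2.0, 4.0))          # reverted in time
print(simulate([WRITE, (1.5, "reboot", None)], 2.0, 4.0, "hook"))  # never written
```

In the first run the alert at t=2.0 arrives after the entry has already launched at the t=1.5 reboot, which is the case where reverting the startup key comes too late.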