Winsonar 2010 Build 9.03.01 Released

http://www.softpedia.com/get/System/System-Info/Winsonar.shtml


how good is this for being free? i see it now supports windows 7 fully

 

Winsonar is a free, time-tested HIPS, narrower in protective scope than Malware Defender, OnlineArmor, Outpost, CIS, etc.

It installs into Documents & Settings folder. Hmm...

Install does NOT require a restart so it can be trialed on Shadow Defender (et alia). Its new GUI is waaaay too big vertically to fit on my 24" monitor -- and it cannot be adjusted.

 

It's a poller. That alone puts it in a lower category than the rest of known HIPS.

 

I agree with Fuzzy's polling comment -- to an extent. The one reservation I have, before totally condemning polling, has to do with 64-bit and its nefarious "Patch Guard" (PG). As I understand it, PG precludes the *effective* hooking of the kernel in Windows 64 bit OS.

Please bear with me while I insert a bit of background concerning the *Patch Guard problem*. Trust me, I will come back to the polling attribute of Winsonar, as mentioned by Fuzzfas.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Patch Guard is an important reason (but perhaps not the ONLY reason) why DefenseWall is not yet projecting when, if ever, it will have a 64-bit version.

Sandboxie (SBIE) issued a 64-bit version reluctantly, & only after loud demands by its users. Tsuk says (in so many words) that it is a weakened version of SBIE, by virtue of its having to live within the constraints imposed by Patch Guard.

There are several other examples of security programs that have not yet issued 64-bit versions. ALSO, there have been hints by some highly respected security gurus that many (not all) of the security apps which DO run on 64-bit have been weakened, to an extent, in order to run under Patch Guard's constraints. If true, then bad guys will eventually locate those weaknesses and then... Katie bar the door!

Patch Guard is a security move on the part of Microsoft. The big question (for me at least) is this: will the security gains afforded by Patch Guard be great enough to offset the weakened condition of those security apps which formerly used kernel hooks as part of their security strategy?

If you want to dig more deeply into the *Patch Guard problem* then by all means read the fascinating, instructive, VERY lengthy, often inflammatory, bloody-good-fun-thread at...
https://www.wilderssecurity.com/showthread.php?t=250126
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Meanwhile, back at the topic thread. In light of the restraints imposed by Patch Guard, it is not all that horrible that Winsonar uses polling instead of hooking. Polling is one way to live with Patch Guard, I suppose (but I am FAR from being an expert in this area).

One of the weaknesses of polling is that it tends to spot real or potential threats AFTER-the-fact rather than during or before the fact. One answer to this weakness is to use disk imaging (or restore points) in conjunction with polling. {There never was a horse that couldn't be rode; there never was a rider that couldn't be throwed}

P.S. Per Major Geeks & SnapFiles, Winsonar 2010 runs on Win 2000/03/08/XP/Vista/7. I couldn't find whether it runs on 64-bit. Does anyone know?

 

Wait Winsonar uses polling? I thought it used hooks in userspace?

 

From what i know, this is the setting which determins the polling frequency:

http://img97.imageshack.us/img97/6222/27002907.png

As Bellgamin says, it's not necessarily a bad thing and in Win7x64 there aren't many standalone classical HIPS (or maybe none), so having one is better than nothing (unless you go for firewall+HIPS integrated solutions).

Anyway, last time i tried Winsonar (the v.8 in XP) it was consuming too much CPU time exactly because of the polling. That's what mainly turned me down, together with the fact that it was less userfriendly than most other competitors using hooks.

I may try it again though, as i would have room for a standalone hips in 7x64 (assuming it's 64bit compatible).

 

AFAIK HIPS for 64-bit hook the user mode (ring 3) whereas the HIPS for 32-bit hook kernel mode (ring 0). Hooking ring 3 is (so they say) much less protective-effective & much less *protectable* than is hooking ring 0.

Please keep in mind: I have no idea what I am talking about. (I do have answers, provided no one asks me any questions.)

Or try reading THIS if you really want more info on ring & things & stuff that goes bump in the night.

 

How good is this app as an AE? I found this very interesting.