Spyware Warrior forum: Help with Spyware, Hijacking & Other Internet Nuisances

Thoughts on Anti-Spyware Testing
mikey
Malware Expert
Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex
Posted: Thu Aug 17, 2006 4:59 pm

Perhaps, Eric, you haven't been paying attention. Any user wanting to know what I know about process firewalling need only ask.
Examples:
http://www.spywarewarrior.com/viewtopic.php?t=22227

http://www.spywarewarrior.com/viewtopic.php?t=21772

etc.

Eric, do you have a specific question about firewalling that I might know the answer to? If so, I'll be more than happy to try to find an answer.


As for your responses about my concerns with all the so-called 'testing' done in the anti-malware industry, again:

Quote:
Hey Eric, I guess we can just let the users who see daily the corruption in this industry, including all the bogus testing and other advertising that has been published, decide for themselves which one of us is making more sense.


You see, I think the average user really does have enough sense to see through the bulk of the garbage. I believe they will take one look at your responses to my concerns and conclude the same as I...that you really didn't respond with anything worthy of further comment. If I'm wrong about that...oh well...I don't have the energy or inclination to debate responses I don't think make any sense...especially when I think the users will see the same thing I do...nothing real.

I noticed how, even with all the feigned responses to my concerns, you managed to avoid this one:
Quote:
Should any testing done by those affiliated with a particular tool be considered viable? How does anyone reading a test result know if a test was done by someone who is affiliated or has interest in a particular tool?


Unlike how those of you with special interests would try to convince them otherwise, I also think the average user can be taught how to 'freely' use a firewall just as easily as they can be taught to periodically rip the guts out of their sys, while more often than not crippling components in the process. Then they won't need to use malware scanners anymore. Yes, I do think most users can and will learn...but not from those who want to sell the status quo.

BTW, please continue to try and bait my responses...I think it makes it all the more plain for folks to see the realities here. I suppose you wouldn't know what I mean tho, huh.
_________________
-

UbuntuStudio...community supported multi-media development optimization.

-
eburger68
SWW Distinguished Expert
Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL
Posted: Thu Aug 17, 2006 5:34 pm

Mikey:

If you're not willing to answer specific questions -- and there were plenty of them in my two previous posts -- please just say so. Don't pretend they weren't put to you. They're there and will remain there, if you're ever up to answering them.

You point to two discussions here at Spyware Warrior, both of which center heavily on but one application: System Safety Monitor. Neither of those discussions comes close to doing the minimal work that I identified as necessary in order to help folks make sense of this new generation of anti-malware apps. Specifically...

Quote:
* honest discussions of the shortcomings and problems (real and potential) with HIPS apps;

* detailed discussions of the feature sets and technologies behind these applications;

* meaningful considerations of the user experience with these applications;

* tips and advice to help non-technically savvy folks distinguish the high-quality HIPS offerings from the not-so-good offerings and even the outright snake-oil masquerading as good HIPS;

* recognized, quality testing -- or even amateur comparative testing, for that matter.


Or even for just starters...:

Quote:
If anyone's willing to dive in, you could do worse than by starting with the basics -- how about a simple, standardized guide to comparing and evaluating the respective capabilities or feature sets of HIPS apps? Even something as simple as a usable bulleted list or check list of basics would be helpful at this point.

Or, put another way: most of us have a fairly good sense of what to look for in an anti-malware scanner (even if we often come to different conclusions about particular apps). But what are we to look for in a HIPS app? How do we tell if one HIPS app might be better or more suitable for us than another HIPS app?


Who here among the HIPS evangelists is willing to tackle any of the above tasks? I'm dead serious. This work desperately needs to be done, and the readers of Spyware Warrior would benefit immensely from some docs that were done intelligently and done right -- not just some forum regulars chewing the cud over one particular app.

If the discussion and takeup of HIPS apps is to spread beyond a few geeks inhabiting forums and fancying themselves so much smarter than the corrupt status quo of "bot scanners" -- which is to say, if these apps are ever to become recognized and accepted among regular users -- then the discussion surrounding these apps is going to have to move beyond where it is now. And, like it or not, we're going to need some form of testing. T'ain't fair or consistent to denounce corrupt or poorly performed testing of anti-malware scanners and then to fall utterly silent on the issue of testing of HIPS apps.

And, by the way, Mikey, I'm still waiting for that list of process filters you promised.

This is basic stuff, folks. Many of you expressed a desire for a more HIPS-centric focus at Spyware Warrior and more HIPS-related data and content. Well, guess what? That info isn't going to spontaneously appear on its own -- it's going to take work. We're soliciting advice and contributions. So far it's been difficult to get more than a basic list of apps (and even that list is flawed/incomplete).

Contrary to what some folks around here might like to think, all those dastardly vendors of "bot scanners" aren't attempting to preserve the status quo. Quite the contrary. Many if not most of them are embracing HIPS in one form or another, and sitting around here denouncing them isn't going to play much longer.

So, please, let's get on with it. If anyone wants to take a stab at doing some intelligent, coherent, disciplined reviewing of HIPS apps, or putting together docs on any of the other topics suggested above, I'm sure Suzi would be happy to turn those efforts into stickies or even featured content here at Spyware Warrior.

Also, I've been thinking that a basic feature comparison page along the lines of the page we already have for anti-spyware scanners...

http://spywarewarrior.com/asw-features.htm

...might be a useful addition to Spyware Warrior. Who might be willing to put together a basic structure (beyond product name, company, price, etc.) for comparing these applications? And would anyone be willing to put in some hours examining the apps selected and gathering the required data?

This is where Suzi and I are at, folks, in case you're wondering. I hope we can find a few like-minded others. If interested, feel free to weigh in here or PM one of us with suggestions and ideas.

Eric L. Howes
mikey
Malware Expert
Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex
Posted: Thu Aug 17, 2006 5:45 pm

Quote:
If you're not willing to answer specific questions...


Again,

Quote:
Eric, do you have a specific question about firewalling that I might know the answer to? If so, I'll be more than happy to try to find an answer.


Do you have a specific question?

I've seen lots of words here; perhaps I missed it.
eburger68
SWW Distinguished Expert
Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL
Posted: Thu Aug 17, 2006 6:07 pm

Hi All:

For those wondering where to get started, you might start drafting some intelligent, coherent, readable answers to the following...

Quote:

HIPS Frequently Asked Questions

1. What does HIPS stand for?

2. How can HIPS technology protect my PC against malware?

3. How does HIPS technology differ from the anti-spyware scanner, anti-virus scanner, and personal firewall that I have right now? How do HIPS apps differ from sandboxes and virtualization applications?

4. My anti-spyware/anti-virus app claims it provides "real time protection & monitoring." Is this the same thing as HIPS? If not, why would HIPS be better than the monitoring application I'm running now?

5. I've already got an app that warns me when certain Registry changes are made. Why would I need a HIPS app? What additional protection would it provide?

6. I've heard that HIPS applications often use "kernel level filter drivers." What are these? Why do HIPS apps use them? Are they dangerous?

7. I've heard that HIPS apps tend to produce a lot of pop-ups asking you to confirm or deny this, that, and the other action. I really don't have time for this kind of "chatty" app. Is this true? Are all HIPS apps like this? Just some? How do I tell?

8. Can HIPS apps conflict with any of my other security applications -- like my current anti-virus app, anti-spyware app, or personal firewall? Can I run two HIPS apps simultaneously?

9. If I install a HIPS app, will it replace my anti-virus, anti-spyware, or firewall applications? Can I uninstall the other apps? Should I keep one or two of them as "back-up"? If so, which ones should I keep?

10. I've heard HIPS apps referred to as "process firewalls." How is HIPS different than my personal firewall? Can it replace my current firewall?

11. I've heard that HIPS apps can cause system instability and blue screens. Is this true? Why? Are some HIPS apps more stable than others? How do I tell?

12. I thought HIPS apps were more for corporations and administrators. Are there HIPS apps suitable for home users like myself? If so, which ones?

13. How difficult are HIPS apps to learn how to use? Am I going to have to be an expert in Windows? How much about my computer am I going to have to know and understand?

14. What are the basic features of a HIPS app? If I were comparing several HIPS apps, what features or qualities should I look for? How do I tell if one is better than another?

15. Are there any published tests (like PC World or PC Magazine) of the best HIPS apps?

16. How do I tell if a product I'm looking at out at CompUSA or Best Buy offers HIPS functionality? Will it say on the box?

17. If I buy a HIPS app for my Windows XP system, will it also work on my older Windows 98 box? What happens when Windows Vista comes out next year -- will it work on that?

18. I heard that Windows Vista will have a bunch of new security features and is being designed for security from the ground up. Is this true? If so, why would I need a HIPS app for Vista?

19. I heard that Microsoft was locking third-party developers out of the kernel. Is this true? If so, how will HIPS developers implement kernel-level filter drivers on Vista?

20. I use Firefox for all my web browsing and I never visit porn sites or crackz sites. Why would I need a HIPS app?

21. Do you have a short list of HIPS apps recommended for home users? If so, how did you select the apps on the list? What were the criteria for selection and recommendation?

Last revised: 22 Aug. 2006


Mikey, you asked if I had questions. You can start with the above.

Anyone else is free to take a crack as well. If we get useful answers that might actually benefit readers, we'll consider posting the FAQ as a sticky or, if the answers are esp. well done, as featured content at Spyware Warrior.

Eric L. Howes


Last edited by eburger68 on Mon Aug 21, 2006 11:57 pm; edited 3 times in total
eburger68
SWW Distinguished Expert
Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL
Posted: Thu Aug 17, 2006 6:19 pm

Mikey:

And just in case you get through with the questions in my previous post, you can go back and answer the questions from my earlier posts in this thread. To wit:

Quote:
1. With these new HIPS apps, users have little more than the bald and bold assertions of vendors themselves and the various fans of these applications in newsgroups. Is that not a little worrisome? How is the user supposed to distinguish quality HIPS protection from snake-oil?

2. How would or could HIPS testing be done in a way that would produce repeatable, valid, and meaningful test results that would actually allow users and consumers to compare HIPS apps? Any thoughts on creating a useful test bed, test environment, and methodology?

3. If some useful HIPS testing has been conducted, would you please point us to that testing and explain what makes the testing commendable as well as problematic?

4. What do you consider to be the essential ingredients of a good testing program for HIPS apps? How would we distinguish meaningful and valid tests from worthless ones?

5. What are users supposed to do in the absence of any significant amount of recognized quality testing? Try every HIPS app on the market themselves? And evaluate those apps on the basis of what?

6. Could you offer a simple, standardized guide to comparing and evaluating the respective capabilities or feature sets of HIPS apps? Even something as simple as a usable bulleted list or check list of basics would be helpful at this point.

Or, put another way: most of us have a fairly good sense of what to look for in an anti-malware scanner (even if we often come to different conclusions about particular apps). But what are we to look for in a HIPS app? How do we tell if one HIPS app might be better or more suitable for us than another HIPS app?

7. When do you expect to have the list of process filters finished so that I can separate them out from the sandbox utils in the forum sticky?


Thanks for being a sport and offering to answer all of my questions. I'm sure I speak for the rest of the forum when I say that I sincerely look forward to your answers.

Cheers,

Eric L. Howes
Erikalbert
Warrior
Joined: 10 Aug 2006
Last Visit: 05 Jul 2007
Posts: 219
Posted: Sun Aug 20, 2006 9:49 pm

eburger68 wrote:
Hi All:

For those wondering where to get started, you might start drafting some intelligent, coherent, readable answers to the following...

Quote:

HIPS Frequently Asked Questions

1. What does HIPS stand for?

2. How can HIPS technology protect my PC against malware?

3. How does HIPS technology differ from the anti-spyware scanner, anti-virus scanner, and personal firewall that I have right now?

4. My anti-spyware/anti-virus app claims it provides "real time protection & monitoring." Is this the same thing as HIPS? If not, why would HIPS be better than the monitoring application I'm running now?

5. I've already got an app that warns me when certain Registry changes are made. Why would I need a HIPS app? What additional protection would it provide?

6. I've heard that HIPS applications often use "kernel level filter drivers." What are these? Why do HIPS apps use them? Are they dangerous?

7. I've heard that HIPS apps tend to produce a lot of pop-ups asking you to confirm or deny this, that, and the other action. I really don't have time for this kind of "chatty" app. Is this true? Are all HIPS apps like this? Just some? How do I tell?

8. Can HIPS apps conflict with any of my other security applications -- like my current anti-virus app, anti-spyware app, or personal firewall? Can I run two HIPS apps simultaneously?

9. If I install a HIPS app, will it replace my anti-virus, anti-spyware, or firewall applications? Can I uninstall the other apps? Should I keep one or two of them as "back-up"? If so, which ones should I keep?

10. I've heard HIPS apps referred to as "process firewalls." How is HIPS different than my personal firewall? Can it replace my current firewall?

11. I've heard that HIPS apps can cause system instability and blue screens. Is this true? Why? Are some HIPS apps more stable than others? How do I tell?

12. I thought HIPS apps were more for corporations and administrators. Are there HIPS apps suitable for home users like myself? If so, which ones?

13. How difficult are HIPS apps to learn how to use? Am I going to have to be an expert in Windows? How much about my computer am I going to have to know and understand?

14. What are the basic features of a HIPS app? If I were comparing several HIPS apps, what features or qualities should I look for? How do I tell if one is better than another?

15. Are there any published tests (like PC World or PC Magazine) of the best HIPS apps?

16. How do I tell if a product I'm looking at out at CompUSA or Best Buy offers HIPS functionality? Will it say on the box?

17. If I buy a HIPS app for my Windows XP system, will it also work on my older Windows 98 box? What happens when Windows Vista comes out next year -- will it work on that?

18. I heard that Windows Vista will have a bunch of new security features and is being designed for security from the ground up. Is this true? If so, why would I need a HIPS app for Vista?

19. I heard that Microsoft was locking third-party developers out of the kernel. Is this true? If so, how will HIPS developers implement kernel-level filter drivers on Vista?

20. I use Firefox for all my web browsing and I never visit porn sites or crackz sites. Why would I need a HIPS app?

21. Do you have a short list of HIPS apps recommended for home users? If so, how did you select the apps on the list? What were the criteria for selection and recommendation?

Last revised: 17 Aug. 2006


Mikey, you asked if I had questions. You can start with the above.

Anyone else is free to take a crack as well. If we get useful answers that might actually benefit readers, we'll consider posting the FAQ as a sticky or, if the answers are esp. well done, as featured content at Spyware Warrior.

Eric L. Howes


Some fair questions there, Eric. Can I use these questions over at the CastleCops wiki? I'll post my first draft proposed answers there.
mikey
Malware Expert
Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex
Posted: Mon Aug 21, 2006 7:14 am

1. What does HIPS stand for? Host Intrusion Protection System

I too think these are some very good questions. Unfortunately, I personally don't have the expertise in all HIPS tools and cannot answer all your questions about HIPS. However, I do know something about firewalling, which is what I said I'd answer a specific question about.
mikey wrote:
Eric, do you have a specific question about firewalling that I might know the answer to? If so, I'll be more than happy to try to find an answer.

In my opinion, system level process firewalling, which is lumped into the HIPS category, is the best method of taking control of the system. What I've seen of the Virtual Machine and Sandbox technologies is that they present less protection because they actually allow initiation of malwares with the intent to keep the malware 'boxed in'...good for those testing malwares but not for the average user. The few 'sandboxing' tools I have looked at failed to 'box in' the rooters I tested with.

Firewalling technology has actually been around for many years. I believe that the lack of development is directly related to the security industry as a whole wanting to sell subscriptions to their reactive tools instead of producing tools that actually protect. With process firewalling, nothing can initiate on the system without user or admin approval. "If it can't initiate, it can't infect." There are some very good firewalling tools available...some even free. There are also many more process firewalls in new development because it is thought by many of us that it is a much better method of protecting the sys.

So, if you want to talk about HIPS, I'm not your man. If you want to talk about firewalling, I'll be very happy to.
suzi
Site Admin
Joined: 27 Jul 2003
Last Visit: 17 Sep 2014
Posts: 10328
Location: sunny California
Posted: Mon Aug 21, 2006 8:05 am

Code:
The few 'sandboxing' tools I have looked at failed to 'box in' the rooters I tested with.


Mikey, I'd be interested to hear more details about that -- what sandboxing tools and what rooters you tested with. I use VMware for malware testing, and AFAIK no malware has yet been able to get into the host machine from VMware, but I certainly wouldn't doubt that it could happen at some point. We know that some malware detects virtual environments and won't install in VMware or Microsoft Virtual PC.

This is OT from the subject of this thread, and I could split off this post and any replies to a new thread, if needed.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
mikey
Malware Expert
Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex
Posted: Mon Aug 21, 2006 8:23 am

Suzi, what you quoted was part of an opinion. If I had intended to be brand specific, I would have published my findings, which are now outdated BTW. And again, I am not well versed in all HIPS. But, as always, I recommend that users take their time to look at all the resources available and see what they feel most comfortable with. All the good HIPS are preferable to the status quo.

BTW, we've been OT for quite some time now.
herbalist
Warrior Addict
Joined: 28 Aug 2004
Last Visit: 25 Jun 2008
Posts: 726
Location: northern Michigan
Posted: Mon Aug 21, 2006 7:42 pm

Quote:
BTW We've been OT for quite some time now.

Not really. Application firewalling or HIPS should be considered as anti-spyware. Anti-spyware testing in the conventional sense is almost pointless. The results are outdated before the testing is done. Testing application firewalls, HIPS, sandboxes, virtualization software, etc. would be more beneficial to users in the long run. This is one of those rare times I wish I had a newer OS so I could test more of those apps. So few run on 98, and any test results are of limited value to XP users. Right now, I wouldn't have the time even if I had all the test units I wanted.

Setting the test criteria in a manner that best resembles how the PC is used would appear to be the hardest part of this. The way I use my primary unit, defending it with SSM is easy. Almost nothing new gets installed that hasn't seen a test box first, so there are no questionable unknown processes to make a decision about. Not changing and locked down is as close as you can get to 100% secure, but it doesn't represent normal user behavior. Users install software. Users make a lot of bad choices. How do we account for this in meaningful testing? An app like SSM won't differentiate between legit software and malware. The activity alerts won't mean much to an average user. Both malware and legit software install drivers and use hooks. Windows components set hooks. I know users should research what they're installing, but we know they don't. With conventional HIPS software, about all that can be tested is if the app does detect all the hooks, drivers, processes, registry entries, etc., and whether it can block them the way it claims to. Beyond that, the user is what's being tested.

I recently installed SSM on a friend's XP unit, along with Kerio 2.1.5. She is not computer savvy. In fact, she's the one I've quoted a few times:
Quote:
I don't care what they do with my computer, as long as I can play my games.

I'm at her place several times a week, helping her with household and yard work; she's disabled. She agreed to let me secure her PC with those apps as long as I handled the configuration. She gets a secured PC for free and I get to better understand how SSM works on XP, fair enough. When I first started setting it up, I used the learning mode and made a quick run thru the apps/processes I knew she used, then shut the learning mode back off and went straight to paranoid mode, UI connected. I'll admit that I'm not as good with XP as I'd like to be, but I'm not inexperienced either. Some of SSM's process and activity alerts about stopped me in my tracks. Process names I didn't recognize. Activity alerts for things I've never seen before. I had to look up quite a bit of stuff in order to know how to reply to them. For the things I didn't know, I knew where to find the info. The average user would have to do that the hard way. I can only imagine what it would do to a typical user. They'll either end up clicking thru the alerts or shutting SSM off entirely. There's no way one could be expected to respond knowledgeably to those alerts. She looked at some of them, then looked at me with a blank expression and asked "what does that mean?" Ever try to translate one of those alerts into normal English for a typical user?

IMO, apps like SSM won't be suitable for the average user, even with more improvements in the learning mode. The only way it would have a chance of being usable by the average person is for it to come with an extensive configuration database or to use an online database with configuration data. Either answer not only bloats it, but also brings it back to being at least partially reliant on signatures, reference files, and stored data, and all the problems it was intended to avoid. Back to the original question. How do we conduct meaningful tests on these apps that separate testing the app from testing the user?

I can somewhat see how a sandboxing or virtualization app can be tested. Normal user behavior can be duplicated on those without having to answer so many prompts, but unless I've missed them, I don't see any that run on 98, so I can't test them.

Rick
eburger68
SWW Distinguished Expert
Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL
Posted: Mon Aug 21, 2006 11:54 pm

Mikey:

You wrote:

mikey wrote:
So, if you want to talk about HIPS, I'm not your man. If you want to talk about firewalling, I'll be very happy to.


The operative definition of HIPS in those questions was application firewalling and did not include sandboxing or virtualization. See the FAQ Q. 10:

Quote:
10. I've heard HIPS apps referred to as "process firewalls." How is HIPS different than my personal firewall? Can it replace my current firewall?


To emphasize the point, I've revised question 3, which now reads:

Quote:
3. How does HIPS technology differ from the anti-spyware scanner, anti-virus scanner, and personal firewall that I have right now? How do HIPS apps differ from sandboxes and virtualization applications?


In other words, the questions are most certainly yours to tackle.

Have fun.

Eric L. Howes
Ilya Rabinovich
Newbie
Joined: 06 Dec 2005
Last Visit: 24 Jan 2007
Posts: 8
Posted: Tue Aug 22, 2006 8:33 am

eburger68 wrote:
To emphasize the point, I've revised question 3, which now reads:

Quote:
3. How does HIPS technology differ from the anti-spyware scanner, anti-virus scanner, and personal firewall that I have right now? How do HIPS apps differ from sandboxes and virtualization applications?


Hm, I must be missing something, but I always thought that there are two types of HIPS nowadays: classical and sandbox. Sandbox HIPS are using partial virtualization (all of them).

If you mean VMware, it is not HIPS; it is a hardware emulation tool.

herbalist wrote:
I don't see any that run on 98


And you will never see one. The Win9x/ME inner architecture is ugly (it is advanced Win32s, in fact) and doesn't allow building any reasonable sandbox defense system on it. It is possible, for instance, to get ring0 access without using any API calls!
Oldfrog
Site Admin
Joined: 08 Aug 2004
Last Visit: 09 Feb 2013
Posts: 1161
Location: Hewitt, TX
Posted: Tue Aug 22, 2006 11:13 am

Welcome to this topic, Ilya, and thanks for adding your comments.

For those who haven't met him, Ilya is the author of the Defense Wall HIPS product which has been discussed to a small extent in our topic here.
mikey
Malware Expert
Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex
Posted: Tue Aug 22, 2006 11:57 am

herbalist wrote:
Quote:
BTW We've been OT for quite some time now.

Not really. Application firewalling or HIPS should be considered as anti-spyware. Anti-spyware testing in the conventional sense is almost pointless. The results are outdated before the testing is done. Testing application firewalls, HIPS, sandboxes, virtualization software, etc would be more beneficial to users in the long run.
Rick


Actually, I agree, it should be included in this discussion. Thx for pointing it out.

As for the rest of your post:

Quote:
IMO, apps like SSM won't be suitable for the average user, even with more improvements in the learning mode.


There you go again trying to make it sound harder than it is. I just can't figure out why you keep doing that. None of this need be complicated, assuming users have at least some little bit of mental capacity. Every noob I've dealt with, ranging from teenage gamer to great-grandmother, has been able to deal quite nicely without any problems. I've seen too many folk start out with the basic instructions and find that it is actually quite easy to gain the kind of protection that will leave them malware free.

Now, I'm advising folks to run in 'learning mode' for at least 24 hrs of real-time use without loading anything new, in order to load most of the processes used on a regular basis. For most users, that usually equates to a few days. After that, they can generally experience a quiet firewall that only needs attention when loading new wares. Can you make it complicated? Of course. But, with the products being developed now, it certainly isn't required anymore.

And all any user need do is use a firewall for a little while in order to see for themselves. It really is hard to figure out why you have so much of a problem when others don't. Folks used to say that folks wouldn't ever learn to use a packet filter firewall...now there are multi-millions of folks doing just that. And a packet filter firewall is actually harder to use and is more annoying than these total process filters.

Your constant nay say just doesn't wash.

Hey Ilya.
_________________
-

UbuntuStudio...community supported multi-media development optimization.

-
Oldfrog
Site Admin


Joined: 08 Aug 2004
Last Visit: 09 Feb 2013
Posts: 1161
Location: Hewitt, TX

PostPosted: Tue Aug 22, 2006 12:56 pm    Post subject:

Quote:
Can you make it complicated? Of course. But, with the products being developed now, it certainly isn't required anymore.

I suspect that you are right on this, Mikey, but while I can accept it intellectually I just can't internalize it. For example, do I want to let Windows Installer run? Well, I do this time because I am deliberately installing something. I don't want it running whenever it or something else wants it to, though, so that is a one-time allow meaning I get another prompt the next time. Similarly, I finish an install and launch the application. I get a prompt saying that appX.exe has changed since the last time that it was run; "Allow, Deny, Make a Rule". I don't want to make a rule as that says let it do what it wants. So I allow it, one time, and get the same prompt after the next update. Do I want to allow "run_dll_as_an_app"? Well, not all the time. So, each instance results in a new choice. What .dll? Where did it come from? What does it do? Why does it want to run right now? I suspect that Rick and I may be overcomplicating things but also believe that you may be oversimplifying them.
Quote:
Folks used to say that folks wouldn't ever learn to use a packet filter firewall...now there are multi-millions of folks doing just that.

I would argue that they are employing one that has been pre-configured rather than using one. At least two widely used firewalls that I have used whitelist by default any process digitally signed by MS. I don't personally want the Generic_Host_Process to connect whenever and to wherever it wants to. I want to know where it is trying to connect and why it thinks it needs to. With more and more malware showing up as services in the O20 list in HJT, giving it blanket access seems like a very bad idea.
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex

PostPosted: Tue Aug 22, 2006 12:59 pm    Post subject:

Erikalbert wrote:
Some fair questions there Eric. Can I use these questions over at CastleCops wiki? I'll post my first draft proposed answers there.


Hey Eric, I've seen a rough draft preview of his work so far. I think he could very well dev a very good piece that encompasses even a bit more than what you asked.

I think I'll just wait until he's ready to post before I try to tackle any questions or even comment on those questions. I have a feeling you will probably have even more questions after that.
_________________
-

UbuntuStudio...community supported multi-media development optimization.

-
Oldfrog
Site Admin


Joined: 08 Aug 2004
Last Visit: 09 Feb 2013
Posts: 1161
Location: Hewitt, TX

PostPosted: Tue Aug 22, 2006 1:07 pm    Post subject:

Quote:
Hey Eric, I've seen a rough draft preview of his work so far. I think he could very well dev a very good piece that encompasses even a bit more than what you asked.

I think I'll just wait until he's ready to post before I try to tackle any questions or even comment on those questions. I have a feeling you will probably have even more questions after that.

Yeah, saw that yesterday but didn't want to post a link until he thinks it is ready.

I also want to give him credit for taking the time and effort to tackle this and to obviously want to do a good job of it.
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex

PostPosted: Tue Aug 22, 2006 2:08 pm    Post subject:

Oldfrog wrote:
Quote:
Can you make it complicated? Of course. But, with the products being developed now, it certainly isn't required anymore.

I suspect that you are right on this, Mikey, but while I can accept it intellectually I just can't internalize it. For example, do I want to let Windows Installer run? Well, I do this time because I am deliberately installing something. I don't want it running whenever it or something else wants it to, though,...


I'm sorry, I know you're heading to a point here but I'm stuck right here.

Why would it? What would cause it to run unless you specifically initiated an install executive? How would something make a call to it that wasn't caught by the firewall?

I figured you would have used a function like Windows Update to make this point. I'll answer to that already...I always encourage users not to let backdoors (auto updaters) run uncontrolled...even from MS. Anyone with half an ounce of sec awareness would want to know and control all things loaded on their sys.

BTW I give Windows Installer default permissions. I don't know of any reason not to. Let me know if my thinking is flawed here.

Quote:
I would argue that they are employing one that has been pre-configured rather than using one. At least two widely used firewalls that I have used whitelist by default any process digitally signed by MS. I don't personally want the Generic_Host_Process to connect whenever and to wherever it wants to. I want to know where it is trying to connect and why it thinks it needs to. With more and more malware showing up as services in the O20 list in HJT, giving it blanket access seems like a very bad idea.


I have to agree with every word. Smile

However there are still millions of us who use rules based packet filters too. As I've said often, there is nothing we can do for those who don't care enough to do for themselves.
_________________
-

UbuntuStudio...community supported multi-media development optimization.

-
Oldfrog
Site Admin


Joined: 08 Aug 2004
Last Visit: 09 Feb 2013
Posts: 1161
Location: Hewitt, TX

PostPosted: Tue Aug 22, 2006 2:27 pm    Post subject:

Quote:
I figured you would have used a function like Windows Update to make this point.

That would have been too easy and obvious. Okay, so why am I paranoid about Windows Installer? Because it is there, and I don't want it running unless I know what is kicking it off. Yes, overkill, but I can't help it. Control is either control or it is not.
Quote:
I have to agree with every word.

Yeah, but I ran Norton NIS for several years without knowing that it had a whitelist and never had any problems. That is one reason that I think that I might be overcomplicating things.
herbalist
Warrior Addict


Joined: 28 Aug 2004
Last Visit: 25 Jun 2008
Posts: 726
Location: northern Michigan

PostPosted: Tue Aug 22, 2006 11:55 pm    Post subject:

Quote:
There you go again trying to make it sound harder than it is. I just can't figure out why you keep doing that. None of this need be complicated assuming users have at least some little bit of mental capacity. Every noob I've dealt with ranging from teenage gamer to great grand mother has been able to deal quite nicely without any problems. I've seen too many folk start out with the basic instructions and find that it is actually quite easy to gain the kind of protection that will leave them malware free

With the example I mentioned earlier in this thread, I didn't tell her the apps were hard to configure or anything of the sort. She asked for security apps that were good and didn't cost too much (fixed income). I installed SSM and Kerio 2.1.5 and let her look them over. If I hadn't agreed to configure them for her, she was going to remove them. I have no doubt that she's more than intelligent enough to learn computers on any level she wants to. She doesn't want to. How a PC functions doesn't interest her, which is typical of most of my clients. They'd rather pay someone else to take care of it for them and spend their time doing other things. Those that both can and are willing to do it themselves don't hire someone else to do the job. You seem to think using the learning mode is sufficient. I don't. I want to know what I'm permitting to run and I would hope the user does too. Maybe I do make things more complicated than they need to be, but you take too much for granted, starting with the assumption that the average user has a clean system or is able to completely clean it and will do so before installing something like SSM. If they don't, learning mode will permit malware to run as easily as it does normal system processes. I won't advise a user to enable learning mode on any system without some way of being reasonably sure that the system is clean, which includes any system I don't have access to. We've gone over this too many times. It's pointless to continue it further.
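The three positions above (Mikey's advice to run a process firewall in learning mode for 24 hours of real use, Oldfrog's "appX.exe has changed since the last time that it was run" prompt with its allow-once versus make-a-rule choice, and herbalist's warning that learning mode on a dirty system whitelists whatever malware is already running) all describe the same small decision engine. The following is an added example written for this thread, not code from SSM, ProcessGuard or any other product mentioned here. It assumes that rules are keyed on the image path and a SHA-256 hash of the file contents; the paths and the byte strings standing in for executables are constructed sample data.

```python
"""
Model of the decisions a process-control HIPS / application firewall makes when
an executable starts: unknown image -> prompt, image changed since the rule was
made -> prompt, 'allow once' -> nothing stored, 'make a rule' -> rule keyed on
the image hash. Learning mode turns every launch into an allow rule, which is
why it is only safe on a system already known to be clean.
Added example; not the code of any product named in the thread.
"""
import hashlib
from dataclasses import dataclass, field

ALLOW, DENY, PROMPT = "allow", "deny", "prompt"


def image_hash(image_bytes: bytes) -> str:
    # A real product hashes the file on disk; here the contents are passed in directly.
    return hashlib.sha256(image_bytes).hexdigest()


@dataclass
class Rule:
    image_hash: str
    decision: str          # ALLOW or DENY, applied silently on later launches


@dataclass
class ProcessPolicy:
    rules: dict = field(default_factory=dict)   # image path -> Rule
    learning: bool = False
    log: list = field(default_factory=list)

    def on_launch(self, path: str, image_bytes: bytes) -> str:
        """Decision for one process start: ALLOW, DENY or PROMPT."""
        h = image_hash(image_bytes)
        if self.learning:
            # Learning mode: whatever runs gets an allow rule, no questions asked.
            self.rules[path] = Rule(h, ALLOW)
            self.log.append(("learned", path))
            return ALLOW
        rule = self.rules.get(path)
        if rule is None:
            return PROMPT                     # never seen this image
        if rule.image_hash != h:
            return PROMPT                     # "has changed since the last time it was run"
        return rule.decision

    def allow_once(self, path: str) -> str:
        # Nothing stored: the same prompt comes back on the next launch.
        self.log.append(("allow-once", path))
        return ALLOW

    def make_rule(self, path: str, image_bytes: bytes, decision: str = ALLOW) -> str:
        self.rules[path] = Rule(image_hash(image_bytes), decision)
        self.log.append(("rule", path, decision))
        return decision


def demo() -> dict:
    # Constructed sample "images": the bytes stand in for file contents.
    winword_v1 = b"WINWORD.EXE build 1"
    winword_v2 = b"WINWORD.EXE build 2"        # the same application after an update
    badsvc = b"dropped service binary"         # constructed stand-in for malware already installed
    word_path = r"C:\Program Files\Office\WINWORD.EXE"
    bad_path = r"C:\WINDOWS\system32\badsvc.exe"   # hypothetical path

    clean = ProcessPolicy(learning=True)
    clean.on_launch(word_path, winword_v1)     # seen during the learning run
    clean.learning = False
    results = {
        "learned_image_allowed": clean.on_launch(word_path, winword_v1),
        "updated_image_prompts": clean.on_launch(word_path, winword_v2),
    }
    # Allow once: the next launch of the updated binary prompts again...
    clean.allow_once(word_path)
    results["after_allow_once"] = clean.on_launch(word_path, winword_v2)
    # ...whereas a rule for the new hash makes it silent.
    clean.make_rule(word_path, winword_v2)
    results["after_make_rule"] = clean.on_launch(word_path, winword_v2)

    # Learning mode on a system that is not clean: the malware is learned like anything else.
    dirty = ProcessPolicy(learning=True)
    dirty.on_launch(bad_path, badsvc)
    dirty.learning = False
    results["malware_silently_allowed"] = dirty.on_launch(bad_path, badsvc)
    results["malware_rule_count"] = sum(1 for r in dirty.rules.values() if r.decision == ALLOW)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check is what turns a quiet firewall into a noisy one after every update, which is the trade-off Oldfrog describes; the dirty-system case shows why herbalist refuses to recommend learning mode without first establishing that the machine is clean.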
Ilya Rabinovich
Newbie


Joined: 06 Dec 2005
Last Visit: 24 Jan 2007
Posts: 8

PostPosted: Wed Aug 23, 2006 2:25 am    Post subject:

Hey, guys!

The fact is that those two types of HIPS are for different types of users. Classical HIPS are for technicians, sandboxes are for average ones. So, let's stop arguing about it and get back to the initial theme!

The fact is that there is no good explanation for users of why they need HIPS and what it is, what types of HIPS are ITW, what the differences between them are, and what kind of HIPS they need to use. Gartner in its September 2005 issue just said there is a need to use HIPS, but that is all, and it is not enough.

Also, there is no good method to determine which HIPS is the world's best (comparative tests); there is no open methodology for it.
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 15 Jul 2014
Posts: 3913
Location: California

PostPosted: Wed Aug 23, 2006 2:58 am    Post subject:

Let's not get this one locked as well.

We already had the debate on whether people are or are not willing to learn HIPS or application firewalling.

The various parties should agree to disagree or take the debate out of this topic.
Erikalbert
Warrior


Joined: 10 Aug 2006
Last Visit: 05 Jul 2007
Posts: 219

PostPosted: Wed Aug 23, 2006 3:41 am    Post subject:

Ilya Rabinovich wrote:
Hey, guys!

The fact is that those two types of HIPS are for different types of users. Classical HIPS are for technicians, sandboxes are for average ones. So, let's stop arguing about it and get back to the initial theme!


The fact that you are vendor of one of those sandbox type HIPS is just incidental right? Smile


Quote:

The fact is that there is no good explanation for users of why they need HIPS and what it is, what types of HIPS are ITW, what the differences between them are, and what kind of HIPS they need to use. Gartner in its September 2005 issue just said there is a need to use HIPS, but that is all, and it is not enough.

Also, there is no good method to determine which HIPS is the world's best (comparative tests); there is no open methodology for it.


The worst thing is, Vista is probably going to kill off all these HIPS products anyway. I mean Ilya of DefenseWall appears to have thrown in the towel already, while to my knowledge most of the other classical HIPS vendors, when asked, have not yet commented on whether they intend to make their products workable in Vista or whether it is possible or not (without relying on dirty tricks); most seem to be adopting a wait-and-see attitude.

Although Jason's Ghost Security has a version of AppDefend that runs on XP64 which works by cracking PatchGuard (similar to the one in Vista), even he hasn't stated up front for sure that he is going to support Vista, as you can see from the link.

I understand this change will affect everyone in the security software industry, not just HIPS vendors, but what I don't know is whether HIPS vendors will be hurt worse, i.e. antiviruses can still run with workarounds even without hooking the SSDT, but it might be impossible for pure HIPS products.

From what I can see, there are already a few antiviruses out that support Vista, but to my knowledge there is no HIPS that supports Vista or has indicated that it intends to. It is still early days of course, particularly so for small-time vendors that cater only to the home user market, but the signs aren't encouraging.

Does anyone know of any 'straight' HIPS product (sandbox or not) that already supports Vista or has stated its intention to do so? Prevx maybe?
fcukdat
Warrior Addict


Joined: 01 Jan 2005
Last Visit: 08 Apr 2009
Posts: 757
Location: Yeovil,England.

PostPosted: Wed Aug 23, 2006 3:48 am    Post subject:

Hi Erikalbert

Just one partial view on your last post: just because Vista is going to be rolled out does not automatically mean everyone is going to be using it. There are plenty more OSes in the sea, so to speak, so as long as there is demand there will almost certainly be a supply Smile
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html
Erikalbert
Warrior


Joined: 10 Aug 2006
Last Visit: 05 Jul 2007
Posts: 219

PostPosted: Wed Aug 23, 2006 4:09 am    Post subject:

Realistically speaking, the only OS in the ocean we are talking about are Microsoft's.

And I doubt you can really expect HIPS vendors to continue to innovate and develop HIPS only for a dying breed of OS and nothing else, given that the market share for XP will dwindle as the years go on.

Take windows 98, how many software vendors support that? Herbalist can probably tell you more stories. Heck that's the reason why he sticks to SSM (free) and nothing else.
Ilya Rabinovich
Newbie


Joined: 06 Dec 2005
Last Visit: 24 Jan 2007
Posts: 8

PostPosted: Wed Aug 23, 2006 4:57 am    Post subject:

Erikalbert wrote:
Ilya Rabinovich wrote:
Hey, guys!

The fact is that those two types of HIPS are for different types of users. Classical HIPS are for technicians, sandboxes are for average ones. So, let's stop arguing about it and get back to the initial theme!


The fact that you are vendor of one of those sandbox type HIPS is just incidental right? Smile


No, it is not incidental. I've just implemented HIPS software according to my own view at this point.

Erikalbert wrote:

I understand this change will affect everyone in the security software industry not just HIPS vendors, but what I don't know is, whether HIPS vendors will be hurt worse i.e antiviruses can still run with workarounds even without hooking the SSDT, but it might be impossible for pure HIPS products.


There will be huge problems with 3rd-party firewalls' compatibility: they need to intercept ZwWriteVirtualMemory, ZwSetThreadContext and ZwCreateThread (at least) to prevent browser hijack.

Erikalbert wrote:
Prevx maybe?


I'm not sure about it: a HIPS needs to control a huge number of Zw* functions (to prevent interprocess code injection, for instance).
Erikalbert
Warrior


Joined: 10 Aug 2006
Last Visit: 05 Jul 2007
Posts: 219

PostPosted: Wed Aug 23, 2006 5:19 am    Post subject:

Ilya Rabinovich wrote:


Erikalbert wrote:

I understand this change will affect everyone in the security software industry not just HIPS vendors, but what I don't know is, whether HIPS vendors will be hurt worse i.e antiviruses can still run with workarounds even without hooking the SSDT, but it might be impossible for pure HIPS products.



There will be huge problems with 3rd-party firewalls' compatibility: they need to intercept ZwWriteVirtualMemory, ZwSetThreadContext and ZwCreateThread (at least) to prevent browser hijack.


Well aren't these strictly speaking HIPS type features that firewalls added only recently in response to leak tests? Does the basic functionality of firewalls really require that?
Ilya Rabinovich
Newbie


Joined: 06 Dec 2005
Last Visit: 24 Jan 2007
Posts: 8

PostPosted: Wed Aug 23, 2006 5:30 am    Post subject:

Erikalbert wrote:
Well aren't these strictly speaking HIPS type features that firewalls added only recently in response to leak tests? Does the basic functionality of firewalls really require that?


Response to leak tests? Not exactly. Nowadays firewalls need to create reverse-sandbox protection around processes allowed to connect to the Internet, to prevent malware from sending information to its creators. So yes, it is absolutely necessary, and it is not just because of the leak tests...
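Ilya's two points above, that a firewall or HIPS has to mediate ZwWriteVirtualMemory, ZwSetThreadContext and ZwCreateThread between processes, and that the processes holding an Internet-access rule need a "reverse sandbox" so malware cannot use them as a courier, can be shown as one small decision engine. The following is an added example written for this thread, not DefenseWall's code or any other product's. The call names are the ones in the post; the pids, the "trusted caller" exemption and the rule that a protected process loses its network permission once something has written into it are constructed here as one possible design, not a description of how any named product behaves.

```python
"""
Model of the cross-process call mediation a HIPS/firewall driver performs:
ZwWriteVirtualMemory, ZwSetThreadContext and ZwCreateThread from one process
into another are refused when the target holds a 'may connect' rule (the
reverse sandbox). Writes into other targets are allowed but remembered, so a
following thread creation from the same caller is recognised as an injection.
Added example; not the code of any product named in the thread.
"""
from collections import defaultdict

WRITE, SET_CTX, CREATE_THREAD = "ZwWriteVirtualMemory", "ZwSetThreadContext", "ZwCreateThread"
MEDIATED = {WRITE, SET_CTX, CREATE_THREAD}


class ReverseSandbox:
    def __init__(self, internet_allowed, trusted=()):
        self.internet_allowed = set(internet_allowed)  # pids holding a 'may connect' rule
        self.trusted = set(trusted)                    # callers the user deliberately exempted
        self.written_by = defaultdict(set)             # target pid -> callers that wrote into it
        self.tainted = set()                           # net-allowed pids that were written into anyway
        self.events = []

    def mediate(self, caller: int, target: int, op: str) -> str:
        """Decision for one cross-process call: 'allow' or 'block'."""
        if op not in MEDIATED or caller == target:
            return "allow"                  # own address space, or a call we do not hook
        if target in self.internet_allowed and caller not in self.trusted:
            self.events.append((caller, target, op, "block"))
            return "block"                  # nothing untrusted touches a process that may talk to the net
        if op == WRITE:
            self.written_by[target].add(caller)
            if target in self.internet_allowed:
                self.tainted.add(target)    # trusted write allowed, but the net rule no longer applies
        elif caller in self.written_by[target]:
            # write followed by thread creation / context change from the same caller
            self.events.append((caller, target, op, "injection"))
        return "allow"

    def connect_allowed(self, pid: int) -> bool:
        """Firewall side: the 'may connect' rule holds only while the process is unmodified."""
        return pid in self.internet_allowed and pid not in self.tainted


def demo() -> dict:
    BROWSER, MALWARE, NOTEPAD, DEBUGGER = 1000, 2000, 3000, 4000   # constructed pids
    hips = ReverseSandbox(internet_allowed={BROWSER}, trusted={DEBUGGER})
    r = {}
    # Malware tries to put its code into the browser and start it there.
    r["write_into_browser"] = hips.mediate(MALWARE, BROWSER, WRITE)
    r["thread_in_browser"] = hips.mediate(MALWARE, BROWSER, CREATE_THREAD)
    # The same two calls against a process with no network rule: allowed, but logged as an injection.
    hips.mediate(MALWARE, NOTEPAD, WRITE)
    hips.mediate(MALWARE, NOTEPAD, CREATE_THREAD)
    r["injections_seen"] = sum(1 for e in hips.events if e[3] == "injection")
    r["notepad_may_connect"] = hips.connect_allowed(NOTEPAD)
    # A trusted debugger may write into the browser, but the browser then loses its net rule.
    r["browser_before"] = hips.connect_allowed(BROWSER)
    hips.mediate(DEBUGGER, BROWSER, WRITE)
    r["browser_after_trusted_write"] = hips.connect_allowed(BROWSER)
    r["blocked"] = sum(1 for e in hips.events if e[3] == "block")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This is also why Erikalbert's question ("does the basic functionality of firewalls really require that?") has the answer Ilya gives: without the mediation step, a per-process network rule says nothing about whose code is actually running inside the permitted process.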
herbalist
Warrior Addict


Joined: 28 Aug 2004
Last Visit: 25 Jun 2008
Posts: 726
Location: northern Michigan

PostPosted: Wed Aug 23, 2006 2:14 pm    Post subject:

Quote:
The various parties should agree to disagree or take the debate out of this topic.

Sounds good to me.
Quote:
Take windows 98, how many software vendors support that? Herbalist can probably tell you more stories. Heck that's the reason why he sticks to SSM (free) and nothing else.

That's part of the reason, but not all of it. There's always the "F" word, "FREE". Razz
I think Online Armor runs on 98 as well, but I haven't tried it. I'm partial to separate applications and the Kerio 2.1.5/SSM combo works so well on my system that I haven't looked any farther. Fortunately for myself and others who still use DOS based systems (whether by choice or not), there are still enough vendors not following the M$ "planned obsolescence" policy for 98/ME to still be an effective and securable operating system, IMO. Let's not debate that one either.
Regarding Vista, I'm sure that we can agree that we're going to be facing malware, rootkits, etc in that "locked kernel", no matter what M$ comes up with. I don't believe for a minute that M$ actually thinks they can truly lock the kernel and make it impossible to exploit. Of all people, they should know better. Maybe I'm wrong, but I think we're going to see a reality where the kernel is locked in a legal sense only while remaining pretty much as "hack-able" as it's ever been. Maybe a little better protected than it is in XP, but not secure in any real sense. If this scenario proves to be correct, the question that really needs answering is why would they do this? The only answers that make any sense to me involve the OS becoming spyware in the truest sense of the word, but that's another off topic subject.
After all this time, we're finally seeing security-ware using methods and approaches to the problem that can actually make a real difference. We finally have software using methods that could drastically cut down on the number of infected PCs and help to offset many of the vulnerabilities that Windows has in abundance, only to find that M$ wants to make that impossible. In the past, when something that helped secure PCs would start getting popular, M$ would add it to their OS, in a weakened and watered down fashion, but at least they did. A firewall is an example. If security was their primary concern, you'd think they'd embrace HIPS and make it part of the OS as soon as possible, but they're deliberately trying to kill it. This forces me to believe that securing the kernel is not the real goal here. The real goal appears to be to keep the good guys out of the kernel by forcing them to use methods that may end up illegal to bypass it. A real problem for security apps and those who want to be honest and legal, not a problem for malware writers. The only conclusion that makes sense to me is that they intend to put things in there that they don't want others to find, like rootkit processes of their own. I'd like to think that my paranoia is just getting the best of me, but I can't reconcile their (M$) stated intentions with the results of their actions without coming to a completely different conclusion than the one they claim.
Had another little thought on Vista and M$ operating systems in general. On the early Windows and DOS systems, the user had total access and nearly total control. That's been slowly taken away with each new OS. DOS was slowly weakened thru the 9X systems until you couldn't boot into DOS on a WinME system (without a 98 bootdisk) before being taken away. Vista represents the opposite extreme. The user has very little control over or access to the core of the system, not just physically, but depending on where this "locked kernel" leads possibly legally inaccessible as well.
Rick
Erikalbert
Warrior


Joined: 10 Aug 2006
Last Visit: 05 Jul 2007
Posts: 219

PostPosted: Wed Aug 23, 2006 8:03 pm    Post subject:

Oldfrog wrote:
Quote:
Hey Eric, I've seen a rough draft preview of his work so far. I think he could very well dev a very good piece that encompasses even a bit more than what you asked.

I think I'll just wait until he's ready to post before I try to tackle any questions or even comment on those questions. I have a feeling you will probably have even more questions after that.

Yeah, saw that yesterday but didn't want to post a link until he thinks it is ready.
.


Er no. Actually I'm waiting for permission from Mr Howes. He still hasn't confirmed that it is okay for me to use his questions (in a highly modified form) on the wiki yet. Seems premature for anyone else to do anymore work until that issue is clarified.

As for the readiness issue, it's a wiki, not my personal website, it's never going to be ready. Feel free to rip my non-expert work apart right now if you like, never mind the rawness.
Mrkvonic
Warrior


Joined: 27 Sep 2004
Last Visit: 01 Feb 2007
Posts: 209

PostPosted: Thu Aug 24, 2006 3:55 am    Post subject:

Hello,
Mikey, I think you give way, way too much credit to the average computer user. Until human nature drastically changes, which it has not in the recent 3-4 millennia, people will need other people to do things for them, in their stead, and fill in for their laziness, of body and mind. Until such time, humans will heavily rely on semi-automatic and automatic tools that can help them. This is the evolution.
The same applies to software. To make the lazy people more comfortable and more secure, the scanners need to improve. Standardizing the methods for generalization, normalization and testing of the software is a very important step. Furthermore, most reviews are bloated, boring, repetitive, and biased. And most people cannot tell the difference. You really over-estimate the average man. The word rootkit, for most people, is probably some prosthate examination toolbox.
Mrk
_________________
http://www.dedoimedo.com
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex

PostPosted: Thu Aug 24, 2006 5:33 am    Post subject:

Hey Erikalbert, I think you have good reason for being concerned about Vista. But after watching the community work at odds with MS all this last decade+, I tend to think of it like Jason_R0 said; "What VISTA brings will just be another challenge."

In the meantime, how many users & organizations do you suppose currently use the 32bit NT siblings in most of their appliances? I hardly think that Vista is going to change the world's landscape quickly.

Personally, I think it is quite possible that Vista will bite the MS butt. Speaking as a multi-SOHO admin, I think it will be a good long while before I or my clients buy into it...if ever.

Quote:
The word rootkit, for most people, is probably some prosthate examination toolbox.


LOL Thx, I needed that.

You may be right about users...I hope not...but I still think anyone who can be taught to use a scanner can be taught to use a firewall. And if only a few households or a few SOHOs take heed of what I'm saying and decide to protect themselves, then my preaching will be worthwhile. Smile
_________________
-

UbuntuStudio...community supported multi-media development optimization.

-
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

PostPosted: Fri Aug 25, 2006 8:46 pm    Post subject:

Erik:

Erikalbert wrote:
Er no. Actually I'm waiting for permission from Mr Howes. He still hasn't confirmed that it is okay for me to use his questions (in a highly modified form) on the wiki yet. Seems premature for anyone else to do anymore work until that issue is clarified.

As for the readiness issue, it's a wiki, not my personal website, it's never going to be ready. Feel free to rip my non-expert work apart right now if you like, never mind the rawness.


Anyone's welcome to take up these questions in whatever form and wherever. I would prefer that whatever we decide is the final product is posted here, not at CC, since it was started here.

I would encourage folks not to view Erik's first stab at answering the questions to be the "official" on-going work product. Obviously, Wiki allows for community editing, and that could be useful in this case.

But if other folks aren't comfortable with Wiki and would rather post their answers here, so be it.

The bottom line is that I'd like to see contributions from a number of folks, so please don't think the door to participation on this thing is now closed -- far from it.

Eric L. Howes
Erikalbert
Warrior


Joined: 10 Aug 2006
Last Visit: 05 Jul 2007
Posts: 219

PostPosted: Sat Aug 26, 2006 2:14 am    Post subject:

Mr Howes

eburger68 wrote:

Anyone's welcome to take up these questions in whatever form and wherever. I would prefer that whatever we decide is the final product is posted here, not at CC, since it was started here.


To be clear, are you giving permission for the questions to be used on CC's wiki? If not, just say the word, and I will wipe it out.

As for what happens to the 'final product', I think it's premature to discuss this. It's not as if we have several rival attempts to answer the questions. I'm certain in any case that Spyware Warrior and CC can co-operate on the same project if necessary, though obviously I don't speak for CC.


Quote:

I would encourage folks not to view Erik's first stab at answering the questions to be the "official" on-going work product. Obviously, Wiki allows for community editing, and that could be useful in this case.


Exactly why I did it.

Quote:

But if other folks aren't comfortable with Wiki and would rather post their answers here, so be it.

The bottom line is that I'd like to see contributions from a number of folks, so please don't think the door to participation on this thing is now closed -- far from it.



Yes. Hopefully, nobody is taking this first rough attempt, as an excuse to sit back and do nothing because "Erikalbert has done it already".

I merely tried to start the ball rolling. I thought while most of you experts are too busy to start a full blown FAQ, you might find it easier to refine an existing one.
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

PostPosted: Sat Aug 26, 2006 7:50 am    Post subject:

Erik;

Yes, you're more than welcome to use the questions.

Eric L. Howes
Erikalbert
Warrior


Joined: 10 Aug 2006
Last Visit: 05 Jul 2007
Posts: 219

PostPosted: Mon Aug 28, 2006 12:25 am    Post subject:

eburger68 wrote:
Erik;

Yes, you're more than welcome to use the questions.

Eric L. Howes


Thank you for your generosity, Mr Howes.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 17 Sep 2014
Posts: 10328
Location: sunny California

PostPosted: Mon Aug 28, 2006 7:21 am    Post subject:

Folks, see Erikalbert's post here for the link to the wiki where he's addressed the questions about HIPS.

http://www.spywarewarrior.com/viewtopic.php?t=22523
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
TonyDownUnder
Newbie


Joined: 01 Sep 2006
Last Visit: 01 Sep 2006
Posts: 2

PostPosted: Fri Sep 01, 2006 3:42 am    Post subject:

I am just a User and wasn't going to post anything amongst such luminaries, but I got very angry with the disparaging remarks made by Mrkvonic and Mikey, despite the latter's vague concession to a User having the intelligence to learn, though it sounded more like obedience training for a dog. The word, by the way, Mrkvonic, is "Prostate".
I do not see why you take such delight in putting me down when the tenor of this whole thread is that the Software Security Industry, of which many of you are a part, cannot even agree on testing standards.
The reason for my anger and the point of this post is to let you gurus in on what one dumb user thinks.
1. Eric's questions about HIPS etc. are of interest to me.
2. The theory of Application control I have some understanding of but the issue is whether it works.
3. The theory of Antispyware apps I understand but the issue is whether it works.
4. I think that Users fully accept the need for AV and AS and some, like myself are looking at HIPS/IPS/IDS.
5. My own position is that I would place greater weight on AV tests than tests of Antispyware.
6. I know that there are probably more rogue AS products than decent ones.
7. I believe that as a result of 6. people are very sceptical about AS and are probably of a similar mind about HIPS - the next big thing that I need or do I?
8. It's all about trust. If the AV scanner says you're infected with X you fix it. If the AS scanner says you've got Y dialler you fix it. That is not laziness, Mrkvonic, it's what the application is supposed to do.
9. HIPS doesn't fit this formula and is harder to use, not because I'm stupid but because it requires knowledge that I do not possess.
Clearly if I open Word and Ghost pops up, or ProcessGuard or System Safety Monitor, and asks me if I want to allow Winword.exe, the answer is obvious. How do I know if svchost.exe, in seeking access to something less clear which then wants to write/delete/alter Registry values, is necessarily legitimate?
10. The link back to the 'testing' aspect of this thread is that I need to rely on those with specialist knowledge to provide some information about the effectiveness of the product. Whether it's Software or a cleaning product, all of us still ask, do we not, Does it work?
11. With all due respect (and I do mean it) those of you with connections to the Security Software industry had better realise that there is a great deal of mistrust about the need for and the effectiveness of these applications. Further, the absence of standardised, thorough and independent testing is not a theoretical issue but one that results in a user being adequately protected or not.
12. Stop arguing and get on with sorting out some proper comparative standards.
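Editor's note on point 9 above. The svchost.exe question is exactly the one a HIPS prompt leaves the user to answer, and it can be checked rather than guessed. The following PowerShell script is an added example, not part of the post above and not code from any product named in this thread. It assumes the HIPS prompt shows the PID of the process asking for access (the -ProcessId parameter is that assumption); the cmdlets are standard Windows PowerShell. It verifies the three things that distinguish the real service host from an impostor using its name: the image path is %SystemRoot%\System32\svchost.exe, the parent is services.exe, and the file carries a valid Microsoft Authenticode signature. Because a genuine svchost.exe is only a container, it then lists the services registered to that PID, since those are what is really making the request.

```powershell
# Added example, not from the forum thread or from any product named in it.
# Triage a HIPS prompt about "svchost.exe": is this the real Windows service host,
# and which services are actually running inside it?
# Assumed usage (the HIPS prompt is assumed to show the PID):  .\Check-Svchost.ps1 -ProcessId 1234
param(
    [Parameter(Mandatory = $true)][int]$ProcessId
)

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

$proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
if (-not $proc) { throw "No process with PID $ProcessId" }

# ExecutablePath can be empty if the process is protected or has already exited.
$imagePath = $proc.ExecutablePath
$parent    = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
$sig       = if ($imagePath) { Get-AuthenticodeSignature -FilePath $imagePath } else { $null }

# Each check yields a plain boolean so the verdict below can test the whole set.
$checks = [ordered]@{
    'Image is %SystemRoot%\System32\svchost.exe' = ($imagePath -and ($imagePath -ieq $expectedPath))
    'Parent process is services.exe'             = ($parent -and ($parent.Name -ieq 'services.exe'))
    'Authenticode signature is valid'            = ($sig -and ($sig.Status -eq 'Valid'))
    'Signer is Microsoft'                        = ($sig -and ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'))
}

foreach ($name in $checks.Keys) {
    $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    Write-Output ("{0,-4} {1}" -f $mark, $name)
}

# svchost.exe itself is only a host; the code doing the work is the service DLLs it loads.
# Listing the services bound to this PID shows what is really asking for the access.
Write-Output "`nServices hosted in PID ${ProcessId}:"
Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

if ($checks.Values -contains $false) {
    Write-Output "`nVerdict: at least one check failed. Block the request and investigate the binary."
} else {
    Write-Output "`nVerdict: the host binary is genuine. Judge the request by the services listed above."
}
```

Passing all four checks means the binary is the real service host, not that the request is benign: on the Windows versions discussed in this thread many services share one svchost instance, and a malicious service DLL registered into one of them will make its Registry writes from a perfectly genuine svchost.exe. That is why the service list, not the PASS/FAIL line, is the part to read before answering the prompt.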
random/random
Expert Developer


Joined: 23 Dec 2005
Last Visit: 15 Sep 2014
Posts: 1070

PostPosted: Fri Sep 01, 2006 4:36 am    Post subject:

TonyDownUnder wrote:

8. It's all about trust. If the AV scanner says you're infected with X, you fix it. If the AS scanner says you've got Y dialler, you fix it. That is not laziness, Mrkvonic, it's what the application is supposed to do.


And what do you do when Windows will no longer boot up because you've just deleted a vital Windows file?

What about the infections that go round replacing all the .exe files on your system with copies of themselves? That will take a lot more effort to fix than acquiring the knowledge to use process filtering software.
_________________
Expert/Developer at Malware Removal University
My help is free, but please consider a donation to help with the running costs of this site.
TonyDownUnder
Newbie


Joined: 01 Sep 2006
Last Visit: 01 Sep 2006
Posts: 2

PostPosted: Fri Sep 01, 2006 1:21 pm    Post subject:

random/random wrote:
TonyDownUnder wrote:

8. It's all about trust. If the AV scanner says you're infected with X, you fix it. If the AS scanner says you've got Y dialler, you fix it. That is not laziness, Mrkvonic, it's what the application is supposed to do.


And what do you do when Windows will no longer boot up because you've just deleted a vital Windows file?

I use my own recovery disk based on BartPE (not the useless WinXP CD) and restore a clean copy of the required file. If I have deleted anything, I know what it is, as I don't just click the magic 'fix all your problems' button. As an aside, I have noticed over the last few years that none but the simplest infection is able to be repaired. A lot of software offers nothing but to quarantine and/or delete the file. Perhaps we should remember, random/random, that some untreated malware will prevent Windows from booting, so either way it's an issue to be dealt with. I also remind myself that none of the software is perfect, and nor have I forgotten about false positives.

random/random wrote:
What about the infections that go round replacing all the .exe files on your system with copies of themselves? That will take a lot more effort to fix than acquiring the knowledge to use process filtering software.


With great respect, that's the nature of the beast, isn't it, and it backs up the need for proper testing standards. At the end of the day, all I can hope is that I have effective software. In saying this, though, I do not expect perfection, as I understand that malware evolves and the crackpot authors of this code menace try new tactics to defeat protective software. It also throws the ball back into the court of the software developers to help me prevent that happening by offering a sound product.
I also point out that it sometimes takes a lot of effort to get mainstream apps happily working with each other, which is part of the life of a computer user.
I am not a zealot or an apologist for process filtering software, but it seems a potentially useful extra layer if it really works.
I did my own random (no pun) test by visiting an Internet porn site - it really was a test ~ honest.
Firstly, PCTools Spyware Doctor warned me that it wasn't a good idea, but I knew this and went ahead. As the page was loading, NOD32 popped up and told me that a trojan was attempting to download. I stopped that. Once the page otherwise finished loading, I waited. Almost immediately both Prevx1 and Ghost threw up warnings about something trying to run, execute some of my system processes and write/delete/alter registry values. I blocked all of that and then left the site.
I fully appreciate this is not an empirical test, but it is an example of a real-world scenario. I was happy with the protection and the warnings and, to be honest, that Prevx1 and Ghost actually did something, and did something very useful.
If blended malware is the next big thing, then maybe a mix of security apps is the solution.
Page 2 of 3