Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

SpywareTerminator & Winpooch

mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 08 Oct 2015
Posts: 1073
Location: CenTex

PostPosted: Tue Aug 08, 2006 9:10 am    Post subject: SpywareTerminator & Winpooch

I thought I'd start a thread about these two tools because I find them interesting and I am thinking about publishing reviews on them. I would like to hear any comments about them from others in the pri/sec community who may have experience with them. I think this will help me greatly as I study and make my own conclusions about the products.

Don't let the name fool you. These tools are NOT the obsolete conventional malware scanners that are a dime a dozen now. As far as I can see now, they are full-fledged process firewalls (HIPS). The reason I created the thread with both tools as the topic is that the two are virtually identical in almost all function, but there are also some very distinct differences: the UI (user interface), the way rules are generated, the database, etc. As with all tools, users should evaluate/study and decide for themselves if this type of tool is needed and which, if any, is best suited for their use.

Eric (admin here) told me this in relation to the worthiness of listing SpywareTerminator as a HIPS product:

eburger68 wrote:
Mikey:

...

As for Spyware Terminator, a number of anti-spyware scanners are incorporating kernel level prevention technologies. If I list Spyware Terminator, I'm going to have to list the others as well -- no preferences. Yet, I'm reluctant to add mention of every single one that has done this, lest this list simply become yet another long, general list of anti-spyware tools.

Eric L. Howes



I don't quite understand this reasoning. I don't see anything common about this development as yet. I'd be quite interested in seeing the other anti-malware scanners offering this level of protection. The fact is that any intrusion prevention tool that doesn't load and work at the sys level (krnl) is a fake/fraud. These tools take control of the sys and all processes, thus not allowing any unauthorized intrusion/penetration into the sys by malware or any other unwanted wares.

These are both freeware tools and I think both, even though young, will compete in the same arena with any process firewall available today...at least by my current thinking. There is one big difference though: in addition to being proactive intrusion protection tools, they also offer the user an optional conventional anti-virus component, the open source ClamAV, as well as their own definitions for spyware and other unwanted wares. In the case of WinPooch, in addition to ClamAV the user can also choose to include KAV instead.

Even though I have no use for the reactionary anti-malware components (obsolete in our sys), I was fairly impressed with the function in these tools. But please do not consider this post as a recommendation, partly because I just review the tools; I don't sell them. Anyway, I think anyone interested in process firewalling might want to at least give them a look.

I don't know all the details, but SpywareTerminator was at one time on the rogues list here at SpywareWarrior. My review, when/if finished, will pertain strictly to the current function without any concern for historical differences and issues taken with/by SpywareWarrior. If anyone knows of any current wrongdoing with either tool, I would certainly appreciate the heads up. And of course, as noted, I would like to hear any comment about function and whether they are suitable for use by the average user. After hearing Eric's comment, I would also like to hear thoughts and comments about whether these tools should even be considered as HIPS and referred to by the community at large.

TIA for any relevant comments.
_________________
-

UbuntuStudio...community supported multi-media development optimization.

-
mikey
Malware Expert

PostPosted: Tue Aug 08, 2006 9:35 am

Sorry, I forgot the links:

Ref; http://winpooch.free.fr/home/index.php

Ref; http://www.spywareterminator.com/
Mystique
Newbie


Joined: 18 Jun 2004
Last Visit: 27 Feb 2007
Posts: 8

PostPosted: Thu Aug 10, 2006 11:04 am

I'm testing out SpywareTerminator myself as well, so I'll have to look into it and evaluate it for myself. I'm not too sure of its past, but it seems like a decent enough application at the moment; the question for me is whether it can deliver.
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

PostPosted: Thu Aug 10, 2006 6:14 pm    Post subject: Re: SpywareTerminator & Winpooch

Mikey:

You wrote:

mikey wrote:

eburger68 wrote:
Mikey:
...

As for Spyware Terminator, a number of anti-spyware scanners are incorporating kernel level prevention technologies. If I list Spyware Terminator, I'm going to have to list the others as well -- no preferences. Yet, I'm reluctant to add mention of every single one that has done this, lest this list simply become yet another long, general list of anti-spyware tools.

Eric L. Howes


I don't quite understand this reasoning. I don't see anything common about this development as yet. I'd be quite interested in seeing the other anti-malware scanners offering this level of protection. The fact is that any intrusion prevention tool that doesn't load and work at the sys level (krnl) is a fake/fraud. These tools take control of the sys and all processes, thus not allowing any unauthorized intrusion/penetration into the sys by malware or any other unwanted wares.


Not to distract from this topic (which promises to be interesting), but could I urge you to take the presentation of HIPS apps one step at a time? Although I'm willing to consider a separate section in the main list (now posted as an announcement in this forum) for security apps with some other primary function that have incorporated HIPS to some extent, I want to get the list as it exists straight first.

To that end, you agreed to separate out the HIPS and sandbox apps for a clearer presentation. I'm still waiting on that revised list. Get me the separate HIPS vs. sandbox list, then I'll consider adding a separate section for non-dedicated HIPS apps.

Sorry for the distraction, folks -- back to the main feature.

Eric L. Howes
Erikalbert
Warrior


Joined: 10 Aug 2006
Last Visit: 05 Jul 2007
Posts: 219

PostPosted: Thu Aug 10, 2006 7:58 pm

Winpooch is still very immature. Not recommended.
mikey
Malware Expert

PostPosted: Thu Aug 10, 2006 9:05 pm

Erikalbert wrote:
Winpooch is still very immature. Not recommended.


Do you have anything of substance to offer? Do you think this helps me with my project? Do you have any first-hand hard reason or data to contribute? My requests were rather specific here and I'm certainly not asking for unsupported opinions.

===========

Eric, point noted.

BTW, as I'm not really familiar with all those tools, the best I can probably do justice to would be separating out the process firewalls. That is a relatively short list. However, I will also try to include my take on where the others belong too, which you can then do with as you think proper.

Thx for the reminder. Now, it's off to bed for me.
Erikalbert
Warrior

PostPosted: Fri Aug 11, 2006 4:05 am

What exactly is your project?

I have tried lots of stuff on the list. The last time I checked, Winpooch uses user-mode hooking and injects itself into every process to monitor changes. This is highly inefficient and unstable, not to mention insecure, compared to other products already out on the market.

My own personal testing on a fresh Windows XP machine pretty much confirmed what I thought: it slowed the system to a crawl, while other products like SSM and PG have almost no appreciable effect except at startup.
mikey
Malware Expert

PostPosted: Fri Aug 11, 2006 11:27 am

Quote:
What exactly is your project?


Hey Erikalbert, thx for responding. That was much more informative. As noted, I'm trying to review the products. I'm also working on a piece comparing different content & process filters. I'm not talking about just unsubstantiated opinion. I'm talking about a review with the study of function and providing a real sampling of monitoring reports.

While raw opinion does help, what I'm really hoping for is folks to support what they witness with hard data such as screen shots and monitoring reports. For example, you said:
Quote:
My own personal testing on a fresh Windows XP machine pretty much confirmed what I thought it slowed the system to a crawl...

While that does help me with the overall picture, if you had provided a report showing that usage and included a list of all running components on that sys, I could use it to partially confirm or deny my own findings. It would also show if your sys might have other conflicting processes on board or not.

No one needs to be a professional analyst to provide this info; there are many tools available for the novice to use when documenting what they see. Some of those types of tools are mentioned in this thread: http://www.spywarewarrior.com/viewtopic.php?t=21772

BTW, I haven't spent much time with it yet, but while looking at WinPooch myself in w2k, I found that when using the optional AV, the usage was indeed excessive. However, I saw no excessive usage at all without it. In fact, with the exception of the occasional activity spike, CPU cycles and mem use were minimal and all was returned without leaks. I also had no other types of conflicting sys hooks in play.

It is indeed hooking each and every running process with its injection of its spy.dll and you are quite right, it does not run from or take control of the sys level. Admittedly though, I haven't yet had time to really study it properly.

The more I look at both of these products, the more I believe that neither actually belong in the same category as the true process firewalls such as AP, SSM, & PG.

But this is just my preliminary opinion and I appreciate yours and any others that are provided here as it helps me greatly. Thx.
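The claim Erikalbert makes and mikey confirms above (a spy.dll injected into every running process, no kernel-level component) is something a reviewer can check from two snapshots rather than from feel: `tasklist /m /fo csv` lists the modules loaded in each process, and `driverquery /fo csv` lists the loaded kernel drivers. A product that hooks from user mode shows up as one non-OS DLL present in nearly every process; a product that hooks from the kernel shows up as a driver. The script below is an added example for this thread, not code from WinPooch, SpywareTerminator or any poster; both CSV samples are constructed, `spy.dll` is the only name taken from the thread, and `hypohips` is a hypothetical driver name used only to exercise the kernel-mode branch.

```python
"""Classify how a HIPS-style product hooks a Windows box from two snapshots:
`tasklist /m /fo csv` (modules per process) and `driverquery /fo csv`
(loaded drivers). Both samples below are CONSTRUCTED for this example."""
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-in for `tasklist /m /fo csv` output (not a real capture).
# tasklist prints "N/A" for kernel-only processes and for processes it could
# not open, so those rows carry no module list.
TASKLIST_CSV = '''"Image Name","PID","Modules"
"System Idle Process","0","N/A"
"System","4","N/A"
"smss.exe","368","ntdll.dll"
"csrss.exe","488","ntdll.dll,CSRSRV.dll,basesrv.dll,winsrv.dll,USER32.dll"
"winlogon.exe","512","ntdll.dll,kernel32.dll,USER32.dll,spy.dll"
"services.exe","556","ntdll.dll,kernel32.dll,ADVAPI32.dll,spy.dll"
"svchost.exe","724","ntdll.dll,kernel32.dll,RPCRT4.dll,spy.dll"
"explorer.exe","1180","ntdll.dll,kernel32.dll,SHELL32.dll,USER32.dll,spy.dll"
"notepad.exe","1640","ntdll.dll,kernel32.dll,USER32.dll,comdlg32.dll,spy.dll"
"cmd.exe","1702","ntdll.dll,kernel32.dll,USER32.dll,spy.dll"
'''

# Constructed stand-in for `driverquery /fo csv` output. "hypohips" is a
# hypothetical driver name, present only to show the kernel-mode verdict.
DRIVERQUERY_CSV = '''"Module Name","Display Name","Driver Type","Link Date"
"ACPI","Microsoft ACPI Driver","Kernel","8/4/2004 12:07:35 AM"
"Ntfs","Ntfs","File System","8/4/2004 12:15:06 AM"
"hypohips","Hypothetical HIPS kernel driver","Kernel","1/1/2006 12:00:00 AM"
'''

# Core OS DLLs that legitimately sit in almost every process; anything else
# with near-total coverage is the fingerprint of a global user-mode hook.
CORE_OS_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll",
                "advapi32.dll", "rpcrt4.dll", "msvcrt.dll", "shell32.dll",
                "ole32.dll"}


def parse_tasklist(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, lower-cased module list); 'N/A' -> []."""
    procs: Dict[int, Tuple[str, List[str]]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["Modules"]
        mods = [] if raw == "N/A" else [m.strip().lower()
                                        for m in raw.split(",") if m.strip()]
        procs[int(row["PID"])] = (row["Image Name"], mods)
    return procs


def parse_driverquery(text: str) -> List[Tuple[str, str]]:
    """List of (lower-cased driver module name, driver type)."""
    return [(row["Module Name"].lower(), row["Driver Type"])
            for row in csv.DictReader(io.StringIO(text))]


def module_coverage(procs: Dict[int, Tuple[str, List[str]]]) -> Tuple[Counter, int]:
    """Per DLL, how many user-mode processes load it; processes without a
    module list are excluded from the denominator."""
    counts: Counter = Counter()
    n_user = 0
    for _, mods in procs.values():
        if not mods:
            continue
        n_user += 1
        counts.update(set(mods))  # a DLL counts once per process
    return counts, n_user


def globally_injected(procs, min_fraction: float = 0.6) -> List[str]:
    """Non-core DLLs loaded in at least min_fraction of user processes.
    The threshold is below 1.0 on purpose: processes that start before the
    hooker (smss, csrss) are typically never injected."""
    counts, n_user = module_coverage(procs)
    if n_user == 0:
        return []
    return sorted(m for m, c in counts.items()
                  if m not in CORE_OS_DLLS and c / n_user >= min_fraction)


def classify(procs, drivers, markers: Tuple[str, ...]) -> dict:
    """Verdict for a product identified by lower-case name fragments
    (e.g. ("spy", "winpooch")) found in module or driver names."""
    counts, n_user = module_coverage(procs)
    injected = {m: (c, n_user) for m, c in counts.items()
                if any(k in m for k in markers)}
    kernel = [name for name, _ in drivers if any(k in name for k in markers)]
    if kernel and injected:
        verdict = "kernel driver plus user-mode DLL"
    elif kernel:
        verdict = "kernel-mode"
    elif injected:
        verdict = "user-mode injection only"
    else:
        verdict = "not found"
    return {"verdict": verdict, "injected": injected, "drivers": kernel}


if __name__ == "__main__":
    procs = parse_tasklist(TASKLIST_CSV)
    drivers = parse_driverquery(DRIVERQUERY_CSV)
    print("suspect global hooks:", globally_injected(procs))
    print(classify(procs, drivers, ("spy", "winpooch")))
    print(classify(procs, drivers, ("hypohips",)))
```

On a real box, capture both snapshots from an administrator prompt (`tasklist /m /fo csv > modules.csv`, `driverquery /fo csv > drivers.csv`) and pass the file contents to the two parse functions; without that privilege tasklist reports N/A for other users' processes and the coverage figure is meaningless. Near-total coverage by one DLL is evidence of a global hook, not of how it was planted (AppInit_DLLs, SetWindowsHookEx and CreateRemoteThread all leave the same footprint), so pair this with the running-component list mikey asks for when sending in a report.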
Erikalbert
Warrior

PostPosted: Fri Aug 11, 2006 6:04 pm

Quote:

Hey Erikalbert, thx for responding. That was much more informative. As noted, I'm trying to review the products. I'm also working on a piece comparing different content & process filters. I'm not talking about just unsubstantiated opinion. I'm talking about a review with the study of function and providing a real sampling of monitoring reports.


Give me a template of what you want, and I will fill it in for you (including screenshots). I'm a newbie at this, so I don't know what you want. I just started playing with Abtrusion Protector and early versions of SSM around 2001-2003?? Then ProcessGuard, then an explosion of similar stuff...




Quote:

It would also show if your sys might have other conflicting processes on board or not.


I always test with a fresh XP Pro SP2 fully patched machine to give the product the best chance of looking good. Usually via VMware, though I also have access to test machines too.

Only if it looks good do I then consider compatibility testing.