Posted by louise on December 5, 2007, 9:57 am
VanguardLH wrote:
>>
>> I don't understand however, why I would care if I got their automatic
>> updates for newly approved programs. I don't install new programs
>> every day by any means, and when I do, I don't mind answering the
>> questions about what I want to allow - especially since there is a
>> "remember" checkbox. Is there another reason to get the paid version?
>
> The point of their certified list is to eliminate the prompts. Once
> you've installed OA, and after running every application on your host to
> ensure they get detected (so you answer THOSE prompts for apps that are
> not on their list), you can run OA without any further updates if you
> don't care about getting prompts when: (1) You install new applications;
> and, (2) After any update to those applications (like you run Windows
> Updates, Adobe Reader updates, program updates for anti-virus software,
> etc). Without the certified list, and only if it includes the programs
> that YOU have installed, you will get the prompts for every new program
> that you install and perhaps also when you update it.
>
>> I installed the 2.x version of Comodo and it nearly brought down my
>> machine. I don't know why, but I do know it couldn't remember what it
>> was supposed to allow and every time it got confused, things froze and
>> its questions were endless and seemed kind of lame - I uninstalled it,
>> retrieved my system, and would be hesitant to try Comodo again - new
>> version or not.
>
> My guess is that you don't understand the parent-child relationship
> between the caller process that calls the child which does the actual
> connection. This is one reason why OA has not included parent-child
> control and is only considering adding it later. In Comodo v2, leave
> the Component monitor set to "Learn" if you don't want to get the
> prompts about the parent wanting to use the child or when different
> components happened to be used by the child for a particular
> connection. A program may end up touching hundreds of different
> components but not always all of them for every connection.
>
>> I'll take a look at ProSecurity - never heard of it.
>
> Along with OA, it fared favorably against malware that attempts to
> unhook the services into which the HIPS products hook. By
> unhooking the HIPS program, it is rendered useless. It also has most of
> the features that are found in the top-end HIPS products. ProcessGuard
> is long dead (DiamondCS abandoned that product). AppDefend hasn't been
> updated in over a year although Jason, its author, had promised needed
> and critical fixes would be available in a month (and that was over a
> year ago). System Safety Monitor (SSM) has the configurability needed
> for a good HIPS but is too easily unhooked. Antihook fared better than
> SSM but not as well as OA and ProSecurity. Also, Antihook incurs the
> most impact on the system and makes it less responsive.
>
> Just be aware that the free version of ProSecurity is worthless. It is
> far too crippled (as are the free versions of SSM and AppDefend). In
> fact, some very basic HIPS functions are killed in the free version of
> ProSecurity so that it misleads the user regarding its protection. Trial
> the paid version to see if you want it. You can trial software in a
> virtual machine in VMWare Server (which is free) or under Virtual PC
> 2007 (also free) so you don't end up polluting your working host.
>
>> BTW, since you seem quite knowledgeable, I'll take the liberty of
>> asking you another question: I'm running NOD32 (new AV version), use
>> Firefox mostly, and I do use Outlook with a good spam filter. I'm
>> running XP, SP2. Do you think it is necessary to run an antispyware
>> program?
>
> Yes, always unless you are a knowledgeable user. The security software
> is to cover your butt in case you make a mistake but often you can
> severely reduce how much security software you have running if you know
> what you are doing (i.e., if you operated the host securely then you
> have less dependency on software to do that for you). Even with loads
> of security software, the final authority (and often the weakest link)
> still resides with the user. Tons of security won't protect a host from
> a user that obviates that security. Security software that you don't
> understand, don't configure properly, and don't maintain is usually a
> weak use of memory and disk space.
>
> I have several anti-malware programs installed to provide for layered
> detection of pests but I do NOT run any of them in the background. That
> is, I install them but do not load them automatically (for on-access
> scanning). Instead I install them and disable them from loading
> automatically because I only use them as on-demand scanners. These
> include: Lavasoft Ad-Aware, Spybot Search & Destroy, SuperAntispyware,
> and AVG AntiSpyware (was ewido).
>
> I do let Windows Defender (WD) load automatically but its detection rate
> is poor. I don't use WD to detect pests. I use it to detect changes
> that affect the system behavior, like auto-run programs, browser setting
> changes, etc. Unlike Prevx (no longer free) which intercepts these
> changes to pend them until you authorize them, WD polls the system to
> detect the changes. That is why it can never tell you what process made
> the change because it always detects the change too late, but it does
> detect the changes it was coded to detect and lets you revert if you
> decide you didn't want them (whether it was malware or goodware that
> made the change). This is very similar to how WinPatrol operates by
> *polling* for changes (but WD has more change detections than
> WinPatrol). I also use SysInternals Rootkit Revealer and Resplendence
> RootKit Hook Analyzer to detect rootkit behavior (which isn't
> necessarily bad as some good products, like Daemon Tools, use it). I
> also use AVG's AntiRootkit to detect files that are hidden (not the
> hidden file attribute but are hidden in the Win32 API system calls to
> show files from the file system) which SysInternals will also show.
> These tend to duplicate each other in some coverage but have other
> detections that I like. SysInternals and AVG have shown me the .sys
> driver file that is hidden within the file system that is used by Daemon
> Tools, for example. When they tell you something is suspect, YOU have
> to figure out if it really is bad or okay. They don't fix anything but
> simply notify of suspect targets.
>
> There are some anti-malware programs that some users like that I won't
> touch. I won't touch Spyware Doctor due to its past history of using
> false positives to prod users to buy the product when they were trialing
> it. It had a black history which maybe they've whitened by now.
> However, from only what I've read, its coverage of pests isn't that broad.
Thanks an awful lot for clarifying so many things and making
suggestions I can actually use.
I have been running the various anti-spyware programs you
suggest (non-realtime), but wanted an educated opinion about
running any of them realtime. I won't! I do run AVG
AntiSpyware realtime on my portable which goes outside to
various mobile sites etc. - but not on my desktop. I'm also
running OA on the portable along with NOD32 AV.
I also have Process Explorer and check it every so often to
see that I recognize everything running. When I don't, I
google the process to find out what it belongs to.
I will start checking for rootkits periodically as well.
It sounds like I'll stay with the free version of OA for now
and remember paid ProSecurity if I have problems. BTW, OA
does prompt me when a new version is installed such as an
update from Firefox (which I run with NoScript), but it
doesn't give me a reminder every time NOD updates virus
definitions. So in fact, the reminders are becoming pretty
infrequent and I don't mind them - in fact, I like to know
that OA has noticed :-)
Another BTW - I run gotomypc.com to access my desktop
from any computer when needed. The last time I ran AVG
AntiSpyware, it found a worm, I deleted it, and since then,
gotomypc isn't working quite right. Citrix has suggested
the "worm" was a false positive. I'm not sure. As soon as
I get a chance, I'll reinstall gotomypc and I'll be more
careful about deleting worms in the future.
Take care and thanks so much for all your help.
Louise
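The polling model VanguardLH describes for Windows Defender and WinPatrol (snapshot, compare, revert, but no way to name the process that made the change) as an added illustration, not code from the thread or from either product. The autostart entries, names and paths below are constructed sample data.

```python
"""Polling change detector over an autostart location (snapshot-and-diff).

Models how a poller such as Windows Defender or WinPatrol works: it only
sees the end state at each poll, so it can report and revert a change but
cannot attribute it to a process (an interceptor like Prevx could).
"""
from typing import Dict, List, Optional, Tuple

Change = Tuple[str, str, Optional[str], Optional[str]]  # kind, name, old, new

# Constructed sample of a Run-key style autostart list: entry name -> command.
BASELINE_AUTORUNS: Dict[str, str] = {
    "ctfmon": r"C:\Windows\system32\ctfmon.exe",
    "nod32kui": r"C:\Program Files\Eset\nod32kui.exe /WAITSERVICE",
}


def snapshot(store: Dict[str, str]) -> Dict[str, str]:
    """Point-in-time copy of the monitored location (one poll)."""
    return dict(store)


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> List[Change]:
    """Return one (kind, name, old, new) tuple per entry that changed between polls."""
    changes: List[Change] = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append((kind, name, old, new))
    return changes


def revert(store: Dict[str, str], changes: List[Change]) -> None:
    """Undo detected changes in place: drop added entries, restore old values."""
    for kind, name, old, _new in changes:
        if kind == "added":
            store.pop(name, None)
        else:
            store[name] = old  # type: ignore[assignment]


def demo() -> Tuple[List[Change], bool]:
    """Two polls around a constructed change; returns the report and whether revert restored baseline."""
    store = snapshot(BASELINE_AUTORUNS)
    baseline = snapshot(store)
    # Constructed change made between polls; the poller never sees who made it.
    store["updater"] = r"C:\Users\louise\AppData\Local\Temp\svchost.exe"
    store["ctfmon"] = r"C:\Temp\ctfmon.exe"
    changes = diff_snapshots(baseline, snapshot(store))
    revert(store, changes)
    return changes, store == baseline
```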