ATTN: Fred W - re NOD32 and Online Armor

Discussion in 'Anti-Virus' started by louise, Dec 3, 2007.

  1. louise

    louise Guest

    Thanks so much for recommending the Armor Online Free
    firewall. It really works - is low on resources and speaks
    to you in comprehensible language when it poses a question.
    And it's free!

    I've put it on my desktop and my portable without a single
    problem.

    Louise
     
    louise, Dec 3, 2007
    #1

  2. louise

    FredW Guest

    louise expressed precisely :
    > Thanks so much for recommending the Armor Online Free firewall. It really
    > works - is low on resources and speaks to you in comprehensible language when
    > it poses a question. And it's free!


    > I've put it on my desktop and my portable without a single problem.


    > Louise


    I agree fully.
    Glad I could help.
    :)

    --
    Fred W. te A. (NL)
     
    FredW, Dec 3, 2007
    #2

  3. louise

    VanguardLH Guest

    Re: Fred W - re NOD32 and Online Armor

    "louise" wrote in message news:...
    > Thanks so much for recommending the Armor Online Free firewall. It
    > really works - is low on resources and speaks to you in
    > comprehensible language when it poses a question. And it's free!
    >
    > I've put it on my desktop and my portable without a single problem.



    There is no parent-child control in Online Armor's firewall. Say you
    allow your browser to connect. Well, then you have also allowed any
    caller (parent) program to execute that browser to get a connection to
    some unknown web page. By regulating who can call (parent) another
    program (child) then you know who is really asking for the connection.
    For many users, this is not a critical feature since few firewalls
    provide parent-child control. Comodo has it in their older v2.4 but
    dropped it in their new v3 firewall that now includes HIPS. The
    firewall just got added in version 2 of Online Armor (OA) so it will
    need some fixing or features to get up to speed with other firewalls.

    So the assumption is that you have permitted the parent program to run
    but relinquish any control over whether or not it can make connections
    using child programs; i.e., in Comodo Firewall Pro v3, you get to
    regulate the load of a program using HIPS (the parent and child
    programs), like in Online Armor, and you can regulate which programs
    can make connections (the child programs), but you cannot control if
    the parent can call the child to make the connection. As a result,
    both Online Armor and Comodo will fail all leaktests UNLESS you, as
    the user, see the prompt and deny the execution of the parent
    program - but that is not the point of leaktests. Rather than
    regulating who can call what for a connection, your only choice is
    whether the parent loads or not. Online Armor is promising to add
    parent-control into their firewall, a brand new feature added in their
    latest version 2. But they have lots of fixes to make and other more
    security-related updates to make to their product so they aren't
    promising when to deliver on parent-child control.

    While other HIPS products are better at controlling ALL auto-start
    programs in the various locations available under Windows, Online
    Armor's AutoRuns protection is limited to just a few areas. They
    don't cover the WinLogon/Notify, Session Manager bootexecute, and
    other areas that users normally never touch. They are promising an
    update sometime later to address the lack of coverage for auto-start
    processes.

    There have been some instances where programs would generate a prompt
    when they loaded, the user answered to allow the load and remember that
    action (and it does get remembered), but the program never shows up in
    the list under their Program Guard. Once remembered and because it
    isn't in the list, you cannot later revoke that run permission. It
    looks to be a UI error in the grid control that they use not showing
    all the recorded rules.

    Currently Online Armor does not encrypt the registry keys used by that
    program. This can provide info to malware or malcontents on how the
    product is configured and possibly could alter that behavior to reduce
    protection (their documentation is poor, basically just an overview,
    and they don't define the purpose of these registry keys). They also
    do not protect these registry keys against alteration. Online Armor
    does not load under Safe Mode so even if they protect those registry
    keys then they won't be protected if you reboot into Safe Mode. They
    need to encrypt those keys. When OA attempts to read them, and if
    altered and hence corrupted, OA will be unable to read those altered
    values and know they were changed outside of OA. They promise to
    later address this security hole to protect against alteration (but
    only when OA is running) and use encryption (to detect alteration
    under Safe Mode and to then revert to whatever would be the most
    restrictive values for those corrupted settings and also alert the
    user to that act).

    The free version doesn't let you back up your settings. The paid
    version does. However, you can save the .dat files in the OA install
    path to back up your settings. Since OA protects against any access to
    these .dat files when it is running, even to copy them, you have to
    reboot into Safe Mode, copy the .dat files, and then reboot into
    normal mode.

    Online Armor does not run under Safe Mode. It has been deliberately
    designed that way. One reason for this behavior is that
    uninstallation may fail under normal mode; e.g., you won't be able to
    read their unins000.log file to do the uninstall. In most cases, but
    not guaranteed to be the only case, the user has disabled Program Guard
    (HIPS) and loses access to the UI (i.e., the user can no longer get at
    the configuration or status windows for the product). Rebooting won't
    fix the problem. Loading the UI (oaui.exe) won't fix the problem.
    The product has to be uninstalled and that can only be done under Safe
    Mode. However, the fact that OA does not run under Safe Mode also means
    that you have no HIPS or firewall protection while under Safe Mode.
    If malware still loads, like using the WinLogon/Notify event (instead
    of the normal auto-start locations), then it now has free rein to
    load. The malware is also unfettered under Safe Mode (with networking
    enabled) to connect. Not all malware gets neutered in Safe Mode.

    Currently there is no option in OA to block all network access until
    the firewall has fully loaded. This means there is a window of
    opportunity in which malware could load and also connect. About the
    only advantage the Windows Firewall provides is that the network stack
    is disabled during Windows startup until the Windows Firewall (if
    enabled) has fully loaded. Comodo v2.4 has the option to block
    network access until it is fully loaded. OA doesn't have this option
    but is promising to add it later. Of course, if the firewall is flaky
    then you might not get any network access even after the firewall
    loads. Comodo v2.4 hasn't had this problem. I don't know about v3
    since it lost some functionality, uses a non-intuitive HIPS (try
    figuring out how to block a program from loading without visiting
    their forum), lost the parent-child firewall control, and is way too
    flaky so I abandoned it long before having enough history to know if
    enabling the option to block network access until Comodo is loaded is
    reliable. Again most users don't even think about this window of
    opportunity for any firewall that doesn't have this option (but those
    same users don't think about the vulnerability of OA not running under
    Safe Mode, either).

    Unlike Defense Wall which reduces permissions for unknown or untrusted
    processes which attempt to run silently but is really for newbie or
    lazy users, OA with its HIPS will be asking lots of questions. (Note:
    Defense Wall is not a HIPS product as they claim since it never
    interferes with the load of a program, only with the privileges it
    gets after it loads. It doesn't need to continually prompt the user
    because it doesn't regulate what can load. Softsphere also doesn't
    provide a free version of Defense Wall.) OA also tries to alleviate
    the deluge of prompts by downloading a list of certified good
    applications; however, if you update the program and it isn't in their
    list or you haven't updated the list yet, you'll get prompted because
    of the new version (of an old program that you allowed to run before).
    Many users want to use their host rather than repeatedly answer
    prompts about what is allowed to run. Of course, a list of certified
    apps is someone else's decision that the program is okay so some OA
    users won't use that list and instead want to get prompted on every
    program so they know what is allowed to run or not. That is why many
    HIPS products have a learning mode including, I believe, OA (but I
    don't remember if learning mode works in the free version). Be warned
    that the free version will NEVER retrieve updates to this certified
    apps list. Updating in the free version of OA is manual - but you
    can't even do a manual update to retrieve the new list. Manual
    updating means you get an e-mail telling you that there is an updated
    list, you have to download it using the link in the email, and then
    you point at that file to insert the new definitions. So manual
    updates are very manual. And you won't get notification of those
    updates unless you insert your email address during the installation.
    You cannot register after the installation to get those email
    notifications of updates. You cannot subscribe to a mailing list to
    get those email update notices. If you chose to not disclose your
    email address during the installation, you will have to uninstall and
    reinstall and give your email address under that new install. And
    then what you get are emails telling you to download a new file and
    then have to point at it to insert its contents. The paid version has
    automatic updating. Forcing manual updates in a free version is
    nasty, especially regarding a security program, but this extremely
    manual update process that relies on email notification just sucks.
    It means a significantly reduced number of users of the free version
    will get the email notifications and only a subset of those will
    perform the manual file update.

    Online Armor is pretty good but it needs several security issues
    addressed, some of which were so obvious that it seems they pushed it out
    the door way too soon simply because they wanted to show off their new
    firewall that got included in version 2. Visit their forums to see
    what is missing, promised for later updates to the product, and
    problems with it. I almost got this product and there is enough in
    the paid version to make me buy it but it needs a bit more work.
    Between Comodo's version 3 and Online Armor, both having HIPS and
    firewalling, I'd go for Online Armor - but after a few more updates
    (so I'm sticking with Comodo v2.4 for now and might get ProSecurity
    [paid] for HIPS if Tall Emu takes too long with the updates for OA).
     
    VanguardLH, Dec 4, 2007
    #3
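    The post argues that OA's settings should be encrypted so that an alteration made while OA is not running (Safe Mode) is detected on the next load and the product falls back to its most restrictive values. The following is an added example, not code from the thread or from Tall Emu: it uses an HMAC over the stored settings, because a keyed MAC rather than encryption is what actually detects alteration, and it swaps that in deliberately. The key, setting names and values are constructed, and a real product would have to keep that key out of the attacker's reach (assumed here to be held by the kernel driver).

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Fallback the post asks for when stored settings prove corrupted: the most
# restrictive values, so a tampered configuration cannot weaken protection.
RESTRICTIVE_DEFAULTS = {
    "program_guard": True,   # HIPS stays on
    "firewall": True,
    "learning_mode": False,  # never silently allow new programs
    "trusted_list": False,   # do not auto-allow vendor-certified apps
}

# Constructed demo values. A real product must keep the key somewhere the
# settings store's attacker cannot read (assumption: held by the driver).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_SETTINGS = {
    "program_guard": True,
    "firewall": True,
    "learning_mode": True,
    "trusted_list": True,
}


def seal_settings(settings: dict, key: bytes) -> bytes:
    """Serialise settings canonically and prefix an HMAC-SHA256 tag."""
    body = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def open_settings(blob: bytes, key: bytes) -> tuple:
    """Return (settings, tampered). On any verification failure the caller
    gets a copy of RESTRICTIVE_DEFAULTS and tampered=True so it can alert."""
    if len(blob) < TAG_LEN:  # missing, truncated or deleted value
        return dict(RESTRICTIVE_DEFAULTS), True
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return dict(RESTRICTIVE_DEFAULTS), True
    try:
        settings = json.loads(body)
    except ValueError:
        return dict(RESTRICTIVE_DEFAULTS), True
    if not isinstance(settings, dict):
        return dict(RESTRICTIVE_DEFAULTS), True
    return settings, False


def demo() -> dict:
    """Seal the demo settings, then model the Safe Mode scenario from the
    post: the stored value is edited while the product is not running."""
    blob = seal_settings(DEMO_SETTINGS, DEMO_KEY)
    clean = open_settings(blob, DEMO_KEY)
    # The body is readable JSON, so the edit is easy to make; the tag no
    # longer matches, which is what makes the change detectable on next load.
    edited_body = blob[TAG_LEN:].replace(
        b'"program_guard":true', b'"program_guard":false'
    )
    tampered = open_settings(blob[:TAG_LEN] + edited_body, DEMO_KEY)
    deleted = open_settings(b"", DEMO_KEY)
    return {"clean": clean, "tampered": tampered, "deleted": deleted}


if __name__ == "__main__":
    for name, (settings, flagged) in demo().items():
        print(f"{name:8s} tampered={flagged} settings={settings}")
```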
  4. louise

    louise Guest

    Re: Fred W - re NOD32 and Online Armor

    VanguardLH wrote:
    > "louise" wrote in message news:...
    >> Thanks so much for recommending the Armor Online Free firewall. It
    >> really works - is low on resources and speaks to you in comprehensible
    >> language when it poses a question. And it's free!
    >>
    >> I've put it on my desktop and my portable without a single problem.

    >
    >
    > There is no parent-child control in Online Armor's firewall. Say you
    > allow your browser to connect. Well, then you have also allowed any
    > caller (parent) program to execute that browser to get a connection to
    > some unknown web page. By regulating who can call (parent) another
    > program (child) then you know who is really asking for the connection.
    > For many users, this is not a critical feature since few firewalls
    > provide parent-child control. Comodo has it in their older v2.4 but
    > dropped it in their new v3 firewall that now includes HIPS. The firewall
    > just got added in version 2 of Online Armor (OA) so it will need some
    > fixing or features to get up to speed with other firewalls.
    >
    > So the assumption is that you have permitted the parent program to run
    > but relinquish any control over whether or not it can make connections
    > using child programs; i.e., in Comodo Firewall Pro v3, you get to
    > regulate the load of a program using HIPS (the parent and child programs),
    > like in Online Armor, and you can regulate which programs can make
    > connections (the child programs), but you cannot control if the parent
    > can call the child to make the connection. As a result, both Online
    > Armor and Comodo will fail all leaktests UNLESS you, as the user, see
    > the prompt and deny the execution of the parent program - but that is
    > not the point of leaktests. Rather than regulating who can call what
    > for a connection, your only choice is whether the parent loads or
    > not. Online Armor is promising to add parent-control into their
    > firewall, a brand new feature added in their latest version 2. But they
    > have lots of fixes to make and other more security-related updates to
    > make to their product so they aren't promising when to deliver on
    > parent-child control.
    >
    > While other HIPS products are better at controlling ALL auto-start
    > programs in the various locations available under Windows, Online
    > Armor's AutoRuns protection is limited to just a few areas. They don't
    > cover the WinLogon/Notify, Session Manager bootexecute, and other areas
    > that users normally never touch. They are promising an update sometime
    > later to address the lack of coverage for auto-start processes.
    >
    > There have been some instances where programs would generate a prompt when
    > they loaded, the user answered to allow the load and remember that
    > action (and it does get remembered), but the program never shows up in
    > the list under their Program Guard. Once remembered and because it
    > isn't in the list, you cannot later revoke that run permission. It
    > looks to be a UI error in the grid control that they use not showing all
    > the recorded rules.
    >
    > Currently Online Armor does not encrypt the registry keys used by that
    > program. This can provide info to malware or malcontents on how the
    > product is configured and possibly could alter that behavior to reduce
    > protection (their documentation is poor, basically just an overview, and
    > they don't define the purpose of these registry keys). They also do not
    > protect these registry keys against alteration. Online Armor does not
    > load under Safe Mode so even if they protect those registry keys then
    > they won't be protected if you reboot into Safe Mode. They need to
    > encrypt those keys. When OA attempts to read them, and if altered and
    > hence corrupted, OA will be unable to read those altered values and know
    > they were changed outside of OA. They promise to later address this
    > security hole to protect against alteration (but only when OA is
    > running) and use encryption (to detect alteration under Safe Mode and to
    > then revert to whatever would be the most restrictive values for those
    > corrupted settings and also alert the user to that act).
    >
    > The free version doesn't let you back up your settings. The paid version
    > does. However, you can save the .dat files in the OA install path to
    > back up your settings. Since OA protects against any access to these
    > backup your settings. Since OA protects against any access to these
    > .dat files when it is running, even to copy them, you have to reboot
    > into Safe Mode, copy the .dat files, and then reboot into normal mode.
    >
    > Online Armor does not run under Safe Mode. It has been deliberately
    > designed that way. One reason for this behavior is that uninstallation
    > may fail under normal mode; e.g., you won't be able to read their
    > unins000.log file to do the uninstall. In most cases, but not
    > guaranteed to be the only case, the user has disabled Program Guard
    > (HIPS) and loses access to the UI (i.e., the user can no longer get at
    > the configuration or status windows for the product). Rebooting won't
    > fix the problem. Loading the UI (oaui.exe) won't fix the problem. The
    > product has to be uninstalled and that can only be done under Safe
    > Mode. However, the fact that OA does not run under Safe Mode also means that
    > you have no HIPS or firewall protection while under Safe Mode. If
    > malware still loads, like using the WinLogon/Notify event (instead of
    > the normal auto-start locations), then it now has free rein to load.
    > The malware is also unfettered under Safe Mode (with networking enabled)
    > to connect. Not all malware gets neutered in Safe Mode.
    >
    > Currently there is no option in OA to block all network access until the
    > firewall has fully loaded. This means there is a window of opportunity
    > in which malware could load and also connect. About the only advantage
    > the Windows Firewall provides is that the network stack is disabled
    > during Windows startup until the Windows Firewall (if enabled) has fully
    > loaded. Comodo v2.4 has the option to block network access until it is
    > fully loaded. OA doesn't have this option but is promising to add it
    > later. Of course, if the firewall is flaky then you might not get any
    > network access even after the firewall loads. Comodo v2.4 hasn't had
    > this problem. I don't know about v3 since it lost some functionality,
    > uses a non-intuitive HIPS (try figuring out how to block a program from
    > loading without visiting their forum), lost the parent-child firewall
    > control, and is way too flaky so I abandoned it long before having
    > enough history to know if enabling the option to block network access
    > until Comodo is loaded is reliable. Again most users don't even think
    > about this window of opportunity for any firewall that doesn't have this
    > option (but those same users don't think about the vulnerability of OA
    > not running under Safe Mode, either).
    >
    > Unlike Defense Wall which reduces permissions for unknown or untrusted
    > processes which attempt to run silently but is really for newbie or lazy
    > users, OA with its HIPS will be asking lots of questions. (Note:
    > Defense Wall is not a HIPS product as they claim since it never
    > interferes with the load of a program, only with the privileges it gets
    > after it loads. It doesn't need to continually prompt the user because
    > it doesn't regulate what can load. Softsphere also doesn't provide a
    > free version of Defense Wall.) OA also tries to alleviate the deluge of
    > prompts by downloading a list of certified good applications; however,
    > if you update the program and it isn't in their list or you haven't
    > updated the list yet, you'll get prompted because of the new version (of
    > an old program that you allowed to run before). Many users want to use
    > their host rather than repeatedly answer prompts about what is allowed
    > to run. Of course, a list of certified apps is someone else's decision
    > that the program is okay so some OA users won't use that list and
    > instead want to get prompted on every program so they know what is
    > allowed to run or not. That is why many HIPS products have a learning
    > mode including, I believe, OA (but I don't remember if learning mode
    > works in the free version). Be warned that the free version will NEVER
    > retrieve updates to this certified apps list. Updating in the free
    > version of OA is manual - but you can't even do a manual update to
    > retrieve the new list. Manual updating means you get an e-mail telling
    > you that there is an updated list, you have to download it using the
    > link in the email, and then you point at that file to insert the new
    > definitions. So manual updates are very manual. And you won't get
    > notification of those updates unless you insert your email address
    > during the installation. You cannot register after the installation to
    > get those email notifications of updates. You cannot subscribe to a
    > mailing list to get those email update notices. If you chose to not
    > disclose your email address during the installation, you will have to
    > uninstall and reinstall and give your email address under that new
    > install. And then what you get are emails telling you to download a new
    > file and then have to point at it to insert its contents. The paid
    > version has automatic updating. Forcing manual updates in a free
    > version is nasty, especially regarding a security program, but this
    > extremely manual update process that relies on email notification just
    > sucks. It means a significantly reduced number of users of the free
    > version will get the email notifications and only a subset of those will
    > perform the manual file update.
    >
    > Online Armor is pretty good but it needs several security issues
    > addressed, some of which were so obvious that it seems they pushed it out
    > the door way too soon simply because they wanted to show off their new
    > firewall that got included in version 2. Visit their forums to see what
    > is missing, promised for later updates to the product, and problems with
    > it. I almost got this product and there is enough in the paid version
    > to make me buy it but it needs a bit more work. Between Comodo's version
    > 3 and Online Armor, both having HIPS and firewalling, I'd go for Online
    > Armor - but after a few more updates (so I'm sticking with Comodo v2.4
    > for now and might get ProSecurity [paid] for HIPS if Tall Emu takes too
    > long with the updates for OA).
    >

    Thanks for your detailed analysis.

    I don't understand however, why I would care if I got their
    automatic updates for newly approved programs. I don't
    install new programs every day by any means, and when I do,
    I don't mind answering the questions about what I want to
    allow - especially since there is a "remember" checkbox. Is
    there another reason to get the paid version?

    I installed the 2.x version of Comodo and it nearly brought
    down my machine. I don't know why, but I do know it
    couldn't remember what it was supposed to allow and
    every time it got confused, things froze and its questions
    were endless and seemed kind of lame - I uninstalled it,
    retrieved my system, and would be hesitant to try Comodo
    again - new version or not.

    I'll take a look at ProSecurity - never heard of it.

    BTW, since you seem quite knowledgeable, I'll take the
    liberty of asking you another question: I'm running NOD32
    (new AV version), use Firefox mostly, and I do use Outlook
    with a good spam filter. I'm running XP, SP2. Do you think
    it is necessary to run an antispyware program?

    Thanks again.

    Louise
     
    louise, Dec 5, 2007
    #4
  5. louise

    VanguardLH Guest

    Re: Fred W - re NOD32 and Online Armor

    "louise" wrote in message news:...
    >
    > I don't understand however, why I would care if I got their
    > automatic updates for newly approved programs. I don't install new
    > programs every day by any means, and when I do, I don't mind
    > answering the questions about what I want to allow - especially
    > since there is a "remember" checkbox. Is there another reason to
    > get the paid version?


    The point of their certified list is to eliminate the prompts. Once
    you've installed OA, and after running every application on your host
    to ensure they get detected (so you answer THOSE prompts for apps that
    are not on their list), you can run OA without any further updates if
    you don't care about getting prompts when: (1) You install new
    applications; and, (2) After any update to those applications (like
    you run Windows Updates, Adobe Reader updates, program updates for
    anti-virus software, etc). Without the certified list, and only if it
    includes the programs that YOU have installed, you will get the
    prompts for every new program that you install and perhaps also when
    you update it.

    > I installed the 2.x version of Comodo and it nearly brought down my
    > machine. I don't know why, but I do know it couldn't remember what
    > it was supposed to allow and every time it got confused, things froze
    > and its questions were endless and seemed kind of lame - I
    > uninstalled it, retrieved my system, and would be hesitant to try
    > Comodo again - new version or not.


    My guess is that you don't understand the parent-child relationship
    between the caller process that calls the child which does the actual
    connection. This is one reason why OA has not included parent-child
    control and is only considering adding it later. In Comodo v2, leave
    the Component monitor set to "Learn" if you don't want to get the
    prompts about the parent wanting to use the child or when different
    components happened to be used by the child for a particular
    connection. A program may end up touching hundreds of different
    components but not always all of them for every connection.

    > I'll take a look at ProSecurity - never heard of it.


    Along with OA, it fared favorably against malware that attempts to
    unhook the services into which the HIPS products will hook. By
    unhooking the HIPS program, it is rendered useless. It also has most
    of the features that are found in the top-end HIPS products.
    ProcessGuard is long dead (DiamondCS abandoned that product).
    AppDefend hasn't been updated in over a year although Jason, its
    author, had promised needed and critical fixes would be available in a
    month (and that was over a year ago). System Safety Monitor (SSM) has
    the configurability needed for a good HIPS but is too easily unhooked.
    Antihook fared better than SSM but not as good as OA and ProSecurity.
    Also, Antihook incurs the most impact on the system and makes it less
    responsive.

    Just be aware that the free version of ProSecurity is worthless. It
    is far too crippled (as are the free versions of SSM and AppDefend).
    In fact, some very basic HIPS functions are killed in the free version
    of ProSecurity so that it misleads the user regarding its protection.
    Trial the paid version to see if you want it. You can trial software
    in a virtual machine in VMWare Server (which is free) or under Virtual
    PC 2007 (also free) so you don't end up polluting your working host.

    > BTW, since you seem quite knowledgeable, I'll take the liberty of
    > asking you another question: I'm running NOD32 (new AV version),
    > use Firefox mostly, and I do use Outlook with a good spam filter.
    > I'm running XP, SP2. Do you think it is necessary to run an
    > antispyware program?


    Yes, always unless you are a knowledgeable user. The security
    software is to cover your butt in case you make a mistake but often
    you can severely reduce how much security software you have running if
    you know what you are doing (i.e., if you operate the host securely
    then you have less dependency on software to do that for you). Even
    with loads of security software, the final authority (and often the
    weakest link) still resides with the user. Tons of security won't
    protect a host from a user that obviates that security. Security
    software that you don't understand, don't configure properly, and
    don't maintain is usually a weak use of memory and disk space.

    I have several anti-malware programs installed to provide for layered
    detection of pests but I do NOT run any of them in the background.
    That is, I install them but do not load them automatically (for
    on-access scanning). Instead I install them and disable them from
    loading automatically because I only use them as on-demand scanners.
    These include: Lavasoft Ad-Aware, Spybot Search & Destroy,
    SuperAntispyware, and AVG AntiSpyware (was ewido).

    I do let Windows Defender (WD) load automatically but its detection
    rate is poor. I don't use WD to detect pests. I use it to detect
    changes that affect the system behavior, like auto-run programs,
    browser setting changes, etc. Unlike Prevx (no longer free) which
    intercepts these changes to pend them until you authorize them, WD
    polls the system to detect the changes. That is why it can never tell
    you what process made the change because it always detects the change
    too late, but it does detect the changes it was coded to detect and
    lets you revert if you decide you didn't want them (whether it was
    malware or goodware that made the change). This is very similar to
    how WinPatrol operates by *polling* for changes (but WD has more
    change detections than WinPatrol). I also use SysInternals Rootkit
    Revealer and Resplendence RootKit Hook Analyzer to detect rootkit
    behavior (which isn't necessarily bad as some good products, like
    Daemon Tools, use it). I also use AVG's AntiRootkit to detect files
    that are hidden (not the hidden file attribute but are hidden in the
    Win32 API system calls to show files from the file system) which
    SysInternals will also show. These tend to duplicate each other in
    some coverage but have other detections that I like. SysInternals and
    AVG have shown me the .sys driver file that is hidden within the file
    system that is used by Daemon Tools, for example. When they tell you
    something is suspect, YOU have to figure out if it really is bad or
    okay. They don't fix anything but simply notify of suspect targets.

    There are some anti-malware programs that some users like that I won't
    touch. I won't touch Spyware Doctor due to its past history of using
    false positives to prod users to buy the product when they were
    trialing it. It had a black history which maybe they've whitened by
    now. However, from only what I've read, its coverage of pests isn't
    that broad.
     
    VanguardLH, Dec 5, 2007
    #5
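    The parent-child control VanguardLH describes in post #3 and again above, modelled as an added example (not code from the thread or from any of the products named): the same connect rule for the browser is evaluated once with child-only matching and once with the caller checked, so the leaktest outcome of each approach can be compared. Process and rule names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Process:
    """A running program and the program that launched it (constructed)."""
    name: str
    parent: Optional["Process"] = None


@dataclass
class FirewallPolicy:
    # Per-program connect rules, the only kind of rule the post says OA v2
    # and Comodo v3 apply: the child alone is matched.
    may_connect: set = field(default_factory=set)
    # (caller, child) launch rules; consulted only when parent-child control
    # is switched on, as in Comodo v2.4 according to the post.
    may_launch: set = field(default_factory=set)
    parent_child_control: bool = False

    def decide(self, proc: Process) -> tuple:
        """Return (allowed, reason) for an outbound connection by proc."""
        if proc.name not in self.may_connect:
            return False, f"{proc.name} has no connect rule"
        if not self.parent_child_control:
            # The rule matched on the child alone; whoever called it rides along.
            return True, f"{proc.name} allowed, caller not considered"
        if proc.parent is None:
            # Treated as a direct user launch (assumption of this model).
            return True, f"{proc.name} allowed, launched by the user"
        pair = (proc.parent.name, proc.name)
        if pair in self.may_launch:
            return True, f"{pair[0]} -> {pair[1]} allowed by parent-child rule"
        return False, f"{pair[0]} may not use {pair[1]} to connect"


def leaktest_outcomes() -> dict:
    """Compare both policies on the post's scenario: the browser is allowed
    to connect, and an unknown program launches it to reach the network."""
    browser = "firefox.exe"
    user_launch = Process(browser, parent=Process("explorer.exe"))
    # Constructed caller name standing in for the unknown parent in the post.
    leak = Process(browser, parent=Process("unknown_caller.exe"))

    child_only = FirewallPolicy(may_connect={browser})
    with_parents = FirewallPolicy(
        may_connect={browser},
        may_launch={("explorer.exe", browser)},
        parent_child_control=True,
    )
    return {
        "child_only": {
            "user": child_only.decide(user_launch),
            "leak": child_only.decide(leak),
        },
        "parent_child": {
            "user": with_parents.decide(user_launch),
            "leak": with_parents.decide(leak),
        },
    }


if __name__ == "__main__":
    for policy, results in leaktest_outcomes().items():
        for case, (allowed, reason) in results.items():
            print(f"{policy:12s} {case:5s} allowed={allowed}  {reason}")
```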
  6. louise

    louise Guest

    Re: Fred W - re NOD32 and Online Armor

    VanguardLH wrote:
    > "louise" wrote in message news:...
    >>
    >> I don't understand however, why I would care if I got their automatic
    >> updates for newly approved programs. I don't install new programs
    >> every day by any means, and when I do, I don't mind answering the
    >> questions about what I want to allow - especially since there is a
    >> "remember" checkbox. Is there another reason to get the paid version?

    >
    > The point of their certified list is to eliminate the prompts. Once
    > you've installed OA, and after running every application on your host to
    > ensure they get detected (so you answer THOSE prompts for apps that are
    > not on their list), you can run OA without any further updates if you
    > don't care about getting prompts when: (1) You install new applications;
    > and, (2) After any update to those applications (like you run Windows
    > Updates, Adobe Reader updates, program updates for anti-virus software,
    > etc). Without the certified list, and only if it includes the programs
    > that YOU have installed, you will get the prompts for every new program
    > that you install and perhaps also when you update it.
    >
    >> I installed the 2.x version of Comodo and it nearly brought down my
    >> machine. I don't know why, but I do know it couldn't remember what it
    >> was supposed to allow and every time it got confused, things froze and
    >> its questions were endless and seemed kind of lame - I uninstalled it,
    >> retrieved my system, and would be hesitant to try Comodo again - new
    >> version or not.

    >
    > My guess is that you don't understand the parent-child relationship
    > between the caller process that calls the child which does the actual
    > connection. This is one reason why OA has not included parent-child
    > control and is only considering adding it later. In Comodo v2, leave
    > the Component monitor set to "Learn" if you don't want to get the
    > prompts about the parent wanting to use the child or when different
    > components happened to be used by the child for a particular
    > connection. A program may end up touching hundreds of different
    > components but not always all of them for every connection.
    >
    >> I'll take a look at ProSecurity - never heard of it.

    >
    > Along with OA, it fared favorably against malware that attempts to
    > unhook the services into which the HIPS products hook. By
    > unhooking the HIPS program, it is rendered useless. It also has most of
    > the features that are found in the top-end HIPS products. ProcessGuard
    > is long dead (DiamondCS abandoned that product). AppDefend hasn't been
    > updated in over a year although Jason, its author, had promised needed
    > and critical fixes would be available in a month (and that was over a
    > year ago). System Safety Monitor (SSM) has the configurability needed
    > for a good HIPS but is too easily unhooked. Antihook fared better than
    > SSM but not as well as OA and ProSecurity. Also, Antihook incurs the
    > most impact on the system and makes it less responsive.
    >
    > Just be aware that the free version of ProSecurity is worthless. It is
    > far too crippled (as are the free versions of SSM and AppDefend). In
    > fact, some very basic HIPS functions are killed in the free version of
    > ProSecurity so that it misleads the user regarding its protection. Trial
    > the paid version to see if you want it. You can trial software in a
    > virtual machine in VMWare Server (which is free) or under Virtual PC
    > 2007 (also free) so you don't end up polluting your working host.
    >
    >> BTW, since you seem quite knowledgeable, I'll take the liberty of
    >> asking you another question: I'm running NOD32 (new AV version), use
    >> Firefox mostly, and I do use Outlook with a good spam filter. I'm
    >> running XP, SP2. Do you think it is necessary to run an antispyware
    >> program?

    >
    > Yes, always unless you are a knowledgeable user. The security software
    > is to cover your butt in case you make a mistake but often you can
    > severely reduce how much security software you have running if you know
    > what you are doing (i.e., if you operated the host securely then you
    > have less dependency on software to do that for you). Even with loads
    > of security software, the final authority (and often the weakest link)
    > still resides with the user. Tons of security won't protect a host from
    > a user that obviates that security. Security software that you don't
    > understand, don't configure properly, and don't maintain is usually a
    > weak use of memory and disk space.
    >
    > I have several anti-malware programs installed to provide for layered
    > detection of pests but I do NOT run any of them in the background. That
    > is, I install them but do not load them automatically (for on-access
    > scanning). Instead I install them and disable them from loading
    > automatically because I only use them as on-demand scanners. These
    > include: Lavasoft Ad-Aware, Spybot Search & Destroy, SuperAntispyware,
    > and AVG AntiSpyware (was ewido).
    >
    > I do let Windows Defender (WD) load automatically but its detection rate
    > is poor. I don't use WD to detect pests. I use it to detect changes
    > that affect the system behavior, like auto-run programs, browser setting
    > changes, etc. Unlike Prevx (no longer free) which intercepts these
    > changes to pend them until you authorize them, WD polls the system to
    > detect the changes. That is why it can never tell you what process made
    > the change because it always detects the change too late, but it does
    > detect the changes it was coded to detect and lets you revert if you
    > decide you didn't want them (whether it was malware or goodware that
    > made the change). This is very similar to how WinPatrol operates by
    > *polling* for changes (but WD has more change detections than
    > WinPatrol). I also use SysInternals Rootkit Revealer and Resplendence
    > RootKit Hook Analyzer to detect rootkit behavior (which isn't
    > necessarily bad as some good products, like Daemon Tools, use it). I
    > also use AVG's AntiRootkit to detect files that are hidden (not the
    > hidden file attribute but are hidden in the Win32 API system calls to
    > show files from the file system) which SysInternals will also show.
    > These tend to duplicate each other in some coverage but have other
    > detections that I like. SysInternals and AVG have shown me the .sys
    > driver file that is hidden within the file system that is used by Daemon
    > Tools, for example. When they tell you something is suspect, YOU have
    > to figure out if it really is bad or okay. They don't fix anything but
    > simply notify of suspect targets.
    >
    > There are some anti-malware programs that some users like that I won't
    > touch. I won't touch Spyware Doctor due to its past history of using
    > false positives to prod users to buy the product when they were trialing
    > it. It had a black history which maybe they've whitened by now.
    > However, from only what I've read, its coverage of pests isn't that broad.


    Thanks an awful lot for clarifying so many things and making
    suggestions I can actually use.

    I have been running the various anti-spyware programs you
    suggest (non-realtime), but wanted an educated opinion about
    running any of them realtime. I won't! I do run AVG
    AntiSpyware realtime on my portable which goes outside to
    various mobile sites etc. - but not on my desktop. I'm also
    running OA on the portable along with NOD32 AV.

    I also have Process Explorer and check it every so often to
    see that I recognize everything running. When I don't, I
    google the process to find out what it belongs to.

    I will start checking for rootkits periodically as well.

    It sounds like I'll stay with the free version of OA for now
    and remember paid ProSecurity if I have problems. BTW, OA
    does prompt me when a new version is installed such as an
    update from Firefox (which I run with NoScript), but it
    doesn't give me a reminder every time NOD updates virus
    definitions. So in fact, the reminders are becoming pretty
    infrequent and I don't mind them - in fact, I like to know
    that OA has noticed :)

    Another BTW - I run gotomypc.com to access my desktop
    from any computer when needed. The last time I ran AVG
    AntiSpyware, it found a worm, I deleted it, and since then,
    gotomypc isn't working quite right. Citrix has suggested
    the "worm" was a false positive. I'm not sure. As soon as
    I get a chance, I'll reinstall gotomypc and I'll be more
    careful about deleting worms in the future.

    Take care and thanks so much for all your help.

    Louise
     
    louise, Dec 5, 2007
    #6
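The two change-detection models VanguardLH contrasts above (a monitor that polls the system and diffs snapshots, like Windows Defender or WinPatrol, versus one that sits in the write path and pends the change until the user approves it, like Prevx) are easy to see side by side in code. The following is an added example and not the code of any of those products; the autorun entries, process names and class names are constructed for illustration.

```python
"""Polling versus intercepting change detection for autorun entries.

Constructed example: the entries and actors below are made up and the two
classes are not the code of Windows Defender, WinPatrol or Prevx."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Change:
    kind: str                    # "added", "removed" or "modified"
    name: str                    # autorun entry name (e.g. a Run-key value name)
    old: Optional[str]           # previous command line, None if newly added
    new: Optional[str]           # new command line, None if removed
    actor: Optional[str] = None  # process that made the change, when known


class PollingMonitor:
    """Diffs a fresh snapshot of the autorun entries against a saved baseline.

    It only ever sees the result of a change, never the process that made it,
    so Change.actor stays None. It can offer to revert to the baseline."""

    def __init__(self, baseline: dict) -> None:
        self.baseline = dict(baseline)

    def poll(self, snapshot: dict) -> list:
        changes = []
        for name in sorted(set(self.baseline) | set(snapshot)):
            old, new = self.baseline.get(name), snapshot.get(name)
            if old == new:
                continue
            kind = "added" if old is None else "removed" if new is None else "modified"
            changes.append(Change(kind, name, old, new))
        return changes

    def accept(self, snapshot: dict) -> None:
        """User decided the detected changes were wanted: adopt them."""
        self.baseline = dict(snapshot)

    def revert(self) -> dict:
        """User decided the changes were unwanted: hand back the baseline."""
        return dict(self.baseline)


class InterceptingGuard:
    """Sits in the write path: each change is recorded together with the
    requesting process and held pending until approved or denied."""

    def __init__(self, entries: dict) -> None:
        self.entries = dict(entries)
        self.pending = []

    def request(self, actor: str, name: str, new: Optional[str]) -> Change:
        old = self.entries.get(name)
        kind = "added" if old is None else "removed" if new is None else "modified"
        change = Change(kind, name, old, new, actor)
        self.pending.append(change)   # nothing is written yet
        return change

    def approve(self, change: Change) -> None:
        self.pending.remove(change)
        if change.new is None:
            self.entries.pop(change.name, None)
        else:
            self.entries[change.name] = change.new

    def deny(self, change: Change) -> None:
        self.pending.remove(change)   # entry stays untouched


# Constructed sample data: a baseline and a later snapshot with one extra entry.
BASELINE = {
    "nod32kui": r"C:\Program Files\Eset\nod32kui.exe /WAITSERVICE",
    "oaui": r"C:\Program Files\Tall Emu\Online Armor\oaui.exe",
}
LATER = dict(BASELINE, unknown_entry=r"C:\Windows\Temp\update.exe /silent")


def demo_polling() -> list:
    """Polling finds the new entry but cannot say who added it."""
    return PollingMonitor(BASELINE).poll(LATER)


def demo_intercept():
    """Interception names the actor and leaves the entries untouched on deny."""
    guard = InterceptingGuard(BASELINE)
    change = guard.request("explorer.exe (pid 1234)", "unknown_entry",
                           r"C:\Windows\Temp\update.exe /silent")
    guard.deny(change)
    return change, guard.entries


if __name__ == "__main__":
    for c in demo_polling():
        print("polled:", c.kind, c.name, "actor =", c.actor)
    c, entries = demo_intercept()
    print("intercepted:", c.kind, c.name, "actor =", c.actor, "entries =", entries)
```

The polling monitor reports the same added entry whether a legitimate installer or malware wrote it, which is exactly why it can only offer an undo and never tell you the process; the intercepting guard carries the actor in the record and the entry is never written until approved.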
  7. louise

    FredW Guest

    Re: Fred W - re NOD32 and Online Armor

    VanguardLH formulated the question :
    > "louise" wrote in message news:...
    >> Thanks so much for recommending the Armor Online Free firewall. It really
    >> works - is low on resources and speaks to you in comprehensible language
    >> when it poses a question. And it's free!
    >>
    >> I've put it on my desktop and my portable without a single problem.


    I saved your complete message, to reread several times more.
    ;-)
    I snipped most, but left some points of interest.


    > There is no parent-child control in Online Armor's firewall.


    > The free version doesn't let you backup your settings.


    > Currently there is no option in OA to block all network access until the
    > firewall has fully loaded. This means there is a window of opportunity in
    > which malware could load and also connect.


    > OA also tries to alleviate the deluge of prompts by downloading a list of
    > certified good applications;
    > Be warned that the free version will NEVER retrieve
    > updates to this certified apps list.


    > Online Armor is pretty good but it needs several security issues addressed,


    For many years I used ZoneAlarm and was a happy user.
    But ZA got more and more "features" I did not want or like.

    I even used Kerio 2.1.5 for some months and learned how to use it.

    Then came Comodo 2.4 and again I had a firewall I liked.
    From time to time Comodo asked for a "confirmation" of
    decisions I had taken.
    Some people regarded this as Comodo "forgetting things",
    but I did not mind.
    Also I appreciated that Comodo asked for "parent-child"
    relations, which was never done by ZA.

    Then I read about another newcomer, Online Armor Free.
    I uninstalled Comodo and installed OnlineArmor Free.

    OA now asked for every program on my PC, my permission
    to run or not, not only for going to the outside world
    (Internet), but also for running on my PC only.

    As Louise already explained both Comodo and OA ask again for
    permission when a new version of a program is installed.

    OA also asks permission for some(?) parent-child relations.
    I had to allow my email-program to start the browser.
    I had to allow my newsreader to start the browser.
    I had to allow my email checker to start my email program.

    Both Comodo and OA allow me to delete entries or selections I made,
    so questions can be asked again if I think that is required.

    Reading about Comodo 3.0 and Defense+, I do not want to use that
    for now, although I understand that some major changes in
    Comodo 3 are to be expected.
    So I feel my choice is at the moment between Comodo 2.4 and OA 2.1.

    For the time being I keep OA 2.1.031.
    I do not want a list of "certified" applications.
    I can decide for myself what applications I will allow or not.
    I connect to the Internet *after* my firewall and av-program
    are both up and running.

    Today I restored an image of my hard disc and had to setup
    the rules for OA again, but ZA required the same after a restore.
    It is nice (and useful) to see all the programs present on your PC.
    As I understand a new version of OA can be expected any day now.
    (will be continued)

    --
    Fred W. te A. (NL)
     
    FredW, Dec 6, 2007
    #7
  8. louise

    louise Guest

    Re: Fred W - re NOD32 and Online Armor

    FredW wrote:
    > VanguardLH formulated the question :
    >> "louise" wrote in message news:...
    >>> Thanks so much for recommending the Armor Online Free firewall. It
    >>> really works - is low on resources and speaks to you in
    >>> comprehensible language when it poses a question. And it's free!
    >>>
    >>> I've put it on my desktop and my portable without a single problem.

    >
    > I saved your complete message, to reread several times more.
    > ;-)
    > I snipped most, but left some points of interest.
    >
    >
    >> There is no parent-child control in Online Armor's firewall.

    >
    >> The free version doesn't let you backup your settings.

    >
    >> Currently there is no option in OA to block all network access until
    >> the firewall has fully loaded. This means there is a window of
    >> opportunity in which malware could load and also connect.

    >
    >> OA also tries to alleviate the deluge of prompts by downloading a list
    >> of certified good applications;
    >> Be warned that the free version will NEVER retrieve updates to this
    >> certified apps list.

    >
    >> Online Armor is pretty good but it needs several security issues
    >> addressed,

    >
    > For many years I used ZoneAlarm and was a happy user.
    > But ZA got more and more "features" I did not want or like.
    >
    > I even used Kerio 2.1.5 for some months and learned how to use it.
    >
    > Then came Comodo 2.4 and again I had a firewall I liked.
    > From time to time Comodo asked for a "confirmation" of
    > decisions I had taken.
    > Some people regarded this as Comodo "forgetting things",
    > but I did not mind.
    > Also I appreciated that Comodo asked for "parent-child"
    > relations, which was never done by ZA.
    >
    > Then I read about another newcomer, Online Armor Free.
    > I uninstalled Comodo and installed OnlineArmor Free.
    >
    > OA now asked for every program on my PC, my permission
    > to run or not, not only for going to the outside world
    > (Internet), but also for running on my PC only.
    >
    > As Louise already explained both Comodo and OA ask again for
    > permission when a new version of a program is installed.
    >
    > OA also asks permission for some(?) parent-child relations.
    > I had to allow my email-program to start the browser.
    > I had to allow my newsreader to start the browser.
    > I had to allow my email checker to start my email program.
    >
    > Both Comodo and OA allow me to delete entries or selections I made,
    > so questions can be asked again if I think that is required.
    >
    > Reading about Comodo 3.0 and Defense+, I do not want to use that
    > for now, although I understand that some major changes in
    > Comodo 3 are to be expected.
    > So I feel my choice is at the moment between Comodo 2.4 and OA 2.1.
    >
    > For the time being I keep OA 2.1.031.
    > I do not want a list of "certified" applications.
    > I can decide for myself what applications I will allow or not.
    > I connect to the Internet *after* my firewall and av-program
    > are both up and running.
    >
    > Today I restored an image of my hard disc and had to setup
    > the rules for OA again, but ZA required the same after a restore.
    > It is nice (and useful) to see all the programs present on your PC.
    > As I understand a new version of OA can be expected any day now.
    > (will be continued)
    >

    I'm not sure if this is parent/child but:

    I use a batch file which loads 2 separate parts of one
    program and then loads one of the features on my soundcard
    (it's a speech recognition program that needs soundcard
    adjustment). OA definitely asks me about each section of
    the program and again asks me about the soundcard loading.
    This seems reasonable and I've now told it to remember.

    However, I am on cable and it is "always connected" - so I
    suppose there is a brief window of opportunity but I believe my AV
    runs first and that's enough.

    BTW, I'm running the same version of OA and there are
    certified programs. When I get a prompt, it usually informs
    me that the particular program in question is not on the
    certified list, or is. Go to configuration/programs and
    there will be a long list of programs - if you uncheck the
    hide/trusted, you'll see them all. You can edit them.

    Louise
     
    louise, Dec 7, 2007
    #8
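Fred's and Louise's posts above (the mail client starting the browser, the batch file starting the speech program) and VanguardLH's earlier point that allowing the browser to connect also allows any caller to launch the browser to reach the web both come down to one rule lookup. The following policy evaluator is an added example, not Online Armor's or Comodo's code; the process table, image names and rule tables are constructed, and the pid/ppid layout mimics what Process Explorer shows.

```python
"""Parent-child control in an application firewall, as a policy evaluator.

Constructed example: the process table and both rule tables are made up and
this is not the code of Online Armor or Comodo."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str   # executable name, lower-case


# Constructed process table, keyed by pid, shaped like a Process Explorer tree.
PROCS = {p.pid: p for p in [
    Proc(4, 0, "system"),
    Proc(600, 4, "explorer.exe"),
    Proc(900, 600, "thunderbird.exe"),
    Proc(1200, 900, "firefox.exe"),     # browser started by the mail client
    Proc(1300, 600, "cmd.exe"),         # the batch file Louise describes
    Proc(1400, 1300, "speechapp.exe"),  # program the batch file launches
    Proc(1900, 600, "unknown.exe"),     # a program the user never answered a prompt for
    Proc(2000, 1900, "firefox.exe"),    # browser launched by that unknown program
]}

# Rules the user answered with "remember". Per-image network rule: image -> allowed.
NET_RULES = {"firefox.exe": True, "thunderbird.exe": True, "cmd.exe": False}

# Parent-child rules: (parent image, child image) -> allowed.
PARENT_RULES = {
    ("explorer.exe", "firefox.exe"): True,
    ("thunderbird.exe", "firefox.exe"): True,
    ("explorer.exe", "cmd.exe"): True,
    ("cmd.exe", "speechapp.exe"): True,
}


def ancestry(pid: int, procs: dict = PROCS) -> list:
    """Images from the process up to the root, e.g. for display in a prompt."""
    chain = []
    while pid in procs:
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain


def decide_connect(pid: int, procs: dict = PROCS, net_rules: dict = NET_RULES,
                   parent_rules: Optional[dict] = None) -> str:
    """Return 'allow', 'block' or 'ask' for a connection request made by pid.

    With parent_rules=None the evaluator behaves like a firewall without
    parent-child control: only the connecting image is consulted, so anything
    that can launch an allowed image gets its connection for free."""
    proc = procs[pid]
    net = net_rules.get(proc.image)
    if net is None:
        return "ask"            # never seen this image: prompt the user
    if net is False:
        return "block"
    if parent_rules is None:
        return "allow"          # no parent-child control: caller is not checked
    parent = procs.get(proc.ppid)
    parent_image = parent.image if parent else "<unknown>"
    allowed = parent_rules.get((parent_image, proc.image))
    if allowed is None:
        return "ask"            # known child, unknown caller: prompt
    return "allow" if allowed else "block"


if __name__ == "__main__":
    for pid in (1200, 2000, 1300, 1400):
        print(" <- ".join(ancestry(pid)),
              "| without parent control:", decide_connect(pid),
              "| with:", decide_connect(pid, parent_rules=PARENT_RULES))
```

Run stand-alone it prints one line per process: the browser started by the mail client is allowed under both models, while the browser started by the unknown program is allowed without parent-child control and turns into a prompt with it, which is the gap VanguardLH describes.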
  9. Re: Fred W - re NOD32 and Online Armor

    On Wed, 5 Dec 2007 02:30:29 -0600, "VanguardLH" wrote:

    >ProcessGuard is long dead (DiamondCS abandoned that product).


    Are you sure about that?

    http://www.diamondcs.com.au/processguard/

    Cheers,
    Pekka de G.
     
    Pekka de Groot, Dec 7, 2007
    #9
  10. louise

    VanguardLH Guest

    Re: Fred W - re NOD32 and Online Armor

    "Pekka de Groot" wrote in message
    news:...
    >
    > "VanguardLH" wrote:
    >>
    >> ProcessGuard is long dead (DiamondCS abandoned that product).

    >
    > Are you sure about that?
    >
    > http://www.diamondcs.com.au/processguard/



    It's been about a year since the Wilders Security group
    (www.wilderssecurity.com) decided to drop the support forum for that
    company. When Wilders dropped the dead forum for the stagnant
    product, DiamondCS then had to remove the link to the support forums
    from their web site (and they never provided their own support
    forums). You'll also notice that the revision history is no longer
    listed on their redesigned web site (because they don't want you to
    know how long it has been since their "new" 3.2 version got released).
    You can still find the old DiamondCS forums at Wilders but they have
    been archived. Go read
    http://www.wilderssecurity.com/showthread.php?t=159189 on why Paul
    closed the DiamondCS forums.

    If you separately download the manual
    (http://www.diamondcs.com.au/downloads/helpfiles/pg-chm.zip) and look
    inside the .zip archive file, that .chm file is dated back to July
    2006. If you download and install the product from their web site
    (into a VM under VMWare Server to eliminate having to uninstall it in
    your production/working environment), the latest datestamp for the
    installed files is January 20, 2005 (ignore today's datestamp on the
    uninst* files since you created those during the install). Do you
    really want to use a security product that has seen no updates in
    almost 3 years?

    Just because there is a site for the product and they're still
    accepting money doesn't mean the product has evolved. People were
    paying but not getting their serial numbers. It is a dead product
    because it went stagnant so it has not kept up with newer malware that
    tries to unhook HIPS products or uses different vectors used to infect
    a host. After their web site redesign, they were listing 3.2 as the
    latest version although users were already using 3.4. Wayne
    disappeared over a year ago with the company claiming illness and then
    they claimed he came back sometime around this September. But then
    why did they drop the support forum just because Wayne got sick, and
    why isn't the forum back after he returned, and why wasn't
    ProcessGuard getting updated long before his illness and even during
    his year-long absence?

    ProcessGuard has been a long-time dead HIPS product. Find something
    else.
     
    VanguardLH, Dec 7, 2007
    #10
