Rootkits again


Guest

Hi everybody,
Good news. I've tested the latest version of WD (1.1.1593.0) against
rootkits (FU rootkit) and now WD is able to detect and even remove it, but is
still unable to prevent them from running and it has to ask the user to
restart their computer for a complete disinfection.
This is acceptable on WXP but unacceptable on Windows Servers.
A WD alert to restart keeps popping up.
Wouldn't it be better if WD, instead of allowing rootkits to run, simply
froze all the threads owned by the driver and this way stopped it from doing
its malicious job?
Anyway, I think WD is doing well on other tests I performed. So keep up the
good work with this outstanding tool.
One question: Is WD a behavior-based anti-malware tool?

Thanks
Ken
 

Dave M

Thanks for that report, Ken.

No, WD is not behavior based, it's signature based. You can see the
specifics of that doing the tests for Spycar which are basically behavioral
and which WD does not pick up on very well at all (none of the sig based
products do):

http://www.spycar.org/Welcome to Spycar.html

I'd recommend you take a look at one of the specifically behavioral based
products and consider running it alongside WD for increased behavioral
protection. Here's one I'm using, it's very easy on resources as well as
user effort, but there are a number of them to consider:

http://www.download.com/Cyberhawk/3000-2239-10561070.html?part=dl-Cyberhawk&subj=dl&tag=button
 

Guest

Dave, went to Download.com to read from the users about Cyberhawk and there
are only four. Would like to hear more from you, like what other anti-programs
besides Defender are you using, and any conflicts with anything else? Ron
 

Guest

Ken Jelvis said:
it has to ask the user to
restart their computer for a complete disinfection.
This is acceptable on WXP but unacceptable on Windows Servers.
A WD alert to restart keeps popping up.

Prevention is better than a cure, so I hope your Windows Server is never
infected...
 

Guest

Engel, that's exactly what I needed. Didn't like some of the reviews, thanks
for helping. Ron
 

Dave M

Hi Ron,

Sorry, I was gone yesterday and didn't see your question until this A.M.
Engel gives some good links, but there's another more recent one at
Wilder's that's kind of the ultimate dissection of Cyberhawk with input by
their support org, so let me get that thread posted before I neglect to do
it, and there have been some recent updates to the program that this
discussion covers since the thread is more recent:
http://www.wilderssecurity.com/showthread.php?t=152355

The real question when dealing with a HIPS program with community input, is
"Do you trust the vendor?" and that rather lengthy thread tackles this
topic. It's far easier to trust an established company like MS than a
relatively unknown one like Novatix. I can say however, that I've developed
trust over the six months or so I've used the program, but I'm not an
advocate of one behavioral blocker over another. I think the important
concept is that you consider a behavioral blocker as a complement to your
signature based AS because of one inherent weakness in any signature based
program... that is until the sigs are developed and then added to the
database you're unprotected against zero-day malware no matter how many AS
signature programs you're running. That concept hit me like a ton of
bricks when I was testing WD on spycar, because I have all these sig progs
with many duplicating effort... but still I'm wide open to new or
previously unknown threats.

Hope that helps, Ron. No conflicts with Cyberhawk and anything else...
SpySweeper and Norton give me more problems than anything else in that
regard.
--

Active protection: Windows Defender 1.1.1593.0 , NIS 2005 v 8.0.7.1, NAV
11.0.16.4 , SpySweeper 4.5.9, Cyberhawk 1.2.0.39 SpywareBlaster 3.5.1
On Demand: Ewido 4.0.0,172 free, SuperAntiSpyware 3.3.1020 free, A-squared
2.1.0.12 free, Trend Micro online, Windows Live OneCare safety scanner
online

Regards, Dave
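To make the signature-versus-behavior distinction Dave describes concrete, here is an added toy illustration that is not from the original thread and is not code from Windows Defender, Spycar or Cyberhawk. It assumes a constructed signature database of file hashes and a handful of behavior rules modelled on the kinds of actions Spycar-style tests exercise (autorun persistence, hosts file edits, IE start page changes, driver loads); the sample "files", process names and driver paths are all constructed placeholders.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed byte strings standing in for executable contents.
KNOWN_ROOTKIT = b"FU-ROOTKIT-SAMPLE-v1"          # assumed already in the signature DB
NEW_VARIANT = b"FU-ROOTKIT-SAMPLE-v2-repacked"   # assumed NOT yet in the DB (zero-day)
BENIGN_TOOL = b"hello-world-utility"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A signature-based scanner only knows what has already been catalogued.
SIGNATURE_DB = {sha256(KNOWN_ROOTKIT): "FU rootkit (known sample)"}


@dataclass
class Event:
    process: str
    image: bytes      # contents of the process image on disk
    actions: list     # runtime actions observed, as "kind:target" strings


# Behavior rules: what a program DOES, independent of which bytes it is made of.
BEHAVIOR_RULES = [
    (re.compile(r"^reg_write:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I),
     "autorun persistence"),
    (re.compile(r"^file_write:.*\\drivers\\etc\\hosts$", re.I), "hosts file tampering"),
    (re.compile(r"^reg_write:HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", re.I),
     "IE start page hijack"),
    (re.compile(r"^load_driver:", re.I), "kernel driver load"),
]


def signature_scan(event: Event):
    """Return the DB name for a known hash, or None for anything unseen."""
    return SIGNATURE_DB.get(sha256(event.image))


def behavior_scan(event: Event, threshold: int = 1):
    """Return the names of behavior rules the event's actions tripped."""
    hits = [name for action in event.actions
            for pattern, name in BEHAVIOR_RULES if pattern.search(action)]
    return hits if len(hits) >= threshold else []


def classify(event: Event) -> dict:
    """Combine both views, the way a sig-based AS plus a behavioral blocker would."""
    sig = signature_scan(event)
    beh = behavior_scan(event)
    return {"process": event.process, "signature": sig,
            "behaviors": beh, "flagged": bool(sig or beh)}


# Constructed sample events (process names and driver paths are placeholders).
SAMPLE_EVENTS = [
    Event("known.exe", KNOWN_ROOTKIT, [
        "load_driver:C:\\Windows\\System32\\drivers\\example1.sys",
        "reg_write:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\known",
    ]),
    Event("variant.exe", NEW_VARIANT, [
        "load_driver:C:\\Windows\\System32\\drivers\\example2.sys",
        "reg_write:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\variant",
    ]),
    Event("notepad.exe", BENIGN_TOOL, [
        "file_write:C:\\Users\\ron\\notes.txt",
    ]),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
```

Running it shows the point of the thread: the known sample is caught by its hash alone, the repacked variant has an unknown hash and is invisible to the signature scanner but still trips the same behavior rules, and the benign editor trips nothing. The flip side, which is why a HIPS prompts the user rather than silently blocking, is that a legitimate installer writing a Run key would trip the same rule, so the trust question Dave raises about the vendor's judgement is real.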
 

Guest

Hi Dave, thanks for the come back and no need for apologies. Many of the
reviews, as yours, were positive but some were a little iffy. You explain things
well, so maybe down the road a little we'll talk a little further on
Cyberhawk if that's ok? BTW paid 50 bucks for Norton for the year and removed
it after three months, couldn't take it not working any more. Ron
 
