ATTN: Fred W - re NOD32 and Online Armor

louise

Thanks so much for recommending the Armor Online Free
firewall. It really works - is low on resources and speaks
to you in comprehensible language when it poses a question.
And it's free!

I've put it on my desktop and my portable without a single
problem.

Louise
 

FredW

louise expressed precisely:
Thanks so much for recommending the Armor Online Free firewall. It really
works - is low on resources and speaks to you in comprehensible language when
it poses a question. And it's free!
I've put it on my desktop and my portable without a single problem.

I agree fully.
Glad I could help.
:)
 

VanguardLH

Thanks so much for recommending the Armor Online Free firewall. It
really works - is low on resources and speaks to you in
comprehensible language when it poses a question. And it's free!

I've put it on my desktop and my portable without a single problem.


There is no parent-child control in Online Armor's firewall. Say you
allow your browser to connect. Well, then you have also allowed any
caller (parent) program to execute that browser to get a connection to
some unknown web page. By regulating who can call (parent) another
program (child) then you know who is really asking for the connection.
For many users, this is not a critical feature since few firewalls
provide parent-child control. Comodo has it in their older v2.4 but
dropped it in their new v3 firewall that now includes HIPS. The
firewall just got added in version 2 of Online Armor (OA) so it will
need some fixing or features to get up to speed with other firewalls.

So the assumption is that you have permitted the parent program to run
but relinquish any control over whether or not it can make connections
using child programs; i.e., in Comodo Firewall Pro v3, you get to
regulate the load of a program using HIPS (the parent and child
programs), like in Online Armor, and you can regulate which programs
can make connections (the child programs), but you cannot control if
the parent can call the child to make the connection. As a result,
both Online Armor and Comodo will fail all leaktests UNLESS you, as
the user, see the prompt and deny the execution of the parent
program - but that is not the point of leaktests. Rather than
regulating who can call what for a connection, your only choice is
whether the parent loads or not. Online Armor is promising to add
parent-control into their firewall, a brand new feature added in their
latest version 2. But they have lots of fixes to make and other more
security-related updates to make to their product so they aren't
promising when to deliver on parent-child control.

While other HIPS products are better at controlling ALL auto-start
programs in the various locations available under Windows, Online
Armor's AutoRuns protection is limited to just a few areas. They
don't cover the WinLogon/Notify, Session Manager bootexecute, and
other areas that users normally never touch. They are promising an
update sometime later to address the lack of coverage for auto-start
processes.

There have been some instances where programs would generate a prompt when
they loaded, the user answered to allow the load and remember that
action (and it does get remembered), but the program never shows up in
the list under their Program Guard. Once remembered and because it
isn't in the list, you cannot later revoke that run permission. It
looks to be a UI error in the grid control that they use not showing
all the recorded rules.

Currently Online Armor does not encrypt the registry keys used by that
program. This can provide info to malware or malcontents on how the
product is configured and possibly could alter that behavior to reduce
protection (their documentation is poor, basically just an overview,
and they don't define the purpose of these registry keys). They also
do not protect these registry keys against alteration. Online Armor
does not load under Safe Mode so even if they protect those registry
keys then they won't be protected if you reboot into Safe Mode. They
need to encrypt those keys. When OA attempts to read them, and if
altered and hence corrupted, OA will be unable to read those altered
values and know they were changed outside of OA. They promise to
later address this security hole to protect against alteration (but
only when OA is running) and use encryption (to detect alteration
under Safe Mode and to then revert to whatever would be the most
restrictive values for those corrupted settings and also alert the
user to that act).

The free version doesn't let you backup your settings. The paid
version does. However, you can save the .dat files in the OA install
path to backup your settings. Since OA protects against any access to
these .dat files when it is running, even to copy them, you have to
reboot into Safe Mode, copy the .dat files, and then reboot into
normal mode.

Online Armor does not run under Safe Mode. It has been deliberately
designed that way. One reason for this behavior is that
uninstallation may fail under normal mode; e.g., you won't be able to
read their unins000.log file to do the uninstall. In most cases, but
not guaranteed to be the only case, the user has disabled Program Guard
(HIPS) and loses access to the UI (i.e., the user can no longer get at
the configuration or status windows for the product). Rebooting won't
fix the problem. Loading the UI (oaui.exe) won't fix the problem.
The product has to be uninstalled and that can only be done under Safe
Mode. However, the fact that OA does not run under Safe Mode also means
that you have no HIPS or firewall protection while under Safe Mode.
If malware still loads, like using the WinLogon/Notify event (instead
of the normal auto-start locations), then it now has free rein to
load. The malware is also unfettered under Safe Mode (with networking
enabled) to connect. Not all malware gets neutered in Safe Mode.

Currently there is no option in OA to block all network access until
the firewall has fully loaded. This means there is a window of
opportunity in which malware could load and also connect. About the
only advantage the Windows Firewall provides is that the network stack
is disabled during Windows startup until the Windows Firewall (if
enabled) has fully loaded. Comodo v2.4 has the option to block
network access until it is fully loaded. OA doesn't have this option
but is promising to add it later. Of course, if the firewall is flaky
then you might not get any network access even after the firewall
loads. Comodo v2.4 hasn't had this problem. I don't know about v3
since it lost some functionality, uses a non-intuitive HIPS (try
figuring out how to block a program from loading without visiting
their forum), lost the parent-child firewall control, and is way too
flaky so I abandoned it long before having enough history to know if
enabling the option to block network access until Comodo is loaded is
reliable. Again most users don't even think about this window of
opportunity for any firewall that doesn't have this option (but those
same users don't think about the vulnerability of OA not running under
Safe Mode, either).

Unlike Defense Wall which reduces permissions for unknown or untrusted
processes which attempt to run silently but is really for newbie or
lazy users, OA with its HIPS will be asking lots of questions. (Note:
Defense Wall is not a HIPS product as they claim since it never
interferes with the load of a program, only with the privileges it
gets after it loads. It doesn't need to continually prompt the user
because it doesn't regulate what can load. Softsphere also doesn't
provide a free version of Defense Wall.) OA also tries to alleviate
the deluge of prompts by downloading a list of certified good
applications; however, if you update the program and it isn't in their
list or you haven't updated the list yet, you'll get prompted because
of the new version (of an old program that you allowed to run before).
Many users want to use their host rather than repeatedly answer
prompts about what is allowed to run. Of course, a list of certified
apps is someone else's decision that the program is okay so some OA
users won't use that list and instead want to get prompted on every
program so they know what is allowed to run or not. That is why many
HIPS products have a learning mode including, I believe, OA (but I
don't remember if learning mode works in the free version). Be warned
that the free version will NEVER retrieve updates to this certified
apps list. Updating in the free version of OA is manual - but you
can't even do a manual update to retrieve the new list. Manual
updating means you get an e-mail telling you that there is an updated
list, you have to download it using the link in the email, and then
you point at that file to insert the new definitions. So manual
updates are very manual. And you won't get notification of those
updates unless you insert your email address during the installation.
You cannot register after the installation to get those email
notifications of updates. You cannot subscribe to a mailing list to
get those email update notices. If you chose to not disclose your
email address during the installation, you will have to uninstall and
reinstall and give your email address under that new install. And
then what you get are emails telling you to download a new file and
then have to point at it to insert its contents. The paid version has
automatic updating. Forcing manual updates in a free version is
nasty, especially regarding a security program, but this extremely
manual update process that relies on email notification just sucks.
It means a significantly reduced number of users of the free version
will get the email notifications and only a subset of those will
perform the manual file update.

Online Armor is pretty good but it needs several security issues
addressed, some which were so obvious that it seems they pushed it out
the door way too soon simply because they wanted to show off their new
firewall that got included in version 2. Visit their forums to see
what is missing, promised for later updates to the product, and
problems with it. I almost got this product and there is enough in
the paid version to make me buy it but it needs a bit more work.
Between Comodo's version 3 and Online Armor, both having HIPS and
firewalling, I'd go for Online Armor - but after a few more updates
(so I'm sticking with Comodo v2.4 for now and might get ProSecurity
[paid] for HIPS if Tall Emu takes too long with the updates for OA).
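The parent-child point in the post above (a child-only rule lets any caller launch the browser to get a connection) can be checked by hand on a running box. The PowerShell below is an added example for this thread, not code from Online Armor, Comodo or any other product named here: it walks a process's ancestry via Win32_Process and flags any instance of a network-capable child whose parent is not on an expected-parent list. The child name and the allow-list are assumptions for illustration; it needs PowerShell 3 or later for Get-CimInstance.

```powershell
# Added example: audit who actually launched a network-capable process.
# Not part of any product discussed in the thread; the allow-list below is
# a constructed assumption, adjust it to what is normal on your own host.

function Get-ProcessAncestry {
    param([Parameter(Mandatory)][int]$ProcessId, [int]$MaxDepth = 16)
    # Snapshot the whole process table once so the walk is consistent.
    $all = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $all[[int]$_.ProcessId] = $_ }
    $chain = @()
    $current = $ProcessId
    for ($i = 0; $i -lt $MaxDepth -and $all.ContainsKey($current); $i++) {
        $p = $all[$current]
        $chain += [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath }
        if ($p.ParentProcessId -eq 0 -or -not $all.ContainsKey([int]$p.ParentProcessId)) { break }
        # PID reuse: a "parent" created after its child is a stale id, stop there.
        $parent = $all[[int]$p.ParentProcessId]
        if ($parent.CreationDate -gt $p.CreationDate) { break }
        $current = [int]$p.ParentProcessId
    }
    return $chain
}

function Test-ParentAllowed {
    param([Parameter(Mandatory)][string]$ChildName, [string[]]$AllowedParents)
    $results = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = '$ChildName'") {
        $chain  = Get-ProcessAncestry -ProcessId $proc.ProcessId
        $parent = if ($chain.Count -gt 1) { $chain[1].Name } else { '<unknown>' }
        [pscustomobject]@{
            ChildPid = $proc.ProcessId
            Parent   = $parent
            Allowed  = ($AllowedParents -contains $parent)
            Chain    = ($chain.Name -join ' <- ')
        }
    }
    return $results
}

# Usage (assumed child and allow-list): any row with Allowed = False is a
# browser instance that something other than the shell or itself started.
Test-ParentAllowed -ChildName 'firefox.exe' -AllowedParents @('explorer.exe', 'firefox.exe') |
    Format-Table -AutoSize
```

This only shows the state at the moment it runs; a firewall with real parent-child control makes the same decision at connection time, which is what the post says neither free product does yet.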
 

louise

VanguardLH said:
Thanks so much for recommending the Armor Online Free firewall. It
really works - is low on resources and speaks to you in comprehensible
language when it poses a question. And it's free!

I've put it on my desktop and my portable without a single problem.


There is no parent-child control in Online Armor's firewall. Say you
allow your browser to connect. Well, then you have also allowed any
caller (parent) program to execute that browser to get a connection to
some unknown web page. By regulating who can call (parent) another
program (child) then you know who is really asking for the connection.
For many users, this is not a critical feature since few firewalls
provide parent-child control. Comodo has it in their older v2.4 but
dropped it in their new v3 firewall that now includes HIPS. The firewall
just got added in version 2 of Online Armor (OA) so it will need some
fixing or features to get up to speed with other firewalls.

So the assumption is that you have permitted the parent program to run
but relinquish any control over whether or not it can make connections
using child programs; i.e., in Comodo Firewall Pro v3, you get to
regulate the load of a program using HIPS (the parent and child programs),
like in Online Armor, and you can regulate which programs can make
connections (the child programs), but you cannot control if the parent
can call the child to make the connection. As a result, both Online
Armor and Comodo will fail all leaktests UNLESS you, as the user, see
the prompt and deny the execution of the parent program - but that is
not the point of leaktests. Rather than regulating who can call what
for a connection, your only choice is whether the parent loads or
not. Online Armor is promising to add parent-control into their
firewall, a brand new feature added in their latest version 2. But they
have lots of fixes to make and other more security-related updates to
make to their product so they aren't promising when to deliver on
parent-child control.

While other HIPS products are better at controlling ALL auto-start
programs in the various locations available under Windows, Online
Armor's AutoRuns protection is limited to just a few areas. They don't
cover the WinLogon/Notify, Session Manager bootexecute, and other areas
that users normally never touch. They are promising an update sometime
later to address the lack of coverage for auto-start processes.

There have been some instances where programs would generate a prompt when
they loaded, the user answered to allow the load and remember that
action (and it does get remembered), but the program never shows up in
the list under their Program Guard. Once remembered and because it
isn't in the list, you cannot later revoke that run permission. It
looks to be a UI error in the grid control that they use not showing all
the recorded rules.

Currently Online Armor does not encrypt the registry keys used by that
program. This can provide info to malware or malcontents on how the
product is configured and possibly could alter that behavior to reduce
protection (their documentation is poor, basically just an overview, and
they don't define the purpose of these registry keys). They also do not
protect these registry keys against alteration. Online Armor does not
load under Safe Mode so even if they protect those registry keys then
they won't be protected if you reboot into Safe Mode. They need to
encrypt those keys. When OA attempts to read them, and if altered and
hence corrupted, OA will be unable to read those altered values and know
they were changed outside of OA. They promise to later address this
security hole to protect against alteration (but only when OA is
running) and use encryption (to detect alteration under Safe Mode and to
then revert to whatever would be the most restrictive values for those
corrupted settings and also alert the user to that act).

The free version doesn't let you backup your settings. The paid version
does. However, you can save the .dat files in the OA install path to
backup your settings. Since OA protects against any access to these
.dat files when it is running, even to copy them, you have to reboot
into Safe Mode, copy the .dat files, and then reboot into normal mode.

Online Armor does not run under Safe Mode. It has been deliberately
designed that way. One reason for this behavior is that uninstallation
may fail under normal mode; e.g., you won't be able to read their
unins000.log file to do the uninstall. In most cases, but not
guaranteed to be the only case, the user has disabled Program Guard
(HIPS) and loses access to the UI (i.e., the user can no longer get at
the configuration or status windows for the product). Rebooting won't
fix the problem. Loading the UI (oaui.exe) won't fix the problem. The
product has to be uninstalled and that can only be done under Safe
Mode. However, the fact that OA does not run under Safe Mode also means that
you have no HIPS or firewall protection while under Safe Mode. If
malware still loads, like using the WinLogon/Notify event (instead of
the normal auto-start locations), then it now has free rein to load.
The malware is also unfettered under Safe Mode (with networking enabled)
to connect. Not all malware gets neutered in Safe Mode.

Currently there is no option in OA to block all network access until the
firewall has fully loaded. This means there is a window of opportunity
in which malware could load and also connect. About the only advantage
the Windows Firewall provides is that the network stack is disabled
during Windows startup until the Windows Firewall (if enabled) has fully
loaded. Comodo v2.4 has the option to block network access until it is
fully loaded. OA doesn't have this option but is promising to add it
later. Of course, if the firewall is flaky then you might not get any
network access even after the firewall loads. Comodo v2.4 hasn't had
this problem. I don't know about v3 since it lost some functionality,
uses a non-intuitive HIPS (try figuring out how to block a program from
loading without visiting their forum), lost the parent-child firewall
control, and is way too flaky so I abandoned it long before having
enough history to know if enabling the option to block network access
until Comodo is loaded is reliable. Again most users don't even think
about this window of opportunity for any firewall that doesn't have this
option (but those same users don't think about the vulnerability of OA
not running under Safe Mode, either).

Unlike Defense Wall which reduces permissions for unknown or untrusted
processes which attempt to run silently but is really for newbie or lazy
users, OA with its HIPS will be asking lots of questions. (Note:
Defense Wall is not a HIPS product as they claim since it never
interferes with the load of a program, only with the privileges it gets
after it loads. It doesn't need to continually prompt the user because
it doesn't regulate what can load. Softsphere also doesn't provide a
free version of Defense Wall.) OA also tries to alleviate the deluge of
prompts by downloading a list of certified good applications; however,
if you update the program and it isn't in their list or you haven't
updated the list yet, you'll get prompted because of the new version (of
an old program that you allowed to run before). Many users want to use
their host rather than repeatedly answer prompts about what is allowed
to run. Of course, a list of certified apps is someone else's decision
that the program is okay so some OA users won't use that list and
instead want to get prompted on every program so they know what is
allowed to run or not. That is why many HIPS products have a learning
mode including, I believe, OA (but I don't remember if learning mode
works in the free version). Be warned that the free version will NEVER
retrieve updates to this certified apps list. Updating in the free
version of OA is manual - but you can't even do a manual update to
retrieve the new list. Manual updating means you get an e-mail telling
you that there is an updated list, you have to download it using the
link in the email, and then you point at that file to insert the new
definitions. So manual updates are very manual. And you won't get
notification of those updates unless you insert your email address
during the installation. You cannot register after the installation to
get those email notifications of updates. You cannot subscribe to a
mailing list to get those email update notices. If you chose to not
disclose your email address during the installation, you will have to
uninstall and reinstall and give your email address under that new
install. And then what you get are emails telling you to download a new
file and then have to point at it to insert its contents. The paid
version has automatic updating. Forcing manual updates in a free
version is nasty, especially regarding a security program, but this
extremely manual update process that relies on email notification just
sucks. It means a significantly reduced number of users of the free
version will get the email notifications and only a subset of those will
perform the manual file update.

Online Armor is pretty good but it needs several security issues
addressed, some which were so obvious that it seems they pushed it out
the door way too soon simply because they wanted to show off their new
firewall that got included in version 2. Visit their forums to see what
is missing, promised for later updates to the product, and problems with
it. I almost got this product and there is enough in the paid version
to make me buy it but it needs a bit more work. Between Comodo's version
3 and Online Armor, both having HIPS and firewalling, I'd go for Online
Armor - but after a few more updates (so I'm sticking with Comodo v2.4
for now and might get ProSecurity [paid] for HIPS if Tall Emu takes too
long with the updates for OA).

Thanks for your detailed analysis.

I don't understand however, why I would care if I got their
automatic updates for newly approved programs. I don't
install new programs every day by any means, and when I do,
I don't mind answering the questions about what I want to
allow - especially since there is a "remember" checkbox. Is
there another reason to get the paid version?

I installed the 2.x version of Comodo and it nearly brought
down my machine. I don't know why, but I do know it
couldn't remember what it was supposed to allow and
every time it got confused, things froze and its questions
were endless and seemed kind of lame - I uninstalled it,
retrieved my system, and would be hesitant to try Comodo
again - new version or not.

I'll take a look at ProSecurity - never heard of it.

BTW, since you seem quite knowledgeable, I'll take the
liberty of asking you another question: I'm running NOD32
(new AV version), use Firefox mostly, and I do use Outlook
with a good spam filter. I'm running XP, SP2. Do you think
it is necessary to run an antispyware program?

Thanks again.

Louise
 

VanguardLH

I don't understand however, why I would care if I got their
automatic updates for newly approved programs. I don't install new
programs every day by any means, and when I do, I don't mind
answering the questions about what I want to allow - especially
since there is a "remember" checkbox. Is there another reason to
get the paid version?

The point of their certified list is to eliminate the prompts. Once
you've installed OA, and after running every application on your host
to ensure they get detected (so you answer THOSE prompts for apps that
are not on their list), you can run OA without any further updates if
you don't care about getting prompts when: (1) You install new
applications; and, (2) After any update to those applications (like
you run Windows Updates, Adobe Reader updates, program updates for
anti-virus software, etc). Without the certified list, and only if it
includes the programs that YOU have installed, you will get the
prompts for every new program that you install and perhaps also when
you update it.

I installed the 2.x version of Comodo and it nearly brought down my
machine. I don't know why, but I do know it couldn't remember what
it was supposed to allow and every time it got confused, things froze
and its questions were endless and seemed kind of lame - I
uninstalled it, retrieved my system, and would be hesitant to try
Comodo again - new version or not.

My guess is that you don't understand the parent-child relationship
between the caller process that calls the child which does the actual
connection. This is one reason why OA has not included parent-child
control and is only considering adding it later. In Comodo v2, leave
the Component monitor set to "Learn" if you don't want to get the
prompts about the parent wanting to use the child or when different
components happened to be used by the child for a particular
connection. A program may end up touching hundreds of different
components but not always all of them for every connection.

I'll take a look at ProSecurity - never heard of it.

Along with OA, it fared favorably against malware that attempts to
unhook the services into which the HIPS products hook. By
unhooking the HIPS program, it is rendered useless. It also has most
of the features that are found in the top-end HIPS products.
ProcessGuard is long dead (DiamondCS abandoned that product).
AppDefend hasn't been updated in over a year although Jason, its
author, had promised needed and critical fixes would be available in a
month (and that was over a year ago). System Safety Monitor (SSM) has
the configurability needed for a good HIPS but is too easily unhooked.
Antihook fared better than SSM but not as good as OA and ProSecurity.
Also, Antihook incurs the most impact on the system and makes it less
responsive.

Just be aware that the free version of ProSecurity is worthless. It
is far too crippled (as are the free versions of SSM and AppDefend).
In fact, some very basic HIPS functions are killed in the free version
of ProSecurity so that it misleads the user regarding its protection.
Trial the paid version to see if you want it. You can trial software
in a virtual machine in VMWare Server (which is free) or under Virtual
PC 2007 (also free) so you don't end up polluting your working host.

BTW, since you seem quite knowledgeable, I'll take the liberty of
asking you another question: I'm running NOD32 (new AV version),
use Firefox mostly, and I do use Outlook with a good spam filter.
I'm running XP, SP2. Do you think it is necessary to run an
antispyware program?

Yes, always unless you are a knowledgeable user. The security
software is to cover your butt in case you make a mistake but often
you can severely reduce how much security software you have running if
you know what you are doing (i.e., if you operated the host securely
then you have less dependency on software to do that for you). Even
with loads of security software, the final authority (and often the
weakest link) still resides with the user. Tons of security won't
protect a host from a user that obviates that security. Security
software that you don't understand, don't configure properly, and
don't maintain is usually a weak use of memory and disk space.

I have several anti-malware programs installed to provide for layered
detection of pests but I do NOT run any of them in the background.
That is, I install them but do not load them automatically (for
on-access scanning). Instead I install them and disable them from
loading automatically because I only use them as on-demand scanners.
These include: Lavasoft Ad-Aware, Spybot Search & Destroy,
SuperAntispyware, and AVG AntiSpyware (was ewido).

I do let Windows Defender (WD) load automatically but its detection
rate is poor. I don't use WD to detect pests. I use it to detect
changes that affect the system behavior, like auto-run programs,
browser setting changes, etc. Unlike Prevx (no longer free) which
intercepts these changes to pend them until you authorize them, WD
polls the system to detect the changes. That is why it can never tell
you what process made the change because it always detects the change
too late, but it does detect the changes it was coded to detect and
lets you revert if you decide you didn't want them (whether it was
malware or goodware that made the change). This is very similar to
how WinPatrol operates by *polling* for changes (but WD has more
change detections than WinPatrol). I also use SysInternals Rootkit
Revealer and Resplendence RootKit Hook Analyzer to detect rootkit
behavior (which isn't necessarily bad as some good products, like
Daemon Tools, use it). I also use AVG's AntiRootkit to detect files
that are hidden (not the hidden file attribute but are hidden in the
Win32 API system calls to show files from the file system) which
SysInternals will also show. These tend to duplicate each other in
some coverage but have other detections that I like. SysInternals and
AVG have shown me the .sys driver file that is hidden within the file
system that is used by Daemon Tools, for example. When they tell you
something is suspect, YOU have to figure out if it really is bad or
okay. They don't fix anything but simply notify of suspect targets.

There are some anti-malware programs that some users like that I won't
touch. I won't touch Spyware Doctor due to its past history of using
false positives to prod users to buy the product when they were
trialing it. It had a black history which maybe they've whitened by
now. However, from only what I've read, it's coverage of pests isn't
that broad.
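The post above makes two points that fit one example: that a HIPS should watch more auto-start locations than the usual Run keys (it names WinLogon/Notify and Session Manager BootExecute), and that polling tools such as Windows Defender and WinPatrol detect a change after the fact, so they can report what changed but never which process did it. The PowerShell below is an added example for this thread, not code from any of those products: it snapshots a set of auto-start registry locations, polls them, and reports additions, removals and modifications. The location list is an assumption (the keys the post names plus the common Run keys, and the Winlogon Shell/Userinit values); the interval is arbitrary.

```powershell
# Added example: polling auto-start monitor. Like the polling products in
# the thread it reports WHAT changed, not WHICH process changed it, and it
# misses anything changed and reverted inside one interval. The location
# list is a constructed assumption, extend it for your own environment.

$AutoStartLocations = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = @('Shell', 'Userinit') }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Names = @('BootExecute') }
)

function Get-AutoStartSnapshot {
    # Returns a hashtable of "key::valuename" (or "key\subkey") -> value string.
    $snap = @{}
    foreach ($loc in $AutoStartLocations) {
        if (-not (Test-Path $loc.Path)) { continue }   # key absent on this Windows version
        $item  = Get-Item $loc.Path
        $names = if ($loc.Names) { $loc.Names } else { $item.GetValueNames() }
        foreach ($n in $names) {
            $v = $item.GetValue($n)
            # REG_MULTI_SZ (e.g. BootExecute) comes back as string[]; flatten it.
            if ($null -ne $v) { $snap["$($loc.Path)::$n"] = ($v -join ';') }
        }
        # Winlogon\Notify registers each DLL as a subkey, so record subkeys too.
        foreach ($sub in $item.GetSubKeyNames()) { $snap["$($loc.Path)\$sub"] = '<subkey>' }
    }
    return $snap
}

function Compare-AutoStartSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Added'; Entry = $k; Value = $After[$k] }
        } elseif ($Before[$k] -ne $After[$k]) {
            $changes += [pscustomobject]@{ Change = 'Modified'; Entry = $k; Value = "$($Before[$k]) -> $($After[$k])" }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Removed'; Entry = $k; Value = $Before[$k] }
        }
    }
    return $changes
}

# Usage: take a baseline, then poll (30 s is an arbitrary choice) and print
# any differences. As with WD/WinPatrol, deciding whether a change is good
# or bad is still up to you; this only tells you that it happened.
$baseline = Get-AutoStartSnapshot
while ($true) {
    Start-Sleep -Seconds 30
    $now  = Get-AutoStartSnapshot
    $diff = Compare-AutoStartSnapshot -Before $baseline -After $now
    if ($diff) { $diff | Format-Table -AutoSize; $baseline = $now }
}
```

Because it reads the registry at intervals, the script has the same blind spots the post attributes to polling: no process attribution, and nothing at all while the machine is in Safe Mode or before the script starts, which is exactly the gap an interception-based HIPS is meant to close.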
 

louise

VanguardLH said:
I don't understand however, why I would care if I got their automatic
updates for newly approved programs. I don't install new programs
every day by any means, and when I do, I don't mind answering the
questions about what I want to allow - especially since there is a
"remember" checkbox. Is there another reason to get the paid version?

The point of their certified list is to eliminate the prompts. Once
you've installed OA, and after running every application on your host to
ensure they get detected (so you answer THOSE prompts for apps that are
not on their list), you can run OA without any further updates if you
don't care about getting prompts when: (1) You install new applications;
and, (2) After any update to those applications (like you run Windows
Updates, Adobe Reader updates, program updates for anti-virus software,
etc). Without the certified list, and only if it includes the programs
that YOU have installed, you will get the prompts for every new program
that you install and perhaps also when you update it.

I installed the 2.x version of Comodo and it nearly brought down my
machine. I don't know why, but I do know it couldn't remember what it
was supposed to allow and every time it got confused, things froze and
its questions were endless and seemed kind of lame - I uninstalled it,
retrieved my system, and would be hesitant to try Comodo again - new
version or not.

My guess is that you don't understand the parent-child relationship
between the caller process that calls the child which does the actual
connection. This is one reason why OA has not included parent-child
control and is only considering adding it later. In Comodo v2, leave
the Component monitor set to "Learn" if you don't want to get the
prompts about the parent wanting to use the child or when different
components happened to be used by the child for a particular
connection. A program may end up touching hundreds of different
components but not always all of them for every connection.

I'll take a look at ProSecurity - never heard of it.

Along with OA, it fared favorably against malware that attempts to
unhook the services into which the HIPS products hook. By
unhooking the HIPS program, it is rendered useless. It also has most of
the features that are found in the top-end HIPS products. ProcessGuard
is long dead (DiamondCS abandoned that product). AppDefend hasn't been
updated in over a year although Jason, its author, had promised needed
and critical fixes would be available in a month (and that was over a
year ago). System Safety Monitor (SSM) has the configurability needed
for a good HIPS but is too easily unhooked. Antihook fared better than
SSM but not as good as OA and ProSecurity. Also, Antihook incurs the
most impact on the system and makes it less responsive.

Just be aware that the free version of ProSecurity is worthless. It is
far too crippled (as are the free versions of SSM and AppDefend). In
fact, some very basic HIPS functions are killed in the free version of
ProSecurity so that it misleads the user regarding its protection. Trial
the paid version to see if you want it. You can trial software in a
virtual machine in VMWare Server (which is free) or under Virtual PC
2007 (also free) so you don't end up polluting your working host.

BTW, since you seem quite knowledgeable, I'll take the liberty of
asking you another question: I'm running NOD32 (new AV version), use
Firefox mostly, and I do use Outlook with a good spam filter. I'm
running XP, SP2. Do you think it is necessary to run an antispyware
program?

Yes, always unless you are a knowledgeable user. The security software
is to cover your butt in case you make a mistake but often you can
severely reduce how much security software you have running if you know
what you are doing (i.e., if you operated the host securely then you
have less dependency on software to do that for you). Even with loads
of security software, the final authority (and often the weakest link)
still resides with the user. Tons of security won't protect a host from
a user that obviates that security. Security software that you don't
understand, don't configure properly, and don't maintain is usually a
weak use of memory and disk space.

I have several anti-malware programs installed to provide for layered
detection of pests but I do NOT run any of them in the background. That
is, I install them but do not load them automatically (for on-access
scanning). Instead I install them and disable them from loading
automatically because I only use them as on-demand scanners. These
include: Lavasoft Ad-Aware, Spybot Search & Destroy, SuperAntispyware,
and AVG AntiSpyware (was ewido).

I do let Windows Defender (WD) load automatically but its detection rate
is poor. I don't use WD to detect pests. I use it to detect changes
that affect the system behavior, like auto-run programs, browser setting
changes, etc. Unlike Prevx (no longer free) which intercepts these
changes to pend them until you authorize them, WD polls the system to
detect the changes. That is why it can never tell you what process made
the change because it always detects the change too late, but it does
detect the changes it was coded to detect and lets you revert if you
decide you didn't want them (whether it was malware or goodware that
made the change). This is very similar to how WinPatrol operates by
*polling* for changes (but WD has more change detections than
WinPatrol). I also use SysInternals Rootkit Revealer and Resplendence
RootKit Hook Analyzer to detect rootkit behavior (which isn't
necessarily bad as some good products, like Daemon Tools, use it). I
also use AVG's AntiRootkit to detect files that are hidden (not the
hidden file attribute but are hidden in the Win32 API system calls to
show files from the file system) which SysInternals will also show.
These tend to duplicate each other in some coverage but have other
detections that I like. SysInternals and AVG have shown me the .sys
driver file that is hidden within the file system that is used by Daemon
Tools, for example. When they tell you something is suspect, YOU have
to figure out if it really is bad or okay. They don't fix anything but
simply notify of suspect targets.

There are some anti-malware programs that some users like that I won't
touch. I won't touch Spyware Doctor due to its past history of using
false positives to prod users to buy the product when they were trialing
it. It had a black history which maybe they've whitened by now.
However, from only what I've read, its coverage of pests isn't that broad.
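The polling-versus-interception distinction described above, as an added example that is not part of the original post or of any product named in it. It snapshots the two classic Run keys (my assumption about which autorun locations to watch; WD covers many more), sleeps, snapshots again and diffs. Like any poller it can say what changed and offer to put it back, but it cannot name the process that wrote the change, because that process finished long before the poll ran:

```powershell
# Added example (not from the thread): a polling autorun change detector.
# Assumptions: the two Run keys below are the locations of interest, and a
# 30-second poll interval is acceptable.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds that are not registry values.
$PsNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunSnapshot {
    # Returns a hashtable: "<key>|<value name>" -> command line string
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props -eq $null) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($PsNoise -contains $p.Name) { continue }
            $snap["$key|$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

function Compare-AutorunSnapshot {
    # Lists entries that were added, removed or modified between two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($entry in $After.Keys) {
        if (-not $Before.ContainsKey($entry)) {
            $changes += New-Object PSObject -Property @{ Change = 'Added'; Entry = $entry; Old = $null; New = $After[$entry] }
        } elseif ($Before[$entry] -ne $After[$entry]) {
            $changes += New-Object PSObject -Property @{ Change = 'Modified'; Entry = $entry; Old = $Before[$entry]; New = $After[$entry] }
        }
    }
    foreach ($entry in $Before.Keys) {
        if (-not $After.ContainsKey($entry)) {
            $changes += New-Object PSObject -Property @{ Change = 'Removed'; Entry = $entry; Old = $Before[$entry]; New = $null }
        }
    }
    return $changes
}

function Undo-AutorunChange {
    # Puts one entry back the way it was: the "revert" a poller can offer
    # after the fact. Never called automatically; the user decides.
    param($Change)
    $key, $name = $Change.Entry -split '\|', 2
    switch ($Change.Change) {
        'Added'    { Remove-ItemProperty -Path $key -Name $name }
        'Removed'  { New-ItemProperty -Path $key -Name $name -Value $Change.Old -PropertyType String | Out-Null }
        'Modified' { Set-ItemProperty -Path $key -Name $name -Value $Change.Old }
    }
}

# Poll loop; run it in a console and press Ctrl+C to stop.
$baseline = Get-AutorunSnapshot
while ($true) {
    Start-Sleep -Seconds 30
    $current = Get-AutorunSnapshot
    foreach ($c in (Compare-AutorunSnapshot -Before $baseline -After $current)) {
        # No process name is available here: by the time the poll runs, the
        # writer has already finished. That is the limitation of polling.
        Write-Host ("{0} {1,-8} {2}  old='{3}' new='{4}'" -f (Get-Date -Format s), $c.Change, $c.Entry, $c.Old, $c.New)
    }
    $baseline = $current
}
```

The syntax is kept to what PowerShell 2.0 accepts, since that is the newest version XP SP2 can run. Shorten the sleep to make the window smaller, but no interval closes it: only a driver that sits in the write path (the interception model the post attributes to Prevx) can hold a change until it is authorized and tell you who asked.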

Thanks an awful lot for clarifying so many things and making
suggestions I can actually use.

I have been running the various anti-spyware programs you
suggest (non-realtime), but wanted an educated opinion about
running any of them realtime. I won't! I do run AVG
AntiSpyware realtime on my portable which goes outside to
various mobile sites etc. - but not on my desktop. I'm also
running OA on the portable along with NOD32 AV.

I also have Process Explorer and check it every so often to
see that I recognize everything running. When I don't, I
google the process to find out what it belongs to.

I will start checking for rootkits periodically as well.

It sounds like I'll stay with the free version of OA for now
and remember paid ProSecurity if I have problems. BTW, OA
does prompt me when a new version is installed such as an
update from Firefox (which I run with NoScript), but it
doesn't give me a reminder every time NOD updates virus
definitions. So in fact, the reminders are becoming pretty
infrequent and I don't mind them - in fact, I like to know
that OA has noticed :)

Another BTW - I run gotomypc.com to access my desktop
from any computer when needed. The last time I ran AVG
AntiSpyware, it found a worm, I deleted it, and since then,
gotomypc isn't working quite right. Citrix has suggested
the "worm" was a false positive. I'm not sure. As soon as
I get a chance, I'll reinstall gotomypc and I'll be more
careful about deleting worms in the future.

Take care and thanks so much for all your help.

Louise
 
FredW

VanguardLH formulated the question :
"louise" wrote in message news:[email protected]...

I saved your complete message, to reread several times more.
;-)
I snipped most, but left some points of interest.

There is no parent-child control in Online Armor's firewall.
The free version doesn't let you backup your settings.
Currently there is no option in OA to block all network access until the
firewall has fully loaded. This means there is a window of opportunity in
which malware could load and also connect.
OA also tries to alleviate the deluge of prompts by downloading a list of
certified good applications;
Be warned that the free version will NEVER retrieve
updates to this certified apps list.
Online Armor is pretty good but it needs several security issues addressed,

For many years I used ZoneAlarm and was a happy user.
But ZA got more and more "features" I did not want or like.

I even used Kerio 2.1.5 for some months and learned how to use it.

Then came Comodo 2.4 and again I had a firewall I liked.
From time to time Comodo asked for a "confirmation" of
decisions I had taken.
Some people regarded this as Comodo "forgetting things",
but I did not mind.
Also I appreciated that Comodo asked for "parent-child"
relations, what was never done by ZA.

Then I read about another newcomer, Online Armor Free.
I uninstalled Comodo and installed OnlineArmor Free.

OA now asked for every program on my PC, my permission
to run or not, not only for going to the outside world
(Internet), but also for running on my PC only.

As Louise already explained both Comodo and OA ask again for
permission when a new version of a program is installed.

OA asks also permission for some(?) parent-child relations.
I had to allow my email-program to start the browser.
I had to allow my newsreader to start the browser.
I had to allow my email checker to start my email program.

Both Comodo and OA allow me to delete entries or selections I made,
so questions can be asked again if I think that is required.

Reading about Comodo 3.0 and Defense+, I do not want to use that
for now, although I understand that some major changes in
Comodo 3 are to be expected.
So I feel my choice is at the moment between Comodo 2.4 and OA 2.1.

For the time being I keep OA 2.1.031.
I do not want a list of "certified" applications.
I can decide for myself what applications I will allow or not.
I connect to the Internet *after* my firewall and av-program
are both up and running.

Today I restored an image of my hard disc and had to setup
the rules for OA again, but ZA required the same after a restore.
It is nice (and useful) to see all the programs present on your PC.
As I understand a new version of OA can be expected any day now.
(will be continued)
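What a parent-child prompt like "allow my newsreader to start the browser" is keyed on, as an added example of my own (not code from the thread, from Online Armor or from Comodo). It reads every process and its parent through WMI's Win32_Process class and prints the ancestry of one program, by default firefox.exe (my assumption, since Louise runs Firefox). The one caveat a practitioner needs is built in: Windows reuses PIDs, so a parent that was created after its supposed child is not the real parent.

```powershell
# Added example (not from the thread): list each process with its parent, as a
# parent-child firewall rule would see it, and resolve the ancestry of one program.
param([string]$ProcessName = 'firefox.exe')   # assumed target; change as needed

$procs = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentProcess {
    # Returns the parent Win32_Process, or $null if it has exited or the PID
    # has since been handed to an unrelated process.
    param($Proc)
    $parent = $byPid[[int]$Proc.ParentProcessId]
    if ($parent -eq $null) { return $null }
    if ($Proc.CreationDate -and $parent.CreationDate) {
        $childStart  = $Proc.ConvertToDateTime($Proc.CreationDate)
        $parentStart = $parent.ConvertToDateTime($parent.CreationDate)
        # A "parent" younger than its child is a recycled PID, not the launcher.
        if ($parentStart -gt $childStart) { return $null }
    }
    return $parent
}

function Get-ParentChain {
    # Walks child -> parent -> grandparent until the chain ends or repeats.
    param($Proc)
    $chain = @()
    $seen = @{}
    while ($Proc -ne $null -and -not $seen.ContainsKey([int]$Proc.ProcessId)) {
        $seen[[int]$Proc.ProcessId] = $true
        $chain += $Proc
        $Proc = Get-ParentProcess $Proc
    }
    return $chain
}

# 1. Every process with its immediate parent: the relation a rule is written on.
$procs | ForEach-Object {
    $parent = Get-ParentProcess $_
    $parentName = '(exited or unknown)'
    if ($parent -ne $null) { $parentName = $parent.Name }
    New-Object PSObject -Property @{
        PID        = $_.ProcessId
        Name       = $_.Name
        ParentPID  = $_.ParentProcessId
        ParentName = $parentName
        Path       = $_.ExecutablePath
    }
} | Sort-Object PID | Format-Table PID, Name, ParentPID, ParentName -AutoSize

# 2. Full ancestry of the chosen program, e.g. who launched the browser.
foreach ($target in ($procs | Where-Object { $_.Name -eq $ProcessName })) {
    $names = @(Get-ParentChain $target | ForEach-Object { "$($_.Name)($($_.ProcessId))" })
    [array]::Reverse($names)
    Write-Host ($names -join ' -> ')
}
```

A browser started from the Start menu shows a chain ending in explorer.exe; one started by a mail reader or newsreader shows that program instead, which is exactly the difference the parent-child prompt asks you to rule on. Note that this is a snapshot of a live table, so a launcher that has already exited shows up as "(exited or unknown)"; a HIPS driver sees the creation event itself and does not have that gap.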
 
louise

FredW said:

I'm not sure if this is parent/child but:

I use a batch file which loads 2 separate parts of one
program and then loads one of the features on my soundcard
(it's a speech recognition program that needs soundcard
adjustment). OA definitely asks me about each section of
the program and again asks me about the soundcard loading.
This seems reasonable and I've now told it to remember.

However, I am on cable and it is "always connected" - so I
suppose there is a brief window of opportunity but I believe my AV
runs first and that's enough.

BTW, I'm running the same version of OA and there are
certified programs. When I get a prompt, it usually informs
me that the particular program in question is not on the
certified list, or is. Go to configuration/programs and
there will be a long list of programs - if you uncheck the
hide/trusted, you'll see them all. You can edit them.

Louise
 
VanguardLH

It's been about a year since the Wilders Security group
(www.wilderssecurity.com) decided to drop the support forum for that
company. When Wilders dropped the dead forum for the stagnant
product, DiamondCS then had to remove the link to the support forums
from their web site (and they never provided their own support
forums). You'll also notice that the revision history is no longer
listed on their redesigned web site (because they don't want you to
know how long it has been since their "new" 3.2 version got released).
You can still find the old DiamondCS forums at Wilders but they have
been archived. Go read
http://www.wilderssecurity.com/showthread.php?t=159189 on why Paul
closed the DiamondCS forums.

If you separately download the manual
(http://www.diamondcs.com.au/downloads/helpfiles/pg-chm.zip) and look
inside the .zip archive file, that .chm file is dated back to July
2006. If you download and install the product from their web site
(into a VM under VMWare Server to eliminate having to uninstall it in
your production/working environment), the latest datestamp for the
installed files is January 20, 2005 (ignore today's datestamp on the
uninst* files since you created those during the install). Do you
really want to use a security product that has seen no updates in
almost 3 years?

Just because there is a site for the product and they're still
accepting money doesn't mean the product has evolved. People were
paying but not getting their serial numbers. It is a dead product
because it went stagnant so it has not kept up with newer malware that
tries to unhook HIPS products or uses different vectors used to infect
a host. After their web site redesign, they were listing 3.2 as the
latest version although users were already using 3.4. Wayne
disappeared over a year ago with the company claiming illness and then
they claimed he came back sometime around this September. But then
why did they drop the support forum just because Wayne got sick, and
why isn't the forum back after he returned, and why wasn't
ProcessGuard getting updated long before his illness and even during
his year-long absence?

ProcessGuard has been a long-time dead HIPS product. Find something
else.
 
