Comodo Antimalware?

Alan D

Does anyone have any experience of using Comodo BOClean Antimalware (free)?
Any recommendations? Discouragements? Does its continual monitoring mess
with Defender's rtp? Or anything else?

Your collective wisdom would be much appreciated by this seeker after truth.
Cheers,
Alan
 
Dave M

Not with BOClean itself, but with Comodo, Alan. They absolutely refuse to
support via email any free products, which I discovered using their
Verification Engine. While I can't blame them with no revenue coming in to
pay for support, at least with Defender you do get the two free support
incidents from Ms as well as this nice forum, so beware of that limitation.
I would like to hear about anyone who's had a successful problem resolution
using the two free Defender incidents though :blush:)

However, to be fair, Comodo does maintain a web forum presence, so I'd
immediately join their newsgroups/forums if you decide to go that route.

http://forums.comodo.com/comodo_boclean_antimalware-b83.0/

I've heard that their users either really love or hate BOClean, so let us
know how you fare, sorry I can't give more help.
 
Neil Pike

Alan - I run it and have no issues (I have Defender too). Not that it's ever
caught/logged anything, but then I'm very careful where I go and what I do
anyway.
 
Vanguard

in message
Does anyone have any experience of using Comodo BOClean Antimalware
(free)? Any recommendations? Discouragements? Does its continual
monitoring mess with Defender's rtp? Or anything else?


BOClean is getting dated, as even its author will admit. It still has
decent protection but is significantly limited when compared to other
IPS (intrusion protection system) software. It is a simple IPS that
will eventually get integrated into Comodo's anti-virus product along
with improvements to make it comparable to current IPS products (well,
for the freebie versions of current IPS products). Their firewall
already incorporates a rudimentary IPS feature (via the application
rules along with component checking). That is, their firewall includes
IPS for processes that want to get a connection and later their
anti-virus will include IPS to control what can load into memory
(nothing runs unless it gets into memory). It looks like IPS isn't
getting into the AV product until the next version which is expected
sometime around September. Their current anti-virus 2.0 (beta) is a
real pig for memory. So was their last version. They are promising to
reduce memory consumption in version 3.0 which is also supposed to
include IPS (i.e., BOClean with significant improvements).

In the meantime, look to DiamondCS ProcessGuard. It has been the IPS
gold standard for awhile but it, too, has fallen behind. I now use
System Safety Monitor (SSM). However, all IPS programs will end up
prompting you relentlessly at the beginning to get your permission to
allow programs to load into memory and the callers of those programs to
load that program. It has a learn mode. If you are absolutely sure
your host is clean, enable learn mode and then run every application you
have, including calling apps from within other apps, like clicking on a
URL link in an e-mail displayed in your e-mail program, sending mail
from the web browser, and so on. Also reboot your host so it learns
what is allowed to load on boot. Both ProcessGuard and SSM have learn
modes. When learning is done, make sure to turn off the learning mode.

Using either ProcessGuard or SSM you can, for example, prevent
Microsoft's WGA from running on startup. Easier than all the other
suggested methods of deleting files and editing registry entries. If a
program can't load into memory, it can't run. However, it will be up to
you to decipher the prompts to decide whether or not to let a program
load once or always. IPS programs are not for newbies. You have to
know some about the OS, your applications, and be willing to
investigate when a prompt asks you about something you don't know or are
unsure of.

I currently have a problem with SSM with its update operation because it
refuses to communicate with the Comodo firewall (which has its own IPS
function). I have to temporarily disable the firewall to let SSM get
updated. IPS programs don't have whitelists, blacklists, or signatures
to constantly get downloaded as do anti-virus or IDS (intrusion
detection system) programs, like Windows Defender. That's not how they
work. The intention of IPS is to prevent, not to detect late and then
attempt a cure. I'm not concerned about ensuring that I have the latest
version of SSM installed, and I can disable the firewall and check at
monthly intervals, or longer, to see if there happens to be a new
version available (or just visit their download page).

I've only used the free versions of ProcessGuard and now SSM. The paid
versions afford more protection. However, if I was to pay, I'd
investigate more into the AntiHook product since I have seen some
exploits get past the freebie version of ProcessGuard (which is flawed
on letting rundll.exe execute without also matching on the parameters to
know what it is running, something that SSM easily catches) and have
read about some exploits for SSM.

Because the point of IPS is to prevent and not cure, if you allow IE,
services.msc, or any other allowed program to make changes to your
system, like the browser's home page or to the hosts file then the IPS
program isn't going to stop it. You allowed that program to run or
allowed a caller to load that program. That's why I still use Windows
Defender to detect (albeit late) any changes which then prompts me so,
if I disallow, then WD will attempt to undo. PrevX is better in that it
pends the change instead of polling for changes (which means WD detects
the change late, after the process is gone, and why WD cannot identify
the culprit that made the change). WinPatrol works the same way as WD.
With PrevX, the change isn't allowed until you choose to allow it (or
opted to remember a prior same change). Alas, the research version of
PrevX is no longer free. PrevX is an IDS (intrusion detection system)
program that detects the same changes as does WD but PrevX pends them
until allowed unlike WD that allows them and then prompts to let you
undo them.
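
The rundll point in the post above (an allow rule keyed on the program name alone versus one that also matches the parameters), as an added example that is not part of the original post and is not code from ProcessGuard or SSM. The `rundll32.exe` image name, the paths, the command lines and the rule format are constructed assumptions.

```python
import ntpath

# Binaries that only run code named in their arguments (assumed, minimal list).
HOST_PROCESSES = {"rundll32.exe"}

# Constructed learn-mode history: command lines the user chose to allow.
LEARNED = [
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r'"C:\Windows\System32\notepad.exe"',
]

# Constructed launch requests seen after learn mode was switched off.
REQUESTS = [
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r"C:\Windows\System32\rundll32.exe C:\Temp\unlearned.dll,Entry",
    r"C:\Windows\System32\notepad.exe",
]


def parse(cmdline):
    """Return (image name, DLL named on the command line or None)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        exe, _, rest = cmdline[1:].partition('"')
    else:
        exe, _, rest = cmdline.partition(" ")
    image = ntpath.basename(exe).lower()
    dll = None
    if image in HOST_PROCESSES and rest.strip():
        # rundll32 syntax is <dll>,<entry point> [arguments]
        dll = rest.strip().split(",", 1)[0].strip('"').lower()
    return image, dll


def key(cmdline, match_args):
    """Policy key: image alone, or image plus the DLL it was asked to load."""
    image, dll = parse(cmdline)
    return (image, dll if match_args else None)


def decide(match_args):
    """Allow a request only if its key was recorded in learn mode."""
    policy = {key(c, match_args) for c in LEARNED}
    return ["allow" if key(r, match_args) in policy else "prompt"
            for r in REQUESTS]


if __name__ == "__main__":
    print("image only      :", decide(match_args=False))
    print("image + DLL arg :", decide(match_args=True))
```

With image-only matching, the second request rides on the earlier approval of the host binary; with argument matching, it produces a fresh prompt.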
 
Alan D

BOClean is getting dated, etc etc.

My goodness - thanks very much indeed for such a detailed and thorough reply
to my query. This is really useful stuff. I suppose my immediate reaction is
to question whether I really want to go down this road at all, but I'll work
through what you've said very slowly and carefully to make sure I understand
it properly. Thanks again.
 
Robinb

I tried the Comodo free firewall and did not like it.
I also tried their malware program and it is very flaky too.
robin
 
Guest

Hello Alan,
No Problem at all using Comodo Firewall and BOClean with Defender's Real
Time Protection enabled on Win XP SP2 with 512 MB Ram. BOClean does not scan
your PC; it works as a Motion Detector, monitoring your system for any
malware that attempts to start up and that has passed your various scanners.
So I personally consider this Product as my last line of defense! I hope
this could help you!
 
Guest

Pierre-Richard said:
No Problem at all using Comodo Firewall and BOClean with Defender's Real
Time Protection enabled on Win XP SP2 with 512 MB Ram. BOClean does not scan
your PC; it works as a Motion Detector, monitoring your system for any
malware that attempts to start up and that has passed your various scanners.
So I personally consider this Product as my last line of defense!

Thanks Pierre-Richard. As Dave M pointed out, it does seem to evoke a kind
of love it/hate it polarisation among its users. It's interesting to see this
range of views, albeit a little bewildering!
 
Guest

Yes! This is even true for any piece of software, like-unlike! I think each
user has to configure his PC in its own, personal manner. It is important to
have an overview of Software available and then make a personal choice.
Sometimes this needs testing a product!
 
Robinb

I tested Comodo firewall on my test computer and found that it doesn't
remember as well as it should.
When I allowed certain programs as permanent it still came up asking me if I
wanted to allow them.
And it was very annoying. I uninstalled it and went to the free Zone Alarm
and found that to remember a lot more than the Comodo one. Also I have the
Comodo antispyware on it 2005 and funny how it has not been updated to a
newer version and it is a bit quirky too.
robin
 
Alan D

However, if I was to pay, I'd investigate more into the AntiHook product
since I have seen some exploits get past the freebie version of
ProcessGuard

There's a free version of AntiHook. Has anyone here tried it?
 
Vanguard

Alan D said:
There's a free version of AntiHook. Has anyone here tried it?


The free version (for home users only) is 2.6. The latest version is
3.0. See
http://www.infoprocess.com.au/AntiHook30.php?topic=upgrade#posn1 for
what 2.6 doesn't have.

Remember that if you don't understand the prompts then the product is
not just worthless but actually hazardous. Get ready for an education
in your OS and apps.

Before installing any IPS, make sure to save an image of your OS
partition or do backups. If the IPS screws up, your OS won't load.
Before installing, visit their forums to get an idea of what problems
might arise from using them (but remember that forums exist to report
problems so there is a strong negative bias).

Read:

http://wiki.castlecops.com/HIPS/IDP_programs/services

Note that these are listing features of the latest versions while the
free versions are the prior version (and the free version of SSM is
lacking some of the full version features).
 
Alan D

Vanguard said:
Remember that if you don't understand the prompts then the product is not
just worthless but actually hazardous. (etc....)

Thanks for this timely warning, which has tipped the balance. It sounds as
though this is something I should investigate only when I have a lot more
time on my hands than I do at present!
 
