Re: Fred W - re NOD32 and Online Armor
- From: louise <louise@xxxxxxxxxxxxxxx>
- Date: Wed, 05 Dec 2007 09:57:36 -0500
VanguardLH wrote:
"louise" wrote in message news:5rmnomF15ht5fU1@xxxxxxxxxxxxxxxxxxxxx
I don't understand however, why I would care if I got their automatic updates for newly approved programs. I don't install new programs every day by any means, and when I do, I don't mind answering the questions about what I want to allow - especially since there is a "remember" checkbox. Is there another reason to get the paid version?
The point of their certified list is to eliminate the prompts. Once you've installed OA, and after running every application on your host to ensure they get detected (so you answer THOSE prompts for apps that are not on their list), you can run OA without any further updates if you don't care about getting prompts when: (1) You install new applications; and, (2) After any update to those applications (like you run Windows Updates, Adobe Reader updates, program updates for anti-virus software, etc). Without the certified list, and only if it includes the programs that YOU have installed, you will get the prompts for every new program that you install and perhaps also when you update it.
I installed the 2.x version of Comodo and it nearly brought down my machine. I don't know why, but I do know it couldn't remember what it was supposed to allow and every time it got confused, things froze and its questions were endless and seemed kind of lame - I uninstalled it, retrieved my system, and would be hesitant to try Comodo again - new version or not.
My guess is that you don't understand the parent-child relationship between the caller process that calls the child which does the actual connection. This is one reason why OA has not included parent-child control and is only considering adding it later. In Comodo v2, leave the Component monitor set to "Learn" if you don't want to get the prompts about the parent wanting to use the child or when different components happened to be used by the child for a particular connection. A program may end up touching hundreds of different components but not always all of them for every connection.
I'll take a look at ProSecurity - never heard of it.
Along with OA, it fared favorably against malware that attempts to unhook the services into which the HIPS products hook. By unhooking the HIPS program, it is rendered useless. It also has most of the features that are found in the top-end HIPS products. ProcessGuard is long dead (DiamondCS abandoned that product). AppDefend hasn't been updated in over a year although Jason, its author, had promised needed and critical fixes would be available in a month (and that was over a year ago). System Safety Monitor (SSM) has the configurability needed for a good HIPS but is too easily unhooked. Antihook fared better than SSM but not as good as OA and ProSecurity. Also, Antihook incurs the most impact on the system and makes it less responsive.
Just be aware that the free version of ProSecurity is worthless. It is far too crippled (as are the free versions of SSM and AppDefend). In fact, some very basic HIPS functions are killed in the free version of ProSecurity so that it misleads the user regarding its protection. Trial the paid version to see if you want it. You can trial software in a virtual machine in VMWare Server (which is free) or under Virtual PC 2007 (also free) so you don't end up polluting your working host.
BTW, since you seem quite knowledgeable, I'll take the liberty of asking you another question: I'm running NOD32 (new AV version), use Firefox mostly, and I do use Outlook with a good spam filter. I'm running XP, SP2. Do you think it is necessary to run an antispyware program?
Yes, always unless you are a knowledgeable user. The security software is to cover your *** in case you make a mistake but often you can severely reduce how much security software you have running if you know what you are doing (i.e., if you operated the host securely then you have less dependency on software to do that for you). Even with loads of security software, the final authority (and often the weakest link) still resides with the user. Tons of security won't protect a host from a user that obviates that security. Security software that you don't understand, don't configure properly, and don't maintain is usually a weak use of memory and disk space.
I have several anti-malware programs installed to provide for layered detection of pests but I do NOT run any of them in the background. That is, I install them but do not load them automatically (for on-access scanning). Instead I install them and disable them from loading automatically because I only use them as on-demand scanners. These include: Lavasoft Ad-Aware, Spybot Search & Destroy, SuperAntispyware, and AVG AntiSpyware (was ewido).
I do let Windows Defender (WD) load automatically but its detection rate is poor. I don't use WD to detect pests. I use it to detect changes that affect the system behavior, like auto-run programs, browser setting changes, etc. Unlike Prevx (no longer free) which intercepts these changes to pend them until you authorize them, WD polls the system to detect the changes. That is why it can never tell you what process made the change because it always detects the change too late, but it does detect the changes it was coded to detect and lets you revert if you decide you didn't want them (whether it was malware or goodware that made the change). This is very similar to how WinPatrol operates by *polling* for changes (but WD has more change detections than WinPatrol). I also use SysInternals Rootkit Revealer and Resplendence RootKit Hook Analyzer to detect rootkit behavior (which isn't necessarily bad as some good products, like Daemon Tools, use it). I also use AVG's AntiRootkit to detect files that are hidden (not the hidden file attribute but are hidden in the Win32 API system calls to show files from the file system) which SysInternals will also show. These tend to duplicate each other in some coverage but have other detections that I like. SysInternals and AVG have shown me the .sys driver file that is hidden within the file system that is used by Daemon Tools, for example. When they tell you something is suspect, YOU have to figure out if it really is bad or okay. They don't fix anything but simply notify of suspect targets.
There are some anti-malware programs that some users like that I won't touch. I won't touch Spyware Doctor due to its past history of using false positives to prod users to buy the product when they were trialing it. It had a black history which maybe they've whitened by now. However, from only what I've read, its coverage of pests isn't that broad.
Thanks an awful lot for clarifying so many things and making suggestions I can actually use.
I have been running the various anti-spyware programs you suggest (non-realtime), but wanted an educated opinion about running any of them realtime. I won't! I do run AVG AntiSpyware realtime on my portable which goes outside to various mobile sites etc. - but not on my desktop. I'm also running OA on the portable along with NOD32 AV.
I also have Process Explorer and check it every so often to see that I recognize everything running. When I don't, I google the process to find out what it belongs to.
I will start checking for rootkits periodically as well.
It sounds like I'll stay with the free version of OA for now and remember paid ProSecurity if I have problems. BTW, OA does prompt me when a new version is installed such as an update from Firefox (which I run with NoScript), but it doesn't give me a reminder every time NOD updates virus definitions. So in fact, the reminders are becoming pretty infrequent and I don't mind them - in fact, I like to know that OA has noticed :-)
Another BTW - I run gotomypc.com to access my desktop from any computer when needed. The last time I ran AVG AntiSpyware, it found a worm, I deleted it, and since then, gotomypc isn't working quite right. Citrix has suggested the "worm" was a false positive. I'm not sure. As soon as I get a chance, I'll reinstall gotomypc and I'll be more careful about deleting worms in the future.
Take care and thanks so much for all your help.
Louise
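The polling approach VanguardLH describes for Windows Defender and WinPatrol (snapshot the autorun locations, compare again later, report what changed but never which process changed it) can be reproduced in a few lines of PowerShell. This is an added example, not code from the thread or from any of the products named in it; the four Run/RunOnce registry paths and the 30-second interval are assumptions, and the loop runs until you stop it.

```powershell
# Added example (not from the thread or any product named in it):
# poll the classic autorun registry keys, snapshot them, and report
# additions, removals and changes between polls.
# The key list and the interval are assumptions; adjust as needed.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunSnapshot {
    # Returns a hashtable: "<key>\<valuename>" -> command line string
    $snap = @{}
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds
            if ($prop.Name -like 'PS*') { continue }
            $snap["$key\$($prop.Name)"] = [string]$prop.Value
        }
    }
    return $snap
}

function Compare-AutorunSnapshot {
    param([hashtable]$Old, [hashtable]$New)
    $changes = @()
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Added';   Entry = $k; Old = $null;    New = $New[$k] }
        } elseif ($Old[$k] -ne $New[$k]) {
            $changes += [pscustomobject]@{ Change = 'Changed'; Entry = $k; Old = $Old[$k]; New = $New[$k] }
        }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Removed'; Entry = $k; Old = $Old[$k]; New = $null }
        }
    }
    return $changes
}

# Take a baseline, then poll. Like WD and WinPatrol, this only ever sees
# the *result* of a change, never the process that made it; that is the
# inherent limit of polling versus interception.
$baseline = Get-AutorunSnapshot
$intervalSeconds = 30   # assumption
while ($true) {
    Start-Sleep -Seconds $intervalSeconds
    $current = Get-AutorunSnapshot
    $diff = @(Compare-AutorunSnapshot -Old $baseline -New $current)
    if ($diff.Count -gt 0) {
        $diff | Format-Table -AutoSize
        # Whether to revert is the user's call; to accept the new state,
        # refresh the baseline so it is not reported again.
        $baseline = $current
    }
}
```

Run it in an elevated PowerShell window if you want the HKLM keys read reliably. Attributing the change to a process, as VanguardLH says Prevx does, would require hooking or a registry callback driver rather than a scheduled comparison, which is exactly why a poller can only tell you what changed and not who changed it.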