Battle Best Anti-Executable in your opinion? - AppGuard, NVT ERP or VoodooShield ?

hjlbx

Thread author
Which is the best anti-executable in terms of overall user experience:

interface
ease-of-use
features
compatibility
bugs
robust protection

Blue Ridge AppGuard (AG)
NoVirusThanks Exe Radar Pro (NVT ERP)
VooDooShield (VS)

My vote goes to NVT ERP.

AG - best (additional) protections
VS - features/innovation
NVT ERP - in day-to-day use, it has proven to be the most user/system friendly - especially on a busy, changing system
 
hjlbx

Thread author
How does SpyShelter compare as an anti-executable?

@shmu26

EDIT: SpS has a setting "Block all suspicious actions." It is anti-executable - for everything. SpS will throw a block notification balloon in the system tray. However, if you are away from your system when the block occurs, you won't know unless you review the log. (I am submitting a request to have the tray icon turn red when a block event occurs, in addition to the balloon.)

As you know, SpS has a HIPS module. HIPS is basically an anti-executable along with broader protections like blocks of registry writes, process modification, etc. SpS is a pretty good HIPS. It doesn't have the fine-granularity like other HIPS such as COMODO, ESET, or NVT ERP's command line white-listing.

Despite this fact, if you know about vulnerable processes and you aren't executing unknown files willy-nilly, then SpS will do a good job. In other words, if you know how to use SpS, I think it would be difficult for the system to be compromised. The only exception would be some advanced malwares that can bypass HIPS and most any other security soft. I'm talking about nation-state malwares of the same caliber as Stuxnet.

SpS on 64 bit systems has some limitations; it cannot detect process hollowing. There's also a limitation on detecting certain *.dll injections. However, one should use the built-in Virus Total lookup before executing an unknown file. I would also recommend using a virtual machine, Shadow Defender or Sandboxie to do an initial test of any unknown files.

SpS and 64 bit systems is nothing to get too bent out of shape about. All HIPS have limitations of some form on 64 bit systems. Besides, if you aren't executing unknown files regularly without verification, then you have no real need to worry about process hollowing.

Used properly - with SpS you will do a good job of protecting the system. It just takes time and effort to learn - and some practice with malwares.

If you want better HIPS on 64 bit, then I would recommend Emsisoft products. Their behavior blocker is quite good on 64 bit. COMODO has good HIPS, but there is a "disappearing rules" bug - so I cannot recommend it at this time - unless you just use Proactive Security with default settings.

SpS is really light - and requires no signature updates. Whooo-Hoooo !

Combine it with AppGuard and that's pretty good physical system protection.
 
Deleted member 178

Thread author
This is a most interesting conversation. I've long since abandoned NVT because of lack of development. I've been using VoodooShield for a few months now, but I've never heard of AppGuard. It looks very interesting, and apparently very popular amongst members here.

AppGuard is the n°1 anti-exe, despite having some "issues" that would easily be fixed if the devs were more "swift" :D
 

SHvFl

Best is AppGuard. Most convenient is NVT and the middle ground is VS.

VS can become as convenient as NVT by changing some settings.

There is another better anti exe but still in beta. Rehips gets my vote. Also if you use it just for anti exe atm it's basically free with a nag screen at startup.
 

enaph

Best is AppGuard. Most convenient is NVT and the middle ground is VS.

VS can become as convenient as NVT by changing some settings.

There is another better anti exe but still in beta. Rehips gets my vote. Also if you use it just for anti exe atm it's basically free with a nag screen at startup.
But I am not sure if we should talk about AG as an anti-exe solution. IMHO AppGuard is more restriction policy based software than anti-exe ;)
 

askmark

If voodooshield could solve the bug of silently blocking program updates, I think it would be the go-to solution for most users. It's effective, actively developed, and easy.
Dan, the author of VS, has reported on the other forum that this is easy to fix, but he wants to make sure he does it in the most secure and optimum way. Knowing him and how hard he works, I'd be surprised if we didn't see a fix within a week.
 
Windows_Security

AppGuard in default settings allows signed executables to run. That is a smart idea, because less than 4% of the malware is signed and 99% of regular software is signed. The majority of the signed malware used forged signatures, which would not pass a signature validity check.

Cruel Sister tested AppGuard against a signed sample, AppGuard failed, so my hunch is that AppGuard does not check the signature for validity (assuming it is really hard to get a valid signature, most signed malware uses forged signatures).
 
woodrowbone

AppGuard in default settings allows signed executables to run. That is a smart idea, because less than 4% of the malware is signed and 99% of regular software is signed. The majority of the signed malware used forged signatures, which would not pass a signature validity check.

Cruel Sister tested AppGuard against a signed sample, AppGuard failed, so my hunch is that AppGuard does not check the signature for validity (assuming it is really hard to get a valid signature, most signed malware uses forged signatures).

Does anyone know how VoodooShield handles this with forged signatures?

/W
 
509322

Thread author
Cruel Sister tested AppGuard against a signed sample, AppGuard failed, so my hunch is that AppGuard does not check the signature for validity (assuming it is really hard to get a valid signature, most signed malware uses forged signatures).

From the very limited information available, it appears that in that test case a valid digital certificate from one of the vendors on the Trusted Publisher list was applied to the malware sample.

AppGuard verifies Authenticode via a WinAPI; if that API failed in the test - meaning a half-baked forged signature was enough to get the malware to execute without any applied AppGuard protections - then we most certainly want to know about it.
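The distinction the posts above turn on is "carries a signature" versus "signature actually validates". This added example (not AppGuard's, VoodooShield's or any other product's code) uses the built-in Get-AuthenticodeSignature cmdlet, which sits on the same Windows trust machinery, to classify executables under a directory and shows what an allow-list policy would do with each status; the publisher allow-list is a constructed placeholder.

```powershell
# Added example: classify executables by Authenticode status and apply a
# constructed publisher allow-list. Not any product's real Trusted Publisher list.
param(
    [string]$Path = "$env:ProgramFiles",
    [string[]]$TrustedPublishers = @('CN=Example Publisher, O=Example Corp, C=US')  # placeholder
)

function Get-ExecutableTrust {
    param([string]$FilePath, [string[]]$Allowed)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Policy decision: allow only when the chain validates AND the signer is on
    # the allow-list. A signature whose hash no longer matches the file, or that
    # chains to an untrusted root, is treated exactly like an unsigned file.
    $verdict = switch ($sig.Status) {
        'Valid'        { if ($Allowed -contains $subject) { 'Allow' } else { 'Block: signer not on allow-list' } }
        'NotSigned'    { 'Block: unsigned' }
        'HashMismatch' { 'Block: file modified after signing' }
        'NotTrusted'   { 'Block: chain does not end in a trusted root' }
        default        { "Block: $($sig.Status)" }
    }

    [pscustomobject]@{
        File    = $FilePath
        Status  = $sig.Status   # what Windows reports about the signature
        Signer  = $subject
        Verdict = $verdict      # what the allow-list policy would do
    }
}

# Summarise how many files land in each verdict bucket.
Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ExecutableTrust -FilePath $_.FullName -Allowed $TrustedPublishers } |
    Group-Object Verdict |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

A "signed" sample whose certificate chain does not validate shows up here as NotTrusted or HashMismatch rather than Valid, which is the check the thread is asking whether AppGuard performs.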
 
509322

Thread author
AppGuard is not an anti-executable. It is a software restriction policy software with enhanced protections. An anti-executable generates a HIPS-like alert where the user must decide to Allow or Block. AppGuard just blocks. If you haven't allowed it in your policy, then it is denied.

Comparing AppGuard to an anti-executable is like comparing Chateau Margaux (which I drink) to Boone's Farm.
 
