64 bit systems and HIPS

[shmu26]

I think, generally, an outbound firewall with alerts for most users is a good thing

what do you say about glasswire, to keep the user informed?

 

[hjlbx]

what do you say about glasswire, to keep the user informed?

Very simple to use. Get's the job done.

 

[Behold Eck]

I agree with you.

I think, generally, an outbound firewall with alerts for most users is a good thing. It's very unfortunate that this is not an integral capability of Windows Firewall.

* * * * *

If you use COMODO Internet Security and set the firewall to block all outbound connections for Untrusted\Unknown processes (which means that they should be auto-sandboxed), then that is exactly what TinyWall does (without any sandboxing). The firewall behavior is identical for both products... with that firewall setting, COMODO does not generate any alerts and TinyWall does the same - always.

The advantage to COMODO is that you can set the firewall to generate alerts.

As for sandboxing, rollback or user profile isolation with the ability to delete the maliciously modified user profile and "regenerate" the complete clean, base-line user profile are more comprehensive and effective protection mechanisms.

But I do admit, this gets into "splitting hairs" territory...

That`s right @hjlbx

if only Microsoft would give an option even to enable outbound filtering on their for advanced users but as always to much to ask for.

Tinywall might be a good option for my son`s laptop ? He doesn`t like alerts and is apt to remove the app to avoid this(...I know) but I`ll try Comodo first on silent mode with password protection on to seehow it goes ?

Nothing wrong with splitting hairs or worrying about the pinhole sized flaw in a fortresslike defence setup when other folks trundle on with only the most basic protection,oblivious to all.

Just wondering about how good any of these security apps are at defending themselves from attack.

Hence I like the floating toolbar approach once it disappears at least you know somethings up.

Regards Eck

 

[Tony Cole]

May I ask, not too sure if this is "off topic." With AppGuard do you need exploit protection?

 

[hjlbx]

May I ask, not too sure if this is "off topic." With AppGuard do you need exploit protection?

Not really.

I watched AppGuard protect the system after a nasty browser exploit. The exploit abused Windows trusted processes, but AppGuard blocked execution of the malicious *.tmp.

As long as you have commonly exploited apps added to Guarded Apps list and keep them updated, you should be fine. If you want to protect the system earlier during an exploit, then you can add most of the vulnerable Windows processes to User Space (YES) = disable them - but there is no absolute need to do so.

Even if a malicious process somehow manages to get onto your system, Locked Down mode will prevent its execution.

 

[Tony Cole]

What vulnerable windows processes should I add?

 

[hjlbx]

What vulnerable windows processes should I add?

https://malwaretips.com/threads/vulnerable-processes.56154/#post-539836

 

[Tony Cole]

Should I restrict access to C:\ProgramData\*

 

[hjlbx]

Should I restrict access to C:\ProgramData\*

You can, but it might break something. If it does, just allow full access to C:\ProgramData.

 

[Tony Cole]

Thanks hjlbx

 

[Deleted member 178]

That`s right @hjlbx

if only Microsoft would give an option even to enable outbound filtering on their for advanced users but as always to much to ask for.

it does, (it just doesn't generate prompts) , you just have to do the rules manually.

 

[Behold Eck]

it does, (it just doesn't generate prompts) , you just have to do the rules manually.

That`s what I mean`t "prompts" without all the hassle of creating rules for everything.

Regards Eck

 

[koletz]

Another Great another improvements of Spyshelter regarding process hollowing in 10.8.7
Will test more in next 24 hours

 

[shmu26]

Actually, it's not very important whether SpyShelter can block process hollowing or not, because an unknown file won't even be able to execute in the first place, unless it has a signature from a trusted vendor. And that would be a very rare case.

 

[Exterminator]

@Jeff_T - Testing Group is Hjlbx he works for Appguard.
Off topic conversations removed

 

[vivid]

Any product that relies only on vulnerable applications list is not safe. COM protection is more important. Hype.

 

[shmu26]

Any product that relies only on vulnerable applications list is not safe. COM protection is more important. Hype.

could you please elaborate?
are you maybe referring to SpS? It has an anti-executable function, i.e., it is default/deny. Please explain about the vulnerable applications list, because I didn't even know that SpS has such a thing. I was not able to get a clear answer from their support about that issue.

 

[vivid]

Sure. Having a list of vulnerable processes means nothing to me. When you run into a malicious application it's very possible that it will not rely on any third party application or command line. A better approach is to create an interface in order to communicate and it depends on your operating system and installed programs. Do you guys really think that one application will always launch trough a VBScript interpreter? What I meant is that I find this attention towards the so called vulnerable processes to be unnecessary compared to others.

 

[Mr.X]

COM protection is more important

What is COM protection?
I swear I did a google search but found nothing unless you are talking about this technology:
COM: Component Object Model Technologies

 

[vivid]

It's the Microsoft way to interconnect software. Component Object Model.