Best Behaviour Blocking

Der.Reisende

Dec 27, 2014
It's possible that Emsisoft Anti-Malware and HitmanPro.Alert may conflict, especially if you don't white-list both software in each product. However if anyone uses both in combination, let me know if it works well.

The reason I suspect it may potentially cause conflict is because since Emsisoft Anti-Malware has a Behaviour Blocker feature, it will work the same way other BB/HIPS systems work, usually via API hooking (so it can monitor the actions and intercept when necessary). Depending on how HitmanPro.Alert works, this may cause a conflict, since I believe HitmanPro.Alert will most likely attempt to detect hooks and repair them/notify the user of the manipulation (e.g. especially for browser processes to identify the browser becoming compromised).

Therefore, if Emsisoft does set hooks and then HMA starts detecting these and alerting the user about them = conflict. Even worse if it tries to repair them, and then Emsisoft tries to put them back in place, and it can continue in a loop.

However, this is all just guesses; of course it would be a good idea to test and see if there is a conflict (I'd be interested in hearing about this). Maybe if I get the chance I will test it myself, if no one else currently uses both in combination to provide the feedback.
Would be interested, too.
I had EIS v11 running next to HMP.A; they didn't conflict, however I did not throw any malware at them. For HUB purposes, I uninstalled HMP.A so I would not need to shut it down multiple times via the Task Manager (it used to restart). HMP.A is currently running on my main PC only, next to CF, without any conflicts. It even did not conflict when Q360 TSE joined the party.

As for the HUB results, I agree, take everything with a grain of salt. CIS managed to not sandbox a ransomware once; however, this could not be repeated, and it has never appeared again yet. For sure something was wrong with the PC, or there was a conflict with other ransomware / malware samples sitting in the sandbox as well, which can even cause BSODs.

I've not whitelisted CF in HMP.A or the other way around; I only turned off Control-Flow Integrity in HMP.A (stops ROP attacks according to its description - please don't ask me what it does, I only know it conflicts with legit Photoshop Elements v12+13).
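The hook/repair loop speculated about in the quoted post, as a constructed model added here (not Emsisoft's or HitmanPro.Alert's code): the "import table" is an array of function pointers and both products are plain C functions, so the interplay runs on any platform. It also shows the quieter failure the post hints at: once the anti-exploit "repairs" the entries, the behaviour blocker no longer sees any calls.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model, not any product's code: the "APIs" are plain C functions
 * and the "import table" is an array of function pointers, so the interplay
 * runs on any platform instead of touching a real Windows IAT. */
typedef int (*api_fn)(const char *);
#define N_API 2
static int real_create_file(const char *p) { (void)p; return 1; }
static int real_write_file(const char *p)  { (void)p; return 1; }
/* What the loader wrote (pristine exports) and the live table both sides touch. */
static const api_fn pristine[N_API] = { real_create_file, real_write_file };
static api_fn iat[N_API];

/* Behaviour blocker (BB): its hooks record the call, then forward it. */
static int bb_seen = 0;
static int bb_create_file(const char *p) { bb_seen++; return real_create_file(p); }
static int bb_write_file(const char *p)  { bb_seen++; return real_write_file(p); }
static const api_fn bb_hooks[N_API] = { bb_create_file, bb_write_file };

/* BB (re)installs its hooks; returns how many entries it actually changed. */
static int bb_install(void) {
    int changed = 0;
    for (size_t i = 0; i < N_API; i++)
        if (iat[i] != bb_hooks[i]) { iat[i] = bb_hooks[i]; changed++; }
    return changed;
}

/* Anti-exploit (AE): an entry that differs from the pristine export is a hook;
 * with repair != 0 it is restored as well. Returns the number of hooks found. */
static int ae_scan(int repair) {
    int found = 0;
    for (size_t i = 0; i < N_API; i++)
        if (iat[i] != pristine[i]) { found++; if (repair) iat[i] = pristine[i]; }
    return found;
}

/* Let both products act on the same table. Returns how many rounds ended with
 * an AE alert; max_rounds is the cap that keeps the repair/re-hook loop finite. */
static int simulate(int repair, int max_rounds) {
    int alerts = 0;
    memcpy(iat, pristine, sizeof iat);
    for (int r = 0; r < max_rounds; r++) {
        int changed = bb_install();
        int found = ae_scan(repair);
        if (found) alerts++;
        if (!changed || !found || !repair) break; /* table has settled */
    }
    return alerts;
}
/* After things settle: does a call through the table still reach the BB? */
static int bb_still_sees_calls(void) {
    int before = bb_seen; iat[0]("constructed.txt"); return bb_seen > before;
}
```

With alert-only scanning the table settles after one alert and the BB keeps its visibility; with repair enabled the two sides re-hook and re-repair until the cap, and afterwards the BB is blind.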
 

Wave

taskmanager is the ONLY way to shut it down.
Oh, okay then, that does make sense actually. I hope they protect Task Manager against injection attacks then, and implemented some sort of verification to make sure only the genuine Task Manager can close it down (e.g. so if malware masked itself as Task Manager by stealing the same file-name it wouldn't be accepted to open a handle to the HMP.A process and terminate it).
 

Der.Reisende

Dec 27, 2014
taskmanager is the ONLY way to shut it down.
Correct, no "Exit" option employed in HMP.A.

HitmanPro.Alert has no self-protection mechanisms? Interesting, I would have thought it'd have had this already. I'm sure the development team had a good reason for not adding this though.
It restarts if you're too slow shutting down the two processes in TM.
And it tends to shut down every application in which it thinks it has detected an exploit / attack. That's the reason I had to turn off one layer in the Photoshop it monitors, next to many other apps like Google Chrome and SoftMaker Office.
The GUI is quite well done for that, showing icons for all monitored apps; clicking on them will open a window with many, many options.

Would be interested whether a malware managed to shut down HMP.A yet :)
 

Deleted member 2913

Love it or hate it, when I had a personal laptop, it was always Comodo FW & no AV, nothing... If you know how to use CFW, there's no need for other software. And no BB, System Watcher, Rollback Mechanism, Active Threat Control, Sonar, etc. compares with Comodo AutoSandbox... Light & solid protection, with the ease of running programs in the sandbox manually too.
 

shmu26

Jul 3, 2015
Love it or hate it, when I had a personal laptop, it was always Comodo FW & no AV, nothing... If you know how to use CFW, there's no need for other software. And no BB, System Watcher, Rollback Mechanism, Active Threat Control, Sonar, etc. compares with Comodo AutoSandbox... Light & solid protection, with the ease of running programs in the sandbox manually too.
COMODO autosandbox is perfect in theory but imperfect in practice. You need some expertise to really make it work the way you want.
 

SHvFl

Nov 19, 2014
COMODO autosandbox is perfect in theory but imperfect in practice. You need some expertise to really make it work the way you want.
Or you make it block everything unknown and stop trying to run things sandboxed, because if you don't trust something, don't run it in general.
 

Deleted member 2913

COMODO autosandbox is perfect in theory but imperfect in practice. You need some expertise to really make it work the way you want.
As I said, if the user knows how to use it then it's not a problem... just don't unnecessarily go & enable settings here & there, as cruelsister says.

Heck, I even like CCAV, but I cannot use it on the family system; as said, users need to know how it works / how to work with it.
 

shmu26

Jul 3, 2015
What do you mean by that? I don't really know the product.
What I mean is that you are likely to get unexpected behavior from COMODO. Things that you think should not be autosandboxed might end up in the sandbox, and vice versa. COMODO is a favorite tool for expert users, but intermediate users and below are likely to end up frustrated.

I know the COMODO lovers will respond that this only happens to you if you play around with the advanced settings, but I wanna tell you, it happened to me even at default settings. There are enough videos around that demonstrate how COMODO is capable of unexpected behavior...
 

koko

Thread author
Sep 28, 2013
What I mean is that you are likely to get unexpected behavior from COMODO. Things that you think should not be autosandboxed might end up in the sandbox, and vice versa. COMODO is a favorite tool for expert users, but intermediate users and below are likely to end up frustrated.

I know the COMODO lovers will respond that this only happens to you if you play around with the advanced settings, but I wanna tell you, it happened to me even at default settings. There are enough videos around that demonstrate how COMODO is capable of unexpected behavior...

Thank you for the clarification. I have not tested Comodo yet; I will in a VM. I am interested now :)
 

shmu26

Jul 3, 2015
Thank you for the clarification. I have not tested Comodo yet; I will in a VM. I am interested now :)
Enjoy. You might be very happy with it, many people are. Testing in a VM is probably a good idea, because it does not uninstall very cleanly.

The heart of COMODO is the autosandbox. Therefore, you can install COMODO Firewall, which does not have an AV component. (The AV component is so-so at best.) And if you want to really see the autosandbox do its stuff, put COMODO in interactive mode.

You can disable HIPS, most people do.

If you want top protection, don't install COMODO cloud. The autosandbox is not as strong.
 

koko

Thread author
Sep 28, 2013
Enjoy. You might be very happy with it, many people are. Testing in a VM is probably a good idea, because it does not uninstall very cleanly.

The heart of COMODO is the autosandbox. Therefore, you can install COMODO Firewall, which does not have an AV component. (The AV component is so-so at best.) And if you want to really see the autosandbox do its stuff, put COMODO in interactive mode.

You can disable HIPS, most people do.

If you want top protection, don't install COMODO cloud. The autosandbox is not as strong.

Thanks for the tips :D
 

jamescv7

Mar 15, 2011
So far, Emsisoft BB is the most accurate in terms of detecting suspicious behavior, with the help of the improved AMN, which makes the information it provides clearer.

Next goes to F-secure as their DeepGuard adds cloud analysis to determine the suspicious behavior.

Don't get me wrong; Norton (Sonar), Trend Micro BB, and even BD (AVC) manage to perform well in the standard manner.

---------------------------------

However the best choice of protection layer goes to Anti-EXE or HIPS; you need to configure carefully to avoid issues. Sometimes a user must exert effort to understand the flow of protection; automation is not bad but not a permanent solution.
 

AtlBo

Dec 29, 2014
For me the choice is 360 TS + Private Firewall (21 types of behavior monitors per process) + MBAM Pro + EMET 5.2

The first two are far and away the most important as far as system use goes. On this system I think MBAM has had maybe 2 web hits over the last year? That's all, with no local behaviors that I can recall. 360 TS and PF I think are the reason MBAM doesn't see much action on this system. 360 has scored a number of hits, many FPs, but none that I found unwarranted. These include the case of key readers and certain programs that read the clipboard or monitor keystrokes. Also, things like downloaded gadgets might be flagged on W7. I do testing, and things like the Gibson leak test get flagged. EMET is supposed to be about advanced memory mitigation and blocking malicious use of memory. I want to learn more about how to use EMET for sure.

I am looking forward to seeing where BB goes with the standard AV/FW packages. I have seen what Emsisoft can do, and I like the extra information. I think I would like to try gData based on that thinking, but I will have to be able to find a spare PC and an opportunity, because I don't want to lose rules in 360. Also, I value the sandbox in 360 for this main PC.
 

shmu26

Jul 3, 2015
EMET is supposed to be about advanced memory mitigation and blocking malicious use of memory. I want to learn more about how to use EMET for sure.
For some reason, EMET doesn't get talked about so much here on MT. I think the folks here prefer HitmanPro.Alert, despite the price, or they go for AppGuard, which basically makes everything else pretty much obsolete.
 
