Bitdefender: protection against installation of malware drivers?

Status
Not open for further replies.

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
This is what BD intrusion protection does at its lowest level, which seems to be the default setting.
Is protection against malware drivers a standard feature of most AV software?
I am asking because Spyshelter free also has this protection, and I am wondering if that is a potential conflict.

shmu26
This is what Daniel Brom at SpyShelter says:

As far as I have tested them on Windows 7/8.1/10 in the past few days, there were no conflicts. However, every system configuration is different, so you must see it for yourself - you are in charge of your own security.
hjlbx

> This is what BD intrusion protection does at its lowest level, which seems to be the default setting.
> Is protection against malware drivers a standard feature of most AV software?
> I am asking because Spyshelter free also has this protection, and I am wondering if that is a potential conflict.

Since SpS has a HIPS, it could conflict with BD.

SpS doesn't conflict with NVT ERP, but Webroot shuts down its HIPS.

So I think it is dependent upon soft and system - like Brom states.

With BD, you'd be better off using NVT ERP because it monitors system-wide - unless you want SpS for the anti-logging feature; for the most part, SpS white-lists C:\Windows, whereas with NVT ERP you can adjust settings to monitor C:\Windows. One exception is the installation of drivers (action 39).

SpS is tricky. If you don't know malware behaviors, you can still get infected. SpS doesn't detect Hollow Process on 64 bit systems and can't detect memory modification of child processes either.

Whether you use SpS or NVT ERP, the best thing to do is to terminate\block and then do some research on the file.

Never allow an application from User Space (C:\Users, AppData, ProgramData, Temp, etc.) to execute a file in System Space - if the file is unknown. This is great advice from @Online_Sword.

shmu26
Thanks.
I am in the process of trying out SecureAPlus. So far I like it.
I was using spyshelter free edition until now, and I thought I would keep it, to give me an extra layer of protection, but based on what you wrote, it doesn't sound like I really gain so much from it, besides redundant notifications.

As a home user, I am not so sure I need to worry about process hollowing.
And I imagine it would be hard for malware to get itself into the windows folder in the first place, if I am running SAP.
So maybe SAP + BD is the right combo for me?

I tried out NVT freeware, but I had a problem: shortly after installation there was a basic Windows function that tried to run, and I needed to approve it, but Windows froze, so I couldn't allow the process to run. Catch-22. It happened to me a couple of times.
hjlbx

> Thanks.
> I am in the process of trying out SecureAPlus. So far I like it.
> I was using spyshelter free edition until now, and I thought I would keep it, to give me an extra layer of protection, but based on what you wrote, it doesn't sound like I really gain so much from it, besides redundant notifications.
>
> As a home user, I am not so sure I need to worry about process hollowing.
> And I imagine it would be hard for malware to get itself into the windows folder in the first place, if I am running SAP.
> So maybe SAP + BD is the right combo for me?
>
> I tried out NVT freeware, but I had a problem: shortly after installation there was a basic Windows function that tried to run, and I needed to approve it, but Windows froze, so I couldn't allow the process to run. Catch-22. It happened to me a couple of times.

You can put NVT ERP in Learning Mode.

Anyhow, Hollow Process can happen anytime... even by just visiting a website with an exploit. I have seen legitimate websites that have been hacked, exploits embedded, you visit, next thing you know system encrypted... it isn't make-believe; it really does happen.

Online, you just never know where the next bullet is going to come from. You can ask @Umbra about this one.

You are better off using HMP.A on 64 bit system. It covers Hollow Process and a whole lot more. There's always Sandboxie.

Bitdefender has a problem protecting system from malicious scripts. That is why I recommend NVT ERP so you can monitor Windows Host Processes like cscript.exe, wscript.exe, java.exe, etc.

shmu26
I hear you.
So you would say better to drop SAP, and go for NVT learning mode + HMP.A?
Or did you mean either one or the other?
Is it going to work together with BD?
hjlbx

> I hear you.
> So you would say better to drop SAP, and go for NVT learning mode + HMP.A?
> Or did you mean either one or the other?
> Is it going to work together with BD?

I've tested BD with NVT ERP and HMP.A.

They worked on my system, but that is no guarantee that it will work universally.

I'm not real big on security suites - so I opt for AppGuard + NVT ERP + HMP.A + Adguard + Webroot.

Yes, Webroot. Since AV is essentially worthless, I want to devote less than 0.05% of system resources to it - which Webroot meets. Besides, Webroot has good online protections - so that is why I use it.

I have 4 separate systems. Each one is configured differently, but all have AppGuard and Adguard.

shmu26
I have a license for webroot, actually. It cost me $4.99, on newegg.
It was blocking Firefox for some reason; support couldn't figure it out. They just kept saying it works for them.
hjlbx

> I have a license for webroot, actually. It cost me $4.99, on newegg.
> It was blocking Firefox for some reason; support couldn't figure it out. They just kept saying it works for them.

I have run into the same issue. Webroot was blocking HMP.A and some other legitimate, safe files.

I just add them to PC Security > Allow\Block Files > Allow. That fixes the problem.

There are some quirks with Webroot that the documentation does not explain:

Get alert, Block - Allow Once - Allow Always for *.exe; if you select Allow Always then Webroot will add to Allow\Block Files - Monitor; you have to change to Allow.

Get webpage block - allow page; Webroot will allow permanently.

Get alert, Block - Allow Once - Allow Always for script (*.vbs, *.js, etc); if you select Allow Once then Webroot will Allow Always.

Webroot will sometimes auto-block files - even safe ones - without an alert; the only way to know a file is blocked is to look in Allow\Block Files.

Webroot will sometimes auto-block a file from accessing personal data - even safe files; the only way to know it is blocked is to look in Identity Shield.

I am not sure, but I think the anti-clipboard and anti-screen capture only applies to unknown files trying to access clipboard\make screen capture.

Webroot calls the default scan a "Deep Scan," but all it does is scan the most commonly infected areas; marketing. That's why the Webroot scan is so fast; it only scans a limited number of directories. At least Emsisoft calls theirs a malware scan.

There's a lot more.

Webrooters toot-toot their horns that Webroot support is so good, but in my experience it is the typical frustrating experience. More and more users are complaining. There seem to have been some recent internal changes - I think they outsourced - but I could be wrong.

Ask questions about Webroot mechanics and you can never get a straight answer.

I have a love\hate relationship with Webroot. I report bugs\problems and Webroot and its fanboys will not even admit that there might be a problem. As far as their attitude shows, they all seem to think Webroot is perfect and nothing needs to be improved.

shmu26
> I've tested BD with NVT ERP and HMP.A.
>
> They worked on my system, but that is no guarantee that it will work universally.

If I go for BD and HMP.A, should I set the intrusion protection on BD to the lowest level, to minimize the chances of conflicts?
Windows 10 Pro x64, stable build.
hjlbx

I think you can safely test it. Intrusion Detection System is for network - so shouldn't conflict with HMP.A.

You can always ask @Erik Loman or @markloman (here at MT or at their support thread at Wilders). They would know for sure if there have been any reported conflicts. I have seen none posted at Wilders.