Default/Deny comparison -- the results

[shmu26]

as a followup to my poll yesterday,
Compare Protection - Which default/deny solution wins, and why?
I will offer my comparison of the products discussed. Everything stated here is IMHO.
feel free to add, subtract and disagree...

COMODO Firewall
pros: strong anti-exe, strong anti-script, strong firewall, many security features, customizable, extensive list of trusted apps, very popular.

cons: prone to bugs and compatibility issues. does not always behave as expected. poorly documented exploit protection


ReHIPS
pros: strong anti-exe, strong anti-script, strong exploit protection (thanks to isolation of vulnerable apps), application control, customizable, very reliable, very responsive support community which includes the dev himself.

cons: learning curve, provides limited info on trust level of unknown files, free version is limited to 10 isolated processes


NoVirusThanks EXE Radar Pro
pros: strong anti-exe, strong anti-script, significant exploit protection (thanks to vulnerable processes list), customizable, highly compatible, very reliable.

cons: current version is functioning but outdated, provides very little info on trust level of unknown files, on some systems it takes time to properly configure (for instance, by manually adding wildcards (*) to command line strings)


Voodooshield
pros: strong anti-exe, strong anti-script, significant exploit protection, easy to use, provides excellent info on trust level of unknown files, highly compatible, very responsive support (provided by the dev himself), very reliable.

cons: still needs some development in order to work optimally on certain systems, only partially customizable, free version has no customization.


Kaspersky w/TAM enabled
pros: strong overall protection, controls apps without blocking them (thanks to a scale of trust levels), requires minimal user input, many security features, customizable, integrated with a robust security suite, responsive support right here on MT (thanks to @harlan4096 )

cons: protection is not bulletproof at default settings, might be difficult to run on a system with a lot of unusual apps, relatively expensive.


AVAST w/hardened mode
pros: very easy to use, has best list of trusted apps, integrated with a respected AV suite, easy enough for average users, does not mess up your OS and apps.

cons: lacks default/deny for scripts, lacks advanced exploit protection, depends on internet connection, no customization

***

don't miss this post with Umbra's comments: Default/Deny comparison -- the results

 

[HarborFront]

What happens when Kaspersky is set to maximum protection with TAM?

Can you rank them?

To complete the comparison put AppGuard as No. 1 like what @Umbra said it is better than all of them combined. List out AppGuard's pros and cons as well

 

[Deleted member 178]

i will comment in red.

COMODO Firewall
pros: strong anti-exe (Strong HIPS which can be tweaked to behave as an anti-exe, but not worth the effort), strong anti-script, strong firewall, many security features, customizable, extensive list of trusted apps (more a con to me, some shady vendors are trusted), very popular.
cons: prone to bugs and compatibility issues. does not always behave as expected. poorly documented exploit protection


ReHIPS
pros: strong anti-exe, strong anti-script, strong exploit protection (thanks to isolation of vulnerable apps), application control, customizable, very reliable, very responsive support community which includes the dev himself.
cons: learning curve, provides limited info on trust level of unknown files (not the point of an anti-exe, however you have a trust 'rate' based on certificate and a trusted vendors/apps list , most are the classics ones we used ), free version is limited to 10 isolated processes (no free version, it is the limitation of the demo)


NoVirusThanks EXE Radar Pro
pros: strong anti-exe, strong anti-script, significant exploit protection (thanks to vulnerable processes list) (won't stop memory based exploits), customizable, highly compatible, very reliable.
cons: current version is functioning but outdated, provides very little info on trust level of unknown files (not the point of an anti-exe again), on some systems it takes time to properly configure (for instance, by manually adding wildcards (*) to command line strings)
And no memory/dll/drivers protection which are modern threats..basically it is now almost pointless to use now as a standalone product.


Voodooshield
pros: strong anti-exe, strong anti-script, significant exploit protection, easy to use, provides excellent info on trust level of unknown files, highly compatible, very responsive support (provided by the dev himself), very reliable.
cons: still needs some development in order to work optimally on certain systems , only partially customizable, free version has no customization. and no dll protection.

 

[Deleted member 178]

To complete the comparison put AppGuard as No. 1 like what @Umbra said it is better than all of them combined. List out AppGuard's pros and cons as well

Pros:
- SRP , what isn't whitelisted by policy of the user is blocked whatever legit or malicious. Memory/dlls/drivers protection.
- Homeland security grade.
- Set and forget (until user add apps )

Cons:
- not for beginners, users must have a good understanding of the OS and how programs behaves , and the notion of user space and system space.
- some feature are not needed and should be removed , will be in future versions.

 

[shmu26]

What happens when Kaspersky is set to maximum protection with TAM?

a skilled user can tweak out Kaspersky w/TAM to a very high level of protection

Can you rank them?

I will rank them, if you will pay for my bodyguard. (but my current security config shows ReHIPS)

To complete the comparison put AppGuard as No. 1 like what @Umbra said it is better than all of them combined. List out AppGuard's pros and cons as well

AppGuard is a software restriction app. This puts it in a different category. Maybe someone wants to do a thread on software restriction apps, but that's not me...

 

[shmu26]

NoVirusThanks EXE Radar Pro...
won't stop memory based exploits

most memory based exploits need to run a command line tool, such as powershell or cmd.exe.
NVT ERP protects the common command line tools by default, and the user can add more to the protected list, if he wants.
For the same reason, NVT ERP will prevent downloading of rogue DLLs or drivers.

 

[HarborFront]

i will comment in red.

Hi

Given your corrections, apparently, all do NOT have dll and memory protection as well...except possibly for AppGuard, right?

 

[Deleted member 178]

Hi

Given your corrections, apparently, all do NOT have dll and memory protection as well...except possibly for AppGuard, right?

Anti-exe basic goal is to just block executables nothing else like ERP , it is why its dev created Smart Object Blocker to supplement it in the future.
Some softs mitigate dll's injections by using isolation or HIPS/BB.
some other doesn't really need memory protection (especially sandboxes) because all the protection is via isolation.but using some memory protection mechanism (in case of) would be nice.

 

[HarborFront]

@shmu26

Do you think you can update your OP with @Umbra's feedback and add dll/memory protection features (if any) as well?

Thanks

 

[shmu26]

@shmu26

Do you think you can update your OP with @Umbra's feedback and add dll/memory protection features (if any) as well?

Thanks

I haven't yet finished arguing with Umbra. I think he is guilty of all-or-nothing reasoning.
I left out the dll/memory issue, because it is kind of slippery

 

[Deleted member 178]

In fact all the apps mentioned are from different categories and can't really be compared.

ERP is a pure anti-exe
ReHIPS is mainly a sandbox
VS is an anti-exe with reputation feature.
KIS , comodo and Avast are suites with sandbox + HIPS/BB + AV

P.S: now i go to the beach

 

[HarborFront]

In fact all the apps mentioned are from different categories and can't really be compared.

ERP is a pure anti-exe
ReHIPS is mainly a sandbox
VS is an anti-exe with reputation feature.
KIS , comodo and Avast are suites with sandbox + HIPS/BB + AV

P.S: now i go to the beach

The issue here is given their limitations which combo offers the best protection. Please include AppGuard, if needed.

 

[shmu26]

The issue here is given their limitations which combo offers the best protection. Please include AppGuard, if needed.

I can already tell you that the killer combo is AppGuard+ReHIPS. I think Umbra will agree with me about that. But this combo is not for everyone.

 

[Duotone]

killer combo is AppGuard+ReHIPS

Not for newbies...

 

[shmu26]

Not for newbies...

it's not for me, either. You won't find many people who torture their system to that extent.

all of the apps on the list are great. it doesn't really matter so much which one or ones you use, as long as you use them right.

 

[Ink]

Default Deny doesn't sound like an install and forgot solution?

 

[shmu26]

Default Deny doesn't sound like an install and forgot solution?

it is. if you install it, you can forget about your system

 

[Ink]

it is. if you install it, you can forget about your system

Based on your initial posts, it's not a clear cut solution (reading the Cons)?

What I meant by Install and Forgot, is it's ease of use, when dealing with threats and non-threats. For example, How Auto-Protect in Norton Security will handle your Security compared to a talkative product.

 

[Deleted member 178]

I can already tell you that the killer combo is AppGuard+ReHIPS. I think Umbra will agree with me about that. But this combo is not for everyone.

Not for newbies...

I agree and indeed definitely not for everyone.

If i had to recommend several combos other than Appguard + ReHIPS

1- Appguard + ERP , one of the best combo you may find, was my ultimate anti-exe combo for long time , then ReHIPS appeared
2- Sandboxie + ERP , uber free combo, that is basically simulating ReHIPS with steroids
3- Appguard + VS paid , strong paid combo, you will mostly use VS as a AV "replacement" , using its reputation feature to know what should be whitelisted/allowed in AG.

i dont mention VS free because the lack of customization makes it worthless to me.

 

[Deleted member 178]

Default Deny doesn't sound like an install and forgot solution?

in some way... you install and forget (about security)

I have to mention that anti-exes are made to be installed and set in a brand new clean installed system, since you whitelist programs, you can't afford any suspicious/unknown software to be present on your system.