OSA/VS/AG/SAP differences

Tiamati

Level 12
Thread author
Verified
Top Poster
Well-known
Nov 8, 2016
574
Guys, I know this is a common doubt and there are a few posts around here talking about it, but despite my effort to understand, I still found a lot of conflicting info and could not fully understand.

What exactly are the differences between OSArmor (OSA) / VoodooShield (VS) / AppGuard (AG) / SecureAPlus? When and why should I use them? And when should I NOT use them? Which is more user friendly?

For example, I saw a lot of guys using some of them together with another antivirus, others advising not to combine them, and others saying they are not needed at all if you are using Kaspersky Security Cloud (free?), Bitdefender Internet Security, Emsisoft, etc...
So I don't even know if I should use any of them in the first place.

Ty for your attention. I apologize for any inconvenience.

BONUS question: should I use any of them associated with H_C or SysHardener?
 

93803123

OSArmor (OSA) / VoodooShield (VS) / AppGuard (AG) / SecureAplus

At a basic level,
  • SecureAPlus and VoodooShield are simple anti-executables that rely heavily upon signatures/file reputation.
  • OSArmor is a GUI front-end to enable native Windows security policy tweaks.
  • AppGuard is a software restriction policy.
BONUS question: should I use any of them associated with H_C or SysHardener?

It is recommended that you use H_C all by itself and read all the documentation carefully. Once you have gained an understanding then you will be better prepared to make your own decision, based upon your own understanding as well as your likes and dislikes, of what type of security you wish to implement.

If you understand the principles of H_C, then you will easily understand AppGuard, OSArmor and both SecureAPlus and Voodooshield, more or less. It is also recommended that you experiment and learn using VirtualBox for your own hands-on experience. That way you will figure out what works best for you.

Despite what anyone else says, you won't know what works best for you until you try and sort it out for yourself.
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,107
What are exactly the differences between: OSArmor (OSA)/ VoodooShield (VS) / AppGuard (AG) / SecureAplus ? When and why should i use them? And when I should NOT use them? Wich is more user friendly?

OSArmor - free rule-based OS hardening and post-exploit protection. Can be used with most AVs but not with AV suites. Has hard-coded rules built-in and allows custom rule making. Pretty user friendly.

VS - Anti-exe with some exploit protection, e.g. browsers, PDF readers, etc. Free version available but not as configurable as the paid version. I very rarely get alerts, usually if I forget to disable VS when installing software. Has been known to inadvertently block some Windows processes but this is rare. Some users like VS and some find it annoying and say they get too many alerts. The annoyed users may be mostly using the free version. VS is a great companion to free AVs like Windows Defender. I'd say it's user friendly, about the same as OSA.

SAP - I haven't used it but I believe it is a white-listing app with an AI component. Can be used with AV. Very recent version being tested in MT Hub. Free. Can't comment on user-friendliness or experience required.

Appguard - proprietary software restriction policy app. Expensive. For advanced users. No forum help, small user base. Good luck getting help.

SysHardener - default-allow OS hardening app. Mostly user friendly on default configuration - but can cause issues where less experienced users may not be able to identify when something on their system is not working, especially with default+ features enabled.

Hard_Configurator - smart software restriction policy/OS hardening that offers default-deny and default-allow configurations. Meant for advanced users but can be used by less advanced users who are willing to learn. I am proof of that. The MT thread is invaluable and @Andy Ful offers the best customer service in the industry. :D
_____________________

No one can or should tell you what to use. A good practice is to start with AV of your choice and add one of the above apps so potential problems can be diagnosed. Good security can be had with little or no $$$ investment. I advise starting with Windows Defender because it's built-in and free. Afterwards you can change to another AV if desired in order to compare usability, etc. Always read/study user guides and forum threads for chosen apps. Become familiar with the GUI so you know what feature/button does what. Adding multiple softs at once is not advised for newbies. Most will go overboard and after time passes will begin to scale back to a comfortable configuration.

My motto is: Stay safe, not paranoid! (y) :)
 

Tiamati

Level 12
Thread author
Verified
Top Poster
Well-known
Nov 8, 2016
574
Ty @oldschool @zhuzhangspankspank and @bribon77

I'm very pleased for your help.
A few considerations:
1) I started with SysHardener now, and I will see how it works. As far as I noticed here in the forum, SysHardener seems to be more user friendly for beginners, so I'll try it first, and if I don't find a lot of problems, I'll change and check H_C later.

2) Talking about VoodooShield, I checked some forums saying that it would be a performance killer to use it along with Bitdefender Internet Security, so with that in mind, I configured it to be turned on only in the most vulnerable situations. However, idk if that is true.

3) On the OSArmor topic, I checked on some forums that it would be redundant to use it with SysHardener because most protection features are more or less covered by it, so I decided to go with SysHardener.

4) Ty for the feedback about SAP and AG. My VS license is near the end, and I was considering a change.

5) Cruelsister's Comodo settings seem to be a very common config around here. I checked, but found only a video from a few years ago (that turned HIPS off :unsure:). Is the config still good?
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,021
Ty @oldschool @zhuzhangspankspank and @bribon77

5) Cruelsister Comodo settings seems to be a very common config around here. I checked, but found only a video from a few years ago (that turned HIPs off :unsure:). The config is still good?

Check the forums for a download link for Free Comodo Firewall. Almost everything is linking to paid only version but you can still find a link in their forum if you decide to use it.
EDIT: Someone found this page recently which lets you download the firewall for free. Free Firewall | Get Award Winning Comodo Firewall Today but these pages are very hard to find now and we're still waiting to find out what's happening.

H_C and OSArmor can conflict with one another if OSArmor PowerShell protection is used, so just use one or the other in that respect. I currently run Windows Defender with H_C on recommended settings, the ConfigureDefender element of H_C set to High, and the Firewall Hardening (H_C Recommended) rules added.

Erz
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,606
Can someone suggest an anti-exploit for Chromium Edge?

. Can't add anti-exploit for the new Chromium Edge browser on VoodooShield free

. Not using Comodo Firewall currently since they have a hassle going on on the forums (download link only on the forums, website being a mess)

- currently using Code Integrity Guard + Windows Defender (ConfigureDefender High)
Never tried whether I can make a rule to support OSA for the current Edge Dev
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
Someone to suggest anti-exploit for chromedge?

.Cant add anti-exploit for new chrome edge browser on voodooshield free

.Not using comodo firewall currently since they have hassle on forums going on ( download link only on forums, website being a mess)

- currently using code integrity guard + windows defender ( configure defender high)
Never tried if i can make a rule to support OSA for current edge dev
What about Malwarebytes anti-exploit?
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,606
What about Malwarebytes anti-exploit?
I used to have that, but since then they combined anti-exploit into Malwarebytes 3.8... and you couldn't get it to work with Google Chrome back then

Their forum changelog says:
Usability:
Updated shield list to include Chrome and Edge Browsers

So I'm not sure if that means Chromium Edge, but I'm going to give their free beta a go and see how it is nowadays, cheers

Edit 1: had to make a rule for msedge.exe, it's been 4 years since I found out about their beta and since then it's been free... so I think I'm staying with the free version for now for another 4 years (jk) :p
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,107
@imuade @Moonhorse MBAE is OK as a stand-alone anti-exploit and AV companion, and is free (y) but be aware that you cannot enable Windows Exploit Guard with custom configurations for Edge Chromium without getting a warning message each time you open the browser. MBAE must still use some DLL injection or something because the warning is to that effect. I just use Exploit Guard myself and have no problems. I think MBAE is one good alternative for a set-and-forget companion app but e.g. OSA offers better, more comprehensive features for the user who wants easy-to-use protection.

Edit: in italics.
 

ForgottenSeer 823865

There is still confusion about "anti post-exploit" features and "anti-exploits".

Anti Post-Exploit:
All those anti-exe, SRP, HIPS, etc... Those don't block the exploit itself; they have nothing to protect the memory space (they don't use SEHOP, etc...), they just prevent LOLBins from being used by the exploit to do further damage. Example: blocking rundll32.exe being used by an exploited lsass.exe to open a reverse connection.
If you believe that anti-exes, which all lack any kind of memory mitigation, will prevent an exploit, you are ready for a big disappointment if an exploit hits you. Their marketing staff will say "if we block the process from executing nasty stuff, then we prevent the exploitation of the system", uh no... If you have a bullet (exploit) in the chest (system), putting a bandage (anti-exe) on to stop the bleeding (abused LOLBins) doesn't nullify the injury (exploited system); the bullet is still there, you are still in critical condition.
Remove the bandage and you will bleed again.

Anti-exploit:
MBAE, HMPA, EMET/Exploit Guard. Those are real anti-exploits. Look at their settings: they all have dozens of options with weird names (SEHOP, ASLR, bottom-up ASLR, etc...), those are memory mitigations. Those will prevent the exploit.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
There is still confusion about "anti post-exploit" features and "anti-exploits".

Anti Post-Exploit:
All those anti-exe, SRP, HIPS, etc... Those don't block the exploit itself; they have nothing to protect the memory space (they don't use SEHOP, etc...), they just prevent LOLBins from being used by the exploit to do further damage. Example: blocking rundll32.exe being used by an exploited lsass.exe to open a reverse connection.
If you believe that anti-exes, which all lack any kind of memory mitigation, will prevent an exploit, you are ready for a big disappointment if an exploit hits you. Their marketing staff will say "if we block the process from executing nasty stuff, then we prevent the exploitation of the system", uh no... If you have a bullet (exploit) in the chest (system), putting a bandage (anti-exe) on to stop the bleeding (abused LOLBins) doesn't nullify the injury (exploited system); the bullet is still there, you are still in critical condition.
Remove the bandage and you will bleed again.

Anti-exploit:
MBAE, HMPA, EMET/Exploit Guard. Those are real anti-exploits. Look at their settings: they all have dozens of options with weird names (SEHOP, ASLR, bottom-up ASLR, etc...), those are memory mitigations. Those will prevent the exploit.
I think that SRP does not fit this classification, because it can also prevent exploits before the exploitation process starts. So it could be "Anti Pre & Post Exploit."
For example, the script which contains the exploitation technique can be blocked by SRP.
In the case of PowerShell, the script can be allowed to run, but the exploitation technique based on the .NET Framework will be blocked by Constrained Language mode (activated by SRP).
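As an added illustration of the Constrained Language mode point above (this is not code posted by anyone in the thread, and the function name is made up here), the probe below reports what a PowerShell session allows or blocks: arbitrary .NET type invocation and Add-Type are refused under Constrained Language mode, while ordinary cmdlets keep working. It assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: report the effect of PowerShell Constrained Language mode (CLM),
# which SRP/AppLocker enforcement switches on for interactive sessions.
# Run once in a normal session and once after switching the session to CLM.
function Test-ConstrainedLanguageEffects {
    # Hashtable with index syntax: both are permitted in every language mode.
    $results = @{}
    $results['LanguageMode'] = [string]$ExecutionContext.SessionState.LanguageMode

    # 1. Invoking an arbitrary .NET type: the building block of in-memory
    #    script loaders, and the thing CLM refuses ("core types only").
    try {
        $null = [System.Net.WebClient]::new()
        $results['DotNetTypeInvocation'] = 'Allowed'
    } catch {
        $results['DotNetTypeInvocation'] = 'Blocked: ' + $_.Exception.Message
    }

    # 2. Compiling C# on the fly with Add-Type: also disabled under CLM.
    try {
        Add-Type -TypeDefinition 'public class ClmProbe { public static int One() { return 1; } }' -ErrorAction Stop
        $results['AddType'] = 'Allowed'
    } catch {
        $results['AddType'] = 'Blocked: ' + $_.Exception.Message
    }

    # 3. Everyday cmdlets are untouched: CLM restricts the language, not administration.
    $results['GetProcessWorks'] = $null -ne (Get-Process -Id $PID)

    return $results
}

# Baseline run in whatever mode the session currently has.
Test-ConstrainedLanguageEffects

# Lower the session to CLM (this can be tightened but never loosened again in the
# same session) and run the probe a second time to see what changes.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
Test-ConstrainedLanguageEffects
```

In the second run `DotNetTypeInvocation` and `AddType` come back as Blocked and `GetProcessWorks` stays True, which is exactly the separation the post describes: the script still runs, the .NET-based technique inside it does not.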
 

ForgottenSeer 823865

I think that SRP does not fit this classification, because it can also prevent exploits before the exploitation process will start. So it could be "Anti Pre & Post Exploit."
Indeed, that's the reason why SRP is the oldest but most proven effective default-deny mechanism used in enterprises (if configured properly, of course), but I didn't want to make it too complicated; there is enough confusion and many people don't know about SRP. :)
 

Tiamati

Level 12
Thread author
Verified
Top Poster
Well-known
Nov 8, 2016
574
Hello guys! First of all, ty for all your advice. I left the 0% of knowledge about all this, and I'm currently loading at 0.1% now hahaha

I tried to follow all your explanations, and I guess I got most of it. So let me answer some of them


H_C and OSArmor can conflict one another if OSArmor Powershell protection so just use one or the other in that respect. I currently run Windows Defender H_C with recommended settings, ConfigureDefender element of H_C Set to High and the Firewall Hardening (H_C Recommended) rules added.
Ty for clarifying @ErzCrz

the answer with the @cruelsister configuration, if it is good and valid.
I'll talk to him and check if i get some help about that so. Ty!

MBAE, HMPA, EMET/Exploit Guard. Those are real anti-exploit. Look at their settings, they all have dozen of options with weird names (SEHOP, ASLR, bottom up ASLR, etc...), those are memory mitigations. Those will prevent the exploit.

@Umbra I have a few questions if you don't mind.

1) So how does VoodooShield fit into all this? According to what I read, it does have some anti-exploit features (but only the paid version?) along with the anti-exe/whitelist feature. Besides that, how would the "snapshot" feature work here? Wouldn't that be an anti-exploit too?

2) I'm currently using Bitdefender Internet Security... which has - as far as I know - some anti-exploit features, so do I still need MBAE or HMPA? If so, can I use the beta version of MBAE without worries? And if I use MBAE, do I still need to harden the OS through SysHardener or H_C?

3) On the other side, would using only the VoodooShield free version add any benefit to my system, considering it's already protected by Bitdefender?

4) Would the Comodo Firewall default settings be enough as a substitute for VoodooShield? If not, would the Cruelsister config be enough?

Tyvm for the attention. You're all very kind
 
