ProcessGuard (PG) VS System Safety Monitor (SSM) VS Viguard
NB. The secure mode (administrator mode for SSM, "blocking new and changed applications" for PG) is not enabled in these tests.
Viguard is run with critical files protection enabled (Windows\System32, INI files, etc.).
***Rootkit Test with Hacker Defender 1.0.0:
-ProcessGuard: can prevent the installation by blocking the driver (with no specific rule for service.exe).
NB. For high protection against rootkits, it is advisable to deny (uncheck) the "install Drivers/Services" permission for service.exe.
-System Safety Monitor: can detect and prevent the installation.
NB. For a strong defense against rootkits, it's recommended to configure a special rule for service.exe and to deny the driver installation permission.
If we launch a full installation of the rootkit, Viguard can detect and block it (INI protection), but if we launch only the service, the user is not warned immediately by an alert (only before shutdown).
NB. The rootkit can be put into quarantine.
NB. For a strong defense against common rootkits, it can be helpful to deny creation/modification of .sys/.ini/.drv files in the FileWall options (while setting up permission rules for programs that legitimately need access).
1: ProcessGuard, 2: SSM, 3: Viguard.
NB. The service (and processes) can be run hidden, but that is the subject of the next test.
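The two defensive ideas in this section, an integrity check of critical files (the Viguard INI/System32 protection) and a FileWall-style rule that denies creation or modification of .sys/.ini/.drv files unless a process has an explicit permission, can be shown together in a few lines. The following Python is an added example and is not code from the review or from any of the products tested; the directory contents, process names (setup.exe, svc.exe) and the driver name newdrv.sys are constructed for illustration.

```python
"""Added example: integrity baseline of a protected directory plus a
FileWall-style rule check for driver/INI file events. Not part of the
review or of any HIPS product; all names and sample data are constructed."""
import hashlib
import os
from dataclasses import dataclass

# Extensions the review suggests denying by default (.sys/.ini/.drv).
PROTECTED_EXTENSIONS = {".sys", ".ini", ".drv"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_files(files: dict[str, bytes]) -> dict[str, str]:
    """Hash an in-memory {path: content} mapping (used by the demo below)."""
    return {path: sha256_bytes(content) for path, content in files.items()}


def snapshot_dir(root: str) -> dict[str, str]:
    """Hash every file under a real directory, keyed by path relative to root."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = sha256_bytes(fh.read())
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]):
    """Return (added, modified, removed) path lists, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


@dataclass(frozen=True)
class FileEvent:
    process: str   # image name of the process making the request
    path: str      # target file
    action: str    # "create" or "modify"


def evaluate_event(event: FileEvent, allowlist: dict[str, set[str]]) -> str:
    """Decide 'allow' or 'deny' for a create/modify request.

    Rule (the review's FileWall suggestion): creation/modification of
    .sys/.ini/.drv files is denied unless the requesting process has an
    explicit permission rule for that extension."""
    ext = os.path.splitext(event.path)[1].lower()
    if event.action not in ("create", "modify") or ext not in PROTECTED_EXTENSIONS:
        return "allow"
    return "allow" if ext in allowlist.get(event.process.lower(), set()) else "deny"


def demo():
    # Constructed baseline of a "critical files" directory and a later state
    # in which an INI file was changed and an unknown driver appeared.
    baseline = snapshot_files({
        r"System32\drivers\disk.sys": b"driver v1",
        r"win.ini": b"[fonts]\n",
        r"boot.ini": b"[boot loader]\n",
    })
    current = snapshot_files({
        r"System32\drivers\disk.sys": b"driver v1",
        r"win.ini": b"[fonts]\n[windows]\nrun=unknown.exe\n",   # modified
        r"boot.ini": b"[boot loader]\n",
        r"System32\drivers\newdrv.sys": b"unknown",           # added (constructed)
    })
    added, modified, removed = diff_snapshots(baseline, current)

    # Permission rules: only a known installer may write driver files.
    allowlist = {"setup.exe": {".sys", ".drv"}}
    decisions = {
        "installer": evaluate_event(FileEvent("setup.exe", r"drivers\new.sys", "create"), allowlist),
        "unknown": evaluate_event(FileEvent("svc.exe", r"drivers\newdrv.sys", "create"), allowlist),
        "text": evaluate_event(FileEvent("notepad.exe", r"notes.txt", "modify"), allowlist),
    }
    return added, modified, removed, decisions


if __name__ == "__main__":
    print(demo())
```

For a real check, take `snapshot_dir()` of the protected folder once, store it, and compare a fresh snapshot against it on each start and shutdown, which is the scan schedule the review describes for Viguard. The rule check is deliberately keyed on the requesting process so that a legitimate installer keeps its permission while everything else is denied by default.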
***Hiding/spoofing a process (in Windows explorer):
NB. Access to physical memory is necessary for this test (a).
-ProcessGuard: PG does not detect the hidden process in "explorer.exe" (even when we launch "explorer.exe" from Windows\System32 with the "block new and changed applications" option).
-SSM: can only prevent the spoofing in administrator mode (access to memory is automatically denied), and its MD5 check makes no difference.
-Viguard: does not detect the hidden process, even if we run an integrity scan.
ProcessGuard, SSM and Viguard all failed the "hidden process" test.
-ProcessGuard: any manipulation is automatically blocked and prevented.
-SSM: System Safety Monitor detects "the attack", but can only prevent it in administrator mode or with a specific rule.
-Viguard: Can prevent its own process from being profiled.
1: ProcessGuard and Viguard, 2: System Safety Monitor.
***Disabling the startup registry key:
-ProcessGuard: ProcessGuard can be easily disabled from the startup menu.
-SSM: with all plugins enabled (registry startup), SSM can block the action and automatically reverse the change.
-Viguard: has strong features against this method (detection and prevention, automatic scan before shutdown and at system start) and therefore can't be disabled from the startup menu without an alert.
1: Viguard/SSM, 3: ProcessGuard.
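What SSM and Viguard do here amounts to keeping a baseline of the autostart entries and alerting when one of them disappears or changes. The Python below is an added example, not code from the review or from any of the products, showing that check over two exports of the Run key in .reg text form. The two exports and the "ExampleHIPS" and "Updater" entries are constructed placeholders, not any real product's registry values, and the parser handles only string (REG_SZ) values.

```python
"""Added example: diff two .reg exports of an autostart key and report
removed/changed/added entries. Not part of the review or of any product;
the exports below are constructed and ExampleHIPS is a placeholder name."""


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the string values of a .reg export into {key: {name: value}}.

    Assumption: only REG_SZ ("name"="value") lines matter for autostart
    entries; DWORD, binary and multi-line values of a real export are skipped."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if not value.startswith('"'):
            continue  # not a REG_SZ value (see assumption above)
        name = "(Default)" if name == "@" else name.strip('"')
        inner = value[1:value.rfind('"')]
        # .reg files escape quotes as \" and backslashes as \\ .
        keys[current][name] = inner.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def load_export(path: str) -> dict[str, dict[str, str]]:
    """Read a regedit export from disk (regedit writes UTF-16 with a BOM)."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


def diff_autostart(baseline_text: str, current_text: str, watched_key: str):
    """Return (removed, changed, added) entry names for one autostart key."""
    before = parse_reg_export(baseline_text).get(watched_key, {})
    after = parse_reg_export(current_text).get(watched_key, {})
    removed = sorted(n for n in before if n not in after)
    added = sorted(n for n in after if n not in before)
    changed = sorted(n for n in before if n in after and before[n] != after[n])
    return removed, changed, added


RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline export: the HIPS entry is present.
BASELINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleHIPS"="\"C:\\Program Files\\ExampleHIPS\\hips.exe\" /tray"
"SoundTray"="C:\\WINDOWS\\system32\\sndtray.exe"
"""

# Constructed later export: the HIPS entry is gone and an unknown one appeared.
CURRENT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\WINDOWS\\system32\\sndtray.exe"
"Updater"="C:\\WINDOWS\\temp\\upd.exe"
"""


def demo():
    return diff_autostart(BASELINE_EXPORT, CURRENT_EXPORT, RUN_KEY)


if __name__ == "__main__":
    removed, changed, added = demo()
    for name in removed:
        print(f"ALERT: autostart entry removed: {name}")
    for name in changed:
        print(f"ALERT: autostart entry changed: {name}")
    for name in added:
        print(f"NOTE: new autostart entry: {name}")
```

Run as a scheduled check, the "removed" list is the condition under which a HIPS would restore its own entry (SSM's automatic reversal) or raise the alert the review credits Viguard with; the "added" list is the complementary signal for new startup items.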
***Launching an HTTPS connection (with Kapimon):
-ProcessGuard: PG detects the injection of code into Internet Explorer, but can't block the connection to the Verisign web site and does not notify the user about it.
A specific rule is necessary: "deny once" or "deny always" for IE.
-SSM: it detects that Kapimon wants to take control of Internet Explorer with a code injection, and also detects which web site/connection will be launched.
NB. With specific rules, we can prevent any unauthorized launching attempt of the browser.
-Viguard: Viguard is the winner.
NB. With specific rules, it's possible to monitor many more actions (loaded modules, access to the internet with NetTrap, denying access to the Verisign web site as an untrusted server, etc.).
1: Viguard, 2: System Safety Monitor, 3: ProcessGuard.
***Crashing the system instantaneously (b):
-ProcessGuard: PG can't prevent the computer from crashing instantaneously without a specific rule for the Windows Service Controller (Windows\System32\service.exe).
The "install service/driver" permission is needed to install new software on the system and is not set in the default configuration.
But if we deny this permission, then no new service/driver can be installed or loaded.
-SSM: System Safety Monitor detects all Bang actions and the user can easily prevent the system from crashing.
-Viguard: Viguard detects the loaded driver and can block it.
And if we deny the action, Viguard asks the user whether he wants to kill the program.
1: Viguard and SSM, 3: ProcessGuard.
(a) For more information, see the papers on DKOM (Direct Kernel Object Manipulation) by Jamie Butler (author of the FU rootkit);
(b) this test shows what can happen when the computer is instantaneously crashed by an attack (buffer overflows, DoS, etc.).
It seems difficult to choose a winner between ProcessGuard, SSM and Viguard.
If I take into consideration only results, and just results, Viguard and System Safety Monitor would certainly fight a battle for first place.
But these tests are made for all consumers, and consequently ease of use combined with effectiveness is the first criterion.
As a consumer, I defend products that can provide a high degree of security for all users and family members: from the 7-year-old child to the 77-year-old grandmother, everyone has to be protected.
A strong line of defense should not only concern knowledgeable, advanced or experienced users (professionals, programmers, etc.).
Making defense against advanced attacks (rootkits, code modification, etc.) easy for the end user is a much appreciated programmer's effort.
Therefore, ProcessGuard is my first choice: it does not take much time to configure (very intuitive), and any user just has to check a box/option to get strong protection.
SSM and Viguard are as powerful as ProcessGuard, certainly more exhaustive, but are less comfortable to use.
As an integrity protection partisan, Viguard seems very interesting and has more features and options than System Safety Monitor: ability to launch an integrity scan, to reinstall itself and repair infected files, to deny access to any file/folder etc.
And the major weakness of SSM is the driver/service which can be easily disabled.
All these criteria lead me to choose Viguard as the second choice and System Safety Monitor as the third.
NB. A special mention for SoftClan Integrity 2005, Safe'n'Sec, AntiHook and OSsurance Desktop which are also very effective and promising products.
Nowadays, a classical defense with a firewall and anti-virus/trojan/spyware scanners is no longer sufficient against the new generation of threats, which often use stealth (1) methods to avoid scanners and evade resident engine detection.
Antivirus products are limited (2) and there are many files (3) that scanners do not include in their databases, so a system can be infected and corrupted, in a home or corporate environment, as a recent scandal in Israel, the United Kingdom and the US has shown.
Therefore it seems necessary for any user who takes his online security seriously to add proactive protection to his line of defense.
These "personal HIPS" tests and reviews have shown that solutions exist against all kinds of malware, from the basic trojan to the stealth rootkit (4).
In all cases, it is technically hard to code programs that combine ease of use and effective multi-layered protection without soliciting the user's intervention.
In the last resort, any security software requires education and effort from the user: that is the price of a strong line of defense and of peace of mind.
Ultimately, the choice is, as usual, a question of experience and budget.
(1): "Hide'n'Seek: anatomy of stealth malware" (F-Secure): this PDF by Gergely Erdelyi is here (save with right click);
(2): about the limits of AVs: "Owning Antivirus", by Alex Wheeler and Neel Mehta: the PDF is here (save with right click);
(3): like this keylogger, for instance (checked on VirusTotal);
(4): "Hidden threats" by Rick Dudley: the PDF is here.
Today, a classical defense with a firewall backed by the usual anti-virus/trojan tools is hardly sufficient against the new generation of malware, which uses stealth methods (5) to evade detection modules.
There are many parasites (6) that are not included in the signatures of the best antivirus products, so any system can be infected, whether in a home or a corporate environment, as certain recent cases in Israel or the UK have shown.
It therefore seems necessary for any user who takes the security of his computer seriously to deploy so-called "proactive" or behavioural protection.
These tests of a few personal "intrusion prevention and detection" programs have shown that solutions exist against all kinds of malware, from the basic trojan to the stealth rootkit.
In all cases, it is technically difficult to develop programs that offer multi-layered protection, are easy to use and effective, and do not solicit the user.
Any security product requires a learning effort from the user: that is the price of effectiveness and peace of mind.
And in the end, the choice is a question of experience, level of knowledge and, of course, budget.
(5): "Panorama des techniques de résistances aux antivirus" (SOPHOS/OSSIR): this PDF by Vanja Svajcer is available here.
(6): such as this keylogger (scan on VirusTotal).
The Pros and Cons of "personal HIPS" (7):
-most of them run at kernel level (8), so they can intercept more activities (physical memory, device/driver installation, etc.);
-no signature updates, no time wasted on scans;
-detect/stop/prevent the infection before it occurs ("prevention is better than cure");
-can detect unknown malware by monitoring its behaviour while scanner engines see nothing (recently, the Kelvir worm outbreak bypassed all AVs for a few hours);
-provide powerful activity control over the system (...)
(7): Host Intrusion Prevention System is just a term to name these proactive software products; HIPS are more sophisticated but have the same goal, prevention/detection of unusual/suspect activities. Viguard is the product that most closely corresponds to the definition;
(8): short info in section 1.3.4 here,
or the exhaustive article by Mark Russinovich (parts 1 and 2 on Windows architecture).