LUSHER

Everything posted by LUSHER

  1. Yes, a nice feature. IIRC some other HIPS are starting to include that, on top of the old "learning mode" that DiamondCS ProcessGuard had. Another feature I like is an "install mode" to allow more comfortable installation of software packages. That's a Windows-specific function, not a firewall-specific function? Just give the normal permissions and it will work. One major problem though: I could be wrong, but while you can set rules using specific ports, you can't set filters based on IP? Can someone confirm? Some confusion here. Real AV scanning (Kaspersky engine) is only available in paid OA+. OA does have a small blacklist, which should not be confused with AV signatures, and can recognize certain processes and files as malicious, but you should not rely on that for protection. Use another AV instead.
  2. Amazing! There are people who haven't heard of Online Armor?? Talk about the ignorance...
  3. This time it's the Spyware Terminator forum that is hacked (though not as seriously). http://forum.spywareterminator.com/Default...osts&t=3036 http://www.wilderssecurity.com/showthread.php?t=184968
  4. BTW guys visiting the avast! forum in the last 24-48 hours should be careful, apparently the forum was hacked and it was trying to infect people via an iframe and security exploit (should be okay if you have patched?)... http://www.wilderssecurity.com/showthread.php?t=183634 Do a full scan just in case.
  5. Definitely wacko. I spoke to several big names and they all agreed.
  6. If something isn't active or operating, how does it protect you? Surely something would be watching for it to know when to do something? That sounds really active to me? Like if you are using hosts files, something must be watching for the system to make domain lookups and then block them if the domain is set to loopback... And trust me, I know how SpywareBlaster and all the other things you mention work (probably better than most of you on this thread), but this whole active/passive thing puzzles me. Seems to me what you are referring to is using built-in Windows features like setting ActiveX killbits (SpywareBlaster), to do this "passive protection". It is built in, so you don't really need SpywareBlaster running (hence the myth about such protection using zero resources). In fact you don't really need SpywareBlaster, you could edit the registry directly really... Same for hosts files, it is just built into Windows. But this theory fails when you start talking about Adblock Plus... Since that definitely isn't part of Windows by default. Heck, it isn't even part of Firefox typically... Why do people think Adblock Plus is "passive" protection? Because it shares the same memory space as Firefox, so people think this protection is "free"...?? I mean why aren't third-party firewalls considered passive protection (or are they?). Because people see it appears as a separate process in the task monitor? Never mind, I think too much...
  7. Of course it's different: one blacklists domains via DNS lookups, another stops ActiveX controls.
  8. What's the definition of "passive protection" (as opposed to active) again? From the examples you gave it seems to mean blacklists.. But then antivirus are really just very complicated blacklists really... Or does passive protection mean "low resources consumption protection". But that does seem to be the case... otherwise why not simply say that?
  9. http://www.runscanner.net/download.aspx
     Changelog 1.0.3
     • Added trusted zones HKLM
     • Added HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
     • Added HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
     • Added HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
     • Added HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
     • Added 105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
     • Fixed minor bug with incorrect filter
     • Fixed minor sorting bug in text log file
     • Changed behaviour with 068 -> download lsp-fix
     • Changed ctrl+c (copy) formatting
     • Google lookup now also searches for GUID, registry entry if no exename available.
  10. Changelog 1.0.2
     • Fixed bug with "problem with shortcut , searching for file gui"
     • Fixed false positive warning with AVG antivirus (Thanks to Lusher for reporting the bug)
     Hmm, the author "fixed" it so it is no longer detected by AVG. Plus fixing another bug I found.
  11. That's your choice. I'm just presenting facts.
  12. It's a bit slow compared to AutoRuns though. And AVG detects RunScanner as a trojan.
  13. 1.0.1 release out. This fixes a fairly serious bug that makes it miss appinitdll entries. http://www.runscanner.net/
  14. That's not 100% reliable of course.
  15. Whatever. Some/many is still wrong, when it's not even ONE month. It's more like 1-2 weeks. Yeah whatever dude. You don't like me, I don't like you either.
  16. "Many months ago??" That's a lie! It was first posted on Wilders on 9th Aug, how is that "some months" ago?? And I question the whole "many of them are kinda hesitant", besides many of them are just sheep.
  17. • SafeSpace - Sandbox. Similar in many respects to Sandboxie. Free for personal use. beta
     • Comodo Firewall 3.0 beta - Firewall. This beta version adds a lot of HIPS features.
     • McAfee VirusScan Plus – Special edition from AOL - Replacement for AOL ActiveShield. Includes firewall.
     • EQsecure 3.4 (direct link) - Fully featured HIPS. Offers full Application, File and Registry control.
     • Neoava Guard beta 3 - Another totally free HIPS comparable with EQSecure, SSM Pro etc.
     • Comodo Memory Guardian (beta) - Protection from buffer overflows. Will be future part of Comodo security suite. See here for more information.
     • RGguard - SiteAdvisor competitor, adds a toolbar that advises you about dangerous executables on websites.
     • RunScanner - Promising auto-starts listing tool. Version 1.0 just released.
     • MANDIANT Red Curtain - Interesting tool that tries to determine heuristically how dangerous a file is based "on entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat 'score'". For advanced users.
     • ThreatFire (beta) - Renamed CyberHawk. This security HIPS program detects malware based on behavior. This new beta includes fully configurable advanced custom rules (formerly only for paid version) for the free version.
     BE CAREFUL, MOST OF THE ENTRIES IN THIS THREAD ARE BETA. USE AT YOUR OWN RISK!
  18. Again I would like to stress that uploading your report online is strictly OPTIONAL. It works fine without doing this, you can also save a txt file (.run) locally.
  19. RunScanner 1.0 is finally out! Final release!
     Changelog 1.0 (final release)
     • Rewrite of the "beginner - wizard" screen
     • Added version check in beginner mode
     • Added list of specialist helper forums
     • Removed "no zone defined" entries from trusted zones
     • Whitelisted microsoft trusted zones in textlog:
     • Whitelisted 063 default items
     • Whitelisted 036 default items
     • Whitelisted "::1 localhost" in vista hosts file
     • Whitelisted default 180 entries in log file
     • Whitelisted default 106 entries in log file
     • Fixed bug with incorrect "file not found"
     • Several other small bug fixes
     http://www.runscanner.net/
  20. "The outbound traffic is to clr.microsoft.com and to verisign to check the authenticode signatures of the files. (there is a warning on the top of the first screen) A "Quick scan" in expert mode doesn't do this check." This is harmless, don't believe me, use a packet sniffer and you can see exactly what is being "sent". This is actually one of the best features of RunScanner actually, so you can filter out obviously safe entries. And no, it doesn't store information on the online database, not unless you select online malware analysis. Even then any and all personal identifying marks will be stripped and it will store it for a maximum of 30 days, and the URL will be a unique URL that you can give to some expert to look at (no one else will know the URL). It's exactly the same as posting on a forum, except the forum will keep your postings of logs forever!
  21. Build 0.9.6.1 uploaded (minor release)
     • Changed : restricted sites/zones are now ignored
     • Redesigned the beginner screen
     • Fixed performance issues with uploading
     As to the question about whether I'm the developer, the answer is no. I'm just one of the 'agents' (er shills) of RunScanner. Sorry for the confusion, I was just using the template the author developed. As penance for not doing the quotes thing I will not post here in the future.
  22. Runscanner 0.9.6.0 released (almost final version) http://www.runscanner.net
     New feature : "Beginner mode" is targeted at "novice" forum users. Let me know your thoughts/remarks. I'm looking for some people to test this on "real" infected machines.
     Changelog 0.9.6.0
     • Fixed bug with links to folders in global startup.
     • Fixed description bug with internet explorer buttons (added buttontext)
     • Fixed bug with incorrect host file path
     • Fixed bug with importing of existing .run file (history)
     • Fixed bug 063 fix not working
     • Fixed bug difference string / expandstring in registry
     • Signed executable with authenticode certificate
     • Changed icons for signatures (green, blue)
     • Changed textlog for tasks items (added description)
     • Added : Beginner, expert mode (wizard)
     • Added : Backup & restore function
     • Added : Scheduled jobs now show the application started by the job
     • Added : free filter/search (you can now search on part of words ex: "f-secure" show all items with the phrase "f-secure") You can search in path,executable,company,md5
     • Added : filesize to .run file
     • Added : extra info window (easy for debugging and to copy/paste)
     • Added : basic tutorial to the site
     • Added : extra backup info window in the history tab
     • Added extra vista UAC support
     • Added vista support : now program asks to run as administrator by default
     • Added item : 001 : hosts file location
     • Added item : 001 : hosts file entries <> 127.0.0.1 (count)
     • Added item : 047 IE trusted zones
     • Added item : 048 IE ESC trusted zones
     • Added item : 008 Autorun registry entries .default user
     • Added item : 009 Autorun registry entries System user
  23. Take a look at the following list of free anti-rootkits. It's divided into Anti-rootkits by Antivirus Companies, Relatively well known antirootkits and Others. It's somewhat dangerous to use anti-rootkits from unknown sources, hence the categories above will help you decide. Rootkits from AV companies should not be malicious, and well known anti-rootkits are probably not malicious as well given the amount of scrutiny they have been subjected to. That said, even if the anti-rootkit is not malicious on purpose it is still possible to damage your computer because of either user error or incompatibilities. Users running Kaspersky based engines should be particularly careful.