SAS-fan

Question about SAS active protection

I saw this question posed in Wilders and thought that it might be interesting to see the opinions here.

A question was raised as to whether to use Windows Defender Active Protection or SAS active protection. The majority of responses voted for SAS. One person suggested to use SAS to detect and remove while using Windows Defender active protections.

I would like to see the developer's thoughts on this. Nick... having followed your posts for some time, I know that you aren't the type of person to say anything negative about a competitive product (which I respect). But I would appreciate your 2 cents on the matter.

lol, Windows Defender... doesn't it still only find about 35% of the known spyware? :S

On January 25, Windows Defender Failed to Block 84 Percent of Most Common Spyware (so 16% didn't get blocked).

And in April I was told it could catch 35% of the known spyware... and that's 4 months ago, so maybe they have improved a bit since...

But unless the program has been improved a lot, Windows Defender isn't very good.

lol, Windows Defender... doesn't it still only find about 35% of the known spyware? :S

On January 25, Windows Defender Failed to Block 84 Percent of Most Common Spyware (so 16% didn't get blocked).

And in April I was told it could catch 35% of the known spyware... and that's 4 months ago, so maybe they have improved a bit since...

But unless the program has been improved a lot, Windows Defender isn't very good.

I'm not worried about how much malware it finds (detects). I know that SAS will find and remove most of the nasties. I'm talking about real time prevention. Which product will prevent the most malware from installing in the first place?

I put more stock in word of mouth and real world use than I do tests. The 2 tests of SAS that I have seen in print were not good, but I know that SAS is a good product.

So I guess I am looking for real world experience as to which program's active protections are more effective.

Can I see those 2 test results? And I don't want to see the one from http://techsupportalert.com, because it tested HIPS and SAS doesn't have HIPS...

And I don't want to see reviews from sites who use the "pay and get a better review than you deserve" model.

And you can't trust most reviews anyway, because a lot don't know how to actually test AS programs as they should be tested (same thing with AV programs).

And I don't believe there's a program that's worse than WD at blocking spyware from installing when it Fails to Block 84 Percent of Most Common Spyware from installing...

(or else it has to be a fake AS program :roll:)

And actually I would like to see a site where I can trust the tests of AS programs; haven't found one yet :cry:.

So what tests are you referencing that determined that Windows Defender only blocked 16% of malware? That's exactly the problem... there seems to be no objective 3rd party testing for antispyware like there is for antivirus.

But back to the question at hand. Why do you feel that SAS active protections are more effective? Is it just your gut feeling? Do you have any real world examples of malware that SAS prevents that WD permits to install? Is an "anti-Microsoft" bias affecting your judgement? (I somewhat despise everything MS myself.)

That's good stuff there. Not sure I would trust Webroot's data, as they are obviously pushing Spysweeper. But it is good that a neutral third party recommends SAS.

I really like SAS. Nick provides excellent support. The product does a great job at detecting and removing spyware. Even if it didn't have active protections I would buy this product (as I did) simply to support Nick's cause. I think he has offered the general public a tremendous product for free. I did my part to show him my support.

Now, have any sources that you trust given SAS's active protection good reviews? That's the part I am still trying to figure out. It's not good enough to say that Windows Defender active protections are lame. The point is to show that SAS's active protections are better, or less lame. What if SAS's active protection also misses 84% of the spyware according to Webroot?

I guess I am looking for a little balance from your response. No doubt that SAS is a great product with rock solid support. I just want some real world data on how effective its active protections are. I am going to use SAS as my main scan engine to eliminate spyware. Now I just need to determine if I should use SAS active protection or if there is another product that I should trust more for real time protection.

So Webroot's comparison just happens to show 100% detection for Spy Sweeper. How convenient.

I disinfect systems on a daily basis and examine the logs. I've never seen most of those "15 of the most common variations of malware".

Where is Registry Cleaner, Drive Cleaner, WinAntVirus, MediaCodec, Vundo?

EXACTLY.

There just aren't many sources of unbiased info out there. The Webroot info is simply trying to push Spysweeper, which is a bloated product in my opinion.

SAS seems to be the best if not one of the best at removing spyware.

EXACTLY.

There just aren't many sources of unbiased info out there. The Webroot info is simply trying to push Spysweeper, which is a bloated product in my opinion.

SAS seems to be the best if not one of the best at removing spyware.

Bloated and a resource hog.

SAS is quickly becoming the scanner of choice for malware hunters, and it easily crushes SS on many levels.

That's good stuff there. Not sure I would trust Webroot's data, as they are obviously pushing Spysweeper. But it is good that a neutral third party recommends SAS.

I really like SAS. Nick provides excellent support. The product does a great job at detecting and removing spyware. Even if it didn't have active protections I would buy this product (as I did) simply to support Nick's cause. I think he has offered the general public a tremendous product for free. I did my part to show him my support.

Now, have any sources that you trust given SAS's active protection good reviews? That's the part I am still trying to figure out. It's not good enough to say that Windows Defender active protections are lame. The point is to show that SAS's active protections are better, or less lame. What if SAS's active protection also misses 84% of the spyware according to Webroot?

I guess I am looking for a little balance from your response. No doubt that SAS is a great product with rock solid support. I just want some real world data on how effective its active protections are. I am going to use SAS as my main scan engine to eliminate spyware. Now I just need to determine if I should use SAS active protection or if there is another product that I should trust more for real time protection.

variants of common malware programs like DollarRevenue Trojan, PeperTrojan, and Playboydialler that made it by Windows Defender. Some of the variants were recently released, though others dated back to 2006,
http://www.infoworld.com/article/07/01/ ... ack_1.html

And PC Tools have tested the program too; it did better but it's still very bad. http://www.pcadvisor.co.uk/news/index.cfm?newsid=8474

And if the test results were wrong and Windows Defender is good at blocking spyware and their tests are wrong, I'm pretty sure Windows would say/do something about it...

But Windows did decline to comment on the test results that Webroot made...

And yes, of course Webroot did find 100% of the spyware they used to test Windows Defender, since it was malware from their database they used to test Windows Defender...

And if they go out and say the same thing about SAS, I am sure that Nick will prove they are wrong, and I think SAS real-time protection blocks about 86%.

And there really isn't much to choose between; the best antispyware products are: Spyware Doctor, AVG Anti-Spyware, SAS, and SpySweeper. (and I think I forgot 1)

AVG and SAS are very, very equal when it comes to the real-time, but I like SAS a lot more :lol:

Spyware Doctor: I have heard the TRIAL version is better than the paid version... (it finds spyware when you try it, and when you then buy it it's suddenly gone... I don't like any products that use that way to sell their product....) I don't know how good their real-time is though...

SpySweeper: I have heard it's a bit better in real-time protection than AVG and SAS, but both AVG and SAS beat it when it comes to scanning the computer. And I have heard SpySweeper slows down the computer...

(I have written this based on what I have seen people say on different security sites, so what I have written can be wrong.)

This basic question (Defender v SAS real time protection) is of more than academic interest to me. At present I have the AVG Security suite - which effectively means I have AVG antiMalware's real-time protection; and with this I also have Defender running with rtp. They work comfortably together, and Defender doesn't add much in the way of resource usage. The idea, of course, is that if the AVG misses something, then Defender might catch it.

However, recent experience with my daughter's computer has made me seriously question whether Defender's real-time protection is worth anything - see the story here:

https://forums.superantispyware.com/viewtopic.php?t=838

Obviously this is not a scientific test - but I'd have no trouble believing that SAS's rtp is likely to be significantly better than Defender's, which was totally ineffective in this instance.

So I'm now particularly interested in a variant of SAS-fan's question: I like the convenience of the AVG security suite, so I'm likely to keep that. But what would happen if I ditched Defender's rtp and replaced it with SAS (upgrading my free SAS to Pro)? Has anyone tried running SAS's rtp alongside AVG antimalware/antispyware's rtp? Do they have issues with each other? Does the resource usage become intolerable?

This basic question (Defender v SAS real time protection) is of more than academic interest to me. At present I have the AVG Security suite - which effectively means I have AVG antiMalware's real-time protection; and with this I also have Defender running with rtp. They work comfortably together, and Defender doesn't add much in the way of resource usage. The idea, of course, is that if the AVG misses something, then Defender might catch it.

However, recent experience with my daughter's computer has made me seriously question whether Defender's real-time protection is worth anything - see the story here:

https://forums.superantispyware.com/viewtopic.php?t=838

Obviously this is not a scientific test - but I'd have no trouble believing that SAS's rtp is likely to be significantly better than Defender's, which was totally ineffective in this instance.

So I'm now particularly interested in a variant of SAS-fan's question: I like the convenience of the AVG security suite, so I'm likely to keep that. But what would happen if I ditched Defender's rtp and replaced it with SAS (upgrading my free SAS to Pro)? Has anyone tried running SAS's rtp alongside AVG antimalware/antispyware's rtp? Do they have issues with each other? Does the resource usage become intolerable?

How do you know AVG antispyware and Windows Defender work comfortably together? If you get spyware and they both try to stop it, they may conflict and won't protect you from the spyware.

The latest comparison I've seen on the ones mentioned above was through this forum:

http://www.pctools.com/forum/showthread.php?t=48657 (with link to PC Mag test)

The main thing that worries me about SAS is the lack of key-logger protection. I do all my banking on the net, have a lot of customers using my comps ordering tickets with credit-cards so 'total' banking security is a must on my comps. Key-logging protection is high on the demand list.

Running SD V5 (licenced)/AVG Free on a laptop and two Dells with McAfee.

On all I have SAS Free as alternate/test for the time being.

How do you know AVG antispyware and Windows Defender work comfortably together? If you get spyware and they both try to stop it, they may conflict and won't protect you from the spyware.

Well, it would be nice to have a definitive answer to that question, but of course it's unanswerable. At least - it's only answerable by setting up a machine with both AVG's and Defender's rtp running, and throwing a mass of malware at it - a test which I don't have the resources or ability to carry out. What I do know, however, is the following:

1. On the one occasion during the last year when malware did try to install itself on my computer, AVG picked it up and quarantined it immediately with no interference from Defender.

2. There have been a couple of AVG false positives (later confirmed by AVG) during that time. On neither occasion did Defender interfere with AVG's action.

3. One thing that Defender's rtp is very good at is notifying me of basic system changes. AVG has never interfered with this activity.

4. If I open, let's say, Internet Explorer, while watching what happens in Task Manager, one can see avgrssvc.exe (the AVG resident shield) leap into action, followed a couple of moments later by MsMpEng.exe (the Defender rtp equivalent). They each do their checking without interference with each other. In the 10 months I've been using this combination, no errors, and no false positives have ever been generated by such interaction.

It's on that experience, over an extended period, that I base my statement. And incidentally, in replying to your post I've reminded myself of one big advantage of running them together: Defender may be poor at recognising malware directly, but its rtp does monitor system changes mercilessly, and that's invaluable information that AVG does not supply. If something fiddles with my hosts file, sets a new startup, or makes any other system change, I know Defender will alert me to that. So actually, I think I've now answered my own question. Defender is worth sticking with, for this reason alone.

The main thing that bothers me about SAS's realtime protection is that when I use the "trojansimulator" to test SAS, SAS flags "trojansimulator.exe" and pops up an alert saying that it blocked the "malware" from running, yet "trojansimulator.exe" is still running! In other words, based on that test, SAS actually has no realtime protection... it will pop up alerts saying that it blocked "malware" from running, but the malware is still running...

I tried reporting this to SAS but they replied that since the "trojansimulator" is not actually real malware it doesn't matter that SAS fails to block it from running... Well, I understand that the trojansimulator is not real malware, that it is just used for testing programs like SAS... The problem is that SAS fails to block it from running... If SAS fails to block "trojansimulator.exe" from running I can conclude that it would likewise fail to block any other "malware" from running...

SAS says that if I can manage to find some mysterious website with some mysterious malware that mysteriously tries to run on my computer, then I will see that SAS will block it from running...

Well, it is too much trouble for me to risk infecting my computer with some mysterious malware just to prove that SAS fails to actually block malware from running (and then having to spend several hours reformatting)... I can do that with the trojansimulator, without any risks...

I hope that, one day, SAS's realtime protection will actually work because I would like to use the program for realtime protection...

I don't understand why no one but me, it seems, thinks that it matters that SAS fails to block malware from running... Yes, you will get your popup alerts saying that SAS blocked the "malware" from running, but the "malware" is still running...

Maybe there are some others who are "experts" who can use real malware to demonstrate that SAS's realtime protection actually does block malware from running... I have asked for anyone to demonstrate to me that SAS's realtime protection actually works... I have seen posts where people have said that they, like me, have seen SAS pop up alerts saying that it blocked malware from running, but was the malware actually blocked from running? In my case, the answer is NO...

P.S. Regarding the "trojansimulator", even if SAS has no realtime memory-scanning, which I presume that it doesn't have, I still think that SAS should add detection for the "tserv.exe" process and for the simulator's startup regkey so that it can be demonstrated that the manual on-demand scanner works properly... (SAS only has a pitifully poor detection of the trojansimulator, where "tserv.exe" and the startup regkey are not flagged when running a manual on-demand scan with SAS while "trojansimulator.exe" is flagged)...
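The two threads of this discussion, Defender's monitoring of the hosts file and startup entries a few posts up and the question here of whether an "I blocked it" alert matches what the machine actually shows, come down to the same check: compare system state before and after the test run. As an added example (not code from this thread, from SAS, or from any vendor), the PowerShell script below snapshots the hosts file hash, the per-user and per-machine Run keys and the process list, then reports differences. The process names tserv and trojansimulator come from the post above; all paths and registry keys are standard Windows locations.

```powershell
# Added example: snapshot-and-compare harness for judging a real-time guard by
# system state rather than by its pop-up.  Run it in an elevated PowerShell
# session on the test machine (Get-FileHash needs PowerShell 4 or later).

function Get-SystemSnapshot {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    # Record every Run value as "<key>\<valuename>" -> command line.
    $runEntries = @{}
    foreach ($key in $runKeys) {
        if (Test-Path -Path $key) {
            $item = Get-Item -Path $key
            foreach ($name in $item.GetValueNames()) {
                $runEntries["$key\$name"] = [string]$item.GetValue($name)
            }
        }
    }

    [pscustomobject]@{
        HostsHash  = (Get-FileHash -Path $hostsPath -Algorithm SHA256).Hash
        RunEntries = $runEntries
        Processes  = @(Get-Process | ForEach-Object { $_.ProcessName.ToLower() } |
                       Sort-Object -Unique)
    }
}

function Compare-SystemSnapshot {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After,
        [string[]] $WatchProcess = @()   # process names that must NOT be alive
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($Before.HostsHash -ne $After.HostsHash) {
        $findings.Add('hosts file changed')
    }

    foreach ($key in $After.RunEntries.Keys) {
        if (-not $Before.RunEntries.ContainsKey($key)) {
            $findings.Add("new Run entry: $key = $($After.RunEntries[$key])")
        } elseif ($Before.RunEntries[$key] -ne $After.RunEntries[$key]) {
            $findings.Add("changed Run entry: $key")
        }
    }

    foreach ($name in $WatchProcess) {
        if ($After.Processes -contains $name.ToLower()) {
            $findings.Add("process still running after alert: $name")
        }
    }

    # Emit the list; an empty list yields nothing, so callers wrap in @().
    $findings
}

# Usage: baseline, run the test file with the real-time guard enabled, dismiss
# the alert, then compare.  No findings means the "blocked" claim is consistent
# with what the system shows; any finding is something the guard let through.
$before = Get-SystemSnapshot
Read-Host 'Run the test executable now, dismiss the alert, then press Enter' | Out-Null
$after  = Get-SystemSnapshot
$findings = @(Compare-SystemSnapshot -Before $before -After $after `
                -WatchProcess 'tserv', 'trojansimulator')
if ($findings.Count -eq 0) {
    'No changes detected: the block claim is consistent with system state.'
} else {
    $findings
}
```

The same harness answers the conflict question raised about running two real-time guards: a clean result with both enabled, repeated over several test files, is the evidence the thread keeps asking for.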

If SAS fails to block "trojansimulator.exe" from running I can conclude that it would likewise fail to block any other "malware" from running...

Complete BS of an assumption :roll:

I have tested SAS realtime and can conclude that it has blocked malware on numerous occasions, so your assumption (logic) is flawed and incorrect.

As someone in the trenches of malware research I am not afraid to get my victim PC *hosed* or to test various software etc. against real life malware infections and not simulators.

i don't understand why no one but me, it seems, seems to think that it matters that SAS fails to block malware from running.. yes, you will get your popup alerts saying that SAS blocked the "malware" from running, but the "malware" is still running..

Only in the case of the TR simulator, and I think we can establish that it contains no malicious code for SAS to sniff, so again your logic & assumption is wrongly directed.

At this point, until you test real life malware code versus SAS realtime and can see whether it does/doesn't cut it, stop making the assumption that it does not work in the real world with no factual basis to back you up :wink:

FWIW if anyone would like to give me guidance/advice on how to capture footage of my PC as i take it into the darkside for research then i will happily generate numerous proofs to the contrary of what is being assumed by Redwolfe 98

Why is my assumption wrong when SAS pops up an alert saying that it blocked "trojansimulator.exe" from running, yet it is still running?

So you are saying that even though SAS fails to block "trojansimulator.exe" from running, it doesn't likewise fail to block other files that it flags from running?

If you have a sample of malware that you believe SAS actually blocks from running, send it to me and I will try running it on my PC and see if SAS's realtime protection actually blocks it from running...

My email address is "redwolfe_98 at yahoo.com"... You can send the sample as an email attachment, in a password-protected zipped file...

Or, to Nick, of SAS... You have said that if I manage to find a mysterious website with mysterious malware that mysteriously tries to run on my PC then I will see that SAS will block it from running... Well, instead of my spending my life looking for the mysterious website with the mysterious malware that mysteriously tries to run on my computer, just send me a sample of some real malware (or any other file) that you believe SAS blocks from running, and I will try running it on my computer and see if SAS actually blocks it from running...

Understand that I wouldn't be posting about the issues that I mention if I didn't care about SAS and want to be able to use SAS for realtime protection... To "politely", "professionally" tell me that it doesn't matter that SAS's realtime protection fails to actually block the trojansimulator from running because the trojansimulator is not real malware doesn't help... As far as I know, if it fails to block the trojansimulator from running, it likewise fails to block the other files that it flags from running... I want SAS to do what it is supposed to do, to block malware from running... Blocking "trojansimulator.exe" (or tserv.exe, as well) from running is a way to demonstrate that SAS is working properly, which is what the trojansimulator is for, for testing programs like SAS...

Even if SAS does not want people to be able to use the trojansimulator for testing SAS, there should be some way of testing the program to see that it is functioning the way that it is supposed to, without running real malware on your PC just to see if SAS is working properly or not...

Burger King bud :P

The file will be with you shortly + the original source URL that I just downloaded it off 10 mins ago. Password = infected

Commonly known as *free pr0n codec*; in this case it imports Tr DNS changer + friends if not blocked from executing.

  • File vivacodec1086.exe received on 08.22.2007 21:05:19 (CET)
    Result: 9/32 (28.13%)
    Antivirus Version Last Update Result
    AhnLab-V3 2007.8.22.0 2007.08.22 -
    AntiVir 7.4.1.63 2007.08.22 TR/DNSChanger.CA.8
    Authentium 4.93.8 2007.08.22 -
    Avast 4.7.1029.0 2007.08.21 Win32:DNSChanger-NP
    AVG 7.5.0.484 2007.08.22 -
    BitDefender 7.2 2007.08.22 Dropped:Trojan.DNSChanger.PJ
    CAT-QuickHeal 9.00 2007.08.22 -
    ClamAV 0.91 2007.08.22 Trojan.Dropper-2260
    DrWeb 4.33 2007.08.22 -
    eSafe 7.0.15.0 2007.08.22 -
    eTrust-Vet 31.1.5080 2007.08.22 -
    Ewido 4.0 2007.08.22 -
    FileAdvisor 1 2007.08.22 -
    Fortinet 2.91.0.0 2007.08.22 -
    F-Prot 4.3.2.48 2007.08.22 -
    F-Secure 6.70.13030.0 2007.08.22 Trojan.Win32.DNSChanger.jf
    Ikarus T3.1.1.12 2007.08.22 -
    Kaspersky 4.0.2.24 2007.08.22 Trojan.Win32.DNSChanger.jf
    McAfee 5103 2007.08.22 -
    Microsoft 1.2803 2007.08.22 TrojanDownloader:Win32/Zlob!E647
    NOD32v2 2475 2007.08.22 -
    Norman 5.80.02 2007.08.22 -
    Panda 9.0.0.4 2007.08.22 -
    Prevx1 V2 2007.08.22 -
    Rising 19.37.22.00 2007.08.22 -
    Sophos 4.20.0 2007.08.22 -
    Sunbelt 2.2.907.0 2007.08.22 -
    Symantec 10 2007.08.22 Trojan.Zlob
    TheHacker 6.1.8.171 2007.08.21 -
    VBA32 3.12.2.2 2007.08.22 -
    VirusBuster 4.3.26:9 2007.08.22 -
    Webwasher-Gateway 6.0.1 2007.08.22 Trojan.DNSChanger.CA.8
    Additional information
    File size: 208569 bytes
    MD5: 0da6e11386e7c83590e6d7ca7ffd6a9a
    SHA1: d008a553bc988dc4f97efc4460bfe6783fdfb425
    packers: BINARYRES, BINARYRES

28% detection rate at VirusTotal upload, so I've escalated it up onto the MIRT malware listserve for widespread vendor distribution >>>

http://www.castlecops.com/p984719-MD5_0 ... tml#984719

And here's what SAS thinks of it when executed. Please note that the file does not even show in ProcessExplorer during actual realtime interception, identification and blocking :)

[Screenshot: asaai2.jpg]

[Screenshot: sas2xj1.jpg]

HTH:)

PS

Who wants more :lol:

PPS

RED, I would remove your email addy so no one abuses it :wink:

Thanks, fatdcuk... now I have something to play with... :)

It will take me some time to do the testing, I think...

P.S. Burger King is my favorite... :)

No probs, but here's another little clue as to how potent SAS can be. I'm currently using an application firewall in the form of ProcessGuard for execution control (it's very handy both as a security solution and in malware research). In this case (and all others) SAS will intercept *known* malicious code before PG even fires off an execution alert.

One jump ahead of the HIBS, so to speak 8)

If SAS failed to block the code (as claimed) then my application firewall (HIBS) would capture it as it executes, and this is not the case :)

The following screenshot is what happens when SAS realtime is NOT activated and the malware file is executed.

[Screenshot: sasqe5.jpg]

HTH:)

PS Before any eager beavers pick up on the fact that the VirusTotal report shows AntiVir making a positive ID on the file yet AntiVir on my PC being quiet (no alerts): it is because I have the AV realtime guard switched off :wink:

PPS

I let this particular trojan do its business so I could hunt (collect) some more malware files, and here's what the proverbial cat dragged in :P

http://www.castlecops.com/p984746-MD5_6 ... tml#984746

http://www.castlecops.com/p984748-MD5_1 ... tml#984748

http://www.castlecops.com/p984750-MD5_2 ... tml#984750

http://www.castlecops.com/p984752-MD5_9 ... tml#984752

FWIW if anyone would like to give me guidance/advice on how to capture footage of my PC as i take it into the darkside for research

That would be fab! That's one show I would sit up all night for to watch, would give me such a thrill :lol::lol:

I too am too chicken to venture into those depths. Maybe one day when I have 2 PC's to play with :cry:

How do you know AVG antispyware and Windows Defender work comfortably together, if you get spyware and they both try to stop it, they may conflict and wont protect you from the spyware.

1. On the one occasion during the last year when malware did try to install itself on my computer, AVG picked it up and quarantined it immediately with no interference from Defender.

And did you test afterwards that Windows Defender had the malware in its database too? There's a big chance it doesn't when it only (did) block 16%.

And as far as I know AVG antispyware and Windows Defender do conflict...

And as far as I know AVG antispyware and Windows Defender do conflict...

Yours is the first statement I've encountered that there is such conflict, but the mere statement isn't helpful without some evidence. After all, the possibility for conflict exists between any two programs.

I don't claim to be able to answer these questions. I can only report on such limited experience as I've had (see my comments above), or have seen reliable reports about. If I were to see any such reports about conflicts, I would of course review my decision.

I'll put the question to the Defender newsgroup and see what they say.

I'll put the question to the Defender newsgroup and see what they say.

I believe we now have a good answer to this question of conflict, thanks to a suggestion from Dave M at the Defender newsgroups, and to Robin, who's been running some tests on several computers. The upshot is that there is no problem - but Robin may wish to explain exactly what she's been doing, herself, so I'll wait for her to provide the necessary details.
