rhythmnsmoke

Member, 142 posts, United States

Everything posted by rhythmnsmoke

  1. And exactly who is it that I would be able to trust, and why would I trust them? You see, there is no surefire way of avoiding handing it out to "just anybody", because everyone in here is "just anybody" to me. Yes, that is my next task. I printed off their User Guide for the software, and will be reading it over. I will also be downloading a limited ver. of it onto my little Vaio. A lot of the time, you come across software that has many of the features that we have, but where the difference lies is how they operate. Sometimes it boils down to "HOW" things are done as opposed to you actually being able to do it. True, some of our security features can be duplicated with System Drivers. But we all know that in the corp./gov. world, as I explained, we have defined a new tier in computer security, and they are now requesting that you be able to operate in safe mode. So, if it can't do that from the start, then we know the outcome. But I will be testing it here shortly.
  2. What's stopping me from doing the same thing? 7,300+ views from my first ever post; I think I'm doing a good job at that. And I'm able to actually show people first hand, so who would you be able to tell that I wouldn't, without actually giving them the software to prove that it works? What's your credibility? Why would you uninstall software that does what I say it does? Unless you like reading manuals, you will want to ask me technical questions personally. It's not difficult to install, if you read the manual. But it might take time getting used to how it operates. However, most people don't like to read the manual; therefore they resort to contacting technical support. This software is a little different when it comes to installation. Installation is not like typical (run InstallShield and go) software installs. The manual would need to be read word for word. Did you forget that the Home Use ver. isn't available and we are not pushing it out to Home Users, and that I would have to clear something like that? You are just going to have to wait, bro. I do apologize.
  3. In order for me to do any of that:
     1) I would have to ship it to you. Who is paying the cost?
     2) After you install it, you would have to call BBX to authenticate it, because we do not give you an authentication key with the software.
     3) After that, I would have to provide you with technical support.
     4) How will I be sure you removed the software after a period of time (given that we don't have a trial ver. available)?
     Now, what will I be getting out of this deal....lol.
  4. Ok, here is the low-down on how the old Home Use ver. of ImmE works compared to the new PG. Now, this is based off the free downloaded (limited) ver. of PG. There are pros and cons throughout both descriptions.

     PG
     - Does a good job of stopping executables from running.
     - Cannot erase the payload from your machine.
     - Payload has to be executed in order for it to be detected by PG.
     - Does not pick up nor stop un-compiled (script) programs from running.
     - Have to reboot the machine 3 times in order for it to start working.
     - There is no password on the console, allowing anyone to turn it off and on.
     - Does not block the admin tools (cmd, registry, services, msconfig, etc.).
     - Stops execution after it passes to the kernel.
     - Must launch every program you need to use individually. (Very time consuming if you have a 200 GB HDD with a couple of thousand programs that need to run.)
     - It's nothing new, and there is technology that comes with the OS that already does what PG does. Therefore, you pay for something you already have. PG just makes it easier for you to utilize it.
     - You may download programs, and all you have to do is permit the setup program to run and you will be able to install.
     - Provides no protection in Safe Mode. (This feature is going to have merit when you are talking about deploying on a network in the corp./gov. sectors. Not as important for the home market. So, home users do not need this feature per se.)

     Old Home ver. of ImmE
     - Does a good job of erasing the payloads before they have a chance to run.
     - Erases any payload that is not a part of the matrix, as well as payloads that have been moved from one part of the machine to the next.
     - Payloads do not have to be executed in order to be detected and eradicated.
     - Eradicates un-compiled programs, but will not stop them from running if you copy and try to double-click on them real fast before the binary search sweeps them. However, it will knock them out of memory once they do run.
     - May take 1 to 2 sec. to find the payload even on a 200 GB HDD. (The delay is set for a specific reason. See below for the explanation.)
     - Does not intercept the program's execution. Instead, it is designed to knock programs out of the memory stack that do not belong.
     - After installation and the reboot, it builds the matrix automatically for you. All you have to do is wait till it's finished.
     - The console is password protected.
     - Overrides the Microsoft OS privileges (even if you are logged in as admin) to secure the admin tools (registry, services, computer management, etc.). However, it does not secure the command prompt.
     - When downloading software, you have options: you can either filter the setup program into a designated folder, bring down your defenses to be able to deposit the setup.exe program (as in the bank vault scenario I gave earlier in this thread), or, if you were to leave the shields up, when you downloaded the program the Home ver. will ask if you wish to ACCEPT or ERASE the newly deposited payload. If you ACCEPT, it will allow the payload to stay in the machine. However, it will NOT be a part of the matrix of the system; therefore it will (after a period of time) keep asking you to ACCEPT or ERASE it until you tell it to be a part of the matrix.
     - Truly a new design concept and philosophy, not duplicated by other technology.
     - Protection from external device connectivity: payload deposits from devices, and again it will knock programs out of the memory stack if you try to just execute a program off the external device.
     - Does not provide protection in Safe Mode. (Then again, this is the home ver.)

     About the 1 to 2 sec. delay before it sweeps and eradicates the payload: when you download a file, it's going to take a couple of secs. to actually WRITE to the HDD. Obviously you can't erase something that's not there. Also note, if a virus were to try and write to your HDD without your knowledge, it would have to be coded in such a way that it would need to launch at the same time (as it's writing) that it hit the drive. The write and execution would have to be SIMULTANEOUS to squeak by the 1 to 2 sec. delay. And not to mention, it would have to operate in a manner to enter and leave the memory stack so FAST that the Task Manager doesn't even see it. As we all know, there are no viruses that are coded like that, nor have that level of sophistication. Again, this was the old approach to ImmE. This approach is ancient to us now, seeing as how we have evolved into something far and beyond. This approach is still in place. We did not scrap it; we built more defenses on top of it. So, the network version does everything and then some.

     Updates from the network version that will most likely be added to the Home ver.:
     - The ability to intercept before it's passed to the kernel (which means protection from script execution, because it already eradicates them if they are deposited).
     - Securing the command prompt.
     - Further securing of admin tools.
  5. Maybe because it's real. And you can't deny that it's the next step in computer security. I haven't heard of that one yet. But if it's using system drivers, then the answer is no. But I will check it out. Yes, someone did mention Deep Freeze. It is not very practical to use. You have to shut it down just to make a text document. Otherwise, when you rebooted, it would be gone. It doesn't restore your computer back to its normal state until after you reboot. Someone else is going to have to spend the $$, because I don't have it....I'm poor..lol. J/K, I use my money for modding my car, not buying software.
  6. No prob. Like I said, ImmE might not be for everyone. I'm having to format my g/f's mom's computer and re-install the OS. After that I'm putting on our older home use version of ImmE. She did have Norton on there, but it didn't stop her from getting spyware and other viruses when she didn't have the update. And now her license is about to expire and she doesn't want to pay to renew it....LOL. So, I'm just going to throw our stuff on, and I guess I'm going to have to train everyone.
  7. Quote: Here's my recipe: Install WinXP+SP2. Then install Symantec Corp. AV 10 or NOD32 as your AV, Sygate Firewall Pro 5.5.2170 and Lavasoft Ad-Aware SE 1.06. I can guarantee you your PC will be a fortress. This has been my recipe for over 10 years now (a good AV+FW+anti-spyware), and I have never had to deal with a virus/keylogger/etc...

     OMG! What do your license renewals cost you? Don't they charge like an annual fee for you to keep updating with new signatures? All that is good and dandy, until you get a batch file virus.
  8. Guys, as I stated earlier, I believe that PG is just a user-friendly version of Software Restriction Policies (SRP). What ImmE has done, and the way that we are doing it, has not been duplicated thus far by any other product available or unavailable on the market. If I come across one, I will be sure to let you guys know. I am still putting together my comparison of PG (SRP) to our older Home User ver. of ImmE. It does not have some of the features that the network ver. does, so it operates differently, much like the previous approach we were going after. But because our Home ver. will be updated sometime afterwards (after all the "paper-pushing" work), I thought I would go ahead and describe to you the differences in how PG (SRP) uses System Drivers to intercept execution vs. how ImmE intercepts execution and beyond. The older Home ver. intercepts executed programs now, but it does it in a less efficient way than PG (SRP). And PG (SRP) intercepts executed programs in a less efficient way than our network ver. of ImmE. But like I said, the Home ver. has yet to be updated as of 9/7/2004.

     Ok, when it comes to PG (SRP), they use system drivers to do what they do, right. Let me describe the kernel of the OS for you, and how the System Driver approach is different from the ImmE approach to intercepting the execution of programs. The kernel has what's called a PID. That stands for Process Entry/Exit Identifier. Therefore, when a program executes, it has an entry point into the kernel and an exit point from the kernel. When you use the System Driver approach, they intercept the execution of the program when it enters the kernel. Because the kernel processes instructions within milliseconds, if you hold it up from doing what it does, you run the potential risk of generating a protection fault. Therefore, when you intercept code execution using System Drivers, you only have the ability to either permit or deny that execution. You can't analyze it any further, because you are actually holding up the kernel from doing its job. Like I said, if you were to try, you would run the risk of causing a general protection fault. So, the System Driver approach is actually intercepting the code AFTER it has already entered the kernel.

     Well, when it comes to ImmE (as you know, I'm talking about the network ver., because the Home ver. doesn't have it yet, but it soon will be added), where we intercept code execution is actually BEFORE it is passed to the kernel. Where we intercept is described as "intercepting the Shell". The OS has what's called the Command Processor Interface; there are basically 4 levels within the OS. There is the Command Shell (command prompt level), the Shell, the Command Processor Interface (CPI), and the Kernel. ImmE actually bridges the point between the CPI and the Kernel. Therefore, we have the ability to analyze everything before it is actually sent to the kernel. Now, what this means is this: we can take as long as we want when it comes to analyzing code, because we are not holding up the kernel. Because ALL code starts with a ShellExecute, we can analyze scripts (un-compiled programs), modified scripts, code (compiled programs), etc. You see, PG (SRP) can only analyze "compiled code" per se. We can analyze "code" whether it's compiled or un-compiled, as well as track when you open a folder, click on a Start menu button, or browse to folders on the hard drive. Because of where we are intercepting, we can analyze 100% of the computer and know every step taken in it, and not just when code executes. That is just one way of describing how we are independent of the OS. System Driver approach = wait till the kernel tells you something is executing and then intercept. ImmE approach = get it before the kernel knows about it. Also, as you know, booting into safe mode turns off all 3rd party drivers. We were forced to create something new, which you couldn't just easily blow past by booting into safe mode with the F8 key and turning it off.
  9. And you see guys, herein lies the problem with the inability to work in safe mode. For one little simple test:

     Test Case
     1) I had the software in secure mode, and set to PERMANENTLY deny the command prompt (cmd.exe) and the Services admin tool from running. Therefore, every time you try to get to the command line, or the Services menu, it will shut it down before you are able to start it.
     2) Now, I booted into Safe Mode via the F8 key. Within Safe Mode (due to the fact that the software runs off System Drivers, as every other computer security product in the industry does), I was able to launch cmd.exe and also access the Services menu.
     3) I found the Service that runs the PG software, and disabled the service.
     4) I rebooted into normal Windows (XP Home edition) and the icon for the PG software was running, but the software was not protecting the machine. I tried cmd.exe and the Services menu, and now they run.

     I have successfully shut down the PG software in a matter of about 5 min. So far my impression of it is that it's a user-friendly version of Software Restriction Policies (SRP), which comes with Windows XP Pro w/Service Pack 2. And that's free! Now, I'm not trying to get into a peeing contest with this software. But the only way I can seem to make the comparison fair and justifiable is to compare this software to our "OLD" Home ver. of ImmE. The features that I have described to you thus far, which have also led up to the previous 21 consecutive pages, have been all about our Network ver. of ImmE and its capabilities. Our Home ver., which we haven't updated with the new features yet, is dated back to Sept. 7, 2004. It would not be a fair comparison to compare this software to our current release of our Network ver., because ImmE would win hands down. So, what I'm going to do is go back and get out the "OLD Home ver." of ImmE (which we call ImmunePC) and put it on this little Fujitsu that I have here, and do some side-by-side tests.

     PG will not fit into a network corp./gov. environment, due to the fact that: 1) if you were to follow the instructions on how to set it up, it requires that you reboot the machine 3 times for it to complete the protection; 2) you have to manually open every single application and executable that you are going to use, for every single machine that you would install it on. If they can't automate that process, then no corp./gov. environment is going to take a second look at it. And that's just two of the reasons thus far. I have more, but I will save them for my next post. The next post will be a comparison rundown of the "OLD Home ver." of ImmE (dated 9/7/04) and Process Guard.
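A practitioner check for the Safe Mode test in the post above. This is an added example written for this page, not code from the thread or from any product it names. Windows loads a service or driver in Safe Mode only if its service name, its image file name, or its load-order Group is listed as a subkey under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (Safe Mode) or SafeBoot\Network (Safe Mode with Networking), so whether a protection product will still be running after an F8 boot can be read from the registry before rebooting. The script assumes an elevated PowerShell session and takes the service name as a parameter (whatever services.msc or `sc query` shows for the product under test); it reports and changes nothing.

```powershell
# Added example for this page, not code from the thread or from any product it names.
# Reports whether a Windows service or kernel driver will be loaded in Safe Mode.
# Windows decides this from the SafeBoot registry lists: an entry loads in Safe Mode
# only if its service name, its image file name (e.g. foo.sys) or its load-order
# Group appears as a subkey of SafeBoot\Minimal (Safe Mode) or SafeBoot\Network
# (Safe Mode with Networking). Anything absent from both lists is off in Safe Mode,
# which is the situation the post above describes.
# Requires an elevated PowerShell session. The service name is supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceName      # name as shown by services.msc or "sc query"
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path -Path $svcKey)) {
    throw "No service or driver named '$ServiceName' is registered."
}
$svc = Get-ItemProperty -Path $svcKey

# Names the SafeBoot lists might carry for this entry: the service name, the image
# file name, and the driver load-order group (if the entry has one).
$imageLeaf = $null
if ($svc.ImagePath -and ($svc.ImagePath -match '^\s*"?(.+?\.(?:exe|sys))')) {
    $imageLeaf = [System.IO.Path]::GetFileName($Matches[1])
}
$candidates = @($ServiceName, $imageLeaf, $svc.Group) | Where-Object { $_ }

function Get-SafeBootHits {
    param([string]$Mode)   # 'Minimal' or 'Network'
    $base   = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Mode"
    $listed = (Get-ChildItem -Path $base).PSChildName
    # Registry key names are case-insensitive, and so is -contains.
    return @($candidates | Where-Object { $listed -contains $_ })
}

$minimalHits = @(Get-SafeBootHits -Mode 'Minimal')
$networkHits = @(Get-SafeBootHits -Mode 'Network')

# Type: 1 = kernel driver, 2 = file-system driver, 16/32 = Win32 service.
# Start: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled.
[PSCustomObject]@{
    Service         = $ServiceName
    Type            = $svc.Type
    Start           = $svc.Start
    ImageFile       = $imageLeaf
    Group           = $svc.Group
    LoadsInSafeMode = ($minimalHits.Count -gt 0)
    LoadsInSafeNet  = ($networkHits.Count -gt 0)
    MatchedBy       = (($minimalHits + $networkHits) | Select-Object -Unique) -join ', '
}
```

Save it as, say, Test-SafeBoot.ps1 (the file name is an assumption) and run `.\Test-SafeBoot.ps1 -ServiceName <name>`. A result of LoadsInSafeMode = False is exactly the situation in steps 2 and 3 above: the product is not running in Safe Mode, and anyone who can reach services.msc there can change its Start value. A product that does want to survive Safe Mode registers itself in those lists, which is also what you would inspect when evaluating the "works in safe mode" requirement the thread keeps returning to.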
  10. Unless you are running a different ProcessGuard than I am, it doesn't work in safe mode. I also downloaded it onto a little Sony Vaio. Booted into safe mode, and it was shut off. Unless there is some feature you have to configure/turn on, then let me know, because as of right now, it was disabled when I booted into safe mode. I'm so used to ImmE's automatic ability that I might have overlooked something I needed to configure. This is just one thing I have already done. I have also run batch files on it, which it doesn't stop either. Also, just from having it only a few hours, I have come to the conclusion that this is borderline Software Restriction Policies. It does the same thing, and is run off System Drivers, which are disabled when in Safe Mode. I will give some more detailed analysis on it after I have time to play around.
  11. Quote: That could simply mean that they won't guarantee it can't be hacked. Just like disinfectants say "destroys 99.99% of germs and bacteria". Can't say 100% because if anyone ever proves them wrong once, it could lead to a false advertising lawsuit.

      IC, good point. Hope you're right about that. *Edit* Is this a home user software, or do they market this to commercial/gov. business? If they market to com/gov., what I would like to know is: does the software stop Admins from shutting it off?
  12. I think I will play with it myself, when I have time. I will put it through just a couple of sample tests that we had to go through when we came up against the RED team hackers. You may try them as well. I'm not too sure if you have multiple computers, but you will need one machine with PSTOOLS on it. Freely downloaded software that is designed to allow administrators to gain access to a machine remotely. Take PSTOOLS to it to see how it holds up. Also, when you get PG running, boot into safe mode to see if it gets turned off. That is just some things to start with. A lot of the description sounds like it protects other applications from being terminated, i.e. firewall, AV software, etc., and not the entire machine (I could be wrong, only time will tell). And when it explains that it "Determines which programs are being executed on the machine", does that apply to both Compiled and Non-Compiled programs? What keyloggers does it not block? And why does it not block those?
  13. Sir, we have the ability to install new software without shutting down ImmE completely. You can tell it to allow you to install, but not allow those executables to stay within the matrix. Kind of like test driving the software (we call it shutting down the probe). If all is good and well with you, THEN tell ImmE to shut down completely. You are jumping ahead and assuming things, before even asking. Ask and you shall receive. Again, replacing AV. And yes, it works 10 times better in business environments, because they don't just blindly download stuff off of untrusted sites like home users do. And neither do I on my home PC. Don't trust everything from every website to download. The software puts the power over the PC in the user's hands. If this were to happen with AV, and it's an unknown virus, then your machine is hosed. If (as they are starting to do now) this was a virus designed to attack your AV, then how is your AV going to protect you if the virus shut it down? This will not happen with ImmE, because it knows everything that shell executes. *Edit* A computer can't reason; you have to do the reasoning for it. How many times have you ever downloaded software from a trusted site that contained malicious code? 0 to none, probably. Now, count how many times you get infected unknowingly just by opening an e-mail, surfing to a site....a vast majority of all infections are NOT created by you downloading programs blindly. Surely you don't just go download any and everything from anywhere to your box, do you? You are not looking at their whole solution. Taken directly from their website... Exactly how many drivers and processes are you going to have to deny? Is that time consuming? By the way, leaving code on the machine is not good. ImmE again, is automatic. Nothing needs to be told to allow or deny. If it don't belong, it don't belong. Does this also prevent the execution of new/previously modified scripts? I might download it just to find out.

      Also, I think I read that the software runs off of system drivers. And if you saw before where I stated the problem with system drivers (speaking from an internal hacker threat), you just boot into Safe Mode and turn off the software, therefore bypassing their solution. We have to approach the consumer market with caution, because this software is a different beast altogether. So, I can imagine the influx of tech. support to go along with people trying to figure out how to operate it (been there, done that!). You know, although for every 10 houses you find, 8 might have a computer in them, for every 1,000 users you find, 2 might actually know how to really work one.
  14. I predict something like that will be available either later this year or early next year. Who is smam? By the way, Dondamm was in the last demo. He probably will be on here to give his thoughts on the software.
  15. Man, this brings back memories. I haven't mentioned this before in the previous pages, but here is the story. My boss and I went to this government facility for a formalized test of ImmE. The people testing are like a liaison between the Gov. and the commercial world. Whatever they say is good, the gov. seeks to acquire. Now, keep in mind, the technology they were testing on was our "OLD" stuff. It was like ver. 8.1. We are now on ver. 8.2.1. 8.1 did not have the ability to analyze every executable before it was passed to the kernel. What it could do was monitor the memory stack, and kick things out of memory that didn't belong there. Anyhow, they took a CD with 600+ some odd viruses on it. They turned off the AV that was already on the machine. I think it was Norton. So, the only thing that was running was ImmE. They launched all 600+ viruses against ImmE from this CD, and then afterwards turned the AV back on to do a scan to see how many viruses were able to infect the machine. Norton came back with 0 infections. And that is with our "OLD" stuff. If this was the new system, the viruses wouldn't have been able to run in the first place. With the new stuff, they wouldn't even have made it to the memory stack, just to be kicked out of it.
  16. I have not played with this software in particular, but just by reading some small descriptions from the website I can already point out a couple of little things. If you click on Products, and read the first description, it notes that they keep a "database" of known trojans. That's difference #1. It states that it updates daily. Wonder how much system resources that takes up? Also it updates daily, but how often does it scan? I haven't read everything, so I'm still looking. The next 2 products sound like they monitor network points. We are host-based. And the last product describes that it uses heuristics and rules, which is an approach we don't use either. We have one simple rule..."Nothing comes in unless you let it in". Whooaa! I just read like the first couple of sentences from that thread, and I picked out another difference immediately. Nothing of the sort is done with ImmE. We stay out of the way of Windows. Upon reboot, you do nothing, except wait for ImmE to do its analysis and "automatically" build its policies for every executable on the machine. Is there a network version of this software? I wonder how you do that in a network deployment type environment, if you have to manually open every "most used" application. What do you have to do if you miss a program? Do you then have to go and reconfigure the software every time you run across a program that you forgot to add at reboot? For instance, not too many people use MSPaint. But when you need it for that one time, do you then have to go configure the software to allow it? Again, I haven't finished reading, so I'm just asking some random questions. But it already sounds like a different animal than our software. It seems their software is geared a lot towards giving information about your OS, and giving you the ability to configure certain parts of your OS. No configuration is needed for ImmE. It's locked down "automatically". Here is another example.

      They made a little utility to monitor your registry, and it will alert you when something changes in it. Here was the graphic taken from the site. It gives you a yes or no option. If this was a virus trying to change the registry, with ImmE you wouldn't see this option, because the virus wouldn't even make it this far. It wouldn't even run, because it would be killed to begin with. Not after the fact that it tried to make a change. *EDIT* Also taken from their website: This is very interesting. Does this mean they change something in the OS for Trend to think it is spyware? ImmE changes nothing in the OS to do its job. We don't even install an executable in System32 or the Windows folder. Because we are independent of the OS, you wouldn't have this problem.
  17. Quote: I feel like we're going around in circles again...

      Lol...I don't know how else to explain it to you. It can be worked out is all I'm saying. *EDIT* Just thought of a better way of explaining it to you. Ok, say you have a virus that is asleep on the machine, and you didn't use your old AV to find if there was one there to begin with. And you install ImmE. When that virus wakes up, 9 times out of 10 it's going to drop more executables and .dll's onto your machine to help it do its job. Usually in the Windows folder and System32. When those get dropped, ImmE is going to know about it, report it, and eradicate those new .exe's and .dll's, therefore destroying the virus's ability to do anything. You will know the forensics of what those .dll's and .exe's are, and you could Google them to find out what their origins are. The second situation is if the virus is already active on your machine. Wouldn't your machine already be hosed if that was the case? You probably would have to format your machine anyway in that case. Not to mention, if AV was successful in combating a virus already active on the machine, then they wouldn't release free tools from their website, or explain how to get rid of a particular virus. Keep in mind, our job is not "cleaning" up the mess after you already made it. Our job is making sure the mess never happens to begin with. "Cleaning" already infected machines is another business in itself.
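The inventory idea that runs through this thread (post 4's "matrix" of known executables, and post 17's point that a waking virus usually drops new .exe and .dll files into the Windows and System32 folders) can be shown as a plain file-hash allow-list. The following is an added example written for this page, not code from the thread or from ImmE: it builds a SHA-256 inventory of executable content under a root, stores it, and on a later sweep reports anything new, modified or missing. The paths in the usage comments are assumptions, and the sweep only reports; it deletes nothing.

```powershell
# Added example for this page, not code from the thread or from ImmE.
# A file-hash allow-list: inventory the executable content under a root once, then
# on later sweeps report anything that is not in the inventory (NEW), has changed
# (MODIFIED) or has disappeared (MISSING). This is the "build the matrix, then treat
# what is not in it as foreign" idea in plain form. It only reports; nothing is deleted.
$ExecutablePatterns = @('*.exe', '*.dll', '*.sys', '*.scr', '*.com',
                        '*.bat', '*.cmd', '*.vbs', '*.js', '*.ps1')

function Build-Baseline {
    # Returns a hashtable of full path -> SHA-256 for every matching file under $Root.
    param([Parameter(Mandatory = $true)][string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File -Include $ExecutablePatterns -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { $table[$_.FullName] = $h.Hash }   # skip files we cannot read
        }
    return $table
}

function Compare-Baseline {
    # Re-inventories $Root and returns one record per difference from $Baseline.
    param([Parameter(Mandatory = $true)][hashtable]$Baseline,
          [Parameter(Mandatory = $true)][string]$Root)
    $current = Build-Baseline -Root $Root
    $changes = @(foreach ($path in $current.Keys) {
        if (-not $Baseline.ContainsKey($path)) {
            [PSCustomObject]@{ Status = 'NEW';      Path = $path; Hash = $current[$path] }
        } elseif ($Baseline[$path] -ne $current[$path]) {
            [PSCustomObject]@{ Status = 'MODIFIED'; Path = $path; Hash = $current[$path] }
        }
    })
    $missing = @(foreach ($path in $Baseline.Keys) {
        if (-not $current.ContainsKey($path)) {
            [PSCustomObject]@{ Status = 'MISSING';  Path = $path; Hash = $Baseline[$path] }
        }
    })
    return $changes + $missing
}

function Save-Baseline {
    # Persists the inventory as JSON so a sweep can run after a reboot.
    param([hashtable]$Baseline, [string]$File)
    $Baseline | ConvertTo-Json | Set-Content -Path $File
}

function Load-Baseline {
    param([string]$File)
    $obj = Get-Content -Path $File -Raw | ConvertFrom-Json
    $table = @{}
    foreach ($p in $obj.PSObject.Properties) { $table[$p.Name] = $p.Value }
    return $table
}

# Usage (the paths are assumptions; pick a root you actually want to watch):
#   $b = Build-Baseline -Root 'C:\Windows\System32'
#   Save-Baseline -Baseline $b -File 'C:\baseline.json'
#   ... later, or after a reboot ...
#   Compare-Baseline -Baseline (Load-Baseline 'C:\baseline.json') -Root 'C:\Windows\System32' |
#       Sort-Object Status | Format-Table -AutoSize
```

The caveat post 4 already concedes applies here too: a periodic sweep has a window between a file landing on disk and the next comparison, so a dropped executable that runs immediately is reported after the fact rather than blocked. Blocking at execution time is a different mechanism (an execution policy such as SRP, or a driver), and that difference is the trade-off the thread is arguing about.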
  18. By the way, I am looking to have my next live demo tomorrow after work. That's 5:00pm Central time. For those of you who have sent me your e-mail, you should be getting those instructions on how to join in live meeting tomorrow. If you can't make it, then catch it next time. *Edit* That's July 8th, after 5pm central time.
  19. Maybe somewhere in the far distant future, someone might be able to write a virus to try and get past our system. The point is that virus writers are going to have to go back to the drawing board and create new code to do that. And that is going to take forever and a day. You are going to have to attack ImmE before you can attack the computer. With traditional AV, there is no need to bring down the AV to successfully bring down the computer.
  20. Quote: Sir, you are still missing the point. It replaces AV even for those people. You will know when you have a virus or not. At some point, your machine is going to start acting funny. Most people that are not sure if they have a virus will do a search on the odd behavior that their computer is displaying, and find out that way. Also, I assume that before you install ImmE, you would have already had some form of AV software on it. If your AV software hasn't come back with any virus detections, then you can (to some degree) know if you have already been infected before installing ImmE. And if you are that paranoid, then just format your entire computer, install what you need, and then install ImmE. Case solved, no more virus, no more signature updates. Everyone is happy...lol. PS...For those that choose to do so, they can run ImmE with their existing AV software.

      Quote: No, you are missing the point. Short of a format/reload, those people are out of luck using your software after they're infected with a virus. With traditional AV, they at least have a chance of removing the viruses without wiping the whole system. Am I wrong? You said from the start this *REPLACES* anti-virus software. I'm saying it may complement it, but will not replace it. I fail to see how your statement refutes that.

      I fail to see how your statement refutes my statement of taking time to figure out if you have a virus to begin with. Formatting was just an option for those who are paranoid, and think that their existing AV software didn't find the unknown virus. Again, here is your option. 1) Take your existing AV, and do a scan. If it comes back clean, install ImmE, and now you don't have to use AV again. 2) If you don't trust that your existing AV says that the machine is clean, THEN format and install ImmE. Either way, no more need for AV software.
  21. Quote: What? I have only been replying to people's questions. If I double posted, it must be from the browser I'm using. I'm only replying once, I assure you.

      Quote: Use the edit button. You do not have to reply to different people's questions with different posts.

      I have been trying to just respond to questions that have already been answered with a "Read Previous Post" instead of re-answering the question. But then again, this thread is like 19 pages long. What would you prefer?
  22. Twice a month. No big deal. The ImmE shield will drop in a matter of about 30 secs. So, for a twice-a-month install, waiting 30 secs. before you do the download, I don't see that impacting you that much. Also, you have 3 variations on bringing your shield down. It's not a biggie either if you are installing on a daily basis for a couple of weeks. You can suspend the shield of the computer for as long as you need. It will not return to shielded mode until you tell it to. So, you don't fight with anything. You push a button, and voila! it's down. That's the equivalent of plugging in a USB device. No, we are not going to go and erase the HDD. However, you won't be able to launch the executables off of it onto the machine. Again, you still have the option of bringing down your shield for that duration of time. And if you are worried about getting a virus from their HDD, we have ways of still being able to protect your drive, but still allow you to do what you need to do with their drive.
  23. Sir, you are still missing the point. It replaces AV even for those people. You will know when you have a virus or not. At some point, your machine is going to start acting funny. Most people that are not sure if they have a virus will do a search on the odd behavior that their computer is displaying, and find out that way. Also, I assume that before you install ImmE, you would have already had some form of AV software on it. If your AV software hasn't come back with any virus detections, then you can (to some degree) know if you have already been infected before installing ImmE. And if you are that paranoid, then just format your entire computer, install what you need, and then install ImmE. Case solved, no more virus, no more signature updates. Everyone is happy...lol. PS...For those that choose to do so, they can run ImmE with their existing AV software.
  24. What? I have only been replying to people's questions. If I double posted, it must be from the browser I'm using. I'm only replying once, I assure you.