Thanks for the feedback. Based on what I have been able to see and test with the Desktop Protector product, it isn't completely signature based. Yes, it has its typical signature set aligned with the ISS Server and Network sensor, but v7.0 also has more behavioral intelligence built into it. (If you're familiar with the other ISS products, it has integration of the Protocol Analysis Module (or PAM as ISS calls it), which does allow for a fair amount of customization to fit specific needs.)

It sounds like you're (DjM) running BlackICE 3.5/3.6, which is much more signature based than the current release. I also ran the older version (on my home system) and it operated much like a personal firewall and nothing more; the v7.0 product has picked up a few attacks not attached to a signature (e.g., Blaster). If I were to deploy the ISS product, I would manage it using the SiteProtector console (I think ICECap will be EOL'd soon) and I would only block activity I *know* should not be occurring on the network (and with Microsoft's numerous *features*, this could be an interesting challenge).

Thank you again for the feedback; it is appreciated.

~aberration~