Is a dedicated anti-trojan program really needed?


mmiranda
October 10th, 2006, 07:31 PM
In addition to an anti-spyware program (the new generation programs can detect trojans as well), do you think that a dedicated anti-trojan program really needed? If yes, what would you recommend among the most popular anti-trojan programs (Ewido, a-Squared, Trojan Hunter or BOClean)?

trjam
October 10th, 2006, 07:34 PM
Simple answer, no. If you have the right suite.:)

WSFuser
October 10th, 2006, 07:42 PM
if your antivirus has slightly lower detection rates and/or if u are a high risk, you might want an antitrojan but its not an absolute necessity.

supposedly BOClean is very good as resident protection but theres no trial so i cant tell u much more. it lacks a full on-demand scanner however, so i recommend u keep avg antispyware or a-squared free for scans.

mmiranda
October 10th, 2006, 07:51 PM
Thanks for the input trjam and WSFuser :)

mercurie
October 10th, 2006, 09:33 PM
AVs are getting better and better and better...:) , but for me the answer is still a yes. Keep in mind that attacks can disable security programs, so is it not a good idea to have an extra malware killer like BOClean? I think yes. Just me I guess, and one purchase and you are pretty much done, no yearly renewals ::) ;) ;)

kdm31091
October 10th, 2006, 09:35 PM
I dunno if antitrojan is needed - maybe for on demand but I don't see the need to buy one, with most AV's being between 95-99% as far as trojans go.

mercurie
October 10th, 2006, 09:39 PM
-{ Quote: "I dunno if antitrojan is needed - maybe for on demand but I don't see the need to buy one, with most AV's being between 95-99% as far as trojans go." }-At what point would you say an AV is all you need or would you?

BOClean seems to cover everything except virus. Things just seem to me to be Virus protection and then other malwares.:-\

bigc73542
October 10th, 2006, 09:49 PM
A dedicated antitrojan will handle malware it detects better than an av. Even though some av's detect as many or more trojans than a dedicated AT they usually don't handle them near as well.

JerryM
October 10th, 2006, 11:07 PM
-{ Quote: "A dedicated antitrojan will handle malware it detects better than an av. Even though some av's detect as many or more trojans than a dedicated AT they usually don't handle them near as well." }-

Hi BigC,

I have believed that if one has a top AV, such as KAV, he did not need a dedicated AT. KAV, and others, have a higher detection rate, as near as I can determine from the various tests, than ATs.

Your statement, "they usually don't handle them near as well." makes me think I might not be correct.

In what way do the ATs handle trojans better?
FWIW, I have KAV 6 and Ewido Plus (lifetime license).

Regards,
Jerry

bigc73542
October 10th, 2006, 11:14 PM
A dedicated AT will clean or delete trojans much more reliably than an AV. I agree that some AVs like KAV do detect a lot of trojans but can't clean all they find. Detection and cleaning are definitely two different things. And a dedicated AT is created to handle trojans; it doesn't use its resources looking for anything else.

JerryM
October 10th, 2006, 11:27 PM
-{ Quote: "A dedicated AT will clean or delete trojans much more reliably than an AV. I agree that some AVs like KAV do detect a lot of trojans but can't clean all they find. Detection and cleaning are definitely two different things. And a dedicated AT is created to handle trojans; it doesn't use its resources looking for anything else." }-

Thanks for the reply. I have often wondered what advantage the dedicated AT had.
The lines between ATs and anti-spyware seems to be blurring. I use layering, and since I have lifetime licenses for Ewido, and SuperAntiSpyware I use them.

I have been trying a-squared 2.0 free as a scanner, and am impressed with it as to updates and scanning speed.

Best,
Jerry

Wai_Wai
October 11th, 2006, 06:55 AM
Information to your answer:

Has your real-time anti-trojan ever caught anything?
http://www.wilderssecurity.com/showthread.php?t=93179

comparison of anti-trojan programs and intrusion protection systems when dealing with trojans
http://www.wilderssecurity.com/showthread.php?t=94258

Why bother using any anti-trojan program
http://www.wilderssecurity.com/showthread.php?t=93044


If you wish to know the detection rates of known trojans achieved by Anti-virus programs and anti-trojan programs, go to:
http://www.virus.gr/english/fullxml/default.asp?id=82&mnu=82

Scroll down to the bottom. Then click on: DETAILED TEST RESULTS

You will get Excel files which classify the detection rates by different types of malware. Look particularly for trojan detection rates. Now look for the performances of your interested AV/AT by searching their names.

The best AV can get about 99% detection rates. Most AT cannot even come up with 50%.

Wai_Wai
October 11th, 2006, 07:53 AM
If you ask me, I still don't think an anti-trojan program is necessary if you have a good security suite, ie good AV (eg Kaspersky) + Firewall + AS.

Unless you are using some average AV, the AT should only provide you marginal benefits in real circumstances.

I would prefer adding another type of security product first (eg HIPS), rather than going for an AT. Even if I wish to have an AT, I won't pay for an AT. Simply use a free one if you do wish to have one.

Links about free anti-malware:
http://www.mnsi.net/~jhlavac/freeware/security.htm
(Any more?)

My reasons:
Discouraging AT
- Both AV/AT have the same thing in common: they are mainly signature-based. That means they can mainly detect what they know. Heuristics help, but not much.
- AV has far more signatures than AT. When doing on-demand scans, AVs are going to cover what ATs can detect.
- Both AT and most AV offer memory scanning. However, most AVs' memory scanning is actually process module scanning. So, if by any chance, the AV cannot detect that trojan due to the fact it is specially packed/encrypted (when a program is packed/encrypted, the original file image is changed; if the AV can't unpack/decrypt correctly, it may not be able to detect it even if it is contained in its database).
- Then you run the malware, and the malware will load itself into memory. Since memory scanning in AT is supposed to be stronger than in AV, even if the AV misses it again in the memory scan, the AT may be able to catch it and stop it from harming your system. But how effective is it at preventing what the AV misses? It is a question mark.
- Trojans/keyloggers tend to be more personalised, that is, they only send their "home-made" malware to the selected audience. The researchers cannot even get hold of them at all. How can AV/AT detect such kinds of malware?
- Overall AV and AT are more or less doing the same thing to protect you against trojans. That means they share some common problems or weaknesses. Why not try to install another type of security product which can protect your system (and against trojans) in another approach? It adds much more value to your security.

Other security products:
- HIPS
For newbies, you may wish to use Prevx1. Prevx1 can be used as a set-it-and-forget-it type of HIPS. Unlike other HIPS which will prompt you for security decisions, it uses its central database to help you answer these questions. If an executable file is going to start, it will check the database for the proper answer first (ie allow or block); if it has an answer, it will answer on your behalf. Otherwise it will prompt you for a decision.

The disadvantage is it won't let you control your computer. Everything is controlled by your program. If your program goes wrong, so does your computer. And if you wish to customise/control how the legitimate programs should behave on your computer (you know, some legitimate programs still do annoying/stupid things, and you wish to control them in some ways), you can't.
Note: Prevx1 Expert mode can do this, but currently there are some annoyances.

For users with a bit of computing knowledge (or who don't mind answering the popups), you may choose other classic HIPS which provide learning mode or the like. What is learning mode? Learning mode is to tell the HIPS to learn your system. First ensure your system is clean. Then let your HIPS "learn" your system. After the HIPS finishes learning your system, turn the learning mode off. So it will only prompt for any non-typical activities.

When you are not sure whether you should block the process, block it first. Then see if it affects what you're doing. If not, that means you don't really need to allow it (or it might be malicious).

If you wish to know more, simply google for the process name, or ask in security forums. They can help you most of the time.

For experienced security people or experts, they may use really classic HIPS which will prompt them for every activity/behaviour which is within the control of the HIPS, and let the person decide. Thus they can fully control of what their computers and the programs can do.

- sandboxing applications
You can minimise your risk of being infected by sandboxing some of your applications. This may include your internet client (eg IE, Firefox), mail and newsreader, chatting programs, and any executable files.
Once they are sandboxed, any change made, including infection by malware, is isolated.
The malware is trapped in the sandbox. It can't infect your computer.
After you finish using that program and close it, you can clear any changes with just one button. :)

A graph is probably a good way to tell you how it works.
This graph is taken from sandboxie website.
http://www.sandboxie.com/img/FrontPageSystem2.png


Note:
- Some sandbox applications offer you the ability to save some personal files or settings inside the sandbox.
- It is what sandboxing tools are supposed to do. Sure malware can find ways to break out of it. But after all, any protection/blockage is breakable.

- Virtual Machine
This is a more complete version of a sandbox in that it sandboxes your whole operating system. :) What you do is install another operating system in the virtual machine. So you can try to do anything which may infect your system in the virtual machine, and do only strictly safe things on your host machine.

One way of using a virtual machine as a security tool is to do different things on different machines, ie host or virtual machine. When you are doing something which may be potentially unsafe (eg browsing the Internet, installing new programs and so on), do it on the virtual machine. Thus even if you somehow get infected and you don't realise this, it still can't cause damage on your host machine.

Okay. Let's say you would like to do online banking. Now you can use the host machine (that's only for very secure tasks) to do that job. Is it much more secure than just using 1 computer to do all the things and stuff? Even some of the sneakiest trojans/keyloggers have to shake their white flags. :)

This one is much safer than sandboxing tools. However the disadvantage is you need more resources to run this virtual machine. The virtual machine will also take up your disk space, memory, CPU and so on.

Note: The same thing can be achieved if you have 2 computers. One is test computer. Another is just for very secure tasks.
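The HIPS behaviour described in the post above (a Prevx-style central verdict database, a learning mode that baselines a clean system, then an enforcement mode that only prompts for non-typical activity) can be modelled in a few lines. The block below is an added illustration for this thread, not code from Prevx or any other product mentioned; the process names, actions, verdict table and the "block first" option are constructed assumptions for the demonstration.

```python
"""Toy model of a learning-mode HIPS with a central verdict database.

Added illustration, not code from any product in the thread. Process names,
actions and the verdict table are constructed sample data."""


# Constructed "central database": verdicts the vendor already knows, keyed by
# executable name. A real product would key on a file hash or publisher.
CENTRAL_DB = {
    "firefox.exe": "allow",
    "outlook.exe": "allow",
    "knownbad-sample.exe": "block",
}


class Hips:
    def __init__(self, central_db=None, unknown_verdict="prompt"):
        self.central_db = dict(central_db or {})
        self.baseline = set()          # (process, action) pairs learned as "typical"
        self.learning = False
        # What to do when neither the baseline nor the database knows the activity:
        # "prompt" (classic HIPS) or "block" ("block first, see if anything breaks").
        self.unknown_verdict = unknown_verdict
        self.log = []                  # audit trail of (process, action, verdict, reason)

    def start_learning(self):
        """Learning mode: the system is assumed clean, so everything seen is typical."""
        self.learning = True

    def stop_learning(self):
        self.learning = False

    def observe(self, process, action):
        """Return the verdict for one activity and record how it was reached."""
        key = (process, action)
        if self.learning:
            self.baseline.add(key)
            return self._record(key, "allow", "learned")
        if key in self.baseline:
            return self._record(key, "allow", "baseline")
        verdict = self.central_db.get(process)
        if verdict is not None:
            # Set-and-forget style: the database answers on the user's behalf.
            return self._record(key, verdict, "central-db")
        return self._record(key, self.unknown_verdict, "unknown")

    def _record(self, key, verdict, reason):
        self.log.append((key[0], key[1], verdict, reason))
        return verdict


# Constructed activity streams, as a behaviour monitor might report them.
CLEAN_PERIOD = [
    ("firefox.exe", "network_connect"),
    ("explorer.exe", "spawn_process"),
    ("notepad.exe", "write_file"),
]

LATER_ACTIVITY = [
    ("firefox.exe", "network_connect"),          # typical -> allowed silently
    ("firefox.exe", "write_registry_run"),       # not in baseline, database vouches for it
    ("updater.exe", "write_registry_run"),       # unknown -> prompt (or block)
    ("knownbad-sample.exe", "spawn_process"),    # database verdict: block
]


def run_demo(unknown_verdict="prompt"):
    """Learn the clean period, enforce on later activity, return the verdicts."""
    hips = Hips(CENTRAL_DB, unknown_verdict=unknown_verdict)
    hips.start_learning()
    for process, action in CLEAN_PERIOD:
        hips.observe(process, action)
    hips.stop_learning()
    return [hips.observe(p, a) for p, a in LATER_ACTIVITY]


if __name__ == "__main__":
    for (p, a), verdict in zip(LATER_ACTIVITY, run_demo()):
        print(f"{p:22s} {a:20s} -> {verdict}")
```

The point the model makes explicit is the one the post relies on: the baseline is only as trustworthy as the system was during learning, so anything that was already running while the HIPS "learned" is silently allowed forever after, and the audit log is what lets you review those silent decisions later.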

Wai_Wai
October 11th, 2006, 07:59 AM
-{ Quote: "A dedicated AT will clean or delete trojans much more reliably than an AV. I agree that some AVs like KAV do detect a lot of trojans but can't clean all they find. Detection and cleaning are definitely two different things. And a dedicated AT is created to handle trojans; it doesn't use its resources looking for anything else." }-

Alternatively you may download any removal tool to remove particular trojans. Simply search for the "{trojan name} + removal tools".

By the way, it is a bit too late if the trojan has infected your system. You should stop it cold before it infects your system. The "cleaning" part is the least concerning part. Sometimes even an AT may have difficulty kicking the malware out COMPLETELY. To lower the risk that the malware is still hidden somewhere, I would restore back to the previous clean state. If you don't keep snapshots, do an OS reinstall - the safest.

Devil's Advocate
October 11th, 2006, 08:10 AM
Thank you Wai Wai for your authoritative answer.

Wai_Wai
October 11th, 2006, 11:38 AM
-{ Quote: "Thank you Wai Wai for your authoritative answer." }-

Thank you, but that's not the authoritative answer.
It's just a personal comment/suggestion.

mercurie
October 11th, 2006, 01:19 PM
Wai Wai,
Thank you for your informative and thoughtful responses. They are excellent educational posts for someone who wishes to deal with all of that....

But why:wacko: ???

Just get BOClean and be done with it all. What am I missing? :-\

Removal tools, Sandboxies, (HIPS makes the most sense) or decision making :blink:

Wai_Wai
October 11th, 2006, 02:50 PM
-{ Quote: "Wai Wai,
Thank you for your informative and thoughtful responses. They are excellent educational posts for someone who wishes to deal with all of that...." }-

Thank you very much. :)

-{ Quote: "
But why:wacko: ???

Just get BOClean and be done with it all. What am I missing? :-\
" }-

No single security product is perfect.
Why do you think BOClean can do it all?
If I understand correctly, it is another signature-based anti-trojan program.
(Note: I know it detects more than just trojans, but I think most people would call it as AT)

What does the above mean? That means it will share the same problem other signature-based programs have, ie they only detect what they know.
The detection effectiveness is determined by the size of its database.
Unfortunately I couldn't find any third-party malware test about this program, nor is there any trial available.
But does it come up with what it claims? How many malware can it catch?
Can it still catch the malware when it tries to bypass the detection or attack the application?
(Note: I'm not saying BOClean must be bad. I just don't know. Most people don't either since they judge based on their feeling, or personal experiences)

Or did I get you wrong?

-{ Quote: "
Removal tools, Sandboxies, (HIPS makes the most sense) or decision making :blink:" }-

I can't quite get what you are asking.
But I have updated my post. Hopefully this will clarify something.

Note that you don't need to have all of them. The reasons why I mention all is to introduce you to other possible choices (apart from AT). Everyone has different needs. Just pick one or several which suit you the best.

Personally:
Resident programs:
- 1 AV*
- 1 firewall
- 1 AS*
- 1 HIPS
- 1 sandboxing application
(- or 1 virtual machine)
*: They can be backed up by on-demand scanners (AV/AS). Since on-demand scanners just waste space (I have plenty to waste :P), you can install as many as you wish. ;)

the Tester
October 11th, 2006, 04:06 PM
Short answer:
Yes.BOClean.
AVG Antispyware could be added if you want a scanner.

dr4956
October 11th, 2006, 05:42 PM
Hi everyone, I never hear too much about Trojan Hunter. How does it compare to the rest of the pack of anti-trojans?...

LoneWolf
October 11th, 2006, 06:17 PM
Trojan Hunter? Tried it a while ago, was not very impressed. Maybe that's just me, but back to the question of whether or not a dedicated anti-trojan is really needed, IMO it is. After trying several, I decided on BOClean; it only caught 1 very bad thing that others missed, but worth every penny. Maybe I'm just paranoid but I like to be careful.

mmiranda
October 11th, 2006, 06:25 PM
Very informative posts.

I guess having Ewido/AVG Anti-Spyware (as a realtime and on-demand anti-spyware/antitrojan) + an antivirus with good detection rates (i.e., NOD32) + numerous on-demand scanners would be OK to cover for trojans.

My interest has been piqued by BOClean which is highly recommended by mercurie, the_Tester and travellinman. I wish they had a trial version :dry:

JerryM
October 11th, 2006, 06:49 PM
-{ Quote: "Very informative posts.

I guess having Ewido/AVG Anti-Spyware (as a realtime and on-demand anti-spyware/antitrojan) + an antivirus with good detection rates (i.e., NOD32) + numerous on-demand scanners would be OK to cover for trojans.

My interest has been piqued by BOClean which is highly recommended by mercurie, the_Tester and travellinman. I wish they had a trial version :dry:" }-

Is there a comparative test of BOClean and other similar applications? I am not aware of any, but I would not necessarily know about such.

Best,
Jerry

Wai_Wai
October 11th, 2006, 07:12 PM
-{ Quote: "Very informative posts.

I guess having Ewido/AVG Anti-Spyware (as a realtime and on-demand anti-spyware/antitrojan) + an antivirus with good detection rates (i.e., NOD32) + numerous on-demand scanners would be OK to cover for trojans.
" }-

I won't use AVG. It is just an average anti-virus program for detection sakes.
If you wish to use a strong free AV, Avira AntiVir is the best - free but offering one of the best detection rates, very hard to beat! However, beware of its false positives due to its aggressive heuristics approach. The second option is Avast, which is still better than AVG in detection rates, but is far inferior to Avira AntiVir.

If you are willing to pay, Kaspersky and Avira AntiVir (paid version) are probably the best in detection rates.

NOD32 is good, but not as far as trojans & keyloggers are concerned. I am particularly concerned about trojans/keyloggers and their likes due to their nature and unnoticeable nature. I also do quite many internal tests myself, just to see how good they are.

That's one of my on-demand tests published on the Internet. It is just an informal test. Here's what my research found about the effectiveness of different on-demand scanners. The result is disappointing :(.
http://www.wilderssecurity.com/showpost.php?p=839371&postcount=33

I am surprised to see NOD32 doesn't find as many trojans/keyloggers as I expect.

Another small test relating the detection capability of keylogger of NOD32:
http://www.wilderssecurity.com/showpost.php?p=824219&postcount=67

-{ Quote: "
My interest has been piqued by BOClean which is highly recommended by mercurie, the_Tester and travellinman. I wish they had a trial version :dry:" }-

No, what a shame. :'(

Note: The above recommendations are based on the results presented in AV-comparatives and some other third-party tests too, not subjective or personal feeling/experiences.

Wai_Wai
October 11th, 2006, 07:14 PM
-{ Quote: "Is there a comparative test of BOClean and other similar applications? I am not aware of any, but I would not necessarily know about such.

Best,
Jerry" }-

Not as far as I know.
I wonder whether most comments or recommendations about BOClean are based on personal preferences or experiences.

Not just BOClean; other ATs don't have comparative tests either.
The only site which has recent tests is virus.gr, but it only carries on-demand tests of ATs.
http://www.virus.gr/english/fullxml/default.asp?id=82&mnu=82
Feel free to (mis)interpret the results.
Just to notify you of possible side effects before you read this article: when you read their detection rates, you are guaranteed a complete shock. You probably won't believe your eyes, or won't wish to read any further, or won't wish to buy an AT anymore.

If you wish to investigate further about BOClean, you may wish to read this:
http://www.wilderssecurity.com/showthread.php?t=108929

JerryM
October 11th, 2006, 07:35 PM
By far the majority of us have no real way to make an accurate assessment as to the comparative effectiveness of an anti-malware application. Accordingly we rely on what we can understand to be fair and objective tests. As to AVs it is for me AV Comparatives (AVC) at the top, but I do look at whatever is available.

However, for other anti-malware applications there does not seem to be a test that is even close to being universally agreed upon as AVC is for AVs.
I always wonder when someone states that BOClean for example is the best, what is the basis for that claim? If it is a clean machine, then many of us could claim that our particular AT was the best. The same for the AS type applications.

I agree that the few tests I have seen do not give me a sense of security when the top ones are often much less than 70%.
I do not think I have ever seen a test of BOClean for example.

As for clean machines, I carry a fingernail clipper, and have never been in a plane accident. Conclusion: A fingernail clipper prevents air disasters.
Not very convincing.

So we do the best we can understand, and make the trade-offs between being able to use the computer vs security.

Best,
Jerry

trjam
October 11th, 2006, 08:41 PM
People spend way too much, and listen way too much, when it comes to this stuff.

Wai_Wai
October 12th, 2006, 02:27 AM
-{ Quote: "By far the majority of us have no real way to make an accurate assessment as to the comparative effectiveness of an anti-malware application. Accordingly we rely on what we can understand to be fair and objective tests. As to AVs it is for me AV Comparatives (AVC) at the top, but I do look at whatever is available.

However, for other anti-malware applications there does not seem to be a test that is even close to being universally agreed upon as AVC is for AVs.
I always wonder when someone states that BOClean for example is the best, what is the basis for that claim? If it is a clean machine, then many of us could claim that our particular AT was the best. " }-

Several reasons why people feel an AT is good:
- the AT is *actually* good, worth the price
- they assume it is doing its job, and the computer looks clean and behaves normally. However, unlike a virus, a trojan is designed to hide its existence. If you are not technical enough to look for its trace, you just don't know.
- When a particular AT spots something which their AV misses, they will assume it did detect something. However it may be due to (1) a false positive; (2) your AV is just not good enough (eg AVG); (3) your AV is good, but is weak at detecting trojans (eg NOD32); (4) they are correct. The AT detects a rare malware no AV can detect, so it is worth the price.
- Simply the name/nature of the product - it is called "anti-trojan" or other fancy names, it is a specialised product, so it should be good at detecting trojans.

Some phenomena observed are:
- freeware performs well
When a company offers its security product for free, the public will highly recommend it to others - not because of its performance, but the feeling of "using something for free"
- popular products perform well
If you hear several people mention the same product name again to you, you will start to presume it should be good, at least it can't be bad, or why would many people recommend the same product over and over again? If you understand how the public forms recommendations and picks products, this is not a reliable way to pick a good product

-{ Quote: "The same for the AS type applications." }-
For AS, the website Malware Test (http://www.malware-test.com/test_reports.html) is available to be used as a guidance for performance benchmark.

For AT/AK/AR, no such source exists except www.virus.gr which can give us some clues how each AT/AK product performs. According to its on-demand tests, they are not promising.

-{ Quote: "
I agree that the few tests I have seen do not give me a sense of security when the top ones are often much less than 70%.
I do not think I have ever seen a test of BOClean for example.
" }-
It is because it doesn't offer any trial, so no one can test it before buying.
Also it appears it doesn't have an on-demand scanner.

-{ Quote: "
As for clean machines, I carry a fingernail clipper, and have never been in a plane accident. Conclusion: A fingernail clipper prevents air disasters.
Not very convincing.
" }-
Interesting analogy. :)

-{ Quote: "
So we do the best we can understand, and make the trade-offs between being able to use the computer vs security.

Best,
Jerry" }-

The only way to know whether an AT/AK/AR is good is to:
- do the tests yourself (although the sample size is small, it is better than nothing but subjective feeling)
- read the informal tests done by others
- read www.virus.gr for some clues (its test is not perfect, but again better than nothing but subjective feeling)

Wai_Wai
October 12th, 2006, 04:02 AM
Okay, this is about AT comparative test from AV-comparatives:
http://www.av-comparatives.org/seiten/ergebnisse/atreport2006.pdf

The author who performed the test has mentioned why anti-trojan tests are so few. The author said "due to the low participation level of AT vendors, we don't know if we will carry this test next year".

Guess why AT vendors don't like to compare their products? ;)

Don Pelotas
October 12th, 2006, 11:00 AM
-{ Quote: "Okay, this is about AT comparative test from AV-comparatives:
http://www.av-comparatives.org/seiten/ergebnisse/atreport2006.pdf

The author who performed the test has mentioned why anti-trojan tests are so few. The author said "due to the low participation level of AT vendors, we don't know if we will carry this test next year".

Guess why AT vendors don't like to compare their products? ;)" }-
Although I agree more or less 100% with you about the need (= most do not need it) for an AT... then to be fair it was an on-demand scan test, and the results might have been very different in that test if it was an on-execution test, which I personally would really like to see... a test every 6 months with samples from the last 6 months used; I think there might be a few surprises.... Andreas/IBK, what do you think? But maybe you would have to recruit a few extra helpers for the execution part! :)

mercurie
October 12th, 2006, 01:57 PM
-{ Quote: "Thank you very much. :)



No single security product is perfect.
Why do you think BOClean can do it all?
If I understand correctly, it is another signature-based anti-trojan program.
(Note: I know it detects more than just trojans, but I think most people would call it as AT)

What does the above mean? That means it will share the same problem other signature-based programs have, ie they only detect what they know.
The detection effectiveness is determined by the size of its database.
Unfortunately I couldn't find any third-party malware test about this program, nor is there any trial available.
But does it come up with what it claims? How many malware can it catch?
Can it still catch the malware when it tries to bypass the detection or attack the application?
(Note: I'm not saying BOClean must be bad. I just don't know. Most people don't either since they judge based on their feeling, or personal experiences)

Or did I get you wrong?



I can't quite get what you are asking.
But I have updated my post. Hopefully this will clarify something.

Note that you don't need to have all of them. The reasons why I mention all is to introduce you to other possible choices (apart from AT). Everyone has different needs. Just pick one or several which suit you the best.

Personally:
Resident programs:
- 1 AV*
- 1 firewall
- 1 AS*
- 1 HIPS
- 1 sandboxing application
(- or 1 virtual machine)
*: They can be backed up by on-demand scanners (AV/AS). Since on-demand scanners just waste space (I have plenty to waste :P), you can install as many as you wish. ;)" }-
You are welcome. You post well. ;)

Certainly BOClean is not a substitute for everything. They do claim to protect against spyware, keyloggers, rootkits and other malware. They do say you should get an AV too.

I guess I have all that I need. I have not had an infection in several years or unusual activity. In fact very few Windows software hangups at all. I need to be careful do not want to tempt fate. ;D . But no BSOD nothing in years. I do use my machine too.

If you have a signature-based product that is aggressive at capturing new threats, with people willing to get them out 24/7, is this why a signature-based product is good for some of us? :-\ Kevin and Nancy are always talking about being in the "Lab" and busy. If the service is top notch and sigs come out very regularly, how big a window is needed statistically to get an infection?

Note: I totally agree any program that steals passwords and other critical data is far worse than the average run-of-the-mill mess-up-your-machine nasty. Because a Trojan or other such nasty acting in a similar manner can MESS UP YOUR LIFE :thumb:

Finally, I am looking over Prevx. I certainly see the value in this type of security. Thanks again for your postings here.

diginsight
October 13th, 2006, 03:59 PM
-{ Quote: "Since on-demand scanners just waste space (I have plenty to waste :P), you can install as many as you wish. ;)" }-

Exactly my thoughts, but after reviewing the kernel mode drivers installed by all these on-demand scanners I decided to remove them and switch to web based on-demand scanners. I don't like kernel mode drivers being active for products I only use for on-demand scanning.

ErikAlbert
October 13th, 2006, 05:33 PM
-{ Quote: "
Since on-demand scanners just waste space (I have plenty to waste ), you can install as many as you wish." }-
That's funny, I consider on-demand scanners as a waste of time, not space. ;D

On-demand scanners :
1. Only detect and remove malware; they don't prevent the installation and execution of malware.
2. You don't run on-demand scanners every minute. Users run them usually one time a day, which means
that malware had enough time to do its evil job.
3. Since ONE isn't enough, you have to run more than one, and that takes a lot of time.

A frozen snapshot :
1. Is the same as on-demand scanners.
2. Is the same as on-demand scanners, because you only need to reboot one time a day.
3. During a reboot all changes are undone COMPLETELY in 2 minutes. That is the big difference compared with on-demand scanners.

You save a lot more time with a frozen snapshot than running a bunch of scanners, and it is much more reassuring. :)

JerryM
October 13th, 2006, 05:47 PM
-{ Quote: "People spend way too much, and listen way too much, when it comes to this stuff." }-

Hi,
[People spend way too much, and listen way too much, when it comes to this stuff.]

Not sure what your reasoning is. When I decide to buy a new car, I go to the test magazines, including Consumer Reports, and ask those who own them. In that way I can get some idea of the maintenance record, and the potential problems.
There is no way that I could test the cars.

Few have any idea how to test anti-malware, including me. So what would you expect us to do? Should we just close our eyes and throw darts? That would not be an intelligent move if we were trying to find the top tiered programs.

Not only that, the shopping is often more fun than the buying.
But until someone finds a better way for most of us average users to learn what are the best programs, I will continue to spend time asking, and reading tests.

I still consider AV Comparatives the best and most objective test that I can find. It seems that many who are smarter than I am agree.

Best,
Jerry

Wai_Wai
October 13th, 2006, 06:37 PM
-{ Quote: "Exactly my thoughts, but after reviewing the kernel mode drivers installed by all these on-demand scanners I decided to remove them and switch to web based on-demand scanners. I don't like kernel mode drivers being active for products I only use for on-demand scanning." }-

1)
Why don't you like drivers being installed on your computer?

2)
Hmm... If it provides a standalone on-demand scanner to download and install, normally it shouldn't install any driver.
I might be worried about the installation of a driver, since it may conflict with my resident AV and its own driver.

3)
What on-demand scanners will install drivers?

4) For your information (you might be interested :))
Standalone on-demand scanner(st) VS online scanner(onl)

Both will occupy your disk space anyway
st: scan faster
st: more flexible (configuration, scan options)
st: more handy (can scan right on the spot)
st: most of them offer both scan and cure/removal; onl: few offer both scan and cure/removal. Most are scan only
st: very low chance of getting conflicts; onl: probably slightly lower than "st"
st: hardly use more than 1 scan engine; onl: some websites offer scanning individual files with multiple engines
Any more to add?

st = Standalone on-demand scanner
onl = online scanner

Wai_Wai
October 13th, 2006, 07:16 PM
-{ Quote: "Although i agree more or less 100% with you about the need (= most do not need it) for an AT...then to be fair it was an on-demand scan test and the results might have been very different in that test if it was an on-execution test, which i personally would really like to see...a test every 6 months with samples from the last 6 months used, i think there might be a few surprises....Andreas/IBK what do you think?but maybe you would have to recruit a few extra helpers for execution part!:)" }-

If I understand correctly, an AT can catch what AV misses if:

that malware is known by that anti-trojan, ie it has its signature
AV misses it from both on-demand and on-access scans
anti-trojan can catch it from on-access scans


But how many missed malware can be caught by AT, or does it simply overlap the efforts too much?

The detection rate of anti-trojan is determined by the size of the database. Provided that nearly all AT vendors' databases are incredibly small, their detection is much restrained by how many they can detect.

Providing that there are so many options available to complement an AV, is an AT still a good choice?

Even if it is still a good choice, should we pay just for some extra marginal protection?

Considering that trojans and keyloggers tend to be custom-made or bespoke for selected targets, AT couldn't help either.

Would "proactive prevention or behaviour blocking" be a better go?

Wai_Wai
October 13th, 2006, 08:11 PM
-{ Quote: "That's funny, I consider on-demand scanners as a waste of time, not space. ;D

On-demand scanners :
1. Only detect and remove malwares, they don't prevent the installation and execution of malwares.
2. You don't run on demand scanners every minute. Users run them usually one time a day, which means
that malwares had enough time to do their evil job.
3. Since ONE isn't enough, you have to run more than one and that takes a lot of time." }-


Some thoughts:

How about if you receive some files or archives, and you would like to verify its cleanness before opening?
How about if you utilise your meal time or sleeping time to scan your computer? Your time is not wasted in this sense.


-{ Quote: "
A frozen snapshot :
1. Is the same as on-demand scanners.
2. Is the same as on-demand scanners, because you only need to reboot one time a day.
3. During a reboot all changes are undone COMPLETELY in 2 minutes. That is the big difference compared with on-demand scanners.

You save a lot more time with a frozen snapshot, than running a bunch of scanners, and it is much more reassuring. :)" }-

Good but may cause more hassles or troubles for many users.
Some concerns:

How about if you wish to save changes in the middle of the day? These may not just be changes to your personal data, but settings of your programs
How about if you wish to try out new programs/games in the middle of the day, or add some new stuff to your computer? You need other methods to verify their cleanness (since you wish them to stay in your computer, not just rollback)
How about if your programs are updating themselves in the middle of the day? The updates would be rolled back, so you need to reboot in thawed mode to do the updates. You can't use auto-update in that scenario either [pointless].
How about if your system partition is very large, so creating a snapshot will waste much space?
How about your other partitions (eg data partitions), do you rollback all changes made from other partitions too? If not, there are risks already. Otherwise your snapshots will grow very big.
How about if you don't wish to shut down computer every day? You wish to hibernate it only.
How much time do you need to spend to save snapshots and do the rollbacks? Does it take more time if you need to roll back all of them?


Your approach is much safer since any change is wiped off at the end of the day, but it seems to cause more hassles and inconvenience for many people.

I prefer replacing this with sandboxing or virtual machine approach.

PS: Don't get me wrong, it's not that I completely discredit the value of your approach; since we already know the benefits of that approach, I skipped mentioning them in that post.

ErikAlbert
October 13th, 2006, 11:07 PM
-{ Quote: "How about if you wish to save changes in the middle of the day? This may not just changes of your personal data, but settings of your programs." }-
My settings of each software are chosen and I don't change them every day. If I have to change them, I will restore the original archived snapshot off-line, make the changes and archive it back.
-{ Quote: "How about if you wish to try out new programs/games in the middle of the day, or add some new stuff to your computer? You need other methods to verify their cleanness (since you wish them to stay in your computer, not just rollback)" }-
Bad programs, caution programs and unknown programs are blocked by Prevx1. Why would I try these ?
I can try any new software in my frozen snapshot, as long it is considered as a good program by Prevx1.
If I don't like the good program, I only need to reboot and the program is gone.
If I like the good program, I will try it in a test snapshot until I'm familiar with it and know which settings it needs and then install it permanently off-line in my archived snapshot.

For the record : I don't install softwares permanently, unless I really NEED them. I'm not a collector of installation files. That isn't smart either, because most programs have new versions after awhile.
If the software sounds interesting, I store the link of the website in a .doc-file with a comment until I have the time.

Lots of users might not like this, but they also often get into problems in real life. If you want to see real life visit the Malware Forums. Wilders isn't real life. Wilders has only knowledgeable users and experts. Even newbies at Wilders aren't newbies anymore.
-{ Quote: "How about if your programs are updating themselves in the middle of the day? The updates would be rolled back, so you need to reboot in thawed mode to do the updates. You can't use auto-update in that scenario either [pointless]." }-
This is only required for security softwares and those are anchored in my frozen snapshot, which means that they accept changes.
For now it's only Prevx1 that needs an updating. I'm still working on that and this isn't really a problem, it's more a matter of timing and how much you trust on-line updatings, which is a problem for everyone.
-{ Quote: "How about if your system partition is very large, so creating a snapshot will waste much space?" }-
I have 70gb for my system partition [C:] and at this moment the maximum of 10 snapshots = 30gb, which will be 20gb in the next version of FDISR (compression). So space is not a problem yet.
I can store an unlimited number of archived snapshots on external harddisk/CD/DVD, but I don't need that.
I need only 2 snapshots :
1. Off-line snapshot, which is always the same and doesn't need anything.
2. On-line snapshot for on-line activities.
3. All 8 other snapshots are for testing and will be removed, when I don't need them anymore.

-{ Quote: "How about if you don't wish to shut down computer every day? You wish to hibernate it only.
How about if you utilise your meal time or sleeping time to scan your computer? Your time is not wasted in this sense" }-
I turn OFF my computer, when I don't need it anymore. Leaving your computer ON at night isn't safe anymore according to my readings.
Keeping my computer ON for just running scanners is a waste of time and energy.
-{ Quote: "How about if you receive some files or archives, and you would like to verify its cleanness before opening?
How about your other partitions (eg data partitions), do you rollback all changes made from other partitions too? If not, there are risks aready. Otherwise your snapshots will grow very big." }-
This has nothing to do with my frozen snapshot stored on [C:].
My data partition [D:] is another problem that will be solved, when my system partition [C:] IS solved. First things first.

WSFuser
October 13th, 2006, 11:46 PM
-{ Quote: "Bad programs, caution programs and unknown programs are blocked by Prevx1. Why would I try these ?
I can try any new software in my frozen snapshot, as long it is considered as a good program by Prevx1." }-
so you only run programs that Prevx1 has rated as good (green)?

what if a (trusted) program is updated and prevx1 doesn't yet have a rating for it?

ErikAlbert
October 14th, 2006, 12:05 AM
-{ Quote: "so you only run programs that Prevx1 has rated as good (green)?

what if a (trusted) program is updated and prevx1 doesn't yet have a rating for it?" }-
That isn't a problem either. I always can create a test snapshot without Prevx1 on it and test the software this way, like I always did in the past.

Suppose I want RoboForm on my computer and Prevx1 doesn't accept it YET.
I know that RoboForm is a trusted program, because a lot of members use it.
In that case I would use it in a test snapshot until I know how it works. :)

Wai_Wai
October 14th, 2006, 08:33 AM
-{ Quote: "My settings of each software are chosen and I don't change them every day. If I have to change them, I will restore the original archived snapshot off-line, make the changes and archive it back." }-

-{ Quote: "
I can try any new software in my frozen snapshot, as long it is considered as a good program by Prevx1.
If I don't like the good program, I only need to reboot and the program is gone.
If I like the good program, I will try it in a test snapshot until I'm familiar with it and know which settings it needs and then install it permanently off-line in my archived snapshot.

For the record : I don't install softwares permanently, unless I really NEED them. I'm not a collector of installation files. That isn't smart either, because most programs have new versions after awhile.
If the software sounds interesting, I store the link of the website in a .doc-file with a comment until I have the time.

Lots of users might not like this, but they also often get into problems in real life. If you want to see real life visit the Malware Forums. Wilders isn't real life. Wilders has only knowledgeable users and experts. Even newbies at Wilders aren't newbies anymore." }-

Yes, possible solution.
However, as you may have noticed, people need to change their behaviour on how to use their computer to cooperate with your rollback security system.
That's why I say it may not be suitable for all people.

For example, some people need to install many programs. That may cause them more hassles and inconvenience. Their using experiences will be :thumbd: :thumbd: :thumbd:

-{ Quote: "
Bad programs, caution programs and unknown programs are blocked by Prevx1. Why would I try these ?

This is only required for security softwares and those are anchored in my frozen snapshot, which means that they accept changes.
For now it's only Prevx1 that needs an updating. I'm still working on that and this isn't really a problem, it's more a matter of timing and how much you trust on-line updatings, which is a problem for everyone.
" }-

So is Prevx1 your only defence?
How about updates or other changes made by operating systems, non-security programs?

What if malware manages to bypass the protection of Prevx or compromise it?
What if Prevx flags the malware as green (good)?
What if the malware tricks Prevx into returning a green flag while the actual flag is red?
What if the malware tries to disrupt your connection to the Prevx database?

There are many ways which can compromise a security program. I won't place so much trust on just 1 security program. Plus this is probably not your style since you are paranoid in that every change made in your system may potentially be dangerous (that's why you need a rollback intrusion protection system ;)).



-{ Quote: "
I have 70gb for my system partition [C:] and at this moment the maximum of 10 snapshots = 30gb, which will be 20gb in the next version of FDISR (compression). So space is not a problem yet.
I can store an unlimited number of archived snapshots on external harddisk/CD/DVD, but I don't need that.
I need only 2 snapshots :
1. Off-line snapshot, which is always the same and doesn't need anything.
2. On-line snapshot for on-line activities.
3. All 8 other snapshots are for testing and will be removed, when I don't need them anymore.
" }-

If you have a 70GB system partition, will it waste too much space to snapshot it?
You also need to keep a custom snapshot on external media since the malware may be able to infect your snapshots.

-{ Quote: "
I turn OFF my computer, when I don't need it anymore. Leaving your computer ON at night isn't safe anymore according my readings.
Keeping my computer ON for just running scanners is a waste of time and energy.
" }-
Hmm... How about leaving your computer on but with the online connection off? That is safe.
It is unsafe only if your computer is being slaughtered by the malware, but then it is unsafe at any time you switch on your computer.

You can do the scan either in meal-time or any time you don't use your computer.

Some AV allows you to scan only new/changed areas, so this should dramatically decrease your scan time after your first scan.

Everything can be done automatically (scheduling your scans).
Your computer can be off once you finished the scanning.
Thus it may not be as inconvenient as you may think.



-{ Quote: "
This has nothing to do with my frozen snapshot stored on [C:].
My data partition [D:] is another problem that will be solved, when my system partition [C:] IS solved. First things first." }-

How about if you encrypt your whole data partition?
Beware keyloggers which try to steal your encryption key.
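
The incremental scan ("scan only new/changed areas") and the frozen-snapshot rollback discussed in the posts above, modelled as an added Python example; this is not code from this thread, nor from FDISR or any scanner mentioned in it. A baseline manifest of SHA-256 file hashes is taken when the tree is frozen, a later rescan lists only files that are new or changed since that baseline (the work list an incremental on-demand scanner would need), and a rollback restores the archived copy. The directory layout, file contents and the "archive" folder standing in for an off-line disk are all constructed for the demo.

```python
"""Baseline manifest, incremental rescan and rollback of a directory tree.

Added example, not code from the thread or from FDISR/Prevx1. Paths and
sample files below are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile


def file_sha256(path):
    """SHA-256 of one file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_sha256(full)
    return manifest


def changed_files(root, manifest):
    """Return (new, modified, deleted) relative to a previous manifest.

    An incremental scanner only has to inspect new + modified; unchanged
    files keep the verdict they got on the last full pass.
    """
    current = build_manifest(root)
    new = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    deleted = sorted(p for p in manifest if p not in current)
    return new, modified, deleted


def freeze(root, archive):
    """Copy root to an out-of-band archive location and return its manifest."""
    if os.path.exists(archive):
        shutil.rmtree(archive)
    shutil.copytree(root, archive)
    return build_manifest(archive)


def rollback(root, archive):
    """Discard every change in root by restoring the archived copy."""
    shutil.rmtree(root)
    shutil.copytree(archive, root)
    return build_manifest(root)


def demo():
    """Constructed scenario: freeze, make changes, incremental scan, roll back."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "system")
    archive = os.path.join(base, "archive")  # stands in for the off-line external disk
    os.makedirs(os.path.join(root, "Program Files"))
    with open(os.path.join(root, "Program Files", "app.exe"), "wb") as f:
        f.write(b"original app bytes")  # constructed content
    with open(os.path.join(root, "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")

    frozen = freeze(root, archive)

    # Changes made during the session: one modified file, one new file.
    with open(os.path.join(root, "hosts"), "ab") as f:
        f.write(b"0.0.0.0 example.invalid\n")  # constructed change
    with open(os.path.join(root, "dropped.tmp"), "wb") as f:
        f.write(b"unexpected new file")

    new, modified, deleted = changed_files(root, frozen)
    to_scan = new + modified  # the incremental scanner's work list

    after = rollback(root, archive)
    result = {
        "to_scan": to_scan,          # ['dropped.tmp', 'hosts']
        "deleted": deleted,          # []
        "restored": after == frozen,  # True
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the work list and the rollback result. Keeping the archive out of band matters for the reason raised in the post: a copy that sits on the same writable partition can be altered by whatever altered the live files, and a manifest compared against a tampered archive proves nothing.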

diginsight
October 14th, 2006, 10:07 AM
-{ Quote: "1)
Why don't you like drivers being installed on your computer?" }-

I like to keep my system clean as possible. When troubleshooting problems I don't want to take in account drivers that are active but don't perform any function except being part of a program I use for on-demand scanning.

-{ Quote: "2)
Hmm... If it provides a standalone on-demand scanner to download and install, normally it shouldn't install any driver.
I might be worried the installation of driver since this may get conflicts with my resident AV and its own driver." }-

I've installed some products and disabled the active part, but then it still installs drivers. Preventing conflicts with the resident scanner is the primary reason for not using these programs for on-demand scanning.

-{ Quote: "3)
What on-demand scanners will install drivers?" }-

They're not dedicated on-demand scanners, but programs with the resident part disabled. The dedicated on-demand scanners like MWAV Toolkit and a-squared don't install drivers.

-{ Quote: "4) For your information (you might be interested :))
Standalone on-demand scanner(st) VS online scanner(onl)

Both will occupy your disk space anyway
st: scan faster
st: more flexible (configuration, scan options)
st: more handy (can scan right on the spot)
st: most of them offer both scan and cure/removal; onl: few offer both scan and cure/removal. Most are scan only
st: very low chance of getting conflicts; onl: probably slightly lower than "st"
st: hardly use more than 1 scan engine; onl: some websites offer scanning individual files with multiple engines
Any more to add?

st = Standalone on-demand scanner
onl = online scanner" }-

Nice overview. I only use web scanners if there's no dedicated on-demand scanner and the product installs drivers when the resident part is disabled.

ErikAlbert
October 14th, 2006, 02:34 PM
-{ Quote: "Yes, possible solution.
However you may have noticed, people need to change their behaviour on how to use their computer to cooperate with your rollback security system.
That's why I say it may not be suitable for all people.
For example, some people need to install many programs. That may cause them more hassles and inconvenience. Their using experiences will be :thumbd: :thumbd: :thumbd: " }-
If you ask members "What kind of security setup do you have?" You get MANY DIFFERENT answers and I don't need to prove this because Wilders has several threads, where these security setups are mentioned and discussed.
Each security setup requires another approach, has its own inconveniences and is not suitable for everyone.
If you decide to put your computer full with scanners, you have to maintain and run these scanners. If you decide to put HIPS on your computer, you have to learn how to use HIPS and answer its questions correctly.
If you want to talk about the advantages and disadvantages of each security setup, this is going to be a looong discussion and my security setup is just ONE of the hundreds.
All security setups have inconveniences, but users get used to these inconveniences and forget that they were ever inconveniences and therefore don't consider them as inconveniences anymore.
The problem is that you are comparing your security setup with my security setup which is quite different from the classical security setups and you see all kinds of inconveniences, that aren't different from the forgotten inconveniences of your security setup.

-{ Quote: "So is Prevx1 your only defence?
How about updates or other changes made by operating systems, non-security programs?
What if malware manages to bypass the protection of Prevx or compromise it?
What if Prevx flags the malware as green (good)?
What if the malware tricks Prevx into returning a green flag while the actual flag is red?
What if the malware tries to disrupt your connection to the Prevx database?
There are many ways which can compromise a security program. I won't place so much trust on just 1 security program. Plus this is probably not your style since you are paranoid in that every change made in your system may potentially be dangerous (that's why you need a rollback intrusion protection system ;))." }-
For now Prevx1 is indeed my only defence, because I'm looking for two kinds of security software :
1. Softwares that PREVENT the INSTALLATION of malwares (Prevx1)
2. Softwares that STOP the EXECUTION of malwares. (??????)
I don't need more, because my frozen snapshot doesn't allow any change.
All the rest of your questions apply to other security softwares also.

I decided not to anchor my Prevx1 anymore, because anchoring makes my frozen snapshot vulnerable.
I will update Prevx1 right after reboot (= clean snapshot) and re-freeze it.
I can do this for all softwares, that require an online-updating.
The period between reboot and re-freeze will be very short and of course there is little chance that I might be infected during that short period. That little risk, I'm willing to take.
That risk is still smaller or equal :
- than scanners, who didn't find a threat because it wasn't blacklisted
- than a false positive that was removed by a user
- than a HIPS-question that got a wrong answer from the user.
- than an updating of a scanner that was too late or didn't happen at all.
Let us talk about the disadvantages of scanners.
Let us talk about the disadvantages of HIPS.
-{ Quote: "If you have 70GB system partition, will it waste too much space to snapshot it?
You also need to keep custom snapshot in external sources since the malware may be able to infect your snapshots. " }-
What are you talking about ? Problems with space, while you can get internal and external harddisks from 70gb upto 700gb ?
I can have maximum 4 harddisks in my computer case of 500gb or more and at least 2 external harddisks.
The special clean archived snapshots are stored on my off-line external harddisk and they are only used for restoration.
Only my daily backups can be infected, but that is a common problem for ALL users.
I've read enough posts of users who run a NEW scanner, which finds malwares that were never detected before. During all that time these malwares were included in their backup files.
-{ Quote: "Hmm... How about leaving your computer on but with the online connection off? That is safe.
It is unsafe only if your computer is being slaughtered by the malware, but then it is unsafe at any time you switch on your computer.
You can do the scan either in meal-time or any time you don't use your computer.
Some AV allows you to scan only new/changed areas, so this should dramatically decrease your scan time after your first scan.
Everything can be done automatically (scheduling your scans).
Your computer can be off once you finished the scanning.
Thus it may not be as inconvenient as you may think." }-
I answered already that question.

-{ Quote: "How about if you encrypt your whole data partition?
Beware keyloggers which try to steal your encryption key." }-
I considered encryption already and it was a very big disappointment for me.
Encryption protects you against PHYSICAL THEFT only, like a burglar in your home, who steals your computer or you lose your laptop in the train, etc.
Encryption doesn't protect you against theft by malwares or hackers.
Once you mounted your encrypted partition, your data is an open book for millions of malwares and hackers on the internet.
I was so stupefied by this, that I couldn't believe it. Encryption protects me against ONE accidental thief, while it doesn't protect me against theft by malwares and hackers, which are trying to steal my data constantly every moment when I'm online. :)

the Tester
October 14th, 2006, 03:14 PM
-{ Quote: "People spend way too much, and listen, way too much when it comes to this stuff." }-

Way too much $ or time?

I take the approach that if it's related to my internet security there is no such thing as too much time.
For money it all depends on one's wallet and how much shopping he/she does for a bargain on AT software.;)

Shopping and testing are the fun part.

JerryM
October 14th, 2006, 08:51 PM
Hi trjam,
[People spend way too much, and listen, way too much when it comes to this stuff.]

I'm still waiting on a reasonable alternative for the average guy who cannot do any serious testing.

Thanks,
Jerry

Wai_Wai
October 20th, 2006, 12:42 PM
-{ Quote: "If you ask members "What kind of security setup do you have?" You get MANY DIFFERENT answers and I don't need to prove this because Wilders has several threads, where these security setups are mentioned and discussed.
Each security setup requires another approach, has its own inconveniences and is not suitable for everyone.
If you decide to put your computer full with scanners, you have to maintain and run these scanners. If you decide to put HIPS on your computer, you have to learn how to use HIPS and answer its questions correctly.
If you want to talk about the advantages and disadvantages of each security setup, this is going to be a looong discussion and my security setup is just ONE of the hundreds.
All security setups have inconveniences, but users get used to these inconveniences and forget that they were ever inconveniences and therefore don't consider them as inconveniences anymore." }-

I simply point out probably most people have difficulties following your security setups, since this would mean they need to adopt another approach or way of using their computers, which are very different.

While your security setup is much much safer, people may not follow for this reason. It is similar to people still using administrative accounts even if they know limited accounts are better security-wise.

-{ Quote: "The problem is that you are comparing your security setup with my security setup which is quite different from the classical security setups and you see all kinds of inconveniences, that aren't different from the forgotten inconveniences of your security setup." }-

Yes, that's the point.
If it is just you who is concerned, that's no problem. But if we wish to promote this security setup to others, we need to address its inconveniences and problems to them, so people will have a better understanding and pick the one which suits them best.

That's what I'm trying to do. It is not an attempt to completely discredit your security setup. No offense indeed.


-{ Quote: "
For now Prevx1 is indeed my only defence, because I'm looking for two kinds of security software :
1. Softwares that PREVENT the INSTALLATION of malwares (Prevx1)
2. Softwares that STOP the EXECUTION of malwares. (??????)
I don't need more, because my frozen snapshot doesn't allow any change.
All the rest of your question apply to other security softwares also.
" }-

Read this thread. It is a security test:
http://www.wilderssecurity.com/showthread.php?t=150840

I don't understand why Prevx1 simply allows it from running without any prompt. :thumbd: :thumbd: :thumbd:

Personally I think you are better off with another whitelist-type anti-execution product instead of Prevx1. I don't know if this problem is caused because Prevx1 thought it is okay to run, or it doesn't monitor this kind of file, but similar problems may occur when you use Prevx1.

The whitelist-type anti-execution product should offer better protection than Prevx1 since everything is blocked outside your list. So some of my problems explained above will be eliminated.

I think the installation and execution are just either side of the same coin. If the malware writer manages to install their malware into your computer, they would execute it as well during the installation. They won't give you a second chance to stop them.


-{ Quote: "
I decided not to anchor my Prevx1 anymore, because anchoring makes my frozen snapshot vulnerable.
I will update Prevx1 right after reboot (= clean snapshot) and re-freeze it.
I can do this for all softwares, that require an online-updating.
The period between reboot and re-freeze will be very short and of course there is little chance that I might be infected during that short period. That little risk, I'm willing to take.
That risk is still smaller or equal :
- than scanners, who didn't find a threat because it wasn't blacklisted
- than a false positive that was removed by a user
- than a HIPS-question that got a wrong answer from the user.
- than an updating of a scanner that was too late or didn't happen at all.
" }-
Good as it is consistent with your own security philosophy.


-{ Quote: "
Let us talk about the disadvantages of scanners.
Let us talk about the disadvantages of HIPS.
" }-
So ???
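
The default-deny allowlist behaviour argued for above, together with the earlier question about a trusted program that has just been updated and has no rating yet, as an added Python example; this is not code from this thread, from Prevx1 or from Anti-Executable. Each program path maps to the SHA-256 digests of the builds an operator has approved; any image not on the list is refused, and a vendor update to an approved program is refused as well until someone re-approves the new build, which is the trade-off of a pure allowlist. Program bytes, paths, the `ExecutionAllowlist` class and the re-approval step are all constructed for the demo.

```python
"""Hash-based execution allowlist (default-deny), added example.

Not code from the thread, Prevx1 or Anti-Executable. Program images,
paths and verdict names are constructed for the demo.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY_UNKNOWN = "deny: not on allowlist"
    DENY_CHANGED = "deny: known path, hash not approved"


class ExecutionAllowlist:
    """Map of program path -> set of approved SHA-256 digests."""

    def __init__(self):
        self._approved = {}

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def approve(self, path, data):
        """Admit one specific build of a program. Re-run after a trusted update."""
        self._approved.setdefault(path, set()).add(self.digest(data))

    def revoke(self, path):
        """Drop every approved build for a path."""
        self._approved.pop(path, None)

    def check(self, path, data):
        """Default-deny decision for an execution request.

        Where the file came from (download, installer, attachment) plays no
        part: the decision is made on the bytes about to run.
        """
        approved = self._approved.get(path)
        if approved is None:
            return Verdict.DENY_UNKNOWN
        if self.digest(data) in approved:
            return Verdict.ALLOW
        return Verdict.DENY_CHANGED


def demo():
    """Constructed scenario: approved build, vendor update, unknown program."""
    wl = ExecutionAllowlist()
    editor_path = r"C:\Program Files\Editor\editor.exe"   # constructed path
    editor_v1 = b"editor build 1"                           # constructed image
    editor_v2 = b"editor build 2 (vendor update)"           # constructed image
    unknown = b"binary that was never approved"             # constructed image

    wl.approve(editor_path, editor_v1)

    results = {
        "approved_build": wl.check(editor_path, editor_v1),
        "updated_build": wl.check(editor_path, editor_v2),
        "unknown_program": wl.check(r"C:\Users\me\Downloads\unknown.exe", unknown),
    }
    # The operator verifies the update out of band, then admits the new build.
    wl.approve(editor_path, editor_v2)
    results["after_reapproval"] = wl.check(editor_path, editor_v2)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}")
```

The `updated_build` case is the inconvenience the thread keeps circling back to: a strict allowlist cannot tell a legitimate update from a replaced binary, so every update costs a re-approval step. The `unknown_program` case is where it earns its keep, since the verdict does not depend on any vendor rating being available.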

Wai_Wai
October 20th, 2006, 12:50 PM
-{ Quote: "
What are you talking about ? Problems with space, while you can get internal and external harddisks from 70gb upto 700gb ?
I can have maximum 4 harddisks in my computer case of 500gb or more and at least 2 external harddisks.
The special clean archived snapshots are stored on my off-line external harddisk and they are only used for restoration.
Only my daily backups can be infected, but that is a common problem for ALL users.
I've read enough posts of users who run a NEW scanner, which finds malwares that were never detected before. During all that time these malwares were included in their backup files.
" }-

I simply point out this would be an obstacle for some people following your security setup. They may either not wish to buy additional space, or hard disks may be expensive in their countries.

-{ Quote: "
I considered encryption already and it was a very big disappointment for me.
Encryption protects you against PHYSICAL THEFT only, like a burglar in your home, who steals your computer or you lose your laptop in the train, etc.
Encryption doesn't protect you against theft by malwares or hackers." }-

I think the malware can only steal your data when your data is being decrypted, or your encryption key is stolen.
Otherwise please explain why you think so.


-{ Quote: "Once you mounted your encrypted partition, your data is an open book for millions of malwares and hackers on the internet." }-

No, I don't think so. Please explain.

After all, leaving it encrypted is still better than unencrypted.

It is equal to:
- they require some locks to steal your properties even if they break your house.
  VS
- they are free to steal your properties after they break your house.

I don't see why you feel the other way round is safer, or they are just the same.
Sorry, it doesn't make sense to me.

Wai_Wai
October 20th, 2006, 01:02 PM
-{ Quote: "I like to keep my system clean as possible. When troubleshooting problems I don't want to take in account drivers that are active but don't perform any function except being part of a program I use for on-demand scanning.



I've installed some products and disabled the active part, but then it still installs drivers. Preventing conflicts with the resident scanner is the primary reason for not using these programs for on-demand scanning.



They're not dedicated on-demand scanners, but programs with the resident part disabled. The dedicated on-demand scanners like MWAV Toolkit and a-squared don't install drivers." }-

Yes, you are right.
That's why I tell others not to install an anti-virus program (even if you disable the real-time part). This may still cause conflicts.

I only install on-demand AV scanners, or AV programs which are configurable to install on-demand components only.


-{ Quote: "Nice overview. I only use web scanners if there's no dedicated on-demand scanner and the product installs drivers when the resident part is disabled." }-

Thanks. :)

ErikAlbert
October 20th, 2006, 01:20 PM
-{ Quote: "
I think the installation and execution are just either side of the same coin. If the malware writer manages to install their malware into your computer, they would execute it as well during the installation. They won't give you a second chance to stop them." }-
Installation and execution are different. Installed malwares don't always do their evil job immediately after installation.
Some malwares are sleeping until the user or some other program activates them.
Some malwares execute themselves at a specific day. I call them time-bombs ;D

ErikAlbert
October 20th, 2006, 01:45 PM
-{ Quote: "
Personally I think you are better off with another whitelist-type anti-execution product instead of Prevx1. I don't know if this problem is caused because Prevx1 thought it is okay to run, or it doesn't monitor this kind of file, but similar problems may occur when you use Prevx1.

The whitelist-type anti-execution product should offer better protection than Prevx1 since everything is blocked outside your list. So some of my problems explained above will be eliminated." }-
I might use both Prevx1 and Anti-Executable together in the same frozen snapshot. I have to test this.
I can't use Anti-Executable's highest level of security, because FDISR doesn't like that, but a lower level might be sufficient enough.

Wai_Wai
October 21st, 2006, 03:20 PM
-{ Quote: "Installation and execution are different. Installed malwares don't always do their evil job immediately after installation.
Some malwares are sleeping until the user or some other program activates them.
Some malwares execute themselves at a specific day. I call them time-bombs ;D" }-

I see your point, but.............................. they still need to EXECUTE their time-bombs before they can run at a specific time or event. ;)

So installation and (a part of) execution happens at the same time. ;D 8)

Anyway, it doesn't matter since we essentially know this at heart. :D

And you may wish to use behaviour blockers or the like to control how they execute (perform their actions).

-{ Quote: "I might use both Prevx1 and Anti-Executable together in the same frozen snapshot. I have to test this.
I can't use Anti-Executable's highest level of security, because FDISR doesn't like that, but a lower level might be sufficient enough." }-

Good choice again - two are better than one unless they conflict with each other.

By the way, do you use a limited account? A limited account is one of the best HIPS in the world, not to mention it's free of charge. :)

PS: I miss your signature.

ErikAlbert
October 21st, 2006, 08:00 PM
-{ Quote: "And you may wish to use behaviour blockers or the like to control how they execute (perform their actions).

By the way, do you use a limited account? A limited account is one of the best HIPS in the world, not to mention it's free of charge. :)

PS: I miss your signature." }-
Behaviour Blockers and a Limited Account are also good ideas, I have to meditate in trance about this.

My signature contained an unfinished security setup, so it wasn't really useful.
I found the expression "Rollback Intrusion Prevention System" funny, because
- it also means "Rest In Peace System", in case it was a total failure.
- it doesn't even exist in the security world. ;D
- it sounds so serious and it isn't. ;D
- I like to play with words and expressions, although it is much more difficult in English (short vocabulary).
I removed it, because the fun was over at least for me.

Wai_Wai
October 23rd, 2006, 05:13 AM
-{ Quote: "Behaviour Blockers and a Limited Account are also good ideas, I have to meditate in trance about this.

My signature contained an unfinished security setup, so it wasn't really useful.
I found the expression "Rollback Intrusion Prevention System" funny, because
- it also means "Rest In Peace System", in case it was a total failure.
- it doesn't even exist in the security world. ;D
- it sounds so serious and it isn't. ;D
- I like to play with words and expressions, although it is much more difficult in English (short vocabulary).
I removed it, because the fun was over at least for me." }-

Yes, your RIP is funny.

RIP may also mean:
# rake: a dissolute man in fashionable society
# rend: tear or be torn violently; "The curtain ripped from top to bottom"; "pull the cooked chicken into strips"
# an opening made forcibly as by pulling apart; "there was a rip in his pants"; "she had snags in her stockings"
# move precipitously or violently; "The tornado ripped along the coast"
# cut (wood) along the grain
# a stretch of turbulent water in a river or the sea caused by one current flowing into or across another current
# rent: the act of rending or ripping or splitting something; "he gave the envelope a vigorous rip"
# criticize or abuse strongly and violently; "The candidate ripped into his opponent mercilessly"

I have a similar security setup to yours. The idea is as follows:
- you have 2 divisions - yellow and green. Both divisions are separate.
- you carry out any normal things you may do in your life on your first (yellow) division
- you strictly do only very safe, or completely trusted things on your second (green) division
- while your yellow division may get infected unknowingly, it doesn't hurt you much since all important, sensitive or money-wise things (eg online banking, shopping) are done in the green division.
- About the 2 divisions, they could be any two separate entities which are completely isolated from one another (so cross-infection is impossible). It could be 2 separate computers, 2 separate operating systems, and so on.
- I would still try to ensure the cleanliness of my first division as hard as I can.

After all, good job. Your security setup is interesting and creative. While others are still striving to protect their PCs with more and more security programs (1AV, 1AT, 1AK, 1AH, 1AR, 1AS, 1Firewall, 1HIPS...), you come up with another perspective - no change is the best change! It offers the best protection! :D

Meriadoc
October 23rd, 2006, 06:24 AM
You need to set up security measures that provide layers of defense against risks. Generally, when you use a computer you should not wonder if you will experience security breaches; instead, you should assume that you will experience a security problem.
A layered approach when you plan your security ensures that an attacker who penetrates one layer of defense will be stopped by a subsequent layer.
Most of us follow this.
The Internet is home to a variety of threats: an attacker can monitor traffic passively, replace a component with a Trojan horse program, or use exploits, crypto (password) attacks, spoofing, etc. Recently I have been working on killing antivirus components and replacing them with dummies, even down to the notification area, where a repair will not work and reinstalling doesn't work either.
So it's really all down to your decision and experience ;) where you're at in your experience.