How to protect privacy when using "community" apps?


bellgamin
November 5th, 2006, 02:11 PM
The goal of this thread is to get advice as to HOW I can set my firewall so as to protect my personal data when I am using so-called "community-based" HIPS programs such as Cyberhawk.

I am asking for this advice based partly upon an ongoing discussion of the "intrusiveness" of Cyberhawk over at THIS Wilders forum page (http://www.wilderssecurity.com/showthread.php?t=152355&page=5), beginning at Post #113. Here are some PARTIAL quotations...
-{ Quote: " Post #113-I am also somewhat concerned about exactly what data Novatix is gathering and when ...And why on earth is update checking disabled if we choose not to participate in that mysterious Secure Community Protection?

Post #127-I am more concerned with the Filter Driver they install. It means all my passwords etc are filtered by CH. How I can know this data is not being transferred or can't be transferred?

Post #134- Checked in Jetico log: Cyberhawk is attempting a connection to Novatix server every 4 hours.

Post #139- Exactly what does what I have read about CH contacting Novatix mean to any of us using CH? Is all of this implying that someone's Bank Accounts can be compromised or something? I'm not saying I feel comfortable with the fact that by turning off the Community Participation it doesn't stop the phoning home, and I did notice after rebooting the services are once again enabled, but what does this prove? ...I'm just looking for some clarity as to how concerned I should truly be about the CH trying to connect to Novatix. Thanks." }-

I have been told that when I allow any application to have ANY kind of internet access, it is possible for that app to transmit personal information without my permission or knowledge. Therefore, every app which I configure for automatic update, or to automatically send info to a "community," COULD be sending out my private information.

Yes, I trust the organizations behind the apps where I have granted such access (DrWeb, Avira AntiVir, Cyberhawk, etc), but what if they get bought by someone who is NOT on the up & up?

QUESTIONS-

#1a- How can I configure a firewall in order to prevent my antivirus program (for example) from changing or accessing any of my data except its own folder? #1b- Also, is a firewall the best & easiest way to obtain this kind of security?

#2- Would it be fairly *bullet-proof protection* if I (a) centralized all my personal data into one folder, then (b) password protected that folder, and (c) encrypted it? In other words -- WILL these 3 actions (a,b,c) enable me to give a HIPS app (for example) an "open ticket" to send whatever data it wishes, but still I would not need to worry that my personal data could be compromised?

Roger_
November 5th, 2006, 02:54 PM
Here are the first ideas that crossed my mind:

#1
You can only use your 'firewall' features to stop processes from connecting out (like I did with CyberHawk). Once you allow any process to do it, you never know what data they are sending out (unless you use software for network packet inspection but even so, most data are encrypted).
Also, it might not be practical to stop them from accessing 'system' folders (like Windows, programs, Documents and settings), where your most concerning personal info is kept, as they need a lot of other pieces in there in order to work properly.

#2
As I have mentioned, the personal data you should be really concerned about are not the ones you can put where you wish, but those kept internally by your OS and other Software.

BILL G
November 6th, 2006, 09:15 AM
How about AppDefend

ccsito
November 6th, 2006, 07:08 PM
-{ Quote: "How about AppDefend" }-

Are you saying that AppDefend is a community based program? Or are you saying that it could be used to block community based communications?

BILL G
November 6th, 2006, 07:29 PM
I use AppDefend to Monitor + Block vsmon.exe for example.

ghiser1
November 7th, 2006, 05:27 AM
Hi guys,

This is an issue close to my heart and I'd like to bring some of the experiences of my involvement with Prevx Home/Pro and Prevx1 to the table.

Prevx Home/Pro was one of the first community apps. The data from it aimed at one thing - allowing us to understand the decisions that the user made when prompted with a HIPS query. We knew from the word go that some people wouldn't like the idea of a phone-home security application, so we made a few important decisions:

1. We ensured that the data we gathered was directly related to the HIPS event that occurred and the user's action - did they allow/deny it etc. We collected nothing else. We also provided a means for the user to see that data in the application.

2. We did our utmost to remove any personally identifiable information. e.g. if blah.exe was created in your %TEMP% folder (c:\documents and settings\ghiser1\local settings\temp\blah.exe for example) we "normalized" this data to remove the username and disk location. So it was sent to the database as %TMP%\blah.exe. We don't care what your username is, the important element of this event was that a file called blah.exe was created in a user's temporary folder.

3. We asked an independent body to review the content of our communications with the database. In our case, we used Fred Piper's team at Royal Holloway as we hoped Fred's reputation for security expertise and independence would help greatly with its credibility as an independent review. We also published that review.

4. The data collected wasn't published or handed to any third-party for any reason.

5. We used clear-text HTTP-based protocols to pass the data so that the user could see for themselves what we were sending.

6. The Pro option allowed people to opt-out if they wished - though less than 3% of Prevx Pro users opted out of the phone-home in the end!!

When we reviewed this data, we got a very big shock. More than 50% of the Prevx Home/Pro userbase (more than 1 million agents) were allowing HIPS events to occur that we knew were Bad and should have been denied. There was one obvious conclusion to this - the users didn't understand the questions being asked of them. We realised that traditional HIPS for the home consumer was next to useless at providing real security - hence the rewrite in the form of Prevx1.

We realised that the user needed information to help them make decisions. We realised from the 3% of opt-outs on Prevx Pro, that the vast majority of users didn't actually care about the phone-home element, so we decided the time was right to launch a product based entirely on that phone-home functionality - extending it to a two-way conversation.

There have been a few compromises that we've had to make to the original data gathering in order to produce Prevx1, but they are fairly minimal and the majority of the original decisions still stand. The differences are:

1. As the dataflow became two-way, we needed to uniquely identify each Prevx1 agent to ensure it was correctly licensed and legitimate. This allows us to prevent license fraud and also allows us to prevent fake data being injected and data being extracted by anything other than a legitimate Prevx1 agent.

2. We decided to publish the data gathered directly to the web to help the general public research malware; primarily in places like Spyware Files (http://spywarefiles.prevx.com), Spyware DLLs (http://spywaredlls.prevx.com), Virus Info (http://virusinfo.prevx.com) and Insight (http://research.prevx.com). We did this to be more open about the data gathered and to allow the user to see the data we have on their processes - double click from the jail or recent program activity. It also provides a very useful resource for users who don't have Prevx1 but have malware problems; as it allows them to locate data about files that may not yet have been classified as malware by the big AV vendors. All files are published, both good and bad.

3. We had to add an element of obfuscation to the event data transmitted and received to help thwart the risk of data-feed manipulation attempts that we expected to see from the malware community. At the end of the day you have to put a level of trust in the vendor that produces the app that "phones home" and we believed that we had earned enough trust with the community at large to be able to take this step to ensure the integrity of the community database. There's no point having a community database if it's at risk from data manipulation.

In terms of what you can do to protect your privacy with community/"phone home" apps?

Actually, IMHO, there is very little other than to only use vendors you trust or have been recommended to trust by others. There are a few tools out there that claim to protect your privacy by stopping things like your credit card numbers from being transmitted. Get real! These apps are completely bogus - IMHO. Real malware will not transmit your credit card number IN THE CLEAR. They will encrypt it and obscure it to ensure it isn't detected or seen. These apps are there to give the user fake assurances and sell security suites.

The only sensible approach is "Do I trust this program to do what its authors say it will and nothing else?" If you don't know the authors, or what the program is supposed to do, then what? One approach is to deny it internet access completely - ah now update checks don't work for it - hmm. The other approach is to research what the program does and then decide. Most people don't have time for that - so you could pass the buck to somebody else you trust to do the research for you...

There are users that don't like phone-home at all and that's fine and we respect that view, we just can't protect them the way we would like to. But the majority of users are happy with appropriate data collection providing they see a benefit. We strongly believe that the benefit of the protection gained from community data collection (in the malware research area at least) greatly outweighs the risk to personal privacy. I can't comment on the data gathered by products other than Prevx1, but I can assure you that at Prevx we do our utmost to ensure that personally identifiable data is not collected.

Just my 2c.

ghiser1
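
The path normalization described in point 2 of the post above, sketched as an added example (it is not part of the original post and is not Prevx code). The rule table, every token other than `%TMP%`, the event field names, the `%OTHER%` fallback and the `<redacted>` marker are assumptions of this sketch.

```python
import re

# Per-user profile root on Windows XP, in long or 8.3 short form. The account
# name is matched by [^\\]+ and is never copied into the output.
_PROFILE = r"^[a-z]:\\(?:documents and settings|docume~\d)\\[^\\]+"
_END = r"(?=\\|$)"  # a rule must end on a whole path component

# Most specific rule first. Only %TMP% comes from the post; the other tokens
# are assumptions of this example.
_RULES = [(re.compile(pattern + _END, re.IGNORECASE), token) for pattern, token in [
    (_PROFILE + r"\\(?:local settings|locals~\d)\\temp", "%TMP%"),
    (_PROFILE + r"\\(?:application data|applic~\d)", "%APPDATA%"),
    (_PROFILE, "%USERPROFILE%"),
    (r"^[a-z]:\\windows", "%SYSTEMROOT%"),
    (r"^[a-z]:\\(?:program files|progra~\d)", "%PROGRAMFILES%"),
    (r"^[a-z]:", "%DRIVE%"),
]]

# Allow-list of event fields that may leave the machine (hypothetical names).
ALLOWED_FIELDS = ("event", "path", "decision")


def normalize_path(path, username=None):
    """Replace the user- and disk-specific prefix of a Windows path with a token."""
    path = path.strip().replace("/", "\\")
    for pattern, token in _RULES:
        match = pattern.match(path)
        if match:
            path = token + path[match.end():]
            break
    else:
        # Fail closed: for anything unrecognised (UNC shares, relative paths)
        # keep only the file name, so host and share names are not sent.
        path = "%OTHER%\\" + path.rsplit("\\", 1)[-1]

    if username:
        # Residual check: the account name can also appear further down the
        # path (for example in a backup folder name). Skip the leading token.
        needle = username.lower()
        head, *rest = path.split("\\")
        rest = ["<redacted>" if needle in part.lower() else part for part in rest]
        path = "\\".join([head, *rest])
    return path


def minimize_event(raw_event, username):
    """Keep only allow-listed fields and normalize the path before sending."""
    event = {key: raw_event[key] for key in ALLOWED_FIELDS if key in raw_event}
    if "path" in event:
        event["path"] = normalize_path(event["path"], username)
    return event


# Constructed sample event, as a local agent might hold it before reporting.
SAMPLE_EVENT = {
    "event": "file_create",
    "path": r"c:\documents and settings\ghiser1\local settings\temp\blah.exe",
    "decision": "deny",
    "user": "ghiser1",
    "host": "GHISER-PC",
}

if __name__ == "__main__":
    print(minimize_event(SAMPLE_EVENT, "ghiser1"))
    for sample in (
        r"C:\DOCUME~1\GHISER~1\LOCALS~1\Temp\blah.exe",   # 8.3 short names
        r"E:\backup\ghiser1_taxes\blah.exe",              # name outside profile
        r"\\fileserver\home\x.exe",                       # UNC path
    ):
        print(normalize_path(sample, "ghiser1"))
```

The 8.3 short form is included because it carries a truncated account name just as the long form carries the full one.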

aigle
November 7th, 2006, 07:13 AM
-{ Quote: "The only sensible approach is "Do I trust this program to do what its authors say it will and nothing else?" If you don't know the authors, or what the program is supposed to do, then what? One approach is to deny it internet access completely " }-

Thanks for ur post.
I have two Qs.

1- There can be ways to bypass the firewall?
2- What if encrypt ur data on ur PC?

Thanks.

ghiser1
November 7th, 2006, 08:42 AM
-{ Quote: "Thanks for ur post.
I have two Qs.

1- There can be ways to bypass the firewall?
2- What if encrypt ur data on ur PC?

Thanks." }-

Hi aigle,

In strict security terms, the quick answers are YES your firewall can be bypassed and YES, encryption MAY help a little.

The longer answers are:

1. A firewall is bypassed by every legitimate application that is approved to communicate through it. This might sound like an obvious statement but it is fundamental as to why firewalls are not solid walls but holy walls - holy as in full of holes. Let's take an example of malware breaching a firewall.... Let's assume that you have your firewall locked tight to allow your email client SMTP access to one host (your ISP's email server). Nothing else is allowed to send SMTP traffic anywhere. Is it secure? No. A firewall only blocks unauthorised applications and communications at the network layer. We can perform an application layer attack against the firewall and it won't see it. If we can get a rogue DLL loaded into your email client in some way (and there's lots of ways of doing that) then that DLL could send email on your behalf to any email address it wishes. Such emails would appear to come from you, using your email client and would be sent from your email client to your ISP's email server straight through your firewall. Such a rogue DLL could easily send small emails every couple of hours (or days) to varying email addresses (anonymous remailers that eventually get the data to the same place) without placing those emails in your outbox. In this way your data could be leaked out of your system bit by bit. Unless you are actively monitoring the content of your network traffic you probably wouldn't even see it happening...

2. Encrypting your data will help, but will not keep it secure. At some point the data has to be decrypted in order for you to access it. Once it is decrypted you are at risk from any rogue process or DLL that can get access to the display or the memory of the app that decrypted your data. Encryption only helps while data is in transit or in storage. Once you decrypt it it is accessible and can be stolen.

There's an interesting paper written by some of my former colleagues on using Outlook/MAPI routing tables and email for covert channel data streams and remote access trojans - the so called Bunratty Attack (http://www.itsecurity.com/archive/papers/andyclarke.htm). Note the date - 1996!! Such attacks are still possible.

Hope this helps,

ghiser1

aigle
November 7th, 2006, 08:52 AM
Thanks a lot for ur explanation. So let me say that the only way is to trust the software company itself. If u don't trust, don't use it.

Stem
November 7th, 2006, 09:42 AM
-{ Quote: "Is it secure? No. A firewall only blocks unauthorised applications and communications at the network layer. We can perform an application layer attack against the firewall and it won't see it. If we can get a rogue DLL loaded into your email client in some way (and there's lots of ways of doing that) then that DLL could send email on your behalf to any email address it wishes." }-

This would depend as to what firewall you are using, a number of firewalls now include a check on loaded dll`s/injections.
This blanket statement is incorrect.

ghiser1
November 7th, 2006, 09:55 AM
-{ Quote: "This would depend as to what firewall you are using, a number of firewalls now include a check on loaded dll`s/injections.
This blanket statement is incorrect." }-

Despite the marketing from companies that sell such things, I would disagree that such an application can be called a firewall. IMHO a firewall can be either "on the box" or "on the network". Any "firewall" that does a job that cannot be done "on the network" and can only be done "on the box" is not a firewall in the sense that I was referring to. That is why I referred to a network-layer firewall. Any application that analyses an application is not working at the network-layer.

We're both right but in different ways, so I guess we'll have to agree to disagree ;D

aigle
November 7th, 2006, 10:36 AM
As most firewalls do this job now-a-days so I think it doesn't matter what a firewall means in reality. Practically it is true that u can see the dll loaded into browsers etc by a capable firewall.

Stem
November 7th, 2006, 11:09 AM
-{ Quote: "The goal of this thread is to get advice as to HOW I can set my firewall so as to protect my personal data when I am using so-called "community-based" HIPS programs such as Cyberhawk." }-

I can, at the moment, only think of "coreforce",.. to set a global system policy to block access to the files/directories you want secure. Then allow the programs that require the access permission via a specific policy.

aigle
November 7th, 2006, 11:22 AM
If data is in one folder, u can just protect it with GesWall as well. U can in fact protect more and more folders but u might get pop ups and functionality issues depending upon location of these folders. I think u might protect individual files as well but never tried it.
BufferZone has such an option also but never tried that.
In general I am not at all sure how well these confidential folders work while u are browsing on internet and at the same time u open such a folder to read some of its contents.

Stem
November 7th, 2006, 12:14 PM
-{ Quote: "If data is in one folder, u can just protect it with GesWall as well." }-

I thought Geswall would only protect a folder from an isolated program. You could not isolate a program that is meant to protect the system.

aigle
November 7th, 2006, 01:11 PM
Oh right, just forgot this point. U are exactly correct.
But may be some advanced rules can be made just like CoreForce but I am not sure.

Stem
November 7th, 2006, 01:16 PM
-{ Quote: "But may be some advanced rules can be made just like CoreForce but I am not sure." }-

I did make a request (some time ago) to SSM to include a protected folder (from access etc.) they said it was on their "to do" list.

Wai_Wai
November 9th, 2006, 03:15 AM
-{ Quote: "QUESTIONS-
#1a- How can I configure a firewall in order to prevent my antivirus program (for example) from changing or accessing any of my data except its own folder? " }-
I'm not aware of any firewall which could set the access rights of the folders/files.

-{ Quote: "#1b- Also, is a firewall the best & easiest way to obtain this kind of security?" }-
Nope!

-{ Quote: "#2- Would it be fairly *bullet-proof protection* if I (a) centralized all my personal data into one folder, then (b) password protected that folder, and (c) encrypted it? In other words -- WILL these 3 actions (a,b,c) enable me to give a HIPS app (for example) an "open ticket" to send whatever data it wishes, but still I would not need to worry that my personal data could be compromised?" }-

Yes, this is the best and very safe way to do.
But the step should be:
a) Put all personal folder in one place --> b) Encrypt your data (you will be asked to set a password/passfile during the process)

Encrypt any important personal data and put them all in one folder (for easy management purpose). To further improve the security, put them in a removable device (eg DVD-RAM, USB). Remove them when you don't need them. This can prevent a hacker from exploiting the vulnerabilities of your encryption software or try to crack your password of the encrypted data.

But beware of the following:
- when you decrypt your data, it is possible for the hacker to access and so steal the data.
- encryption is as secure as the weakest link. The encryption method itself (not the software) is next to impossible to crack (it would take more than thousands or billions of years to brute-force the encryption) (unless the developer of that encryption method has implemented a backdoor behind). To steal your encrypted data, a hacker may need to either exploit the weaknesses of your encryption software or steal your password.
- please create a strong password. Unlike what most people think, it is a misconception that only a complex password is strong. No, definitely not. Length is much more important than complexity. Creating a fairly simple but long password (eg 15-20 characters long) is much better than a complex but short password (eg 8 characters long but using all sorts of random letters/numbers/symbols). If you wish to know the details, please ask.
- as far as encryption goes, don't go for any proprietary encryption methods. Go for any established public encryption methods. Some of them have undergone years of peer reviews and so are extremely safe to use.
- beware that it is possible that encrypted data may get corrupted (eg power cutoff when data is being encrypted), so you may wish to make backups too.

Here's another concern when you try to put all personal data in one folder, that is it makes it very easy for a hacker to spot all your personal/important data. However if you take proper care of your computer and the encrypted data, it makes it much, much harder for the hacker to steal them (even if it can spot your personal data easily).

And the limitations of this approach:
- there are still personal data stored in your "documents and settings", "program files", "windows" folders etc.
- you may not even know where to protect these personal data
- and you cannot move the data to another place, or you will encounter some problems or break some of the functionality

In this regard, you can try to set the access rights of the folders in Windows XP Pro, or use any software which can set access rights of each folder. However since HIPS mostly install itself in the kernel level, I wonder if there is any point to do so.

Hope this helps.

Devil's Advocate
November 11th, 2006, 07:28 AM
-{ Quote: "Hi guys,


In terms of what you can do to protect your privacy with community/"phone home" apps?

Actually, IMHO, there is very little other than to only use vendors you trust or have been recommended to trust by others.

The only sensible approach is "Do I trust this program to do what its authors say it will and nothing else?"

" }-

I got to agree.

Seems very strange to use a *security* app that you don't trust to do what it says.

Or are you guys thinking of a situation where you install 5-10 security apps you don't trust, but expect each one to watch the other? :)

Personally, when I install and keep a HIPS or some other security program on my system, I will trust it fully, what is the point otherwise?

The security program is supposed to help make you feel more secure, not create more worries about whether it is doing something behind your back.

aigle
November 11th, 2006, 09:00 AM
-{ Quote: "
when I install and keep a HIPS or some other security program on my system, I will trust it fully, what is the point otherwise?
" }-

I totally agree.

sukarof
November 11th, 2006, 09:02 AM
-{ Quote: "I got to agree.

Seems very strange to use a *security* app that you don't trust to do what it says.

Or are you guys thinking of a situation where you install 5-10 security apps you don't trust, but expect each one to watch the other? :)

Personally, when I install and keep a HIPS or some other security program on my system, I will trust it fully, what is the point otherwise?

The security program is supposed to help make you feel more secure, not create more worries about whether it is doing something behind your back." }-

:thumb: ...well said.
Yes we all know what "layered" security is but sometimes it is drawn to the extreme ;D

Stem
November 11th, 2006, 09:49 AM
-{ Quote: "Personally, when I install and keep a HIPS or some other security program on my system, I will trust it fully, what is the point otherwise? -{ Quote: "I totally agree." }-" }-

I think you have both missed one of the main points of the original post:

-{ Quote: "Yes, I trust the organizations behind the apps where I have granted such access (DrWeb, Avira AntiVir, Cyberhawk, etc), but what if they get bought by someone who is NOT on the up & up?" }-

aigle
November 11th, 2006, 10:16 AM
Well! Hypotheses can never end. It's easier to work in reality.

Stem
November 11th, 2006, 11:47 AM
-{ Quote: "but what if they get bought by someone who is NOT on the up & up?-{ Quote: "Well! Hypotheses can never end. It's easier to work in reality." }-" }-

This to me is a possibility, we have seen products pass over to other vendors,.. maybe the user of the product may have a personal problem with the new vendor,...... such an hypothetical question (which is certainly possible), is still a question.

Should we simply discard this question/possibility?

aigle
November 11th, 2006, 04:09 PM
Well at least until it doesn't happen!

bellgamin
November 11th, 2006, 04:26 PM
-{ Quote: "This to me is a possibility, we have seen products pass over to other vendors,.. maybe the user of the product may have a personal problem with the new vendor,...... such an hypothetical question (which is certainly possible), is still a question.

Should we simply discard this question/possibility?" }-

In answer to Stem's question, my reply is a loud "NO!"

Instead, when granting a trusted application internet access, I want to learn how to configure my firewall, behavior blocker, etc, so that I am able to apply at least SOME limitations as to what that application is allowed to do -- just in case that application suddenly becomes a candidate for addition to a list of suspected BAD apps such as the list at THIS link (http://www.spywarewarrior.com/rogue_anti-spyware.htm).:o

For instance, I THINK I have found a way whereby System Safety Monitor can prohibit Cyberhawk from listening for key presses. As of now, I trust the CH folks (Novatix), and I understand their explanation (http://www.wilderssecurity.com/showpost.php?p=880218&postcount=181) of WHY CH "listens" for key presses. Even so, I prefer NOT to authorize this ability even though I do trust CH & want to participate in their "community."

In my opinion, a powerful behavior blocker (such as SSM or ProSecurity) offers potential for being able to at least partially limit the ability of *trusted apps* -- should they become untrustworthy for reasons unknown to their users.

I just need to learn more about HOW to configure SSM so as to move toward attaining this objective. Learning "how better to protect" was my goal in initiating this thread. I am very grateful to those who have offered helpful comments thus far, and certainly hope that there will be more of the same in days to come.:thumb:

aigle
November 11th, 2006, 05:31 PM
-{ Quote: " As of now, I trust the CH folks (Novatix), and I understand their explanation (http://www.wilderssecurity.com/showpost.php?p=880218&postcount=181) of WHY CH "listens" for key presses. Even so, I prefer NOT to authorize this ability even though I do trust CH & want to participate in their "community."
" }-

It still seems a matter of trust here.

Devil's Advocate
November 12th, 2006, 03:04 AM
-{ Quote: "This to me is a possibility, we have seen products pass over to other vendors,.. maybe the user of the product may have a personal problem with the new vendor,...... such an hypothetical question (which is certainly possible), is still a question.

Should we simply discard this question/possibility?" }-

Well if you don't want to discard this question, how about worrying that your firewall you use is bought out by another vendor and starts doing evil stuff? Heck that even occurs without any buying out. Didn't people accuse ZA of doing so? Why aren't you worrying about that?

What's the solution here, run 2 firewalls , to watch each other?

Or given that this is the firewall forum are you saying that you should trust only your personal firewall, but it is okay to run other security components you don't trust?

BTW if the product is bought over by a vendor I don't trust, I will simply uninstall it! Assuming I'm not aware that it was bought over, my firewall isn't going to make a difference.

Devil's Advocate
November 12th, 2006, 03:24 AM
-{ Quote: "
Instead, when granting a trusted application internet access, I want to learn how to configure my firewall, behavior blocker, etc, so that I am able to apply at least SOME limitations as to what that application is allowed to do -- just in case that application suddenly becomes a candidate for addition to a list of suspected BAD apps such as the list at THIS link (http://www.spywarewarrior.com/rogue_anti-spyware.htm).:o " }-

Bell,

Don't you think there is something absurd about using a behavior blocker to block another behavior blocker? Not to mention not everyone runs multiple security programs of the same class! Next you would be considering running 2 AVs at the same time, so one doesn't suddenly go bad and sneak in malware.

-{ Quote: "
In my opinion, a powerful behavior blocker (such as SSM or ProSecurity) offers potential for being able to at least partially limit the ability of *trusted apps* -- should they become untrustworthy for reasons unknown to their users.
" }-

And what if those powerful behavior blockers go bad? Do you use some other behavior blocker to restrict them?

I personally think this is the way to madness and insanity (not to mention likely system conflicts).

I presume that if some security product goes bad, you will uninstall it.

You are worried about the possibility it does harm before you realise that it is now effectively malware right?

Personally I think when that happens you are dead. For most security apps, you are effectively rootkitted by the security software already, and even if you are running multiple security programs, you are likely to have given that security turned malware a lot of permissions for it to run effectively.

And even if it does query you about some new action, I think it is 50-50 whether you will block it, because you might assume it's just a new feature added, unless you really don't trust it. But maybe you are more paranoid than me.

-{ Quote: "
For instance, I THINK I have found a way whereby System Safety Monitor can prohibit Cyberhawk from listening for key presses. As of now, I trust the CH folks (Novatix), and I understand their explanation of WHY CH "listens" for key presses. Even so, I prefer NOT to authorize this ability even though I do trust CH & want to participate in their "community."
" }-

Okay, this is insane, why not simply ask cyberhawk for the ability to turn that feature off? (Also how much have you crippled CH by blocking it!) And if they don't, just don't use it!

What happens if Cyberhawk changes so that it is no longer blocked by SSM? Can you tell when that happens? I can't and I bet 99% of people here can't. And if you do realise that this has happened, are you going to go to SSM and tell them to change so they can block CH alone?

Getting involved in an arms race against malware is one thing, but doing so against your own security software takes the cake!

Stem
November 12th, 2006, 08:21 AM
-{ Quote: "Well if you don't want to discard this question, how about worrying that your firewall you use is bought out by another vendor and starts doing evil stuff? " }-
The question could arise to any security product, even firewalls.

-{ Quote: "Heck that even occurs without any buying out. Didn't people accuse ZA of doing so? Why aren't you worrying about that? " }-
I have shown my concerns over ZA in other posts,

-{ Quote: "What's the solution here, run 2 firewalls , to watch each other? " }-
I personally will not use any firewall that gives its own applications access to the internet with hard_coded rules. I think a firewall should give the user full control over every internet access attempt made by any/all applications on the users PC.
Whenever I see a post concerning a new firewall, I will install that firewall and monitor all comms made, to look for any unauthorized internet access.

-{ Quote: "Or given that this is the firewall forum are you saying that you should trust only your personal firewall, but it is okay to run other security components you don't trust? " }-
Not at all,..

-{ Quote: "BTW if the product is bought over by a vendor I don't trust, I will simply uninstall it! " }-
I personally would do the same.

kareldjag
November 12th, 2006, 12:30 PM
Hi,

There's something paradoxical in an "HIPS countermeasures". :)
If someone buy a dog to guard his house, he will certainly not buy another bigger dog to guard the first dog!

But in all cases, I do not agree with the Devil's Advocate affirmation: "personally, when I install and keep an HIPS or some other security program on my system, I will trust it fully".

I doubt that the majority of users are able to make a deep forensic analysis of the software, neither a simple sniffer analysis.
Systems and software can be trusted...since their designers are trusted.
Unfortunately, we can't be sure in advance that human (and organizations) are trusted.

A simple example of HIPS: http://www.systembodyguard.com/
This product seems great...until the user discovers the business model: Marketing and adware!
And there are many examples that could be mentioned: a cd is trusted, and how many users infected by the sony rootkit; the same for video games, printers, keyboards, OS (Windows) etc.
Since the user takes care of his privacy and data, or the corporate of its patents, it's highly recommended to avoid client/server and intrusive security solutions: an example with TrvSecurity Suite (based on Trend solutions):
http://www.trvprotect.com/
Here again they claim (Privacy menu) that they don't collect personal data; but how a normal and unknowledgeable user can verify it?

Security is a process, and the more you control this process, the more you're able to protect data and privacy.

It's true that some HIPS are intrusive (Cyberw., PrevX, BufferZone in a minor way), and as suggested by some people: just avoid this software if there is any doubt.

So Bellgamin, there are many possible answers to your 2 questions.

1. File permissions can be used: http://support.microsoft.com/kb/308418
The security tab is not available by default in XP, but it takes 5 minutes to add it.
Some command-line tools can also be used, like "CACLS" for instance.
Another idea is to limit the privileges of firewall.exe (like SeDebugPrivileges etc), but that could make the program less efficient.
If you want an easier-to-use solution, you can try SafeSystem: http://www.gemiscorp.com/

But perhaps the most interesting solution is to use HIPS like Viguard or Parador File protection (http://www.e-securion.com/ ) which provide configuration options about what file is allowed to be used by file A or B.

2. A secure way to protect one's privacy is to use an SSL VPN (free solutions are available), but this is perhaps not useful for home users.
For data protection, it's simpler: an external and encrypted hard drive, protected or not by biometric authentication access, is a good solution.
Data can also be stored and encrypted on the local hard drive: many free solutions exist.
There is an interesting and effective solution (but paid) provided by a French start-up which encrypts data on the fly: http://www.primx.eu/en/

I guess that it's easier to find the best hot spot in Hawaii than the ideal security solution :)

regards

bellgamin
November 12th, 2006, 02:03 PM
@Kareldjag -- Thanks for the excellent suggestions. I am particularly impressed by SafeSystem (http://www.gemiscorp.com/) -- a potentially excellent security tool for under $20! I also did a cut&paste of the M$ article you linked.

Comments in General directed at no one in particular -- The idea of "you just gotta trust them" isn't a solution, in my opinion. It is, instead, giving in.

Extract from a speech that Sir Winston Churchill gave 29 October 1941 to the boys at Harrow School --
-{ Quote: "Never give in, never give in, never; never; never; never - in nothing, great or small, large or petty - never give in except to convictions of honor and good sense. Never yield to force; never yield to the apparently overwhelming might of the enemy." }-
Or, as Uncle Tennessee Ernie Ford once said...
-{ Quote: "There never was a horse that couldn't be rode. There never was a man that couldn't be throwed." }-
I don't think it absurd to use one security app to keep a wary eye on another security app. Every large Police Department has an Internal Affairs Branch -- policemen watching policemen.

I believe that simple precautions CAN AND SHOULD be put in place in case a *trusted* application suddenly and secretly develops nasty habits. There have been some good suggested solutions made thus far. In my opinion "trust all & hope for the best" is NOT a solution. Indeed it might be a significant part of the problem.

djg05
November 12th, 2006, 02:46 PM
-{ Quote: "Hi,
If someone buy a dog to guard his house, he will certainly not buy another bigger dog to guard the first dog!
" }-

Actually there is a saying that you keep a little dog to wake the big dog up. More than a saying - it is a fact.

Antarctica
November 12th, 2006, 04:17 PM
-{ Quote: "@Kareldjag -- Thanks for the excellent suggestions. I am particularly impressed by SafeSystem (http://www.gemiscorp.com/) -- a potentially excellent security tool for under $20!" }-

Hello bellgamin,

I went on the site from SafeSystem. That Software looks interesting for sure.:) Have you tried it yourself already? If so, what is your first impression?

Roger_
November 12th, 2006, 05:59 PM
Also, as a similar tool, has anyone tried DriveSentry?

http://www.drivesentry.com/features.htm

bellgamin
November 12th, 2006, 06:54 PM
-{ Quote: "Hello bellgamin,

I went on the site from SafeSystem. That Software looks interesting for sure.:) Have you tried it yourself already? If so, what is your first impression?" }-I might try it next week. The granddaughter is spending a couple of days here & wants to play computer games.

-{ Quote: "Also, as a similar tool, has anyone tried DriveSentry?

http://www.drivesentry.com/features.htm" }-Oi vey! That Drive Sentry also looks excellent. There's a free version (slightly crippled) and a $29 version with a 60-day trial. So many possibilities. So little time.

Antarctica
November 12th, 2006, 07:16 PM
-{ Quote: "I might try it next week. The granddaughter is spending a couple of days here & wants to play computer games." }-

Only the granddaughter wants to play computer game.:P

Let us know how you find Safe System.:)

Stem
November 12th, 2006, 07:22 PM
-{ Quote: "has anyone tried DriveSentry?" }-This is just for "write" permissions. (If a program is allowed to write (and where) to disk)

"SafeSystem" gives more protection including the ability to block the reading of files/folders, but on a quick look I could not see the ability to allow certain programs permission to access, it is protect from all or none.

bellgamin
November 12th, 2006, 08:50 PM
-{ Quote: ""SafeSystem" gives more protection including the ability to block the reading of files/folders, but on a quick look I could not see the ability to allow certain programs permission to access, it is protect from all or none." }-I had a close second look at SafeSecure's website -- especially the screenshots -- and everything I saw indicated that Stem is correct. Even so, I sent SafeSystem's proponent a support message asking about this matter.

I wonder if s/he will answer. I certainly hope so.

dah145
November 12th, 2006, 10:27 PM
IMO Folder Guard (http://www.winability.com/folderguard/) is the best at this ;D

Paranoid2000
November 12th, 2006, 10:39 PM
One major problem with trying to use security software A to restrict security software B - both will implement their security measures via hooks (usermode or kernel), drivers and/or services. If you allow a product to install a driver or access physical memory, it can pretty much do anything including disabling other security software.

So if you distrust security software B, you cannot expect to be able to reliably restrict it with A. You may be able to, but if B has privileged access, it will always be possible for it to work around restrictions imposed by either Windows or other software.

Wai_Wai
November 16th, 2006, 02:34 AM
-{ Quote: "This to me is a possibility, we have seen products pass over to other vendors,.. maybe the user of the product may have a personal problem with the new vendor,...... such an hypothetical question (which is certainly possible), is still a question.

Should we simply discard this question/possibility?" }-

OK, the answer is no.
So what can we do to protect our privacy?

Wouldn't the answer in post #18 help:
http://www.wilderssecurity.com/showpost.php?p=879234&postcount=18

Encrypt your personal data.
Set access rights.
Anything else?

Wai_Wai
November 16th, 2006, 02:38 AM
-{ Quote: "One major problem with trying to use security software A to restrict security software B - both will implement their security measures via hooks (usermode or kernel), drivers and/or services. If you allow a product to install a driver or access physical memory, it can pretty much do anything including disabling other security software.

So if you distrust security software B, you cannot expect to be able to reliably restrict it with A. You may be able to, but if B has privileged access, it will always be possible for it to work around restrictions imposed by either Windows or other software." }-

Yes, exactly.

But what if we don't distrust to such a degree, rather we trust it not to do the clearly malicious activities, but it may do something to compromise our privacy. In this case, what can we do to protect our privacy?

I think that's the gist of this thread.

Mrkvonic
November 16th, 2006, 12:14 PM
Hello,

The answers I can suggest:

1a. Change read / write / execute rights for the application you don't want to see your personal data, although this might be tricky in Windows, especially under Admin account. Might work with Limited. Could complicate scans and such. Works in Linux.

1b. Place your data on a separate drive - usually these programs scan the system drive.

1c. Don't use programs that you distrust.

2. You cannot ever be sure that a program, installed on your machine, especially if it runs as a service, will or will not read / write / execute files or folders anywhere on your machine, encrypted or not.

To sum it up:

Don't use such programs.

Mrk

Paranoid2000
November 16th, 2006, 03:29 PM
-{ Quote: "...it may do something to compromise our privacy. In this case, what can we do to protect our privacy?" }-As stated in my previous post, there isn't much you can do other than avoiding storing personal data in the first place. You cannot reliably use one security program to limit the activities of another.

bellgamin
November 16th, 2006, 08:14 PM
-{ Quote: "As stated in my previous post, there isn't much you can do other than avoiding storing personal data in the first place. You cannot reliably use one security program to limit the activities of another." }-A) I have SystemSafetyMonitor ACTUALLY doing the following as of right now...

1) It restricts Antivir-Free from being able to pop-up its nag screen every time I update. It also prohibits Antivir-Free from activating AVGuard.

2) It protects all my security applications from termination.

3) It prohibits Cyberhawk from doing a programmed-in function of listening for key presses.

B) Further, I use yet another program to encrypt & render invisible certain folders.

@Paranoid-
Q1- Are you saying that the above configs are futile? If so, why are they working? (At least, I THINK they're working.)

Q2- Or are you merely saying that one of my security programs could *rebel* against being controlled by SSM & thereby break loose? Or.... what?

Paranoid2000
November 16th, 2006, 09:02 PM
-{ Quote: "
@Paranoid-
Q1- Are you saying that the above configs are futile? If so, why are they working? (At least, I THINK they're working.)

Q2- Or are you merely saying that one of my security programs could *rebel* against being controlled by SSM & thereby break loose? Or.... what?" }-The second - SSM may certainly be working as you expect with your current configuration but if, say, Cyberhawk's developer decided to gain access to keypresses regardless of SSM, he could do so in a number of ways - unloading SSM's driver, clearing the hooks it sets in Windows (though it would probably be easier to clear all hooks as SDTRestore does) or even replacing the existing keyboard driver (i8402prt.sys on my system) with a custom variant.

"Normal" applications trying this would need to install a driver, gain access to physical memory, have admin access, etc but an installed security application would almost surely have all this.

Now it is highly unlikely that a legitimate developer would go down this road (considering the PR fallout that could result) but given the number of rogue "anti-spyware" applications we've seen in the past, it would be unwise to discount such a possibility in future - and it would be the easiest method to bypass any existing security mechanisms ("Yea, our SystemScrewer Protection needs to install a driver to protect ya - don't worry about Norton disappearing, we just hid it to avoid botherin' ya with silly popups...").

bellgamin
November 17th, 2006, 03:03 PM
-{ Quote: "("Yea, our SystemScrewer Protection needs to install a driver to protect ya - don't worry about Norton disappearing, we just hid it to avoid botherin' ya with silly popups...")." }-Sounds reasonable to me.:wacko: :gack: :blink: :ouch: :isay: :-\ :gack:

Ulp... anything that makes Norton disappear can't be all bad, can it?;D

But seriously -- thanks Paranoid. I pretty much understand & totally accept your comments. Shalom

Wai_Wai
November 25th, 2006, 10:09 PM
-{ Quote: "The second - SSM may certainly be working as you expect with your current configuration but if, say, Cyberhawk's developer decided to gain access to keypresses regardless of SSM, he could do so in a number of ways - unloading SSM's driver, clearing the hooks it sets in Windows (though it would probably be easier to clear all hooks as SDTRestore does) or even replacing the existing keyboard driver (i8402prt.sys on my system) with a custom variant.

"Normal" applications trying this would need to install a driver, gain access to physical memory, have admin access, etc but an installed security application would almost surely have all this.

Now it is highly unlikely that a legitimate developer would go down this road (considering the PR fallout that could result) but given the number of rogue "anti-spyware" applications we've seen in the past, it would be unwise to discount such a possibility in future - and it would be the easiest method to bypass any existing security mechanisms ("Yea, our SystemScrewer Protection needs to install a driver to protect ya - don't worry about Norton disappearing, we just hid it to avoid botherin' ya with silly popups...")." }-

One question:
Even if that security is as evil as described above, it is still not possible to read my encrypted folders/files. The only way it can read is when I try to decrypt them, right?

Paranoid2000
November 28th, 2006, 10:37 AM
-{ Quote: "The only way it can read is when I try to decrypt them, right?" }-Assuming the encryption is properly done yes - but a rogue security application could monitor the memory of any encryption software used and have a good chance of being able to extract the plaintext during any decryption operation. So there are still no guarantees...

Rivalen
November 28th, 2006, 11:41 AM
I was a bit doubtful about Cyberhawk community thing. Maybe because it's a young product and I don't know what will happen to it. I wish that they would use this marketing period they are in now to give the users as much info as possible about what they are sending home in realtime with options for users that don't want those popups to shut them down and tick "never show this again". I know I could still be vulnerable to all sorts of scams from an unserious vendor (talking general now - not specifically CH - I am not overworried about them), but at least an open dialog like described about PrevX gives a good impression - and that is a good start.

Hope CH support feels like commenting on this line of discussion again.

After a free version - I view the free versions as marketing - normally comes a paid version - will be interesting to see what the difference will be for CH.

I use Outpost and it has a Feedback feature (sort of community) that I allow because Agnitum is so established and I have used it since version 1 and the Feedback came on somewhere along version 3 something. So I feel safe there and probably will with CH also somewhere in the future.

Edit: Put CH back on and let OP block all internet access for all 3 of CH's processes - will leave it like that for a while and suppose it protects me just as well as if it had access. Since community access set to off is automatically set back to on after reboot I must let OP do the job. Probably just temporary measures.

Best Regards
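
An added example, not part of any post in this thread and not based on any real firewall's log format: one way to audit a firewall log for the two checks described above, Stem's monitoring of all comms for unauthorized access and Rivalen's block on a HIPS's processes. The log layout, process names, hosts and policy tables are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (invented format and names): date time process dest verdict
SAMPLE_LOG = """\
2006-11-12 00:05:10 hips_agent.exe updates.vendor.example:443 ALLOW
2006-11-12 04:05:12 hips_agent.exe updates.vendor.example:443 ALLOW
2006-11-12 08:05:09 hips_agent.exe updates.vendor.example:443 ALLOW
2006-11-12 09:14:02 browser.exe www.site.example:80 ALLOW
2006-11-12 10:30:00 hips_ui.exe stats.vendor.example:80 BLOCK
2006-11-12 11:02:17 av_update.exe av.vendor.example:80 ALLOW
"""

# Hypothetical user policy. None means "any destination is fine".
APPROVED = {"browser.exe": None, "av_update.exe": {"av.vendor.example:80"}}
MUST_BE_BLOCKED = {"hips_agent.exe", "hips_ui.exe"}

def parse(log):
    """Yield (timestamp, process, destination, verdict); skip malformed lines."""
    for line in log.splitlines():
        try:
            day, clock, proc, dest, verdict = line.split()
            ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # wrong field count or unparsable timestamp
        yield ts, proc.lower(), dest.lower(), verdict.upper()

def period_hours(times, tolerance=0.05):
    """Return the interval in hours if connections recur on a steady schedule."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps) if len(gaps) >= 2 else 0
    steady = mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps)
    return round(mid / 3600, 1) if steady else None

def audit(log, approved=APPROVED, must_block=MUST_BE_BLOCKED):
    """List allowed outbound connections that the policy did not permit."""
    allowed = defaultdict(list)
    for ts, proc, dest, verdict in parse(log):
        if verdict == "ALLOW":
            allowed[(proc, dest)].append(ts)
    findings = []
    for (proc, dest), times in sorted(allowed.items()):
        if proc in must_block:
            reason = "block rule not enforced"
        elif proc not in approved:
            reason = "process not approved"
        elif approved[proc] is not None and dest not in approved[proc]:
            reason = "destination not approved"
        else:
            continue
        findings.append({"process": proc, "dest": dest, "count": len(times),
                         "reason": reason, "period_hours": period_hours(sorted(times))})
    return findings
```

A clean report only covers traffic the firewall itself logged; as Paranoid2000 notes in this thread, software with driver-level access can work around controls imposed by other software.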

Wai_Wai
November 30th, 2006, 12:50 PM
-{ Quote: "Assuming the encryption is properly done yes - but a rogue security application could monitor the memory of any encryption software used and have a good chance of being able to extract the plaintext during any decryption operation. So there are still no guarantees..." }-

I think the same logic holds true if I encrypt my data after the rogue software is installed. But the encrypted data is safe if it is done before. Sure your data may be at risk when you decrypt it, but I think a legitimate software won't go too far like that. Thus the encryption method may be one of the solutions to the poster's problem.