View Full Version : Why cure when you can protect?
Kees1958
March 24th, 2007, 04:12 PM
Hi, all
After quitting anti-spyware programs, I have now removed my antivirus (Antivir). It had not found a virus in 1.5 years. The combination of sandbox (DefenseWall), process/registry monitor (SSM-free) and fire/data wall (SensiveGuard) proved to be sufficient. So let's spice up the discussion.
lucas1985
March 24th, 2007, 04:26 PM
Removed from realtime or completely?
In the not too distant future, my security strategy will be:
- Host-based: whitelisting/behaviour analysis/hardening/sandbox/forensic analysis.
- Network/perimeter/gateway based: blacklisting, content filtering, network behaviour (UTM router).
So, the blacklisting will be moved from hosts to the gateway.
EASTER.2010
March 24th, 2007, 04:32 PM
I haven't taken anti-virus apps seriously since one particular HIPS surfaced on this scene not so long ago and has taken the internet AND THIS FORUM by storm. I think you all know what I speak of here. I wouldn't want to scratch any wounds by saying they are a total replacement for AVs, but they have completely proved to me that they can handle the job just fine. That is a really efficient combo.
I recently took on KIS6 because I wanted to complete the full spectrum of security for one machine that gets the most internet attention, BUT I STOPPED DOING ANYTHING BUT ON-DEMAND with it. Why bother, as you say, when you haven't been troubled. The only trouble I could possibly run into is by infecting myself, and I've done that so many times it's commonplace. Same goes for drive-by downloads since Power Shadow is here now.
Online I go with something on this order: SSM (full), CyberHawk, ST + Kerio 2.15... occasionally EQSysSecure, for testing's sake mostly.
So let's do spice up the discussion over this phenomenon. 8)
Peter2150
March 24th, 2007, 05:13 PM
I kind of agree, and have also cut back. I am using Sandboxie, and if I want an extra layer I will do something in a VM. Also, in many ways FDISR serves as a higher-level sandbox.
I've already pulled SAS, and Prevx off. I still have SSM,KAV and OA on the machine.
Pete
lodore
March 24th, 2007, 05:19 PM
I've cut back as well.
All I've got is KIS 6.0, SuperAntiSpyware and Spy Sweeper,
also SpywareBlaster and a-squared HiJackFree.
I removed a-squared Free a while back.
lodore
SpikeyB
March 24th, 2007, 05:47 PM
I've been running my windows box for about a year with only Deep Freeze and the software restriction policy built into XP Pro. I almost forgot, a NAT router too.
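SpikeyB's setup relies on the default-deny whitelisting built into XP Pro's Software Restriction Policy. The script below is an added example, not code from the thread or from Microsoft: it models how SRP resolves path rules (the most specific matching rule wins, and anything unmatched falls to DefaultLevel) and shows the one check a practitioner wants before trusting a "Disallowed by default" policy. The two Unrestricted rules correspond to the stock XP defaults for %SystemRoot% and %ProgramFiles% (shown already expanded), and the Disallowed folders are an assumed, illustrative list of user-writable locations inside %SystemRoot%; registry_plan() only describes the layout SRP reads and writes nothing.

```python
"""Model of how Windows Software Restriction Policy (SRP) resolves path rules.

Added example; not code from the thread.  Rule lists are constructed: the two
Unrestricted rules correspond to stock XP defaults (%SystemRoot%, %ProgramFiles%,
already expanded) and the Disallowed rules are an assumed, illustrative subset
of folders a limited user can write to under %SystemRoot%.  Nothing here touches
the registry; registry_plan() only lists the values SRP reads.
"""
import fnmatch
import ntpath
import uuid

# SAFER level identifiers as stored in DefaultLevel and in rule subkey names.
DISALLOWED = 0x00000
UNRESTRICTED = 0x40000
LEVEL_NAMES = {DISALLOWED: "Disallowed", UNRESTRICTED: "Unrestricted"}

# Rules are (level, path).  A folder rule covers everything beneath it;
# a rule containing * or ? is matched against the whole path as a pattern.
DEFAULT_XP_RULES = [
    (UNRESTRICTED, r"C:\WINDOWS"),          # %SystemRoot%
    (UNRESTRICTED, r"C:\Program Files"),    # %ProgramFilesDir%
]

# Assumed user-writable folders (illustrative).  Under the defaults alone
# they inherit Unrestricted from the C:\WINDOWS rule above.
HARDENED_EXTRA = [
    (DISALLOWED, r"C:\WINDOWS\Temp"),
    (DISALLOWED, r"C:\WINDOWS\Tasks"),
    (DISALLOWED, r"C:\WINDOWS\Debug\WIA"),
    (DISALLOWED, r"C:\WINDOWS\Registration\CRMLog"),
    (DISALLOWED, r"C:\WINDOWS\system32\spool\PRINTERS"),
]


def _norm(p):
    """Case-fold and normalise a Windows path (ntpath works on any host)."""
    return ntpath.normcase(ntpath.normpath(p))


def rule_matches(pattern, path):
    pat, p = _norm(pattern), _norm(path)
    if any(c in pat for c in "*?"):
        return fnmatch.fnmatchcase(p, pat)
    return p == pat or p.startswith(pat + "\\")


def effective_level(path, rules, default_level=DISALLOWED):
    """SRP semantics: among matching path rules the most specific (longest)
    wins; with no match the policy's DefaultLevel applies (default-deny here)."""
    best = None
    for level, pattern in rules:
        if rule_matches(pattern, path):
            if best is None or len(_norm(pattern)) > len(_norm(best[1])):
                best = (level, pattern)
    return best[0] if best else default_level


def audit(rules, candidates):
    """Return {path: level name} for a list of would-be executables."""
    return {c: LEVEL_NAMES[effective_level(c, rules)] for c in candidates}


def registry_plan(rules, default_level=DISALLOWED):
    """Values SRP reads, as (subkey, value name, type, data) tuples relative to
    HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers."""
    plan = [
        ("", "DefaultLevel", "REG_DWORD", default_level),
        ("", "TransparentEnabled", "REG_DWORD", 2),   # 2 = enforce for DLLs too
        ("", "PolicyScope", "REG_DWORD", 0),          # 0 = all users incl. admins
    ]
    for level, pattern in rules:
        sub = r"%d\Paths\{%s}" % (level, uuid.uuid4())
        plan.append((sub, "ItemData", "REG_EXPAND_SZ", pattern))
        plan.append((sub, "SaferFlags", "REG_DWORD", 0))
    return plan


if __name__ == "__main__":
    samples = [
        r"C:\Documents and Settings\kees\Desktop\froop.exe",
        r"C:\WINDOWS\Temp\froop.exe",
        r"C:\WINDOWS\system32\notepad.exe",
    ]
    print("defaults only  :", audit(DEFAULT_XP_RULES, samples))
    print("with extra deny:", audit(DEFAULT_XP_RULES + HARDENED_EXTRA, samples))
```

The point of the audit is the second sample: with only the default rules, an executable dropped into a user-writable folder under C:\WINDOWS runs Unrestricted, so a default-deny policy is only as good as the Disallowed rules layered on top of the Unrestricted ones; running the audit against every folder a limited user can write to is the check to do before relying on SRP as the sole execution control.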
walking paradox
March 24th, 2007, 08:26 PM
While I still have signature scanners in the form of AV and AS, I acknowledge the reasoning against them and agree with the rationale for dumping them. Over the long term, that approach simply isn't viable. It will only be a matter of time till they no longer meet the standards of effectiveness and efficiency for most people with computer security know-how. However, they will likely maintain their dominance of the computer security market well past this mark, given the vast majority of computer users are ignorant in the realm of computer security.
walking paradox
March 24th, 2007, 08:39 PM
The primary problem with doing away with signature scanners is that the alternatives typically aren't user-friendly. Most people I know would have no idea how to use the simplest HIPS, sandbox, or virtualization software. Granted with some of the programs out there you could potentially set it up for them in a manner that would not require much further user input, but that usually isn't the case.
lodore
March 24th, 2007, 08:39 PM
-{ Quote: "lol lodore, I think this thread is talking about moving away from blacklisting and signature scanners in general and towards other security software like HIPS, sandbox, virtualization, etc. Don't take it the wrong way, I just found it funny that you vocally jumped on this bandwagon but you still only have signature scanners
On Topic: While I still have signature scanners in the form of AV and AS, I acknowledge the reasoning against them and agree with the rationale for dumping them. Over the long term, that approach simply isn't viable. It will only be a matter of time till they no longer meet the standards of effectiveness and efficiency for most people with computer security know-how. However, they will likely maintain their dominance of the computer security market well past this mark, given the vast majority of computer users are ignorant in the realm of computer security." }-
Yes it is lol.
I never know what type of HIPS, sandbox or virtualisation to use.
With IE sandboxed you can't do Windows updates.
Most people here at Wilders can be safe with just an AV and firewall and nothing else.
If you never get infected, an AV with signature updates is fine.
Of course, sandboxes mean no popups and can be emptied with one click.
Some people get annoyed with all the popups from some HIPS.
lodore
walking paradox
March 24th, 2007, 08:45 PM
Removed that part of my post as I figured it wasn't pertinent to the discussion, and given that this is an important discussion to have, I didn't want it to get sidetracked.
yankinNcrankin
March 24th, 2007, 08:48 PM
I don't believe in curing anymore; preventing, yes, if I can, and I use a HIPS for that. More importantly, the ability to detect malicious system file modifications, changes and deletions, both hidden and seen, which I am able to do in under 15 seconds (sometimes less) with TinyWatcher set up with modified settings, means there will be no hesitation on a clean system restore, which is worth the 30 second wait as opposed to 5 min or longer scans by AV, Trojan and malware type scanners in the hope that they get it all. Well, as we all know, if you're running PowerShadow then a clean restore is all the easier. ;D
ErikAlbert
March 24th, 2007, 09:03 PM
I boot every morning into a clean computer; in the past I only had a clean computer twice a year. So that's an improvement.
Now I'm only interested in software that prevents the installation of malware and/or stops the execution of malware, to save the day between two reboots.
I don't need software anymore that removes malware; I took care of that already (100% in theory), much better and faster than scanners and without false positives ::).
EASTER.2010
March 24th, 2007, 09:07 PM
When I finally get my new hard drive in and partition everything to my choice, then add the famed FD-ISR, I think that one will just about complete matters finally.
It'll be great to be able to turn to a working snapshot with everything in order and not have to jockey apps so often like before. Plus I can really go full steam with experimenting on the facing off of security apps vs. malware.
Meriadoc
March 24th, 2007, 09:48 PM
Hi,
I've never been one to run an AS and AV constantly in the background on a computer. Through virtualization such as VMware, or whether it's FD-ISR, plus a firewall, I do not think it is needed here in that capacity.
WSFuser
March 24th, 2007, 10:49 PM
Advanced users (or really, really safe surfers) may be able to do with HIPS/sandbox/virtualization etc., but for the rest of us I think scanners will stay.
yankinNcrankin
March 24th, 2007, 11:04 PM
If the scanner takes less than the time it takes me to restore my system then yeah, I say keep them scanners; if not, then LOL ;D
Mrkvonic
March 25th, 2007, 05:00 AM
Hello,
Time to spice it up. Protect from what?
Now a difficult question. Let's say you want to use a program called froop.exe. This program is something you need. And you have used previous versions and liked them. Or a very good geek friend recommended it - even brought it on the CD for you.
So you start installing. Of course, to install, you need to disable DefenseWall, right. And your HIPSs start warning you about reg key changes and startup entries, but this is only normal, because that's what programs do when they get installed...
So I'm wondering at what point will you decide that HKLM\entry1 is malicious and HKLM\entry2 is not. And whether some inline or V12 hook is doing naughty stuff beneath the hood. And so forth.
Now the real question is:
If you suspect a file, why run it in the first place?
If you don't, why check it then at all?
And again, will you let scvhost.exe connect to windowsupdates.com, via port 80. Nothing special.
Mrk
yankinNcrankin
March 25th, 2007, 05:39 AM
-{ Quote: "Hello,
Time to spice it up. Protect from what?
Now a difficult question. Let's say you want to use a program called froop.exe. This program is something you need. And you have used previous versions and liked them. Or a very good geek friend recommended it - even brought it on the CD for you.
So you start installing. Of course, to install, you need to disable DefenseWall, right. And your HIPSs start warning you about reg key changes and startup entries, but this is only normal, because that's what programs do when they get installed...
So I'm wondering at what point will you decide that HKLM\entry1 is malicious and HKLM\entry2 is not. And whether some inline or V12 hook is doing naughty stuff beneath the hood. And so forth.
Now the real question is:
If you suspect a file, why run it in the first place?
If you don't, why check it then at all?
And again, will you let scvhost.exe connect to windowsupdates.com, via port 80. Nothing special.
Mrk" }-
I'll answer this based on my own personal reasonings; others will have different seasonings, oops I meant reasonings ;D
1st, to protect myself from possible BSODs and to learn more about a specific program's installation: files created, directory, hidden, deleted, registry entries. Of course, it's a learning thing for myself; I get off on it. ::)
2nd, about that program I need and used in the past: well then it's quite obvious that I would have some trust in something that I liked and used in the past, it's a no-brainer. The same could be said of any program; there is always a risk factor of any program going rogue, especially if it's not open source and you don't understand code. That's why you test programs out. For myself, after using previous versions of froop.exe I have since then studied and learned about key registry entries, what they mean and why the settings are set the way they are set. I'm glad I know this, as I could easily recognize an entry that should not be there if it should ever get flagged. That was hard ::)
3rd, I speak for myself, but I'm sure others have other methods of testing a program out, maybe through virtualization or another box if they're $rich$. ;D
4th, if I ever suspected a file or not, the reason I would run it is simple: for the learning and the experience... LOL ::) Will I let svchost.exe connect to do updates? I speak for myself: NO WAYS! Ain't happening! LOL, the idea of MS trying to patch things and then adding new holes doesn't fly by me.
Meriadoc
March 25th, 2007, 05:57 AM
-{ Quote: "And again, will you let scvhost.exe connect to windowsupdates.com, via port 80. Nothing special." }-
Mrkvonic, scvhost.exe as in this (http://www.liutilities.com/products/wintaskspro/processlibrary/scvhost/) virus? :) ;D
ErikAlbert
March 25th, 2007, 06:00 AM
-{ Quote: "If the scanner takes less than the time it takes me to restore my system then yeah, I say keep them scanners, if not, than LOL ;D" }-
I remove my possible infections during reboot (90-120 seconds), no full scan can beat that and most users have more than one scanner.
yankinNcrankin
March 25th, 2007, 06:11 AM
Not bad, ErikAlbert. I remove my infections in under 25 seconds with a reboot; I can do a complete clean overwritten restore in under 2 min :thumb: and this, by the way, includes the time to put my PC-DOS disc in, boot into the environment and then select my clean .gho image off the external drive. Now that's as fast as I go.
Actually Tiny Watcher won't remove infections, but it can do a full scan and let me know of newly created files and registry entries that shouldn't be there in under 15 sec. Try it for yourself. I have run live malware against this scanner's detection abilities and it will pick up the added entries, seen and hidden, that the baddies create or delete; you just need to modify the default settings.
ErikAlbert
March 25th, 2007, 06:23 AM
-{ Quote: "Not bad, ErikAlbert. I remove my infections in under 25 seconds with a reboot; I can do a complete clean overwritten restore in under 2 min :thumb: and this, by the way, includes the time to put my PC-DOS disc in, boot into the environment and then select my clean .gho image off the external drive. Now that's as fast as I go.
Actually Tiny Watcher can do a full scan and let me know of newly created files that shouldn't be there in under 15 sec. Try it for yourself. I have run live malware against this scanner's detection abilities and it will pick up the added entries, seen and hidden, that the baddies create or delete; you just need to modify the default settings." }-
I'm glad, I'm not the only one. My scanner period is over.
No incomplete removal anymore, no false positives anymore, my history is gone and my registry is clean again. That's the future.
dw2108
March 25th, 2007, 06:41 AM
There's one big problem with an SSM-only approach -- namely, depending upon the OS, such files as user(32).exe, system.exe, shell(32).exe, rundll(32).exe, etc., shall still be exposed, and are the real weaknesses of any Windows OS. Hackers know this, as do some very "intelligent" maliciously coded apps. E.g., lowering a firewall at the wrong time could result in the creation of a Trojan attack which SSM and other similar apps cannot prevent.
If by emulation, these files, as well as all possible command or run switches, can be placed on the registry protector side, there shall be victory over crudware.
Dave
Meriadoc
March 25th, 2007, 06:47 AM
-{ Quote: "I remove my possible infections during reboot...No incomplete removal anymore, no false/positives anymore, my history is gone and my registry is clean again. That's the future." }-
Must be better than, select Full scan. Ya not alone there EA.;)
ErikAlbert
March 25th, 2007, 08:17 AM
-{ Quote: "Must be better than, select Full scan. Ya not alone there EA.;)" }-
Well, they can't blame me for not telling how I fight against the bad guys. It's all published at Wilders.
I'm doing this for myself and I'm satisfied with the results so far.
Peter2150
March 25th, 2007, 08:35 AM
-{ Quote: "Hello,
Time to spice it up. Protect from what?
Now a difficult question. Let's say you want to use a program called froop.exe. This program is something you need. And you have used previous versions and liked them. Or a very good geek friend recommended it - even brought it on the CD for you.
So you start installing. Of course, to install, you need to disable DefenseWall, right. And your HIPSs start warning you about reg key changes and startup entries, but this is only normal, because that's what programs do when they get installed...
So I'm wondering at what point will you decide that HKLM\entry1 is malicious and HKLM\entry2 is not. And whether some inline or V12 hook is doing naughty stuff beneath the hood. And so forth.
Now the real question is:
If you suspect a file, why run in the first place?
If you don't, why check it then at all?
And again, will you let scvhost.exe connect to windowsupdates.com, via port 80. Nothing special.
Mrk" }-
I agree totally.
@dw2108
The flaw isn't SSM, but the user. SSM will detect the manipulations; the trick is for the user to not allow them.
Kees1958
March 25th, 2007, 10:57 AM
-{ Quote: "Removed from realtime or completely?
" }-
From real time; kept on-demand (though I try BitDefender).
Kees1958
March 25th, 2007, 11:05 AM
-{ Quote: "I agree totally.
@dw2108
The flaw isn't ssm, but the user. SSM will detect the manipulations, trick is for the user to not allow them." }-
On PC-1 we have SSM-free running with the UI disconnected. My wife uses the PC only for Internet and music downloads.
The setup without AV in real time only works on stable PCs. My wife doesn't get asked to decide; the setup either allows or blocks/denies (see first post).
On the other PC (PC2) I did not remove Antivir, because Antivir every now and then finds something (my son's a gamer and tries software). So I agree also.
Setup PC2
Kees1958
March 25th, 2007, 11:11 AM
-{ Quote: "There's one big problem with an SSM-only approach -- namely, depending upon the OS, such files as user(32).exe, system.exe. shell(32).exe, rundll(32).exe, etc., shall still be exposed, and are the real weaknesses of any Windows OS. Hackers know this, as do some very "intelligent" maliciously coded apps. E.g., lowering a firewall at the wrong time, could result in the creation of a Trojan attack which SSM and other similar apps cannot prevent.
If by emulation, these files, as well as all possible command or run switches, can be placed on the registry protector side, there shall be victory over crudware.
Dave" }-
I don't have SSM only; SensiveGuard takes care of the protection of files (when malware was able to sneak by DefenseWall). So the above won't happen.
Kees1958
March 25th, 2007, 11:16 AM
I have a backup of everything on an external hard disk, so anyone, mention a website which is very dangerous. I tried all the key-gen sites and some Russian malware sites; no one was able to crack the defense as a drive-by.
As mentioned earlier, a shot in the foot in our setup is not possible, because download/startup of executables is denied.
I would be happy to try. Post the site or send me a private message. I will try and honestly tell you what happened.
Regards K
herbalist
March 25th, 2007, 11:28 AM
-{ Quote: "After quitting with anti spyware progs, I now removed my Antivirus (Antivir). It had not found a virus in a 1.5 year. The combi of sandbox (DefenseWall), process/registry monitor (SSM-free) and Fire/Data wall (SensiveGuard) proved to be sufficient. So let spice up discussion." }-
I stopped using anti-spyware apps a couple years ago. About a year ago, I stopped using a resident AV. I run SSM-free for process/activity control, Kerio 2.1.5 for traffic control, Proxomitron for content filtering, and DOS batch files to restore the registry. The combination has been completely effective. Should my protection ever fail for whatever reason, system backups will cure the problem, though I've never had to use them to cure an infection.
-{ Quote: "Now a difficult question. Let's say you want to use a program called froop.exe. This program is something you need. And you have used previous versions and liked them. Or a very good geek friend recommended it - even brought it on the CD for you.
So you start installing. Of course, to install, you need to disable DefenseWall, right. And your HIPSs start warning you about reg key changes and startup entries, but this is only normal, because that's what programs do when they get installed...
So I'm wondering at what point will you decide that HKLM\entry1 is malicious and HKLM\entry2 is not. And whether some inline or V12 hook is doing naughty stuff beneath the hood. And so forth." }-
I can't comment on disabling DefenseWall as I don't use it. As for SSM, I keep it running during all installs, along with the firewall and InCtrl5. All activity and traffic is monitored and recorded for every install. Yes, registry changes are normal during an install or update, but I still want to know what gets changed. Too many apps change things they don't need to.
-{ Quote: "If you suspect a file, why run in the first place?
If you don't, why check it then at all?" }-
Because all files, apps, and code are suspect until proven otherwise, just not all for the same reasons. Something that's poorly coded, bloated, or calls home is just as undesirable as something that's malicious. Unless you know how to disassemble an app and are willing to take the time to do so, the only way to know how it will run on your system is to try it. If I don't like the app for any reason, the InCtrl5 report identifies all the new files and my batch files will restore the registry. If it's a big application, I use my backup images.
What apps or methods you use doesn't matter, as long as you have the option to undo the changes without having to manually dig out a bunch of registry changes or waste time manually deleting hundreds of files.
dw2108,
Using SSM only is a bad idea. At the very least, add a good firewall, one that can control the internet access of system components. There's no reason for a user to lower the firewall, especially during an update or install. Software installs and updates are when your system is most vulnerable. If anything, that's the time to have all your defenses running. If an installer wants me to shut down my firewall, I want to know why.
Rick
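Two posts above describe the same technique from different tools: yankinNcrankin uses TinyWatcher to spot newly created files and registry entries that should not be there, and herbalist records every install with InCtrl5 and undoes unwanted registry changes from batch files. The script below is an added example of that baseline-and-compare approach, not code from the thread, from InCtrl5 or from TinyWatcher: it snapshots a directory tree by content hash plus a registry-style mapping before and after a simulated install, reports what was added, removed or changed, and flags changes in locations an ordinary application has no business touching. The file tree and registry dictionaries in demo() are constructed sample data, and the WATCH list is an assumed, illustrative set of sensitive locations.

```python
"""Baseline-and-compare check for an install: snapshot files and registry-style
values before, again after, and report what the installer added, removed or changed.

Added example, not code from the thread or from InCtrl5/TinyWatcher.  The file
tree and registry dictionaries built in demo() are constructed sample data, and
WATCH is an assumed list of locations worth a second look.
"""
import hashlib
import pathlib
import tempfile


def snapshot_files(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    root = pathlib.Path(root)
    state = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def compare(before, after):
    """Generic diff of two mappings; used for both the file map and the registry map."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def suspicious(report, watch_prefixes):
    """Return (kind, entry) for added/changed entries under a watched prefix.
    Registry entries are (key, value name) tuples; files are relative paths."""
    hits = []
    for kind in ("added", "changed"):
        for k in report[kind]:
            key = k[0] if isinstance(k, tuple) else k
            if any(key.lower().startswith(w.lower()) for w in watch_prefixes):
                hits.append((kind, k))
    return hits


# Assumed watch list: system binaries plus the classic autostart locations.
WATCH = [
    "Windows/system32",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
]

WINLOGON = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell")
RUN_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "froop")


def demo():
    """Constructed scenario: a 'froop.exe' installer that also drops a DLL into
    system32, replaces a system file and adds two autostart entries."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        sys32 = root / "Windows" / "system32"
        sys32.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"original kernel32")
        (root / "Program Files").mkdir()
        reg_before = {WINLOGON: "explorer.exe"}
        files_before = snapshot_files(root)

        # --- simulated installer run ---
        (root / "Program Files" / "froop").mkdir()
        (root / "Program Files" / "froop" / "froop.exe").write_bytes(b"MZ froop")
        (sys32 / "hooks.dll").write_bytes(b"MZ hook")              # dropped into system32
        (sys32 / "kernel32.dll").write_bytes(b"patched kernel32")   # system file replaced
        reg_after = dict(reg_before)
        reg_after[RUN_KEY] = r"C:\Program Files\froop\froop.exe"
        reg_after[WINLOGON] = "explorer.exe, froop.exe"
        files_after = snapshot_files(root)

        return {
            "files": compare(files_before, files_after),
            "registry": compare(reg_before, reg_after),
        }


if __name__ == "__main__":
    report = demo()
    for area, r in report.items():
        print(area, r)
    print("review these:", suspicious(report["files"], WATCH) + suspicious(report["registry"], WATCH))
```

Hashing rather than checking timestamps is what catches the replaced kernel32.dll, since an installer can set any mtime it likes. The comparison only sees what the running OS reports, so a rootkit that filters directory listings hides its files from it; that is the reason to take the "after" snapshot from a clean boot environment, as the PC-DOS/Ghost setup described earlier in the thread would allow.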
mercurie
March 25th, 2007, 12:04 PM
I agree with the title of this thread... other than that, I am still not yet ready to get rid of the AV and AT. Stuff can happen.
I suppose Cyberhawk and/or SSM could substitute along with router or hardware firewall. :-\
aigle
March 25th, 2007, 02:48 PM
I think many of you are exaggerating the scope of non-signature based applications. HIPS are notorious for popups, and even a single wrong click by the user might be enough, and such a single click is quite possible IMO.
Regarding the FDISR frozen snapshot, OK -- allow a single click on a killdisk virus and it will tear all of the first defence in pieces (never tried on a frozen snapshot but I believe so; have tried on a non-frozen one). FrozenSnapShot/PowerShadow will not stop per-session keylogging. Moreover, I don't want to lose my data on each reboot and I can't be bothered to arrange my data before each reboot. I am on dial-up and I like to keep even my internet history saved for a few days.
I use HIPS, Behaves, sandbox, Restore to Fresh Image etc., all of them, but still I keep running a good real-time AV scanner. It runs in the background without any slowdown, updates in a few minutes and does not hurt me at all. It gives me relief when I click on a HIPS popup that I don't even understand well. I can't google now and then for these popups and don't want to break up OS things while being so paranoid, and I am still safe.
BTW, I do believe that with a single sig-based AV and FW I will be safe, as I do safe surfing. The next thing is privacy... well, let me say I believe there is no real privacy on the WWW, so I don't care so much about that (doesn't mean that I don't care at all).
Mrkvonic
March 25th, 2007, 03:21 PM
Hello,
More spice:
Visiting malware sites, checking drive bys - you need nothing more than FF.
All apps are suspect until proven otherwise - then use virtualization software. Best way to check.
Mrk
cprtech
March 25th, 2007, 04:35 PM
-{ Quote: " ...Or a very good geek friend recommended it - even brought it on the CD for you..." }-
Common sense: obtain software from known, legitimate vendor’s site.
Rasheed187
March 26th, 2007, 08:53 AM
The thing is, whenever you install an app, you never really know if it's malicious or not; that's why signature/heuristics based solutions will always be needed. The problem is that none of the AV/AT/AS tools can identify all malware, so I did lose some confidence in them. Nevertheless, I still scan files over at VirusTotal, at least if they are under 5 MB.
But normally speaking, when you do a bit of research and download an app that is more widely known, the chances of it being malware are slim. A second thing you can do is to execute it in a virtual machine and see how a certain tool behaves. Of course I know that more advanced malware can try to act "legit" on a VM, but from what I've read, most malware won't run at all inside a VM.
Also, a HIPS (on a VM or real machine) can notify you of suspicious behavior; for example, a simple text editor that wants to install a service/driver is strange stuff. But there are a lot of other apps that need to do suspicious stuff in order to work correctly, and if you trust them you will allow it. But I guess as long as your PC isn't acting strangely, you haven't really got anything to worry about. :shifty:
Rasheed187
March 26th, 2007, 09:06 AM
Btw, currently I'm only using 2 realtime protection tools, namely ZA Pro and SSM Pro. A HIPS like SSM can of course save you from zero-day/drive-by attacks; that's the main reason why I'm using it.
I haven't been using an anti-malware scanner (realtime/on demand) for almost a year now. And that's because the only 2 apps that I'm interested in are not really good enough based on my criteria. AntiVir gets on my nerves, and KAV is too expensive, plus it can make the system a lot slower.
I'm also not doing any on-demand scans; they take way too long, and if my PC isn't acting strangely I don't see the need to do this. However, I do monitor my PC with tools like Process Explorer, Pserv, RK Unhooker etc. Perhaps I will also add Tiny Watcher to my setup; it certainly does look interesting. ;)
Franklin
March 26th, 2007, 10:02 AM
-{ Quote: "I'm also not doing any on-demand scans; they take way too long, and if my PC isn't acting strangely I don't see the need to do this." }-
Lean, mean, clean and speed is my motto.
C: drive partition is 8 gig in size - XP Pro with Office 2003 components - Word, Excel and PowerPoint.
Sandboxie, PowerShadow, IceSword and PC Tools Firewall as my only security, with Ghost images on the E: partition. A couple of maintenance tools such as CCleaner, PerfectDisk and RegSeeker. Also a hardware firewall, so I only need one of the lightest software firewalls for outbound control.
I have used Bold Fortune's slimming XP guide to get rid of mainly the larger useless files and folders from the C: drive, which now runs at a total of 894 meg of data.
On the rare occasions I do a free online check of the C: drive with KAV or one of the others, it doesn't take long at all to do a scan, which never finds a thing.
PerfectDisk SmartPlacement defrags take around 20 secs and Ghost images around 3 mins, which includes an integrity check.
I can restore from an image in less time than it takes some machines to boot.
D: partition - 120 gig - is where I keep pics,flicks,music and personal stuff.
There is only one other security app I would like to add and that is Defensewall but I only deal in cash or beer and I won't post any bank details online.
The new Neoava Guard sounds interesting but doesn't seem to be released as yet.
Rasheed187
March 26th, 2007, 10:32 AM
The funny thing is, even when I'm using a signature/heuristics based solution, I find myself not completely trusting them, because I know how often AV/AT/AS can't spot/identify malware. So I end up scanning the file at VirusTotal anyway. It got me thinking: why use a scanner in the first place? It does give a bit of peace of mind, but you can never be sure if your scanner is right or wrong. ::)
Btw, I would also like to add a sandbox/virtualization tool to my realtime setup (like BufferZone, Sandboxie and DefenseWall), but I'm afraid they are all not quite good enough.
I do currently use SBIE on demand; it's very handy when you quickly want to check out tools, and if certain tools do not install correctly, it's an indication of how deeply they want to install themselves into the system. It would be cool if you could easily track file/registry changes that a sandboxed tool made; I'm not sure if this is possible yet.
CogitoErgoSum
March 26th, 2007, 11:37 AM
I have been running without an antivirus for the past four weeks and have yet to be infected with anything of consequence. Time will tell over a period of one year. Although I acknowledge the limitations of such scanners, for peace of mind I continue to run an occasional weekly scan with A-Squared, AVG AntiSpyware, CounterSpy v2.0, NOD32 and SuperAntiSpyware. After experimenting with various security applications over the past eighteen months, I have come to the conclusion that, at the very least, a set-up that consists of a software firewall, real-time process memory scanner and application sandbox with little or comprehensive virtualization offers simple, strong and reliable protection. Lastly, I have posted links to articles below that present food for thought regarding the use of antivirus programs.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002695&pageNumber=1
http://prweb.com/releases/2007/1/prweb499085.htm
http://download.microsoft.com/download/3/d/e/3de2470b-ab9a-4a7f-b760-ee2421df294a/WindowsRemovalToolWP.doc
http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,130061744,139263949,00.htm
http://www.eweek.com/article2/0,1895,2040760,00.asp
http://www.businessweek.com/technology/content/jan2007/tc20070122_300717.htm?chan=top%2Bnews_top%2Bnews%2Bindex_technology
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010460
http://www.securityfocus.com/news/11446
http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss407_art803,00.html
Peace & Love,
CogitoErgoSum
cprtech
March 26th, 2007, 12:34 PM
-{ Quote: "The thing is, whenever you install an app, you never really know if it´s malicious or not... " }-
But in eleven years of using a PC and downloading masses of software from known vendors' sites I have never encountered anything malicious this way. So is this a fluke? I don't think so. The only times (2) I've encountered malicious software were when I ventured into warez and P2P territory. Those days are long gone ;)
ErikAlbert
March 26th, 2007, 03:22 PM
-{ Quote: "
Regarding FDISR frozen snapshot, ok-- allow a single click on killdisk virus and it will tear all of the first defence in peices( never tried on frozen snapshot but I believe so, have tried on non-frozen one). FrozenSnapShot/ PowerShadow will not stop per session keylogging. Moreover I don,t want to loose my data on each reboot and I can,t bother to arrange my data before each reboot. I am on dial up and I like to keep even my internet history saved, for few days.
" }-
I don't use a frozen snapshot to protect my computer against malware.
I use a frozen snapshot to REMOVE all possible malware, because scanners can't do that. Scanners give you only a reassuring psychological message, "Congrats, your computer is clean", to comfort your mind, but that doesn't mean your computer is clean.
I still need a group of security software in my frozen snapshot to save the day, because a frozen snapshot is unable to do this.
As I said so many times, separate problems from one another if you want to solve them.
Pedro
March 26th, 2007, 03:51 PM
froop.exe is analysed by Prevx1, if not flagged by heuristics then maybe by the community, and then cleaned if malware (since it monitored all events, or hopefully).
DefenseWall and Sandboxie are there to give the user control. I install and save what I want, nothing else.
And of course, what's the fun without some HIPS? At least execution protection; it's oh so cool ;D
I think SSM installed on a clean computer can be of good help; it would function as an alarm. It's up to you to see if there are burglars, not SSM.
Even cooler is trying to set up "Linux", but that's another chapter.
Devil's Advocate
March 27th, 2007, 03:36 AM
-{ Quote: "Common sense: obtain software from known, legitimate vendors site." }-
I'm sure everyone here at Wilders does that, right?
Nobody ever runs off and tries some new cool HIPS or app that someone just posted, right?
Of course there is VMware and spare machines for all that....
Honestly, these days I'm not really worried that someone will hack me from the outside. You will have to do some silly stuff for that to happen.
I'm not too worried about being nailed by some browser exploit or something either, but I suppose if I were, I would run it sandboxed.
Realistically speaking, I think for me the greatest threat is that I go download and install some new software (or even a new upgrade) that turns out to be compromised. Sure, I know I'm supposed to run it in VMware or something, but sometimes I'm lazy, and sometimes even running it in VMware does not give you an indication something is wrong.
E.g. if the software is actually a rootkit, you could run it in your VM for weeks without noticing anything is wrong, then you decide not to mess around further as it's 'safe' and install it on your real machine...
So yeah, I could foresee going without AV, but it would take some work.
1) Sandbox all internet facing software.
2) Run all software that isn't from a reputable known company in VM.
That would handle the bulk of the threats really. SSM/Sensiveguard and all that is really for the paranoid, who want to handle cases where somehow someone breaks through and starts running stuff, deleting/replacing your files etc. And even then as many have pointed out, it depends on the user being able to realise something is wrong.
Kees1958
March 27th, 2007, 07:40 AM
Devil's Advocate,
My son turned out to be a gamer and a script kiddy. He strolled the internet and when he could break in to someone's PC he left a message "your friendly hacker was here, close port 9999". I only found out when he hacked the wrong guy and that guy decided to return the favour. At that time my wife was working on her PC with only Windows firewall and AVG-free antivirus. Maybe because he found an encrypted folder (software provided by her work), he formatted the harddisk.
So yes I became paranoid, with a hardware firewall, DefenseWall sandbox, SSM and SensiveGuard for an extra second and third defense layer and external harddrive for backups/recovery.
My wife is an HR-advisor and has confidential data on her PC occasionally when she works at home. These documents and the loss of photos made me careful (maybe paranoid). I know script kiddies cannot break in, I still think professional hackers will find a way in. My son is only allowed to game now, so I do not think he could spring off somebody's anger to return favours.
Her PC is completely 'sealed' with SSM UI disconnected, SensiveGuard denies or allows, does not ask, DefenseWall is quiet by nature, so I am not worried about a 'shoot in the foot' decision of the PC-user.
Regards K
Rasheed187
March 27th, 2007, 07:56 AM
@ CogitoErgoSum
In the past few years I've read almost all of these articles, and it really makes you wonder if it's worth paying money for signature scanners. I mean, even if the best scanners may identify 80% of all malware in the wild, there is still a chance they might miss something. ::)
@ cprtech
I agree, like I said before, when you don't download cracks and do a bit of research before downloading stuff, normally you shouldn't have any problems. I have also downloaded quite a few apps in the last few years and I don't think that I have ever encountered malware.
@ DA
Yeah, you never really know for sure if an app is malicious or not, when you think about it, it's almost ridiculous the way the whole system works. Would be cool if someone could build a non-infectable OS. Of course this is not possible due to the nature of software, I think.
But perhaps in the future, virtualization technologies integrated into the OS can make computer life a lot easier and safer. What if you could split your OS into various sandboxes and could switch to another "OS sandbox" in only seconds? So you could run a new videogame in a sandbox and even if it's malicious it wouldn't be able to hurt your real system.
Ilya Rabinovich
March 27th, 2007, 09:23 AM
-{ Quote: "But perhaps in the future, virtualization technologies integrated into the OS can make computer life a lot easier and safer. " }-
Vista already has it. And I need to say, this makes the OS more vulnerable. Why? Because I may modify kernel32.dll and it will be stored within the VirtualStore folder and used by other low-privileged programs (that is the default working mode). Or wininet.dll. And you won't see it, because it is stored not within the folder you look at.
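A defender's check for the VirtualStore behaviour Ilya describes above, written as an added example (not code from the thread or from any vendor mentioned in it): it walks the current user's VirtualStore, maps each virtualized file back to the real path it shadows, and hashes both so that a virtualized DLL that differs from the system copy stands out. It assumes the standard %LOCALAPPDATA%\VirtualStore layout, that only the system drive is virtualized, and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example: audit UAC file virtualization redirects (not from the original post).
# Assumption: virtualized writes land under %LOCALAPPDATA%\VirtualStore\<path from the
# system drive root>, so VirtualStore\Windows\System32\x.dll shadows C:\Windows\System32\x.dll.

$virtualStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$systemDrive  = $env:SystemDrive + '\'   # e.g. 'C:\'

if (-not (Test-Path -LiteralPath $virtualStore)) {
    Write-Output "No VirtualStore folder for this user; nothing has been virtualized."
    return
}

Get-ChildItem -LiteralPath $virtualStore -Recurse -File | ForEach-Object {
    # Strip the VirtualStore prefix to recover the path the program believed it wrote to.
    $relative = $_.FullName.Substring($virtualStore.Length).TrimStart('\')
    $realPath = Join-Path $systemDrive $relative

    $status = 'orphan (no real counterpart)'
    if (Test-Path -LiteralPath $realPath) {
        # Compare the shadow copy with the protected original; a mismatch on a .dll
        # means low-privilege code in this profile loads something other than the
        # file the administrator sees in the real folder.
        $realHash    = (Get-FileHash -LiteralPath $realPath -Algorithm SHA256).Hash
        $virtualHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $status = if ($realHash -eq $virtualHash) { 'identical copy' } else { 'DIFFERS from real file' }
    }

    [PSCustomObject]@{
        VirtualizedFile = $_.FullName
        ShadowsPath     = $realPath
        Status          = $status
        LastWrite       = $_.LastWriteTime
    }
} | Sort-Object Status | Format-Table -AutoSize
```

Entries marked "DIFFERS from real file" with a .dll extension are the ones worth examining; run it once per user profile, since each user has a separate VirtualStore.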
Rasheed187
March 27th, 2007, 10:31 AM
@ Ilya
Of course I am hoping that this new OS virtualization will be very robust, it should not be easily exploitable, no Blue Pills and stuff. And I'm not talking about Vista's virtualization, I'm talking about stuff like Xen and Virtuozzo. Of course I'm hoping that this technology will be improved in the coming years, it should become faster and more secure. But 100% security doesn't exist, all tools have their flaws. ::)
http://www.swsoft.com/en/virtuozzo
http://en.wikipedia.org/wiki/Xen
ejr
March 27th, 2007, 10:44 AM
-{ Quote: "I agree totally.
@dw2108
The flaw isn't ssm, but the user. SSM will detect the manipulations, trick is for the user to not allow them." }-
I agree as well. In fact, the real computer savvy users can get away with minimal to no protection.
Unfortunately, I do not fall into that category and I am looking for the maximum protection that puts the least number of decisions in my hands and at the same time makes the right decisions and allows functionality of the machine without too much of a drain on resources.
Seer
March 27th, 2007, 11:30 AM
Hi.
-{ Quote: "originally posted by Mrkvonic:
So I'm wondering at what point will you decide that HKLM\entry1 is malicious and HKLM\entry2 is not. And whether some inline or V12 hook is doing naughty stuff beneath the hood. And so forth." }-
If I don't know what these entries are, I will naturally allow them (because I usually allow everything during installations, so why not now), and I will get infected. My system is dead and I feel like an idiot. So I am taking my backups and I am restoring my system and my data, end of story. But getting infected has another purpose besides the obvious negative one: I am one step higher on a learning curve. I have learned my lesson, and I am twice the wiser man now (well, assuming that I was reasonably intelligent initially). I know now what HIPS is and what kind of havoc it can summon if I don't learn how to use it properly. I am starting to read about security and to learn more. I find Wilders and register with it and learn some more. And of course, I am still learning, this is a perpetual process, and no matter how savvy I am, there is a fair possibility that some hideous monster, unknown yet to mankind, can destroy my system any minute (there are unknown monsters in the wild). Now, I'm not saying that the learning curve has to be a path covered with thorns, this is of course the hard way. But I believe that we all have a horror tale to tell, whether it is out of personal or second-hand experience.
Greets.
Mrkvonic
March 27th, 2007, 12:07 PM
Hello,
Horror as in computer-related. No. I don't have any.
The worst thing that happened is when I dropped a PC monitor on my foot.
Kees, getting hacked does not work by magic.
Mrk
lodore
March 27th, 2007, 03:24 PM
-{ Quote: "Hello,
Horror as in computer-related. No. I don't have any.
The worst thing that happened is when I dropped a PC monitor on my foot.
Kees, getting hacked does not work by magic.
Mrk" }-
Yup, you're right, hacking doesn't happen by magic.
I've had nothing that needed to be blocked by my software firewall ever since I got a firewalled (NAT) router.
Seer
March 27th, 2007, 03:32 PM
Hi there.
-{ Quote: "originally posted by Mrkvonic:
The worst thing that happened is when I dropped a PC monitor on my foot." }-
Quite, that's not classical horror, it's more of a gore-fest. ;D
Cheers.
Seer
March 28th, 2007, 12:21 PM
Hello Mrk.
Here's (http://www.wilderssecurity.com/showthread.php?p=972835) a real-life example from my post #50. That's a classical horror story... The lesson is learned there, that's what's important. :)
Regards,
Mrkvonic
March 28th, 2007, 12:43 PM
Hello,
No that's not the same thing.
Here you have a hardware driver vector - ahead of the firewall - with a vulnerability. Not what I was aiming at. But we'll discuss this later. I gotta go play UFO: Enemy Unknown... such a sweeping old goldie...
Mrk
Devil's Advocate
March 30th, 2007, 10:00 PM
-{ Quote: "@ CogitoErgoSum
In the past few years Iīve read almost all of these articles, and it really makes you wonder if itīs worth paying money for signature scanners. I mean, even if the best scanners may identify 80% of all malware in the wild, there is still a chance they might miss something. ::)
" }-
Is the chance bigger than you installing some new product, and clicking yes to prompts from HIPS blindly when it installs?
Devil's Advocate
March 30th, 2007, 10:13 PM
-{ Quote: "Devil's Advogate,
So yes I became paranoid, with a hardware firewall, DefenseWall sandbox, SSM and SensiveGuard for an extra second and third defense layer and external harddrive for backups/recovery.
" }-
Yes I know. It's pretty funny how you can spot people who have been hacked before just by their postings. Some have even been hacked twice! But then again, some people are just paranoid by nature.
-{ Quote: "
I know script kiddies can not break in, I still think professional hackers will find a way in.
" }-
That's the problem with the forum here. The whole premise of most setups here is to stop some unknown super hacker, which is unrealistic.
Could the world's best hacker get through Hardware firewall, software firewall, SSM, Defense wall, a couple of scanners, etc ? Sure since we are postulating almost infinite skill and resources. He would probably start first by taking a very very close look at these products....
Most security professionals don't aim for this level of protection at least for their personal setups.
If you really want to *start* aiming at this unreachable target, the correct method isn't to pile on as many security products as you can think of, move from product to product based on hearsay, or even reason on some high level model on threatgates or whatever (though that is necessary but not sufficient). For those of you "testing" by running malware (rootkits are popular because they are perceived to be high tech), that's even dumber, that's just blind hammering. Obviously you are going to pass, since they are not targeted.
Want to really *try* to meet this unrealistically high level of security? Acquire the source of what you are using, review the code for flaws. The hypothetical super bad guy who is out to get you will do that. Nothing else will suffice.
Mrkvonic
March 31st, 2007, 03:04 AM
Hello,
Some fair points there, DA.
Cheers,
Mrk
EASTER.2010
March 31st, 2007, 06:12 AM
Matters not IMO and besides how many peeps actually have physical access to the genuine trademark/copyright code of microsoft systems?
Some vendors no less have negotiated with $M enough to offer reasonable protection for end-users in general and programmers in particular, but then you are hypothetically suggesting the opposers who construct malware have adequately dissected windows O/S from various tools to possess that capability which in that case i would have to agree to a point.
But then in all their efforts isn't that really a moot point and useless given the "numbers"? Tell me. There is far more attention focused AGAINST those types of efforts now than the opposite than ever before. Anyone, including a noob, can confirm that in spite of the many who still regularly get hacked or exploited.
-{ Quote: "That's the problem with the forum here. The whole premise of most setups here is to stop some unknown super hacker , which is unrealistic. " }-
Valid assumption but unrealistic?
Maybe, maybe not.
Most here do fashion a Super setup (me included), AGAINST just that possibility of some super hacker(s) as you say, who I see are really talented programmers and have already proven quite capable to trump most (not all) security programs.
But how long does their version last and can they crack thru "ALL" HIPS?
I know you and I don't look thru the same spectacles on many issues DA, but you do bring up some very worthwhile points to consider realistically, of that I won't be brash and deny.
If I read you right your main point of contention (even with me) is that piling on security programs is not in reality useful, of that I have to disagree for the very reason that it is all too simple to exploit windows vulnerabilities given the fact that microsoft (by design) leaves holes in each version deliberately exploitable enough to compromise.
But you have to look at the whole picture here. If they didn't, then that would not open the door for talented people to exercise either their training or skills to fashion all these safety programs we enjoy today.
I can't make it simpler than that and I do believe that you are wise enough to see this comparison in the same light without resorting to some defensive posture that I don't know what I'm talking about.
Meriadoc
March 31st, 2007, 07:32 AM
-{ Quote: "Want to really *try* to meet this unrealistically high level of security? acquire the source of what you are using, review the code for flaws. The hypothetical super bad guy who is out to get you, will do that. Nothing else will suffice." }-
I know what you are trying to convey here but still as this maybe okay for you(?), me or whoever else here, that is just an unobtainable notion to most who either rely on an av scanner, or just pile on the defence to try and cover everything usually overlapping their protection with claws into every instruction.
-{ Quote: "That's the problem with the forum here. The whole premise of most setups here is to stop some unknown super hacker , which is unrealistic." }-
But that's where this forum can help with knowledge and a decent discussion :).
-{ Quote: "For those of you "testing" by running malware (rootkits are popular because they are perceived to be high tech), that's even dumber, that's just blind hammering. Obviously you are going to pass, since they are not targetted." }-
Rootkit 'perception' doesn't come into it, it's another malware but different. From my view, I don't understand the rest of your statement :).
BlueZannetti
March 31st, 2007, 07:43 AM
A caution to all - let's keep individuals out of the discussion and focus exclusively on technical matters.
That said, I do think that the mythical superhacker mentioned above factors much too strongly into many users' approach to security.
One can view it from a realistic/unrealistic angle, from a perspective of aggressively diminishing returns, or from a perspective of maintaining operational stability of the computer. It doesn't matter which perspective you employ, the end result is the same: implementing a security solution which accommodates all extant, conjectured, and hypothetical approaches without providing for any filtering with respect to perceived likelihood of occurrence or magnitude of impact begs for problems worse than the threat being supposedly turned away.
One must certainly be prudent on the net, perhaps we should also add that a touch of parsimony in implementing security measures is also warranted. The ongoing discussion should be what's a reasonable balance in between prudence and parsimony...
Blue
EASTER.2010
March 31st, 2007, 08:04 AM
-{ Quote: "A caution to all - let's keep individuals out of the discussion and focus exclusively on technical matters.
That said, I do think that the mythical superhacker mentioned above factors much too strongly into many users' approach to security.
One can view it from a realistic/unrealistic angle, from a perspective of aggressively diminishing returns, or from a perspective of maintaining operational stability of the computer. It doesn't matter which perspective you employ, the end result is the same: implementing a security solution which accommodates all extant, conjectured, and hypothetical approaches without providing for any filtering with respect to perceived likelihood of occurrence or magnitude of impact begs for problems worse than the threat being supposedly turned away.
One must certainly be prudent on the net, perhaps we should also add that a touch of parsimony in implementing security measures is also warranted. The ongoing discussion should be what's a reasonable balance in between prudence and parsimony...
Blue" }-
Couldn't have said that any better.
Meriadoc
March 31st, 2007, 08:22 AM
BlueZannetti:
-{ Quote: "One can view it from a realistic/unrealistic angle, from a perspective of aggressively diminishing returns, or from a perspective of maintaining operational stability of the computer...problems worse than the threat being supposedly turned away.
" }-
Exactly.
-{ Quote: "One must certainly be prudent on the net" }-
Wise words. One certainly must be careful and sensible.
Devil's Advocate
March 31st, 2007, 08:46 AM
-{ Quote: "I know what you are trying to convey here but still as this maybe okay for you(?), me or whoever else here,
" }-
Actually if we are talking really about defending against the mystical super hacker, I doubt if 1 in a million programmers are qualified to review the source and to ensure that it is okay. It takes more than just knowing how to code to do this properly. Even those who are qualified don't do this for their own individual use, since it takes too much time and effort.
Not that they are unaware of their vulnerability to superhacker variety of attacks, but rather they wisely realize the cost/benefit ratio makes it pointless to worry.
On the other side, they know that common untargeted attacks are fairly easy to foil. That is *why* they don't run so much security. (Another reason is that simple setups are easier to analyse for flaws.)
There's this myth that the very knowledgeable people can protect themselves a lot better than say the average regular wilders member here hence they run so little.
I submit this is false. The average regular wilders member here knows enough to get by with very little really, leaving aside paranoia.
In terms of knowledge protecting you from common malware, beyond a certain point there isn't much difference between an expert of say the caliber of ever popular Joanna Rutkowska of blue pill fame and most people here. Both can protect themselves almost equally well.
The expert faces the same threats as people here, with exactly the same options - save maybe one which is not used as often as you might think.
Against the mystical super hacker most experts are equally vulnerable, but they don't worry about it and neither should you.
-{ Quote: "
that is just an unobtainable notion to most who either rely on an av scanner, or just pile on the defence to try and cover everything usually overlapping their protection with claws into every instruction.
" }-
They can do it, heck I do it! I'm just pointing out that most people have defenses that are too good against the most common threats (that they face and should worry about), while at best having no idea if all that software really helps against the ultra-rare super hacker scenario.
-{ Quote: "
But that's where this forum can help with knowledge and a decent discussion :).
" }-
I really don't see how this is going to help. Short of us spending 5-10 years learning and gaining experience on how to do a proper security code review, how does more discussion help?
We can discuss on the high level what the different security programs do, this can be grasped by anyone, but that won't help if you want to know if you are hackproof from a super hacker capable of targeting software.
EASTER.2010
March 31st, 2007, 09:11 AM
-{ Quote: "Against the mystical super hacker most experts are equally vulnerable , but they don't worry about it and neither should you." }-
Not only some "mystical hacker" but lest we forget, even some commonly acceptable commercial vendors can sometimes produce their own form of let's say, a hack, but in essence was meant to deter copyright infringement. Results are the same though, entry was made easily.
Speaking specifically of Sony's ordeal and most notably Mark Russinovich of Windows Internals caliber.
Devil's Advocate
March 31st, 2007, 09:21 AM
-{ Quote: "Matters not IMO and besides how many peeps actually have physical access to the genuine trademark/copyright code of microsoft systems?
" }-
I guess you never heard of reverse engineering? Nobody ever said securing against a superhacker is going to be easy.
-{ Quote: "
Anyone, including a noob can confirm that in spite of the many who still regularly get hacked or exploited.
" }-
People like you seem to think that windows exploits are a dime a dozen.
That's true to some extent, but it takes some skill to find them, particularly if we are talking about really *critical* ones (I find a large number reported actually can't do much without the user doing something first), and people who find them don't just use it at the drop of a hat, they hoard it and use it only when needed against high value targets.
The noobs who get infected typically do so because of their own mistakes/social engineering OR they don't patch and they get hit by some script kiddie who reuses an exploit that was released. Of course to them, they can't tell the difference (most people don't know how they got hacked, or wouldn't be able to find out), so you can blame super hackers using super exploits if you like. Much better than admitting one is stupid or lazy.
-{ Quote: "
Most here do fashion a Super setup (me included), AGAINST just that possibility of some super hacker(s) as you say who i see are really talented programmers and have already proven quite capable to trump most (not all) security programs.
But how long does their version last and can they crack thru "ALL" HIPS?
" }-
Your question shows you still don't get it. They don't mass produce "versions".
This isn't a guy releasing worms and having to keep up with AVs as they respond. They know of a weakness you don't and you can happily go about your day working on all sorts of things, without knowing you have a critical weakness. If you don't know a problem exists, it will continue to exist unless you change it by accident.
I grant you that most super hackers probably don't give a damn about beating HIPS since they are not popular, but I have no doubt if one of them decided to look at it, they will start finding stuff, particularly since we are talking about products that have not been subjected to scrutiny of any amount. This btw isn't hypothetical.
-{ Quote: "
I know you and i don't look thru the same spectacles on many issues DA but you do bring up some very worthwhile points to consider realistically, of that i won't be brash and deny.
" }-
Really? You seem to deny everything.
-{ Quote: "
If i read you right your main point of contention (even with me), is that piling on security programs is not in reality useful, of that i have to disagree for the very reason that it is all too simple to exploit windows vulnerabilities given the fact that microsoft (by design), leaves holes in each version deliberately exploitable enough to compromise.
" }-
Leaving aside the paranoia about deliberate exploits, if you worry about that, use *one* of the tools, sandbox, HIPS, whatever. Maybe two, tops. Not ALL of them.
If you are postulating a guy who is going to take the trouble to target you and with enough skill to beat one of your HIPS, you bet your ass, he will do it even if you have two or three.
-{ Quote: "
I can't make it more simpler then that and i do believe that you are wise enough to see this comparison in the same light without resorting to some defensive posture that i don't know what i'm talking about." }-
Actually, it's clear to me you don't know what you are talking about. I'm not saying it to be malicious. But you have a habit of stating things with 100% certainty even when it's wrong. Have you considered you don't know as much as you think you do?
I recommend you read a recent journal article that BZ posted.
Meriadoc
March 31st, 2007, 09:23 AM
-{ Quote: "Even those who are qualified don't do this for their own individual use, since it takes too much time and effort. " }-
Yes, but speaking for myself it isn't for individual use.
-{ Quote: "Against the mystical super hacker most experts are equally vulnerable , but they don't worry about it and neither should you. " }-
??? I don't worry about it.
-{ Quote: "I really don't see how this is going to help. Short of us spending 5-10 years learning and gaining experience on how to do a proper security code review, how does more discussion help?" }-
again,
-{ Quote: "The whole premise of most setups here is to stop some unknown super hacker , which is unrealistic." }-
...you don't think you are helping by pointing things out?
Devil's Advocate
March 31st, 2007, 09:23 AM
-{ Quote: "Not only some "mystical hacker" but lest we forget, even some commonly acceptable commercial vendors can sometimes produce their own form of let's say, a hack, but in essence was meant to deter copyright infringement. Results are the same though, entry was made easily.
Speaking specifically of Sony's ordeal and most notably Mark Russinovich of Windows Internals caliber." }-
And you think your HIPS would have stopped it? Most likely you would tell your HIPS not to bother with prompts when it installed and there it goes...
Devil's Advocate
March 31st, 2007, 09:30 AM
-{ Quote: "Yes, but speaking for myself it isn't for individual use.
??? I don't worry about it.
" }-
It was more a universal "you" to people who believe that one of their duties should be to worry about that. Clearly you know better.
-{ Quote: "
...you don't think you are helping by pointing things out?" }-
Not if people don't want to accept it. :)
It's futile really, people need a reason to play with their tools. So they overestimate the risk of such attacks and/or their ability to guard against it.
EASTER.2010
March 31st, 2007, 09:41 AM
-{ Quote: "It's futile really, people need a reason to play with their tools. So they overestimate the risk of such attacks and/or their ability to guard against it." }-
Some food for thought no doubt.
So one might be to a point of full agreement with that when accented especially by the single term of "overestimate", (me included), that is if not for the scope of the full picture (from past experiences) which also affords us just the opposite POSSIBILITIES, as in "underestimate".
Meriadoc
March 31st, 2007, 09:46 AM
-{ Quote: "It was more a universal "you"" }-
;)
-{ Quote: "Not if people don't want to accept it. " }-
But you are discussing your point and some people are digesting by just reading :).
-{ Quote: "It's futile really, people need a reason to play with their tools. So they overestimate the risk of such attacks and/or their ability to guard against it." }-
Yes that is the learning curve for some, but hopefully they'll get there in the end.
Pedro
March 31st, 2007, 11:22 AM
Not taking any sides here, note. But a HIPS could help avoiding an attack from some hacker. Is it still vulnerable? Sure, but that's the whole problem with software, we agree on that. For the sake of discussion:
HIPS can detect buffer overflows, code injection, process modification, termination, etc.
What does it not cover, that hackers could do? Feature wise first, then flaws if you want. Because unless we address this, the discussion is going nowhere, and I ain't gonna learn!
BlueZannetti
March 31st, 2007, 12:05 PM
Let's get back to the topic posed by the subject question: Why cure when you can protect? It's really a rather different topic than the prophylactic (and no, I'm not indirectly referring to the topic of this (http://www.wilderssecurity.com/showthread.php?t=170173) thread, so no need to raise that...) administration of multiple measures to combat conjectured malware problems. In the original post, protect means implementation of measures such as a sandbox/process monitor/firewall/datawall while cure seems to refer to a classical AV type of monitoring solution.
There's really a couple levels at which to examine this.
First, many of the more powerful commercial prophylactic protection add-on measures (notification based HIPS) simply cannot be effectively administered by the bulk of the user base. The ones that I'd generally consider as suited for the mainstream user base (say PrevX, Online Armor, AntiExecutable; and there are many others) may have a substantial gap with respect to a user assessing whether specific downloaded content is malware or not. Note, that doesn't mean these tools don't have a place on people's machines. Each of these programs has a different approach to dealing with the shortfall mentioned, but all ultimately rely on a "curative" measure akin to a classical AV as final diagnostic tool of record. It may be the community based/analyst validated white/black list of PrevX, the associated AV in Online Armor + AV, or the vendor recommendation to combine their product with a classical AV in the case of AE.
Second, current implementations of classical AV's do not juxtapose cure versus protection where the implied concept behind protection is "anticipatory action" as opposed to pure post-event reaction. The realtime monitor of classical AV's is on-access. If a file is flagged, it is before any cure is needed. They can also act after the fact, although performance in this regime is mixed. Protective measures act in the same way. A user determines on-execution whether or not to allow a specific process in the same way a classical AV renders an on-access assessment. The difference resides in the explicit need for user provided approval for a preventive measure while this is automated and based on blacklisting with a classical AV. If the process starts to perform specific actions, there may be some follow-up interaction with a protective approach. Unfortunately, unless the user has an advanced understanding of program operation, actions taken after the initial allow/block of execution are perfunctory operations at best and system destabilizing at worst. Note, it is extremely unlikely that a novice user employing the specific programs that I mention above will destabilize their system - these products are designed to minimize that eventuality.
If one accepts the above brief analysis, an obvious couple of questions would be why these products exist, are they useful, and are they absolutely needed by everyone?
Let's take the questions posed in order. Why do these products exist? Basically, they exist for a couple of reasons. First, they fill gaps that may develop in a classical AV. Generally, those gaps are highly time dependent, but, in principle, they can exist. Furthermore, classical AV's respond to threats by varying degrees, at varying rates, and to varying degrees of comprehensiveness. By extension, the time dependent gaps vary in a similar fashion. Are these gaps important? That depends on the user and their usage style.
Are these products useful? In many cases, yes. Like any tool, you do need some rudimentary understanding of its function to beneficially use it. They can be useful as second tier coverage to plug the time dependent gaps that occur with all products. In addition, on occasion, every AV program that I've used has encountered problems. At times it has been a failed update that did not self-correct, at times it has been lack of availability of the update server. This shortfall is not always immediately apparent. These applications do provide a level of safeguard against this eventuality. They tend to be useful in this role since, by design, they tend to be compatible with the AV application (as opposed to attempting the same end result by installing a second AV product).
Are these products absolutely needed by everyone? Of course not, although that answer applies to all security software when you get down to it. On the home machines that I don't personally use, I have more or less settled on one level of secondary protection since I don't verify that everything is working on a frequent basis. In some cases, this may have been a useful bit of insurance to have (e.g. when an AV updater went south for a few weeks) even though this second level was not called to jump into action. What people don't really need is backup for the backup, backup for the backup's backup, or a regime where they effectively re-approve their last explicit approval a couple of times over.
Finally, all the eventualities covered by protective applications require code to be realized. Malware is not acquired by passive osmosis. That code has a signature. That signature can be quantified and dealt with via classical AV's. One might presuppose that protective programs are vastly superior to classical AV's in that signatures are not required, but in a fashion they are. How does a user know how to respond to an alert? If you download content from a public website that, for example, purports to provide you with something you really want - let's say you're a weather freak and it's the latest hook into the Weather Service feeds - how do you know it does that and simply doesn't, on installation, start a process to upload personal files to an Internet based server for later harvest? Are you able to review a disassembly of the executable code and figure out that it is programmed as advertised? I'm not, but I will place some measure of faith in those who are.
Blue
EASTER.2010
March 31st, 2007, 12:14 PM
-{ Quote: "Feature wise first, then flaws if you want. Because unless we address this, the discussion is going nowhere, and i ain't gonna learn!" }-
Good point Pedro and well put i might add.
If we focus strictly on the title for this topic my answer would be a resounding YES.
The problem (to use as an analogy i choose AAW) is it was signature based just like anti-viruses and samples need to be constantly collected then transferred to the server.
A lot of legwork and tremendous pursuit is poured into those efforts and the end results always turn out the same, that is someone's system still gets compromised to the point that even more time and effort is required in tracking down, then removing the intrusion, "OR" guiding a user (forums) fully thru to returning the system to as close a normal operation as it was before.
I was told by a very good programmer who designed one of the CWS fixes that those alternative (Fixes) had reached a state where 100% removal via those methods was unrealistic, mainly due to too many registry modifications plus modifications to the policies XP was gifted with.
You use an AS.
It's detected an identifiable threat and alerts to the same.
It proceeds to remove the threat by well-conceived automation.
The threat either seizes up the scanner or constantly crashes the program or the O/S itself refuses to respond to the boot up signal.
Enter HijackThis or another registry detector MAYBE if you can reach SafeMode.
Looks bad, won't go away, have tried everything floating that the AntiSpyware scanners offer, but wait a minute! We now have a fix!
Run fix, problem solved, or is it?
The answer to all that frustration/lost time etc. IMO is to, as the title of this Topic states is to PROTECT! before the fact.
I just so happen to have found thru much experience and confirmed right here in this forum as well as many others, and also after a great deal of local research myself that HIPS is the PROTECT; and most you'll find would much rather deal with a PROTECT factor than go thru the dreaded CURE phase which can't with any real certainty guarantee 100% restoration before the fact.
So with that conclusion folks, i hope to have added a little something of interest that others will no doubt relate to.
Mrkvonic
March 31st, 2007, 12:30 PM
Hello,
Easter, you have skipped a huge, huge part that precedes your bolded section.
AS detects an identifiable threat...
Wait!!!
How come? Where and why?
Why would you have a threat on your machine? Why?
How does the threat come on? The answers are:
Automated process - exploit - which if you do not use MS crapolla is zero.
Deliberate execution - which is what the user decides to do. And here's the key.
If the user wants to run a program, he will - regardless of what anyone tells him, regardless of the HIPS.
Because process X trying to write to HKLM\Spartacus is no different than process Y trying to write to HKLM\Brain of Nazareth. And from the OS point of view, they really are the same.
So, HIPS is not PROTECT. It is INFORM.
PROTECT is limiting the user from doing harm. That is protect. You do that by giving the user least choice to make the wrong decision - or any decision - and given a decision - the least systemwide impact.
Here, the key is limited environment with full productivity - Linux. In Windows, the best PROTECT you can have is pure knowledge. And if you are a lazy person, an imaging software to quickly undo unwanted changes to the OS, for whatever reason.
Mrk
EASTER.2010
March 31st, 2007, 12:42 PM
-{ Quote: "So, HIPS is not PROTECT. It is INFORM." }-
Disagreement! HIPS programs of choice (mostly) are not fashioned only to inform but are designed to also SUSPEND! which in my book also equates to PROTECT! or perhaps one of us interprets a different description from that term than is commonly meant to suggest.
Heck for that matter and i don't know about the rest of you but i found CyberHawk a pretty good TERMINATOR too after given the deny command.
Metal425
March 31st, 2007, 12:47 PM
Agreed, like Prevx1. It has a jail.
Pedro
March 31st, 2007, 01:52 PM
I think HIPS is more of a monitoring tool, and control tool. Also protects, but this is all inside job, covering things already in.
-{ Quote: "
So, HIPS is not PROTECT. It is INFORM.
" }-
Yes, or as IceCzar mentioned, a tripwire. Up to the user to interpret, with some exceptions (Prevx1, CH...)
BlueZannetti: thanks for the post. You sure know how to summarize things.
But regarding my questions, about the usefulness of these tools defending against an attack from some bad hacker, how do you fit that? (i don't even have a clue how anyone could fool a NAT router, lol, but let's get the other scenarios).
I think this is on topic, since this is about the ability to protect.
Mrkvonic
March 31st, 2007, 02:11 PM
Hello,
Easter, if you allow malware - what's protect about that?
If you deny legit stuff - what's protect about that?
HIPS prompts you to take action - that's INFORM in my vocabulary. Up to YOU to make the protect / not decision.
Mrk
EASTER.2010
March 31st, 2007, 02:17 PM
-{ Quote: "I think HIPS is more of a monitoring tool, and control tool. Also protects, but this is all inside job, covering things already in." }-
I like this description best (personal choice). Pretty much sums them up without going into detail even though there is a lot of detail that goes into them, hence why they are quite capable of PROTECT! as you mention, and so much more.
Mrkvonic
March 31st, 2007, 02:41 PM
Hello,
I have yet to see one person - take any of my regular co-workers for instance, people who have never heard anything except Microsoft, IE, Norton, Outlook - handle the simplest of simple HIPSs.
Then, I have to see a single geek getting infected, with whichever setup you choose, Jetico, Outpost, LnS, Comodo, Sygate, BitDefender, Prevx, SAS, Spybot, you name it. It does NOT matter what you run. That's the magic. Once people figure that out....
Like cars. BMW M5 does not make you a driver. It's the other way around. So it comes as no small wonder that when the light turns green I leave cool cars like Mazda 6 or Honda Civic some 500-600 m behind, in a trail of smoke, in my humble rocket '97 Citroen AX.
The same applies to software.
Mrk
BlueZannetti
March 31st, 2007, 02:48 PM
-{ Quote: "BlueZannetti: thanks for the post. You sure know how to summarize things.
But regarding my questions, about the usefulness of these tools defending against an attack from some bad hacker, how do you fit that? (i don't even have a clue how anyone could fool a NAT router, lol, but lets get the other scenarios)." }-Pedro,
These tools don't thwart an attack per se, you do, and therein lies the rub.
Recall how these programs function. They basically filter a set of vendor chosen OS system function calls - the specific calls could be anything from a file open operation, to a process create, you name it. You can assess the specific calls hooked, as well as all of those available, using tools such as Rootkit Hook Analyzer (http://www.resplendence.com/hookanalyzer) or the equivalent.
These programs give you the ability to explicitly approve a current and/or all future occurrences of this operation by a specific program. For example, you determine whether Program X is allowed to execute, be it from a deliberate launch you've just executed, to an autostart operation, to another process launching Program X. If Program X is already running, you can control whether or not it can create or alter a registry entry and so on. Now, the primary problem with this is that oftentimes valid programs were written with the assumption that these operations will be allowed as a matter of course. If some of them start to be blocked, unpredictable results can follow.
Can these tools be used to defend against an attack? Sure, but how does one differentiate between an attack and normal program operation when it involves that neat little utility you just downloaded? (I know, not always recommended, but let's consider real examples here)
You've probably seen comments that, at their current state of development, these programs can be rather noisy immediately after installation. That is basically due to the user explicitly allowing all forms of routine program activity. It's the type of operations a program could use to malicious ends, but those are also the operations that a program uses in everyday use or when being initially installed.
The structural issue is that the key alerts come when a program is installed, and if a user is installing that nifty little utility, they're expecting alerts and will just blow through them because they are expected. Unfortunately, most examples of these programs working involve blocking activities in the course of a test or after the launch of known malware (.... to see if the HIPS program works....), which is a remarkably uninformative result.
Blue
SpikeyB
March 31st, 2007, 03:22 PM
I see two ways that you can get infected.
One is surfing the internet and going to the wrong site. A HIPS will protect you because it will stop executions. That's the end of it, you don't need to see any more prompts because if you are not installing something why should something be executing.
The second way is when you deliberately download and install a programme. This time you will allow the execution. However, will you allow that simple note taking programme to install a driver? I wouldn't and the HIPS would have protected me by informing me that something odd was going on.
Would I allow Daemon tools to install a driver? Yes I would and if it wasn't really Daemon tools then I'd be screwed. The HIPS would not have protected me.
In some instances the HIPS would protect and in others it wouldn't.
lucas1985
March 31st, 2007, 03:33 PM
Understanding Computer Infections:
Part I (http://wiki.castlecops.com/Understanding_Computer_Infections)
Part II (http://wiki.castlecops.com/Understanding_Computer_Infections_-_Part_two)
Part III (http://wiki.castlecops.com/Understanding_Computer_Infections_-_Part_three)
Rasheed187
March 31st, 2007, 04:42 PM
The way I see HIPS:
First of all, IMO they are a whole lot sexier than scanners ;D and they can both protect and inform.
Protect: They should be able to protect you from (zero day) "drive-by" attacks, you know, malware that gets installed via flaws in the OS or other apps like IE, MS Office etc.
Inform: When manually installing an app yourself, a HIPS should notify you about possible malicious behavior, of course it's up to you to decide if it really is malicious or not, this requires some knowledge.
Rasheed187
March 31st, 2007, 05:09 PM
-{ Quote: "I mean, even if the best scanners may identify 80% of all malware in the wild, there is still a chance they might miss something" }-
-{ Quote: "Is the chance bigger than you installing some new product, and clicking yes to prompts from HIPS blindly when it installs?" }-
@ DA
I never respond blindly on alerts, otherwise what's the point of using a HIPS? The thing is, when I look at all the apps that I've installed (and are allowed to run on my system), I see that at least 90% of these apps don't (need to) do anything possibly malicious, so normally it's not really that hard to spot malicious behavior for me. But I'm not trying to say that I will get it right every time, I'm no expert.
To give an example, just last week I downloaded some app, and I executed it in my VM (KAV labeled it as clean). But I saw that without any good reason it wanted to do stuff related to Winsock (modify or install an LSP) so I immediately thought this was bad stuff, and blocked and terminated it.
After this I scanned the file at VirusTotal, and to my surprise AntiVir, KAV and NOD32 could not recognize anything, but Ikarus, AVG and CAT-QuickHeal identified it as "Trojan-Dropper.Win32.Joiner.aj" (Panda labeled it as "suspicious") so I don't think it was a false positive. So a HIPS + some knowledge basically saved my ass.
Mrkvonic
March 31st, 2007, 05:25 PM
Hello,
Spikey et al, you can get infected via drive-by when you visit a site only if you use the inferior IE. This will not happen if you use normal browser. Sure, sure, some geek at the University of Utrecht has written a PoC that shows this can be done, but you need to time it with the Assyrian moon cycle to work.
If you exclude the inferior, default-shoot-yourself-in-the-foot MS thingies, all that you are left with is deliberate suicide, which can be as easy to avoid as real-life suicide.
Mrk
EASTER.2010
March 31st, 2007, 05:42 PM
Very! valid points coming down the list of replies here and equally interesting results made. I'm straight in observation mode right now.
Topic discussion like this is when i'm extremely grateful for Wilder's and all the membership here.
(really good reads) :thumb:
SpikeyB
March 31st, 2007, 06:08 PM
-{ Quote: "Spikey et al, you can get infected via drive-by when you visit a site only if you use the inferior IE.Mrk" }-Hi Mrk
I appreciate that but I prefer to use an inferior browser. And I can't block active X etc because it winds up my wife and daughter because pages don't load like they want. So I can't install FF with NoScript and I have to use other methods.
Also, I have never ever noticed an ActiveX installed on my system that I hadn't put there. But I have noticed that randomly named .exe's in the root directory and TIF have been blocked from running.
cprtech
March 31st, 2007, 06:21 PM
-{ Quote: "
…To give an example, just last week I downloaded some app, and… " }-
If I may ask, where did you download it from?
-{ Quote: "
If you exclude the inferior, default-shoot-yourself-in-the-foot MS thingies, all that you are left with is deliberate suicide, which can be as easy to avoid as real-life suicide.
" }-
Very good point, but I have seen several, random examples throughout your posts where you make endorsements to Linux, as if to suggest everyone using Windoze drop it and adopt Linux instead. Hopefully you don’t actually mean that (I don't think you do, just wondering), because realistically it is not, for obvious reasons, going to happen.
beethoven
March 31st, 2007, 07:08 PM
I am spending way too much time on this forum lurking in the background and reading up on these issues. I have gained some insight and have progressed from the "standard" browser , the "standard" AV and the "standard" Firewall to the less "famous" more sophisticated or effective programs. I even use a program monitoring running processes and registry. I am sure you are all very impressed now :dry:
Despite this I know I have only a very basic understanding of many of the issues involved and think while the OP's suggestion may be suitable for some, the percentage of users on the net being able to follow is miniscule.
-{ Quote: "To give an example, just last week I downloaded some app, and I executed it in my VM (KAV labeled it as clean). But I saw that without any good reason it wanted to do stuff related to Winsock (modify or install an LSP) so I immediately thought this was bad stuff, and blocked and terminated it." }-
I believe earlier in the thread someone made a similar comment about monitoring any changes to drivers, registry entries being made by programs intentionally downloaded from reputable sites. The idea is to evaluate everything first in detail before allowing it to run normally.
As a normal user (who already frequents the Wilders Forum) this suggestion is completely unrealistic for almost everyone except those who make IT their living or total hobby.
As Blue said earlier there are limits as to what the average or even above average user can do to protect themselves. I will continue to read up on issues here, try the odd program but will have to rely on these programs to be user-friendly, to hold my hands and not expect me to be a supergeek who can write and analyse code. Having said that I am happy for you guys who can do all of these things, just don't assume this will be the solution for anyone but a small minority.;)
Devil's Advocate
April 2nd, 2007, 12:37 PM
-{ Quote: "@ DA
I never respond blindly on alerts, otherwise what's the point of using a HIPS? The thing is, when I look at all the apps that I've installed (and are allowed to run on my system), I see that at least 90% of these apps don't (need to) do anything possibly malicious, so normally it's not really that hard to spot malicious behavior for me. But I'm not trying to say that I will get it right every time, I'm no expert.
" }-
Exactly! The question is the number of times you don't get it right, is it higher or lower than the number of times that the AV will miss it? OF course, in reality it's not either/or , but you get my point.
People seem to like to focus on the upside of HIPS (potentially catching all),
at the same time focusing on the downside of AV (potentially missing unknown).
More specifically the question is how many times does your AV fail, when your judgement doesn't (assuming you use both)? That is the value of your HIPS.
People like to talk about blocking driver installs as the obvious decision to make, which conveniently forgets that 1) Most HIPS do a lot more than that and if that was all they did 2) You can achieve the same by just running limited accounts.
Devil's Advocate
April 2nd, 2007, 12:48 PM
-{ Quote: "
HIPS can detect buffer overflows, code injection, process modification, termination, etc.
What does it not cover, that hackers could do? Feature wise first, then flaws if you want. Because unless we address this, the discussion is going nowhere, and i ain't gonna learn!" }-
Feature wise like the much cited http://wiki.castlecops.com/HIPS/IDP_programs/services ? So you get this table, what next? You pick the ones that have the most ticks? And then you move from product to product depending on who gets the most ticks?
I'm sure most HIPS vendors will be glad that this mentality has taken hold.
At this rate, you will end up being prompted a hundred times before you even start pressing the on button!
And as i said, you want to worry about really skilled hackers (lousy ones wouldn't be a threat anyway), features ain't going to save you.
Pedro
April 2nd, 2007, 01:19 PM
-{ Quote: "Feature wise like the much cited http://wiki.castlecops.com/HIPS/IDP_programs/services ? So you get this table, what next? You pick the ones that have the most ticks? And then you move from product to product depending on who gets the most ticks?
I'm sure most HIPS vendors will be glad that this mentality has taken hold.
At this rate, you will end up being prompted a hundred times before you even start pressing the on button!
And as i said, you want to worry about really skilled hackers (lousy ones wouldn't be a threat anyway), features ain't going to save you." }-
DA, you totally missed me. When i say feature wise, i mean feature wise. I can't repeat myself over and over that it is up to the user. That's not possible, so i'm not going to.
What i asked was if the HIPS can detect everything some hacker might do. I do not put the user in the equation. Repeating what the user has to interpret, or comparing to an AV is beyond my question.
If you prefer, assume an expert user, running by choice a non hardened OS, with some HIPS like SSM or PG.
Kees1958
April 2nd, 2007, 05:09 PM
Dear members,
Some start discussions about the decisions a user has to take when using a HIPS. Please have a look at the pop-up frequency of DefenseWall and Primary Response Safe Connect (or even PrevX1, but that also uses blacklists). Hope this will end the user discussion.
With the setup of my wife's PC no pop-up emerges: DefenseWall is quiet by nature, SSM-free runs with user interface disconnected, SensiveGuard either allows or blocks (denies).
As for the question how many times I had to make a decision compared to the automated decision, that is easy. I used CyberHawk during the training period of SSM-free as a second reference. I never had to make a decision when SSM and CyberHawk popped-up both.
For over a year my AV did not pop-up. This proves the point some of the members are making: Yes I had to make at least two dozen choices more than my AV made for me. Decisions User versus AV = 24 - 0.
POINT IS: THE AV DID NOT INTERCEPT 1 MALWARE (Noppes, Nada, Null), so this also proves my point, why cure when you can protect. Obviously there was nothing to be cured from, so why use a medicine? Especially when the medicine does not cure against zero day threats?
http://winnow.oitc.com/AntiVirusPerformance.html
Regards K
ErikAlbert
April 2nd, 2007, 06:04 PM
If you have to remove malware on your computer, it's too late when the malware has done its evil job already between two scannings.
You better try to prevent the installation of malware or stop its execution if the malware is installed. That's the security I need to save the day, because I've already a 100% REMOVAL of malware, better and faster than scanners can do and without f/p's.
Scanners ask too much time of the user and it will get worse and worse, because the bad guys make the blacklists longer and longer every day.
herbalist
April 2nd, 2007, 06:25 PM
-{ Quote: "What i asked was if the HIPS can detect everything some hacker might do. I do not put the user in the equation. Repeating what the user has to interpret, or comparing to an AV is beyond my question.
If you prefer, assume an expert user, running by choice a non hardened OS, with some HIPS like SSM or PG." }-
If the HIPS is configured to allow only the processes and applications the user needs and also limits the activities of the allowed processes to only those needed to function (hooks, parent-child settings, etc), then HIPS will alert to most of what a hacker might try to do. This is assuming that the HIPS is part of a well designed layered security package, not a solitary line of defense.
Too much is being made of how a user might respond to prompts. Once the HIPS is configured, there should be no prompts during normal usage. If a user is not installing something and an updater is not running, there should be no prompts. If there are, they should be denied. Ideally, the user interface should be disconnected during normal operations so the user doesn't get prompted at all. No prompts, no mistakes.
HIPS are designed to prevent changes in your system, and are best suited for systems that change little if at all, systems which are equipped the way the user wants them. On setups like this, HIPS can effectively protect from most any malicious code, whether it's malware or sent by a hacker. HIPS is a less than ideal choice on systems where the users are installing new apps regularly. The more software a user installs, the more the system's integrity depends on the user's decisions. Constantly installing software is high risk behavior, not just from the increased chances of contacting and allowing malicious code, but also from the increasing chances of conflicts and unwanted changes, plus any new vulnerabilities introduced by the new software.
HIPS does not address every possible attack vector. It needs to be combined with other security apps that address the other attack vectors. When combined with a good internet firewall and content filtering of the allowed traffic, HIPS is very effective.
Regarding what some hacker may do, no matter how good he or she might be, they have to start with gaining access to your system, either thru or around your firewall or via traffic that's already allowed. There are no magic doors they can enter. There are no secret codes that take down all the firewalls and open ports. While all security software can be defeated, each app is different, with different strengths. When properly chosen and configured, the components of a layered security package monitor and defend each other. It's much harder to kill a firewall when HIPS defends and/or restarts the process. It's hard to inject a "kill" command when HIPS won't allow the code to run or to get it past a firewall that only accepts incoming traffic from specific locations. It does little good to kill a firewall only to find there's no open ports available. It's hard to get an autostart entry into the registry when the system components that can edit the registry are blocked from running and attempts to use them result in the users being alerted. It's very hard to rootkit a system when the installer won't run on its own and the user won't start it. When all of it and more is blocked by both security apps and system configuration, it's very difficult to compromise such a system. When the system has regularly run integrity checks, it doesn't do an attacker much good when, even if he succeeds, the user restores the system to a clean state.
An attacker doesn't know what your defenses are or how they're configured unless you or your system advertise it, like many here do in their signatures. Nothing like giving an attacker a roadmap. He doesn't know if his probing a likely port will result in a firewall alert on the desktop. What one user's configuration allows causes an alert on another's, warning the user of the activity. If you start with securely configuring your system, no unnecessary open ports, good system policies, etc, then add good traffic control, application control, and content filtering, you can get very close to bulletproof.
Rick
yankinNcrankin
April 2nd, 2007, 09:48 PM
Before going online
1st-Clean install of OS with all the programs you will use and trust.
2nd-save settings with imaging software and other restore programs, having more than one option of restoring is a good thing.
3rd-Install your HIPS and let it learn. Some HIPS are better at this than others.
Save settings with imaging software and other restore programs again.
4th-You ready to rockNroll !
A good HIPS, after it has learned your setup, will make alerts only to the unknown, new stuff.
Depending on which HIPS you have, there could be settings that block unknown new stuff silently, or prompt for user action etc. etc. etc...
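The learn-then-enforce workflow that herbalist and yankinNcrankin describe above (train on the software already installed, then disconnect the interface so unknown activity is denied without a prompt, and only prompt while the user is deliberately installing), as an added example in Python that is not part of the thread or any HIPS vendor's code. The process paths, operation names, rule key and the user's replies are all constructed for the demo.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    LEARN = "learn"      # training period: everything observed becomes a rule
    ENFORCE = "enforce"  # "interface disconnected": unknown activity is denied silently
    INSTALL = "install"  # user is deliberately installing: unknown activity prompts


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"


@dataclass(frozen=True)
class Event:
    """One intercepted operation: who did it, which hooked call class, on what."""
    process: str    # image path of the acting (parent) process
    operation: str  # hooked call class, e.g. "execute", "file_write", "driver_load"
    target: str     # child image, file or driver acted upon

    def key(self) -> tuple:
        # Windows paths are case-insensitive, so normalise before matching
        return (self.process.lower(), self.operation, self.target.lower())


@dataclass
class Hips:
    mode: Mode = Mode.LEARN
    rules: set = field(default_factory=set)     # learned (process, op, target) keys
    denied: list = field(default_factory=list)  # silently blocked events, for later review

    def decide(self, ev: Event) -> Verdict:
        if ev.key() in self.rules:
            return Verdict.ALLOW
        if self.mode is Mode.LEARN:
            self.rules.add(ev.key())
            return Verdict.ALLOW
        if self.mode is Mode.INSTALL:
            return Verdict.PROMPT
        self.denied.append(ev)
        return Verdict.DENY

    def answer_prompt(self, ev: Event, allow: bool, remember: bool = False) -> Verdict:
        """Apply the user's reply to a PROMPT; 'remember' turns an allow into a rule."""
        if allow and remember:
            self.rules.add(ev.key())
        if not allow:
            self.denied.append(ev)
        return Verdict.ALLOW if allow else Verdict.DENY


# Constructed sample paths (hypothetical, not taken from any real system)
EXPLORER = r"C:\WINDOWS\explorer.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
PREFS = r"C:\Documents and Settings\user\Application Data\Mozilla\prefs.js"
DRIVEBY = r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\xk3j9.exe"
SETUP = r"C:\Documents and Settings\user\My Documents\notes_setup.exe"
DRIVER = r"C:\WINDOWS\system32\drivers\ntsvc.sys"


def demo() -> dict:
    """Run the learn -> enforce -> install cycle over constructed events."""
    hips = Hips()
    # 1. Training period: the software already on the box runs normally.
    for ev in (Event(EXPLORER, "execute", FIREFOX),
               Event(FIREFOX, "file_write", PREFS)):
        hips.decide(ev)
    rules_learned = len(hips.rules)

    # 2. Normal use with the interface disconnected: no prompts, just denials.
    hips.mode = Mode.ENFORCE
    browsing = hips.decide(Event(EXPLORER, "execute", FIREFOX))
    driveby = hips.decide(Event(FIREFOX, "execute", DRIVEBY))  # unknown .exe out of the TIF

    # 3. The user deliberately installs a note-taking tool: now prompts appear.
    hips.mode = Mode.INSTALL
    setup_prompt = hips.decide(Event(EXPLORER, "execute", SETUP))
    hips.answer_prompt(Event(EXPLORER, "execute", SETUP), allow=True, remember=True)
    driver_prompt = hips.decide(Event(SETUP, "driver_load", DRIVER))
    # A note-taking programme has no business loading a driver: the user says no.
    driver = hips.answer_prompt(Event(SETUP, "driver_load", DRIVER), allow=False)
    hips.mode = Mode.ENFORCE

    return {"rules_learned": rules_learned, "browsing": browsing, "driveby": driveby,
            "setup_prompt": setup_prompt, "driver_prompt": driver_prompt,
            "driver": driver, "denied": len(hips.denied), "rules_now": len(hips.rules)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value.value if isinstance(value, Verdict) else value}")
```

The denied list is what a user reviews afterwards; in ENFORCE mode nothing on it ever produced a prompt, which is the "no prompts, no mistakes" property herbalist describes.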
BlueZannetti
April 2nd, 2007, 10:45 PM
-{ Quote: "Too much is being made of how a user might respond to prompts." }-It's not so much how..., but as to what is the basis of a response given.
-{ Quote: "Once the HIPS is configured.....," }-That road can be a harsh mistress to the unwary. It's not that I believe these tools cannot be used, rather I believe that the arms race in feature set creep starts to render them potentially more insidious than what they will propose to cure.
If one wishes to go this path, a simple and pure run whitelisted processes/deny all else/do not try to finesse the situation by tweaking with a processes inner workings would seem the best route.
Blue
Kees1958
April 3rd, 2007, 05:51 AM
-{ Quote: "HIPS are designed to prevent changes in your system, and are best suited for systems that change little if at all, systems which are equipped the way the user wants them. On setups like this, HIPS can effectively protect from most any malicious code, whether it's malware or sent by a hacker. HIPS is a less than ideal choice on systems where the users are installing new apps regularly. The more software a user installs, the more the systems integrity depends on the users decisions. Constantly installing software is high risk behavior, not just from the increased chances of contacting and allowing malicious code, but also from the increasing chances of conflicts and unwanted changes, plus any new vulnerabilities introduced by the new software. Rick" }-
Exactly, that is why my son still uses his AV (GeSWall Pro, CyberHawk free, Regdefend liteware with Toni Kleins ruleset and Antivir free with heuristics set to high). I did not want to claim a one size fits all with this post, just to stir up discussion.
Regards K
EASTER.2010
April 4th, 2007, 03:36 AM
I agree ErikAlbert. The damage is already done after the malware is run and exchanged signals with the system & whatever else it's capable of doing.
If there's any consolation in any of this AFTER-THE-FACT scenario it's that some Anti-Spyware's like SAS and i'm sure others, have gained more vital data into various structures of malwares enough to at least safely remove most of the more critical aspects of them (files/reg entries) including the elusive rootkits/hiders. Anything more severe or critically destructive and then RESTORE principle is the next alternative to recovery, that's understood.
Ok, so then that's of the CURE factor.
Prevention on the other hand though is supposed to provide the proper shielding and for that HIPS/AV/AS/Sandbox combinations in real-time seem like a lot to have to depend on and they are, but technology & study has risen to a higher degree than ever before with each following passage of time & experience and that's consolation for a BEFORE-THE-FACT approach and the one most popular with more experienced surfers/users of the internet.
I think most users here at Wilder's and also other security forums take into account all possibilities of forced intrusion and set up their configurations with a full Layered approach as those mentioned above as well as keeping readily restorable images to external or other alternative media.
So yes, why cure when you can protect and i expect most here do just that.
ErikAlbert
April 4th, 2007, 06:18 AM
-{ Quote: "The damage is already done after the malware is run and exchanged signals with the system & whatever else it's capable of doing.
" }-
Since I have a 100% removal method by rolling back to a previous healthy state, including history cleaning and registry cleaning without needing a history/registry cleaner.
Now I have to solve TWO other problems :
1. Prevent the installation of malware.
2. Stop the execution of malware, if they pass through my security.
Which security softwares are able to do this, except realtime shields of main AV/AS/AT/AK-scanners ???
Keep in mind that these security softwares only have to save me during ONE session between two reboots. After reboot all infections during that session are gone.
A. Firewall (+ router)
B. Anti-Executable, which has a whitelist, based on the legitimate softwares, installed on my computer with a verification of File Size, File Type, File Location, Creation Date and Code Sample and AE detects more than 80 different executable file types (.exe .sys .drv, ...) and does NOT need an updating of definition files.
http://www.faronics.com/html/AntiExec.asp#Standard
C. Sandboxie : data flows in both directions between programs and the sandbox. During read operations, data may flow from the hard disk into the sandbox. But data never flows back from the sandbox into the hard disk.
http://www.sandboxie.com/
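The whitelist checks ErikAlbert lists for Anti-Executable above (file size, file type, file location, creation date and a code sample) as an added example in Python; this is not Faronics' code, just a toy allowlist run over constructed fake executables in a temporary directory. The 4 KiB sample size, the type detection by magic bytes and the creation-time fallback to mtime on POSIX are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

# Bytes hashed as the "code sample" (assumed size). A same-size patch past this
# offset would not change the sample, so a full-file hash is the stronger choice.
SAMPLE_BYTES = 4096
EXEC_EXTENSIONS = {".exe", ".sys", ".drv", ".dll", ".scr", ".com", ".cpl", ".ocx"}


@dataclass(frozen=True)
class Fingerprint:
    location: str     # absolute path: a trusted binary copied elsewhere is not trusted
    size: int
    ftype: str        # "pe", "elf", "script", "exe-ext" (by extension) or "other"
    created: int      # creation timestamp in ns; see file_created()
    code_sample: str  # hex SHA-256 of the first SAMPLE_BYTES bytes


def file_type(path: str) -> str:
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head[:2] == b"MZ":
        return "pe"
    if head == b"\x7fELF":
        return "elf"
    if head[:2] == b"#!":
        return "script"
    ext = os.path.splitext(path)[1].lower()
    return "exe-ext" if ext in EXEC_EXTENSIONS else "other"


def file_created(st: os.stat_result) -> int:
    # Windows reports creation time; most POSIX systems lack st_birthtime_ns,
    # so fall back to the modification time there (assumption for the demo).
    ts = getattr(st, "st_birthtime_ns", None)
    return ts if ts is not None else st.st_mtime_ns


def fingerprint(path: str) -> Fingerprint:
    path = os.path.abspath(path)
    st = os.stat(path)
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    return Fingerprint(path, st.st_size, file_type(path), file_created(st),
                       hashlib.sha256(sample).hexdigest())


class Allowlist:
    """Execution allowlist keyed by location; everything not listed is blocked."""

    def __init__(self):
        self._entries = {}

    def add(self, path: str) -> Fingerprint:
        fp = fingerprint(path)
        self._entries[fp.location] = fp
        return fp

    def check(self, path: str) -> list:
        """Return [] if execution is allowed, else the names of the failed checks."""
        fp = fingerprint(path)
        ref = self._entries.get(fp.location)
        if ref is None:
            return ["not_listed"]
        return [name for name in ("size", "ftype", "created", "code_sample")
                if getattr(fp, name) != getattr(ref, name)]


def demo() -> dict:
    """Constructed scenario: a trusted fake PE, a moved copy, a patched copy, a stranger."""
    root = tempfile.mkdtemp(prefix="ae_demo_")
    trusted = os.path.join(root, "notes.exe")
    with open(trusted, "wb") as fh:
        fh.write(b"MZ" + bytes(range(256)) * 16)   # 4098-byte fake executable
    allow = Allowlist()
    allow.add(trusted)
    results = {"intact": allow.check(trusted)}

    moved = os.path.join(root, "moved.exe")          # same bytes, other location
    shutil.copy2(trusted, moved)
    results["moved"] = allow.check(moved)

    with open(trusted, "r+b") as fh:                 # same size, one byte patched
        fh.seek(100)
        fh.write(b"\x00")
    results["patched"] = allow.check(trusted)

    stranger = os.path.join(root, "xk3j9.exe")       # never whitelisted
    with open(stranger, "wb") as fh:
        fh.write(b"MZ" + os.urandom(64))
    results["stranger"] = allow.check(stranger)

    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for case, failed in demo().items():
        print(f"{case:9} {'allowed' if not failed else 'blocked: ' + ', '.join(failed)}")
```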
Rmus
April 4th, 2007, 08:18 AM
-{ Quote: "
Now I have to solve TWO other problems :
1. Prevent the installation of malware." }-There are two ways, it seems to me, that malware installs:
1) By accident, either
By intrusion via a port
By remote code execution, aka, drive-by download
By running an email attachment inadvertently
It seems to me that your A. and B. solutions take care of this.
2) By piggy-backing on a program, or a tainted program, which you install, while your security is disabled.
Nothing to say to this, since everyone has her/his own way of dealing with trusted sites/software. If you are confident enough in how you deal with this, it is a non-issue.
-{ Quote: "2. Stop the execution of malware, if they pass through my security." }-This is a non-issue if you are confident with how you deal with the above two scenarios. If you are not confident, then you will never feel secure and be always worrying.
Your setup/methods (A., B., and rollback) seem more than adequate for secure protection.
I would just enjoy what you have, have fun computing and surfing, and not fret and worry!
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
ErikAlbert
April 4th, 2007, 08:38 AM
Rmus,
Thanks for the info.
If A and B fail, rollback will take care of it.
Emails aren't a problem, because I ignore and delete them without even opening them.
Peter2150
April 4th, 2007, 08:52 AM
Sandboxie isn't a bad add on to 1 and 2. I like it because, if nothing else, cleaning up after surfing is easy. This safe surfing, that is.
ErikAlbert
April 4th, 2007, 09:04 AM
-{ Quote: "Sandboxie isn't a bad add on to 1 and 2. I like it because, if nothing else, cleaning up after surfing is easy. This safe surfing, that is." }-
OK. I will try that one for awhile and see how it works.
And I will have an army of backup images and archived snapshots after re-installing my computer, to recover from any malware-attack.
Pedro
April 4th, 2007, 09:15 AM
You won't regret it. I think you will stick with it too. It's dead simple and effective.:thumb:
Rmus: thank you. That's kind of what i'm thinking, but asked for confirmation.
Since joining Wilders, i've learned a lot, and among the things i've learned, is how to download. I don't think i'll be getting trojans just like that.
So i've cut back, and run Comodo, SandboxIE and Avast!.
WinPatrol is there for kicks, and trying out AnalogX Script Defender. Not sure how the latter will help, but i'm just taking a peek.
I still think Prevx1 is the best monitoring tool, but i think i can handle it:)
Once it matures, i'll recommend it as stand alone for my friends (those who are willing to pay, or give a damn). For the masses, i can't think of a better program. And for those who want some peace of mind.
EASTER.2010
April 5th, 2007, 01:26 AM
-{ Quote: "And I will have an army of backup images and archived snapshots after re-installing my computer, to recover from any malware-attack." }-
I like that line of planning. ;)
PREVENT!
SSM fills in the gaps for me in much the same way as showing you what is entering your blind spot while driving your vehicle down the road of a dual-lane one-way road.
It intercepts potential intrusions with ease, courtesy of the SUSPENDING command, which lets you first identify the source name, location, instruction, and targeted destination while awaiting your decision to allow it to proceed or not. Works for me to a tee!
Prevx1 does rank very high in PREVENT from the reviews i covered and i read much the same for BoClean although i believe they differ somewhat if not quite differently in methods, success rates.
aigle
April 5th, 2007, 01:30 AM
-{ Quote: "OK. I will try that one for awhile and see how it works.
And I will have an army of backup images and archived snapshots after re-installing my computer, to recover from any malware-attack." }-
In that case, instead of a complete virtualization sandbox, I think a partial virtualization sandbox like GeSWall might be more appropriate, as it will not allow anything to run like keyloggers etc. due to stricter policy restrictions. And you will of course clear them on reboot.
Finally, it depends upon your choice too.
ErikAlbert
April 5th, 2007, 02:02 AM
-{ Quote: "I like that line of planning. ;)
PREVENT!
SSM fills in the gaps for me in much the same way as showing you what is entering your blind spot while driving your vehicle down the road of a dual-lane one-way road.
It intercepts potential intrusions with ease, courtesy of the SUSPENDING command, which lets you first identify the source name, location, instruction, and targeted destination while awaiting your decision to allow it to proceed or not. Works for me to a tee!
Prevx1 does rank very high in PREVENT from the reviews i covered and i read much the same for BoClean although i believe they differ somewhat if not quite differently in methods, success rates." }-
SSM is also a possibility, but I have trouble understanding it. Can you use it without being knowledgeable?
I'm not sure about Prevx1 yet, I like it but I'm not sure if it fits in my frozen snapshot. Never liked its blacklist either and it has too many updates.
Keep in mind that a frozen snapshot can be replaced by refreshing a snapshot with an archived snapshot. The only difference is that a frozen snapshot is an automatic copy/update, the other methods have to be done manually.
Most manual work could have been avoided, if FDISR had schedules on demand, but they don't exist.
What is also interesting to think about is this:
A frozen snapshot also removes the GOOD changes. Is this a problem or not?
When a frozen snapshot restores my computer to a healthy state after EACH reboot, why do I need these GOOD changes?
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums