Security Strategy please correct me or confirm.
feniks
November 17th, 2007, 11:54 AM
I decided to put this post in this part of the forum because I think it belongs here too. Sorry if I did something wrong.
I was never infected or anything, even though I have used the internet maybe from the beginning of its era (frankly, for so long I do not remember). Most of the time I was behind a router with a firewall and just had NOD32 and Outpost up to version 4. And Spyware Doctor. So I was thinking I am safe etc.
But now NOD32 started with version 3.0 and, shortly speaking, I lost my confidence in it. Also Outpost became a problem with my system. So I started looking around.
Solcroft talked about strategy, and mine for sure is not cleaning only. Maybe I can describe my strategy and my understanding of what programs I need to accomplish it as follows:
1. Good inbound protection.
- router with firewall
- software firewall
- antivirus program
- HIPS (behavioural and regular rule based) - maybe fit here?
- real time AS shield - maybe fit here?
2. Good outbound protection.
- HIPS (behavioural and regular rule based)
- software firewall
- antivirus program - maybe fit here?
- real time AS shield - maybe fit here?
3. Making sure I am healthy.
- antivirus program
- on demand AS scanners (3 of them maybe)
- HIPS (behavioural and regular rule based)
- real time AS shield - maybe fit here?
Also I never use IE and Outlook. I try to be safe and download only what I really need, from good sources, and read about it somewhere first.
Also I do not know in which of the 3 departments Threatfire and real time AS scanners like ST or Spyware Doctor belong.
So my question is: is this a good strategy? If yes, then I will just focus on finding the proper programs.
I know there are Sandboxie and virtualization, but for me it looks like magic and I have to learn first. Also I do not want too much hassle; I am lazy and do not want to become a security guru etc. Just a regular internet user with some p2p.
LUSHER
November 17th, 2007, 12:08 PM
Hmm Security Philosophy.
"Also I do not know in which of the 3 departments Threatfire and real time AS scanners like ST or Spyware Doctor belong."
I don't know if your 3 "departments" make sense or if they are really a useful way of seeing things.
19monty64
November 17th, 2007, 12:20 PM
{QUOTE-> Also I do not know in which of the 3 departments belong Threatfire <-QUOTE}
...2
{QUOTE-> and real time AS scanner like ST or Spyware Doctor. <-QUOTE}
...3
{QUOTE-> So my question is is this good strategy? If yes then I just focus on finding proper programs. <-QUOTE}
Yes, that would be a good starting point.
HiTech_boy
November 17th, 2007, 12:20 PM
@feniks
A bit of overkill. A firewall, an antimalware program and common sense would be much better than 3 on-demand scanners, HIPS, antispyware, etc...
feniks
November 17th, 2007, 12:27 PM
{QUOTE-> Hmm Security Philosophy.
I don't know if your 3 "departments" make sense or if they are really a useful way of seeing things. <-QUOTE}
What is wrong with this? Can you elaborate some more instead of making me more confused? ???
feniks
November 17th, 2007, 12:28 PM
{QUOTE-> ...2
...3
Yes, that would be a good starting point. <-QUOTE}
Thank you for the answer and for not making it even more complicated. ;D
feniks
November 17th, 2007, 12:37 PM
{QUOTE-> @feniks
A bit of overkill. A firewall, an antimalware program and common sense would be much better than 3 on-demand scanners, HIPS, antispyware, etc... <-QUOTE}
Antimalware is an antivirus like NOD32 or Avira? Or do you mean something like Spyware Doctor?
Thank you for calming me down. Reading all these posts here makes me think I am really way behind or something.
So what do you think about a setup like this:
1. Router with firewall
2. NOD32 or Avira antivirus
3. Software firewall - WDF, OA free or ESS (first two with HIPS but ESS can be with Threatfire)
4. Some AS scanner sometimes on demand.
Opera, The Bat!, downloading only trusted programs from trusted sources.
Overkill already or still reasonable?
wat0114
November 17th, 2007, 12:38 PM
{QUOTE->
I was never infected or anything, even though I have used the internet maybe from the beginning of its era (frankly, for so long I do not remember). Most of the time I was behind a router with a firewall and just had NOD32 and Outpost up to version 4. And Spyware Doctor. So I was thinking I am safe etc.
But now NOD32 started with version 3.0 and, shortly speaking, I lost my confidence in it. Also Outpost became a problem with my system. So I started looking around.
<-QUOTE}
This obviously worked for you, so why not just revert to NOD32 ver 2.7? 3.0 is just not ready yet. As for Outpost, which version gives you problems? If it's the latest 6.0, then just revert to 4.0. You could probably ditch Spyware doctor and free up some system resources.
feniks
November 17th, 2007, 12:56 PM
{QUOTE-> This obviously worked for you, so why not just revert to NOD32 ver 2.7? 3.0 is just not ready yet. As for Outpost, which version gives you problems? If it's the latest 6.0, then just revert to 4.0. You could probably ditch Spyware doctor and free up some system resources. <-QUOTE}
Outpost 4.0. I did not try 6.0 as my licences have expired for OF as well as for NOD32. :'( So another reason for my research is to try to find some free replacements. So far I have come up with Avira free (hope it is a good choice?) and cannot yet decide between OA free and WDF. OA free is so good in the leaktests on matousec, but the firewall is useless for p2p. WDF works perfectly with my system and p2p, and only the matter of the leaktests makes it hard for me to decide to choose it over OA free.
And nobody seems to be able or willing to answer the question I asked even on the OA forum: if I uninstall only the firewall in OA, will it still be as good in the leaktests? If not, then I have no doubts that I will choose WDF, where I can use both DSA and the firewall.
Kerodo
November 17th, 2007, 01:16 PM
I think you should go with what has already worked for you for years, and just find new programs to replace the ones you no longer want to use. Avira is a good choice for a free AV. There seem to be a couple of software firewalls out now that are free and popular also. I might be tempted to skip the software firewall since you already have the router, and perhaps find a HIPS program instead for watching outbound. Don't think you need much more than a router, AV and HIPS based on your past success...
feniks
November 17th, 2007, 01:28 PM
{QUOTE-> I think you should go with what has already worked for you for years, and just find new programs to replace the ones you no longer want to use. Avira is a good choice for a free AV. There seem to be a couple of software firewalls out now that are free and popular also. I might be tempted to skip the software firewall since you already have the router, and perhaps find a HIPS program instead for watching outbound. Don't think you need much more than a router, AV and HIPS based on your past success... <-QUOTE}
Thank you Kerodo. So Avira stays. And I don't cross NOD32 off the list yet.
I'd like some outbound control, therefore a software firewall, but it is not so big a matter. So HIPS then. Both OA and WDF have HIPS and it seems I can learn them easily, as I am already familiar with both. And the difference from, say, SSM or Threatfire is that I can have a firewall also. ;) And I can always install Threatfire alongside any of them, as it is behaviour based, so it can optionally complement the other HIPS in some way. Do I understand correctly?
And Kerodo, can you help with that riddle:
"And nobody seems to be able or willing to answer the question I asked even on the OA forum: if I uninstall only the firewall in OA, will it still be as good in the leaktests? If not, then I have no doubts that I will choose WDF over OA because I can use both DSA and the firewall."
19monty64
November 17th, 2007, 01:46 PM
You could download "All leak-tests in one archive" from here (http://www.matousec.com/downloads/windows-personal-firewall-analysis/) and test for yourself...
Kerodo
November 17th, 2007, 02:05 PM
{QUOTE-> And Kerodo, can you help with that riddle:
"And nobody seems to be able or willing to answer the question I asked even on the OA forum: if I uninstall only the firewall in OA, will it still be as good in the leaktests? If not, then I have no doubts that I will choose WDF over OA because I can use both DSA and the firewall." <-QUOTE}
Well, sorry feniks, but I am not familiar with OA at all, so I can't really comment on it. Perhaps somebody else here will eventually help out though. If you're determined to use a software firewall then I would guess that either one of them would be alright... it's up to you of course..
19monty64
November 17th, 2007, 02:14 PM
OA minus FW may not pass all leak tests, but WDF may not either without DSA. OA and WDF did not function well without using all their parts. I tried, and disabling either one, to be polite, made them somewhat inefficient.
feniks
November 17th, 2007, 02:19 PM
{QUOTE-> You could download "All leak-tests in one archive" from here (http://www.matousec.com/downloads/windows-personal-firewall-analysis/) and test for yourself... <-QUOTE}
Yes, but I am afraid that I will not be able to do it correctly or interpret it correctly.
There are 3 ways of learning:
- from some authority
- from your own mistakes (second class intelligence)
- never learn (complete lack of intelligence)
I prefer the first way; that is why I registered here. :)
By the way, I just received an answer from the OA forum that OA with the firewall off and the rest (HIPS) on does not give any leak protection. But that was not Mike but somebody posting their second post, so hm... Not yet sure, I guess.
lucas1985
November 17th, 2007, 02:20 PM
{QUOTE-> Antimalware is an antivirus like NOD32 or Avira? Or do you mean something like Spyware Doctor?
1. Router with firewall
2. NOD32 or Avira antivirus
3. Software firewall - WDF, OA free or ESS (first two with HIPS but ESS can be with Threatfire)
4. Some AS scanner sometimes on demand.
Opera, The Bat!, downloading only trusted programs from trusted sources.
Overkill already or still reasonable? <-QUOTE}
3. Threatfire, PRSC or Prevx.
4. Backup plan. This is the most important step.
5. Optional: reboot-to-restore (Deep Freeze, Returnil, etc)
Learn (http://wiki.castlecops.com/Understanding_Computer_Infections) at your own speed.
feniks
November 17th, 2007, 02:31 PM
{QUOTE-> 3. Threatfire, PRSC or Prevx.
4. Backup plan. This is the most important step.
5. Optional: reboot-to-restore (Deep Freeze, Returnil, etc)
Learn (http://wiki.castlecops.com/Understanding_Computer_Infections) at your own speed. <-QUOTE}
Thank you for the link, very good read.
What are PRSC and Prevx?
ad 5. I will check it out.
lucas1985
November 17th, 2007, 02:43 PM
{QUOTE-> What are PRSC and Prevx? <-QUOTE}
Primary Response SafeConnect (http://www.sanasecurity.com/products/sc/features.php) (PRSC)
Prevx (http://www.prevx.com/)
feniks
November 17th, 2007, 02:46 PM
{QUOTE-> Primary Response SafeConnect (http://www.sanasecurity.com/products/sc/features.php) (PRSC)
Prevx (http://www.prevx.com/) <-QUOTE}
Thank you. I just started to look in Google but you were faster. :)
So it looks like they are similar in the role they play, but Threatfire is free. But is it also inferior in something?
lucas1985
November 17th, 2007, 02:57 PM
Prevx might offer superior protection (in theory) because it also uses whitelists and a malware scanning engine (unpack, heuristics, signatures) in addition to the main behaviour blocker. In practice, I don't know.
19monty64
November 17th, 2007, 03:04 PM
The best advice would be to download and install whatever your budget allows and try it out for yourself. I trust you're not surfing unprotected right now....
feniks
November 17th, 2007, 03:23 PM
{QUOTE-> The best advice would be to download and install whatever your budget allows and try it out for yourself. I trust you're not surfing unprotected right now.... <-QUOTE}
Thank you for caring. And yes, I have already downloaded many things and checked them. If I have to choose based on my personal preferences, feelings and what I have read here so far, then it will look like this:
1. Router with firewall (linksys AG241)
2. NOD32 or Avira
3. WDF
4. Threatfire
5. On demand scanners for AS (like A2, SD etc.)
6. Optional: reboot-to-restore (Deep Freeze, Returnil, etc) - have to learn and check yet
7. and of course:
- backup
- Opera and The Bat!
- safe surfing and downloading
If only I could solve the riddle between OA without the firewall (with the Windows XP firewall instead) and WDF with full options: which will give better leak protection, because confidentiality is my priority in this security strategy.
And yes, I understand that prevention comes first, but that is covered by the first 3 points and point 7, or is it not?
PS. And simplicity and ease of use are an important subject too. DSA is not easier than OA, but that is OK.
lucas1985
November 17th, 2007, 03:32 PM
If I was you, I'd forget about leaktests and on-demand scanners.
feniks
November 17th, 2007, 03:37 PM
{QUOTE-> If I was you, I'd forget about leaktests and on-demand scanners. <-QUOTE}
Can you explain why please?
I know I am asking a lot but I try to understand. ???
ErikAlbert
November 17th, 2007, 03:55 PM
{QUOTE->
5. On demand scanners for AS (like A2, SD etc.)
6. Optional: reboot-to-restore (Deep Freeze, Returnil, etc) - have to learn and check yet <-QUOTE}
If you use an ISR-software like Returnil, you don't need on demand scanners anymore.
An on demand scanner removes malware during each SCAN.
Returnil removes malware during each REBOOT.
There is no difference, except that Returnil will do a much better job than 10 on demand scanners, because Returnil removes any bad change (viruses, spyware, trojans, keyloggers, rootkits, ...), while on demand scanners only remove what they know and what they don't know remains on your harddisk.
How long will it take to run 10 on demand scanners and how long will it take to reboot ?
I boot-to-restore in less than 2 minutes and my ISR-software is the slowest.
lucas1985
November 17th, 2007, 04:16 PM
{QUOTE-> Can you explain why please? <-QUOTE}
A behaviour blocker is very good at keeping you malware-free. Putting a firewall with good performance against leaktests will cause overlap of functions, more pop-ups and less resources.
As for on-demand scanners: what are you going to do when they find something?
Your tools for cleanups should be clean images and/or a reboot-to-restore solution.
feniks
November 17th, 2007, 04:21 PM
{QUOTE-> If you use an ISR-software like Returnil, you don't need on demand scanners anymore.
An on demand scanner removes malware during each SCAN.
Returnil removes malware during each REBOOT.
There is no difference, except that Returnil will do a much better job than 10 on demand scanners, because Returnil removes any bad change (viruses, spyware, trojans, keyloggers, rootkits, ...), while on demand scanners only remove what they know and what they don't know remains on your harddisk.
How long will it take to run 10 on demand scanners and how long will it take to reboot ?
I boot-to-restore in less than 2 minutes and my ISR-software is the slowest. <-QUOTE}
Wow! I just finished reading about it on their site. And it's free; I downloaded it already and for sure it will be part of my security. Thank you, and also thanks lucas1985.
But we are talking about a clean system. If something is there before I install Returnil, then it stays there, correct? So on demand scanners may find their use too, especially if they are free?
Or maybe it is better I install Returnil first and learn before asking? ;D ;)
feniks
November 17th, 2007, 04:24 PM
{QUOTE-> A behaviour blocker is very good at keeping you malware-free. Putting a firewall with good performance against leaktests will cause overlap of functions, more pop-ups and less resources.
As for on-demand scanners: what are you going to do when they find something?
Your tools for cleanups should be clean images and/or a reboot-to-restore solution. <-QUOTE}
I understand more and more, keep going guys - don't give up on me please. :)
ErikAlbert
November 17th, 2007, 04:39 PM
{QUOTE-> Wow! I just finished reading about it on their site. And it's free; I downloaded it already and for sure it will be part of my security. Thank you, and also thanks lucas1985.
But we are talking about a clean system. If something is there before I install Returnil, then it stays there, correct? So on demand scanners may find their use too, especially if they are free?
Or maybe it is better I install Returnil first and learn before asking? ;D ;) <-QUOTE}
Keep in mind that I was talking about ON DEMAND scanners not MAIN scanners, because good MAIN scanners have a real-time shield and not using MAIN scanners is a subject of a long discussion.
On demand scanners are scanners that you run to find malware that your main scanners didn't find, and those are useless if you have Returnil.
On demand scanners must run EVERY day, each day longer gives a malware more time to execute itself.
lucas1985
November 17th, 2007, 04:49 PM
{QUOTE-> But we are talking about a clean system. If something is there before I install Returnil, then it stays there, correct? <-QUOTE}
Correct.
{QUOTE-> So on demand scanners may find their use too, especially if they are free? <-QUOTE}
On-demand scanners are only useful to check newly downloaded files/attachments. And having these new files saved to disk already implies that you think they're safe enough (brain-based heuristics ;D)
That's why you need to know how malware works and how your chosen security software works to prevent "shoot in the foot" errors
A chain is as strong as its weakest link. You don't want to be the weakest link in your security chain, do you?
Long View
November 17th, 2007, 04:59 PM
{QUOTE-> Wow! I just finished reading about it on their site. And it's free; I downloaded it already and for sure it will be part of my security. Thank you, and also thanks lucas1985.
But we are talking about a clean system. If something is there before I install Returnil, then it stays there, correct? So on demand scanners may find their use too, especially if they are free?
Or maybe it is better I install Returnil first and learn before asking? ;D ;) <-QUOTE}
I see things here completely differently from Erik. I see most real time (Main for Erik) as pointless and on demand as having some value.
You say quite correctly "but we are talking about a clean system" and this raises the question of how we know if a system is clean or not. With Returnil there will be occasions when you have to remove the protection and go online to update, although it is very unlikely that a nastie will get in. If it gets in and is not spotted by real-time protection (a new unknown nastie) then it will be frozen into the system and still be there at every reboot. On demand scans using different programs will hopefully pick it up when the AV/AS programmers catch up.
So I see little point in running just one real time protection AV, which often only slows down a machine, and I prefer to run a variety of on demand scanners on an ad hoc basis.
In any event the chances of getting infected are far less than is often claimed.
lucas1985
November 17th, 2007, 05:56 PM
{QUOTE-> In any event the chances of getting infected are far less than is often claimed. <-QUOTE}
This is true for those practicing safe hex. I know some people who are specially good at finding malware :o ;D
Long View
November 18th, 2007, 05:07 AM
{QUOTE-> This is true for those practicing safe hex. I know some people who are specially good at finding malware :o ;D <-QUOTE}
I know people who argue with their wives all the time. I have learned that it is preferable to keep quiet than to have to wear body armor 24/7.
feniks
November 18th, 2007, 11:12 AM
{QUOTE-> Correct.
On-demand scanners are only useful to check newly downloaded files/attachments. And having these new files saved to disk already implies that you think they're safe enough (brain-based heuristics ;D)
That's why you need to know how malware works and how your chosen security software works to prevent "shoot in the foot" errors
A chain is as strong as its weakest link. You don't want to be the weakest link in your security chain, do you? <-QUOTE}
That was a really good one: my intelligence contra artificial intelligence. ;D :thumb:
{QUOTE-> Keep in mind that I was talking about ON DEMAND scanners not MAIN scanners, because good MAIN scanners have a real-time shield and not using MAIN scanners is a subject of a long discussion.
On demand scanners are scanners that you run to find malware that your main scanners didn't find, and those are useless if you have Returnil.
On demand scanners must run EVERY day, each day longer gives a malware more time to execute itself. <-QUOTE}
Yes, I understand now, as I read some reviews of Returnil. It seems that for a non-technical person Returnil is the easiest way to keep secure, if it is always used before connecting to the internet, and you restart after you are done and sure that the attachments or whatever you downloaded are OK, and disconnect. Then after the restart you can use everything that was OK without Returnil protection on. In this case it seems like you do not need anything else but … :)
My only concern is that if you are connected to the Internet 24/7, I need some protection anyway. I cannot have Returnil on when I install/uninstall, install good programs, update etc.
Concerning security strategy, I want to follow the guidance here as a base to start from:
Securing Windows (http://www.firewallleaktester.com/documents.htm)
And of course, before I expect (using my brain heuristics) dangerous browsing, downloading, checking software, checking mail attachments, I can always engage Returnil. However, maybe Sandboxie would be better as it allows making the changes permanent?
Do I get it correctly? Do you guys agree?
By the way, I want to thank everybody, as I really learn a lot here at Wilders. :thumb: :)
lucas1985
November 18th, 2007, 01:55 PM
{QUOTE-> I know people who argue with their wives all the time. <-QUOTE}
LOL, luckily I'm not married LOL
{QUOTE-> That was a really good one: my intelligence contra artificial intelligence. ;D :thumb: <-QUOTE}
Do you speak Spanish?
{QUOTE-> My only concern is that if you are connected to the Internet 24/7, I need some protection anyway. I cannot have Returnil on when I install/uninstall, install good programs, update etc. <-QUOTE}
Reboot-to-restore applications work best in static environments (i.e. the software base stays almost unchanged).
When you want to update your software, you discard your current session in Returnil and reboot in thawed mode (turning off protection). Then, you only do the required updates and engage the protection again. Also, you should have clean up-to-date images in case the update causes some havoc and/or it's infected.
Always try to get (if possible) standalone/offline installers/updates and check their hashes (http://www.wilderssecurity.com/showthread.php?t=176600) or digital signatures and use Virustotal/Jotti.
{QUOTE-> And of course, before I expect (using my brain heuristics) dangerous browsing, downloading, checking software, checking mail attachments, I can always engage Returnil. However, maybe Sandboxie would be better as it allows making the changes permanent? <-QUOTE}
You can use both Sandboxie/another sandbox and a boot-to-restore solution. Returnil protects your entire system, Sandboxie only protects the sandboxed application. Be aware that some malware can steal data inside the sandbox, although they're deleted when you empty the sandbox.
The more you use your brain, the quieter will be your security apps. In particular, you shouldn't see malware in mail and/or using P2P.
gud4u
November 19th, 2007, 05:06 PM
This multi-layer approach is working flawlessly on my XP system:
- DLink EBR-2310 Wired NAT Router hardware firewall protection
- Comodo Firewall Professional RC1 (both Network Monitor + HIPS active)
- NOD32 V3 resident antivirus protection
- Comodo BOClean 4.25 resident anti-spyware protection
- Spywareblaster inoculator protection
- SuperAntiSpyware (non-resident scanner-only) anti-spyware protection
- Acronis TrueImage 10.0 Backup/Restore utility.
- Using IE7 browser.
Regarding BOClean, it offers excellent resident protection to detect attempted startup of malware, but ignores trivia such as adware cookies. You need a manual AS scanner as well for adware cookie removal.
Hope this helps!