After reading a hacker's blog, I feel it's so hard to be safe.


bonedriven
October 22nd, 2008, 01:13 AM
I've been playing with security software for about 3 years. Although I have not become an expert, I have some "common sense" at least.
I used to think my security combo was so powerful that it would be hard enough to break in. In (link removed) her blog, she showed several security flaws in RTD, MD, EQSecure etc.
A month ago, I found her blog from her post "Helpless and useless Diskshield" in Comodo's forum.
Well, maybe I'm just too naive to have realized the real danger earlier. :doubt:

djohn
October 22nd, 2008, 01:24 AM
Caution, on the link you're providing my geswall just blocked an attack.

jmonge
October 22nd, 2008, 01:26 AM
-{ Quote: "Caution, on the link you're providing my geswall just blocked an attack." }-
Really? What kind of attack was it?

bonedriven
October 22nd, 2008, 01:28 AM
-{ Quote: "Caution, on the link you're providing my geswall just blocked an attack." }-
Hey, seriously!? :blink:

jmonge
October 22nd, 2008, 01:32 AM
-{ Quote: "Hey, seriously!? :blink:" }-
I clicked on the link but all is quiet here??? My security is sleeping maybe, they work hard all day long.

djohn
October 22nd, 2008, 01:33 AM
Yea, a big orange warning and blocked. Checking logs, if I can make sense of them.

lordpake
October 22nd, 2008, 01:33 AM
Same. The page is full of Chinese and some code; perhaps the code there triggers this alert of yours?

Some software reacts even to posted, non-harmful code.

EASTER
October 22nd, 2008, 01:47 AM
Hmmm

The blog link returns this for me: "The page cannot be displayed".


I wouldn't be so put off by any of that. The key is multiple security and with the right combination of certain security apps (including HIPS), it would be a difficult climb to pierce thru them all.

Malware makers, exploit investigators and the like commonly reverse engineer security programs of all sorts to surface limitations they can point to.

EASTER

lu_chin
October 22nd, 2008, 01:47 AM
I got an alert from OA about an ActiveX control to be loaded by this page. Maybe that's why.

djohn
October 22nd, 2008, 01:48 AM
I cannot make sense of geswall logs; the only thing I see is a deny of 3 messages to geswall serv.exe at around the time I clicked the link. The deny was immediate on clicking the link. Anyway, I managed a second attempt on the link and captured it.

bonedriven
October 22nd, 2008, 01:54 AM
-{ Quote: "I got an alert from OA about an ActiveX control to be loaded by this page. Maybe that's why." }-
I'm using OA v3 free. It's quiet as usual.
BTW, I don't think it contains any malicious code except some in her post, like lordpake said.

nick s
October 22nd, 2008, 01:58 AM
-{ Quote: "Really? What kind of attack was it?" }-It appears to be a working proof-of-concept BSOD denial-of-service attack against MD, RTD, and EQS. It crashes my Vista + MD systems. I submitted my minidump to MD (Xiaolin) last week. I gather that the next release will include a fix.

Nick

djohn
October 22nd, 2008, 01:59 AM
Well, my geswall is getting upset about it consistently. Man, I love Geswall.

bonedriven
October 22nd, 2008, 02:06 AM
-{ Quote: "Well, my geswall is getting upset about it consistently. Man, I love Geswall." }-
I bet it is a FP of your GW. :thumbd:

djohn
October 22nd, 2008, 02:14 AM
-{ Quote: "I bet it is a FP of your GW. :thumbd:" }-
Better a false positive than a false negative if it was real, and if it was a simulation of a real attack then it did its job without crashing.

aigle
October 22nd, 2008, 03:33 AM
-{ Quote: "Caution, on the link you're providing my geswall just blocked an attack." }-I get this.

SystemJunkie
October 22nd, 2008, 03:42 AM
-{ Quote: "I cannot make sense of geswall logs," }-
catroot dberr, difficult to say, could be a windows internals thing
or maybe an attempt to manipulate the catalog database.
-{ Quote: "I get this." }-If you really installed a new language it could be a windows internal pepatch.

djohn
October 22nd, 2008, 09:31 AM
-{ Quote: "I get this." }-
Thanks Aigle, somewhat different than what mine says but the same results I guess.

djohn
October 22nd, 2008, 09:35 AM
-{ Quote: "catroot dberr, difficult to say, could be a windows internals thing
or maybe an attempt to manipulate the catalog database.
If you really installed a new language it could be a windows internal pepatch." }-
Thanks SystemJunkie.

Peter2150
October 22nd, 2008, 10:46 AM
Since the link is questionable it is being removed.

Pete

bonedriven
October 22nd, 2008, 10:54 AM
Hi Peter,

I searched her blog and the links in her blog, and found that she is a developer of the security software 360safe. Maybe the best in the team, I think. Hence, I don't think her blog would contain malicious code.
360safe is a popular security software in China at the moment.

jmonge
October 22nd, 2008, 11:25 AM
-{ Quote: "Hmmm

The blog link returns this for me: "The page cannot be displayed".


I wouldn't be so put off by any of that. The key is multiple security and with the right combination of certain security apps (including HIPS), it would be a difficult climb to pierce thru them all.

Malware makers, exploit investigators and the like commonly reverse engineer security programs of all sorts to surface limitations they can point to.

EASTER" }-
Easter, do you use the MVPS hosts file?

jmonge
October 22nd, 2008, 11:29 AM
-{ Quote: "It appears to be a working proof-of-concept BSOD denial-of-service attack against MD, RTD, and EQS. It crashes my Vista + MD systems. I submitted my minidump to MD (Xiaolin) last week. I gather that the next release will include a fix.

Nick" }-That is bad, man, sorry about that. So is your Malware Defender updated already to defeat this kind of attack?

nick s
October 22nd, 2008, 01:01 PM
-{ Quote: "That is bad, man, sorry about that. So is your Malware Defender updated already to defeat this kind of attack?" }-No harm done. I always image before I play. According to Xiaolin, the next release of MD (due to be released this month) will include a fix.

Nick

Alcyon
October 22nd, 2008, 01:21 PM
I'm a little bit curious. Can someone PM me the removed and probably inoffensive link?

jmonge
October 22nd, 2008, 01:29 PM
-{ Quote: "No harm done. I always image before I play. According to Xiaolin, the next release of MD (due to be released this month) will include a fix.

Nick" }-That's good to hear, and also good news that Malware Defender is fast in developing. :thumb:

lordpake
October 22nd, 2008, 01:32 PM
-{ Quote: "I'm a little bit curious. Can someone PM me the removed and probably inoffensive link?" }-
Check your PM.

EASTER
October 25th, 2008, 02:02 AM
-{ Quote: "That's good to hear, and also good news that Malware Defender is fast in developing. :thumb:" }-

Malware Defender is not to be taken lightly. It's at the moment on the same scale as the "few" others (excluding firewall/HIPS combos).

I find it reliable and stable on XP Pro, and its compatibility with all my other security software is encouragement.

It's exciting to see how far what few HIPS developers there are improve this amazing Windows security innovation.

My DREAM TEAM ballistic missile system has gathered momentum & is now coming into reality. Sandbox/Virtual System coupled with a STRONG! HIPS plus a workable Behavioral Blocker and some script protection as a backdrop prevention, followed up by a reserve backup image! in event of any kind of unexpected happening.

EASTER

jmonge
October 25th, 2008, 02:24 AM
-{ Quote: "Malware Defender is not to be taken lightly. It's at the moment on the same scale as the "few" others (excluding firewall/HIPS combos).

I find it reliable and stable on XP Pro, and its compatibility with all my other security software is encouragement.

It's exciting to see how far what few HIPS developers there are improve this amazing Windows security innovation.

My DREAM TEAM ballistic missile system has gathered momentum & is now coming into reality. Sandbox/Virtual System coupled with a STRONG! HIPS plus a workable Behavioral Blocker and some script protection as a backdrop prevention, followed up by a reserve backup image! in event of any kind of unexpected happening.

EASTER" }-Sounds good. I learn a lot, and from what I discovered, if one has a really well configured HIPS program there is no need of any antivirus/antispyware. Note: my taste, own experience.

EASTER
October 25th, 2008, 02:52 AM
I'm always amazed when you can LOCK OUT so very many sections of Windows by applying a simple rule with a checkmark and it sticks TIGHT!

I use a desktop app named ICONOID. I created a rule to prevent reading the DESKTOP, then ran the "finjan" test, which puts that silly folder named "you been hacked" there after using Wscript to copy some My Documents files to it. Well, with a simple rule in EQS, finjan chokes and entirely aborts since it cannot access the DESKTOP that it thinks isn't there to begin with.

On a refresh, some of my icons went AWOL, and that was directly attributed to the "LOCK DESKTOP" rule I made and enabled. After removing the checkmark and APPLY, all my icons returned to normal again. ICONOID was prevented from ANY interaction with the desktop because of that HIPS rule.

Now imagine locking down other folders that way, such as the TEMP directory in the Windows folder and such. I don't do that, but it was a good test of EQS's strength in blinding signals to these areas. I normally allow anything to "READ" but demand to be alerted on some file signalling to land or modify files within various folders, especially vital system folders.

EASTER

trjam
October 25th, 2008, 06:27 AM
hell, I am just using SD and FD. Waiting on the new Prevx but in the meantime, I just reboot once a day and forget about all this stuff.

Long View
October 25th, 2008, 08:07 AM
-{ Quote: "hell, I am just using SD and FD. Waiting on the new Prevx but in the meantime, I just reboot once a day and forget about all this stuff." }-

Heretic - you should be burned at the stake for not understanding that 4 program layers minimum are required. Reboot once a day? You must learn to live in fear and stop spreading such nonsense ;)

Boost
October 25th, 2008, 09:07 AM
-{ Quote: "hell, I am just using SD and FD. Waiting on the new Prevx but in the meantime, I just reboot once a day and forget about all this stuff." }-

ROFL

You're doin' it all wrong! You need at least 15 security enhancement software programs to protect yourself while online~!

Ok, I guess I don't have 15 different security programs either, just glad I have Returnil :argh:

noone_particular
October 25th, 2008, 10:59 AM
Must not be any code there for SSM. Nothing happened. Nothing ever happens. ::) Hope I never see a fly that looks like that. What is that "music"?

bonedriven
October 26th, 2008, 06:39 AM
-{ Quote: "Must not be any code there for SSM. Nothing happened. Nothing ever happens. ::) Hope I never see a fly that looks like that. What is that "music"?" }-
Yea, there is some code to bypass the SSM paid version in her or her friends' blogs, I remember. I am no expert, but I thought she writes some code relying on drivers or BIOS. She said one of her computers was ruined because of her BIOS rootkit or maybe bootkit (I don't know what they are) test.
Check this pic:
http://hiphotos.baidu.com/mj0011/pic/item/4279ecfa8e177acab48f31ae.jpg
Although I don't know what it is all about, in the blog she said: ""Tophet" -- most powerful bootkit in the world? In this boot mode, it neither infects MBR\BootSector\Ntldr, nor modifies or adds any files in the windows folder. Even if you use WinPE or take off your hard disk, you cannot detect the bootkit."

You still think you are safe with SSM?

lordraiden
October 26th, 2008, 06:45 AM
I'm a little bit curious too. Can someone PM me the removed and probably inoffensive link?

bonedriven
October 26th, 2008, 07:04 AM
-{ Quote: "I'm a little bit curious too. Can someone PM me the removed and probably inoffensive link?" }-
Check your PM plz.

Anyone who wants to check her blog may go to Comodo's forum; in the "Diskshield" section you may find her blog's address in the post "helpless and useless diskshield".

noone_particular
October 26th, 2008, 11:43 AM
I didn't see that image anywhere. Most likely, Proxomitron filtered it out. That site is almost impossible to read, even with a translator.
-{ Quote: "
You still think you are safe with SSM?" }-
SSM doesn't keep me safe. My security policy, default-deny, does that. SSM is part of the package that enforces it. As for any code on that site defeating my package, if I'm stupid enough to launch the code, anything is possible. For the malicious code to infect me from the net, it has to get thru Proxomitron unfiltered, a tall order. Then it has to execute without being detected by SSM. I don't see how this is going to happen. No, I'm not worried about it.

Can't make the image of the code appear as a link instead of an inline image. Removed. The code in your link doesn't target my OS anyway. It won't do anything to it.

aigle
October 26th, 2008, 05:47 PM
-{ Quote: "In this boot mode, it neither infects MBR\BootSector\Ntldr, nor modifies or adds any files in the windows folder" }-

Not in the MBR, not in the boot sector even. Where does this bootkit then stay?

bonedriven
October 26th, 2008, 09:57 PM
-{ Quote: "Not in the MBR, not in the boot sector even. Where does this bootkit then stay?" }-
The same question and wild guesses follow behind her post in the blog, with no answer. BTW, she rarely tests her rootkits or bootkits to see if they can bypass HIPS, but she likes to check if they can be hidden from IceSword, Rootkit Unhooker etc. Since she posts them out, it is mostly a positive. Those attacks are considerably low level attacks, when they can cause hardware damage as she once said.
But I don't mean that we need to panic or add more security to our PCs because the attacks are so heavy. We, especially the ones who like to spend time on the Wilders forum, are mostly far from danger. People here are even kind of paranoid in my opinion. The point of my post is that, I think most of the time, the attackers are in front of the security software in the competition. We said signature based AVs were out of date, so we go to HIPS. But HIPS is actually another kind of signature based AV. It can be called an attack-method signature based AV.
We have guns before we have shields. Right?

noone_particular
October 27th, 2008, 02:17 AM
-{ Quote: "We said signature based AVs were out of date, so we go to HIPS. But HIPS is actually another kind of signature based AV. It can be called an attack-method signature based AV." }-
Conventional signature based AVs are definitely obsolete technology that can't keep pace with the threats, but few AVs rely on just signatures anymore. HIPS, at least the classic ones like SSM, have nothing in common with AVs. HIPS and AVs use entirely opposite security policies. AVs are an example of default-permit. Anything not specifically identified as malicious is allowed. With default-deny, anything not identified as safe and whitelisted is blocked. The biggest difference between them is in how the unknown or unidentified is handled. That's where conventional security apps like AVs fail. Classic HIPS can best be described as application firewalls with additional registry, services, autostart locations, and other protections. Classic HIPS is anti-change software. IMO, apps like SSM are the ultimate whitelisting tools. When used to enforce a default-deny policy, any application not whitelisted cannot execute, which includes most malicious code. When malicious code is inserted into files or web content, and these are opened by the allowed applications normally used for those types of files, the HIPS's ability to control the parent-child permissions of individual apps will often prevent that code from accessing and compromising more of the system. It's that ability to effectively isolate the targeted applications from each other and from the operating system in general that makes HIPS so effective, provided the user is knowledgeable enough to configure the HIPS, operating system, and installed software to the same policy.

IMO, when malicious code is allowed to execute, there are no guarantees, no matter what kind of security package you're using. There's no operating system or security application that's invulnerable. There's no containment software that's impossible to escape from. Eventually it will happen, the vendor will fix it, and we'll do it all over again (penetrate, patch, repeat). Too bad for those who get compromised in the mean time. Hopefully, something else like their AV will detect and stop the code from compromising their system.

A system wide default-deny policy attempts to do several things.
1, It attempts to prevent malicious code from getting onto the system.
2, It prevents any malicious code that does from being executed.
3, It attempts to mitigate or contain the effects and actions of any malicious code that does get executed.

The first item, preventing the code from getting onto the system is a combination of traffic control, content filtering, and user discipline and/or control.

The second item, preventing the code from executing is fairly easy when the code is its own executable, such as a trojan process or an installer for a rootkit. It gets harder when the code is embedded in familiar types of files the user regularly uses, like PDFs, media files, web content, etc. Filtering apps, AVs, etc also have roles here.

The third item is the point when the strategy shifts to damage control, preventing that executed code from installing, altering the system, and/or gaining access to the OS itself or to other applications that have sufficient access to perform the task for them. This is the harder part, isolating the attack surface as much as possible. It is the opposite of what is normal for Windows and most user software, the integration of applications and operating system together to make things easy and convenient. Most users don't like applications isolated from each other and won't use a security policy that does this.
An example of malicious code that can exploit this integration is the POC for last year's zero day PDF vulnerability (http://www.gnucitizen.org/blog/0day-pdf-pwns-windows/). If the system is configured to open online PDFs in the browser, HIPS cannot contain the actions of the exploit code. If that browser is Internet Explorer, the malicious code would have access to the OS itself because Internet Explorer is part of the OS. If that same PDF is saved to file, then opened with Acrobat directly (not in the browser), then HIPS can prevent the code from launching the browser and gaining access to the OS.

Much of what I've posted may seem off topic, but it does show one way that unknown or new malicious code can be dealt with. In my opinion, a default-deny policy is the best way to secure a system against unknown threats. Yes, some of this new malware is very nasty. The thought of it running on your system is frightening. I truly think some of it is reaching the point of becoming almost permanent, either undetectable or not removable by anyone without specialized equipment. It's definitely not something an AV is going to remove. Thanks in part to botnets, malware can be spread quite far before the AV vendors can get detections for it released. This makes prevention more important than ever. It's impossible to specifically defend against every new type of malware or every potential delivery method. The more interactive the internet becomes, the more methods there will be for delivery. Regardless, it still has to get onto your system and it still has to be executed. Both of these can be stopped. IMO, a default-deny security policy is the best way to protect your system against new threats. The more the user understands the workings of their system, the better they can configure it and their security apps to enforce the security policy.
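The parent-child containment argument in the post above, modelled as an added example (not code from the thread or from SSM or any other HIPS): a default-deny whitelist plus per-parent launch rules replayed over a constructed sequence of process-launch events. The process names, the rules and the two PDF scenarios are hypothetical, and the point the replay shows is that exploit code running inside the browser process produces no launch event for the policy to refuse, while the same code in a stand-alone reader has to launch something and gets denied.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Hypothetical HIPS model: default-deny whitelist plus per-parent child rules."""
    whitelist: frozenset                      # executables allowed to run at all
    child_rules: dict = field(default_factory=dict)  # parent -> set of launchable children

    def decide(self, parent, child):
        """Return (verdict, reason) for one launch attempt of `child` by `parent`."""
        if child not in self.whitelist:
            # Unknown binaries (e.g. a dropped payload) never run: default-deny.
            return "deny", "not whitelisted (default-deny)"
        if child not in self.child_rules.get(parent, set()):
            # Whitelisted, but this parent has no permission to start it.
            return "deny", "parent-child rule"
        return "allow", "whitelisted and permitted for this parent"


def replay(policy, events):
    """Evaluate a sequence of (parent, child) launch events in order."""
    return [(p, c, *policy.decide(p, c)) for p, c in events]


def denied(policy, events):
    """Children whose launch the policy refused, in event order."""
    return [c for p, c, verdict, _ in replay(policy, events) if verdict == "deny"]


# Constructed policy: the user's everyday apps are whitelisted, Explorer may
# start them, and the PDF reader has no child rule, so it may start nothing.
POLICY = Policy(
    whitelist=frozenset({"explorer.exe", "iexplore.exe", "acrord32.exe"}),
    child_rules={"explorer.exe": {"iexplore.exe", "acrord32.exe"}},
)

# Scenario A (constructed): the PDF is opened inside the browser. The exploit
# code executes within the browser's own process, so the only launch event is
# the browser start; there is nothing separate for the policy to deny.
PDF_IN_BROWSER = [("explorer.exe", "iexplore.exe")]

# Scenario B (constructed): the PDF is saved and opened in the reader directly.
# To reach the OS the exploit must now launch another process, and each such
# attempt is an event the policy can refuse.
PDF_IN_READER = [
    ("explorer.exe", "acrord32.exe"),
    ("acrord32.exe", "iexplore.exe"),  # reader tries to reach the OS via the browser
    ("acrord32.exe", "dropper.exe"),   # reader tries to run an unknown binary
]

if __name__ == "__main__":
    for label, events in (("PDF in browser", PDF_IN_BROWSER), ("PDF in reader", PDF_IN_READER)):
        print(label)
        for parent, child, verdict, reason in replay(POLICY, events):
            print(f"  {parent} -> {child}: {verdict} ({reason})")
```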

Stijnson
October 27th, 2008, 03:19 AM
Where would one encounter these threats?

If you practise safe surfing - mail checking, visiting two or three regular sites (up for debate, I know), what would the chances be for a user to get infected by these kind of viruses?

bonedriven
October 27th, 2008, 04:51 AM
Hi noone_particular,
I agree with what you said above. We don't have any disagreement there.

Saraceno
October 27th, 2008, 06:52 AM
-{ Quote: "hell, I am just using SD and FD. Waiting on the new Prevx but in the meantime, I just reboot once a day and forget about all this stuff." }-

I hear ya brother. Shadow Defender, best program I've used.

bonedriven
October 27th, 2008, 07:39 AM
-{ Quote: "I hear ya brother. Shadow Defender, best program I've used." }-
Maybe I misunderstand your point in talking about SD in this thread. I have to tell you that, according to this hacker's post in her blog, all software like Deep Freeze, Comodo's Diskshield etc., including 360guardshield, which is the product of the company she works for, can be bypassed using her new tech. And the method will be released at XCON2008.

Saraceno
October 27th, 2008, 08:08 AM
Mentioned DiskShield, but that's in beta stage and a new program. It will improve as time goes by. From my understanding, programs like Returnil and Shadow Defender, have been tested more thoroughly and put through their paces.

But maybe you're right. However, to what degree can the exploit work as a drive-by download? Maybe the exploit only works once it's already configured and installed.

But then again, what are the chances of that happening when I visit a handful of reputable sites? IMO, I'd have more chance of my house being blown up by a submarine missile. :)

bonedriven
October 27th, 2008, 08:20 AM
-{ Quote: "However, to what degree can the exploit work as a drive-by download? Maybe the exploit only works once it's already configured and installed." }-
I don't know.
-{ Quote: "
IMO, I'd have more chance of my house being blown up by a submarine missile. :)" }-
You are probably right.

Saraceno
October 27th, 2008, 08:37 AM
It's all cool. You're doing the good thing and informing others about it.

I wasn't trying to sound like a smart @ss, as anyone can have things go wrong when they least expect it. I watched as all my files/resume/application letters were all deleted while I had a firewall and AV on.

And you're right that a lot of the programs we have today are reactive. They were created in response to what was/is affecting systems. But the creators of 'malware', they are proactive, always trying new things. So it's a matter of time before something new takes shape. There will be a short period, but the 'reactive' programs will obviously catch-up, and then you'll have problems again, a lag when a program/patch is being developed, then catch-up.

On another level, best thing I've done is avoid torrents. They're free, but there's a catch. Nowadays, if I want a DVD, I'll pick one up for cheap online and save myself all that 'long careful monitoring' that comes with opening large unknown files.

Einsturzende
October 27th, 2008, 09:54 AM
If we are talking about BIOS modification, appz. like Shadow Defender or Disk Shield cannot prevent this; they are meant to prevent disk modifications, not BIOS. Also, BIOS modification from the Windows OS could be stopped by: HIPS (if there is a protected API which the malware hooks on); "sandbox" software like Sandboxie should also prevent BIOS modification, and virtual machines also (your virtual BIOS will be modified).

~shiver P.S.~ try to flash the BIOS from an SD defended partition, e.g. the system drive; I think you will succeed...

wat0114
October 27th, 2008, 10:12 AM
-{ Quote: "

If you practise safe surfing - mail checking, visiting two or three regular sites (up for debate, I know), what would the chances be for a user to get infected by these kind of viruses?" }-

Slim and none. These perceived evil threats lurking around the corners of every website we visit are so overblown by some in these forums, it's hilarious.

bonedriven
October 27th, 2008, 10:36 AM
-{ Quote: "Slim and none. These perceived evil threats lurking around the corners of every website we visit are so overblown by some in these forums, it's hilarious." }-
It's not people like me that are hilarious, but those hackers and virus writers. They always try to do something impossible. Why do they waste their time?

noone_particular
October 28th, 2008, 09:22 PM
What makes you think it's impossible? As fast as computer technology advances, I wouldn't call anything impossible. Ten years ago, if someone would have claimed that they could control hundreds of thousands of other peoples PCs without their knowledge, then use their combined power to launch attacks that could take anyone offline, people would have said it's impossible. As for why, malware is big money and greed is a powerful motivator. Many things are difficult to accomplish. They're called impossible when someone isn't motivated enough.

Regarding:

"Where would one encounter these threats?"

All the usual places, plus a few methods that are more recent. The recent vulnerabilities found in the DNS system have the potential to be a security nightmare. As best as I understand it, the vulnerability is its design. The "fix" that's been applied is nothing more than a quick fix. The design problem remains. If DNS is exploitable and browsers can be directed to sites that are not the ones the user wanted to go to, how can any site be considered trustworthy if the system that's supposed to take you there isn't?

We're also seeing more instances of legitimate sites being compromised. Look at the Bank of India (http://www.wilderssecurity.com/showthread.php?t=184525&highlight=%22bank+India%22) incident last year. I'd bet that some of their customers have an altered opinion of "trusted sites."

IMO, the entire concept of trusted sites needs to be re-evaluated, now. Obviously, there are not "evil threats lurking around the corners of every website we visit". The internet itself has been proven to be vulnerable, as are the sites we visit and choose to trust. IMO, the internet itself and everywhere it takes you has to be regarded as potentially malicious. No, we won't be getting attacked by every site we visit or trust. We won't be getting attacked daily, or weekly, or monthly. There's no way we can know where or when we'll encounter a malicious site, or a compromised legitimate one, just as we have no way of knowing what method of exploit that site will use or what it will try to infect us with. That doesn't mean we have to worry about every page we visit, every link, media file, etc. "Potentially malicious" can be dealt with by limiting trust. Forget trusted zones and trusted sites. Make all of the internet a restricted zone. The majority of attacks use some form of active content. Block active content by rule, then allow it as needed on a one time basis only when it's something that you want or need to see, not because the webmaster or adserver wants you to see it.

In one respect, we've been very fortunate. How many times has someone found a new way to exploit PCs, software, the web itself, etc, then wasted it? Anyone remember Slammer, the first Warhol worm (http://en.wikipedia.org/wiki/Warhol_worm)? Slammer infected 90% of all vulnerable machines within 10 minutes, but carried no real payload! How much worse could it have been if that worm's writer had added a payload like an AV killer and released a new rootkit right behind it? The day will come that someone finds a new zero day exploit, then uses it to deliver a brand new type of malware. There will be hell to pay. A new DNS exploit combined with phishing websites would make some criminal hacker very rich. A new method of exploiting the servers for websites combined with some new malware would do the same. When the criminal element stops wasting new exploits, using them to deliver old or known payloads, look out.

bonedriven
October 29th, 2008, 06:27 AM
Hi noone_particular,
You don't see my point when I said "impossible". Some people just want to believe their PCs are impossible to get hacked since they have so many well tuned HIPS and paid antivirus plus SD, SB, DF or whatever.
This thread makes many people here unhappy. They need to have their hands on the wheel.

noone_particular
October 30th, 2008, 07:43 PM
-{ Quote: "It's not people like me that are hilarious, but those hackers and virus writers. They always try to do something impossible. Why do they waste their time?" }-
I took this to mean that the hackers and virus writers were wasting their time. You'll get no argument from me on your last statement. The completely secure PC or security package doesn't exist. My security policy is based on 3 assumptions.
All software can be hacked or exploited.
The software that handles internet and external content will eventually be exploited.
Users make bad decisions.

Even if the perfect security package did exist, as soon as it's under the control of a person, it would no longer be perfect.

Long View
October 31st, 2008, 09:44 AM
-{ Quote: "

Even if the perfect security package did exist, as soon as it's under the control of a person, it would no longer be perfect." }-

Which is why it is good to know that threats are nowhere near as serious as some would argue. There is no doubt that threats exist and that they can do harm, but the idea that we all need fantastic levels of security is misguided.

PROROOTECT
October 31st, 2008, 10:21 AM
Hi everyone,

Long View: I 100% agree with you.
I do not smoke, do not drink, do not go on bad sites, do not click anywhere.
It is the human factor which is the determining factor.
Look at my signature.

PROROOTECT8)

thathagat
October 31st, 2008, 10:49 AM
The problem is that when security is feeble, more and more layers are added, and then the desire to test the limits of this so-called impregnable cyber castle sets in.... If nothing untoward happens, more risky and hazardous challenges are thrown at the poor setup.... and forlornly, if it fails, the setup is again upset and the odyssey for the proverbial Fort Knox is begun again....... How do I know? Well, I am one of the journeymen.................

Kees1958
October 31st, 2008, 02:25 PM
Thathagat, longview

Although I enjoyed the journey, I am now only using ThreatFire free and XP Pro power user plus some additional SRP rules.

And what when I get busted with malware? I fallback to an older image.

And what when files get infected/corrupted? I recover data from my external (off line) harddisk

And what when this all fails? **** happens, accept it as a fact of life, but it is important to realise that it is not realistic and healthy to let a 0,00001% chance influence your life for 99,99999% of the time. Do the maths and you will accept that the security saga is in fact a journey to learn your own limitation of having control on your virtual world and dealing with it, like in real life.

Zen and the art of fixing security set ups :)

Cheers Kees

wat0114
October 31st, 2008, 10:14 PM
-{ Quote: "
And what when I get busted with malware? I fallback to an older image." }-

or even if something non-malware related corrupts my system, I simply love my image software for the easy and seamless recovery :)

-{ Quote: "And what when files get infected/corrupted? I recover data from my external (off line) harddisk" }-

another wise security measure overlooked by probably too many.

-{ Quote: "And what when this all fails? **** happens, accept it as a fact of life, but it is important to realise that it is not realistic and healthy to let a 0,00001% chance influence your life for 99,99999% of the time. Do the maths and you will accept that the security saga is in fact a journey to learn your own limitation of having control on your virtual world and dealing with it, like in real life.

Zen and the art of fixing security set ups :)

Cheers Kees" }-

:thumb: ;D

arran
October 31st, 2008, 10:32 PM
-{ Quote: "I've been playing with security software for about 3 years. Although I have not become an expert, I got some "common sense" at least.
I used to think my security combo was so powerful that it would be hard enough to break in. In (link removed) her blog, she showed several security flaws in RTD, MD, EQSecure etc.
A month ago, I found her blog from her post "Helpless and useless Diskshield" in Comodo's forum.
Well, maybe I'm just too naive to have realized the real danger earlier.:doubt:" }-

What is the url?

can some one please pm me the link or repost it?

noone_particular
November 1st, 2008, 12:14 PM
-{ Quote: "which is why it is good to know that threats are nowhere near as serious as some would argue. There is no doubt that threats exist and that they can do harm, but the idea that we all need fantastic levels of security is misguided." }-
The malware itself is serious. I wouldn't want to be the one who had to find and remove some of it. Fortunately for us, the ones who write that malware and the ones who look for software and OS vulnerabilities to exploit don't appear to work together very often. Someone finds a new browser exploit, then uses it to distribute a common mass mailing worm, which exposes the new exploit and results in its being patched. We are fortunate that they don't plan ahead more and work together.

The last time I thought I knew what you meant, I was wrong, so this time I'll ask. :ouch: Can I assume that "fantastic levels of security" refers to large quantities of overlapping security apps? I remember when I took that road. I had 2 firewalls, 3 AVs, many anti-spyware and anti-trojan apps, multiple layers of integrity checking, and several other apps I can't remember right now. Lately I see too many users running multiple HIPS, firewalls, and behavior blockers, and calling it layered security. With some of the setups I've seen posted here, I think their strategy is to use up all the disk space, memory, and processor cycles so that there's nothing left to run the malware! Layered security is not a big pile of security apps. I've never understood the logic of running more than one HIPS, unless you don't trust one of them. Those I'd ask why they use it at all if they don't trust it. If something is so flawed or misconfigured that a single HIPS can be defeated, a second one is just an inconvenience to an attacker.

The biggest problem I see with most of these setups is that the OS, user software, and security apps aren't configured to work together. The user hasn't planned out their strategy, aka developed a security policy. It might take a bit more time and study to put together a good security policy, but it's worth it. Stacking up multiple security apps, adding this one, replacing that one, then trying to make them all get along takes time too. My base security package is 3 apps, a firewall, HIPS, and a web content filter. Everything is configured to work together. There's no way I'll claim that my security package and policy is 100% secure, but it has been good enough to keep my system clean for over 3 years with multiple users. I'm not a safe user. I go anywhere I want. I use P2P for both media and software. I collect malware, attack phishing sites, test exploits, etc. I have full system backups in case my defenses aren't good enough, but I've never had to use them. Sure, I could build up my defenses even more. Thought about making my present OS a virtual system and running it on a stripped down, locked down host system. In theory it would be more secure. In the real world, it would be slower, heavier, more complicated, and would require faster hardware in order to get what I already have. Why bother?

wat0114
November 1st, 2008, 01:07 PM
-{ Quote: "Lately I see too many users running multiple HIPS, firewalls, and behavior blockers, and calling it layered security." }-

either that or a ballistic missile defense system ::)

-{ Quote: "With some of the setups I've seen posted here, I think their strategy is to use up all the disk space, memory, and processor cycles so that there's nothing left to run the malware!" }-

LOL! well said.

-{ Quote: " I've never understood the logic of running more than one HIPS, unless you don't trust one of them. " }-

second that, and why even bother running a HIPS if it can't be trusted to serve without help from another HIPS?

-{ Quote: "My base security package is 3 apps, a firewall, HIPS, and a web content filter." }-

and nothing at all wrong with this setup, especially if you run it on a reduced account, even if it's a softened power user account, something I do and I see kees does as well.

-{ Quote: "I have full system backups in case my defenses aren't good enough..." }-

imo the pinnacle of a sound security setup.

thathagat
November 1st, 2008, 01:16 PM
-{ Quote: "attack phishing sites" }-
sir..........they need the protection................

PROROOTECT
November 1st, 2008, 01:33 PM
Noone particular the BEST of the BEST:
'With some of the setups I've seen posted here, I think their strategy is to use up all the disk space, memory, and processor cycles so that there's nothing left to run the malware!'
- I think the same thing!:argh: :-*

Long View
November 1st, 2008, 01:37 PM
-{ Quote: "The malware itself is serious. I wouldn't want to be the one who had to find and remove some of it." }-

I have never actually suffered from a virus or malware, but if I did I would not try to remove it; I would simply restore a known good image.

-{ Quote: "The last time I thought I knew what you meant, I was wrong, so this time I'll ask. :ouch: Can I assume that "fantastic levels of security" refers to large quantities of overlapping security apps?" }-

Yes. Also my aim is to run as little security as possible. Most of the time, for me, that means a hardware firewall and nothing else. Going on line I use FF with Noscript, Cslite, and Adblock plus and when I go somewhere that might be dangerous I turn on Shadow Defender. Every so often I load up an on demand to check.

alex_s
November 1st, 2008, 05:16 PM
-{ Quote: "I have never actually suffered from a virus or malware, but if I did I would not try to remove it; I would simply restore a known good image." }-

-{ Quote: "Yes. Also my aim is to run as little security as possible. Most of the time, for me, that means a hardware firewall and nothing else." }-

I dare to say the built-in firewall (Windows XP and Vista) is not a bit worse than any hardware firewall (recently). I'd say the built-in one is even safer because it is application oriented. There is only one task a HW firewall can do better (but not every HW FW): DoS attacks, which are irrelevant in most cases. And it is definitely completely useless when you try to run something new on your computer. Yes, in case you need nothing new you may be safe. But I'd say this is a very inconvenient limitation for most people.

noone_particular
November 1st, 2008, 05:48 PM
-{ Quote: "-{ Quote: "The malware itself is serious. I wouldn't want to be the one who had to find and remove some of it." }- I have never actually suffered from a virus or malware, but if I did I would not try to remove it; I would simply restore a known good image." }-
On my own system, that would be my choice as well. I was thinking of a service call for a PC I haven't worked on before, where a good system restore isn't available, and neither is an install CD. There have been a few times that fighting the malware was more hassle than it was worth, but there were no other legal options besides buying a Windows CD and starting over.

I also run a hardware firewall, an old PC converted to Smoothwall (http://smoothwall.org/). Best way I know to recycle an old PC, even ones too slow to run Win98 decently. I do also run a software firewall, Kerio 2.1.5. Controlling internet access for each application and process individually is something I consider central to my security policy, default-deny. Very few apps and system components are allowed internet access. Besides, Kerio is so light you wouldn't know it's there if it wasn't for the tray icon.

SSM always runs with the UI disconnected. No user prompts means no bad user decisions. I don't have to worry about what someone else might install because the installer can't run and the browser doesn't have permission to launch much of anything.

Instead of FF, I use SeaMonkey (http://www.seamonkey-project.org/), aka the old Mozilla Suite. It connects through Proxomitron only (thanks to Kerio and its excellent control over local\loopback connections). If malicious code did manage to successfully attack Proxomitron and kill it, most apps will lose internet access, including the browser. A configured failsafe. Proxomitron serves as ad-blocker, script blocker, user agent and referrer modifier, remote proxy switcher, whitelister of site permissions, etc. IMO, it's one of the best apps ever written, of any kind. Too bad that the author died and didn't reveal the source code. The filters are a blend of the default, JD-list, Sidki, and other custom filters and permission lists.

SeaMonkey has several extensions installed that help out too, FlashBlock, Show-IP, User Agent Switcher, Switch Proxy (used with other proxy utilities and TOR), Media Player Connectivity, JSView, all very useful. The browser cache and temp locations are located on a virtual drive from which nothing is allowed to execute, courtesy of system configuration and SSM rules. If I expect problems from sites I'm going to visit, I'll take an Inctrl5 snapshot before I start and another when I'm done. If anything gets changed, I'll know it.

During normal usage, it's easy to forget that there is a security policy in place and being enforced. An Internet Explorer user may notice changes in web pages they know, the lack of banner ads, flash not running, embedded media not playing etc. Most of the time, that's not an inconvenience, but an improvement to the site being viewed.

Long View
November 1st, 2008, 05:56 PM
Alex_S - sorry if I confused you. I was the one who wrote the things you seem to disagree with, not noone_particular.

2 points - I was simply saying that if I ever did have any malware I would not feel comfortable with removing it. I would prefer to turn the clock back a few days or weeks.

Secondly, I wasn't saying that a hardware firewall was the thing which protected me - rather that a hardware firewall, Firefox and Shadow Defender are the only things that others might consider as security.

Running something new is something I do almost every day. Perhaps not running just any old program from the gutter helps keep me safe. My view, which I will repeat, is that people make too much fuss about security software.
I run up to 7 machines on a regular basis and have done so for years. I might just be lucky.

Just curious - how often are you attacked? When was the last time? How did you get attacked? Did you go out of your way to get attacked, or could this have happened to a "safe" surfer?

noone_particular
November 1st, 2008, 11:40 PM
I'm having a hard time determining to whom the different questions and comments are directed in the last several posts.
-{ Quote: "And it is definitely completely useless when you try to run something new on your computer. Yes, in case you need nothing new you may be safe. But I'd say this is a very inconvenient limitation for most people." }-
What is this referring to?

-{ Quote: "Just curious - how often are you attacked? When was the last time? How did you get attacked? Did you go out of your way to get attacked, or could this have happened to a "safe" surfer?" }-
Who are these directed to?

alex_s
November 2nd, 2008, 05:46 AM
-{ Quote: "Secondly, I wasn't saying that a hardware firewall was the thing which protected me - rather that a hardware firewall, Firefox and Shadow Defender are the only things that others might consider as security." }-

Nothing personal :)

I just opposed the idea that a HW firewall adds much to security or can replace other "traditional" security tools. It seems recently HW firewalls' value is overestimated a bit.

-{ Quote: "Just curious - how often are you attacked? When was the last time? How did you get attacked? Did you go out of your way to get attacked, or could this have happened to a "safe" surfer?" }-

It can be said I'm attacked every day by malicious emails. I can't remember that I was successfully attacked by web means other than downloading something which then appeared to be not what it declared to be. It can also be said that I'm attacked by different "probes" when I connect to the Internet, but I do not regard those attacks as having any potential danger. As long as I'm a developer and my system is filled with a lot of commercial and NDA things, my main concern is being leakproof. And here I cannot wait for the attacks to decide whether I should be protected or not; I just must be ready all the time. I also often plug my laptop into different networks, and this is why I need a good s/w firewall.

BlueZannetti
November 2nd, 2008, 07:45 AM
-{ Quote: "I just opposed the idea that a HW firewall adds much to security or can replace other "traditional" security tools. It seems recently HW firewalls' value is overestimated a bit." }-My own take is that their role is underestimated if anything. All unsolicited net based attacks are rejected with no performance impact on the user PC. This is a fairly significant chunk of potential threats. After all, this is precisely the route followed for virtually all those examples out there of machines becoming infected within x minutes of being placed on a broadband connection.
-{ Quote: "It can be said I'm attacked every day by malicious emails." }-Many of us never see this anymore - it's handled by server side protection managed by the ISP.
-{ Quote: "I can't remember that I was successfully attacked by web means other than downloading something which then appeared to be not what it declared to be." }-This will invariably remain the route of choice for some time - a user initiated series of events started either by deliberate navigation to an infected site, redirection to an infected site, or launch of a malicious program.
-{ Quote: "It can also be said that I'm attacked by different "probes" when I connect to the Internet, but I do not regard those attacks as having any potential danger." }-That is quite true of most of those probes, they're benign.
-{ Quote: "As long as I'm a developer and my system is filled with a lot of commercial and NDA things, my main concern is being leakproof. And here I cannot wait for the attacks to decide whether I should be protected or not; I just must be ready all the time. I also often plug my laptop into different networks, and this is why I need a good s/w firewall." }-Good advice for anyone regarding a software firewall, particularly for a mobile system.

Blue

bonedriven
November 2nd, 2008, 08:06 AM
I just have a feeling that there will be malware in the future that attacks us like the old CIH did, and shocks most of us.
Maybe it's because I'm too pessimistic.

BlueZannetti
November 2nd, 2008, 08:19 AM
-{ Quote: "I just have a feeling that there will be malware in the future that attacks us like the old CIH did, and shocks most of us." }-If that feeling reflects an appreciation and general awareness of what's possible and general points that one should be aware of, then it's a healthy perspective. On the other hand, if it reflects an anxiety over pure hypotheticals that have not been realized in practice and which violate some very basic constraints of reality, it's more of an unhealthy paranoia. I see both extremes floating around out there.

Blue

bonedriven
November 2nd, 2008, 08:39 AM
-{ Quote: "If that feeling reflects an appreciation and general awareness of what's possible and general points that one should be aware of, then it's a healthy perspective. On the other hand, if it reflects an anxiety over pure hypotheticals that have not been realized in practice and which violate some very basic constraints of reality, it's more of an unhealthy paranoia. I see both extremes floating around out there.

Blue" }-
I mean an ordinary virus can't bring me down, but if one day there comes a top attack all over the world, which I think will probably happen, then I will definitely be one of the victims.
BTW (maybe it's off-topic), I also think mankind will ruin themselves like in those Hollywood movies.
I myself can't tell if I'm sick.:argh:

noone_particular
November 2nd, 2008, 10:23 AM
-{ Quote: "And it is definitely completely useless when you try to run something new on your computer. Yes, in case you need nothing new you may be safe. But I'd say this is a very inconvenient limitation for most people." }-
Control of internet access for individual applications is the domain of the software firewall. A firewall has to be installed on an OS in order to be aware of the applications running on it. Except for the fact that both filter inbound traffic, hardware and software firewalls can't really be compared. Hardware firewalls are superior when it comes to inbound protection. They're separate from the OS and are not influenced by anything that attacks via Windows, like malware that kills security software. When outbound control and data leakage are important, a software firewall is a necessity. That's why I use both.
-{ Quote: "As long as I'm a developer and my system is filled with a lot of commercial and NDA things, my main concern is being leakproof. And here I cannot wait for the attacks to decide whether I should be protected or not; I just must be ready all the time. I also often plug my laptop into different networks, and this is why I need a good s/w firewall." }-
Exactly!

alex_s
November 2nd, 2008, 03:22 PM
-{ Quote: "My own take is that their role is underestimated if anything. All unsolicited net based attacks are rejected with no performance impact on the user PC." }-

Well, this is theory and speculation. Does anybody have any figures, statistics or something? As for me, I have never used a HW firewall and never felt any difference in performance between a linked and an unlinked computer. Why?

wat0114
November 2nd, 2008, 04:12 PM
-{ Quote: "Well, this is theory and speculation." }-

No, it's fact. All unsolicited incoming connections are dropped by the hw firewall, taking all the load off the software fw, thereby decreasing the resources that would otherwise be used on the pc to handle these connection attempts. The impact may be very minimal if using a software fw for all incoming traffic, but it's indisputably there, especially if logging is enabled for all types of traffic.

andyman35
November 2nd, 2008, 07:41 PM
-{ Quote: "Thathagat, longview

Although I enjoyed the journey, I am now only using ThreatFire free and XP Pro power user plus some additional SRP rules.

And what when I get busted with malware? I fall back to an older image.

And what when files get infected/corrupted? I recover data from my external (offline) hard disk.

And what when this all fails? **** happens, accept it as a fact of life, but it is important to realise that it is not realistic and healthy to let a 0,00001% chance influence your life for 99,99999% of the time. Do the maths and you will accept that the security saga is in fact a journey to learn your own limitation of having control on your virtual world and dealing with it, like in real life.

Zen and the art of fixing security set ups :)

Cheers Kees" }-

Impeccable logic there :thumb:
The fact is that if the system gets 'destroyed', a few minutes loading a good image and sanity is restored. Keep all important data off the system drive and the whole thing becomes nothing more than a minor irritation.

BlueZannetti
November 2nd, 2008, 08:05 PM
-{ Quote: "Well, this is theory and speculation." }-Ummm..., no, it's not. It's a simple statement based on how these devices function.

Blue

djohn
November 2nd, 2008, 09:49 PM
-{ Quote: "Impeccable logic there :thumb:
The fact is that if the system gets 'destroyed', a few minutes loading a good image and sanity is restored. Keep all important data off the system drive and the whole thing becomes nothing more than a minor irritation." }-
I agree; in fact I find it fun to trash a system then build it back. I feel confident enough from what I have learned that nothing can touch me, or at least not for long. At this point in time I have imaged and restored with 100 percent success a dozen times, give or take, but by choice and by no means forced to by infections, and if the images fail, oh well, **** happens. I think the most to worry about is identity theft, banking safety etc. If one takes proper precautions we can do all this with success 99.9 percent of the time without incident. IMO if one surfs adult sites, downloads cracks and so forth, then goes online banking, well then perhaps one should be paranoid. IMO paranoia is a lack of confidence, or at least a mindset.

noone_particular
November 3rd, 2008, 12:35 AM
System backup images solve the problem of having to remove malware infections and are good for undoing user experiments that don't go as planned, provided that the user keeps their backups fairly current. The problem then becomes when to use them. Daily, weekly, each reboot, as needed? Using them "as needed" gives the user the problem of knowing when one might be needed. Modern malware hides very well. A user can be infected and never know it unless they regularly run rootkit detection software.

The other problem with relying on backups and images for security is that they offer no real time protection. A user could easily become infected by a keylogger or password stealing trojan between backups and have personal info stolen before they use the backup image. Malware doesn't have to be permanent to be costly.

Reboot to restore and system backups would be ineffective against another Slammer type worm that infected PCs within minutes of their going online. I seriously doubt that Slammer was a one time oddity that we won't see the likes of again. IMO, a system that relies on system backups or reboot to restore software still needs real time protection to protect it from malware that doesn't get installed to the hard drive, but lives in memory.

There is no single method of securing a system that doesn't have some weakness. Reboot to restore is vulnerable to short term and memory resident malware. AVs are vulnerable to missed detections. HIPS is vulnerable to user decisions and weak configuration. When they're used together, one's weakness is another's strength. The most effective security systems don't rely on just one line of defense.

wat0114
November 3rd, 2008, 01:02 AM
-{ Quote: " IMO, a system that relies on system backups or reboot to restore software still needs real time protection to protect it from malware that doesn't get installed to the hard drive, but lives in memory. " }-

Absolutely! That's why I'm also an advocate of application control software firewalls such as Outpost or Jetico for control of outbound traffic, as well as antivirus software.

-{ Quote: "There is no single method of securing a system that doesn't have some weakness. Reboot to restore is vulnerable to short term and memory resident malware. AVs are vulnerable to missed detections. HIPS is vulnerable to user decisions and weak configuration. When they're used together, one's weakness is another's strength. The most effective security systems don't rely on just one line of defense." }-

This ought to be a sticky somewhere :thumb:

alex_s
November 3rd, 2008, 06:39 AM
-{ Quote: "No, it's fact. All unsolicited incoming connections are dropped by the hw firewall, taking all the load off the software fw, thereby decreasing the resources that would otherwise be used on the pc to handle these connection attempts. The impact may be very minimal if using a software fw for all incoming traffic, but it's indisputably there, especially if logging is enabled for all types of traffic." }-

This is what I'm talking about. The impact is INVISIBLE. Since it is invisible, is there really anything to worry about? I guess disk defragmentation has a more sensible impact, still most people do not care. Additional RAM has a more sensible impact, still people do not care much.

alex_s
November 3rd, 2008, 06:44 AM
-{ Quote: "Ummm..., no, it's not. It's a simple statement based on how these devices function.

Blue" }-

I mean my initial statement "HW firewalls are overestimated a bit". I do not argue that it can stop some traffic and have some impact on system performance. I only want to know that impact expressed in accurate figures, or at least half-accurate figures.

For example:

"in the general case a HW firewall saves 0.01-0.02% of CPU resources and 0.0001-0.0002% of RAM resources" or something like this.

andyman35
November 3rd, 2008, 08:42 AM
-{ Quote: "System backup images solve the problem of having to remove malware infections and are good for undoing user experiments that don't go as planned, provided that the user keeps their backups fairly current. The problem then becomes when to use them. Daily, weekly, each reboot, as needed? Using them "as needed" gives the user the problem of knowing when one might be needed. Modern malware hides very well. A user can be infected and never know it unless they regularly run rootkit detection software.

The other problem with relying on backups and images for security is that they offer no real time protection. A user could easily become infected by a keylogger or password stealing trojan between backups and have personal info stolen before they use the backup image. Malware doesn't have to be permanent to be costly.

Reboot to restore and system backups would be ineffective against another Slammer type worm that infected PCs within minutes of their going online. I seriously doubt that Slammer was a one time oddity that we won't see the likes of again. IMO, a system that relies on system backups or reboot to restore software still needs real time protection to protect it from malware that doesn't get installed to the hard drive, but lives in memory.

There is no single method of securing a system that doesn't have some weakness. Reboot to restore is vulnerable to short term and memory resident malware. AVs are vulnerable to missed detections. HIPS is vulnerable to user decisions and weak configuration. When they're used together, one's weakness is another's strength. The most effective security systems don't rely on just one line of defense." }-

By keeping only Windows + programs on the system drive and all saved data elsewhere, it's very easy to load a clean image, update everything, then re-image, to be reasonably confident of always having a clean baseline to deal with.
The frequency with which you restore from that image would be dependent upon a few factors such as the activities undertaken and technical expertise of the user.

Long View
November 3rd, 2008, 08:43 AM
Alex_s, I don't know if this helps or just adds to the confusion?

I have been using Broadband now for just over 5 years using the same Netgear DG834 and Firefox. For most of that time I have NOT run real time av or as or hips and have only once or twice tested a software firewall. Even when I did run AS or av they found nothing.

Perhaps I'm wrong and the Hardware firewall is of little use?

I guess I have to conclude either that:

(a) The firewall and FF are enough or
(b) threats are very much overrated and I have never been attacked
(c) threats are real - I have just been lucky
(d) some combination

Will report back in another five years, but even before BB I had 7 years with dial up and still couldn't catch a cold.

andyman35
November 3rd, 2008, 08:52 AM
I would say that although the threats are hyped up, they do certainly exist. However, I'd guess that for the users of forums such as this it's fairly unlikely that most would find themselves too badly hit.

It's the majority of users running very insecure setups, blissfully unaware of the problems, that are being hit hard. The fact is the security of their data is way down the priority list of the majority of users, well below watching funny videos or playing cool online games etc. The simple truth is elaborate hacking methods aren't required most of the time; simply inviting the user to install the malware themselves via an 'install this codec' prompt or similar works very effectively indeed.

alex_s
November 3rd, 2008, 08:40 PM
-{ Quote: "Alex_s, I don't know if this helps or just adds to the confusion?

I have been using Broadband now for just over 5 years using the same Netgear DG834 and Firefox. For most of that time I have NOT run real time av or as or hips and have only once or twice tested a software firewall. Even when I did run AS or av they found nothing.

Perhaps I'm wrong and the Hardware firewall is of little use?

I guess I have to conclude either that:

(a) The firewall and FF are enough or
(b) threats are very much overrated and I have never been attacked
(c) threats are real - I have just been lucky
(d) some combination

Will report back in another five years, but even before BB I had 7 years with dial up and still couldn't catch a cold." }-

I think the only way you can be infected with FF or any other browser is to intentionally start something downloaded by FF (or any other browser). The other theoretical way is flash. There are some exploits demonstrating flash can be used to execute unauthorised actions (let us take the clipboard exploit as an example).

Just yesterday I googled to find a "crack" for one program. I didn't really need a crack, it was just out of curiosity, was it really cracked or not. The first two "cracks" I found were true trojans my AV missed, but HIPS immediately reacted when one of them tried to create a DLL in system32 and the other tried to create a .sys file. At this point both were successfully blocked.

Could FF and a HW firewall help me? I'm afraid not.

Long View
November 4th, 2008, 03:20 AM
-{ Quote: "Just yesterday I googled to find a "crack" for one program. I didn't really need a crack, it was just out of curiosity, was it really cracked or not. The first two "cracks" I found were true trojans my AV missed, but HIPS immediately reacted when one of them tried to create a DLL in system32 and the other tried to create a .sys file. At this point both were successfully blocked.

Could FF and a HW firewall help me? I'm afraid not." }-

This morning I put my hand in a pan of boiling water and noticed that my hand got burned and that the new hips program that you had recommended so highly did not protect me.

You are confusing the possibility of infection with the probability. If you had not gone looking for cracks all would probably have been well. Referring to the original title of this thread, it is not hard to be safe - you deliberately tried not to be safe.

alex_s
November 4th, 2008, 07:01 AM
-{ Quote: "This morning I put my hand in a pan of boiling water and noticed that my hand got burned and that the new hips program that you had recommended so highly did not protect me.

You are confusing the possibility of infection with the probability. If you had not gone looking for cracks all would probably have been well. Referring to the original title of this thread, it is not hard to be safe - you deliberately tried not to be safe." }-
You have missed the main point. This was just an example of how true content appeared to be not what it pretended to be (cold water appeared to be hot water). Though, even in this case the correct security setup prevented any damage. Actually it can be anything: a new disk defragmenter, new browser, new game, new task manager, new archiver. There is no way to be sure downloaded content is safe until you run it and see its behavior. The other way is to wait until other people test it and say "this is good" or "this is bad". But I do not like to be reliant on others; I regard it as a very inconvenient limitation.

wat0114
November 4th, 2008, 10:35 AM
-{ Quote: "There is no way to be sure downloaded content is safe until you run it and see its behavior. " }-

Download content from known, trusted sites, usually the product vendor, and you can be about 99.785% sure it's safe :) Yes, there will be arguments of "the site could be hijacked or dns poisoning has misled you to a rogue site" ...whatever, but we're talking of infinitesimally small odds here. This common-sense approach has never once failed me.

Long View
November 4th, 2008, 10:58 AM
-{ Quote: "You have missed the main point. This was just an example of how true content appeared to be not what it pretended to be (cold water appeared to be hot water). Though, even in this case, a correct security setup prevented any damage. Actually it can be anything: a new disk defragmenter, new browser, new game, new task manager, new archiver. There is no way to be sure downloaded content is safe until you run it and see its behavior. The other way is to wait until other people test it and say "this is good" or "this is bad". But I do not like to be reliant on others; I regard it as a very inconvenient limitation." }-

Then we appear to be missing each other's point. You deliberately went looking for trouble and found it. I deliberately try to avoid trouble and have done so without all the security programs "on sale". Whilst I accept that any new software can be contaminated, I also argue that years of being careful in what I download and from where has so far saved me. If I think there is any real risk I will fire up Shadow Defender, but I am trying to stay OT. The OP is not feeling safe because the risks are being exaggerated rather than because they may do damage.

Sorry if I'm repeating myself, BUT when was the last time you were contaminated or one of your security programs stopped a danger? Testing doesn't count. How often are you contaminated? Unless you answer "last week and on a regular basis", is it not possible that there is less need for security than you think? A hardware firewall and FF are more than enough for most, especially when backed up by something virtual and a few good images.

alex_s
November 4th, 2008, 03:43 PM
-{ Quote: "Then we appear to be missing each other's point. You deliberately went looking for trouble and found it." }- I was not looking for trouble, but it appeared that the thing I was looking for cannot be downloaded from the trusted source.
-{ Quote: "Sorry if I'm repeating myself, BUT when was the last time you were contaminated or one of your security programs stopped a danger?" }- Two days ago. Also, 6 months ago I needed the D7 installer. D7 was abandoned long ago, and you cannot buy it, so again, there is no trusted source to download it from. So I downloaded it from my LAN using P2P and it appeared to be infected. -{ Quote: "A hardware firewall and FF are more than enough for most, especially when backed up by something virtual and a few good images." }-

I'm not sure this setup is "for most". Most modern users hardly imagine what a "trusted source" is. Moms, dads, children, grandmas. And even those who know sometimes need to get something that cannot be got from a "trusted source". As for backup, there is also one sensitive moment: a full backup erases your data, and a partial backup may appear to be not safe. Also, managing multiple backups is a bit troublesome and time-consuming.

OK, now to what I talk about. There is not just a single safe and convenient setup for everybody (including HW firewall + FF). Depending on what a person does with his computer and on how experienced he is, the optimal security setup can differ much. I cannot regard HW firewall + FF as a safe setup for most users because the only security layer in this setup is the user himself, and most users, I'm sure, are just not experienced enough to be a good security layer. For most users HW firewall + FF is the same as built-in firewall + IE.

jmonge
November 4th, 2008, 03:49 PM
-{ Quote: "I was not looking for trouble, but it appeared that the thing I was looking for cannot be downloaded from the trusted source.
Two days ago. Also, 6 months ago I needed the D7 installer. D7 was abandoned long ago, and you cannot buy it, so again, there is no trusted source to download it from. So I downloaded it from my LAN using P2P and it appeared to be infected.

I'm not sure this setup is "for most". Most modern users hardly imagine what a "trusted source" is. Moms, dads, children, grandmas. And even those who know sometimes need to get something that cannot be got from a "trusted source". As for backup, there is also one sensitive moment: a full backup erases your data, and a partial backup may appear to be not safe. Also, managing multiple backups is a bit troublesome and time-consuming.

OK, now to what I talk about. There is not just a single safe and convenient setup for everybody (including HW firewall + FF). Depending on what a person does with his computer and on how experienced he is, the optimal security setup can differ much. I cannot regard HW firewall + FF as a safe setup for most users because the only security layer in this setup is the user himself, and most users, I'm sure, are just not experienced enough to be a good security layer. For most users HW firewall + FF is the same as built-in firewall + IE." }-
That's why it is a good idea to configure your HIPS programs to reject any executable files being written to the hard drive :thumb: Password protect the app, so for security: deny all and only allow what you think is safe, and before that virus scan it :thumb: