Simple firewall + Threatfire enough?
L815
March 14th, 2009, 05:15 PM
I'm back at this stage again; wondering the level of protection I really need.
After analyzing my daily tasks on the PC: I don't deal with "cracked software", and I spend most of my browsing time in Opera or FF.
To date, I have not had any infections pertaining to viruses, adware, or spyware.
My current level of protection is Spywareblaster, SAS on demand.
I have been a week without anything else as protection, but am thinking of using a lightweight firewall + hips.
My intention is to have a very lightweight security setup that will be able to detect things such as malicious intentions when plugging in someone else's USB drive, or connecting to multiple wireless connections. Other than that, I don't worry about being infected.
So my question to you all is:
What would be an easy-to-use, effective and lightweight firewall to use for a laptop?
Is threatfire(without an AV) the right choice when dealing with malicious intent as stated above?
Note: I would like to avoid running an AV, so please don't suggest them. My new security setup is towards intended malicious attacks instead of infections from things 'I' do.
Thanks.
The Hammer
March 14th, 2009, 05:19 PM
I suppose some type of sandbox software would be in order. Sandboxie or DefenseWall perhaps. http://remove-malware.com/prevention/
s23
March 14th, 2009, 06:12 PM
My current setup may interest you: CIS (firewall with D+), Sandboxie and Prevx Edge; very light and effective. You can choose another firewall, like Online Armor, and add another sandbox-type tool like GeSWall or DefenseWall. I think, for what you need, DefenseWall/GeSWall may be better because of the restrictive policies for removable media/devices.
3xist
March 14th, 2009, 07:58 PM
The only way to protect yourself is with 3 layers. That is:
Prevention
Detection
Cure
Sure, you can have a lot of detection security programs, but the reality is detection won't stop new malware. So something like DefenseWall or Defense+ (in Comodo Internet Security) is good for prevention, followed by a detection solution (AV), then cure...
Cheers,
Josh
Someone
March 15th, 2009, 12:01 AM
-{ Quote: "I suppose some type of sandbox software would be in order. Sandboxie or DefenseWall perhaps." }-
Agreed.
pegr
March 15th, 2009, 01:14 AM
-{ Quote: "
What would be an easy-to-use, effective and lightweight firewall to use for a laptop?" }-
PC Tools Firewall Plus is a free, easy-to-use, effective, and lightweight firewall that works very well in conjunction with ThreatFire. It performs well, strikes a good balance between security and ease of use, and rates highly in the Matousec Firewall Challenge. The main issue that people appear to experience is with ESV (Enhanced Security Verification) enabled. ESV is the HIPS component and, like any HIPS, has the potential for conflict with other applications. I'm running PCTFWP with ESV enabled alongside ThreatFire and haven't experienced any problems. If you decide to go with PCTFWP you could try turning ESV on initially and see how it goes. If you experience any problems you can always turn ESV off again.
-{ Quote: "
Is threatfire(without an AV) the right choice when dealing with malicious intent as stated above?" }-
ThreatFire is a very good choice and is very effective at blocking malware. There have been complaints from users about the lack of a Deny option but PC Tools have said they will look to adding this in a future release. As TF is a behaviour blocker, it's quieter and less intrusive than a classical HIPS. In any case, a number of firewalls already have a HIPS component so a BB makes a perfect complement.
As has already been mentioned, you might also want to consider virtualisation and/or policy-based HIPS (quieter than classical HIPS) as an additional layer. Good examples of virtualisation are: Sandboxie (application virtualisation) and Returnil (partition virtualisation). Good examples of policy-based HIPS are: DefenseWall and GeSWall. Plus, it doesn't hurt to have a couple of on-demand scanners, just to make sure the PC is clean.
galileo
March 15th, 2009, 11:58 AM
While I may be considered to be a member of the "risk-takers group"...I have used TF (since the dawn of the Cyberhawk days) and Windows Firewall as my "sole" "active" malware protection. I am behind a router that offers hardware firewall protection. I have never - to date - had any malware successfully gain access to any of the systems that I support when using this configuration - except when a user intentionally continues an operation after having been warned....agreed, maybe I am just lucky...but, nonetheless, the systems I support are generally older and of moderate performance capability and these require a lightweight anti-malware footprint in order to remain realistically operable for the user.
I use the "Default" "Sensitivity Level" and I do employ all of the "Custom Rules" available in TF and I add an additional rule for monitoring untrusted processes attempting to monitor any network connections....effectively, monitoring any outbound listening. One of the available custom rules does monitor untrusted attempts to actually create network connection. Essentially, these two rules will provide an "ersatz" outbound firewall capability. One does need to add "Trusted Processes" as they are flagged by TF or tell TF to remember your decision on each pop-up.
This type of setup provides a very lightweight footprint and provides the user with minimal pop-ups and questions...and has, to date, not permitted successful malware penetration. Thus, leaving the user with what one wants - performance with a reasonable modicum of safety. Security is always a balance between usability and safety...after all, how many prophylactics are too many...:o
Obviously, if one "wanted" to breach a system configured as this, one could. But, that is not the point of providing security. One can "always" provide more guard dogs and more fences - and one can "always" find a way around them all. But, at some point, providing security becomes the dominant focus rather than providing a useable system...and thus, defeats the very reason why one is using a computer in the first place. The issue is one of "probability" not one of "possibility"...in my view.
So, to answer the original question posed in this thread....Yes, with some attention to the custom rules. As PrevX Edge develops it may become a good or even better alternative than TF...and may even result in a lighter footprint...while maintaining a reasonable level of protection...we shall see as it moves along.
"All things in moderation"...;)
galileo
jmonge
March 15th, 2009, 12:12 PM
galileo, you have been either lucky or a very safe surfer, because I know that ThreatFire in some of my tests was bypassed very easily ;D even at sensitivity level 5. Anyway, your router firewall is not responsible if you agree to download a malware (for example), so it will not help you stop it :) You need an antivirus or a sandbox (virtualizer) to fully detect or contain malware :thumb:
Now, I know that ThreatFire with a good/strong firewall will give very solid protection against malware, but you have to be careful because there is some very nasty malware out there that can bypass your firewall or behaviour blocker very easily. But if you are an expert and you know what you are doing, go for it with that combo, and if it works for you, cool :thumb: I like people with a brave soul; I am like that :)
galileo
March 15th, 2009, 12:31 PM
-{ Quote: "...Anyway, your router firewall is not responsible if you agree to download a malware (for example), so it will not help you stop it :) You need an antivirus or a sandbox (virtualizer) to fully detect or contain malware :thumb:" }-
Your statement is correct..."if you agree to download a malware" but, then why are you agreeing to download malware...?...:blink: If you do in fact wish to swim with alligators then, perhaps you should expect an occasional bite...:argh:
-{ Quote: "...Now, I know that ThreatFire with a good/strong firewall will give very solid protection against malware, but you have to be careful because there is some very nasty malware out there that can bypass your firewall or behaviour blocker very easily." }-
Again, your statement is correct. However, this is an issue of philosophy as to how much protection one wants to expend effort creating. However secure the bank is, there will "always" be a bank robber...IMHO, at some point one accepts that the plane "may" crash but, that it is still safe "enough" to fly....to use an analogy....:P...(and I am big on analogies)
galileo
jmonge
March 15th, 2009, 12:41 PM
That's exactly the way we learn, the hard way ("the way to learn about how malware works"). I'd never say or agree to download malware; I do some testing ("happy tester" here). Do you think I am dumb enough to test malware on my real PC without virtualization or at least a sandbox program? :) If I said that I like brave souls, I know I am one, because I do my testing within either DefenseWall or Sandboxie ;) Malware is contained very well :thumb: Again, about being lucky: yes, you are lucky, or even a safe surfer ;D and a brave soul :)
galileo
March 15th, 2009, 01:02 PM
You are correct and sensible in what you are doing. With respect to the question posed by L815 at the beginning of this thread, I have been speaking to the issue of what does an average user need to use for one's typical daily needs. I would submit that the average user is perhaps not doing what you (or I) may be doing when we are "testing" to see what an effective security configuration might require. The average user is most likely not "bungee" jumping for his thrills....he is probably just going out to dinner...:)...LOL...Hence, the question is what restaurant are we suggesting he visit...rather than what life insurance policy he should carry....:lurking:
These are always good conversations to have as they help users identify what and why they may want to learn about how to protect themselves and their systems...:)
galileo
jmonge
March 15th, 2009, 01:05 PM
That is cool. I am also going to answer the question in the post: it is not enough, just a firewall with ThreatFire; you have to have an antivirus at least.
jmonge
March 15th, 2009, 01:09 PM
Anyway, I will never recommend this for daily use, especially to my friends.
galileo
March 15th, 2009, 01:12 PM
-{ Quote: "That is cool. I am also going to answer the question in the post: it is not enough, just a firewall with ThreatFire; you have to have an antivirus at least." }-
Respectfully, if TF blocks viruses - and it is a zero-day virus blocker, thus it would also be a 1000-day virus blocker - then, IMHO, for the average user, TF with rules and Windows Firewall are adequate assuming you are behind a router with a hardware firewall - which most users are in today's tech world.
All are entitled to their opinions...8)
galileo
jmonge
March 15th, 2009, 01:15 PM
OK, if you get infected (never say never), will ThreatFire remove the malware? "No." Imagine regular people with no knowledge at all; they cannot have this type of approach ("not recommended"). They still need an antivirus, especially regular people :)
galileo
March 15th, 2009, 01:30 PM
-{ Quote: "OK, if you get infected (never say never), will ThreatFire remove the malware? "No." Imagine regular people with no knowledge at all; they cannot have this type of approach ("not recommended"). They still need an antivirus, especially regular people :)" }-
There is nothing wrong with having an on-demand virus scanner/remover. In fact, that is a reasonable tool to have onboard given that the "possibility" of a security breach is truly 100%. The issue again, is one of the probability of a breach, not the possibility of a breach.
However, IMHO, the average system does not require a real-time AV tool. And, real-time AV tools have a notable impact on system performance...particularly on moderate capability systems. My approach has been to balance security against performance through a realistic assessment of the "probability" of a breach. My experience with the average user and the average system has thus led me to where I am today.
I have simply not seen that the "probability" of security breaches under said conditions requires any further real-time protection than I have noted, IMHO. I agree wholeheartedly with you that one should have suitable removal/recovery tools available...I simply take the position that given the realities of the average user, one does not need them in a real-time mode. And thus, one can avoid the performance hits that come with additional real-time tools.
...good discussion...:thumb:
galileo
jmonge
March 15th, 2009, 01:42 PM
I agree, good discussion. Now look at this situation: one of my friends has Spyware Doctor with Antivirus and ThreatFire and a solid firewall (and he has antivirus) (imagine without it, maybe worse).
It took just clicking a link, and guess what ;D I am not saying that your approach is wrong, but like I said before, for regular/average people it is not recommended. Out of all my friends, this one didn't listen to my advice when he requested advice, and he was the one getting hit hard. I am not saying it can happen to you, because I feel that you have some knowledge, but what about the innocent who don't even know how malware can damage their PCs?
One of my happy-clicker friends was infected last year and his PC got trojans, spyware, adware, etc., etc. That was last year. I got him a program called appranger, and I saw him last week; he invited me to his house and at the same time I checked his PC, and guess what? "Clean." You have to find the way, buddy. My point is that a behaviour blocker/firewall is not enough for a regular user, especially those happy clickers :) For you I know it may be enough (good luck).
galileo
March 15th, 2009, 02:09 PM
@jmonge
...LOL...I just re-read our discussion...I think we are essentially starting to repeat ourselves. So, I guess it's time to give this a rest for a while. I hope that L815 has gained some perspective...if not specific direction.
galileo
jmonge
March 15th, 2009, 02:11 PM
sorry;D i need some coffee:)
jdd58
March 15th, 2009, 10:37 PM
-{ Quote: "So my question to you all is:
What would be an easy-to-use, effective and lightweight firewall to use for a laptop?
Is threatfire(without an AV) the right choice when dealing with malicious intent as stated above?" }-
Yeah, I go through the same thoughts about what is enough security.
For my laptop, for the last several months I've chosen to just run Sandboxie without an antivirus. Next came Edge free to detect any unusual behavior. It also gives a user right-click scanning of files without the overhead of a traditional antivirus scanner. Then I added Returnil the other day with the latest free version. The new anti-executable feature and file protection feature caught me by surprise and are worth checking out.
Basically, I wanted programs with high protection strength and low cpu use and low disk i/o to preserve battery life. All of these programs fit the bill.
I think if you try any combination of the above you might find what you are looking for. In my opinion Edge will sniff out more bad stuff than TF and I also think windows firewall is sufficient without the disk i/o (battery consumption) of a hips firewall.
Throw in AppGuard or EdgeGuard Solo and you have a real solid and light combo.
the Tester
March 16th, 2009, 12:34 AM
If you are willing to try a firewall with HIPS included, Online Armor is good.
I use PCTools Firewall Plus with the HIPS activated and have suffered no problems with it.
These are both light on resources in my experience and would be very good choices for your firewall.
nomarjr3
March 16th, 2009, 03:02 PM
It is better to have an anti-malware scanner besides having a firewall and a behavioural blocker.
You never know if your system is infected.
A few days ago, I posted my experience with a mutated SVCNOST.EXE disguising itself as SVCHOST.EXE.
It was able to bypass even COMODO Firewall, since COMODO reads it as a "trusted" process.
I don't know how long it has been in my system, and how long it has been perhaps taking info from my browsing data and/or account passwords.
I installed SpySweeper and Spyware Doctor. Both were able to detect the hidden process, when even MBAM and SAS failed to do so.
So I recommend you should use a top-notch anti-malware scanner for added security ;D
jmonge
March 16th, 2009, 03:29 PM
Agree with your comment 100%.
progress
March 29th, 2009, 04:48 AM
-{ Quote: "I have used TF (since the dawn of the Cyberhawk days) and Windows Firewall as my "sole" "active" malware protection." }-
Is anyone else running this setup? :P
GES/POR
March 30th, 2009, 09:31 AM
-{ Quote: "Is anyone else running this setup? :P" }-
Should be fine, especially considering that an AV+FW is considered rather safe when used with care. Knowing TF focuses mostly on 0-day malware, I'd have to give it a :thumb: up.
Saraceno
March 30th, 2009, 09:44 AM
I don't see a problem with ThreatFire and windows firewall for an 'intelligent' user.
That is, someone who is content with paying for programs, only downloading free programs from trusted sources ( eg. www.portableapps.com ), and visits forums like wilders, watches the odd video on youtube.com etc.
I think it all depends on the user.
galileo
March 30th, 2009, 11:45 AM
-{ Quote: "I don't see a problem with ThreatFire and windows firewall for an 'intelligent' user.
That is, someone who is content with paying for programs, only downloading free programs from trusted sources ( eg. www.portableapps.com ), and visits forums like wilders, watches the odd video on youtube.com etc.
I think it all depends on the user." }-
I couldn't agree more - it most certainly depends as much on the user as on the security tools one is using.
With Threatfire, one can add a simple rule for monitoring/trapping "untrusted" processes that are listening for (i.e. monitoring) network connections. This, coupled with the default rule for controlling actual network connections, will essentially create an application/process permission control and monitoring system - not perfectly, but then again, IMHO, one is dealing with issues of "probability" not "possibility". Thus, making an outbound firewall somewhat redundant....depending on your tolerance of risk aversion...8)
From the perspective of "lightweight" and small "footprint", one cannot get much lighter than TF + Windows Firewall and still maintain a competent security perimeter against the most "probable" attacks.
It is worth noting that this is an approach that is more skewed toward "prevention" and "detection" - and, that adequate "removal" tools should still be "onboard". But, again IMHO, such tools do not need to be real-time tools that are degrading the everyday system performance. Further, one should employ a simple drive/partition imaging tool - such as Drive Snapshot - and maintain a clean up to date image before engaging in, shall we say, dubious activities...:o
galileo
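An added worked example, not posted by anyone in this thread and not ThreatFire's code: galileo's two custom rules (flag an untrusted process that is listening, flag an untrusted process creating a network connection) and nomarjr3's SVCNOST.EXE-disguised-as-SVCHOST.EXE case both come down to the same check, "is the process owning this socket on my trusted list, and if not, is its name a near miss of one that is?" The script below runs that check over netstat-style rows. The trusted-process list is hypothetical, and the sample rows are constructed to look like `netstat -ano` output with a trailing image-name column (the pairing `netstat -anob` or `tasklist` would give you); they are not a real capture.

```python
"""
Allow-list audit over netstat-style socket rows.

Added example, not code from this thread or from ThreatFire. Reports:
  - untrusted processes with a LISTENING socket (galileo's extra rule),
  - untrusted processes with an outbound connection (TF's built-in rule),
  - and, for each, whether the name is a small edit away from a trusted name
    (the svcnost.exe vs svchost.exe case).
"""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical allow-list. A real one is per machine and should be keyed on
# full image path plus signer, not the bare name; a bare-name match is exactly
# why a svcnost.exe lookalike can end up treated as "trusted".
TRUSTED = {"System", "svchost.exe", "lsass.exe", "opera.exe", "firefox.exe"}

OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}

# Constructed sample rows (not a real capture): proto, local, remote,
# [state], pid, image name. The last row has no owning image and is skipped.
SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040   svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4      System
  TCP    192.168.1.5:49321      74.125.0.10:443        ESTABLISHED     2210   firefox.exe
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       3388   svcnost.exe
  TCP    192.168.1.5:49400      91.203.5.77:6667       SYN_SENT        3388   svcnost.exe
  UDP    0.0.0.0:1900           *:*                                    1040   svchost.exe
  TCP    192.168.1.5:49410      203.0.113.9:80         ESTABLISHED     4102   updater.exe
  TCP    192.168.1.5:49500      203.0.113.9:80         TIME_WAIT       0
"""


@dataclass
class Finding:
    pid: int
    name: str
    kind: str                    # "untrusted-listen" or "untrusted-outbound"
    local: str
    remote: str
    lookalike_of: Optional[str]  # trusted name this one resembles, if any


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; process names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str, trusted: set, max_dist: int = 2) -> Optional[str]:
    """Return the closest trusted name within max_dist edits of name (exact matches excluded)."""
    best = None
    for t in trusted:
        d = edit_distance(name.lower(), t.lower())
        if 0 < d <= max_dist and (best is None or d < best[0]):
            best = (d, t)
    return best[1] if best else None


def audit(netstat_text: str, trusted: set = TRUSTED) -> List[Finding]:
    """Walk netstat rows and report sockets owned by processes not on the allow-list."""
    trusted_lc = {t.lower() for t in trusted}
    findings: List[Finding] = []
    for line in netstat_text.splitlines():
        t = line.split()
        if not t or t[0] not in ("TCP", "UDP"):
            continue
        if t[0] == "TCP" and len(t) >= 6:
            local, remote, state, pid, name = t[1], t[2], t[3], t[4], t[5]
        elif t[0] == "UDP" and len(t) >= 5:
            # A bound UDP socket has no state column; treat it as listening.
            local, remote, state, pid, name = t[1], t[2], "LISTENING", t[3], t[4]
        else:
            continue  # e.g. TIME_WAIT rows with PID 0 and no owning image
        if name.lower() in trusted_lc:
            continue
        if state == "LISTENING":
            kind = "untrusted-listen"
        elif state in OUTBOUND_STATES:
            kind = "untrusted-outbound"
        else:
            continue
        findings.append(Finding(int(pid), name, kind, local, remote, lookalike(name, trusted)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        tag = f" (looks like {f.lookalike_of})" if f.lookalike_of else ""
        print(f"{f.kind:<19} pid={f.pid:<5} {f.name}{tag}  {f.local} -> {f.remote}")
```

On the sample rows the trusted svchost.exe, System and firefox.exe sockets are silent, svcnost.exe is reported twice (once listening on 3127, once connecting out to port 6667) and tagged as a lookalike of svchost.exe, and updater.exe is reported as an untrusted outbound connection with no lookalike. That is the same decision a behaviour blocker's "trusted process" prompt is asking you to make; the difference is that here the allow-list is explicit and reviewable, and the near-miss check catches the case where only the name was trusted.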
Kees1958
March 30th, 2009, 01:47 PM
Add the registry startup protection mentioned here http://www.wilderssecurity.com/showthread.php?t=235984
Also add a rule to warn you when IE is executed, but allow Explorer. This way you will get notified when IE is spawned as well.
galileo
March 30th, 2009, 02:56 PM
@Kees
Yes indeed - there has been an ongoing discussion over in the TF forum (both online and offline with Daniel) regarding other default or inbuilt rules. I have seen you over there as well :thumb: discussing the same and similar topics regarding TF's "rules".
One of the issues surrounding additional and generally more sophisticated rules is that the average user is somewhat intimidated by the potential entry of many registry keys and/or folder/file paths. And, more importantly, is likely to make either errors of omission or errors of entry due to the more complex rule strings. Either will likely result in not achieving the security intended by the rules or creating a malfunctioning system. Hence, and I believe that you would agree...:)...the average user will be intimidated into simply not building the rules or not using the product. There has been considerable commentary over there regarding import/export capability for the rules - which would/could address the issue of adding more rules and in particular more sophisticated rules. Hopefully the devs will address that sooner rather than later.
Like everything surrounding security issues, probability, IMHO, should be the driver for what and how sophisticated one employs security software. If one "believes" - and that is the issue - that the "prevention" capability of a given tool is adequate, at least for one's risk tolerance, then one could make the case that rules regarding system changes are not necessary - because - the prevention capability will block any malware activity from initially occurring and thus, installing anything that would change the system. That is a philosophy that perhaps requires "kryptonite cojones" but, nonetheless, can be benchmarked on an ongoing basis in terms of performance and adequacy.
If one truly wants to breach a typical system, it is always "possible". However, if one has reasonable security measures in place, even if they are minimal, and an up-to-date patched system, then the "probability" of a transient breach is quite low. As can be evidenced by the relatively few true transient malware events that are observed in this forum across the many differing types of anti-malware tools that are investigated and tested here. Even among the Wilders' "veterans", breaching a typical system generally requires forcing a piece of malware (usually from warez sources) upon a given security tool rather than casual browsing or legitimate downloading.
Philosophically, if one is approaching security "for" the typical user, the choice of tools must be simple and must avoid complex warnings for which the typical user will have no real guidance as to what or why to take a particular action. No matter how tight a security perimeter one can create, one must return to the average user's perspective and ask if such a system can be maintained or even used adequately...much less understood.
For the opening post in this thread, IMHO, "yep" the simple firewall and TF (with some rule additions) are adequate for you given that you are not visiting "these"...:-X...or "those"...:lurking:...sites...:argh:
galileo
Copyright ©2002 - 2012, Wilders Security Forums