The correct security approach?


ssj100
August 28th, 2009, 05:31 PM
I've done a lot of experimenting on Windows security in the past few years, and have tried a lot of security applications out there. I personally think there needs to be an approach to Windows computer security, and some approaches are better than others. Please note that this is just for educational and discussion purposes and that I know many people who use no security and never get infected.

Here is how I've personally approached security in the past:

Initial security approaches (early days):
1. Real-time Antivirus (that's all folks)
2. Windows Firewall
3. Not running unknown/untrusted applications, avoiding untrusted web-sites if possible, keeping software up to date etc.
Here, I thought that a decent antivirus was all I needed. Then, around 2004, I discovered that a more solid firewall was necessary:

1. Real-time Antivirus
2. ZoneAlarm Firewall
3. Not running unknown/untrusted applications, avoiding untrusted web-sites if possible, keeping software up to date etc.
Here, I thought I was bullet-proof, and that this was all I would ever need. Then I heard of a free firewall that got 100% leak protection out of the box:

1. Real-time Antivirus
2. Online Armor Free
3. Not running unknown/untrusted applications, avoiding untrusted web-sites if possible, keeping software up to date etc.
Here, I discovered my first classical HIPS, and I was very impressed by it. I even got used to the pop-ups and learned how to confidently deal with most of these pop-ups. Arguably, this security approach is close to being bullet-proof, because it has this classical HIPS component which does NOT rely on signatures that need to be updated and which does NOT only detect a proportion of malware out there. Then, I got sick of the slow-down at start-up (the long pause on the Welcome screen), and made a switch:

1. Real-time Antivirus
2. Comodo Firewall Pro
3. Not running unknown/untrusted applications, avoiding untrusted web-sites if possible, keeping software up to date etc.
I was very impressed once again. My system ran lighter than ever, and I felt just as protected with this Firewall/classical HIPS on board. Then, I discovered programs like DefenseWall and Sandboxie, with Sandboxie giving me the security approach I'd been looking for all this time:

1. Real-time Antivirus
2. Comodo Firewall with Defense+
3. Sandboxie
4. Not running unknown/untrusted applications, I can now surf wherever the heck I want to haha, keeping software up to date etc.
Here is where the break-through came. As I learned more about Sandboxie, I discovered that it could cover everything (except eg. LAN network protection), and that this security approach might be the best and most convenient there is (for me). I even realised that I didn't need a real-time antivirus anymore:

1. Sandboxie
2. Comodo Firewall with Defense+ disabled (only enabling it in Paranoid Mode if I ever connected to LAN networks etc, or wanted to analyse the behaviour of unknown/untrusted applications).
3. Running unknown/untrusted applications in a virtual machine etc, running newly downloaded files from unknown/untrusted sources (regardless of file type) sandboxed, continuing to surf wherever the heck I want to haha, keeping software up to date etc.

So there you have it. Anyone care to share what their security approaches have been like? I think it's important to have one, and to understand it well. The following security approach is very welcome too, but lacks detail haha:

1. Common sense.

Also, this is probably a good security approach to have (for a lot of people), and I'm sure we'll get many people posting about it here:

1. LUA, SRP etc etc

Osaban
August 28th, 2009, 06:50 PM
It is odd that with all your testing of security combinations you are not concerned with backup solutions (that is, according to the poll, you don't use any imaging software).

I went through various stages like everybody who has an interest in keeping their computer in pristine condition, and in the end it comes down to two essential types of applications: light virtualization and imaging software. I bought 2 computers in the last 2 years, and my first concern was to have an imaging program to make sure that no matter what happens my system can be recovered within minutes.

dw426
August 28th, 2009, 07:15 PM
-{ Quote: "I've done a lot of experimenting on windows security in the past few years, and have tried a lot of security applications out there. I personally think there needs to be an approach to windows computer security, and some approaches are better than others. Please note that this is just for educational and discussion purposes and that I know many people who use no security and never get infected.

Here is how I've personally approached security in the past:" }-

You, my friend, have developed "Wilders Syndrome" ;D

It happens to us all. Do I understand correctly that you've now gone to a Sandboxie-only approach? I heard that somewhere deep in the forums, lol. I believe the common sense approach is the best and lightest form of security you can get. However, some interpret that as not needing ANY security program. I'm afraid that unless you can judge malware from innocent files just by looking at them, that kind of security utopia isn't here yet. Common sense to me is keeping your browser updated, tweaking it just slightly to keep malicious scripting at bay, and scanning everything you download with a reliable AV/AS before execution.

I tell you what SSJ, after going so long using Sandboxie and merely using it as a "cleaning tool" instead of active protection against malware, I'm nearly ready to go the route of AV only with an on-demand AS as backup. Using Firefox every day and with Internet Explorer 8 tweaked a bit, I'm just not seeing the "malware epidemic" that so many are afraid of.

Osaban
August 28th, 2009, 07:16 PM
-{ Quote: "If you're so keen on "backing up", what do you use to protect against hard-drive failure? " }-

I don't understand. Imaging software is first and foremost geared at reinstalling your system in case of hard drive failure.

Sully
August 28th, 2009, 07:26 PM
These are some of my favorite types of threads because you get to see others viewpoints/approaches and often you can get some good food for thought out of them.

Myself, I am a self-taught geek, starting with the original Apple my dad brought home when I was a kid, ranging through the years up to today. My dad worked on mainframes for varying companies over the years, being primarily a computer programmer (punch card days) to IT etc. You know, when your dad gives you a dozen computers in various states of working order, and you have to build your own, install the OS and find out why hardware doesn't work, in those days that was harder than today's plug'n'pray.

Anyway, whilst I initially used to just tweak the OS for performance in the 3.11/95/98 days, because you only had a 1GB HDD and a 233MHz CPU etc, you had to. Security was not that important because the internet was just a big forum for some time. I forget the year, but maybe 97/98 the dotcoms really took off, along with, of all things, 'personal firewalls'. lol, looking back I remember when ol' Norton was the thing to have, but only to scan floppies. As time progressed into ME/2K and then XP, the gigahertz barrier was broken, SDRAM was abundant at 133MHz, HDDs were spinning at 7200rpm with ATA66/100 speeds, and things started to work better. Gone were the days of looking to make it perform better; now it was more focused on making XP/2K consume as little as possible, because the programs were utilizing the extra power. To this day I think many experienced users who have great machines (myself anyway) still try to keep those resources low because of the programs' habit of using all they can.

As the internet boomed, of course the haxors/script kiddies took advantage, and you basically had to respect the threats they posed. Enter more AV,AS,AM,FW,HIPS etc etc. And so it progresses, a never ending route from close the exploit to new exploit. Too bad the OS in major use (M$) was so slow to respond. The reason does not matter, as the top dog gets targeted the most, so it is what it is.

Now today, having run through so many different versions of windows, and so many different worries about what is vulnerable, and so many security schemes built around either protecting data or protecting the integrity of the OS install, I have some definite different viewpoints than just a couple years ago.

I think much of what you need to know or do about security lies in just what you use your computer for, how much you know, and what you stand to lose. For many people I know, average users, they do online purchasing or banking. They need some protection from keyloggers and such, any malware/virii that might try to steal their data. But there are numerous ways to deal with it, if the user is willing to take a few extra steps to ensure their protection. Sadly, many are not. But I think most would be.

It is so common that people use their computer as entertainment, and they put pictures/music/video/documents on their computer. They don't have much to lose that is sensitive, only things they have not backed up or the inconvenience of putting it back on their computer. I really think that if everyone had a regular backup scheme, whether data backup or imaging the drive, it would solve a large majority of issues. Consider that you store your data on an external drive. This is good in case you need to reinstall the OS, but the data is not really safe on a hdd. Optical media (or flash these days) really is the only way to be sure your data is backed up. But SOOOOO many I know don't want to do that. It is like it is taboo to them or something. The way I look at it, if it is important, it goes onto a mirrored raid array AND optical/flash media. The rest, I keep on hdd and if it goes TU, I will dload it again or whatever.

Think of it like this, if you only have to worry about online banking, and you don't store any account data/passwords, and you use SBIE or LUA/SRP or VM or other such simple method, what do you stand to lose from infection? Infecting others, yes. Losing data? If it is backed up, no. If it is sensitive and you have a good scheme, then no. So why get all fussy about using HIPS and Firewalls that you have to continually maintain settings/configs for, that use your resources for.

You know, there are many ways today for users to be free of needing complete control, having to answer yes/no to everything. But, you have to desire this, and learn a little something to do it. It is not really hard, but you have to want to.

Some just like to play. Or be in complete control of everything that comes and goes. lol, I wonder what % here fall in that category. I used to. And some are tired of that and want something more transparent. Some don't care as long as it works. Some flat don't have the slightest care until something goes wrong. And some I am sure just don't get it, don't have a mind to follow such things, which is fine too. (I think the same people that have a hard time programming the vcr/dvd players might have a hard time with computers, but who knows).

So what is the correct security approach? IMO, if you don't back your data up or know what you are doing on restore/reinstall, maybe it is best you use a suite or learn 3rd party tools to keep everything at bay. Maybe you should just switch to LUA and learn how to live in that realm.

If you do know what you are doing, it opens the doors to many possible solutions, ranging from very secure/complicated to very easy and maybe not as secure. I fall there now. I want it easy, and I am not afraid to catch something. I have never caught anything myself other than a BHO I should have caught but was careless on a shareware install. I don't want to get bitten, but I certainly do not fear it. Inside 5 minutes I can be back to where I was. If my data drive is formatted, worst case scenario is I have to spend the time copying from dvd or server raid drives back to my data drive.

But like I say, it really depends on a few factors. You know, hopefully people get bitten who are not interested, and it makes them become interested so it does not happen again. I know lots who have had this happen. A few infections later, or lost photos etc, they suddenly become very attentive to what I was telling them before.

Ah, computers. Our world revolves around their use, our time is consumed by them, our security can be threatened by them, we can lose our identity/money from them. But oh, what a great great toy they are. So full of things to know, so fun to break and fix and figure out how they work.

Later.

Sul.

lonelywolf
August 28th, 2009, 07:28 PM
I am currently surfing on wilderssecurity with the browser on Run Safer in Online Armor Premium + the additional protection of NAV 2009, but I am also sometimes protected by VMware since I am testing various defenses with it, currently Privatefirewall and NOD32 v.4 (AV only). Am also behind a router and therefore protected by some hardware firewall as well. Well, nothing is 100% safe, but since I am doing some backup job with Acronis from time to time, well, let's just say that I feel pretty safe. ;)

Joeythedude
August 28th, 2009, 07:49 PM
When I started around win 98 , I got a good uninstall program.
That kept my PC in shape. Had no AV I think .. maybe an early AVG ...
I didn't bother with security until I got XP and had to go online to register it. Wasn't sure if XP firewall would be enough, so got AVG anyhow, then started getting interested in security.

Found a wealth of knowledge at wilders.;)
But even here, people weren't always/often focused on exactly how people got infected, which was what I wanted to avoid!
Some posters were though , and really helped ( Rmus in particular ).8)

So now I'm much clearer on how exploits work, and how my own attitude to risk influences me. :lurking:
And much more disappointed/annoyed when I read all the FUD:gack: that the media comes out with when there is a computer virus outbreak .

Page42
August 28th, 2009, 07:54 PM
-{ Quote: "But oh, what a great great toy they are. So full of things to know, so fun to break and fix and figure out how they work." }-
Computers are technological jigsaw puzzles.

Zimzi
August 28th, 2009, 09:30 PM
-{ Quote: "I was just wondering what approach people used " }-

I like the "computers serve people" approach. So, there is no Trusted/Untrusted/Sandboxed/Unsandboxed/Quick Recovery/Immediate Recovery or similar endless recovering job for me. Just let Avira and ThreatFire find and kill malware for me. I know that I am an old-fashioned guy and that my PC is only 99.9% secure. In my country there is the saying "Life is harmful to health", so I do not care too much.

P.S. Thanks for great topic.

nomarjr3
August 29th, 2009, 12:08 AM
For free programs, go for the 'layered' approach.
First and foremost, install a good FW (hardware or software). I highly recommend Outpost Free.
Then a real-time anti-malware scanner like Avast or Avira and/or use a sandbox-type policy-based program like Sandboxie or GeSWall.
Alternatively, if you want complete control of any suspicious activity in your PC or an all-in-one suite, you can try COMODO Internet Security.
Having a rollback program like Macrium Reflect Free or a system virtualization like Returnil won't do any harm either.


For paid programs, an all-in-one suite would do just fine.
I highly recommend Norton 360.

Keyboard_Commando
August 29th, 2009, 09:03 AM
The correct approach ... for me, is to turn the computer off at the end of the day and it to be still in the same, or as near to, condition it was when I turned it on, aka using virtualization products - Scrubbing the amassed crapware effects off, maintaining privacy, keeping Windows healthy.

Computers are Work/Pleasure, for me. I am now just picky about what I want remaining on them at the end of the day.

This site, Wilders, is probably the best I've come across for finding info about niche virtualization products that actually do as they say.

kasperking
August 29th, 2009, 09:52 AM
Well, a correct security approach is that which is understandable and usable. A PC should not be so tightly configured that, let alone malware, even the user can't get into it.

nomarjr3
August 29th, 2009, 03:24 PM
-{ Quote: "The correct approach ... for me, is to turn the computer off at the end of the day and it to be still in the same, or as near to, condition it was when I turned it on, aka using virtualization products - Scrubbing the amassed crapware effects off, maintaining privacy, keeping Windows healthy." }-
Your privacy is still compromised if you use a system virtualization alone.

It won't protect you from keyloggers and hackers. You need a firewall to compensate for this vulnerability.

I honestly believe that a firewall is the most fundamental part of ANY PC setup.

n8chavez
August 29th, 2009, 03:40 PM
-{ Quote: "Your privacy is still compromised if you use a system virtualization alone.

It won't protect you from keyloggers and hackers. You need a firewall to compensate for this vulnerability.

I honestly believe that a firewall is the most fundamental part of ANY PC setup." }-

A properly configured SBIE setup can protect from keyloggers as it has the ability to restrict run or outbound access.

Keyboard_Commando
August 29th, 2009, 06:32 PM
-{ Quote: "
I honestly believe that a firewall is the most fundamental part of ANY PC setup." }-

I agree with that. I definitely value *above all* the ability to control what of mine connects to the internet and what can potentially connect to me. My browsers are tighter than a duck's bum, for instance :D

I haven't lost sight of the firewall's importance. In fact, Online Armor's firewall, that I use, goes much further than the traditional unauthorized connection protection. As someone that can't be bothered with limited user rights accounts, I can get "somewhere" near to the much recommended setting by adding as many functional Windows and 3rd party applications into a permanent Reduced Rights/Untrusted state. As an XP user this has been as good as it's gonna get with LUA, for me.

The firewall lines are a bit blurred now for me - as to their role. But I agree with the point.

Rmus
August 29th, 2009, 09:05 PM
-{ Quote: " I personally think there needs to be an approach to windows computer security, " }-
I agree that everyone needs to have a security strategy that covers their computing workflow and setup.

-{ Quote: "and some approaches are better than others. " }-
I would phrase that a bit differently:

-{ Quote: "Not all strategies work for everyone, but this doesn't mean that a particular strategy isn't effective in a given situation just because someone thinks it wouldn't work." }-
My approach is to look at exploits in the wild. If I find one that can penetrate my defenses, then I will make a change.

Recent example:

-{ Quote: "55,000 websites hacked" }-
Evidently thousands of individuals became infected by being re-directed from compromised (SQL injection) legitimate sites to one with malicious code. Upon investigation, I learned that the infections resulted from either an old IE6 exploit or a PDF exploit.

My Conclusion: already covered. No further action necessary.

----
rich

Rmus
August 29th, 2009, 10:25 PM
You are missing the whole point.

The phrase "The correct security approach" implies one approach. "The" is a limiting adjective.

No one can dictate for another, without understanding that person's computing workflow, technical expertise, state of mind, etc., "The correct security approach." Anyway, I prefer the word "strategy" because it takes in one's mind-set as well as security products.

In another thread, you are worried about LAN protection. For someone who doesn't use a LAN, this is a worry that is unfounded and irrelevant.

You also warn about using the Windows Picture and Fax Viewer. What if a person doesn't use it? Again, you are speculating and introducing a worry that is unfounded and irrelevant for that person.

In my view, you just can't make blanket statements about "The correct security approach."

----
rich

Boost
August 29th, 2009, 10:30 PM
-{ Quote: "You are missing the whole point.

The phrase "The correct security approach" implies one approach. "The" is a limiting adjective.

No one can dictate for another, without understanding that person's computing workflow, technical expertise, state of mind, etc., The correct security approach. Anyway, I prefer the word "strategy" because it takes in one's mind-set, as well as security products.

In another thread, you are worried about LAN protection. For someone who doesn't use a LAN, this is a worry that is unfounded and irrelevant.

You also warn about using the Windows Picture and Fax Viewer. What if a person doesn't use it? Again, you are speculating and introducing a worry that is unfounded and irrelevant for that person.

In my view, you just can't make blanket statements about "The correct security approach."

----
rich" }-


:thumb:

Joeythedude
August 29th, 2009, 11:13 PM
-{ Quote: "You are missing the whole point.

The phrase "The correct security approach" implies one approach. "The" is a limiting adjective.

No one can dictate for another, without understanding that person's computing workflow, technical expertise, state of mind, etc., The correct security approach. Anyway, I prefer the word "strategy" because it takes in one's mind-set, as well as security products.

In another thread, you are worried about LAN protection. For someone who doesn't use a LAN, this is a worry that is unfounded and irrelevant.

You also warn about using the Windows Picture and Fax Viewer. What if a person doesn't use it? Again, you are speculating and introducing a worry that is unfounded and irrelevant for that person.

In my view, you just can't make blanket statements about "The correct security approach."

----
rich" }-

Agree.

kasperking
August 29th, 2009, 11:46 PM
Well, Rmus, if semantics is the issue then please do look at the "?" at the end of the topic, "The correct security approach?", so it's a query, not a statement.

Rmus
August 30th, 2009, 12:28 AM
-{ Quote: "So yes, you seem to have missed the point of this thread, which is rather unfortunate." }-
OK, I see that some think the "?" in the thread title softens the implication of the statement. So, I misinterpreted the meaning.

But I stand by my comment about "some approaches are better than others."

"Better" and "correct" are relative terms. Better in terms of what? That phrase is what caught my attention at first.

-{ Quote: "Sure, perhaps the thread title is inappropriate (moderators please feel free to change the title to: "Security approaches...care to share yours?")," }-
Probably not necessary, since you've now clarified it!

----
rich

Kees1958
August 30th, 2009, 12:52 AM
-{ Quote: "It is odd that with all your testing of security combinations you are not concerned with backup solutions (that is, according to the poll, you don't use any imaging software)." }-

Agree.

Our first and best security measure consists of:
1. An offline harddisk
2. A monthly data backup (syncback free) with an old fashioned three generations repeating scheme (last month = child, last month -1 = parent, last month - 2 = grandparent)
3. A two-generation image backup with a clean install image (with all our basic software, including some malware-fighting software) using Paragon.

Second level is a plain, well-configured router (all the usual stuff plus some specific measures against man-in-the-middle threats).

Third level is changing all the defaults and using all the authentication abilities of hardware and OS, hardening by disabling all remote admin capabilities and distributed services needed in a business/corporate environment.

Fourth level is the policy management capabilities of the OS.

Fifth level is security software (either a HIPS or an AV), depending on the user (wife = DW, son = MSE, myself AppGuard + SRP).

danny9
August 30th, 2009, 01:09 AM
I really don't think there is a correct approach.

I bought my first computer in 98.
Came with Norton's Security Suite.
Used it for a year and moved on.
Since, I have tried many forms of security and many for at least a year.

NOD32, ZAPro, Kaspersky, Avast, Avira, AVG w/firewall, Trend Micro, GesWall etc,.etc.

In these almost 12 years I have never seen a virus, malware or any other kind of nasty.

For the last 3 years my son has used AVG w/Firewall on his laptop with the same effects, and he does a lot more than I do.
I've suggested other forms of security but he likes the way AVG runs on his system.

My point being that I think there is more than just one's security set-up.

Common sense plays a big part in my opinion.

My son and I would never open a suspicious e-mail, click on ads or go to questionable sites.

I think it comes down to what works the best on one's system with a little
common sense thrown in. ;D

Kees1958
August 30th, 2009, 01:30 AM
-{ Quote: "
Common sense plays a big part in my opinion.

My son and I would never open a suspicious e-mail, click on ads or go to questionable sights.

I think it comes down to what works the best on one's system with a little
common sense thrown in. ;D" }-

True, of course, but what about a trusted friend, who might have his e-mail address hijacked from a third party or even his service provider?

The smart intrusions using social engineering and exploits are only common knowledge to an in-crowd after they have surfaced. So common knowledge will not help with these types of events.

It basically boils down to the likelihood that an event is going to happen to you (and others in your home network) specifically, and the impact it has.

Default-deny execution (1) and policy management/virtualisation (2) are the two most proven ways to prevent something from happening (1) and to limit its impact (2).

Filtering out anomalies/unaddressed requests (e.g. a firewall at the basic level and a spam filter at the specific level) and known bad guys (antivirus) will reduce the chances of something happening dramatically. Discussions on what is best are personal preferences within the options available.

Again, common sense will not help you much with low-level intrusions (e.g. the firewall filtering out unsolicited messages or messages with protocol errors at the network level, or stack/buffer overflow exploits at the process level, or code exploits hidden in data formats such as PDF or JPG at the data level).

Common sense is a topping on your approach and highly overrated for its effectiveness when dealing with low-level intrusions.

Regards Kees
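An added example, not from any poster in the thread and not any product's actual rule format, of the default-deny execution idea Kees describes above: a process may start only if an explicit allow rule names it, and everything else is refused. It is written in Python with constructed sample events (the byte strings are stand-ins, not real executables). The two rule shapes (trusted directory, known file hash) are assumptions modelled loosely on SRP-style path and hash rules, and the refusal of allowlisted paths that a standard user can write to is the usual practitioner's caveat, added here rather than taken from the page:

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ExecRequest:
    """One 'process about to start' event (constructed for this example)."""
    path: str               # image path as Windows reports it
    content: bytes          # bytes of the image on disk (stand-in data below)
    writable_by_user: bool  # can a standard user modify this file or its directory?


def _norm(path: str) -> str:
    # Case-insensitive, backslash-normalised so C:/Windows and c:\WINDOWS compare equal.
    return str(PureWindowsPath(path)).lower()


class DefaultDenyPolicy:
    """Allow only what an explicit rule names; everything else is denied."""

    def __init__(self, trusted_dirs, trusted_hashes):
        self.trusted_dirs = [_norm(d).rstrip("\\") + "\\" for d in trusted_dirs]
        self.trusted_hashes = {h.lower() for h in trusted_hashes}

    def decide(self, req: ExecRequest):
        """Return (verdict, reason); verdict is 'allow' or 'deny'."""
        p = _norm(req.path)
        digest = sha256_hex(req.content)
        # A hash rule identifies one exact binary, so it holds wherever the file sits.
        if digest in self.trusted_hashes:
            return "allow", f"hash rule {digest[:12]}"
        # A path rule is only as strong as the ACL on that path: if the user can
        # write there, the rule would allow anything they drop in, so refuse it.
        for d in self.trusted_dirs:
            if p.startswith(d):
                if req.writable_by_user:
                    return "deny", f"{d} is allowlisted but the file is user-writable"
                return "allow", f"path rule {d}"
        return "deny", "no matching allow rule (default deny)"


# Constructed sample data: the bytes are stand-ins, not real executables.
KNOWN_GOOD_TOOL = b"MZ constructed stand-in for a known-good portable tool"
POLICY = DefaultDenyPolicy(
    trusted_dirs=[r"C:\Windows", r"C:\Program Files"],
    trusted_hashes=[sha256_hex(KNOWN_GOOD_TOOL)],
)
SAMPLE_REQUESTS = [
    ExecRequest(r"C:\Windows\System32\notepad.exe", b"MZ notepad stand-in", False),
    ExecRequest(r"C:\Users\bob\Downloads\invoice.pdf.exe", b"MZ dropper stand-in", True),
    ExecRequest(r"C:\Program Files\SomeTool\plugins\helper.exe", b"MZ helper stand-in", True),
    ExecRequest(r"C:\Users\bob\Tools\putty.exe", KNOWN_GOOD_TOOL, True),
]


def evaluate_all(policy, requests):
    """Verdicts for a batch of requests, in order."""
    return [policy.decide(r)[0] for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        verdict, why = POLICY.decide(r)
        print(f"{verdict:5} {r.path}  ({why})")
```

The second and third requests show the two ways a default-deny policy earns its keep: the download is denied because nothing vouches for it, and the plugin under Program Files is denied because the directory is allowlisted but the file could have been written by the user, which would otherwise turn the path rule into a hole. The last request is allowed by hash even though it lives in a user directory.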

noone_particular
August 30th, 2009, 01:39 AM
There is no single correct approach to security. Every method has its strengths and weaknesses, advantages and disadvantages. The best approach is the one that matches the users skill, needs, and available time.

I started with a security suite, Norton Internet Security, a firewall, AV, popup blocking, privacy defender combination. I fell for the "one suite does it all" advertising, 2002 I think it was. Less than 6 months later, a malicious webpage went right through the popup blocker, crashed the AV and then the firewall. The whole suite crashed followed by the OS. Upon reboot, Norton informed me that I was infected but it couldn't remove it. Later on, something on that system decided to connect out (dialup internet service at the time) in the middle of the night, granted itself internet access through the firewall and sent out several megabytes of data. Whatever it was then deleted itself. Norton logged the entire event but did nothing to prevent it. That was the last security suite I've used.

Afterwards, I learned about free AVs, firewalls, and other tools. Installed AntiVir, which was a keeper for many years. Went through a few firewalls, Zone Alarm, Tiny, and eventually Kerio, which I still use. Found anti-spyware software. Somewhere during this time, I got the idea that if one is good, two or more is better. That evolved into 2 firewalls, 3 AVs, too many anti-spyware, and most every other free security app I could find. It was a configuration nightmare that went to hell every time one of them updated. My system was very bogged down and every time one of them updated, the new version was more bloated than the one before. I was dragging my system to a halt. Sure, my system was quite secure, but for the wrong reasons. There weren't any resources left to run malware.

I was forced to abandon this mess by AV updates that made it nearly impossible to run the AVs the way I wanted. I also lost all trust and respect for some anti-spyware apps/companies when I found that they ignored their own threat assessment criteria when an adware company threatened to sue them. After a very heated debate at their forum, several of us walked away and/or were banned for having the nerve to question them in open forum. Combined with similar incidents involving other signature based security software, I'd lost all trust in such products.

About this time I learned about System Safety Monitor, somewhere around version 1.8. By this time, I had a basic working knowledge of how Windows worked, but was very intimidated by SSM. It was a lot different in its early days, but was probably the best teacher I'd ever had regarding how an OS worked and how to defend it. By the time SSM 1.94 was released, it was at the core of my defenses. About that time, AntiVir updated from a smooth running, lightweight AV to a version with too many processes, unfixed bugs, stability issues, the works. Their forums were plugged with complaints for problems that weren't being fixed. I'd obtained more hardware by this time, so I made a copy of my system, secured it with SSM and Kerio, and made a serious effort to infect it. After about 6 months of malicious and drive-by sites, infected mail, and collecting every piece of malware I could get (about 40MB worth), I concluded that SSM was completely capable of preventing my system from being altered unless I chose to allow it, and SSM could be set up to say no for me. I no longer had to worry about what another user might do. Default-deny had impressed me enough to become my security policy. I threw out every AV, anti-trojan, anti-spyware, etc and started using the core package that I'm using now, SSM, Kerio 2.1.5, Proxomitron. Since then, I've applied the default-deny policy to the activities of the allowed processes, their internet access, and the web content reaching internet apps. It's been over 5 years since anything has infected my system. The performance improvement was amazing. With Norton, my boot time was almost 3 minutes. It was worse with my multiple firewall, AV mess. Now it's 45 seconds. With no AV in the way, my internet connection flies. For me, default-deny is THE correct security approach. My system will not change at all unless I specifically choose to change it.

I would not expect someone who isn't a computer hobbyist to adopt this approach. The time it takes to learn your system well enough to implement such a defense makes it the wrong security approach for most users. I wouldn't dare to implement this full package on any of my clients PCs, but I can use some of the components with more permissive settings. No matter what approach you choose, there's a price to pay, but that price doesn't have to be paid with money. I paid with time, time spent learning my system and the apps I use. Those who can't or won't invest their time pay with money and get a security suite.

Sandboxing is another approach that can be very good. I'm quite impressed with SandBoxie but I will not put it in the position of having to stand alone. On the Win2K system it's installed on, I use it to isolate the attack surface. The rest of the OS is still protected by my standard package and security policy. The same applies when I use a virtual OS. The host system is default-deny protected. IMO, that's the correct approach when using these tools. No matter how good they are, there's no guarantee that some malicious code won't find a way to break out of that containment and infect the underlying system. If/when that happens, chances are that you won't be aware of it. They should not be expected to stand alone.

System backups should be part of every approach, no matter what it is. I don't consider backups to be part of my security package. Except for test systems, I've never had to use one to fix an infection. That said, there's plenty of other reasons to have backups of both system and data:
hardware failure
accidental deletion
file corruption
a new application proves to be incompatible with other software
a defective Windows update
a security app update with false positives that deletes or quarantines system files
an update to an app you use breaks something else or takes away features you want, and you want the old version back

What you use for backups isn't that important, as long as it works. Until you know that it can be trusted to work properly, you should find a way to test it. A 2nd hard drive bought used will do. Depending on what you use, a virtual system may work as well. Nothing is worse than needing to restore your system and finding the backups are corrupt or incomplete.
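The post's last point, that a backup is only worth something once you know it restores completely and intact, can be checked mechanically instead of trusted. The following is an added example, not code from the post or from any backup product: it records a SHA-256 manifest of a (constructed) file tree at backup time, then verifies a restored copy against that manifest and reports files that are missing or whose contents differ. The file names, contents and the corruption/deletion it injects are all made up for the demo; the manifest is written beside the image so it survives independently of the backup tool.

```python
"""Backup manifest: prove a backup is complete and intact before you need it.

Added example (not from the original post). Builds a small constructed file
tree, records a SHA-256 manifest at backup time, copies the tree, then verifies
the copy. Corrupting one file and deleting another reproduces the two failure
modes the post warns about: corrupt and incomplete backups.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {size, sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def verify_backup(root, manifest):
    """Compare a restored tree with the manifest taken at backup time."""
    actual = build_manifest(root)
    missing = sorted(p for p in manifest if p not in actual)
    corrupt = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    extra = sorted(p for p in actual if p not in manifest)  # informational only
    return {"ok": not (missing or corrupt), "missing": missing, "corrupt": corrupt, "extra": extra}


def demo():
    """Constructed scenario: one clean restore and one damaged restore."""
    work = tempfile.mkdtemp(prefix="bkp_")
    try:
        src = os.path.join(work, "system")
        os.makedirs(os.path.join(src, "etc"))
        with open(os.path.join(src, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(src, "boot.ini"), "w") as f:
            f.write("[boot loader]\n")

        manifest = build_manifest(src)
        # Keep the manifest next to the image, outside the tree it describes.
        with open(os.path.join(work, "manifest.json"), "w") as f:
            json.dump(manifest, f)

        good = os.path.join(work, "restore_good")
        shutil.copytree(src, good)
        good_report = verify_backup(good, manifest)

        bad = os.path.join(work, "restore_bad")
        shutil.copytree(src, bad)
        with open(os.path.join(bad, "etc", "hosts"), "a") as f:
            f.write("0.0.0.0 update.example\n")  # silent corruption or tampering
        os.remove(os.path.join(bad, "boot.ini"))  # incomplete restore
        bad_report = verify_backup(bad, manifest)
        return good_report, bad_report
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=2))
```

Run the verification against a real restore onto the spare drive the post mentions, not against the source tree, since the point is to exercise the restore path end to end.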

danny9
August 30th, 2009, 02:31 AM
-{ Quote: "True of course, but what about a trusted friend who might have his e-mail address hijacked by a third party or even his service provider?

The smart intrusions using social engineering and exploits are only common knowledge to an in-crowd after they have surfaced. So common knowledge will not help with these types of events.

It basically boils down to the likelihood of an event happening to you (and others in your home network) specifically and the impact it has.

Default deny execution (1) and policy management/virtualisation (2) are the two most proven ways to prevent something from happening (1) and limit its impact (2).

Filtering out anomalies/unaddressed requests (e.g. firewall at basic level and spam filter at specific level) and known bad guys (anti-virus) will dramatically reduce the chances of something happening. Discussions on what is best are personal preferences within the options available.

Again, common sense will not help you much with low-level intrusions (e.g. the firewall filtering out unsolicited messages or messages with protocol errors at network level, or stack/buffer overflow exploits at process level, or code exploits hidden in data formats such as PDF or JPG at data level).

Common sense is a topping on your approach and highly overrated for its effectiveness when dealing with low-level intrusions.

Regards Kees" }-

Thanks for your input Kees.
As usual you bring up some valid points. :thumb:

I agree with you on low level intrusions, stack/buffer overflow and protocol errors.
I didn't mean to come across that some common sense is a cure-all for all the ills of the internet. It's not, but can save users from some needless problems and ills.

Osaban
August 30th, 2009, 05:13 AM
-{ Quote: "
System backups should be part of every approach, no matter what it is. I don't consider backups to be part of my security package. Except for test systems, I've never had to use one to fix an infection. That said, there's plenty of other reasons to have backups of both system and data:
hardware failure
accidental deletion
file corruption
a new application proves to be incompatible with other software
a defective Windows update
a security app update with false positives that deletes or quarantines system files
an update to an app you use breaks something else or takes away features you want, and you want the old version back

What you use for backups isn't that important, as long as it works. Until you know that it can be trusted to work properly, you should find a way to test it. A 2nd hard drive bought used will do. Depending on what you use, a virtual system may work as well. Nothing is worse than needing to restore your system and finding the backups are corrupt or incomplete." }-

A very informative post particularly for people who are developing an interest in computer security. It's funny to read how many members began the security melodrama with a Norton suite (I will never forget NIS 2004)!

When one mentions 'security' it isn't just what is blatantly destructive as a virus or a worm can be. What seems to be happening to me every other month are either configuration mistakes or conflicts which often end up crashing the system.

Yesterday, for example, I was trying out an online storage software on my new netbook. The damn software completely paralyzed the machine and I could barely shut down and reboot in the same conditions, no way to uninstall the offending application. I'm not kidding, it took me 2 minutes to start the ShadowProtect recovery CD and 4 minutes to restore my system (XP + programs are about 10GB).

There are things that can be prevented, but situations as the one that I've just described can only be resolved either with a complete reinstall (time consuming), an image (6 minutes), or a great knowledge in computer diagnostics (which I certainly don't have).

I also agree there are different strategies in keeping computers in tip-top condition, it is a matter for users to choose the one most appropriate for their habits and environments.

pbw3
August 30th, 2009, 11:13 AM
Started (wrt Windows) with ZoneAlarm Pro firewall with A/S & adblocker - the most important aspect was always "being careful" - and I never saw the need for an AV..

Then, on a new machine, used also for business and with "a need to be able to demonstrate that I was properly securing", I also tried running with an AV and some other bits and pieces - and promptly learnt all about FPs..

Finally, through reading more at Wilders etc than I should ever have had time for, I think I have finally properly understood the holy grail of not allowing malware (or anything unknown for that matter) to run, and understanding more clearly the means by which it might try to run..

Hence, I now try to follow the sound advice of those on here who advocate whitelisting (ie an anti-executable or "default deny" approach rather than the "default allow / blacklist deny" of the AV world) to deny the likely points of attack from the likely sources of attack, as best as I understand them - as follows:

1) Firewall
2) Browser initially in default deny (Javascript, i-frames, Java, plug-ins etc), adblock, autorun disabled, macros restricted, etc..
- [..1) and 2) should be enough most of the time]
3) LUA / SRP / DEP etc - Provided that the admin password is not entered: Then unless it is already installed, it cannot run...
4) Sandboxie - Just in case it does!
5) A blacklist (AV etc), for which the best value to me is the additional opinion etc as regards something that I have already decided to trust and install, but for which an upload facility can perform equally well..

I am sure you guys understand all this far better than me, but if whitelisting does become more "main stream" on OOTB set ups, then do blacklist products going forwards, to protect their substantial revenue streams, increasingly also act as whitelisters (or even simple HIPS), ie like an Online Armour Oasis equivalent concept alongside the existing blacklist? You might then have say four settings, if ever any program or executable tries at all to run (or download):

1) Known malware - Deny
2) Heuristic malware - Most likely to be bad - strongly suggest deny unless known (ie by the user) to be good
3) Unknown - Only if you are sure?
4) Known good program - Allow

along with user policies available to determine whether 1) to 4) are questions for the user, predetermined allow / disallow or whatever. Hence, 3) on routine browsing could be default configured to be "prompt" blocked (or even simply auto-blocked)..

Because of the "Known good program" list, this might even have value over the combination of "SRP (or other anti-executable) plus blacklist A/V", especially for "the practical home user" or equivalent looking for an all in one and not wanting to understand too much..?? Is this already happening with the AV (or cloud) feedback options - by collating information about what their users are running, are they effectively generating whitelists for ongoing products..??

Peter

noone_particular
August 30th, 2009, 12:27 PM
-{ Quote: "I am sure you guys understand all this far better than me, but if whitelisting does become more "main stream" on OOTB set ups, then do blacklist products going forwards, to protect their substantial revenue streams, increasingly also act as whitelisters (or even simple HIPs), ie like an Online Armour Oasis equivalent concept alongside the existing blacklist." }-
They have been to a degree. For vendors, whitelisting has many of the same problems as blacklisting, mainly keeping that list up to date and complete. Whitelisting has to include some form of integrity checking or it's worthless. The problem arises with new versions, especially new system components introduced by Windows Update. The vendors don't get to see these files any earlier than the users do. When for example the digital signature of explorer.exe doesn't match any of the known ones, there are 2 possible reasons:
1. It's a new version that's just been released or one that was missed.
2. It's a malicious file with the same name that replaces the legitimate file.
Does the vendor allow it to run?

With the addition of some form of authentication, it would be possible to create a commercial whitelisting based security package. It would require a lot of cooperation between all software vendors to be good. Verification that they are clean would be another huge problem. For that reason, strong whitelist based security setups aren't likely to be mainstream. Keeping track of all the good files is just as bad as keeping up with all of the malicious ones. Fortunately, that isn't necessary for your own system. All you have to keep track of is the known good ones on your system, a few hundred executables or so, a very small workload in comparison.

Whitelisting the executables is not the whole story. It's only the starting point. Legitimate files can be used maliciously. You wouldn't want your instant messaging program editing your configuration files or your browser adding/removing registry autostart keys. I wouldn't want a PDF reader launching my mail handler. All the files may be legitimate, but I don't want one routinely running the other. That's one of the primary reasons I prefer HIPS over the built-in restriction tools.

IMO, the ability to control what processes each one can start or be started by (parent-child settings) is important. The downside is the same as before. The user has to know or be able to determine what other executables each process needs to be able to launch in order to work properly. Rules this specific take time to create properly. Specific parent-child settings can prevent a lot of new/unknown exploit code from working properly. While most exploits will eventually want to download some type of executable payload (which can be blocked as an unknown) they often involve getting the targeted application to perform some task they wouldn't normally do. Quite often, the official patch is nothing more than a blacklisting of that specific activity. That can get almost as unlimited as the malicious files themselves. Killbits are examples of this. I'd rather whitelist the activities I need to allow than to try to keep up with what shouldn't be allowed.

I should mention that I'm using unsupported operating systems and systems that are at the end of their support cycle. These require a default-deny policy in order to be used securely as conventional security applications dropped or are dropping support for them. That said, a default-deny policy will work on new systems just as well, within the limits of what the OS will allow you to control.
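The two posts above (pbw3's four verdict classes and noone_particular's replies) describe a policy that can be written down and tested. The following is an added example, not code from either poster or from SSM or any other product: executables are identified by SHA-256 rather than by name, so a file that calls itself explorer.exe but hashes differently is "unknown" and denied until an administrator explicitly approves it; known malware is denied outright; and a known good file is still denied when the parent process is not one the policy permits to launch it (the PDF reader launching the mail client case). The "binaries", hashes, names and launch events are all constructed for the demo.

```python
"""Default-deny execution policy: integrity-checked whitelist plus parent-child rules.

Added example, not code from the original posts or from any product. Models
three points made above: a whitelist must carry an integrity check (files are
identified by SHA-256, never by name); a file on neither list is unknown and is
denied by default; and even a known good executable may only be started by the
parents the policy names. All "file contents" below are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real binaries.
GOOD_EXPLORER = b"explorer.exe v5.1 (constructed)"
GOOD_ACROBAT = b"acrord32.exe (constructed)"
GOOD_MAIL = b"outlook.exe (constructed)"
TROJAN = b"dropper (constructed)"

KNOWN_GOOD = {sha256_bytes(b) for b in (GOOD_EXPLORER, GOOD_ACROBAT, GOOD_MAIL)}
KNOWN_BAD = {sha256_bytes(TROJAN)}

# Parent-child whitelist: parent hash -> set of child hashes it may launch.
# Anything not listed is denied, including legitimate-but-unexpected launches.
PARENT_RULES = {
    sha256_bytes(GOOD_EXPLORER): {sha256_bytes(GOOD_ACROBAT), sha256_bytes(GOOD_MAIL)},
    sha256_bytes(GOOD_ACROBAT): set(),  # the PDF reader may launch nothing at all
}


@dataclass
class ExecEvent:
    path: str         # what the file calls itself (untrusted)
    content: bytes    # what the file actually is (hashed)
    parent_hash: str  # hash of the process requesting the launch


def classify(content):
    """known_bad / known_good / unknown, by hash only."""
    h = sha256_bytes(content)
    if h in KNOWN_BAD:
        return "known_bad"
    if h in KNOWN_GOOD:
        return "known_good"
    return "unknown"


def decide(event):
    """Return (verdict, reason). Everything not explicitly allowed is denied."""
    h = sha256_bytes(event.content)
    cls = classify(event.content)
    if cls == "known_bad":
        return "deny", "known malware"
    if cls == "unknown":
        # Same name as a system file does not make it that file.
        return "deny", f"unknown file {event.path} (hash {h[:12]}...)"
    if h not in PARENT_RULES.get(event.parent_hash, set()):
        return "deny", f"parent not permitted to launch {event.path}"
    return "allow", "known good, permitted parent"


def approve(content, parent_hashes):
    """Administrative step: after checking a new version, whitelist it explicitly."""
    h = sha256_bytes(content)
    KNOWN_GOOD.add(h)
    for p in parent_hashes:
        PARENT_RULES.setdefault(p, set()).add(h)
    return h


def demo():
    explorer = sha256_bytes(GOOD_EXPLORER)
    acrobat = sha256_bytes(GOOD_ACROBAT)
    events = [
        ExecEvent("acrord32.exe", GOOD_ACROBAT, explorer),                        # allow
        ExecEvent("explorer.exe", b"replaced explorer (constructed)", explorer),  # unknown
        ExecEvent("outlook.exe", GOOD_MAIL, acrobat),                             # bad parent
        ExecEvent("update.exe", TROJAN, explorer),                                # known bad
    ]
    return [decide(e)[0] for e in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The answer to "does the vendor allow it to run?" is built into decide(): a new explorer.exe is denied until approve() is called for that exact hash, which is the per-system workload the post describes rather than a vendor-wide list.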

wat0114
August 30th, 2009, 12:51 PM
Just my opinion but an approach I've fondly taken to recently:


The router should always be a staple for the perimeter, even just a basic home NAT unit.
Some form of application network access control: A software firewall or something like Sandboxie to restrict Internet access to selected sandboxed programs.
Virtualization/sandboxing; Either a virtual guest such as Virtualbox or another or sandboxing such as Sandboxie. Better yet, combine the two which I have recently done.
Use a limited account whenever possible
SRP or maybe Surun to restrict software installation, especially unexpected running of executables.

IMO it's tough to get much more bullet proof than this without sacrificing excessive system resources or usability.

I have run some malware samples recently in the virtualbox guest and they just don't seem to have any real impact whatsoever. Maybe they don't like the combination of the virtual environment running in limited accounts on top of the host limited account, no less? Who knows, but they have not been at all successful at inflicting noticeable damage. Besides, when I'm done and just to be safe, all I have to do is revert to the current snapshot and I'm right back to a perfectly clean slate again. So easy :)

noone_particular
August 30th, 2009, 05:21 PM
-{ Quote: "IMO it's tough to get much more bullet proof than this without sacrificing excessive system resources or usability." }-
This depends on what you consider to be "sacrificing usability". On my system, SSM normally runs with the user interface (UI) disconnected. This setting corresponds to a limited user mode in which default-deny is strictly enforced. In this mode, SSM will deny anything not whitelisted and will not prompt the user. The user can't install or update anything, but everything already installed will function normally, within the restrictions set by the rest of the security policy.

In order to install new software or to update existing software, the UI of SSM has to be connected, which requires a password. In this setting which corresponds to an administrator mode, the user is prompted for new and unknown items. Switching from one mode to the other is quick and easy (for the administrator) and can be done from each user's account or profile. For users without the administrative password, it's impossible.

On my system, I consider updating and installing software to be administrative tasks, not to be performed by the users. In other environments, this policy would be unacceptable depending on who actually owns the PC. Depending on how your system is equipped, variations of this policy are possible, such as new installs are only permitted in virtual environments, not on the host system. That would allow whoever maintains the system to evaluate the new software before installing it on the host system. This should all be part of your base security policy.

IMO, most people approach PC security from the wrong direction. The user/administrator should first take the time to lay out that security policy and work out the details for different situations. The PC's primary role is specified. This should include separating user and administrator privilege, specific policies for installing and updating, what the default applications for different file types will be, how much (if any) access users have to the configuration of the system, software, and security package, etc. Once the policy is ironed out, then security and user software is selected that can best enforce that policy. When approached from this direction, the user is less likely to leave gaps and vulnerabilities in their security package and will cover scenarios they might not have accounted for otherwise. When the security policy is well thought out and the security software, operating system, and user software are all selected/configured to enforce it, you'll have achieved the balance between security and usability that matches your needs.
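The two modes described in the post above (UI disconnected, where unknown items are silently denied, versus a password-gated administrator mode where they are prompted and installs are allowed) are a policy that can be expressed in a few dozen lines. The following is an added example and not SSM's code or the poster's: one Enforcer object, a locked mode that never prompts, an unlock that requires the administrative password (checked with PBKDF2 and a constant-time compare from the standard library), and install/update operations that are denied outside admin mode. The password, the whitelist and the events are constructed for the demo.

```python
"""Two enforcement modes for one default-deny policy (added example, not SSM's code).

'locked' corresponds to the UI-disconnected / limited-user state described
above: anything not whitelisted is denied and nobody is asked. 'admin' is
reached only with the administrative password and is the only state in which
unknown items produce a prompt and installs/updates are permitted. The password
and event names are constructed for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def make_password_record(password: str):
    """Return (salt, digest) for storing the admin password; never store it plain."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Enforcer:
    # Operations reserved for administrator mode; everything else is denied.
    ADMIN_ONLY = {"install", "update", "change_config"}

    def __init__(self, password_record, known_good):
        self._salt, self._digest = password_record
        self.known_good = set(known_good)
        self.mode = "locked"
        self.log = []

    def unlock(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, self._digest):
            self.mode = "admin"
        self.log.append(("unlock", self.mode))
        return self.mode == "admin"

    def lock(self):
        self.mode = "locked"

    def request(self, op, subject, prompt=None):
        """Return 'allow', 'deny' or 'prompt' for an operation on a subject.

        prompt is an optional callable(subject) -> bool standing in for the
        administrator's answer; it is only ever consulted in admin mode.
        """
        if op == "run":
            if subject in self.known_good:
                verdict = "allow"
            elif self.mode == "admin":
                if prompt is None:
                    verdict = "prompt"
                elif prompt(subject):
                    self.known_good.add(subject)  # approved once, runs in either mode after
                    verdict = "allow"
                else:
                    verdict = "deny"
            else:
                verdict = "deny"  # locked mode: no prompt, no exception
        elif op in self.ADMIN_ONLY:
            verdict = "allow" if self.mode == "admin" else "deny"
        else:
            verdict = "deny"
        self.log.append((self.mode, op, subject, verdict))
        return verdict


if __name__ == "__main__":
    e = Enforcer(make_password_record("constructed-admin-pw"), {"sha256:app_a"})
    print(e.request("run", "sha256:app_a"))      # allow
    print(e.request("run", "sha256:new_tool"))   # deny, silently
    print(e.unlock("wrong"), e.mode)             # False locked
    print(e.unlock("constructed-admin-pw"), e.mode)  # True admin
    print(e.request("install", "sha256:new_tool"))   # allow
```

The log attribute records mode, operation and verdict for every request, which is what you would review to find the rule gaps the post talks about before loosening anything.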

Sully
August 30th, 2009, 06:44 PM
I wonder, if there are so many ways that make a system much more secure, as Wilders is all about, why the OS does not utilize them more? Ever thought that? I mean, I know full well that M$ 'could' roll out an OS that was rigidly secure. But then WHO would buy it? IT/Corporate only? Certainly not most of the users I help.

I think because windows is geared towards the masses, and the masses are mostly basic users, the almighty $$ says make it as easy to use, and as easy to use with all the things the users want to use it with, aka internet gambling and flash movies/games. Don't restrict them too much or they won't spend their $$. And then the flip side, make sure it is capable of becoming secure enough for IT but be sure to make it or its sibling products in a way that 'encourages' staying on the windows platform.

Maybe we should stop using money and go to the barter system with M$. Yeah, you give me Windows 7 Ultimate, and I will use it AND tell my mom and dad to barter their favorite goat for a copy of it. And when I want to become a haxor, I will trade my favorite Bunny Wabbit for a keygen with a virii in it. But I won't have to worry about the virii because since we are bartering the windows is now as easy to use as *nix and just as safe. lol.

Sul.

wat0114
August 30th, 2009, 08:30 PM
-{ Quote: "This depends on what you consider to be "sacrificing usability"." }-

I mean that even though I'm running primarily on a limited account, my programs work fine on it so I'm not having to constantly jump over to my admin account other than for installing software or updates or a few other occasional miscellaneous tasks.

-{ Quote: "On my system, SSM normally runs with the user interface (UI) disconnected. This setting corresponds to a limited user mode in which default-deny is strictly enforced. In this mode, SSM will deny anything not whitelisted and will not prompt the user. The user can't install or update anything, but everything already installed will function normally, within the restrictions set by the rest of the security policy.

In order to install new software or to update existing software, the UI of SSM has to be connected, which requires a password. In this setting which corresponds to an administrator mode, the user is prompted for new and unknown items. Switching from one mode to the other is quick and easy (for the administrator) and can be done from each users account or profile. For users without the administrative password, it's impossible. " }-

Sure, and I've used SSM extensively. It's a great product, low resource usage and one of my all time favourites, but it is quite possible to achieve the same restrictions you mention using SRP or Surun. Also, and unfortunately, SSM is no longer updated. However, this latter caveat is inconsequential if you don't install a patch that conflicts with it.

Kees1958
September 1st, 2009, 09:59 AM
-{ Quote: "Thanks for your input Kees.
As usual you bring up some valid points. :thumb:

I agree with you on low level intrusions, stack/buffer overflow and protocol errors.
I didn't mean to come across that some common sense is a cure-all for all the ills of the internet. It's not, but can save users from some needless problems and ills." }-

Sorry Danny, I know you know, just read too many common sense replies, should have made it a separate post.

I also disagree that there is no correct approach, there is a common approach with different implementations. There are only two variables, risk (management) and impact (or damage control), which have to be tuned to the user's knowledge and wallet.

Regards

Kees1958
September 1st, 2009, 10:12 AM
-{ Quote: "I mean that even though I'm running primarily on a limited account, my programs work fine on it so I'm not having to constantly jump over to my admin account other than for installing software or updates or a few other occasional miscellaneous tasks.
" }-

YEP,

I am always surprised by the limited set of options mentioned on wilders: some of the easy ones are pretty much neglected in favour of the more 'shoot them/nuke them' options.

Hardening,
Rights restriction
Staying out of risky areas/community watch (like WOT)
Black listing
Heuristics
Anomaly or behavior analysis
Intrusion vector control (classic HIPS)
White listing
Virtualisation

Also you will see more vendors including more options in their solutions, so these discussions become less relevant anyway.