
light whitelist application - any good suggestions


ravnen
March 15th, 2010, 04:58 PM
Hello Wilders

I'm looking for a light whitelist standalone application for the average user (prevention strategy).
By reading Rmus' excellent analyses and comments, I really think this is the future.

I know applications like ThreatFire, Online Armor, GesWall, Comodo, DefenseWall etc.
But for the average user I find them too complicated (HIPS learning mode + firewall prompts).

I also heard about the upcoming BLADE. That could be a good candidate, but I have to test and evaluate it first.

Then there is Anti-Executable from Faronics; it's really light and easy.
But some people don't want to pay that kind of money for a small product like this. Also, it seems that Faronics is now aiming their product at the enterprise market.

When I advise people and other security persons about the strength of LUA/SRP, they just don't get it or tell me it's too complicated.
Also, SRP and AppLocker are not in all versions of Windows.

We are all talking about a simple, effective prevention strategy, but finding an application to do the job is quite hard.
If you have other good approaches to a simple whitelist prevention strategy, please let me know.

Thanks,

/Jesper

MrBrian
March 16th, 2010, 12:17 AM
-{ Quote: "
When I advise people and other security persons about the strength of LUA/SRP, they just don't get it or tell me it's too complicated.
Also, SRP and AppLocker are not in all versions of Windows.
" }-

Have you considered setting up LUA/SRP as explained at http://www.mechbgon.com/srp/?

Also, have you considered Pretty Good Security (http://www.wilderssecurity.com/showthread.php?t=244265)?

ravnen
March 16th, 2010, 04:19 PM
-{ Quote: "Have you considered setting up LUA/SRP as explained at http://www.mechbgon.com/srp/?

Also, have you considered Pretty Good Security (http://www.wilderssecurity.com/showthread.php?t=244265)?" }-

Thanks for your feedback.

The links you point to are great sources, and I have used mechbgon's guide many times.
It's also nice that Sully made a great project like PGS.

LUA/SRP can be an easy setup when you sit in front of the user and the laptop (e.g. family, friends, neighbours).
The problem is when you have to advise/guide the user in a newsgroup, forum, ...

Follow the steps below:

Create a new user profile with admin rights.
Make your own account a standard user.
Log in with the admin account.
Remove inherited permissions from Program Files and system folders, etc. (ACL).
Set up SRP (deny-all policy), then log out.
Log in with the standard account.
Test the setup.

Somewhere in the above process the user will say to me, "STOP... are you mentally ill?"

Don't get me wrong, to me it's one of the best and most secure setups, but for the average user it can be really hard to understand.
That's why I'm looking for a simple "set up and forget" whitelist application that can protect them against drive-by exploits/USB/mail/DVD.

Some other simple freeware alternatives would be nice; we really need them today.

Thanks,

/Jesper
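The seven steps above, scripted. This is an added example, not code from the thread or from mechbgon's guide, and it assumes PowerShell 5.1 on Windows 10/11 (the LocalAccounts cmdlets do not exist on the XP/7 machines the thread had in mind; there you would use `net user`/`net localgroup` and secpol.msc). The account name `LocalAdmin` is hypothetical, and the registry layout under `HKLM\...\Safer\CodeIdentifiers` is the one the Local Security Policy snap-in writes for Software Restriction Policies. The ACL step is done as an audit rather than a modification, since on Vista and later the default ACLs on Program Files and Windows already deny standard users write access.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): Jesper's LUA/SRP recipe for PowerShell 5.1.
# Assumptions: account name 'LocalAdmin' (hypothetical) and the SRP registry
# layout under CodeIdentifiers, which is what secpol.msc writes.
param(
    [string]$AdminName = 'LocalAdmin',   # hypothetical elevation-only account
    [string]$DailyUser = $env:USERNAME   # the account that becomes a standard user
)

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SRP security level "Disallowed"
$Unrestricted = 0x40000   # SRP security level "Unrestricted" (262144)

# Steps 1-2: a separate admin account, then the daily account becomes a standard user.
function New-SeparateAdmin([string]$Name) {
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $Name"
        New-LocalUser -Name $Name -Password $pw -PasswordNeverExpires | Out-Null
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
}

function Demote-DailyUser([string]$Name, [string]$KeepAdmin) {
    # Lockout guard: the new admin must already be in the group before anyone is removed.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] }
    if ($admins -notcontains $KeepAdmin) { throw "$KeepAdmin is not an administrator, refusing to demote $Name" }
    if ($admins -contains $Name) { Remove-LocalGroupMember -Group 'Administrators' -Member $Name }
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
}

# Step 4 (ACL), as an audit: any allowed path a standard user can write to defeats
# the whitelist, because a binary dropped there would run. Slow on a full tree.
function Find-UserWritableDirs([string[]]$Roots = @($env:ProgramFiles, $env:SystemRoot)) {
    $lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $write   = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $dir = $_
            $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
            $hit = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $lowPriv -contains $_.IdentityReference.Value -and
                (($_.FileSystemRights -band $write) -ne 0)
            }
            if ($hit) { $dir.FullName }
        }
    }
}

# Step 5: SRP deny-by-default, allowing only paths a standard user cannot write to.
function Add-SrpPathRule([int]$Level, [string]$Path, [string]$Description) {
    $key = "$Safer\$Level\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

function Set-SrpDenyByDefault {
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel        -Type DWord -Value $Disallowed  # deny unless a rule allows
    Set-ItemProperty -Path $Safer -Name PolicyScope         -Type DWord -Value 1            # all users except local admins
    Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Type DWord -Value 1            # 1 = skip DLLs, 2 = check DLLs too
    Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Type DWord -Value 0
    Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows'
    Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' 'Program Files'
    Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%' 'Program Files (x86)'
}

# Step 7, run as the standard user after logging back in: a copy of a system binary
# in a user-writable folder must be refused ("This program is blocked by group policy").
function Test-SrpEnforced {
    $probe = Join-Path $env:TEMP 'srp-probe.exe'
    Copy-Item -Path "$env:SystemRoot\System32\whoami.exe" -Destination $probe -Force
    try {
        Start-Process -FilePath $probe -Wait -WindowStyle Hidden -ErrorAction Stop
        return $false   # it started, so SRP is not enforcing for this user
    } catch {
        return $true    # expected under a deny-all policy
    } finally {
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    }
}

# Step 3 is "log in as admin": run this elevated. Demotion comes last so the script
# keeps its rights; then log out and log in as the standard user, as the post says.
New-SeparateAdmin -Name $AdminName
Set-SrpDenyByDefault
Find-UserWritableDirs | ForEach-Object { Write-Warning "standard users can write into allowed path: $_" }
Demote-DailyUser -Name $DailyUser -KeepAdmin $AdminName
```

Two design choices worth knowing before handing this to someone: `PolicyScope = 1` exempts local administrators so the elevation-only account can still install software, which is why `Demote-DailyUser` is guarded against removing the last administrator; and `TransparentEnabled = 1` matches the usual "all software files except libraries (DLLs)" setting, while `2` also checks DLLs at the cost of more breakage. SRP is evaluated when a process starts, so the log-out/log-in in the original steps is what makes `Test-SrpEnforced` meaningful for the demoted account.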

Mrkvonic
March 16th, 2010, 04:33 PM
Try SuRun; while not a whitelister per se, it will make your account limited, and you can elevate privileges when needed, so you get an automatic whitelisting approach for many undesired changes, whether triggered by you or by something else.
Mrk

Sully
March 16th, 2010, 04:45 PM
I am wondering, how can you tell someone to use a whitelist tool when they don't fully understand what is going on anyway? I have the same issues with those I support. It seems to boil down to some very easy situations:

1. The person(s) are inclined to learn, so you walk them through your security scheme, explaining what is happening. If they are interested, they grow from there.

2. The person(s) are not inclined to learn; they just want protection and security. Whether they are admin or user, they don't want to understand what is happening. I suggest making them a user and, as Mrkvonic says, a SuRun/UAC type approach. It does not matter IMHO at this point, as the user is going to give admin approval to whatever they want to run.

In my mind these types of situations have no real clear-cut solution. Without the interest to understand that some things are not allowed and, more importantly, why they aren't allowed and how to circumvent the protection when needed, I don't know how they are supposed to have any security. It is like putting a HIPS/firewall on a novice's machine: they just click yes/allow and move on.

Sandboxie, I have found, is a good tool for these types, along with LUA mode. For some reason, explaining that everything is "locked inside the sandbox" and that "you have to get it out to keep it" is fairly well accepted.

I wish you luck; it is no easy task to teach technical details or use technical tools with someone who does not want to know about the technicalities.

Sul.

MrBrian
March 16th, 2010, 08:13 PM
List of Anti-Executables (http://www.wilderssecurity.com/showthread.php?t=252601)

Returnil also has anti-executable functionality.

ravnen
March 18th, 2010, 11:08 AM
Hi

Thanks for all your great comments and suggestions.
I agree with you; it can be hard to advise some newcomers to look into prevention instead of detection.
I'm just so sick and tired of the whole anti-malware industry as we see it today.

- Bigger security suites, with only 300-page PDF manuals.
- Constant deployment of beta/upgrade/update features. Always keeps the poor user busy.
- Constant malware/performance/crash/bug/BSOD issues in all the support forums.
- Cloud AV/services, where some of the pitfalls could be DDoS attacks, infection in the cloud, availability and privacy.
- Scary headlines all over, in the press/media and security forums/blogs.
- Big business. They fear that doing prevention would mean a loss of profit.

Does the above give end users a better understanding of basic attack vectors?
To me, that is the main problem. Nobody in the press/media gives hardly any advice about simple prevention.
I believe many people today have the skills, but they need 5-10 minutes of education about the subject "prevention vs detection".
That belief keeps me going :-).

/Jesper

philby
March 18th, 2010, 11:45 AM
If, as you say, you're talking about the average/newcomer user, I'd go for Returnil Free (as flagged by MrBrian) and set it to "Trust programs from real disk only".

I use it; it's simple, unobtrusive, makes you think that little bit longer about what you allow to run, and (hopefully) alerts you to any non-requested install, though I couldn't comment on whether it's absolutely watertight...

philby

ravnen
March 19th, 2010, 02:46 PM
Hi philby

Thanks for the tip. Do you know if I can trim down the features in Returnil and only use the anti-executable function?

/Jesper

philby
March 19th, 2010, 03:32 PM
System Safe needs to be on, set to either save or drop changes, but that's the only requirement.

philby

ravnen
March 19th, 2010, 06:48 PM
Thanks, I will give it a try. Have a nice weekend.

/Jesper