The Best rootkit Prevention???


jmonge
October 6th, 2010, 12:25 AM
What will be the best rootkit prevention??? detection??? blocking??? etc. Any comments??? Thanks friends ;) :thumb:

moontan
October 6th, 2010, 12:32 AM
-{ Quote: "What will be the best rootkit prevention??? detection??? blocking??? etc. Any comments??? Thanks friends ;) :thumb:" }-

Since signature-based AVs are mostly useless against 0-day malware, I think we can only rely on light virtualization (GeSWall/DefenseWall/Sandboxie) or anti-executable apps (AppLocker and the like).

jmonge
October 6th, 2010, 12:42 AM
I think HIPS also, as they protect the whole system ;)

Triple Helix
October 6th, 2010, 12:45 AM
Don't play with malware ;D

TH

Boost
October 6th, 2010, 12:46 AM
Easy: Stay away from questionable websites.

Next question?

moontan
October 6th, 2010, 12:54 AM
*puppy* -{ Quote: "Easy: Stay away from questionable websites.

Next question?" }-

How do we know if this stuff is any good if we only go to safe sites? :P *puppy*

Boost
October 6th, 2010, 12:56 AM
-{ Quote: "*puppy*

How do we know if this stuff is any good if we only go to safe sites? :P *puppy*" }-

Talk to the guy behind the keyboard ;D

Kernelwars
October 6th, 2010, 01:17 AM
Most of the malware which uses rootkit technology comes to the system through exploits in the web browser. If the browser is sandboxed, then there is no way malware can enter the system, as Sandboxie intercepts all the data flow from the browser and stores it in its transient storage area. ;D

Boyfriend
October 6th, 2010, 01:33 AM
I will recommend DefenseWall as it can protect you very well against rootkits & other bad stuff. Another option would be Emsisoft Mamutu, as it is also very effective against bad stuff/rootkits/keyloggers etc.

blacknight
October 6th, 2010, 02:23 AM
-{ Quote: "What will be the best rootkit prevention??? detection??? blocking??? etc. Any comments??? Thanks friends ;) :thumb:" }-

If only one, HIPS.

Konata Izumi
October 6th, 2010, 05:47 AM
Just don't execute anything but what is trusted and verified by you :thumb:
So... default-deny or an anti-execution method is my best answer.

jmonge
October 6th, 2010, 08:03 AM
Cool ;) very true :thumb:

EASTER
October 6th, 2010, 10:31 AM
I REPEAT THIS FOR THE umpteenth TIME.

Always "Keep" a pair of clean system backups either on external or internal hard drives as an absolute failsafe safety solution against not only rootkit or virus attack but hardware failures too.

You will be so glad that you did one day.


My own personal backup choices remain both Paragon & Drive Snapshot. Without a solid physical backup plan the best laid plans (aka troubled software/viruses) can go sadly awry and ruin your time and data in a single bound..

EASTER

atomomega
October 6th, 2010, 04:05 PM
A strong HIPS should be able to stop (or at least warn you about) a rootkit patching/modifying system files... :thumb:
As EASTER said, a backup strategy is always mandatory against zero-day stuff....

moontan
October 6th, 2010, 04:20 PM
-{ Quote: "A strong HIPS should be able to stop (or at least warn you about) a rootkit patching/modifying system files... :thumb:
As EASTER said, a backup strategy is always mandatory against zero-day stuff...." }-

The problem I have with HIPS is that often their warnings are way too technical for me.
Even if I search on the Net about the names shown in the warnings, I am left having to choose to Deny or Block something I don't quite fully understand.

For me, it's way too risky to use HIPS, although I like Online Armor Premium a lot.
I just had to stop using it for those reasons. :doubt:

Matthijs5nl
October 6th, 2010, 04:20 PM
At this moment a 64-bit OS still prevents 95% of the rootkits; next to that I use just my antivirus and nothing else (except for some other OS hardening).

noone_particular
October 6th, 2010, 07:20 PM
A HIPS is only as good as the one who configures it and the security policy it's enforcing. If that policy is default-deny and the HIPS is well configured, rootkits are not a threat.

jmonge
October 6th, 2010, 07:50 PM
Is there a special rule to make in HIPS for stopping rootkits?

CloneRanger
October 6th, 2010, 07:54 PM
-{ Quote: "Originally Posted by jmonge

Is there a special rule to make in HIPS for stopping rootkits?" }-

Yes, just tick Don't Allow ;D

jmonge
October 6th, 2010, 07:57 PM
Thanks, that helps a lot ;D

noone_particular
October 7th, 2010, 06:58 AM
The default-deny security policy is what prevents being rootkitted. The HIPS merely enforces that policy. Rootkits are no different than any other software: a rootkit has to install and be made part of the system in order to work. Not allowing an unknown to execute prevents the installation of rootkits.

Any other policy that allows an unknown to run is a calculated risk. That includes behavior blocking, sandboxing, virtualization, etc. These all work on the idea that the software will detect and contain all potentially malicious activity, that they have no flaws.

jmonge
October 7th, 2010, 08:06 AM
Thanks for the nice explanation man :thumb: :thumb:

blacknight
October 7th, 2010, 09:21 AM
-{ Quote: "A HIPS is only as good as the one who configures it and the security policy it's enforcing. If that policy is default-deny and the HIPS is well configured, rootkits are not a threat." }-

Quote. The golden rule is: deny by default and allow by exception.

EASTER
October 7th, 2010, 10:16 AM
-{ Quote: "The problem I have with HIPS is that often their warnings are way too technical for me.
Even if I search on the Net about the names shown in the warnings, I am left having to choose to Deny or Block something I don't quite fully understand.

For me, it's way too risky to use HIPS, although I like Online Armor Premium a lot.
I just had to stop using it for those reasons. :doubt:" }-

Take heart and be patient as you gradually learn the way HIPS operates on your behalf.

A quality HIPS software will offer even the most novice user relevant enough information to make a safe determination on how to proceed or not.

You will do fine with the proper time spent studying through any HIPS's techniques, alerts, and its information on why it aborts executables before handing control back to its user again, mainly yourself.

I recommend using a solid performing behavioral blocker (few that there are right now), such as MAMUTU, in a supporting role to your HIPS to give you more confidence and keep your HIPS program honest and on target as to what needs to be allowed compared to what can be blacklisted.

EASTER

InfinityAz
October 7th, 2010, 10:30 AM
My question would be:

How many rootkits have you gotten that make you concerned about the best rootkit detection?

or is this just theoretical?

EASTER
October 7th, 2010, 10:38 AM
-{ Quote: "My question would be:

How many rootkits have you gotten that make you concerned about the best rootkit detection?

or is this just theoretical?" }-

I'd just like to add that there is no way for any rootkit to hide in your system so long as your defenses are at maximum against that sort of attack: MBR protection, and a regular practice of using all the many rootkit detection tools available now.

EASTER

moontan
October 7th, 2010, 10:41 AM
-{ Quote: "Take heart and be patient as you gradually learn the way HIPS operates on your behalf.

A quality HIPS software will offer even the most novice user relevant enough information to make a safe determination on how to proceed or not.

You will do fine with the proper time spent studying through any HIPS's techniques, alerts, and its information on why it aborts executables before handing control back to its user again, mainly yourself.

I recommend using a solid performing behavioral blocker (few that there are right now), such as MAMUTU, in a supporting role to your HIPS to give you more confidence and keep your HIPS program honest and on target as to what needs to be allowed compared to what can be blacklisted.

EASTER" }-

Thanks for the help Easter, but I've given up on HIPS.

I feel pretty secure with apps like GeSWall/DefenseWall/Sandboxie.

They're much easier to use than HIPS.

EASTER
October 7th, 2010, 10:45 AM
-{ Quote: "Thanks for the help Easter, but I've given up on HIPS.

I feel pretty secure with apps like GeSWall/DefenseWall/Sandboxie.

They're much easier to use than HIPS." }-


Not a prob.

IMHO, there are enough solid AVs out there which accomplish basically the same, and afford the same if not better protection than any HIPS, if we really get down to brass tacks here.

Best of luck with your security choices and whatever is easiest for you, so that your internet safety, your machine and your conscience all stay safe together. ;)

Boyfriend
October 7th, 2010, 10:46 AM
+1 for DefenseWall Personal Firewall (3.07)
In MRG tests (http://malwareresearchgroup.com/category/malwareproducttesting/), it is doing very well against every type of threat.

jmonge
October 7th, 2010, 11:53 PM
http://www.youtube.com/watch?v=JVsBntkgRmw&NR=1

DasFox
October 10th, 2010, 09:58 PM
jmonge, for the simplest protection, run Sandboxie and use NoScript in Firefox; it doesn't get any better, lighter or simpler, at least for your online surfing protection. ;)

kjdemuth
October 10th, 2010, 10:16 PM
Ugh. NoScript is a nightmare. The amount of notifications that thing throws up is obnoxious. Yes, it works well though. Of course, so does turning my computer off.

moontan
October 10th, 2010, 10:17 PM
-{ Quote: "Ugh. NoScript is a nightmare. The amount of notifications that thing throws up is obnoxious. Yes, it works well though. Of course, so does turning my computer off." }-

Mwahahaha! ;D

I stopped using it for the same reason.
What a bloody PITA! :thumbd:

DasFox
October 10th, 2010, 10:26 PM
You shouldn't blame NoScript for your lack of skills.

There is nothing complicated or difficult about it, nor can you really call it a nightmare or a mess.

UNCHECK 'Show message about blocked scripts'

NoScript is one of the simplest and lightest layers you could ever add.

Oh and all the typical websites that run a ton of optimization services, along with checkers, loggers, etc... this will block all that crap.

kjdemuth and moontan, the problem is not in NoScript's abilities, it's in your lack of them, so don't blame the program because you're incapable of using it or understanding it, because if you did you'd realize what a GEM it is! ;)

moontan
October 10th, 2010, 10:33 PM
-{ Quote: "You shouldn't blame NoScript for your lack of skills.

There is nothing complicated or difficult about it, nor can you really call it a nightmare or a mess.

UNCHECK 'Show message about blocked scripts'

NoScript is one of the simplest and lightest layers you could ever add.

Oh and all the typical websites that run a ton of optimization services, along with checkers, loggers, etc... this will block all that crap.

kjdemuth and moontan, the problem is not in NoScript's abilities, it's in your lack of them, so don't blame the program because you're incapable of using it or understanding it, because if you did you'd realize what a GEM it is! ;)" }-

If I wanted to play Whack-A-Mole I would download a game instead of NoScript! ;D

Besides, it's not about the lack of skill, it's about using my computer for stuff I enjoy instead of spending time configuring and tweaking the hell out of it. :)

Your mileage may vary, of course.

DasFox
October 10th, 2010, 10:37 PM
-{ Quote: "If I wanted to play Whack-A-Mole I would download a game instead of NoScript! ;D" }-


No, really: if you're going to give advice and you don't know what you are talking about, then it's better not to say anything than to call an app a piece of crap because you are not educated on how to use it or its benefits.

We can all have our opinions there is nothing wrong with that, but yours is not an opinion, you called something a mess because you lack the skills to handle it and that is wrong and you are giving false information to help others with.

NoScript happens to be one of the finest layers of security to add to Firefox and I'm not getting paid to say this or a fan boy, I'm just an IT Tech that knows better.

And look, I'm not trying to give you and kjdemuth a hard time, but he called it a mess and you a bloody PITA, and that's where I was putting my foot down, because it was wrong to call a perfectly fine piece of code this, when you are really misleading others because of your lack of education on the matter.

This was quoted on their page by someone: (With that being mentioned, there's simply no reason not to add this simple light layer, to be safer.)

NoScript selectively, and non-intrusively, blocks all scripts, plug-ins, and other code on Web pages that could be used to attack your system during visits.

Also, as I mentioned before, all the things sites run for plugins, checks, optimizations, coming off all sorts of different URLs, can really drag the load time of a site down badly, so aside from security, this is going to kill every one of those, and now watch websites load FAST! Then just allow what you need! This is one of the biggest advantages of this app that is really great: not having to wait on sites to load anymore because of all the BS they run in the background; it's all killed, then you only load any other URL if you need to.

moontan
October 10th, 2010, 10:49 PM
-{ Quote: "No, really: if you're going to give advice and you don't know what you are talking about, then it's better not to say anything than to call an app a piece of crap because you are not educated on how to use it or its benefits.

We can all have our opinions there is nothing wrong with that, but yours is not an opinion, you called something a mess because you lack the skills to handle it and that is wrong and you are giving false information to help others with.

NoScript happens to be one of the finest layers of security to add to Firefox and I'm not getting paid to say this or a fan boy, I'm just an IT Tech that knows better." }-

Oh! I handled it (NoScript) all right.
In fact, I got sick of handling it.

I got better things to do.

If you enjoy that sort of thing, more power to you. 8)

DasFox
October 10th, 2010, 11:01 PM
-{ Quote: "Oh! I handled it (NoScript) all right.
In fact, I got sick of handling it.

I got better things to do.

If you enjoy that sort of thing, more power to you. 8)" }-


Well sure you have to click a little, just a bit of small user intervention.

But the thing is, if someone can show me something just as light and as simple that provides this type of layer I'd like to see it, again we're saying just as 'LIGHT'.

So for what NoScript is and what it provides it doesn't take much to handle, LOL...

The only thing I've seen that provides something close to this is a 'Behaviour Blocker', because HIPS doesn't, your AV isn't, a Sandbox isn't going to stop this, nor a Firewall...

And then last, if you're going to sit here and tell me you've never had to sit waiting forever on a website to load because of the different checks, services and optimizations they ran, and ads, popups, etc. (also it's more of a pain when those services are having problems for whatever reason), and that this isn't all very annoying, then come on, you haven't been on the web that long. There's hardly a site nowadays that isn't running a bunch of stuff and lagging the load times down. Like I said, this is one of the best things going on here that you really overlooked.

moontan
October 10th, 2010, 11:04 PM
I know NoScript is good.

But I got rid of HIPS for the same reasons I got rid of NoScript; I don't want to be bothered with that stuff.
I just want a "set it and forget it" solution.

Different strokes for different folks, I guess. :)

DasFox
October 10th, 2010, 11:15 PM
-{ Quote: "I know NoScript is good.

But I got rid of HIPS for the same reasons I got rid of NoScript; I don't want to be bothered with that stuff.
I just want a "set it and forget it" solution.

Different strokes for different folks, I guess. :)" }-


Hey, I hear ya, I like it simple too; I was just getting upset when you're calling something a mess that isn't. That's just misleading people with false info, and that's what we don't want to do if we really want to help people.

If NoScript was crap I'd be right there yelling at it too! LOL...


But didn't you notice how nice and fast sites loaded now that all those crap services were being killed. ;)

In fact, just this past week on ImageShack and Mediafire they're running some sort of optimization from Rubicon http://www.rubiconproject.com/ and with Avira Premium it was going nuts all over their sites, so you could hardly do anything or go anywhere without Avira going off in your face because of the BS code. Then with NoScript, of course, it just kills Rubicon and no more problems. But I emailed everyone telling them about some infected code or bad code.

moontan
October 10th, 2010, 11:23 PM
DasFox:
But didn't you notice how nice and fast sites loaded now that all those crap services were being killed.

Oh, it was fast all right!

But would I recommend NoScript to Joe Average and grannies?
Absolutely not.

It's a toy for techno-geeks. ;D

Anyway, nity nite everybody. :)

DasFox
October 10th, 2010, 11:30 PM
-{ Quote: "DasFox:
But didn't you notice how nice and fast sites loaded now that all those crap services were being killed.

Oh, it was fast all right!

But would I recommend NoScript to Joe Average and grannies?
Absolutely not.

It's a toy for techno-geeks. ;D

Anyway, nity nite everybody. :)" }-


I never said it was for the complete newbie, but then again it's not that difficult to understand the basics and use it.

I'm a geek but I don't know everything, but then who does? LOL...

atomomega
October 11th, 2010, 12:15 AM
-{ Quote: "The only thing I've seen that provides something close to this is a 'Behaviour Blocker', because HIPS doesn't, your AV isn't, a Sandbox isn't going to stop this, nor a Firewall..." }-
VIPRE's firewall can block JavaScript, VBScript, ActiveX, persistent cookies, session cookies and ads... ;)

jmonge
October 11th, 2010, 12:33 AM
Cool ;)

blacknight
October 11th, 2010, 02:32 AM
-{ Quote: "I don't want to be bothered with that stuff.
I just want a "set it and forget it" solution." }-


Yes, rootkits are just so. ;D ( I'm joking ). ;)

jmonge
October 11th, 2010, 11:12 AM
Maybe 2 to 5, introduced from rogue applications.

TerryWood
October 11th, 2010, 11:52 AM
Hi

Relative newbie here. Very interested in this thread. How would you set up Default-Deny with Comodo Internet Suite?

The idea being to stop RootKits installing.

Thanks

Terry

Pedro
October 11th, 2010, 12:24 PM
-{ Quote: "The idea being to stop RootKits installing." }-
With that in mind, try to use a Limited User Account (LUA), and enable Software Restriction Policy (SRP) using the Group Policy Editor (http://www.mechbgon.com/srp/) if you use Windows XP Pro. If you use Home, there's a workaround using the registry.

Only if this is somehow unsuitable for you, look elsewhere.
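An added example, not from this thread or from the mechbgon guide Pedro links, of the default-deny policy noone_particular describes applied through Software Restriction Policy: it writes the SRP registry store directly, which is the registry route for editions without the Group Policy Editor. It assumes an administrator PowerShell session and an allow/deny path list you adapt to your own install.

```powershell
# Added example: a default-deny Software Restriction Policy written straight to
# its registry store (HKLM\...\Safer\CodeIdentifiers), the registry route for
# editions without the Group Policy Editor. Assumes an administrator PowerShell
# session; the policy takes effect at the next log-on. The allow and deny path
# lists below are assumptions to adapt to your own install.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 0x40000  # SRP security level "Unrestricted" (262144)

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # A path rule is a GUID-named key under <level>\Paths. SRP lets the more
    # specific path win, so a Disallowed rule for the Temp folder overrides an
    # Unrestricted rule covering the whole Windows directory.
    $key = Join-Path $Base "$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
}

function Set-SrpDefaultDeny {
    New-Item -Path $Base -Force | Out-Null
    # Out of the box the level is 0x40000 (everything runs). Default-deny is
    # DefaultLevel = 0: anything not covered by an allow rule is blocked.
    New-ItemProperty -Path $Base -Name DefaultLevel -PropertyType DWord -Value $Disallowed -Force | Out-Null
    # 1 = enforce for executables but not DLLs; 2 = DLLs as well.
    New-ItemProperty -Path $Base -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
    # 0 = apply to all users, administrators included; 1 = exempt administrators.
    New-ItemProperty -Path $Base -Name PolicyScope -PropertyType DWord -Value 0 -Force | Out-Null
    # Designated file types (the stock SRP list, stored as REG_MULTI_SZ).
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
             'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
    New-ItemProperty -Path $Base -Name ExecutableTypes -PropertyType MultiString -Value $types -Force | Out-Null

    # Registry-path form (as the stock rules use) rather than %SystemRoot%, so a
    # user cannot redirect the rule by redefining an environment variable.
    $winDir  = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
    $progDir = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
    # Allow only locations a Limited User cannot write to...
    Add-SrpPathRule $Unrestricted $winDir  'Windows directory'
    Add-SrpPathRule $Unrestricted $progDir 'Installed programs'
    # ...and close the user-writable folders inside them (assumed list; extend it).
    Add-SrpPathRule $Disallowed "$winDir\Temp"  'User-writable temp folder'
    Add-SrpPathRule $Disallowed "$winDir\Tasks" 'User-writable tasks folder'
}

function Get-SrpSummary {
    # Read the policy back for review before logging off.
    $cfg  = Get-ItemProperty -Path $Base
    $mode = if ($cfg.DefaultLevel -eq $Disallowed) { 'default-deny' } else { 'default-allow' }
    "DefaultLevel: $mode (PolicyScope=$($cfg.PolicyScope), TransparentEnabled=$($cfg.TransparentEnabled))"
    foreach ($lvl in $Disallowed, $Unrestricted) {
        $rules = Join-Path $Base "$lvl\Paths"
        if (-not (Test-Path $rules)) { continue }
        $name = if ($lvl -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
        Get-ChildItem $rules | ForEach-Object {
            '{0,-12} {1}' -f $name, (Get-ItemProperty $_.PSPath).ItemData
        }
    }
}

Set-SrpDefaultDeny
Get-SrpSummary
```

Anything outside the two allowed locations, including a download in the user's profile, is then refused at launch regardless of what the antivirus thinks of it, which is the policy noone_particular is describing.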

atomomega
October 11th, 2010, 12:43 PM
-{ Quote: "(...) How would you set up Default-Deny with Comodo Internet Suite? The idea being to stop RootKits installing." }-
Comodo is based on the default-deny principle. So you should be perfectly safe as long as you answer the pop-ups shown by D+ and the Sandbox correctly (which is quite easy with some average knowledge).

ExtremeGamerBR
October 11th, 2010, 04:04 PM
I think the best prevention is using extensions such as WOT and SiteAdvisor, and a DNS service like ClearCloud.

If you do not get into dangerous sites, you cannot catch a rootkit.

If you still get the virus, you can stop it with a HIPS/BB (Mamutu) during installation.

Mamutu is not full of pop-ups; it acts only when necessary (unless you place it in Paranoid mode). For me it is a great BB.

I do not like LUA, AppLocker, SRP and NoScript; I think they bother you far too much. I prefer just to have a secure browser, a good Behavior Blocker and a large suite.

This is my way of thinking: first think about prevention. :thumb:

Jav
October 11th, 2010, 04:29 PM
-{ Quote: "Hi

Relative newbie here. Very interested in this thread. How would you set up Default-Deny with Comodo Internet Suite?

The idea being to stop RootKits installing.

Thanks

Terry" }-
Hi
Sorry, I know it is not really polite to say "search it".
It's just that I am on the phone, so I can't really search and copy-paste links.

So if you search for terms like "comodo Internet security anti executable" you should find it.
There is a nice tutorial from MrBrian (sorry if I can't recall the name correctly).
I don't think it will be difficult to find.
Just put those terms in the forum search and look for a post by the above mentioned poster.

moontan
October 11th, 2010, 04:36 PM
-{ Quote: "Hi

Relative newbie here. Very interested in this thread. How would you set up Default-Deny with Comodo Internet Suite?

The idea being to stop RootKits installing.

Thanks

Terry" }-

Here's MrBrian's tutorial:
-http://forums.comodo.com/defense-sandbox-help-cis/using-comodo-internet-security-as-an-antiexecutable-t60303.0.html-

It's not for the faint of heart. ;)

TerryWood
October 11th, 2010, 04:54 PM
Hi All

Thank you

To Jav: I did search it and found nothing.

To moontan: thank you for a more positive and user-friendly reply.

Your comments about the link put Jav's observation in perspective.

Why oh why is it that there is always one ~ Snipped as per TOS (http://www.wilderssecurity.com/faq.php?faq=wilders_tos#faq_wilders_tos_1) ~ lurking in the wings when all I want is help?

Thanks
again

Terry

Jav
October 12th, 2010, 10:37 AM
Sorry if you think I offended you.
But I hope I explained why I couldn't post the link.

::)
Anyway, whatever....

jmonge
October 12th, 2010, 08:41 PM
So it will be better to prevent rootkit infections than to remove them ;) ;D
I think a good and solid HIPS program will do the job :thumb:

atomomega
October 12th, 2010, 09:00 PM
-{ Quote: "I think a good and solid HIPS program will do the job :thumb:" }-
It won't do it on its own though; remember, a HIPS is as good as the one answering its inquiries... :thumb: but in your case, I'm sure it would even do it eye-blinded... hahaha ;D

jmonge
October 12th, 2010, 09:07 PM
Duhh;D

ExtremeGamerBR
October 12th, 2010, 09:57 PM
-{ Quote: "So it will be better to prevent rootkit infections than to remove them ;) ;D
I think a good and solid HIPS program will do the job :thumb:" }-

Surely with a good HIPS/BB along with common sense you will be free of rootkits. :thumb:

jmonge
October 12th, 2010, 10:08 PM
Nice to know man ;) thanks

Tarnak
October 12th, 2010, 10:27 PM
-{ Quote: "Surely with a good HIPS/BB along with common sense you will be free of rootkits. :thumb:" }-

I guess running SSM and EMSI Malware (Fileguard switched off), BB and Surf Protection switched on, qualifies.

As to common sense, that is in the eyes of the beholder... ;)

jmonge
October 12th, 2010, 10:43 PM
Yes ;) :thumb: agree

noone_particular
October 13th, 2010, 06:55 AM
-{ Quote: "-{ Quote: "I think a good and solid HIPS program will do the job" }- It won't do it on its own though; remember, a HIPS is as good as the one answering its inquiries..." }-
That's the reason I keep saying that it's your security policy that protects you, not your security software. Policy dictates configuration ---> configuration obeys policy.

Securing a system without a security policy as a guide is like mixing the pieces of a dozen large jigsaw puzzles together, then trying to assemble one of them without having a picture. The pieces represent the various security apps available, the different rules and options you can use in them, your system settings, settings for individual apps, internet access, etc. All of the pieces have uses but may not fit the picture you're building.

Sadeghi85
October 13th, 2010, 11:19 AM
-{ Quote: "-{ Quote: "Ugh. NoScript is a nightmare. The amount of notifications that thing throws up is obnoxious. Yes, it works well though. Of course, so does turning my computer off." }-

Mwahahaha! ;D

I stopped using it for the same reason.
What a bloody PITA! :thumbd:" }-

At least get some of its protection. :-\

http://www.wilderssecurity.com/showpost.php?p=1766718&postcount=5

moontan
October 13th, 2010, 11:59 AM
-{ Quote: "At least get some of its protection. :-\

http://www.wilderssecurity.com/showpost.php?p=1766718&postcount=5" }-

I switched to Chrome about a year ago anyway.

Like I said, I think NoScript offers excellent protection.
I just don't want to be bothered with building a whitelist or deciding which page should be allowed which scripts etc... :blink: