How to mitigate 85% of threats with only four strategies

Discussion in 'other anti-malware software' started by Minimalist, May 12, 2015.

  1. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,874
    Best security in computing?

    Common sense and its costs nothing!
     
  2. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Till you hit a watering hole and get pwned by a zero-day...
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Create an ask rule that checks for direct disk access.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Thank you, I never thought of that option. Do you have a list of common system executables that should have access allowed for the system to operate normally?
     
  5. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    I use common sense and never get infected by zero day threats.
     
    Last edited: May 22, 2015
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,874
    Windows itself has a built-in whitelisting - not comparable to Faronics, but those just want to sell some and get your earned money...
    http://lifehacker.com/5442636/create-an-application-whitelist-in-windows-7

    0day in most cases use flash, java or pdf - in rare cases some flaws in system.
    no flash, no java or no pdf from unknown source = impact nearly impossible.
    at least as i mentioned that LUA reduces any about ~82 per cent (study from MS).
    but who cares - full admin - no risk no fun :rolleyes:
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The only two processes to date that have asked for access since I created the rule are:

    C:\Windows\System32\svchost.exe and C:\Windows\System32\wbem\WmiPrvSE.exe

    The latter is used by WMI to display data in the Computer panel display. I allowed both.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Thank you @itman. Will set it up next time I install EAV.
     
  9. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    It was just a theoretical scenario to indicate that common sense alone is not enough.
     
  10. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    @ropchain But, common sense alone is enough for me. In the rare cases I get infected, it is due to launching an exe I shouldn't have, not due to any zero day exploits.
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,874
    you got infected - while you had installed any security software or before?
    may i ask what kind of infection?

    well my last impact is 20 years ago under Win98, but in the last years without any pro-active crap I had none, zero, niente.
    "common sense" may not be the same for two persons, I assume.
     
  12. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    The times I've been infected I've more often than not been running any antivirus or any other kind of real time protection, running an administrator account with UAC and Windows Defender disabled.
     
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    common sense will not save you from exploits. There is a reason why you apply patches and take other proactive measures ;)
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    The last time I got infected was on my Win 7 64-bit work computer with Norton and Malwarebytes Anti-Malware.
    Norton would alert and say the infection was cleared but it would come back. It was the fileless Poweliks.
    The IT people tried to clean it but it didn't work, so they got fired. I ended up using ESET's tool to get rid of it, then the new IT people reformatted LOL
    We think the Boss got it via e-mail and infected the rest of us.

    On my home puter I have Quietzone with Tor Firefox browser, Norton's new security suite 2015, Adguard, Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit, plus whatever security features Win 8.1 64-bit offers.
    Whatever infects me while in Quietzone by bypassing my security setup is all removed on reboot to disk level by Quietzone. Every now and then I will try out other software just because I have done that for so many years and was a strong addict when it came to testing software, but I have gotten much better and don't do it nearly as often.
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,874
    get over it and get the original Firefox. since 4.5.1 and 5.0a alpha are still based on latest ESR 31.7.0 it will be the latest ESR (maybe 31.8.0), next will be the present 38 ESR. at least those dudes screw on Firefox so deep and bad - it has more disadvantages than advantages. it also does not have the latest code and security snippets. also be prepped that half of your extensions won't work any longer.

    it seems pretty pointless while mozilla is in process to work with tor since 2014 and going to finish its coding middle 2015
    https://wiki.mozilla.org/Polaris

    just crap. if you installed it as a global proxy, I don't care. if you use it within Firefox you should consider a change to uBlock and/or uMatrix from Raymond "gorhill" Hill.
    it has abilities some ever dreamed of when filtering the web against annoyance.
     
  16. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    @Minimalist - thanks for the post - very informative for a newbie like me


    I'm using Online Armor currently - I'm confused as to whether the 'white-list' in OA would be considered to be part of 'HIPS' (i.e. #8 on the list of mitigations) or if it would be considered 'white-listing' (i.e. #1 on the list). I've never used a dedicated AE - just OA. Also, OA is of course ending as of early next year, so I'm looking at replacing it with Emsisoft AM or Webroot - I guess both of these would fall under #8 on the list and I'd need to combine with an AE, right? Looking at VoodooShield free as it looks like it might be the most user friendly - yes? And for those using EAM - what to use for an outbound FW? I'm looking at Windows Firewall Control - tried TinyWall and don't like it - I need pop-ups... Webroot is a better option in this regard, outbound FW control is built in.

    What applications would cover mitigation #6 on the list? I'm assuming something like Avast Web Shield would cover #18.

    Thanks.
     
  17. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    No, it doesn't cost nothing. It's the product of years of experience.
     
  18. Don't want to spoil the party, but common sense the best security in computing?

    How can something common be the best? Even at the Olympics (where taking part is supposed to be more important than winning), only the top six get a certificate, the top three a medallion.

    How can something as arbitrary as sense (hearing, taste, sight, smell, touch, also meaning feeling and rationality) be applied in something as binary as computing?

    Maybe it is just lost in translation, but it is all Greek to me.
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  20. Thanks for the link, but I am ashamed to admit that I am in a higher state of confusion as before reading that explanation!

    [1] I am under the impression that most Wilders members say that Average Joe/Jane does not have a clue about security, so how can this intuitive understanding of security be applicable to "nearly all people"?

    [2] "Without any need for debate?" Look at the thread 'What is your security setup' as an example. It has over 35K posts. Seems to me that discussing security is the thing we do here on this forum.

    To me this common sense in regard to security is as hard to grasp as sarcasm is for Sheldon Cooper :D
     
  21. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    @Windows_Security This definition from Google should make it clearer (hopefully)
     
  22. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    I think posts #28 & #29 answer my question regarding the AE functionality in OA - it would be considered as mitigation #1 on the list


    https://www.wilderssecurity.com/thre...ailable-anti-executable-options.371603/page-2
     
    Last edited: May 30, 2015
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Why is it that in Autoruns version 13.40 this line has been removed:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
     
  24. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    Nice find, probably a bug, since it has happened before. http://forum.sysinternals.com/autoruns-1201-missing-hklmwinlogonnotify_topic30709.html

    People with common sense usually apply system hardening, which includes LUA, disabling vulnerable services and such.
    Disabling WSH protects you from some ransomware; deleting startup entries protects you from the majority of malware.

    For example I shut down my PC running with this reg file: http://pastebin.com/H2y2Kk7v
     
    Last edited: May 31, 2015
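    The hardening points raised in the last two posts (run as a limited user, disable Windows Script Host, keep an eye on autostart entries including the Winlogon\Notify key that went missing from Autoruns) can be checked without a third-party tool. The following read-only PowerShell audit is an added example, not code from the thread or from any product named in it; the Windows Script Host `Settings\Enabled` value and the `Run` keys are standard Windows registry locations, the Winlogon\Notify path is the one quoted in post 23.

```powershell
# Added audit script (not from the thread). Read-only: it reports state and changes nothing.

function Test-RunningAsAdmin {
    # LUA check: is the current token a member of the local Administrators group?
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-WshState {
    # WSH honours ...\Windows Script Host\Settings\Enabled (DWORD, 0 = disabled); HKLM wins over HKCU.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($null -ne $v) { return [pscustomobject]@{ Hive = $hive; Enabled = ($v -ne 0) } }
    }
    # No value present means WSH is enabled by default.
    return [pscustomobject]@{ Hive = '(default)'; Enabled = $true }
}

function Get-AutostartEntries {
    # Startup values from the Run keys plus the Winlogon\Notify key quoted in post 23,
    # whose entries are subkeys (one per notification DLL) rather than values.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) {
            [pscustomobject]@{ Path = $p; Name = '(key absent)'; Value = '' }
            continue
        }
        $props = Get-ItemProperty -Path $p
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            [pscustomobject]@{ Path = $p; Name = $prop.Name; Value = $prop.Value }
        }
        Get-ChildItem -Path $p -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Path = $p; Name = $_.PSChildName; Value = '(subkey)' }
        }
    }
}

"Running as admin : $(Test-RunningAsAdmin)   (post 24: prefer LUA)"
$wsh = Get-WshState
"WSH enabled      : $($wsh.Enabled)   [source: $($wsh.Hive)]"
Get-AutostartEntries | Format-Table -AutoSize
```

    An unexpected value under a Run key, or any subkey under Winlogon\Notify on a modern Windows build, is what to investigate; the script only lists them.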