A light best of freeware breed HIPS do it yourself setup

Discussion in 'other anti-malware software' started by Kees1958, Feb 26, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
READY, ENJOY playing with it. (EDIT: typo fixed)

    Remember when you update windows, set Comodo into installation mode and disable protection of EdgeGuard Solo (do not forget to enable afterwards).
     

    Attached Files: end1.JPG
    Last edited: Feb 27, 2009
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks kees;)
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    This setup is based on risk contingency (see picture) and uses different counter measures for different risk categories (and it is very light on resources too).

    Highest risk: EdgeGuard Solo, applies a limited user policy containment (easy and solid). EDIT: plus hot-patch protection of F-Secure Exploit Shield beta (now also free), with a proactive measure against IE shell exploits.

    All programs: ThreatFire, looks at behavioral aspects, makes the weak AV of Comodo stronger and deals with the common intrusions Comodo's Defense+ is now configured to neglect (to minimise pop-ups)

    Last stand: Comodo defends the admin/system space intrusions, with an ASK policy for existing applications and a block policy for applications residing on other drives (D = data, E = DVD/CD, F=USB and more when you need them)

    When you test this setup from inside (like AV-Comparatives does), it is not as strong as when you test it with dynamic intrusions like the "hey you guys Matt" does on YouTube.

    When you run Vista64 forget Solo, install the Norton UAC tool to be warned of elevation requests (Vista uses a minimal rights policy, so you are already browsing with IE in protected mode).

    See picture for visualisation
     


    Last edited: Feb 27, 2009
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Last tip :D enable DEP for all programs and Comodo memory buffer overflow protection
     

    Attached Files: last.JPG
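The "enable DEP for all programs" tip above is a two-click change in the System Properties dialog; the script below is an added example (not from the thread or from Comodo) that does the same from an elevated Windows PowerShell prompt and, more usefully, first reports which DEP policy the machine is actually running. It assumes Vista or later, where the setting lives in the boot configuration store (bcdedit); on XP the equivalent is `/noexecute=AlwaysOn` in boot.ini. The function names are my own.

```powershell
# Added example, not from the original post. Run from an elevated Windows PowerShell prompt.
# Reports the effective DEP policy and optionally switches it to AlwaysOn (every process),
# which is what the post recommends. Requires a reboot to take effect.

function Get-DepPolicy {
    # Win32_OperatingSystem exposes the effective DEP policy as a small integer.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{
        0 = 'AlwaysOff'
        1 = 'AlwaysOn (all programs, no exceptions)'
        2 = 'OptIn (Windows programs and services only, the default)'
        3 = 'OptOut (all programs except an exception list)'
    }
    # New-Object ... -Property works on PowerShell 2.0, which is what Vista-era boxes ship with.
    New-Object -TypeName PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
        DepForDrivers        = $os.DataExecutionPrevention_Drivers
        PolicyCode           = $os.DataExecutionPrevention_SupportPolicy
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Set-DepAlwaysOn {
    # Writes the nx setting into the current boot entry (hypothetical helper name).
    # AlwaysOn cannot be overridden per program, so test legacy applications first;
    # OptOut ('nx OptOut') is the softer choice: everything on, with an exception list.
    & bcdedit /set '{current}' nx AlwaysOn
}

Get-DepPolicy | Format-List
# Set-DepAlwaysOn   # uncomment once you have checked the report above, then reboot
```

If `HardwareDepAvailable` comes back False the CPU or BIOS does not offer NX/XD and Windows falls back to the much weaker software DEP (SafeSEH checks only), so the Comodo buffer-overflow protection mentioned in the post carries more of the load on such machines.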
  5. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Well,

    I figured I might try it myself, since it is a cheap setup. It works, very few pop-ups. I have looked with Task Manager and it has a very low CPU time and stunningly little disk I/O. How is that possible? Does Comodo's AV work at all?

    Newby
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, it has very little disk access. My guess is that the image control of D+ prevents checking of executables. As long as the executable's hash is still the same, there is no use checking it with the AV (in clean PC mode). So the AV is very efficient (probably only checking new arrivals).

    Cheers

    Kees
     
  7. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Thx,

    I added USB Firewall 1.13 to stop autorun.inf files from USB sticks. :thumb: to me as a Newby for improving Kees1958's setup :D
     
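Blocking autorun.inf is also something Windows itself can be told to do, so here is an added example (not from the thread, and not how USB Firewall works internally) showing the registry-side equivalent of what the post above adds a third-party tool for. It assumes XP or Vista with the February 2009 autorun fix (KB967715) or anything later; before that fix Windows silently ignored `NoDriveTypeAutoRun` for some drive types, which is why the fix introduced `HonorAutorunSetting`. Run it from an elevated prompt; the function names are my own.

```powershell
# Added example, not from the original post. Run elevated; the change applies after
# a reboot or a restart of explorer.exe.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorunMapping = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-Autorun {
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    # 0xFF sets the bit for every drive type: unknown, removable, fixed, network, CD-ROM, RAM disk.
    Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    # KB967715: without this Windows may not respect the value above.
    Set-ItemProperty -Path $explorerPolicy -Name HonorAutorunSetting -Value 1 -Type DWord
    # Belt and braces: map every Autorun.inf to a registry key that does not exist,
    # so Explorer never parses the file at all (the well-known @SYS:DoesNotExist trick).
    if (-not (Test-Path $autorunMapping)) { New-Item -Path $autorunMapping -Force | Out-Null }
    Set-ItemProperty -Path $autorunMapping -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunDisabled {
    # Returns $true only when both policy values are in place.
    $p = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
    ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.HonorAutorunSetting -eq 1)
}

Disable-Autorun
Test-AutorunDisabled
```

The IniFileMapping line is the one that keeps working even if a later policy refresh rewrites `NoDriveTypeAutoRun`: Explorer looks the file up through the mapping first, finds nothing, and never reads the stick's autorun.inf. Neither setting stops a user from double-clicking a malicious executable on the stick, which is the part the EdgeGuard Solo containment in this setup is meant to cover.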
  8. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I'm setting this combo up now. Only have Comodo to install.

    One question about chromium. Does it have the privacy issues of Google Chrome or is it closer to iron?

    Also, I like EdgeGuard Solo even though I have AppGuard available because it allows Sandboxie to run properly should I choose to use it.

    I also like that your choice of apps that are Vista capable.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    AppGuard is from the same company, only more configurable plus USB, so when you would like to use Sandboxie it is better for you (I think all members with AppGuard can use this instead of Solo).

    No, Chromium with -incognito has no privacy issues. You can use Iron instead; you only need to change the directory.

    Cheers
     
  10. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Eirik and I just solved how to use Sandboxie and AppGuard together :argh:, which is just moving the virtual directory to another place such as the D: drive. You can follow the instructions here on how to do it. :D

    Criss.
     
  11. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    Awesomely done.

    The Comodo team should read this as you are basically "patching" all the problems with CIS with other applications LOL
     
  12. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Thanks Kees and Criss
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Happy to do it,

    Just installed an extra free tool: http://www.f-secure.com/weblog/archives/F-Secure_Exploit_Shield_Beta_Demo.wmv

    Download http://support.f-secure.com/beta/estp/estp.shtml

    It hot-patches exploits of the Windows OS, IE, WMP and Messenger-type applications, so you're always up to date (F-Secure releases solutions earlier than MS releases the official patch), and it has some shell script protection for IE.

    I had all relevant patches on my system (5 out of 7), so I disabled them all; I still hope that it checks the web sites I visit for these exploits (like Browser Defender does, only without the "in the cloud check" delay).
     
    Last edited: Feb 28, 2009
  14. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    Thanks again.

    I just finished setting this up.

    Some comments and questions:

    *KeyScrambler does not really install on my system; it says it got installed but it does not show up
    *I don't use the Comodo virus scanner, so I have Avira AntiVir Premium instead

    *What security setting level do i select with Comodo?(for firewall and defence+)

    I also have the following applications; some of these might cause problems or access the internet. Do I need special rules for them?

    -CCleaner
    -Cleanmem
    -filehippo update checker
    -foobar2000
    -Hostsman
    -Malware bytes anti malware
    -Mediacoder
    -Minimem
    -peerguardian
    -Perfectdisk 10
    -Process lasso
    -Spybot Search and destroy
    -Spyware blaster
    -Superantispyware
    -Teracopy
    -Windows live messenger
    -Winrar
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    FireWall in safe mode, Defense+ in clean PC.

    Try installing KeyScrambler with Comodo and EdgeGuard Solo off.

    Comodo FW should show a pop-up when they access the internet (or even allow it when it is a safe program).

    Edit: nice read, http://www.securitynowblog.com/endpoint_security/dual-web-browsers-can-avoid-information-disclosures says two browsers are more secure than one, AND that is exactly the same with this setup. Keep IE clean, use it only ad hoc, use Chrome as the common browser. I have a free license of AppGuard, but Solo offers just enough functionality in this combo at the moment.

    Cheers
     
    Last edited: Feb 28, 2009
  16. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    Even after doing that I cannot install KeyScrambler, so I will drop that from the list.

    A lot of programs refuse to work correctly (up to the point of giving me BSODs) unless I add them to the ThreatFire trusted list.
    Reduces the level of security, but still better than BSODs.

    Also had to manually adjust a lot of applications from "any" to "trusted application" in the Comodo settings to get everything working again.

    -PerfectDisk crashed horribly, kept running, had to press RESET
    -PeerGuardian crashed horribly, kept running, had to press RESET
    -Live Messenger is freaking out, popping up the installer every chance it gets
    -WLAN was blocked, had to add all its related files to the trusted list in TF and give it trusted application rights in Comodo

    PS
    I forgot to mention that Comodo was pre-hardened using the following guides:
    http://forums.comodo.com/defense_guides/setting_up_defense_for_maximum_security-t30473.0.html
    http://forums.comodo.com/firewall_guides/setting_up_firewall_for_maximum_security-t30535.0.html
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, these are rules to tighten security, while the combo makes protections less restrictive; I started from a standard install (tightening only a few options). A wireless LAN not connecting is really bad. I run a wireless LAN also. No problems.
     
  18. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Hi,

    I did exactly what was told, I do not have these problems. I once forgot to go into installation mode when starting from the download directory; of course the limited Comodo policy prevents changes of system/admin space. User space programs install fine from D:\downloads (when they behave nicely :)
     
  19. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    I finally got everything working (except KeyScrambler).

    99% of the problems get solved by putting the application into the ThreatFire trusted list.

    The remaining 1% was simply changing the existing Comodo rule from "any" to "trusted application" or "existing application"; a completely new install should not suffer from this problem.

    The combination of this guide and Avira as the virus scanner instead of Comodo does cause some slowdowns.
    CIS checks read and write operations, right?
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Avira is a far better AV. CIS does check on reads and writes (on execution) and can't be set to check at writes only (like Avira and Avast). You might try the new beta 9 of Avira, it is very good; you can set it to check at writes only with heuristics high (so FPs only affect new arrivals).

    I did some testing with Avira 9 heuristics and it has an incredibly high percentage of detection of new variations. Maybe that is worth trying (new beta plus only check at writes, using the smart list instead of the standard list).

    Cheers
     
  21. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    So would you say that simply disabling the CIS antivirus and replacing it with Avira is enough? Or do I need to change some of the other security settings to match?
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When you are behind a router with a hardware firewall, I would set both D+ and FW to the settings I described and disable the AV of Comodo (replace it with Avira). Then you are covered well.

    When directly on the internet, leave it as it is now and just disable Comodo's AV (because Avira Premium is better).
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello Kees

    Very nice guide. It's really useful for people wanting great security without the hassle of pop-ups and, most important, not sacrificing security by reducing the amount of pop-ups (alerts).

    I have implemented a similar setup into two systems of two relatives of mine.

    I used other tools for the effect, as I've found them more stable when interacting with each other. But, the principle behind it, the same.

    Anyway, just to give you my congratulations of this guide. :)


    Regards
     
  24. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    Would you mind telling us what you did differently?
     
  25. Yoda1953

    Yoda1953 Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    163
    Location:
    Netherlands
    Very sophisticated indeed. :eek: Thanx Kees !

    Does anyone know how to backup the TF and CIS settings?

    After painstakingly applying these settings, I hate to lose them. :doubt:
     
    Last edited: Mar 2, 2009