What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    I've always wondered about this.

    I use web browser for work and I have to save a lot of stuff off the web.

    This prevents me from using the browser constantly inside a sandbox.

    I've resorted to using 1 browser (with particular settings/proxy/scripting limitations) for work and another for everything else.

    If anybody has a better setup for a work browser (things must work, must be able to print, save and use javascript/flash/java), then I'd be happy to hear.

    PS On another note: Word of warning about Norman Malware Cleaner. It completely rewrites your HOSTS file without any warning and comments out (i.e. disables) malware sites you have already entered in the hosts file yourself. This is akin to the way Spybot used to mess up HOSTS a few versions back, but it doesn't do that anymore.
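The HOSTS-file problem described in this post is easy to catch if you keep a copy of the file before running a cleaner and diff it afterwards. The script below is an added example (not from the thread or from any of the tools mentioned); it parses two HOSTS copies, reports which active entries were commented out or removed, and uses constructed sample contents and placeholder paths.

```python
"""Verify that user-added HOSTS blocklist entries survived a tool's rewrite.

Added example (not from the thread): keep a copy of HOSTS before running a
cleaner, then diff it against the live file to spot entries the tool commented
out or dropped. Paths and sample contents below are constructed placeholders.
"""
import re
import sys

# Matches "IP host [host ...]" lines, active or commented out with a leading '#'.
HOSTS_LINE = re.compile(
    r"^\s*(#\s*)?(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F]*:[0-9a-fA-F:.]*)\s+([^#]+)"
)

def parse_hosts(text):
    """Map each hostname to (ip, active); a '#' prefix means the entry is disabled."""
    entries = {}
    for line in text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        active = m.group(1) is None
        for host in m.group(3).split():
            entries[host.lower()] = (m.group(2), active)
    return entries

def blocklist_changes(before, after):
    """Report entries that were active in `before` but are disabled or missing in `after`."""
    old, new = parse_hosts(before), parse_hosts(after)
    disabled = sorted(h for h, (_, active) in old.items()
                      if active and h in new and not new[h][1])
    removed = sorted(h for h, (_, active) in old.items() if active and h not in new)
    return {"disabled": disabled, "removed": removed}

def check_hosts_files(saved_copy, live_hosts):
    """Compare two files on disk; returns True when nothing was disabled or removed."""
    with open(saved_copy, encoding="utf-8", errors="replace") as f1, \
         open(live_hosts, encoding="utf-8", errors="replace") as f2:
        changes = blocklist_changes(f1.read(), f2.read())
    for kind, hosts in changes.items():
        for h in hosts:
            print(f"{kind}: {h}")
    return not (changes["disabled"] or changes["removed"])

# Constructed sample: a HOSTS file before and after a cleaner rewrote it.
BEFORE = """\
# Hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       ads.example.test
127.0.0.1       malware.example.test  tracker.example.test
"""
AFTER = """\
# Rewritten by cleaner (constructed sample)
127.0.0.1       localhost
#127.0.0.1      ads.example.test
# 127.0.0.1     malware.example.test
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. hosts.bak C:\Windows\System32\drivers\etc\hosts
        sys.exit(0 if check_hosts_files(sys.argv[1], sys.argv[2]) else 1)
    print(blocklist_changes(BEFORE, AFTER))
```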
     
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    halcyon, you can install sandboxie easily on your work computer.

    To ensure all your downloads are recovered easily, setup your browser, say it's opera to save files to a specific location, say the desktop.

    Then set sandboxie up to instantly recover files that are saved to the specified location, say it's the desktop.

    Sandboxie gives you the prompts to as soon as the file downloads, allowing you to save it from out of the sandbox.

    See steps in setting up your browser and sandboxie, and an actual download below.
     

    Attached Files:

  3. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Cont...Setting up sandboxie, then performing a download in Opera.
     

    Attached Files:

  4. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Cont...Sandboxie alert to auto-recover file from 'specified folder'. And file on desktop.
     

    Attached Files:

  5. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    @Saraceno
    Thanks for your comment, it really helped me :D

    Sandboxie is a gem, very light with strong protection, and Shadow Defender will clean things that may bypass Sandboxie.

    I am thinking about adding Malware Defender to my setup. Do you think that is necessary? Thanks again =)
     
    Last edited: Nov 8, 2008
  6. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    I've been thinking the same thing, but I'm yet to use it, so I wouldn't be the best person to ask. Someone else with more knowledge should help you out on here.

    I think it would depend on how much 'new stuff' you're downloading and keeping. And how often you have your system in 'Shadow Mode', and how often you open and run files 'sandboxed'.

    If Shadow Defender is on all the time, and you're not downloading any 'new/unknown' programs, and you're running a scan on the files/documents you're keeping, then you might not need it.

    But you could use Malware Defender to determine if the files you intend to keep (commit with Shadow Defender) are behaving 'suspiciously' when you're testing them out. Or use it when Shadow Defender is off.

    I think my option would be to test out how light your system runs with it.

    Or an alternative could be (which I'm considering), is installing Avira Personal (free), as it is extremely light, with no system impact, and seems to be leading the pack for real-time malware detection. You could allow it to update once a day, before turning Shadow Defender on. The free version wouldn't have the web scanner, so no slow downs while browsing, and you wouldn't need that feature anyway, as sandboxie is running.

    When I used it last, it was only using 10-14MB of memory. Let me know how you go! :)
     
  7. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Shadow Defender is on all the time. For now I will leave my setup this way. About Avira, I have a license for the premium version; I was using it before my "Shadow Setup". It is a great antivirus for sure ;)
     
  8. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Good to hear. :)

    If you haven't tried it, you could try ThreatFire. Could help in determining if a file/installation is safe. A file could be clean, but TF could alert you about the program you intend to keep/commit with Shadow Defender, if it is displaying keylogger behaviour or trying to install additional drivers and so on.

    I tried the older version, not with the setup I have now (not sure how it works with Shadow Defender), and it worked well. The latest version is said to be performing even better.

    Otherwise, I'm looking forward to seeing how the new Prevx performs (to be released shortly). It could provide that real-time analysis I'm looking for. :)
     
    Last edited: Nov 8, 2008
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Threatfire 4 seems a useful choice with much improvement noted lately. After experimenting with several combinations over the past weeks I find myself almost back to square one where I began some time ago in heaping security apps. The good news is that this time, thanks to better advancements & developments over time, they all seem to complement each other with little overlap for my system, and it goes like this (for now).

    XP Professional (SP2 only) w/only 512Mb Memory

    ProcessGuard 3.5 = EXCEPTIONAL!
    SandboxIE 3.30 = EXCEPTIONAL! Yet On-Demand Only Here.
    Real-Time Defender = EXCEPTIONAL!
    Mamutu Behavioral = EXCEPTIONAL!
    Script Trap = EXCEPTIONAL!
    Kerio 2.15 = EXCEPTIONAL!
    FireFox 3 = EXCEPTIONAL!

    All that backed up with DriveSnapshot (.SNA)
     
  10. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Easter,

    I'm not sure that Mamutu deserves that EXCEPTIONAL tag. I'm not a researcher in your league but whenever I've done any testing, Mamutu has been very quiet and not very impressive. I've just tested it against AKLT with Mamutu in Paranoid mode and it failed all tests except Screenshot 1. It says it's monitoring AKLT for keylogger activity but didn't detect anything. I just don't have a lot of confidence in it.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hi hammerman

    Don't be put off by the keylogger failure for that reason alone, because it also returned an absolute 0 rating when I tested it against AKLT. No alert whatsoever. On the other hand it intercepts executables and such just fine, but you do raise a very valid point on that concern.

    What that particular failure indicated to me is that in its current state, it's useless against keyloggers per se, as we both confirm, but it does do an admirable job otherwise. That limitation is likely to remain or they would have addressed it by now, so as for keyloggers, I depend on both RTD + Snoopfree, which IS able to stop loggers.

    Good point nonetheless.

    EASTER
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I'm interested by Mamutu's apparent failure on the KL test, since the interface claims to 'watch for possible keylogger like activity'. I wonder if it just ignores this harmless, simulated threat, or if in fact it is a weak point.

    Has anyone tested this against real keyloggers?
     
  13. evilscribble

    evilscribble Registered Member

    Joined:
    Apr 30, 2008
    Posts:
    48
    Virtualization doesn't stop loggers such as keyloggers, screenloggers, webcamloggers and clipboardloggers. On-demand protection is useless for users who do not want to waste time by scanning their computer 5x a day. He has no firewall or NAT so all his ports are visible. He has no (good) antivirus to remove current infections and trojans that can allow hackers remote access to the system. A lot of his programs such as Shadow Defender and AVZ toolkit are time consumers/wasters (don't forget the 4 on-demand programs he has to run every time just to make sure he's safe since he has no real-time scanner). The only way you are safe when using his security setup is if you don't download much or if you have no internet or if you like wasting time and making your computer good for nothing but scanning itself. Not everyone is willing to sacrifice security (and time) in exchange for a little bit less resource usage. But of course it all depends on what you use your computer for.

    Mamutu is bad vs loggers of any type. I suggest you try Zemana Antilogger.
     
    Last edited: Nov 8, 2008
  14. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Everyone has different needs. And you made a good point "But of course it all depends on what you use your computer for".

    For example, you got to weigh up the chance of a keylogger being installed and launched through sandboxie. The developer continually upgrades his product to be as robust as ever. How is a keylogger going to be installed if you download/recover a few PDFs or images? But if you download a lot of unknown programs, then I agree, you have a higher chance of being affected.

    But lets just say someone installs a keylogger on my system, either they know the login password, or install it while I'm away. In all honesty, chances of the keylogger/clipboard logger etc finding anything useful is slim. Say for a few hours before I reboot and the keylogger/clipboard logger is removed (as Shadow Defender is running), the keylogger might detect me burning a few cds, or typing on this forum, or reading the news. Then after reboot, it's gone. That 'rare' instance, isn't a serious concern (to me anyway).

    Shadow Defender, if you've tried it, also has password access control. Which means, a file or program can only be committed to the actual drive only if the set password is known. Otherwise it's removed upon reboot. This makes it more difficult for an unwanted program to stay for longer than a few hours - before you reboot (if you just rely on 'one' specific program, you are 'hoping' it detects the problem file, but if it doesn't, then you might have the problem file for weeks or even longer).

    Regarding AVZ, I don't want to get into a you say vs I say discussion, as I don't want to ruin this valuable thread. I have read however, that Ilya Rabinovich who develops DefenseWall, has even recommended the AVZ program. And he knows his stuff. It's powerful tool if you know how to use its system analysis/service manager features.

    I'll still standby sandboxie being a great line of defence, even better than not having it and installing several other programs. Anyway, programs like MBAM and superantispyware and Dr Web's Cureit, do detect keyloggers as well, once a scan is run. But the user uses Shadow Defender all the time, and most likely reboots daily, and uses sandboxie, so I don't see how keyloggers would be a problem.

    I agree that something like Malware Defender/ThreatFire could be installed, and his setup would be even better.

    But it all comes down to how often you're downloading and launching 'unknown' files and programs, and if these are from 'questionable' sites. If I visit a questionable site and notice an unusual download, I'll delete the contents of my sandbox, and reboot to allow Shadow Defender to remove any unwanted files, before proceeding to say internet banking. It's common sense. If I've just been browsing here, and a few other known sites, I will just delete the contents of my sandbox before proceeding through to internet banking, and wouldn't bother about performing a reboot.

    Lastly, regarding the zemana program, from my understanding, their testing tool was a test, but it 'may' have served as a promotion tool rather than replicating an actual threat. But then again, it could be an excellent product, although I'm yet to try it.
     
    Last edited: Nov 8, 2008
  15. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    @evilscribble

    You are wrong, I have a NAT firewall, you didn't notice that, and I am running with no infections for about 3 years. I know Gmer, online scans, IceSword, AVP tool to be sure that I am clean, and shadow my system =). You are a bit paranoid, I am just a teenager user who found the "Shadow Setup" a good way to avoid Windows problems, simple as that. I don't think that the super crackers are trying to hack me; security is important but people are really paranoid, and I don't scan 5x a day, just avoiding p0rn and warez software is enough. So enjoy the life :D

    @back to the topic

    My "Shadow Setup" is enough for me. I am thinking about adding Malware Defender or ThreatFire (extra protection); both ran very light :D


    If keyloggers someday become a real problem for me I will use KeyScrambler, and if that doesn't work I will give up and start to use Linux :argh:

    Cheers
     
    Last edited: Nov 8, 2008
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I must echo in support of xXDarkStalkerxX due to the overreaction to MAMUTU behavioral blocker's single weakness or apparent limitation. In fact for years I just ran snoopfree, and although it's not entirely thorough when pitted against some keyloggers, it suffices against most, or as many as it was designed to match up to with Microsoft internal code entry potentials.

    As said, if keyloggers, stealth or otherwise, ever become some real problem, Key Scrambler and others are always an alternative. But I never had nor expect any penetration from them, even in rootkits, due to the enormous security structure I've fashioned around my units.

    EASTER
     
  17. evilscribble

    evilscribble Registered Member

    Joined:
    Apr 30, 2008
    Posts:
    48
    My setup is

    Real-time:
    NAT
    Avira Premium Security Suite
    Zemana Antilogger

    On-Demand:
    Malwarebytes

    Virtualization:
    Returnil (I rarely ever use this)
    Sandboxie

    Firefox Addons: WOT, Adblock Plus, Secure Login (for 1-click logins)

    This is by no means a paranoid setup (; I also have a lot of maintenance software. Btw I am also a teenager (;

    I used other testing suites such as AKLT and Zemana detects and can block everything. There is no way I will rely on the tests done by the company that made the product. I am a heavy downloader. I use up my 95GB monthly bandwidth so it is necessary for me to have a non system-wide-virtualized environment so it is hassle-free. I instead use real-time protection and sandboxie. I am not a fan of classical HIPS because they prompt too much and waste too much of your time. That's why I'm looking into DefenseWall. I agree when you say AVZ is a powerful program, etc. however I am simply a casual user and since my current setup has kept me safe for 9 months with my continuous downloading (9 months ago the only security program I knew of was AVG and I got a virus that wiped my internal and external HDDs). Since I use my computer for banking and other related activities, it is necessary for me to protect against loggers of all kind.

    You definitely do not need keyscrambler, etc since you have 20 different security programs installed on your computer already (as per sig). It was Mamutu's failure to detect AKLT's hooks that made me hit the uninstall button because they clearly say they can detect keylogger behaviour.
     
    Last edited: Nov 9, 2008
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    EVILSCRIBBLE

    Just to clarify for truth's sake, I DO NOT use all those apps in my sig all at once at any one time on any one machine, and I hope members aren't let on that way as my security.

    In all those apps exhibited in my signature, I carefully select and sometimes experiment with different combinations not to exceed 4 or 5 at any one time, but as an indication of my own strategic inventory I easily turn to in order to throw off anyone which combo I use and thus force them to work to guess exactly which combinations I might be exercising as my security set up at the time.

    I do however sympathize in your favor & against Mamutu's claim that it also captures keyloggers in much the same way that it fiercely aborts certain potential risks. It's finally returned to the TERMINATOR that Cyberhawk once was and then some, with the added bonus of remote if any FPs it used to suffer from. In that I have complete confidence in MAMUTU BY WAY OF TESTING AND EXPERIENCE.

    In my opinion, I don't expect it to be an effective keylogger shield, as much as that would make it even better at what it does if it could, but it does knock out a lot of potentially malicious forced files of risk to Windows machines, and for that I'm thankful.

    EASTER
     
  19. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Thank you for your reply evilscribble.

    I'm envious of that bandwidth (went from ADSL2+ to wireless! ADSL2+ will be back soon. :'( )

    Avira, I think it's the best around, and you've got the premium suite along with Malwarebytes. And sandboxie is a gem of a program. My apologies as I didn't realise you also use it. :thumb:

    The only thing I might suggest would be that the free personal edition of Returnil is good, but lacks a few features and the flexibility of the premium edition, which is similar to Shadow Defender. In that, with Shadow Defender, you can save specific files and folders (eg. large iso files/dvd files - 4GB handles nicely, 8GB iso file took me longer, about five mins) just by right-clicking and selecting 'commit', or you can allow a folder to be excluded. Shadow Defender reeled me in as the licence is life-long and includes free product updates.

    EASTER, I interpret your signature as products you approve of/use a combination of rather than running all at once. Some confusion might be due to most users listing the products they always use in their signature.
     
    Last edited: Nov 9, 2008
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i always use no more than 2:D
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Just added another:

    I already use Avira AV (free) as resident (very light/effective/quick) on one of my units.

    Nod32 is my On-Demand AV (Another Favorite)

    Now have added good ole DrWeb (free) as well.

    EASTER
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I sort of reduced my protection to only router + XP Pro (Power User + SRP) and ThreatFire (with some extra rules).

    The security apps tend to get stronger, and I am using fewer of them (as opposed to Easter). I still sort of believe in the layered defense approach; the software sort of integrates:

    FW: inbound = Router, outbound = TF
    HIPS: Power User + TF behavior blocker + extra rules (both TF and SRP)
    AV: TF checking VirusBuster DB when an intrusion occurs

    So I still have a layered defense, only it is tackled by one application and XP Pro's built-in policy management.

    Forgot: Chromium with sandboxed rendering engine (reduces attack surface by 70% of the browser, not as good as for instance DefenseWall or Sandboxie, but hey, it is fast and free)

    The good side is it makes a cheap E5200 dual core (@3.0GHz) on a cheap mobo 'fly' with so little overhead on the system.

    EDIT: I am still on the same image since posting this setup for the first time (meaning no failure, no defeat when malware testing).
     
    Last edited: Nov 9, 2008
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Someone knows me well :)

    If it comes down to having to heap a multitude of security apps just to ensure some sense of freedom from being bit by one or another of malicious junk, it doesn't hurt my feelings or performance for that matter to run a gauntlet of collections to make penetration virtually useless, which it has for me for quite a while now. (Thanks M$) (How kind to jeopardize customers who forked out for your O/S only to have to quadruple investments into a myriad of safety protection software)
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Comodo FireWall Pro and DriveSentry:thumb: :thumb:
     
  25. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Thanks to PM post of Kees1958 now running Chromium in GesWall policy restriction.

    Current setup
    - router
    - XP Home
    - Surun (thx TLU, Cerxes)
    - TF with Kees1958 custom rules
    - GeSWall Free with Chromium (thanks Kees for PM)

    Note: open a web browser you do not use, change file location properties to chromium.

    Set following rules in GesWall
     

    Attached Files:

    Last edited: Nov 9, 2008