Locking things down

[Aestus]

Hey, I recently had security issues with a group of people, turned into a huge mess and I'm just now getting everything fixed up and updated, passwords changed etc..

I was wondering what your suggestions would be for software to secure the machine so it doesn't happen again. Should I try a livecd of some sort to scan for rootkits? I tried to use the sophos scanner it errors out telling me "unexpected end of archive"

Currently, I'm running an old version of comodo that I'm thinking needs updated or replaced. I just updated to the latest free avg. This is all on a windows xp (soon to be sp3) installation.

I was thinking of going with zonealarm after reading a review, though the last time I tried zonealarm it made it so I couldn't utilize a connection with any application (note that I'm currently using a dialup connection). What firewall (preferrably free or cheap) would you guys suggest for maximum security? If not zonealarm why? Also I would like one that monitors things on a program by program basis.

Also what other programs would you suggest if any to stack on top for extra protection? I have been looking at http://www.zerovulnerabilitylabs.com/home/ but want to get your opinions. I also have to ask if such a program sends any data out about my applications and such which I find unacceptable.

[wat0114]

You probably want to be starting with a clean installation of XP with SP3 and all updates, then start with Applying the Principle of Least Privilege to User Accounts on Windows XP . As for security software, there are so many choices available, Sandboxie might be one of the best, but I really think you need to start with some serious policy restrictions first.

Oh, and another link for some excellent advice:

http://www.wilderssecurity.com/showt...90#post1538690

[jmonge]

appguard in lockdown mode with password protection

[siketa]

NVT ERP

[Peter2150]

Actually I use both Appguard and NVT's ERP.

Pete

[Sully]

I would ask what happened before being able to determine what to use to keep IT from happening again. The fact that you are changing passwords means what? Was it local or remote? There is a lot you COULD do, but to me the question is what do you NEED to do. And the only way to answer that is with more specifics.

IMO at least.

Sul.

[Notok]

Quote:

Originally Posted by Sully

I would ask what happened before being able to determine what to use to keep IT from happening again. The fact that you are changing passwords means what? Was it local or remote? There is a lot you COULD do, but to me the question is what do you NEED to do. And the only way to answer that is with more specifics.

IMO at least.

Sul.

This was my thought as well. Can't really give targeted advice if we don't know what we're targeting.

[Aestus]

Well I've been having problems with a group of trolls/hackers that have been causing problems, stalking-style stuff. They have been able to get some information and throw bits in here and there though I'm uncertain of the full extent.

It has all been remote, without question.

So the picture I'm getting is do a fresh reformat and install with sp3, install whatever firewall would be best, latest avg, and appguard on lockdown mode. What is ERP and what are the benefits of adding it?

I'm looking into policy restrictions now. So how does the free zonealarm sound, should I get the antivirus version even with avg installed?

I should also note I use very strong passwords that you can't count the digits of on both hands typically with random numbers and such so I have that figured out

[pablozi]

My vote goes to NVT ERP since it is more easy to use and it has no problems with running along with other security software

[1000db]

Quote:

Originally Posted by Peter2150

Actually I use both Appguard and NVT's ERP.

Pete

Do you use these on the same computer? If so, I'm interested in what advantages you see in doing this.

[AMIGA500]

Upon research of the NVT program it would appear the free version doesnt actually do that much and the paid for product is the one to go for.
Correct me if im wrong here but the free exe radar pro just whitelists your apps and alerts to unknown things so obviously there is nothing incredibly new or innovative here and seems more like it is a victim of its own over-hype.

The differences between the free and paid versions are quite substantial and so the free version is certainly not something i would wish to download and use when windows has a built in function that basically does the same.

[Sully]

Quote:

Originally Posted by Aestus

Well I've been having problems with a group of trolls/hackers that have been causing problems, stalking-style stuff. They have been able to get some information and throw bits in here and there though I'm uncertain of the full extent.

It has all been remote, without question.

I am not one to tell people what to use to secure thier system. I quit that a long time ago. There are plenty of people here who use different apps reguarly or change them so often, they will tell you what to use. I am more of the "what is the problem" and "how do you stop it" sort of person.

With that in mind, I am still uncertain as to what you really need to have done. I would assume this group of trolls/hackers are "pestering" you, maybe found some of your passwords and messed with your accounts? If that is the case, then HOW did they get that information to begin with?

If they breached your nat/firewall, how did they do that? What were you running, do you have remote login enabled? Were you on hamachi or something so that they had remote access to your lan "virtually"?

Were they just hacking hotmail and stumbled into your account and harvested other account info or credentials, or are they targeting you? Did it come out of the blue, or did you meet them and (for whatever reason, not important) they decided to mess with you.

Just what do they have? Email account info? Forum credentials? Real life name/address etc?

Quote:

So the picture I'm getting is do a fresh reformat and install with sp3, install whatever firewall would be best, latest avg, and appguard on lockdown mode. What is ERP and what are the benefits of adding it?

I'm looking into policy restrictions now. So how does the free zonealarm sound, should I get the antivirus version even with avg installed?

If they have installed a botnet and can control your machine, reinstalling fixes that. Setting up security so that a browser or email doesn't allow infection again works. The restrictions you set on the local machine, with group policies or apps that control what a user may do only protect the machine from physical tampering (ie. user doesn't have rights to view restricted directories or install applications to restricted areas). Do you want to apply these measures because the bad guys might have that kind of access (remotely)?

These measures are also used to keep you from doing things like installing a botnet or trojan or whatever. You restrict yourself (or some applications) so that they won't allow the "door" into your system that the bad guys created/found.

Quote:

I should also note I use very strong passwords that you can't count the digits of on both hands typically with random numbers and such so I have that figured out

Now this statement leaves me wondering, passwords for what? You have indicated you might like to lock your system down (ie. not being an admin and using apps that help restrict the logged in user). If you are changing passwords for the computer/account or other applications, this might mean that the bad guys are infiltrating your system, which is pretty serious.

Or, are these password changes you mention for your web based activities, like email accounts etc?

I guess the thing I am looking at is, if you are being "attacked" in your online dealings, like email accounts etc, I don't see what restricting your local machine is going to do against those. That is more in the lines of not giving out information that can compromise you (like account info or using really weak passwords to email). The thing that would protect you though, if you apply user restrictions, is that things that are online would have a much harder time getting installed to your machine. That is a big deal, but I see two possibilities here: one online based only, the other directly affecting your local machine.

So, a firewall might be in order if they are getting to your machine. A check or your router/nat settings might be in order if they are getting to your machine. Restricting user rights would be in order if they are getting to your machine. Appguard and other tools of like nature would restrict local or remote logins, etc etc.

But if its online based, managing your passwords (keeping them safe and strong) would be a start. A service that tells you if a website is "bad" might be good, like WOT. Maybe NoScript or something like that would help. Maybe disabling java or not installing it if you don't need it. Maybe using a different browser with different technology (ie. chrome/ie rather than FF). Perhaps using Sandboxie to contain what happens in the browser, or in general restricting what internet facing apps may do to your system.

Heck, even not going to certain websites that could compromise you could be a start.

Lots of IFs there. Not trying to have any attitude with you, just trying to sort out the how and why to better determine what you should do. Nothing wrong with imposing rights restrictions to your machine, but is that really the solution or does it lie in other places?

Sul.

[Peter2150]

Quote:

Originally Posted by 1000db

Do you use these on the same computer? If so, I'm interested in what advantages you see in doing this.

Layers. For one thing Appguard is very tight, but has to be virtually turned off to install new software. I don't changing anything in NVT's ERP. I just install. Usually there are two alerts. The exe file, and the tmp file.

Also another way they play together is say for Java. I run guarded in Appguard, but took it out of the ERP whitelist so I know when it wants to run, and when does, and I am okay with it, I just allow once.

Pete

PS. They run fine together on the same computer.

[Peter2150]

Quote:

Originally Posted by Beethoven1770

Upon research of the NVT program it would appear the free version doesnt actually do that much and the paid for product is the one to go for.
Correct me if im wrong here but the free exe radar pro just whitelists your apps and alerts to unknown things so obviously there is nothing incredibly new or innovative here and seems more like it is a victim of its own over-hype.

The differences between the free and paid versions are quite substantial and so the free version is certainly not something i would wish to download and use when windows has a built in function that basically does the same.

You are right. I think the plan is to do away with the free version and offer a trial of the paid version.

It isn't anything all that new, but it is a whitelist application, very well done, and also fairly inexpensive.

Pete

[1000db]

Quote:

Originally Posted by Peter2150

Layers. For one thing Appguard is very tight, but has to be virtually turned off to install new software. I don't changing anything in NVT's ERP. I just install. Usually there are two alerts. The exe file, and the tmp file.

Also another way they play together is say for Java. I run guarded in Appguard, but took it out of the ERP whitelist so I know when it wants to run, and when does, and I am okay with it, I just allow once.

Pete

PS. They run fine together on the same computer.

Hadn't thought of using ERP that way but it makes sense. Thanks.

[gery]

eset is a keeper here