What do I need?

Discussion in 'other security issues & news' started by M_S, Sep 5, 2005.

Thread Status:
Not open for further replies.
  1. M_S

    M_S Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    64
    Dear Reader,

    I'm a newb, so please forgive me asking a question I've seen asked in several other threads, but to which I've not really found an answer I could get hold of.

    Okay, I'm running NOD32 and WinPatrol and MSAS, and I seem to get by okay. I periodically scan with AdAware and Spybot also. Now I've started reading Wilders Security Forums and I fear I'm becoming a little neurotic. Have I got enough security?

    I ran Ghost Security's RegTest, and that's frightened me a little - I've tested it with my two resident programs, and oh I've also started running SensiveGuard and MJ Reg Watcher, and everything fails RegTest. Everything except Ghost Security, that is - I've downloaded the trial version. Now, is this a real reflection of a real danger? I really can't afford to buy Ghost right now, and I'm worried I'm not safe enough on the back of failing RegTest.

    My question, I guess, comes down to: Am I afraid because I watch too many scary movies? (substitute: read too many scary threads on WSForums, and run too many perhaps-not-a-reflection-of-real-existing-dangers security tests!) Or with my current setup am I really in any danger of being compromised?

    Would really appreciate any guidance and/or suggestions.

    Thanks.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hi,
    It comes down to what you do.
    I could tell you that I have computers that I run p2p programs on and surf porn sites with, with only a firewall and anti-virus (and recently MSAS), and have never had any spyware, or for that matter, an alert from MSAS. I also have other, more hardened computers, but it's more hobby than real paranoia. I like to do tweaking and hardening and hear good advice from people here on Wilders.
    So, is the danger real? Yes, it is.
    Can you avoid it? Probably.
    I think you can easily avoid 90% of problems if you do not use IE, OE and insecure chat and messaging programs. Firefox, Thunderbird would do well for you. You could also try Opera browser.
    To be infected, something needs to get onto your computer and run. You avoid activex by not using IE and OE. Next, it could be pictures or mail attachments that could contain malware or programs and files you download from the internet.
    In this case, it's your logic that will help you. Do not fiddle with things you are not familiar with. If you download a program you think you might wanna use but you are afraid to test it, do not double-click to see what happens. Ask people here or submit to anti-virus companies for reviews.
    If you are going to be hacked on a personal basis, little will help you.
    However, there are also obscure ways of getting infected, and here I recommend you click links in the signature of a user called Notok. He recommends the hardening of the system, and I warmly agree with him. In his signature, there are many useful links to programs, and I suggest you download them and use them, and if you need help, ask people here, they will gladly help you.
    Hardening will greatly limit your exposure, including unknown threats.
    For starters, I suggest you read about the following programs and see if you want to implement them into your system. They might not be a Ghost Security test, but they will cover you very nicely:

    BugOff, SafeXP, WWDC, HTAStop, WSH, Steve Gibson's tools on grc, and possibly SecureIt and HardenIt.

    You could also try TeaTimer, Spybot resident protection, if you want.

    You can also try free system protection programs like Attack Shields Worm Suppression and Anti-Hook, and maybe also an anti-keylogger, SnoopFree.

    If you want to prevent exploits on web pages, try Proxomitron web filter.

    Then you harden yourself even more by disabling services and there are even hardening tools for Firefox.

    Now, this is only a suggestion and I might have obliterated you with information. Take your time, study things.

    Threats exist, but also defenses. However, the defenses are only as effective as their user. It comes down to clicking something and you are the one that clicks.

    Cheers,
    Mrk
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Very likely

    RegDefend is a very nice and highly targeted tool; among registry control programs it is among the best.

    On my own PC, see here, NOD32 is the program that captures everything. The other applications are there for specific roles, but part of what I plan for is visiting questionable links posted here to see if they contain malware, so my configuration is a little stronger than needed by a regular user.

    My casual observation is that many folks do not necessarily have too many or too few security applications, but that they often have highly overlapping products while leaving gaps elsewhere. If you were to ask me, what do I need from a structural point of view, I'd say:
    • Filtering of unsolicited in-bound communications using either a firewall (native XP firewall or 3rd party software firewall) or a hardware router. My preference is the router in order to provide some load balancing.
    • A strong AV/AT product or combination of products for signature/heuristic based identification of malware. Many of us employ a dedicated AT in addition to a general AV. While this was really needed in the past, trojan coverage by all the major AV vendors has reached a state where I now view this as a recommended conservative course as opposed to required. Naturally this comment depends on the specific AV chosen. As long as it is NOD32/KAV/Norton/McAfee/BitDefender or a couple of others, I'd say you are probably set. If you want dedicated AT coverage as well, BOClean/Ewido/Trojan Hunter/a2 are all decent products. Good coverage here supplants the need for realtime coverage from dedicated antispyware products. I have a number of AS products installed, and while they performed a large amount of cleanup in the past, most of that activity appears to be caught by the AV/AT these days. I still believe it's useful to have dedicated AS applications on-hand for periodic on-demand clean up.
    • An application(s) to counter specific operations (registry manipulation, key file edit/deletion, hooking into the OS, etc.) that could compromise a system. These operations require something to execute them, which would generally be handled by the AV/AT. Assuming the AV/AT mishandled the incident due to the newness of the threat, I have backup measures provided by SafenSec and RegDefend. There is overlap here in the area of registry protection, which I do feel is important (the protection that is, not the overlap). Given the small footprint of both applications and lack of conflict, I'll live with the duplication of effort.
    • Finally, while I use a firewall, I use it for application based control only and I view it as an entirely optional component.
    Of the four elements I list, I view the first two as required, the third as nice to have, and the fourth as really optional.

    Blue
     
  4. Honestly, even with the best setup in the world, there are still tests that exist or could be written that would cause failures.

    The regtest illustrates the difference between hooking and polling. Some would say that if you have a poller, your protection is completely useless, because the registry entry would be inserted before it's detected.

    On the other hand, I have yet to see a real world example where a couple of milliseconds makes a difference.
     
  5. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Absolutely. It comes down to which set of potential issues you choose to deal with.

    I agree that blanket statements such as a polling based approach is "completely useless", and I've seen them as well, are, well, completely useless. As with most of these items, there are gradations in potential vulnerability and that has to be weighed against the extant risk.

    I should have been more explicit. While I feel RegDefend is among the best at what it does, for the vast majority of users polling type approaches, such as MJ Reg Watcher, are fine at present. You are not overly at risk M_S.

    Blue
     
  6. M_S

    M_S Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    64
    Thanks to each of you - I'm grateful for your responses. I should have said: I use Thunderbird for email, Opera and Firefox for browsing, and my email is pre-scanned and well filtered by gmail. Oh, and it is the Plus version of WinPatrol I'm using too.

    I'm reassured by what you've all said. But now I want to go the other way: do I need everything I've got running now? And would you recommend swapping one or more of these for other programs? This is what I now have:

    NOD32
    Kerio Personal 4
    MSAS
    WinPatrol Plus
    SensiveGuard
    MJ Registry Watcher
    Spyware Blaster
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    M_S,

    Just looking at the list, I would examine the potential duplication between WinPatrol Plus, SensiveGuard (firewall is covered by Kerio P4, but what about the other functions?), and MJ Registry Watcher. I personally don't use any of these applications, so I really can't comment in detail, but this is where I'd look and a quick peek at the respective websites indicates at least some overlapping functionality. That's not inherently bad, especially if you do not experience system drag and the overlapping functions cover ranges of different scope (for example - monitoring selected registry entries vs. the entire registry). The remaining programs are unique and fine as is, as is your use of Opera/Firefox/Thunderbird. I've used Firefox for so long, I tend to forget the security implications of it.

    Blue
     
  8. M_S

    M_S Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    64
    Thanks, Blue. I've uninstalled SensiveGuard. I'm not sure about MJ Registry Watcher. Each time I restart or return from hibernation, it asks me about an apparent change to win.ini, but the two versions it lists differ only in their timestamp. This is a bit of a pain, and I can't figure out how to stop it doing that. So I might dump that too, especially if what it does is pretty much covered by other things. Have hardened my system with Secure-it now, too.
     
  9. M_S

    M_S Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    64
    This is the message I get from MJRW:

    File Details Changed from
    c:\windows\win.ini - Size=856 Date=Mon Sep 05 20:22:06 2005 Attributes=---A-
    to
    c:\windows\win.ini - Size=856 Date=Mon Sep 05 20:52:31 2005 Attributes=---A-
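    The polling approach discussed in post 4 and the timestamp-only alert quoted above, as an added Python example that is not code from the thread or from MJ Registry Watcher: a poll-style watcher that records a content hash alongside size and mtime, so a file whose bytes are unchanged but whose timestamp moved is classed as metadata-only rather than alerted on. The file name, its contents and the temp directory are constructed for the demo.

```python
"""Poll-based file change monitor that tells timestamp-only changes
from real content changes (constructed example, not the MJRW tool).

A poller like this only notices a change on its next cycle; a hooking
product intercepts the write itself, which is the gap RegTest measures.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileState:
    size: int
    mtime_ns: int
    sha256: str


def take_state(path: str) -> FileState:
    """Record size, modification time and a content hash in one poll."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return FileState(st.st_size, st.st_mtime_ns, digest)


def classify(before: FileState, after: FileState) -> str:
    """Compare two polls. Hash first: identical bytes with a new
    timestamp (the win.ini case above) is metadata-only, not an alert."""
    if before.sha256 != after.sha256:
        return "content"
    if before.mtime_ns != after.mtime_ns:
        return "metadata-only"
    return "unchanged"


def demo() -> dict:
    """Reproduce both cases on a constructed win.ini in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "win.ini")
        with open(path, "w", encoding="ascii") as fh:
            fh.write("[windows]\nload=\nrun=\n")  # constructed content
        base = take_state(path)
        # Case 1: touch the file so only the timestamp moves (+1 s).
        later = base.mtime_ns + 10**9
        os.utime(path, ns=(later, later))
        results["touch"] = classify(base, take_state(path))
        # Case 2: change the bytes, which a monitor must flag.
        with open(path, "a", encoding="ascii") as fh:
            fh.write("; constructed edit\n")
        results["edit"] = classify(base, take_state(path))
    return results
```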
     
  10. M_S

    M_S Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    64
    Thanks again to all who contributed here and helped me. An update a few days down the line: I've gone back to Kerio, MSAS, Winpatrol Plus, and NOD32. I wasn't convinced I needed everything else. I'm a bit concerned whether Kerio's free version is sufficient - I see it scores low on some tests. So all I'm wondering about now is whether I maybe should invest in a better firewall (although there are rumours of a firewall in the next version of NOD)?
     
  11. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    A router would help improve your security, but it is no magic bullet.
     
  12. rawr

    rawr Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    128
    Location:
    Illinois, U.S.A
    Another 2 things you can add to your layered protection are..
    IESPY ADS
    and
    MVPS Hosts File

    Neither takes up any memory/resources..check it out.
     
  13. M_S

    M_S Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    64
    Hey Rawr, thanks so much for the link to the Hosts tutorial - I've got that up and running now, and I feel better already! I've also managed to get a few others in my house interested in buying a site home license for RegDefend, so I'm not much worried anymore...
     
  14. rawr

    rawr Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    128
    Location:
    Illinois, U.S.A
    No problemo.. :cool:
     
  15. M_S

    M_S Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    64
    A quick follow-on question: I downloaded one of the programs recommended on that site, HostsMan, which makes things really easy - but do you know if I need to keep that running? Hey, it's only using 5-10 MB, but if it's not necessary, I'll free that up. Thanks.
     
  16. rawr

    rawr Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    128
    Location:
    Illinois, U.S.A
    I don't think you have to have it running..after you do the necessary of 'Scanning, Find Dups, Lock' Host file.
     
  17. mcqfox

    mcqfox Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    1
    Is this a hint of what a casual user should look at having on their computer to prevent problems? I am an older (over 50 y.o.) student, mother of a son in college, work full-time, browse e-bay, do a little on-line banking, and cannot afford to buy a lot of "stuff" for the computers (desktop for me-laptop for son). I have Grisoft AVG virus scan (free edition), Spyblaster 3.4 and Spyguard 2.2 and Ad-Aware SE. Also Checkit86 popup blocker. Any other suggestions? For some reason, my family seems to think I'm the expert and as it is stated in Gone with the Wind "I don't know nothing about..."

    · antivirus: NOD32
    · firewall (hardware/software): Linksys WRT54GS/Filseclab Personal Firewall PRO
    · spyware: Ad-Aware SE PRO, SpywareBlaster, Spy Sweeper, Spyware Doctor
    · malware/other: a² (free), Ewido
    · privacy: CCleaner, Window Washer
    · other: MRU-Blaster, Registry Mechanic, Tune-up 2004
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    mcqfox,
    I would add these FREEWARES

    Spybot S&D v1.4 (PepiMK Software)
    http://www.safer-networking.org/en/mirrors/index.html
    Additional Anti-Spyware scanner and realtime protection (Teatimer).
    A classic recommendation in all security forums/websites.

    IE-SPYAD
    http://www.spywarewarrior.com/uiuc/resource.htm
    This preventive tool will add thousands of infected websites to the Restricted Zone of MS Internet Explorer.
    After that you can't visit these infected websites anymore with MS Internet Explorer.

    MVPS Hosts
    http://www.mvps.org/winhelp2002/hosts.htm
    OR
    Bluetack’s HOSTS File (much larger, more protection)
    http://www.bluetack.co.uk/forums/index.php?showtopic=8406
    Replace your Windows Hosts File with the MVPS or Bluetack Hosts File.
    After that you can't visit these infected websites anymore with any browser.

    Mozilla Firefox
    http://www.mozilla.org/
    Use this browser for surfing and searching on the internet, much SAFER and CONVENIENT.
    Keep your MSIE for Windows Update and safe websites.
    You can use both at the same time.

    Mozilla Thunderbird
    http://www.mozilla.org/products/thunderbird/
    Replace MS Outlook with Thunderbird.
    Thunderbird is safer, easier and above all faster and has an excellent anti-spam system.
    I still enjoy Thunderbird after 2 weeks. It cleans my inbox in one second. Unbelievable.
     
    Last edited: Sep 10, 2005