Bullet Proof Setup

Discussion in 'other anti-malware software' started by Gasp, Mar 9, 2010.

Thread Status:
Not open for further replies.
  1. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    I got hit with a trojan & rootkit the other night which had been bundled into another application, so I need to re-think my security. I am currently using Norton & Prevx. Norton completely missed it and Prevx only picked it up a few hours after install, presumably after the cloud analysis.

    This had me thinking a bit here. If you download a setup file for an application, even after scanning it with every anti-malware known to man, that doesn't indicate it's clean; it just means that if there is malware, it is undetectable.

    Real cloud scanning such as Panda & Prevx is obviously a fantastic line of defence here, but the downside is that it could take up to 48 hours for any notification of infection. By this time any rootkit will be well hidden away.

    My current setup looks something like this:

    Disk Backup
    Paragon Disk Backup 10 (PAID)

    Real-Time Protection
    Norton Internet Security 2010 (PAID)
    PrevX (PAID)
    Sandboxie (FREE)

    On-Demand Scanning
    Malwarebytes (FREE)
    Hitman Pro (FREE)
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Far, far from bullet-proof (it doesn't exist), though your imaging solution will at least get whatever malware that does show up off of your system. NIS is not as good as people want to believe, though it is far from the worst. Prevx, I need to see more from them to validate all their claims, but I'm a picky sort. Sandboxie, if you can afford it, pay for it. The free version is just too restricted to be of much use, imho. MBAM has proven itself, in certain areas. Hitman Pro, I'm not really a fan of the "pay us to clean your system" business model. It's too rogue-like for my taste.

    I didn't post this to shoot down your setup, btw. You picked some well-liked applications. If they totally sucked no one here would keep recommending them. I'm just posting my personal thoughts on them. Always understand though that nothing you do can "bulletproof" your system, unless of course you unplug it from the wall.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Hi sorry to hear about that, but at least you have backup. What was the file, and where did you get it ?

    A lot of us upload any new files to places like http://www.virustotal.com which has multiple AV scan engines. Not always 100% foolproof with brand new malware, but better than just one or two local options. Not much you can do about unknown malware, apart from not running it. That's why it's best to err on the side of caution if you're not totally sure of the source.

    What happened with Sandboxie ?
     
  4. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    If I were to install an application of unknown legitimacy I'd be looking to isolate it from the system. If it didn't need to install drivers I'd either install it within Sandboxie or Symantec Workspace Virtualization (formerly Altiris SVS). On the other hand, if it did require a driver installation I'd use VirtualBox.
     
  5. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    You bring up some interesting points.
    So what do you use for AV/AM etc?
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    At the moment I have Avast 5 Free and MBAM paid doing the "heavy lifting", with Sandboxie paid as my "if all else fails" measure. Far less "bulletproof" than even the OP's setup. I however am not trying for that kind of a setup. I cannot and will not sacrifice my enjoyment of a very fast, lean system (Windows 7 64) because I'm afraid of some world-ending malware destroying my life or turning me into a member of the botnet army.

    I feel that if I run a file through both a well-received AV and AM and it comes up clean, well, to me, it's clean. Getting 10 different opinions from vendors not only is a waste of my time, it opens the door to FP detections and confusion even wider. I need my system to do what I bought it for, not scan every letter I type on the keyboard and throw a pop-up at me every time Windows or an application does something.

    To be honest, I believe that the more security you have, the less secure you are. Hell, anymore security vendors can't keep up with the ever increasingly sophisticated malware, so how on earth am I supposed to? I block ads, I use Noscript, I tightened IE zone settings, I run a well-known AV and AM. If that can't secure me enough, screw it, I won't worry about it.

    There's no sense in running several security apps when they all can fail no matter how good they are. All it does is suck up resources, and the OS already is quite good enough at that and doesn't require help with it.
     
  7. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    I suspect someone used a fudder to attach the rootkit/trojan into the genuine application. I did run a pass with virustotal but only got 2 hits.

    I wasn't expecting Norton to find 0day malware, but SONAR has let me down big time. What is the point of popping up to say "suspicious file", then allowing it to take over my system? As for File Insight, this should have been developed more like Prevx.


    You share the same opinion as millions, my friend. Not saying there is anything wrong with that, but it's not good to trust files based on 2 scans. You'd be the perfect 0day target.
     
  8. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    The only bullet proof solution is to shut off your computer and leave it off. Barring that, there is always the chance of getting hit, so the important part is having a bullet proof backup strategy to get you up and going as quickly as possible.
     
  9. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Thanks for your info.
    Though I have a little more than you do, I try to keep it simple for the same reasons.
    I don't sit around all day and worry about terrorists. And I won't be a slave to perceived security.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What was the application, and where (what site) did you obtain it?

    thanks,

    -rich
     
    Last edited: Mar 10, 2010
  11. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    FWIW, my setup is as follows:
    Avast 5 AV
    Outpost FW 2009
    MBAM on demand, SAS real time
    SpywareBlaster
    Shadow Defender, virtual surfing
    FD-ISR (original)
    :ninja:
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The problem is unless you run a HIPS program, you can have every AV and AM created running real time and still a true 0-day is going to bust you. And, with the current state of true HIPS applications, an average user is more likely to get infected and/or hose their system than be protected. Damned if you do, damned if you don't.
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That is the big question, isn't it? Because quite honestly, to me, "I got hit with a trojan which had been bundled into another application" sounds a whole lot like "I downloaded some warez off some P2P and it turned out to be infected." Yes, I realize people want to do that stuff. But in that case, one must realize that occasionally they are likely to run into infected files, and things even worse than that.

    As others have said, there (practically) ain't no such thing as bullet proof security. A good place to start, though, would be your own actions, in particular, deciding who to trust. Consider whether you really trust, and should trust, the source of the file, before you open and execute it! You downloaded it from Microsoft, and the file seems to have a valid Microsoft Corporation digital signature, and your AV doesn't complain about the file? Well, that file doesn't sound very risky. But if you downloaded it from some file sharing service, the file has no valid digital signature and its checksums do not match the checksums reported for that application's installer on the developer's official download page? This file you should consider suspicious. You can scan it with anti-malwares, but even if they report nothing, that is no guarantee the file is really clean. You can monitor the execution of the file with a HIPS product, but that doesn't mean the HIPS won't be disabled or bypassed, or that you can interpret the HIPS alerts correctly and conclude that the file appears malicious. You can execute the file in a virtual machine or sandbox, but that won't mean the file isn't virtual machine or sandbox aware malware that refuses to do anything malicious while it knows it's being virtualized, and it also won't mean that you'll be able to detect the malicious actions made by the file even if it's not virtual machine aware. So, in short, it isn't exactly easy to tell whether a file is malicious or not. Of course, you can "improve your chances" that the file is clean with rather simple actions like anti-malware scanning, but that only improves your chances, it doesn't give any bullet proof answers.

    So, if I was you, I'd start by concentrating on the issue of trust: do I trust the source of the file and should I? You need to rethink who to trust and how much risk you're willing to take. After making reasonable choices on who to trust, then it's time for the other possible measures like malware scanning, HIPS, and what not. Like the recent Energizer USB charger malware issue (http://www.kb.cert.org/vuls/id/154421) shows, sometimes you'll trust someone who made a mistake. In those cases, HIPS, malware scanning and such can come in handy. But the "primary" line of defence should be your brain.
     
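The checklist in the post above (does the checksum match the developer's published one, does the file carry a signature at all), as a script added here; it is not the thread's own code and it is not a replacement for Windows' own signature validation. It hashes the installer in chunks, compares the digest with a sha256sum-style list of the kind a vendor publishes on its download page, and parses the PE header to see whether a WIN_CERTIFICATE block is present. The sample installer and the checksum list are constructed inside the script, and the tooling named for real signature validation (Get-AuthenticodeSignature, osslsigncode) is an assumption about what you have available.

```python
"""Pre-execution checks for a downloaded installer (added example, not code
from the thread): compare the file's SHA-256 with the checksum published on
the developer's download page, and test whether the PE carries an embedded
Authenticode signature block at all. Presence of a block is NOT validity;
validating the PKCS#7 signature and certificate chain needs platform tooling
(assumed: PowerShell Get-AuthenticodeSignature or osslsigncode)."""
import hashlib
import hmac
import struct
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large installer is not read into RAM

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()

def parse_checksum_list(text):
    """Parse sha256sum-style lines ('<hex>  name' or '<hex> *name') into
    {name: hex}; anything that is not a 64-hex-digit digest is skipped."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            out[name] = digest
    return out

def checksum_matches(path, published):
    """True only if the published list names this file and the digest matches.
    compare_digest avoids prefix-comparison bugs and timing leaks."""
    expected = published.get(Path(path).name)
    return expected is not None and hmac.compare_digest(sha256_file(path), expected)

def has_authenticode_block(data):
    """True if the PE security data directory (index 4) points at a
    WIN_CERTIFICATE inside the file. Detects presence, not validity."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32: data directories start 96 bytes in
        dirs, ndirs_off = opt + 96, opt + 92
    elif magic == 0x20B:    # PE32+: 112 bytes in
        dirs, ndirs_off = opt + 112, opt + 108
    else:
        return False
    if dirs + 5 * 8 > len(data):
        return False
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    if ndirs <= 4:
        return False
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    cert_off, cert_len = struct.unpack_from("<II", data, dirs + 4 * 8)
    return cert_off != 0 and cert_len >= 8 and cert_off + cert_len <= len(data)

def build_fake_pe(with_signature):
    """Constructed minimal PE32+ (headers only) for the demo. With a signature,
    a placeholder WIN_CERTIFICATE (not real PKCS#7 data) is appended and the
    security directory is pointed at it."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    cert = b""
    if with_signature:
        body = b"\x30\x82" + b"\0" * 14
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        struct.pack_into("<II", opt, 112 + 4 * 8, len(dos) + len(coff) + len(opt), len(cert))
    return dos + coff + bytes(opt) + cert

def demo():
    """Run both checks on constructed files and return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        vendor = Path(d) / "setup.exe"
        vendor.write_bytes(build_fake_pe(True))
        published = parse_checksum_list(f"{sha256_file(vendor)}  setup.exe\n")
        results["vendor_copy_matches"] = checksum_matches(vendor, published)
        p2p_dir = Path(d) / "p2p"
        p2p_dir.mkdir()
        p2p = p2p_dir / "setup.exe"               # same name, one byte altered
        tampered = bytearray(vendor.read_bytes())
        tampered[-1] ^= 0x01
        p2p.write_bytes(tampered)
        results["p2p_copy_matches"] = checksum_matches(p2p, published)
        results["vendor_has_sig_block"] = has_authenticode_block(vendor.read_bytes())
        results["unsigned_has_sig_block"] = has_authenticode_block(build_fake_pe(False))
    return results

if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The checksum comparison only means something when the published digest comes from the developer's own page over HTTPS rather than from the same P2P listing as the file; a checksum that travels with the download proves nothing. The PE check is deliberately limited to "is there a signature block": a missing block is a clear warning, but a present block still has to be validated against a trusted chain with the platform tools before it counts for anything.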
  14. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Yes, it all comes back to trusting what you run on your PC.
    Sometimes you'll get it wrong, but use your brain first.

    One option is getting into the habit * of not installing something straight-away.
    Upload it off to some AV to check. Loads of them will test files on their machines.

    Much safer than using your own PC as a test bed !

    *Habit is the key thing here. Then you won't break your own rules in a rush and regret it later.
     
  15. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Deep Freeze, which I use on occasion, is highly bullet resistant but not bullet proof. You might also try Virustotal Uploader to checkout downloads before installs. If you are looking for bullet proof computing, try the public computers at the library. I've never gotten an infection from them except for a cold or two (a little joke lol). Always have a clean offline image just in case.

    SourMilk out
     
  16. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Please could you tell me what your settings for NIS 2010 were? With all NIS 2010 settings set to max, NIS is pretty good; I'm pretty sure that the trojan and rootkit processes were unknown, so Norton File Insight and Norton Download Insight should have protected you by giving you a warning.

    http://www.symantec.com/norton/products/tutorials/tutorials.jsp?pvid=nis2010&tutid=download_insight

    http://www.symantec.com/norton/products/tutorials/tutorials.jsp?pvid=nis2010&tutid=file_insight

    Thanks.
     
    Last edited: Mar 11, 2010
  17. wat0114

    wat0114 Guest

    Yup, I'd say the most important question here. If someone wants badly enough to venture into the unknown for their applications, then perhaps a "safe haven", of sorts, test bed is in order. Maybe a vm setup? Either that, or accept the risks involved with the real system and make sure you're reliably backed up to latest point and ready to restore an image at a moments notice. With Sandboxie you might be able to gain some idea of the application's characteristics - good or bad - but that seems to be mostly difficult with SB. A vm-aware virus will probably either not proceed to install or behave in some other "unexpected" way, so that should set off alarm bells right away.
     
  18. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    I was looking to trial something which didn't offer shareware/trialware. The application was from P2P and, to be honest, I did expect malware to be added into it. Most P2P does. I did VirusTotal it, which didn't show much. I did sandbox it; again, nothing much. It was executing the setup file which saw an unknown loader bypass all my security and infect my system. Not really a problem, I was just very surprised it did.

    Does Norton IS 2010 have any HIPS protection or is it limited to SONAR? Yes all my settings are on full, and no I don't have the file anymore.
     
  19. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I had started a thread back in Oct 2008 which I thought was my Bullet Proof Setup (or Golden Bullet Setup). Boy, has that changed to my current setup of SBIE, Avast 5 and MBAM (on-demand). Running this setup on Win7 Home Premium 32 and Win XP Pro 32 without any hiccups and nice all-around security. Unfortunately, there are some issues with SBIE and my Win7 64 notebook.

    Ice
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    IceCube, are you still running Sandboxie?
     
  21. Gasp

    Gasp Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    82
    Consider this overkill, but here's what I have now...

    Norton Internet Security 2010 (Anti-Malware & Firewall, Both on maximum)
    PrevX - (Gets the 0day missed by Norton, Set on maximum)
    Threatfire (Blocks the 0day missed by Prevx, Set on level 4)

    Sandboxie (IE, Chrome, PDF)
    WinPatrol (For monitoring system changes)

    MBAM & HitMan (On-demand scanning)

    Paragon Disk Backup (For when it all goes wrong)


    If anything gets past me this time then I will put an elephant condom over my machine.
     
  22. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Yes, it is overkill and is heavily reliant on heuristic/behaviour blocking for 0 day. If you are going to venture back to the dark side then an AV+Sandboxie+Classical HIPS (such as Malware Defender) would serve you well. Add in Virustotal uploader, Buster Sandbox Analyzer and Virtualbox and you're well set.

    If you're not venturing back to the dark side then your existing setup was just fine.
     
  23. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Yep. I switch between GeSWall and SBIE but find SBIE a bit more compatible with certain applications I use. The only issue I have is with SBIE running on Win7 64 OS.

    Ice
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Ah, I see :)
     
  25. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    I'd like to know how you're running Prevx and Sandboxie together? There was a big issue running both together in the past. Sandboxie kept Prevx out of it and never found a way to use it.
     