Going AV less- suggestions are welcome

Discussion in 'other anti-malware software' started by ams963, Jul 7, 2012.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Besides HMP, I would at least use an autorun check (e.g. Windows autoruns or regrun animator).

    Maybe add Comodo Programs Manager (notifies you when something tries to install and checks AV-engine through cloud).

    Time will tell :D
     
    Last edited: Jul 8, 2012
  2. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Well, I play videos and music in my VLC, download a very small number of apps, mostly to try new ones, download some PDF files and documents, and browse. That's all I do on this PC. On my other main PCs I've got WSA and EAM.

    Okay, I'll follow that tutorial in Kees' post and try out SuRun. So Sul, tell me now how my setup would be if I have everything in post #1 plus SuRun. Would I still need an AE or that sort of thing like Spyshelter?

    Another thing, although off-topic: I just need to ask, should I, or rather do I need to, use SuRun in a LUA on my other PCs with, as you put it, traditional defense?
     
  3. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Okay okay, I'll try SuRun in LUA. And speaking of autoruns, how do I turn off the autorun thing on my PC like Panda Cloud AV can do?
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, SuRun is like UAC. Running with LUA privileges (and the ability to get Admin rights using the same user profile) means you are protected against MBRs, Trojans and other really hard-to-remove nasty stuff, because the Windows and Program Files directories are protected, as is the HKLM hive of the registry.

    As suggested, you could go with Comodo Programs Manager also (you will have a passive AV only checking programs which try to install).
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    http://support.microsoft.com/kb/967715
     
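The KB article above describes disabling AutoRun through the NoDriveTypeAutoRun registry value, and Kees' first post suggests an autorun (autostart) check. The following PowerShell script is an added example and not code from the thread or from Microsoft: it reports the AutoRun policy value in both hives, optionally sets the HKLM value to 0xFF (the "disable on all drive types" value from KB967715, which needs an elevated shell), and then lists the classic Run/RunOnce autostart entries as a lightweight stand-in for the Autoruns check. Key paths and value names are the standard Windows ones; the `-Fix` switch is this script's own.

```powershell
# Added example (not from the thread): audit the AutoRun policy from KB967715 and
# list Run/RunOnce autostart entries. Read-only unless -Fix is given.
param([switch]$Fix)

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($key in $policyKeys) {
    $value = $null
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
    if ($null -eq $value) {
        Write-Output "$key : NoDriveTypeAutoRun not set (Windows default applies)"
    } else {
        Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $key, $value)
    }
    if ($Fix -and $key -like 'HKLM:*') {
        # 0xFF disables AutoRun for every drive type (value from KB967715); needs an elevated shell
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Write-Output "  -> set to 0xFF"
    }
}

# Autostart entries: what will run at logon regardless of what the user clicks.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath metadata
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}

# Startup folders are a second autostart location worth a glance.
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (Test-Path $folder) { Get-ChildItem -Path $folder | Select-Object FullName }
}
```

Run it without arguments as a normal user to audit; rerun with `-Fix` from an elevated prompt to apply the KB967715 setting. Anything in the Run keys or Startup folders that you did not install yourself is the kind of entry a full Autoruns run would flag.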
  6. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    just wanted to say

    Don't go AV free!!!
    no matter what others say about how bad an AV is in protection
    it still detects a large portion of Malware

    as for windows firewall, whatever, with a good config or not
    it always fails all the leak tests. Like extremely fails
    also 100% of Malware bypasses windows firewall
    the only Malware that windows firewall can block is the one written by a 3rd grade elementary school student + some of the inbound attacks which are denied by the router by default

    if you want a lite machine just choose a Linux distro with clamTK as on-demand scanner
     
  7. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    So I do not need Spyshelter like apps if I use SuRun? But you suggested me both in your earlier post.

    On another note, can you kindly answer this?

     
  8. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    So you're saying don't go for free AV, but then you're saying they detect a large amount of malware? Sounds logical!

    Stop, you need to research what a firewall is, really.

    Most Linux distros by default don't have the firewall on, and ufw is a basic firewall just like Windows Firewall is, are you going to complain about malware "bypassing" it?
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This sounds like a good fit for LUA to me. I think you are just having some "growing pains" while you change things so radically from the ways of the past.

    Well, you list
    In this set of tools, you have most everything you would ever need. Maybe more than you would ever need. Is it overkill? Would be for me. Is it for you? My bet is most likely, but only you can decide that.

    My thoughts, that is my own personal thoughts related to how I am, would be that if you are running as a user (aka LUA) you probably only need Sandboxie.

    For example, if I suppose I have two kinds of online activities - browsing and banking - then I am going to have 2 browsers and 2 sandboxes. The first sandbox will force the first browser into it (say IE). It will be set to delete all contents upon the program ending. This keeps this box, from day 1, always clean (assuming SBIE continues to be so bullet-proof). I would do all of my banking activity in this box, ALWAYS. Do I need KeyScrambler? Maybe, it depends on if I trust my bank website or not. I would also allow ONLY the browser to run in this sandbox. Now, even if a keylogger were downloaded, it could not run within this box. So, do I need KeyScrambler?

    The second sandbox would force my 2nd browser (maybe Firefox). It would not delete everything. I would limit what would be allowed to run within this sandbox - maybe a pdf client, other needed applications. So I limit again what can run in this box, but this box is persistent. As I go places, history is there. If I download things, they are there. If I get a keylogger, it is there, although contained within the sandbox. But, that keylogger can still get my data. Should I use KeyScrambler with this box? Maybe. But maybe I don't go anywhere that I care what it logs. Maybe I delete the box often enough that it won't matter. Or maybe I want this persistent sandbox to stay for months and months, and I log into my email or forum. Maybe I do want to use KeyScrambler within this box just in case. I personally set up my sandboxes before going anywhere on a new install, and tightly control both what can run and what can have internet access, so I don't worry about a keylogger personally.

    Do I need hitmanpro? Well, at some point I might let files out of the sandbox and run them in the real system. I don't think it hurts to have an on demand scanner really, providing you actually use it. I have mbam installed, but rarely use it.

    What about ConnectSafe and the browser tools (NS/AB/WOT/LP)? within the sandbox, do those really benefit you? Maybe. Not a bad idea I suppose. I don't use them, but I really don't see as they are over the top or anything. I'll let you decide if you need those.

    DriveSnapshot. I have used these types of tools before. They are neat. And fun. But, really once I started using SBIE, I no longer felt I had the need. I make a master image of my system periodically using Macrium. I can restore quickly if needed. I keep all my data on a separate drive(s) than the OS, so for me, those types of tools really don't do much, as I just don't have problems that would require them.

    As for SkyDrive, that is a personal choice of where you put your data. If you like the cloud, then use it. I haven't tried any cloud related stuff yet. Probably won't.

    And finally, windows firewall. It is an inbound firewall, useful if you have other computers in the LAN or if you don't have a router. It can be used for other purposes too, but that is how most use it. I see no reason at all to use it if you are behind a router. I don't think it is overkill, but I just don't see the use for it. If you are worried about what is going OUT of your machine, it is not the right application. But then for me, with SBIE being able to restrict what gets network access, I don't really worry about a firewall anymore.

    This is how I look at it, being an admin 24/7. It is much of what I do, plus some other OS tools I employ and using Chromium for its sandboxing effects. It might not be the right approach for you.

    That depends I guess. The way I look at it, is most people don't need to be admin all the time. They simply don't do true admin tasks unless they are installing applications all the time (which IMO is a good way to get problems anyway). If they run as admin, then they should use methods to restrict themselves, like a HIPS application. This is really beyond the scope of most average users, so the best solution is to run as a user (LUA). If the PC is used for browsing and checking mail, maybe you don't need SuRun. If there are somewhat frequent tasks needing admin, then SuRun offers you a more convenient way to do these things.

    The question is, if other machines are running as admin, and they get a virus, will that virus try to spread on the local network? Is your machine up to that challenge then? That is a case where XP firewall might prove its worth. That is a case where you might have services running that you don't need that would give you issues. That is the case to ask yourself, do I trust these other computers and/or their users who are running as admin.

    An example. I am admin on my win7 machine. My wife is on Vista, but using UAC and Sandboxie (although she hates SBIE). My kids (3 of them) are all on XP Pro as admins. I use a computer running pfsense (linux router distro) and restrict the kids' online activity to a known set of sites. If they need to install a new application, I investigate it on my pc, and if I approve of it (maybe I upload it to jotti if in question) I put it on the NAS box. They can then install it. It may need some internet access to get "out", so I have to decide if I want that or not. I don't have any firewalls running on any of the PCs, nor AV nor AM nor - well, pretty much nothing but a tweaked OS. But, I control what happens, not the other users. I have been problem free for a very long time. Is it because I used all the "tools of the trade"? No. Most certainly not, as I don't employ many of them at all. It is just because I educated myself enough to understand where the problems come from, and decided to be very strict with how I did things to avoid such problems.

    Maybe this information can give you some ideas of where you are, of where you could go, and whether you want to go to such lengths to have what you want.

    Good luck.

    Sul.
     
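Sully's post makes two checkable points: Windows Firewall is an inbound filter that matters mainly when other LAN machines might be compromised, and the real exposure is unneeded services listening on the network. The script below is an added example, not Sully's or the thread's code; it reads the firewall profile state with `netsh advfirewall` (Vista/7 and later, so not the XP firewall he mentions) and maps every TCP listener to its owning process from `netstat -ano`, marking which ones are reachable from the LAN rather than bound to loopback. The function names are this example's own.

```powershell
# Added example (not from the thread): what is the inbound firewall guarding, and what is listening?

function Get-FirewallState {
    # Parses the "<Name> Profile Settings:" / "State  ON|OFF" blocks printed by netsh (English output).
    $lines  = netsh advfirewall show allprofiles state
    $result = @{}
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^(\S+) Profile Settings:') { $current = $Matches[1] }
        elseif ($current -and $line -match '^State\s+(\S+)') { $result[$current] = $Matches[1] }
    }
    $result   # e.g. @{ Domain = 'ON'; Private = 'ON'; Public = 'ON' }
}

function Get-TcpListeners {
    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
    netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        $ownerPid = [int]$f[4]
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $f[1]
            OwnerPid     = $ownerPid
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            # 0.0.0.0 listeners accept connections from the LAN; 127.x ones only from local clients
            LanReachable = ($f[1] -notlike '127.*')
        }
    }
}

Write-Output 'Firewall profile state:'
Get-FirewallState
Write-Output 'TCP listeners (LAN-reachable first):'
Get-TcpListeners | Sort-Object LanReachable -Descending | Format-Table -AutoSize
```

A LAN-reachable listener owned by a service you never use is exactly the kind of thing Sully means by "services running that you don't need"; either disable the service or make sure the firewall profile covering your network shows ON, since behind a router the firewall only earns its keep against the other machines on that LAN.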
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am sorry to inform you that it is very possible to go problem free WITHOUT an AV at all.

    It is also possible to have problem after problem even with an up-to-date AV installed.

    The saying "damned if you do, damned if you don't" I think is most fitting for the Anti-Virus industry.

    It takes knowledge to go without one. It takes being naive to believe just having one will stop infections.

    Sul.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry Iron Man,

    Those were three options: either Windows Defender with a tight safe hex (weakest option), Spyshelter free (strongest option) or SuRun (good enough, sound option).

    The second question depends on the OS you are using. When you have something to safeguard threatgates (e.g. DefenseWall or GeSWall on x32 or Sandboxie or Bufferzone on x64), you have tackled 95% of the problems (with an AV as backup). When you do not use an AV as backup, I would like some sort of barrier between ring 3 (user land) and ring 0 (admin/system). On XP SuRun is a good implementation of such a barrier; on Vista or Windows 7 with UAC on max this also qualifies as satisfactory.

    I noticed you use WSA on other machines. WSA also has a HIPS built in for untrusted programs, so on this PC you have an adequate barrier. You also were the lucky winner of EAM. EAM has a very good IDS/behavioral blocker, so for two PCs you are really well protected. So what are the OSes and other security programs you use on the other machines?

    Regards Kees
     
    Last edited: Jul 8, 2012
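Kees' point is that without an AV you want a barrier between ring 3 and ring 0: a LUA account, or on Vista/7 an admin account with UAC at its maximum level. The following PowerShell function is an added example, not code from the thread, that reports which of those two postures the current session actually has. It checks whether the running token holds the Administrators role and reads the standard UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop); "Always notify" corresponds to ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1, while 0 means silent elevation. The function name and the verdict strings are this example's own.

```powershell
# Added example (not from the thread): is this session LUA, or admin with UAC at max?
function Get-LuaPosture {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # False here means the shell runs with a standard-user token: either a real LUA account
    # or an admin account's filtered (non-elevated) token under UAC.
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $sys
    $uacOn    = ($p.EnableLUA -eq 1)
    # ConsentPromptBehaviorAdmin: 2 = always prompt, 5 = Windows 7 default, 0 = elevate silently
    $uacAtMax = ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)

    $verdict = if (-not $isAdmin) { 'Standard-user token (LUA or filtered admin token)' }
               elseif ($uacOn -and $uacAtMax) { 'Elevated admin; UAC at max' }
               elseif ($uacOn) { 'Elevated admin; UAC below max' }
               else { 'Elevated admin; UAC OFF - no ring-3/ring-0 barrier' }

    [pscustomobject]@{
        User                       = $identity.Name
        TokenIsAdmin               = $isAdmin
        UacEnabled                 = $uacOn
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        UacAtMax                   = $uacAtMax
        Verdict                    = $verdict
    }
}

Get-LuaPosture | Format-List
```

Run it from the everyday (non-elevated) prompt: a TokenIsAdmin of False is the posture Kees and Sully describe as the goal, and an elevated session with UacEnabled False is the case where nothing stands between a downloaded program and the Windows, Program Files and HKLM locations the LUA post says are protected.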
  12. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Oh I see. Now I understand.

    I use WSA on another XP system with the same setup as the av less pc. EAM is in a Win 7 32 bit pc with the setup in my sig.
     
  13. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    @Sully Thx for the elaborate explanation. I understand now. It took me some time but I got it. :D
     
  14. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    What's the point of running those sandboxed?
     
  15. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    In case he runs a carefully crafted media file designed to exploit either program presumably. I run VLC sandboxed too, and any other program that either faces the internet or runs anything downloaded from the internet.

    Remember the old codec trojans? It's not unheard of.
     
  16. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Exactly. I also run those apps and any apps facing internet in sandbox. :thumb:
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    As do I. I have a different box for WMP and VLC, as I use them for different media. If it comes over the wire, I treat it as tainted with very few exceptions.

    It might be overkill, but it poses literally no inconvenience once set up.

    Sul.
     
  18. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Hmmm okay, but I think that scenario is so rare and maybe that's why I'm confused by running media players sandboxed.
    I use WMP for mp3's only and XBMC for video files (sometimes for audio as well) and although I'm using Sandboxie I don't sandbox them.
    But okay, I can understand the reasons for sandboxing them :)
     
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    For me, it's more of a question of why wouldn't I sandbox them :) Sandboxie is such a powerful program once configured, and as Sully suggests, not inconvenient once various sandboxes have been set up. It's no hassle at all to sandbox everything like Ironman has.

    You are right that in the wild VLC exploits would be extremely rare, but looking through version histories of VLC (as well as the Metasploit database) shows that exploits have existed using various vectors. It used to be much more common to see media trojans back in 2008 - the media file would tell WMP that it needed to download a special codec in order to work. Of course this special codec would be a trojan. IIRC Microsoft closed the particular method used. VLC uses its own codecs which is definitely an advantage for security.

    I suppose I try to approach security like an engineer might: if it can go wrong, then it probably will. Like many others, I feel 'naked' if I'm running something without using Sandboxie :)
     
  20. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    I know the reasons for sandboxing media players but personally don't feel the need to sandbox them, except maybe WMP as it's an easy target being part of Windows, at least not in my setup.
     
    Last edited: Jul 8, 2012
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You are fine then (browser choice is very personal, but on Vista and Windows 7 chrome/chromium is the browser with the low-rights sandbox implementation and sandboxie now keeps it in low rights/untrusted).

    Some tips on WSA https://www.wilderssecurity.com/showpost.php?p=2040007&postcount=6 for your XP setup

    Regards
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Media files can also contain some code (like PDFs and Flash), so a possible entry point for ways of exploiting it (and has been in the past). When you buy music etc., don't flush your digital rights with the sandbox.
     
  23. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    I try to run everything sandboxed.
    Right clicking on WMP or VLC takes no more time than the standard left click to access the application. I also run my e-mail client (Yahoo Mail) sandboxed.

    Peace of mind! :thumb:
     
  24. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    True that, peace of mind :thumb:

    I run utorrent, email client, firefox and IM clients sandboxed, separate sandboxes for each of those.
    And I run them in SB more because of the privacy (block access to some folders and partitions) than because of malware.
    Just never had encounters with something malicious in media files, never even heard of them to be honest.
    WMP is blocked with the firewall and XBMC has its own codecs plus it's open-sourced, so I'm pretty sure everything is okay there.
    But yeah, I might start sandboxing media players, it can't hurt :)
     
  25. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    AV Free is not equal to Free AV ;)

    Try GRC Leaktest on Windows Firewall
    and retry it on another 3rd party Firewall

    also there is the comodo Leaktest ;-)

    I really don't understand why you are attacking me :/
    anyway Malware writers are writing Malware for Windows machines as the main platform so mass malware won't infect the user on Linux

    I quote this "Alternatively use a free linux OS which will not get infected at all." From http://securitysnapshots.blogspot.co.uk/

    anyway if there is someone or something that wants to get in, eventually it will
    but mass malware won't infect linux


    you didn't read my post clearly anyway

    even though it can detect a large portion of infections, after all it depends on the user's experience
    I will quote a very smart man: "you can overlook something in memory or look for malware but you can't replace Real time Protection"
     