My Final Setup - Any Conflicts? Plus Hosts File Question

After much deliberation and research, I've arrived at a final security setup. Will there be any conflicts or issues? I should add my equipment info:

• Operating System: XP SP3
• CPU: Pentium 4 - 2.4Ghz - slow by today's standards, but not too bad
• Memory: 2GB DDR
• Habits: Very heavy internet use. Home office. Lots of password protected sites.

Here's what I'm thinking for real-time protection:

• NAT Router
• Firefox 3 with NoScript Plugin
• Avira Premium AV
• Online Armor Paid
• Mamutu
• KeyScrambler
• Sandboxie
• Spybot S&E - to lock Host File, IE Start Page, and IE Control Panel
• SpywareBlaster - ActiveX, Cookie, and Restricted Sites protection

This is alot! I have to emphasize that I spend alot of time online with sensitive information, so that's why the extra HIPS with Mamutu. I read here that it doesn't conflict with OA. But then you add Avira, KeyScrambler, and Sandboxie… I don't know.

I noticed that Online Armor has "Trusted Sites" and "Untrusted Sites" features. I don't know if it hooks into IE's Trusted Sites and Restricted Sites. But if it does, then I'm going to have I think four softwares all hooking into IE's Trusted Sites and Restricted Sites: IE itself, Firefox 3, SpywareBlaster, and possibly Online Armor. Any thoughts on this?

Are any others using Spybot to lock down their Hosts File? Are there other ways of doing this?

Thanks!
IB

 

See above OA will deal with web site protection (so use spyware blaster only for Active X and Cookies).

Set your host file read only.


Iron Portable (= Google chrome) is way faster than FF and has internal sandbox). Just set it to not remember passwords (something you should never do with browsers)

 

Thanks Kees! If Iron Portable has internal sandbox, that's great because I was kind of iffy about the whole sandbox idea anyway. (That's why I was beefing up on the HIPS.) I didn't mention that I run TredoSoft's MultipleIE's: http://tredosoft.com/Multiple_IE. It allows me to run IE6 in addition to IE7. It's very flaky in operation. IE6 and IE7 don't like interacting and sharing with each other! But that's not its purpose. I only use it to view how a site will look in IE6. Plus I will be running FF2 and FF3 simultaneously - along with Opera, Safari, IE6, and IE7. So it's browser hell (or heaven I suppose) on my pc. I just don't know how Sandboxie would deal with all that. That's why I was going to install all the above first and see how it goes for a month - then trial Sandboxie.

I'm looking into Iron Portable now. Only one possible deal breaker. I'm really in love with the DownloadHelper plugin for Firefox. It lets you save Youtube and other similar embedded videos onto your hard drive. Does Iron Portable have something similar? I know it sounds silly, but I really can't do without that. I would rather compromise a bit on the security instead.

You know what I noticed too? I was able to change my hosts file manually by just unchecking "Read-Only" in the file properties - while Spybot had it protected. Wouldn't a malware be able to do the same thing anyway?

Thanks again Kees. It looks like you have alot of respect around here. So this really helps.

 

You are welcome,

In OA you can run all your internet facing software as run safer (meaning running with limited rights).

When you want a real light setup, consider adding another user with limited rights and try SURUN. Search post for TLU and Mrkvonic (https://www.wilderssecurity.com/showthread.php?t=227600&highlight=Surun). It really is a good tutorial on how to run without admin rights in a practical way.

Only do not add an admin account, add a limited user account and then add it to Surun. Looking at your bit dated PC, you could save some money and enjoy its CPU capacity.

Simply invest in reading the Surun tutorial, add ThreatFire free (add protect host file and outbound protection custom rules) and you have decent security for free (use A2 malware free v4 and SAS free for on demand scans). You would be only running TF as security (plus limited rights user), so you keep your CPU cycles for your security aps (and off course Key Scrambler free when entering passwords). Spyware blaster does not eat CPU cycles so keep that also (for your other browsers).

Cheers Kees

 

Spybot, as you already stated, won't protect the HOSTS file, at all. Setting the HOSTS file as read-only, won't either.

I also found out, that if you configure your HOSTS file to something like 127.0.0.1 baddomain.com bad_domain.org one_more_bad_domain.net ... up to 9 entries, it will make Spybot go mad! Try it. ... Or not.

How to protect it? I'm not sure, but I think that Online Armor protects it? No idea, as I do not use it.

One alternative could be to use Hostsman to manage your hosts file, which will offer a better protection than Spybot. It will allow you to see if any hijacked entries, disabled ones, modified. Will also allow to change all your entries from 127.0.0.1 to 0.0.0.0 and from 0.0.0.0 to 127.0.0.1, or any other format you wish.

Or you could try ThreatFire, as suggested.

 

Sorry forgot, when not using OA and investing in Surun, download http://www.fajo.de/portal/index.php?lang=en&option=content&task=view&id=6&Itemid=0

Just disable the write access right of your host file of your LUA account with Fajo

Cheers

 

ZoneAlarmPro has a Lock hosts file feature under Advanced Settings in the Firewall section.

 

Yet another wrinkle. Scanning through that link, it looks like it's working for people. I'll check it out. If it's easy enough to implement... I'm trying to come up with an arangement that I can recommend to friends and people that I help out. That's one reason I was opting for OA instead of Malware Defender. Trying to stay a little within the mainstream. I guess there's no reason I couldn't use SURUN AND Online Armor - just for my system. I'm really not starved for speed. I keep a clean computer. It looks like some people are bagging their security apps and just running SURUN.

I'll check that, maybe see what OA does first.

Thanks for the replies!

 

Wow, I'm seeing the light! The more I look into Limited Accounts, the more I like the idea. It seems like this is the ultimate sandbox. I mean isn't a sandbox just a different way of running a limited acccount? Or at least the end result is the same - just a different way of getting there? The lazy way. I think the "proper" way to achieve this is through Limited Accounts and Software Restriction Policies. We should have been setting XP up like this since the beginning. Sure it's more work, but I'm sure it will feel satisfying to tackle this issue. I guess there are limitations that XP presents. But I think I have more options with XP Pro. I'm going to experiment with just a basic limited account and a Software Restriction Policy - and see where that takes me. These links here do a good job of explaining setting up a Limited Account: http://www.mechbgon.com/build/Limited.html and a Software Restriction Policy: http://www.mechbgon.com/srp/.

What I also learned is that the Limited Account by no means replaces your AV and HIPS software. Just like with a sandbox, you're still vulnerable to real-time type attacks to stuff in MyDocuments and Favorites (and probably other places). Sure your odds now are much, much lower of an attack. But still, you never know where your attack is going to come from. So I believe you still need to be prepared on each front.

One thing I'm not sure about, though, is the outbound firewall protection. When a malware "phones home", does it need access to system files outside of MyDocuments or Favorites? Or can it phone home completely within its own little network it setup within MyDocuments or Favorites? In other words, does the limted account remove the need to have a software firewall?

Okay, I feel like I'm making real headway. Thanks for showing me the light! I think I said this once before, but this time I really mean it!

 

No, when running LUA an relatively easy firewall like OA will give you a lot of protection. Somethings are prohibited in LUA (installing a driver some regsitry hives and access to windows an dprograms directory with create intend), others like dll injection not.

LUA will skip 80% of the horror stories about PC security.

Try a few setups like OA + Avira or PCToolsFW + DriveSentry when running LUA (and off course IRON webbrowser)

 

I don't use it, but I have read that WinPatrol will allow you to lock your HOSTS file and will monitor changes.

 

also zone alarm firewall lock down the host file too

 

Duly noted five posts up.

 

OA protects your HOST files from every changes in that file.

 

Thanks for the replies. I haven't had the chance to experiment with LUA's and SRP's yet. Since they don't completely take the place of AV, HIPS, and firewall, it would make more sense to get those nailed down first. I'm going to experiment. I had already paid for Avira AV. I read so many great things about Mamutu that I couldn't resist buying it last Friday - while it was still on sale for $8.69. I still want to try Online Armor. So real-time protection is going to look like this for now:

• NAT Router
• Firefox 3 with NoScript Plugin
• Avira Premium AV
• Online Armor Paid
• Mamutu
• KeyScrambler
• SpywareBlaster - ActiveX and Cookie Protection

I know this is overkill. But I've never used a HIPS program or software firewall before. So this will give me the chance to experiment with all these great programs I've been only reading about for the past two weeks. Then I can figure out what I like about each one - and utlimately what I can recommend to friends.

Once I have my security apps in place, then I'll work with the LUA's and SRP's. Like I said before, that looks like the ultimate sandbox - but working within Windows itself, rather than adding new software. I'm sure it's not as simple as I made it sound earlier. SURUN wouldn't be needed if it was. But I'm still going to experiment from the ground up. Start by setting up a basic LUA and SRP and see for myself what limitations are there.

I'm sure that Online Armor's host file protection will be sufficient. If not... if I can still go into file properties and change it to "Read-Only", without going thru OA first, then I just won't worry about it. If something gets that far anyway...

Thanks again!
IB