New x64 setup - recommendations welcome

Discussion in 'other anti-malware software' started by Swordfish_, Jun 2, 2011.

Thread Status:
Not open for further replies.
  1. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    Hello,

    well, it's been quite a long time since I've last visited Wilders - where security meets paranoia :D

    Let's come to the gist of the matter - I took a quick look at the forums and see that some things changed, some didn't - OA still strong, SBIE has an x64 version etc. I also see that M$ devised something called EMET and Baseline Sec. Analyzer.

    OS is Win 7 x64 SP1. It will be used as a production machine, also for testing (so virtualization is a must). I am inclined to use free software, however I see the possibility of purchasing one or two apps - if they are worth it.

    So, in points:

    1. System hardening:
    EMET - how do you have it configured?
    Secunia PSI - still worth using?
    Any other tools, configuration tweaks?

    2. Backup/imaging:
    For obvious reasons - I am using Win 7 built-in backup. However, I'd welcome any sensible, simple and free software that would make an image of the system partition (with MBR; the best would be the possibility to also back up/restore the MBR alone and the ability to manage - this means delete - certain images when not needed). Any suggestions here? Keriver? Macrium Reflect?


    3. Virtualization:
    Well, those days ago I've been using Returnil, however I feel that the landscape of virtualization software has changed a little bit, therefore - is Returnil still dependable? Any other free software in this area? Or is it worth going for Shadow Defender or other?

    4. HIPS/memory protection/run protection/USB protection/application behaviour enforcement (I do not want those A*dobe Updater etc. to run when I need all the system & bandwidth resources).

    I consider Comodo FW 5.4 with D+, however I remember that the company's policy sparked a little bit of controversy some time ago, so I refrain from installing it yet, however I feel that it might be better than free OA. Moreover, I prefer to enforce system security policy through system hardening, sandboxing, backups and virtualization rather than with the use of [H]IPS. Any ideas here? If neither Comodo nor OA, then what? I see other software like AppGuard but they are rather different tools in my view.

    5. Anti-Virus

    Well, Avira plus Immunet Protect for now are my best bet, suggestions here? Maybe new Panda Cloud as a secondary engine?

    A-Squared and MBAM as on-demand?

    6. Browser security

    SBIE? Anything? What about GesWall - no x64 yet?
    Prevx SOL or BitDefender - anyone compared both of them? What functionality is built in SOL? Does it act more like a browser security app or more like a cloud-scanner?

    EDIT: it has to support FF, IE, Chrome and Opera (yes, all four - or at least FF and Chrome).

    7. DNS service

    OpenDNS or whatever?

    That is quite a lot of questions above; I'd like to know your opinions before I proceed.

    Thanks a lot in advance :thumb:
     
  2. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Comodo IS or OA free.
    Avira or Avast free.
    EMET and UAC
    Sandboxie
    MBAM (real time or demand) and hitman pro
    Clearcloud or norton DNS
    Imaging program with clean image.
     
  3. guest

    guest Guest

    Comodo IS without AV (Firewall, HIPS, Sandbox, CloudAV, Cloud Behaviour Blocker -> All in One)
    Avast free.
    Prevx Safe Online Free (real time scanner without disinfection, and browser protection)
    Clearcloud or norton DNS
    BitDefender TrafficLight for Firefox http://trafficlight.bitdefender.com/index.html
    Adblock Plus and Ghostery http://www.ghostery.com/download
    MBAM on demand and maybe Emsisoft Anti-Malware Freeware on demand
    Backup: Comodo Time Machine (ShadowProtect (Paid))

    At the end you have 3 different AV engines: Avast, Prevx, Comodo Cloud AV (only the unknown files are sent). If you install the full version of TrafficLight you will also get the BitDefender engine for the browser (antivirus web filter) but maybe it is too much :D http://trafficlight.bitdefender.com/extensions.html.

    If you think it is not enough :blink: you can consider SpyShelter (Paid) or Immunet Free

    If you don't like Comodo or OA another choice is Privatefirewall, or Outpost Firewall

    All FREE software! ;)
     
    Last edited by a moderator: Jun 2, 2011
  4. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    THX guest, just a few short questions:
    1. You mean installing only FW part of Comodo? (will then the cloud av be included?)
    2. You stated: "Prevx Safe Online Free (real time scanner without disinfection and browser protection)" - I'm not sure if I get you: does SOL have the browser protection built-in or not? (To be precise: is it just a link-scanner or does it filter and scan http/https traffic?) I also consider BitDefender TrafficLight (that would be Avira, Immunet, SOL/TrafficLight and SBIE plus virt. software).
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Set EMET system-wide settings for maximum protection and manually add apps like browsers, PDF readers, office applications, media players etc. to the protected applications list.

    Secunia PSI is now v2 with automatic updating, which could be nice if you like it and don't keep up with software updates, but I'd rather use v1 on demand, as I find v2 a bit bloated.
    If you create a free account you can customize a lot for OpenDNS and which categories of websites should be blocked, but if you want protection from malicious sites then Norton DNS, ClearCloud DNS or something similar is a better choice.

    Prevx is a realtime antimalware with the SafeOnline browser addon. SafeOnline blocks bad URLs, protects against keylogging, screengrabbing, MitM and MitB attacks and more. It is a paid app, but you can get the SafeOnline license for free (called the Facebook version) and then the anti-malware part will only scan, but not remove or block malware.
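An added check, not from this thread or from EMET itself: after applying EMET's system-wide settings (which need a reboot), this PowerShell reads back the three mitigations that profile controls (DEP, SEHOP, ASLR) so you can confirm the policy really took effect. The registry values are the ones EMET writes on Windows 7; the "not set" defaults shown are assumptions about a Windows 7 client.

```powershell
# Added example (not from the thread): read back the system-wide mitigation
# state on Windows 7 after EMET's "maximum" profile has been applied.
# Read-only; run from an elevated PowerShell prompt.
function Get-SystemMitigationState {
    $kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $memoryKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    # SEHOP: DisableExceptionChainValidation = 0 means enabled, 1 means disabled.
    $sehop = (Get-ItemProperty -Path $kernelKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    if ($null -eq $sehop)  { $sehopState = 'Not set (assumed Windows 7 client default: disabled)' }
    elseif ($sehop -eq 0)  { $sehopState = 'Enabled' }
    else                   { $sehopState = 'Disabled' }

    # ASLR: MoveImages = 0 off, 1 opt-in (OS default), 0xFFFFFFFF (read back as -1) always on.
    $aslr = (Get-ItemProperty -Path $memoryKey -ErrorAction SilentlyContinue).MoveImages
    if ($null -eq $aslr)   { $aslrState = 'Not set (assumed default: OptIn)' }
    elseif ($aslr -eq 0)   { $aslrState = 'Disabled' }
    elseif ($aslr -eq -1)  { $aslrState = 'AlwaysOn' }
    else                   { $aslrState = 'OptIn' }

    # DEP policy lives in the boot configuration: nx = OptIn | OptOut | AlwaysOn | AlwaysOff.
    $nxLine = bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s+(\S+)'
    if ($nxLine) { $dep = $nxLine.Matches[0].Groups[1].Value }
    else         { $dep = 'Not set in BCD (assumed default: OptIn)' }

    [pscustomobject]@{ DEP = $dep; SEHOP = $sehopState; ASLR = $aslrState }
}

Get-SystemMitigationState | Format-List
```

If the values still show the defaults after a reboot, the system-wide profile did not apply; per-application mitigations in EMET are separate and are not covered by this check.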
     
  6. guest

    guest Guest

    1. During the installation do not select to install the AV, and you will still get access to the Comodo Cloud, including the Cloud AV and the Cloud behaviour blocker, but only the unknown files (not safe) will be sent to Comodo.

    2. Prevx Safe Online Free includes the complete browser protection and the Prevx AV scanner but only the detection part, not disinfection or blocking. Install it and take a look.
    With Prevx SO you don't need Immunet; you can have both but it is a bit overkill.

    Are you going to use a virtualization software and sandboxie at the same time?
    If you are going to use Sandboxie you don't need TrafficLight or Prevx SafeOnline.
    With Comodo sandbox, TrafficLight and Prevx SO is more than enough for browser protection.

    Virtualization software? If you are going to use this you don't need that much protection.
     
  7. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    Thank you, this is what I thought regarding EMET and PSI v.2.

    I am testing at the moment SOL and TrafficLight together - no conflicts at all, however I like the link-scanner functionality of TL (together with WOT it should provide more than adequate notion of what's beneath the link).

    I see, so, the FW part of CIS installed stand-alone will also act as a cloud AV?

    I actually do not need disinfection nor blocking - I just need the malware/exploit to be detected. How good is Prevx's rootkit detection? (I mean, the possibility of detect hooks from userland.)

    Yes, definitely.
    Because I am going to use both of them together and separately for different purposes. I decided I will stick with SBIE (is there any comparison between x86 and x64 versions of SBIE in terms of 'leakage possibility'?)


    I do understand your point, however, I will be anyway using SBIE (for example for p2p client and other internet-facing apps), unless I devise other way to isolate these apps.

    Honestly, I like the flexibility of virtualization software, the additional layers like EMET, SBIE etc. is just fun through paranoia. Pure and simple :D

    New questions emerged:

    1. While updating IE8 to IE9 something like 'Adobe Flash Player ActiveX 10' installed (actually UAC popped up message before). I think that I still need more 'classical' HIPS to control such situations, I don't like when something downloads and _almost_ installs in the system without my knowledge. Btw. I cannot isolate what browser actually did this - IE9?

    2. Disk imaging. Looks like there's no clever way to manage the disk images done by the Win 7 built-in backup utility. For example: I can delete all but the latest images, but what if I want to delete images 2,3,4 and keep 1 and 5? (where 1==oldest, 5==newest).

    3. SBIE, one small thing: I have an app, let's call it X. X has two directories where it can read and write; should I set them under Resource Access -> Direct Access or Full Access?

    4. ARKs - anything new emerged in the last year and a half? Sanity Check or anything?

    Many thanks.
     
  8. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Good tutorial here: -http://rationallyparanoid.com/articles/microsoft-emet-2.html-
     
  9. guest

    guest Guest

    Comodo firewall (Comodo Internet Security without the AV; you can uncheck the box during the installation) is formed by the firewall, the HIPS, the sandbox and all the cloud abilities of Comodo.
    You can also install CIS and deactivate the AV later and use it on demand only; I usually do this.

    Take a look at this video and try to understand the workflow of Comodo with the computer files if you still don't know how it works http://www.comodo.tv/home-computing/what-makes-comodos-technology-superior/
    I don't know about rootkits, but I like it because you can configure the heuristics with 3 different settings (I have the setting on medium or high) so I get alerted for some rare files, and then I discard them from being malware or a FP. It's like an ultra sensitive AV so I have some kind of control over "rare" files on my computer, so I upload them to VirusTotal or...

    It's up to you, it depends how paranoid you are :D I don't like sandboxing everything like the P2P
    If you use p2p try peerblock

    1. Use Comodo or OA

    2. Take a look at either of these 2: Comodo Time Machine (ShadowProtect (Paid)). They work in different ways but the purpose is the same

    3. I have no idea about sandboxie, I use Comodo sandbox for the browser sometimes that's all, OA has something similar called "run safe"
     
    Last edited by a moderator: Jun 2, 2011
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    I favor the policy of hardening the system, virtualization, and system image sandbox. Maybe some HIPS/BB mix works well!

    1 - Hardening, just have EMET. I personally only use the recommended settings, since the maximum configuration has some problems with Java. With it you have DEP, SEHOP, ASLR and easily configurable. I have no program directly applied to it, so I'll explain later ...

    2 - Virtualization, I am a happy user of Shadow Defender, which I leave in Shadow Mode 99.9% of the time, password protected it with everything back to normal, like almost all my applications are portable (and are stored in D:/) using Shadow Defender is irrelevant when it comes to keeping them updated. I got a key from him, but if you buy some kind of program, go Returnil or Deep Freeze.

    3 - Sandbox, the fact is that there is no better than the Sandboxie program in this area, with restrictions on startup, internet access, configuring it correctly, which takes time and patience you will have an almost foolproof protection, it really is excellent uses and I'm sure it's worth every penny!

    4 - Finally, and perhaps the main one is the image of the system, any problem you back in time, and fast and safe! In my opinion by far the best program I tested was the Keriver 1-Click Restore Pro, is simple, functional and enjoyable. Another good one is the Macrium Reflect, it is worth testing it.

    PS: If you really want an AV, stay with Avast! Free indeed!

    Stay there my tips!

    Sorry for my English!
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    good advice my friend good advice:thumb:
     
  12. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I don't think you can use Panda Cloud as a secondary engine.
     
  13. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    According to Panda itself, there may be incompatibilities (not advisable).
     
  14. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    So, one can come to the conclusion that if considering CIS, it's better to install all and then turn off the AV, so that there's one additional AV scanner on demand? There's obviously a question of detection rates of Comodo AV vs. (let's say) Avira, Avast, A-Squared etc.

    Apart from VT and Comodo CIMA are there any other on-line scanners worth mentioning?


    The thing is, that I'd rather have some apps isolated from system/other files and that's why I want to use SBIE.

    CTM - made a total mess on my PC one day, so now I am choosing between Returnil, Shadow Protect, Shadow Defender etc. - just need to carefully analyze and compare them.

    Thank you! All your suggestions are well noted!

    EDIT:
    Target configuration is slowly emerging:
    Hardening will be done by SRP + EMET.
    Main browsers will be FF and Chrome, both running in SBIE environments.
    Additionally Prevx SOL and/or TrafficLight.
    Avira free will stay, as well as Prevx, and I can't decide whether it makes sense to leave Immunet; no conflicts however for the time being.
    A-Squared, MBAM and SAS as on-demand and Sanity Check and Process Explorer, Process Hacker and FileMon as additional tools.
    I think I'll give Comodo HIPS another chance, what do you think?

    Thanks!
     
    Last edited: Jun 3, 2011
  15. guest

    guest Guest

    @Swordfish_

    If you are going to install Comodo anyway you don't lose anything installing the AV also and then deactivating it. (just some RAM xD)
    ShadowProtect is a backup tool
    ShadowDefender is a virtualization tool

    You may consider these others:
    http://www.urlvoid.com/
    http://valkyrie.comodo.com/ (still beta and will be added to the CIS cloud soon; gives many FPs since it's still not balanced with the rest of the cloud)
    http://www.virustotal.com/advanced.html (remember that there is an uploader for VT)

    I would not add Immunet if you already install Prevx Safe Online; also Prevx runs faster on the computer and adds the browser protection.
    I recommend you to try Comodo Internet Security again, especially if you tested it a long time ago; you will see that it has improved a lot.
    If you are going to use P2P you need to change a setting in the firewall (Alert me to incoming connections and make my ports stealth on a per-case basis) -> http://help.comodo.com/topic-72-1-206-1981-Stealth-Ports-Wizard.html
    Also change the preset to COMODO - Proactive Security http://help.comodo.com/topic-72-1-206-2051-comodo-preset-configurations.html
    You will not get almost any HIPS popups due to the whitelist; if you want popups try the paranoid mode, but as the name says you are going to end up paranoid xD
    Take a look at all the settings in Comodo, you may want to change something else, and if you have any question take a look at the help; it is very well explained
    http://help.comodo.com/topic-72-1-206-1951-Introduction-to-Comodo-Internet-Security.html

    I installed OA premium a week ago and I'm already missing Comodo xD I don't like the workflow of OA that much; also it is blocking my PeerBlock at the start although it is a trusted app
     
    Last edited by a moderator: Jun 3, 2011
  16. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    RAM is not a problem these days; thanks for pointing out the difference between the two products above. I don't need any advanced backup/imaging tool, just something that can make images, together with the MBR, and restore them. I think I'll try Keriver or Macrium free.

    Thanks.

    What I actually like in Immunet is that it has ClamAV engine which works offline (or at least they tell so). I strongly consider using Immunet plus Prevx instead of Prevx plus Avira, what do you think?

    Thanks, I did use port stealthing and custom rules before, looks like I'll have a closer look at new CIS.

    Yes, but the first thing I am going to do is to turn off Trusted Vendor Lists, because the reason behind adding HIPS to the above configuration (with Immunet, Prevx and/or Avira together with EMET/SBIE etc.) is to have control over some applications like A*dobe Updater and similar ones (the P2P client will be running in a separate SBIE sandbox with access to only two directories). EDIT: I wonder whether it wouldn't be easier to enforce policies through SRP...

    Honestly, I don't like the 'trusted apps' approach, ok - I do understand that there's a lot of people who will be mad because of the pop-ups, but honestly, one or two days and I have everything set up the way I like.

    Thanks!
     
  17. guest

    guest Guest

    The problem with Immunet Free is that it does not include the BitDefender engine, no? Just ClamAV and the Immunet engines.
    Immunet Plus includes BitDefender, do you have a license?

    I don't know which one can be better, Immunet Plus or Avira free, but if you still have to buy Immunet Plus I would look to buy another AV.
     
  18. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    Good point, however if I am going to pay for an app, this would rather be SBIE or virtualization software.

    One thing though, if I understand correctly - Immunet plus has Immunet, ClamAV and Bitdefender engines?
     
  19. guest

    guest Guest


    here: http://www.immunet.com/plus/compare/index.html

    Immunet Free does not include BitDefender, only ClamAV, and I would say that is not one of the best ones.
     
  20. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    That's right, but ClamAV is not the reason to install Immunet; the reason is that I just want to have additional cloud protection _with_ blocking, and it looks like Immunet has this. Anyway, any other cloud AV than Immunet and Prevx? Panda? Comodo?
     
  21. Matthijs5nl

    Matthijs5nl Guest

    Using system hardening (through EMET), backups and images for recovery and a DNS service with malware filtering functionality provides a great foundation for building your security setup on, combined with an up to date system and common sense of course; because those security measures don't have a performance penalty in them.
    However I don't think it serves any goal to have virtualization AND sandboxing AND intrusion prevention AND antivirus AND a secondary antivirus AND Prevx SafeOnline AND BitDefender TrafficLight AND second-opinion on-demand scanners. It is just pure paranoia.
     
    Last edited by a moderator: Jun 3, 2011
  22. guest

    guest Guest

    Yes, it's too much :D I think everybody passes through this period in his life, then we survive with a couple of tools and without AV

    Panda is a standalone AV; almost any AV on the market has cloud (Norton, KAV, ESET...) but they are not like Immunet or Prevx, they are not compatible with other AVs
     
    Last edited by a moderator: Jun 3, 2011
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    You could add Comodo Cleaning Essentials on-demand. I currently recommend Hitman Pro and Malwarebytes more though.
     