No such thing as 100%

Discussion in 'other anti-malware software' started by ssj100, Apr 12, 2009.

Thread Status:
Not open for further replies.
  1. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    IMO, it's like having another layer and it really doesn't take that long to scan. Plus it does make me feel a little better. I may "trust" the source but people make mistakes or can be slow to fix a security problem and a site can get compromised.

    I guess I should have not used the word trust but couldn't think of a better word. While nothing is 100%, I still do not trust anything 100%. It's just my method of keeping them honest and me safe.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Agree 100% with your comment, a deny-default is the way to go to say to malware: access denied :thumb:
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I assume you mean remote code execution (drive-by) exploits. Hence, I will argue that a router/firewall and browser properly configured to Default-Deny are all you need to secure against these exploits.

    ----
    rich
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I mean anything the user might encounter on the web or from web sources, including social engineering tricks.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    And scanners can miss a new exploit whose signature or behavior has not been established.

    I'm arguing for argument's sake and not wanting you to change your method -- just pointing out that choosing to download something puts the user in her/his most vulnerable state, since neither of the two methods is foolproof!

    Your statement about "feeling a little better" is all that is important. We all do it and there is nothing wrong with that!

    ----
    rich
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    By social engineering, do you mean the user is tricked into installing something? Once a user decides to install something, aren't Administrative privileges granted, as in this case with the Mac DNS changer exploit a while back:

    DNS changer Trojan for Mac (!) in the wild
    http://isc.sans.org/diary.html?storyid=3595
    In this case, the Default-Deny has to be a user decision, don't you think?

    ----
    rich
     
    Last edited: Apr 13, 2009
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Please note, as in the above example with a MAC, that no Operating System is immune from infection by malware when the user grants Installation/Administrative/Root permission.

    ----
    rich
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This is addressed in the very first step of creating your security policy, defining the role(s) of the computer and the limitations of each role. Mine for instance is a platform for
    1. accessing and saving information from the net
    2. working with and saving locally produced data
    3. electronic communication, IM, e-mail, etc
    4. audio storage and playback
    Gaming is limited to a couple of locally stored games and stuff like Yahoo games.
    Yes, I consider social engineering to be user deception. I also consider all installing to be administrator functions that aren't available to users. On my PCs, what is and is not allowed to run are administrator choices. A user can't launch any executable that I haven't approved of. If for instance I had kids that wanted a certain game on the PC, they'd have to ask me to install it. I'd run the game through online AV scans first, then I'd monitor/record the install process and first launch on a testrig and evaluate its behavior. If I determined it to be trustworthy, I'd make a full system backup before installing the game on the home PC. After that, the firewall, HIPS, etc would be configured to allow the game only the access it needs to function. This policy is enforced for everyone, including myself. I don't run in an "administrative mode". During normal operation, I run as a user.

    It takes some time to set up, but each user account/profile is set up to match that user's needs. All the apps and tools they need for the tasks they want to perform are allowed, but I specified what specific apps will be used for those tasks, how the apps will handle different types of files, and where they can be opened. Example, they can browse anywhere on the web they want, but it will be with either SeaMonkey or K-Meleon and that web content will be filtered by Proxomitron.

    Most likely, this is where my definitions of administrator, user, and default-deny differ from others.
     
  9. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Very true and I understood this very well when I went searching for malware and uploaded them to VirusTotal and Jotti. Less than 50% detected the 2 samples and 1 out of 2 of my anti-malwares missed them. It was a wake up call to me. I've thought about "self quarantining" a downloaded file for a week to give time for detections but I don't think that's necessary for "trusted" apps. Plus it would border on being paranoid.

    I figured you were and I agree (after reading many of your posts) that installing something new is risky. Since I can't analyze potential malware, scanning is the next best thing.

    :thumb: It's really good to find something that works for your habits. I don't do too many risky things and when I do Returnil's Session Lock is working. Sandboxie isolates my internet facing apps and won't allow any other apps to start in the sandbox and it blocks anything running in the sandbox from accessing my data partition. Online Armor alerts if anything weird starts up and hopefully protects outbounds. I'm sitting behind a router and Avira is baby sitting my potential mistakes. In all honesty, I could get by with a firewall, a few system/port tweaks, Sandboxie and discipline.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    No argument here!

    ----
    rich
     
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    My setup, which makes my system 100%, is that I have 4 basic security layers.

    1st layer: "Filtering", with most ports closed with the firewall, and also all inbound traffic filtered with Ad Muncher and FF NoScript.

    2nd layer: "Sandboxie". Anything which happens to get past my first layer, which is "Filtering", ends up trapped inside Sandboxie.

    3rd layer: "HIPS". Anything which happens to get past inbound Filtering and Sandboxie, which at this point is highly unlikely, my HIPS will block.
    Anti Executable or EQS.

    4th layer: "Returnil". Anything which gets past my first 3 layers, which at this point is almost impossible, a simple restart with Returnil solves the problem.

    So there you are, a 100 percent proof setup.

    I have surfed thru millions of malware infested sites and am yet to find anything which can get past my second layer.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It works for me on my PC and on those I maintain for others. IMO, a lot of people approach PC security from the wrong direction. They start with wanting to choose the best security software, but they overlook the fact that how they use that PC is one of the most important factors in making that decision. The next most important factor (besides compatibility with the OS and installed software) is how compatible that software is with their level of knowledge and skill. A classic HIPS that enables the user to specify parent-child dependencies or control low level access and global hooks is not a good choice for a user who doesn't know what those things are. A user who doesn't understand the format used by IP addresses isn't going to configure a rule based firewall effectively.

    A very large percentage of a security policy or strategy is not implemented on security software. It's achieved by configuring the individual applications and the OS itself. A lot of it is attention to detail and deciding beforehand how different types of files, media, links, etc will be handled, what the applications that handle that content are/are not allowed to do, etc.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    arran,
    I wouldn't define the "security layers" in the same specific manner, but our software choices are similar. I regard the firewall's role as traffic/internet access control. Whenever possible, I close ports by system configuration in addition to firewall blocking rules. The reasoning behind these 2 layers of blocking is in case one fails. If something managed to restart a service that opened a port, the firewall still has it blocked. If something manages to successfully kill the firewall or it fails for some other reason, there are still no open ports to access. Like you, I consider the firewall to be the first layer of defense on the PC itself, with the hardware firewall considered as home network defense.

    For content filtering, I opted for Proxomitron. It works with all browsers and many other internet applications. The firewall prevents the browsers and some other apps from connecting out directly, forcing them to connect through Proxomitron. If someone or something tries to access the web directly via the browser (changed settings or exploit code), that access is blocked.

    SandBoxie is fairly new on my system. I view it as an isolation layer for the attack surface (apps with internet access and those that open content from outside sources). At present, I'm running a permanent sandbox but still exploring the possibilities.

    I also run HIPS. On this PC, it's SSM. As far as the security apps themselves go, I consider it the core of my package. In my security policy, it's a policy enforcement tool. In addition to enforcing the application whitelist, it also enforces user permissions and system access.

    Instead of Returnil, I have Acronis images of each OS. Before I install anything, I make a new backup. The PC has all the software I need and I'm satisfied with the apps I'm using, so there isn't much installing. Except for a couple of applications that conflicted with other apps on my system, I've never had to use them. Most of the Acronis usage is for switching between test systems and setups I use for projects and experimenting.
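The "two layers of blocking" idea in the post above (a port closed by configuration so nothing listens on it, and the same port dropped by a firewall rule, so that either layer failing still leaves it unreachable) can be checked mechanically. The script below is an added example, not code from the post and not tied to any product named in the thread: it reads a listener list and an INPUT chain and reports, per port, which of the two layers is actually holding. The socket list and rule set are constructed sample text in the shape of `ss -tlnH` and `iptables-save` output so the script runs offline; on a real host you would feed it the live output of those two commands instead.

```python
"""Cross-check listening TCP sockets against host-firewall INPUT rules.

Added illustration, not the poster's code. The socket list and rule set are
constructed samples in the shape of `ss -tlnH` and `iptables-save` output.
"""
import re

# Constructed sample: four listeners, one of them bound to loopback only.
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=611,fd=3))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=702,fd=7))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=933,fd=31))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=611,fd=4))
"""

# Constructed sample INPUT chain, in the first-match order iptables evaluates it.
RULES_SAMPLE = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -j DROP
"""


def _opt(pattern, line):
    m = re.search(pattern, line)
    return m.group(1) if m else None


def parse_listeners(ss_text):
    """Return (address, port) for each LISTEN line; brackets stripped from IPv6."""
    out = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        out.append((addr.strip("[]"), int(port)))
    return out


def parse_rules(rules_text):
    """Extract the fields that decide a NEW inbound connection from each -A INPUT line."""
    rules = []
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        rules.append({
            "iface": _opt(r"\s-i\s+(\S+)", line),
            "proto": _opt(r"\s-p\s+(\w+)", line),
            "dport": _opt(r"--dport\s+(\d+)", line),
            "src": _opt(r"\s-s\s+(\S+)", line),
            "state": _opt(r"--ctstate\s+(\S+)", line),
            "target": _opt(r"\s-j\s+(\w+)", line),
        })
    return rules


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def verdict(rules, port, proto="tcp"):
    """First-match walk for a NEW connection to `port` from a remote host."""
    allowed_from = []
    for r in rules:
        if r["iface"] == "lo" or r["state"]:      # loopback / conntrack rules never match
            continue
        if r["proto"] not in (None, proto) or r["dport"] not in (None, str(port)):
            continue
        if r["src"]:                               # source-restricted: note it, keep walking
            if r["target"] == "ACCEPT":
                allowed_from.append(r["src"])
            continue
        if r["target"] == "ACCEPT":
            return "OPEN to any host"
        if r["target"] in ("DROP", "REJECT"):
            how = "explicit rule" if r["dport"] else "catch-all rule"
            extra = ", open to " + ",".join(allowed_from) if allowed_from else ""
            return f"listening but blocked by {how} (firewall layer only){extra}"
    return "no matching rule (chain policy decides)"


def audit(ss_text, rules_text):
    """Map each port to a statement of which of the two layers is holding."""
    rules = parse_rules(rules_text)
    listeners = parse_listeners(ss_text)
    report = {}
    for addr, port in listeners:
        if is_loopback(addr):
            report.setdefault(port, "loopback only (closed by configuration)")
        else:
            report[port] = verdict(rules, port)
    listening_ports = {p for _, p in listeners}
    for r in rules:   # explicit drop for a port nothing listens on: both layers in place
        if r["dport"] and r["target"] in ("DROP", "REJECT") and int(r["dport"]) not in listening_ports:
            report[int(r["dport"])] = "closed AND blocked (both layers)"
    return report


if __name__ == "__main__":
    for port, status in sorted(audit(SS_SAMPLE, RULES_SAMPLE).items()):
        print(f"{port:>5}  {status}")
```

In the constructed sample, port 445 is the case the post describes: a service has (re)opened the port, and only the firewall rule is still holding it. Port 139 shows both layers in place, and 631 is closed to the network by configuration alone. The walk only models new connections to the INPUT chain; `-m conntrack` and `-i lo` rules are skipped deliberately, and rules on other chains or tables are not considered.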
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    How new software and software installing is handled should be spelled out in your security policy. This is mine.
    1. Upload file to as many online scanners as possible. Scan with all locally available tools.
    2. Disconnect all external drives and storage devices not needed for the game/application to be installed.
    3. Make a full system backup or image, preferably on an external device or media. Then disconnect or remove that device/media. A full system backup is more than just defense against malicious code. There's always a chance that a new install will conflict with something else on your system. Incompatibilities don't always show up right away.
    4. Take a system snapshot with an install monitoring program like Inctrl5. If the installer is an executable, let Inctrl5 launch it. If it's a zip file or MSI, use the 2 stage mode and launch the installer manually.
    5. Leave all security software running throughout the install process, especially firewalls and HIPS, even if the installer wants you to shut them off. READ EACH PROMPT! The HIPS will alert you to any new processes, services, autostart entries, etc. Yes, it's a pain but you only have to do this once for an install. It's worth it if your PC's integrity is important to you.
    6. When the install process is done, including a reboot if one is needed, run the install monitor again. The results will list every new file, folder, and registry entry made by the new software.
    7. Take another system snapshot with the install monitor before starting the new software for the first time.
    8. Launch the software/game and try it out. Depending on the type of app/game, investigate all outbound connections reported by your firewall. Are they necessary for the software/game to function? Where are they going?
    9. Shut the new software down and finish the 2nd run of the install monitor. This will alert you to any new files the software downloaded and installed. If there are additions, scan them locally and with online tools. This will catch the majority of malicious code the software might try to slip in afterwards. If the new files include executables, don't allow them to execute before scanning them.
    No, this isn't 100% foolproof, but it's as close as you'll get. If you have a test PC available, perform the install there first using the same method. Over the last 5 years, I've performed somewhere around 500 separate installs on the normal 3 operating systems I have. This doesn't count test systems. I'd estimate that I've used the backup images less than 20 times total. Most of the time it was because I was dissatisfied with the new software. A few times, maybe 6 or so, the backup images were needed to fix conflicts with existing software. I've never had to use a backup because of malicious code. The very few times the new app contained malicious or undesirable code, it was discovered earlier in the process. Installing and updating software is when your PC is the most vulnerable. That's the time when all your defenses should be on and all the precautions possible should be taken.
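The before/after snapshot steps in the procedure above (4, 6, 7 and 9) amount to hashing the tree, letting the program run, hashing again and diffing. The script below is an added example of that comparison, written for this page; it is not Inctrl5 and not the poster's code. It covers the filesystem only (no registry), hashes every regular file with SHA-256, and singles out new or changed files with executable extensions whose hashes you would submit to the online scanners in steps 1 and 9 before letting them run. The extension list is an assumption, and the demo builds a constructed fake install tree in a temporary directory so it runs offline.

```python
"""Filesystem-only install monitor: snapshot before, snapshot after, diff.

Added illustration of the snapshot/compare steps in the install procedure
above. Not Inctrl5 and not the poster's code: files only, no registry.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed list of extensions worth scanning before they are allowed to run.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".msi",
                       ".ps1", ".bat", ".cmd", ".vbs", ".js"}


def file_digest(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():   # skip links, sockets, devices
                continue
            result[p.relative_to(root).as_posix()] = file_digest(p)
    return result


def diff_snapshots(before, after):
    """Added / removed / modified relative paths, each list sorted."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def executables_to_scan(diff, after):
    """New or changed files with executable extensions, with hashes for scanner lookups."""
    return {p: after[p] for p in diff["added"] + diff["modified"]
            if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES}


def demo():
    """Constructed scenario: install, then a first run that patches itself and drops a DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "Program Files" / "Game"
        app.mkdir(parents=True)
        (app / "game.exe").write_bytes(b"MZ original build")
        (root / "config.ini").write_text("lang=en\n")
        before = snapshot(root)                      # step 7: snapshot before first launch

        (app / "game.exe").write_bytes(b"MZ self-updated build")     # step 8: first run
        (app / "updater.dll").write_bytes(b"MZ downloaded component")
        (root / "readme.txt").write_text("thanks for playing\n")

        after = snapshot(root)                       # step 9: second run of the monitor
        diff = diff_snapshots(before, after)
        return diff, executables_to_scan(diff, after)


if __name__ == "__main__":
    diff, to_scan = demo()
    for kind in ("added", "removed", "modified"):
        print(f"{kind}: {diff[kind]}")
    for path, digest in to_scan.items():
        print(f"scan before allowing to run: {path}  sha256={digest}")
```

Pointing `snapshot()` at a whole system drive is slow because it reads every file; the procedure's advice to separate OS and applications from data keeps the tree small. A changed hash on an existing executable after the first run (the self-update in the demo) deserves the same scrutiny as a newly dropped one.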
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On paper, it looks like a lot of hassle but it's actually not as bad as it looks. The install monitor runs pretty quick. The online scans can check a file while you do something else. The most time consuming parts would be making the system backup and reading the prompts from the security apps, especially if the install is big. If the user has taken the time to separate the system (OS and applications) from the data files (user docs, pictures, etc), system backups go fast too. If the user has a backup schedule already in place, this part is done.

    The biggest problem with modern malware is that "all hell" rarely breaks loose. There's usually nothing to indicate that the system has been compromised. Several years back, malware was very much "in your face," often obvious but hard to remove. Now it hides very well and its function is much more devious and potentially much more expensive. Even though a user might feel that it's too time consuming or too much hassle to follow such a procedure, the time costs will be much higher if the system does become infected, and the user will have no choice but to give it that time, restore the system (assuming they have a recent backup), or start over completely, which takes a lot of time. One way or another, a PC will get that time from you. In the long run, your option is deciding whose choice it is when that will be, yours or the PC's.
     
  16. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    More like 50% security software, 50% common sense.

    Security software is useless if the user is a click-happy surfer who visits dodgy sites and answers "Yes" to all alerts and does not know how to configure a hardware/software firewall properly.
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Yes, agree, that's why I set a default-deny with my HIPS (Malware Defender) and password protected ;)
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I personally think everyone should simply use the layered approach they feel secure with. If it's proved vulnerable, they just add something that they think suits them. That, and use of as much common sense as needed. :p
     
  19. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Why sandbox starcraft.exe? Don't you trust it even if it runs with admin privileges?

    /C.
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Then install as untrusted/sandboxed.
     
  21. wat0114

    wat0114 Guest

    But you have to be careful, there's all kinds of super stealth malware that can detect it's in a VM, leap out of the virtual environment into the host and infect it instead :ninja: :D
     
  22. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Well that super stealth malware will be leaping outta the frypan into the fire as the real system is virtualised as well. ;)
     
  23. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Then, include a lite virtualiser in RAM cache mode. You will be surprised how fast and responsive your system is. As they say RAM is always faster than the spinning drive.

    Then, you'll end up running a virtual machine running in a sandboxed environment under a virtual RAM system. he he
     
  24. demonon

    demonon Guest

    What do you think a VM does?:rolleyes:
     
  25. wat0114

    wat0114 Guest

    Of course, I'm only kidding ;) Actually, I'll sandbox my VM only if I see evidence of guest-to-host-jumping malware. Currently, I'm using Malware Defender on the VM, and Outpost on the host to monitor activity. I have a problem in that I can't stick too long with one favorite security product :D :p
     