Please advise

Discussion in 'other anti-malware software' started by Newby, Jan 12, 2007.

Thread Status:
Not open for further replies.
  1. Newby (Registered Member)

    I saw a security outline here in Wilders (to see whether all things are covered, no redundancy). Tried the free programs mentioned. Had some startup issues with SensiveGuard and SSM (answering the pop-ups during training).

    I surf with Firefox. I do not use P2P or chat programs. Surfing habit is information gathering, tracking items of interest (hobbies, travel etc).

    I have 1 GB RAM, still 759 MB left free, browsing is fast (but that is difficult to compare with my old PC).

    Do I need more (I do not have a black list on all areas) or less?

    (according to ICE CZAR I do not need anti-spy apps when using a sandbox)

    Last edited: Jan 13, 2007
  2. Pedro (Registered Member)

    Hi there,
    Don't take me too seriously, but why do you use SSM if you're a newbie, as you name yourself? SSM is good if you want to play with security apps, and you can learn with it, like what runs on Windows, what services do what, etc., but you disconnected the UI. :doubt:
    A sandbox will isolate whatever is in it. Only if you download (I'm sure you do), then you'd need to scan the files. My sig. has a link for AS's.
  3. Newby (Registered Member)

    Hi Someone

    Your questions/remarks

    1. SSM = HIPS for the security educated

    Well, sometimes you do not have to know things, but just follow the discussions on a security board to think out a workaround.

    I read some posts of MUF and dja2K in a discussion of CyberHawk versus SSM.
    What I understood was that SSM controls more things, is difficult to set up, but also has a learning option, so I figured: let's install CyberHawk and put the learning option of SSM on for a month. In the meantime CyberHawk will protect me against the most terrible things (it only signals strange behavior). After this month I turned off the learning mode, uninstalled CyberHawk and disconnected the user interface like (I think) Herbalist advised in one of the forum discussions.


    2. Needing to check downloaded files for spyware.
    From what I understood (from Aigle), GeSWall tags the downloaded files. So it can not modify the vulnerable files of XP. Also (Trjam) showed a link to a test site of AntiSpyware apps which showed very disappointing results. These results made me understand the rather explicit opinion of ICE CZAR (AS have no use with a sandbox).


    I looked for the references in your signature and downloaded the antispyware Ad-Aware, Spybot and SuperAntiSpyware. They only found some very low threat rated MRU references. I checked out what MRU meant in normal English (Most Recent Used). So I ran CCleaner and ran the scans again. Now they found nothing.

    For a newby it is difficult to understand your setups. I get the impression that there are three main streams on this forum:
    A) A bunch who prefer an AV + FW + several AS
    B) People believing that an AV + FW + HIPS (classical or sandbox) is sufficient
    C) A minority using Hardware FW + AV + Classical HIPS + Sandbox

    Then I saw this outline (the clip in my first mail), which made me understand a little what you folks call a multi-layered security setup. Then I decided to find a freeware single-purpose app for every layer (or, to be honest, copy the setup more or less).

    I have no idea how to interpret your preferences, so I will do the following. I will scan at weekly intervals my PC with AS, when they keep on finding nothing I will scan at monthly intervals (after all when I am not feeling ill, I won't see a doctor every week to check me up).

    Thanks
    Last edited: Jan 12, 2007
  4. Pedro (Registered Member)

    I think you got it. From here on it's just opinions. Some more relevant than others, of course.

    Note that GeSWall just prevents malware (downloaded from untrusted...) from doing harm (a good discussion can arise here lol). It will still be there. It's based on policies, using the MMC (Microsoft Management Console) to tag and protect you.
    Sandboxie will drop everything from a session. It will depend on your preferences.

    Your tactic on the SSM is good I guess. You just have to check what the free version doesn't cover. (but you pretty much know what I know, maybe more lol)
    Eventually I uninstalled SSM. Me no like no more! :gack:

    About the main streams: sometimes it looks that way, but it's too simplistic to think like that. There are a lot of approaches here! Some don't use anything more than a firewall!! Not for you and me, but they'll probably be fine! (knowledge is power etc.)

    Something I didn't cover? What the heck, I'll let somebody who knows better answer you!

    CHEERS

    edit: the SSM approach would work IF your PC was clean, otherwise SSM learned malware in action lol. With CH I don't know if that makes a difference, I never tried it.
  5. Ilya Rabinovich (Developer)

    That is the anti-virus analyst's job. The usual user won't be able to determine if software contains malware or not.
  6. Newby (Registered Member)

    Someone,

    I am sure you know more about it :)

    I like SSM with the UI disconnected, because it does not throw pop-ups, it simply stops it. After the month training period I did not get pop-ups. I am not into trying software, so this rigid protection is okay.

    I used this installation on my new PC. Now I do not understand CB, but the reviews on this forum were quite positive. CB only threw one pop-up.
    I googled before choosing Allow or Block. So it was on a fresh install (I had downloaded the security software before I installed XP on the new machine).
  7. Newby (Registered Member)

    Ilya, do you mean you agree with ICE that AntiSpyware on-demand scans are useless (they do not seem to find anything)?
  8. Newby (Registered Member)

    Thanks for the reply. I must say that I have looked at the web site of SandboxIE and it was one of the few sites which could explain something with clear pictures. I downloaded Sandboxie, it installed correctly, but it did not seem to do anything (this was on my old PC, which was going to be given away).

    When I started Firefox I did not get the (I can not remember which) symbols in Firefox which indicated SandboxIE was working. Then I read a post that file virtualisation sandboxes are not transparent, because the user has to know in which zone (lost zone o_O) the applications and files are.

    Also I read that even an experienced user like EASTER had thrown away some files when using Shadowsurfer (or Sandboxie, I can not recall), so I decided this type of app was over my head.

    Thanks for attending me on SandboxIE

    Edit: when typing this post, I just wondered maybe SandboxIE is only intended for IE (Sandbox IE?)
    Last edited: Jan 12, 2007
  9. Pedro (Registered Member)

    SandboxIE was built for IE, but it's more comprehensive now. It will work on any browser I think.

    The symbols would be # Firefox #; if they don't appear, it's not sandboxed. You have to run FF from the Sandboxie console or right-click on FF and choose there. Note that I never used SandboxIE, but I read a lot about it. I think it's one of the best.

    The thing is, if you want to keep some files, you have to know where to look (in the virtualised area or whatever) to retrieve them.

    If you're in the mood for testing, one app that you might want to try is Defense Wall, whose author has answered here, Ilya Rabinovich :) . His concept is closer to what I want in a sandbox, because DW will act like (kind of) GeSWall and has the option to erase the session. I'm not sure how it would do this. I haven't tried it, and I must!

    By the way, for Firefox, a great extension: NoScript.
    Have you tried Opera?
  10. EASTER.2010 (Guest)

    Shadowsurfer for my units running XP Pro has done a fairly bang-up job of keeping any single "Shadow" session thoroughly & fully in check, then dumping that session completely, and is why I prefer it over the more expected ShadowUser. I found no holes for malware to sneak in since using it. If I research either locally or especially when going to a virii/malware dropping website URL, I simply extract the file I want in the old-fashioned manner of CUT/PASTE into and onto my UNSHADOWED/UNPROTECTED other hard drive volume that houses Windows 98SE. Works flawlessly for my intentions and without issue.

    Newby
    Was your experience with SensiveGuard and SSM related only to excessive popups? prompts only?, and if so which one?
    Other than that I am curious about SensiveGuard myself and looking for some suggestions based on experience on just how well it can perform.

    Thanks
  11. Ilya Rabinovich (Developer)

    Yes, I believe that AS scanners have a very low detection rate (>40%) and, thus, are almost useless. The only great thing that AS may give you: an advanced toolkit for manual malware removal. Personally, I like AVZ.

    But the point is slightly different. For example, you downloaded software and it installs a BHO. Will you be able to determine if this BHO is malicious or not? Maybe it is just a part of the installation package? Or it is Adware/Spyware integrated into it? Only a professional with high experience may do this by analyzing its code and behaviour. So, if you are not sure about software you've downloaded and want to make sure there is nothing malicious there, call your anti-virus vendor's analysts; it is, obviously, their job!
  12. Newby (Registered Member)

    Would not SSM warn about the start up, besides I have Sensitive Guard warning me when the following files are changed/added/etc in C:\

    *.exe, *.com, *.dll, *.lib, *.cmd, *.ini, *.scr, *.sys, *.vxd, *.hta

    I do not know a **** about what this protects against (just looked at the Anti-Executable website and saw what it protected against and added them in the warn list). Also I understood (but then again I don't know for sure) that Firefox uses Java and Internet Explorer uses BHO/ActiveX, so browsing with Firefox should be safer.

    Also (thanks Someone) I looked up in Google what NoScript implied. But I do not want reduced functionality. Good thing the reference you gave me also had a program called Script Defender. I downloaded this and installed it.
    Now I think, as a newby, that Script Defender will warn when a script executes.

    Thanks (I think I learned)
    Last edited: Jan 13, 2007
  13. Newby (Registered Member)

    Sensitive Guard warns when any file on my D (data) drive is read when not initiated by user activity, the same when one of the (*.exe, *.com, *.dll, *.lib, *.cmd, *.ini, *.scr, *.sys, *.vxd, *.hta) files is changed/deleted/created on my C drive (programs).

    As a newby I had to choose which setting of Sensitive Guard to change from warn to deny when there is no user-initiated action (Firefox).

    As for the pop-ups: SSM was driving me crazy before I discovered the learn mode. Sensitive Guard starts to get quiet after 5 log-ins/log-outs and after browsing, say, an evening or so.

    Had no trouble. CyberHawk only once gave a pop-up together with SSM and Sensitive Guard; I looked it up (it was the update service of Antivir).

    Regards
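The watch-list rule described in the two posts above (files with those extensions created, changed or deleted on the C: drive) can also be checked after the fact by hashing a baseline and diffing it later. This is an added example, not code from the thread or from Sensitive Guard; it builds a constructed directory tree in a temporary folder to stand in for C:, and the file names in it are made up.

```python
import hashlib
import tempfile
from pathlib import Path

# Extension watch list exactly as posted in the thread.
WATCHED_EXTS = {".exe", ".com", ".dll", ".lib", ".cmd",
                ".ini", ".scr", ".sys", ".vxd", ".hta"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root) -> dict:
    """Map relative path -> sha256 for every watched-extension file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in WATCHED_EXTS}


def diff_baselines(old: dict, new: dict) -> dict:
    """Report the three events the thread's rule is about: created, changed, deleted."""
    return {
        "created": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario (not real data): baseline a stand-in for C:, then make
    the kind of changes an installer would make, and diff. The .txt edit must not
    show up, because .txt is not on the watch list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows" / "kernel.dll").write_bytes(b"original dll bytes")
        (root / "Windows" / "setup.cmd").write_text("echo hi")
        (root / "notes.txt").write_text("not watched")
        before = baseline(root)
        (root / "Windows" / "kernel.dll").write_bytes(b"patched dll bytes")
        (root / "Windows" / "setup.cmd").unlink()
        (root / "Windows" / "saver.scr").write_bytes(b"new screensaver")
        (root / "notes.txt").write_text("edited, still not watched")
        return diff_baselines(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

Running `baseline()` against a real drive before and after an install gives the same created/changed/deleted report the real-time warnings would have shown, which is useful when you did not trust the pop-ups at the time.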
  14. Ilya Rabinovich (Developer)

    I'm sorry, but you are wrong. FF has plugins and extensions too. They just install and work in another way than ActiveX/BHO.
  15. Chuck57 (Registered Member)

    Sandboxie will sandbox everything on your PC if you want it to with a right click and select run sandboxed. I use Internet Explorer 6, since Firefox for some reason doesn't run well on this computer.

    I've used Sandboxie, but now run BufferZone free which will do almost the same as Sandboxie.

    DefenseWall is an awesome program and well worth the very reasonable price for rock solid protection. I've also run it and may end up finally settling on it over the others.

    I think any of the above, Sandboxie (shareware but will keep running after the 30 days with I think minor limitations), Bufferzone free, and DefenseWall are well worth checking out. With a good antivirus only, I think any of the above are enough for solid protection.

    I know Ilya beat BufferZone once. Don't know about Sandboxie, and I don't know if BufferZone has made changes since he embarrassed them or if anyone else has accomplished that feat.
  16. Pedro (Registered Member)

    Thanks for the correction Chuck57.
    Difference between free and registered:

    "Which features are unlocked in the registered version?

    In the registered version, Sandboxie can be configured to issue a warning SBOX1118 whenever a particular program is launched outside the sandbox.

    You can also configure Sandboxie to automatically sandbox particular programs, even when they are not launched explicitly through Sandboxie.

    Since version 2.47, registered users can run sandboxed programs in any number of sandboxes at the same time, while non-registered users can run sandboxed programs in only one sandbox at a time. "

    Newby: Where did you get Script Defender from my references? o_O
    I don't know Script Defender, although I checked it out now. Seems ok.
    NoScript doesn't mean reduced functionality. If you trust the site, allow for this site; you'll never have problems with the site. Or allow temporarily if you just want to check it out. Remember, as an experienced member once said (not me), you don't want malware sites to work! (functionality).
  17. egghead (Registered Member)

    What is its full name o_O?
  18. lucas1985 (Retired Moderator)

    Check here
    Download the avz4en.zip (English version)
    Use it with caution.
  19. herbalist (Guest)

    Newby,
    SSM will alert to new startup entries, assuming that you have the modules enabled. It will not tell you if the entry is from a legitimate app or malware. A good place to start looking for info on new startup entries is Sysinfo.
    New startup entries are not unusual during an install, but they should be checked into, especially if the type of software shouldn't need to autostart.
    The learning mode on SSM should only be used on systems that you're certain are clean, not just scanned with an AV, which probably won't find a rootkit and may not alert to most adware. Thoroughly checked with every available tool, online and locally installed. Learning mode can be dangerous.

    The "IExplorer" module in SSM will alert to new BHOs. BHO's are not always malicious. Adobe Acrobat reader adds one. So do many download managers. Firefox might be safer "as installed" compared to IE6, which is horribly configured and needs its settings tightened. The difference is much less than it used to be. Now that FF is getting popular, it's being targeted more. Extensions are being used with FF like BHOs are for IE6, a means to deliver malware to users who aren't careful.

    No-Script is a good addition to FF. While there is some overlap in function between Script Defender and the No-Script extension, one doesn't replace the other. No-Script works strictly with the browser while Script Defender works on an operating system level. Script Sentry is another system-wide script defender that works well. Both of these work by association, becoming the default application for files with script extensions, which allows you to examine the file before allowing it to run or blocking it. Script Sentry maintains its file associations a little better than Script Defender by checking and reclaiming them at bootup. Either one will work with No-Script. If you're adventurous, look into Proxomitron. It can do everything No-Script does and much more, plus it works with all browsers.
    Rick
  20. egghead (Registered Member)

    Thanks :D
  21. lucas1985 (Retired Moderator)

    You're welcome :)
  22. herbalist (Guest)

    Ilya,
    I can see why you like AVZ. Powerful, yet unbloated, no excessive use of the registry, no wasteful autostart processes. That's how software should be written.
    Now if I can figure out how to integrate it into SSM and a few other apps for automatic file scanning, I'll be quite happy.
    Rick
  23. Ilya Rabinovich (Developer)

    It is, mostly, not for automatic file scanning, it is for careful manual malware removal. This tool is "from profy to profy". Also, it allows executing clean-up scripts built by the professional helpers. File scanning is just a secondary tool for me.