Protection against malware without AV

My current configuration...
Anti-Virus: GData AntiVirus 2009
Anti-Malware: ASquared Anto-Malware
Firewall: Comodo Firewall
Browser: Firefox with NoScript

I am looking for a another program, maybe two, to protect my system should the antivirus miss a 0day threat. I have tried ThreatFire, Pervx Edge 3, DefenseWall, and DriveSentry.

I disabled GData / ASquared and downloaded a 4 trojans and worms to test these applications. Out of 4 malware threats ThreatFire (set on max) detected one worm which was trying to inject code into Kernel32. Pervx detected 3 files. DriveSentry picked up all the threats on execute. I'm not sure if DefenseWall worked at all, it didn't seem to do anything, but did allow all the malware threats to execute and install into the system.

Am I right in saying that Prevx EDGE 3 is only a malware scanner based on a online database?
What exactly does DefenseWall do?
Finally which applications should I use to compliment my antivirus program?

Thanks for the heads up!

 

Welcome to Wilders.Your thread title is a bit misleading in terms of what you are asking.

I personally think that GData is enough along with Comodo and Firefox. You should learn how to effectively use DefenseWall -a sandbox HIPS- (I haven't heard one single complaint about it, although I don't use it myself) or try alternatives: Sandboxie (sandboxes your browser), Returnil (virtualizes your HD, it has a free version as well), Shadow Defender (another virtualizer, my choice).

Using a sandbox/virtualizer makes redundant any antimalware type of program like ASquared (IMO of course). If I were you I would make my first priority adding an imaging program that works to your system (which means backing up your system and trying to restore it).

 

Well you are going to get allot of different anwsers so here it goes!

I use NOD32 with Prevx Edge is all you need and use SUPERAnti-Spyware Free and Malwarebytes' Anti-Malware Free for weekly scans and WinPatrol Free is also good for changes made to your system!

And Comodo is a very good Free Firewall if you want to try another good one go with Online Armor Free or paid version!

In the end it will be up to you what you want to use!

TH

 

You're setup is fine, so you don't really need to add any other realtime protection.
Although you mentioned you used Threatfire and Prevx Edge.
I suggest you use any one of those as an additional layer of defense. It will compliment your current setup.
Though DriveSentry can cause a conflict with your primary AV (G-Data). Running 2 or more AVs simultaneously in realtime is NOT recommended.

You can also try using a variety of virtualization/sandbox programs.
Like previously mentioned by Osaban, you can try using Sandbox (sandboxes your default browser). Also add HD virtualization like Windows SteadyState, Returnil, or Shadow Protect, and you're good to go.

 

It's a policy-based sandboxing-style behaviour blocker that limits file, registry and system resources access for untrusted processes.

 

cool

 

I installed defensewall using the administrator account, but use a limited user for daily surfing.

Some malicious programs insist on running as administrator, when they do defensewall does not stop them infecting the system even as untrusted processes.

Any ideas?

 

that is very strange cause as now i dont know any malware that can bypass defensewall when malware is run untrusted is put to jail

 

I have a laptop with XPAntiVirus2009 which is keen to tell me I have 17 trojans and insists on $49 to fix them. Of course Defensewall should have "jailed" it, but its in the program files and registry.

 

It is rogue software. DefenseWall offers you Rollback function from Files and registry traces. So if you know how you can easily removed them from your disk. But you don't have to. Just click on the Stop Atack button in DW or restart your computer - all these files which rogue software installed to your computer do not have any rights to do mess in your system.

 

Did you get XPAntiVirus2009 before or afer you installed DefenseWall?

 

XPAntiVirus2009 is a malware itself. Do you really trust everything what is written (or told on TV, doesn't matter)?

 

Following up on Iyla's post, Just because a malware is on the HD or Registry does NOT mean it's executed.

This is how Comodo's Defense+ HIPS work. Defense+ stops malware from "executing", People get confused and say "Well hey, it's in my program folders" but Defense+ STOPPED it from executing, There is a difference. Execution is the key here.

Not sure how DefenseWall works though, But backing up Ilya's statement.

All in all. You need a layered security architecture with Prevention (Whether it would be DefenseWall or Comodo Defense+) as your first line of defense, and an AV comes 2nd as detection.

Cheers,
Josh

 

Totally agree.
1. prevention
2. detection
3. cure (i.e. backup software)

 

If it's operative(spamming false positives) it is allready executed.

 

now he has to get the fileassassin(mbam)to get rid of this litle bugger "Ditto"

 

Defense+, as far as I can tell, won't stop malware from executing. The user will.
Unless, a newest version automatically blocks known malicious software. Is that it?

 

no,you can easilly configure D+ to fully lock down your system tight, block the running of installers,drivers,dlls,etc,etc if you want to but is not by default you will have to dig into it and play with it to find it's fully potential (not out the box ofcourse)

 

Well, that wouldn't make the system very usable, or easily usable.

So, it still works the very same way I used to remember (not so long ago).

It was Exist's comment that made me wonder if now worked different, when he said

Defense+ won't block malware. Defense+ and other HIPS won't block, unless the user gets alerted for something, and the user then decides whether or not that's something that should be or not happening, and then, yes, block or allow.


Regards

 

If it you've executed the program and it's already installed on your system,
you will need to use a good anti-malware scanner to remove it.

I highly recommend MBAM or SAS.

 

Should DW stop malware infecting the system if the malware is run as administrator and DW is not? Even when the malware is untrusted.

 

DriveSentry is more of a classical HIPS with an AV component. Just disable one of AVs or have them scan at different times so they don't conflict. They can get along happily. I use Geswall as my sandbox. It works with any browser or program that connects to the Internet.

 

This discussion, 'Protection against malware without AV' seems oriented towards experienced users, yet I don't see that anyone except one person has mentioned what it is that you are protecting against.

'Malware' is a loaded word, which has no practical meaning without describing the delivery mechanism. Not knowing that, how do you know what you are protecting against?

If you take malware that is delivered via a Port, such as the worms, Blaster, Slammer, (they are still around!) and the recent conficker.a, then the appropriate protection is, of course, a router or firewall. A check of your log will show this protection doing its job by blocking the Trojan/Worm Ports. This can be referred to as the outer perimeter: Nothing gets inside.

​

How about malware delivered via a web exploit? If you have Opera or Firefox, what else do you need? Is there an exploit out there that delivers a trojan that is successful against these browsers when properly configured? Give a URL so we can test. All target IE.

These are the ways malware can sneak in, and unless someone can show a URL that has an exploit that can penetrate the above, then I submit that those protective methods are sufficient. The Firewall and the Browser effectively stop malware at the outer perimeter, if you will: Nothing gets inside.

The other way malware is delivered is when the user gives permission to install. Ilya in Post #12 has addressed sufficiently what you are protecting against. That said, we can eliminate consideration of that method of delivery in this discussion.

The recent PDF exploits have given concern to some, so in the event you think you might open one of these infected files, you say, How to protect against it? This is easy, because the shell code in these files calls out to download a trojan executable.

TROJ_PIDIEF.IN
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.IN&VSect=T

Now, we don't have one of these files to test, but we can simulate the remote code execution method with an Autorun.inf file.

Take any installation disk and put into your CD drive. You need to enable Autorun for this, because you want to test your protection against an unauthorized executable from running. Here, I use a Photoshop installation CD. It uses an executable, Autoplay.exe to start the installation process. If the installation starts, I submit you are not sufficiently protected at the outer perimeter:

​

However, since this executable is not permanently installed on my computer, I submit that it should not be able to run
without my permission:

​

This could be malware in a PDF rather than Autorun, and is easily prevented by many solutions other than AV.

I don't consider a Sandbox to contain malware after it executes as a solution, for in my view, it is a poor excuse for not understanding how to prevent the malware from penetrating the outer perimeter and executing.

CONCLUSION

1) No discussion of preventing malware is useful without knowing what you are specifically protecting against.

2) Looking at the way malware penetrates (is delivered), protection against malware without AV is certainly possible, and it can be argued that all that is really needed are

• a Router or Firewall
  
  
• a Browser other than IE.
  
  
• Ilya's advice in Post #12

3) For the "what if" remote code execution scenario such as a PDF exploit, anything that blocks the malware at the outer perimeter will work. So, add to the above:

• one other solution (I use 'solution' rather than 'product' because some use SRP which is not a separate product)

----
rich

 

The solution isn't everyone ditching IE, which is now safer than other previous versions, and start using, let's say Opera.

What would result from this action? Opera would be the most targeted browser, at the image of what happens with IE.

The more people using X browser, the more targeted it will become. The solution is for everyone not to use the same browser.

The reason why I don't use IE/Firefox for most of by browsing, is due to the fact that Opera isn't as widely used as IE and Firefox, hence less/practically not targeted.

But, what would happen if, let's say, 90% people would start using it? I guess that, by then, people would go back to IE, for not being as targeted as Opera? Then what, move to Opera again?...

Just like F-Secure mentions here, about the PDF exploits for Adobe and not only (http://www.f-secure.com/weblog/archives/00001623.html)

 

You make very good points, m00nbl00d.

While I used Opera/Firefox as examples of browsers that are not exploited, I did conclude by saying "a browser other than IE." There are many besides Opera and Firefox -- often some are mentioned in the Software forum here.

Yes, IE is becoming safer, but is still slow to patch exploits. I would not use IE without some added protection against remote code execution exploits.

As far as PDF readers: left unsaid is that many, including myself, use older versions of Adobe Acrobat which are not vulnerable to the current exploits. This can be confirmed in the Adobe advisories where the vulnerable versions are listed.

This of course would negate the need to worry about malware via PDF files, therefore, no other security product necessary. But you can apply this idea to other delivery methods of malware, which I did not discuss, such as SWF files (Flash).

Experienced users who take all of this into consideration just reinforce the idea that not much security apparatus is needed at all to maintain a safe computing environment.

----
rich