Relief or regret finding the right security?

Dear members,

After a year of looking for a good working security setup I found suitable security setups for our home computers with the aid and info provided on this forum. I was triggered by the free advice my company provided to enhance PC security on compuers with access to the company network.

When diiging into this issue, i got intriged by finding a best suitable setup. It is fun, because it feels like a quest. First you make big improvements (turning), than enhancements (twisting) and finally you are tuning (tweaking).
Along the discovery road the reward becomes less and the effort increases until you finally reach a point and say okay that's it.

It is odd when you kind of reach your goal and do not feel relief but regret, because the learning curve flattens out.

This is what my setups are:

PC -1: Used by 15 yr old son, fanatic gamer and tries out a lot of software (AMD 3900 Athlon64). My son surfs with Firefox

Firewall: Only hardware inbound FW, behind router
Antivirus: Antivir free
HIPS: CyberHawk free
Sandbox: GeSWall Professional 2.5 paid

Why only inbound firewall?
I think it makes more sence to prevent a theft, rather to spend energy on th ethief to run away. Also I prefere hardware FW above software FW, they are more or less idiot proof and easy to install.

Why Antivir?
It is free and gets great ratings, I do not need an e-mail scanner because our ADSL provider offers it as a free additional service.

Why CyberHawk?
It is an behavioral HIPS. So it only checks anomolies and does not trow pop-ups when installing new software (which he does a lot), so CH is easy to use and gets reasonable ratings in tests.

Why GeSWall?
I do not like file virtualisation (like Sandboxie or BufferZone). I want a seamless integration with the working environment. I like the architecture (uses microsoft security framework). When using GeSWall is silent (although setting up an unlisted ap can be troublesome) and is a very fast performing ap. My son only uses standard threat gate aps.

Why using seperate aps: I like to have aps which either use black lists, behavorial blockking or white list approach, targetted on a specific part of teh PC functionality. Overlap is a useless waist of CPU power and causes incompatibility/system instability.

Only non-cpu eating extra ap we use is SpywareBlaster as a block list for bad IP's.


PC-2 used by my wife and occasionnally by me (3400 AMD Athlon). My wife does not want to have any security pop-ups. She surfs with IE7 because her favourite download site needs it for payment.

Same inbound FW and AV as son.

HIPS: SSM free
Sandbox: Defense Wal paid

Why SSM free?
I tried Process Guard, Dynamic Security Agent, ProSecurity and Antihook also, but I prefer SSM because of its disconnect user interface and its paranoid learining option. The disconnect user interface prooved to be the best solution for not throwing pop-ups at an innocent user. A classical HIPS is suitable because the applications never change on this PC (besides upgrades of software), so a classical HIPS is very easy to use.

Why DefenseWall paid?
Simply because it out performs others in test. It also does not use file virtualisation (so seamless integration). Because she uses IE I just wanted one of the best un-intrusive sandbox (it is also cheap). DW runs out of the box with no configuration. Off course you can improve it settings by making the P2P directories also untrusted, the floppy drive and DCD/CD Rom drive.

Spyware Blaster is also used tp block bad IP's.

On both PC we do not have additional anti-spyware, or on-demand scanners any more. After 9 months of not finding any mal-ware I stopped doing regular scans. I only scan with Antivir before backups to last actual on external harddrive (I also keep a clean install on the external harddisk of both images).

I realised that CB, SSM, GW and DW all fall into the HIPS arena, but they do not overlap (I think PrevX is great because it is easy to use, but from a best of breed aspect I have a natural dislike against security programs which offer an all in one solution with black list, white list, behavior security).

Good bye and enjoy playing around in wilders

 

Just a correction: SpywareBlaster doesn´t block IPs. It sets the "killbit" for a large amount of crap ActiveX and malware and adds lots of bad sites to the IE "Restricted Sites" zone. Also, it blocks ad cookies in Firefox.
If you want IPs blacklisted, install Peer Guardian and use it with Bluetack´s lists

 

That's right, bad websites and active X-bits

Oh and XP is also hardened on both machines

 

Hi, folks; The setup appears to be nearly foolproof, except..... IMO,in the following situation; what would you do if a sleep cell sends out info, since you have no outbound firewall control, you have issued them an alltime exit visa. Leaks, leaks is what is going to take you down. Think about it.

 

A) the 3400 PC
When this misterious "sleep cell" manages to pass through the Antivir+SSM free+DefenseWall combo, I doubt a firewall should be able to notice it and prevent such well compiled malware. Remember it is a stable machine (no software tried out by the user).

b) the 3900 PC
With the Antivir+CyberHawk+GesWall pro combo "a sleep cell" has to break through GeSWall and needs to show ''normal" behaviour to pass by CyberHawk to succeed. With this setting an outbound firewall might be a viable last stronghold. So the data gets stolen (work for school). Big deal. I think my son will notice his ping going down in gaming (because the outbreak uses bandwith), so when that should happen i will have a look at Comodo release 3.

To me security is a balance between risk and workability and the risk an assessment of probability and impact.

I can not imagine scenario A to happen/think a software firewall is resistant to such smart malware either.

The most likely scenario for B to happen, is that my son downloads a program in trusted mode (GeSWall). Starts the program and allows it once (CyberHawk) it to do weird things. To his defense: until now his PC has been clean for nearly a year and he checks downloaded programs at virus total, so I trust him to be smart (thus safe).

When a user should make 2 triggy security decisions after each other, I trust this type of user also to allow a third pop-up of an outbound firewall. There is no security against ignorant users.

 

I would think Comodo Firewall, AVG Pro 7.5 Antivirus, and Cyberhawk behind a Wireless Router Firewall should even be good enough protection for someone using Firefox with NoScript. (Guess who?) Plus leaving out Geswall and SSM Free would be a much simpler scenario as well. Of course I know people who only use Windows Firewall and Avast Home behind a Wireless Router with a SPI Firewall who use Firefox without NoScript and never get infected, (my wife) so I would think this. I do need to get out of these forums though, because I downloaded and almost installed GesWall Free after reading your thread. Not that it isn't any good, or your set up isn't great, but using CPF, AVG, and CH is where I finally have to say good bye, and have fun playing around in Wilders. LOL. Of course that is until the new CPF v3 comes out, or the next version of CH, or.... LOL.

 

Just because you're satisfied with your current setup doesn't mean you can't continue to try out new security-ware or test new configurations and ideas. If nothing else, you could pick up a lower cost unit just for experimenting with. With SSM for instance, you can always work with tweaking its registry module or start getting detailed with parent-child dependencies, library permissions, etc. You can always start working with other aspects of security, like content filtering, customised to your preferences. If you enjoy learning how things work, check into Proxomitron and using it to filter web content. There's so much you can do with it. Ad blocking, script control, popup control, both overall and on a per site basis. Bypass lists. Block lists. There's modifying web content so sites are displayed according to your preferences. Just about any content that can be put on a webpage can be modified and controlled with Proxomitron. For those who enjoy learning and want to know how web content works, Proxomitron is a good teacher. Besides, controlling web content really contributes to your Pcs overall security.
Rick

 

I really was surprised that I am amble to insert and change registry entry items in SSM free version. You never read in WIlders people sharing their settings. I wonder why?

 

We are all always in search of that PERFECT BALANCE of TOTAL SECURITY and for me anyway all these safety developers engaged in servicing our confidence & concerns makes sitting in front of this screen for hours/days/weeks and months JOYFUL and FUN now. Creativity overrides for me the anxious concerns if i might ever be able to piece together the FINAL CONFIGURATION to end all searches for this what you say is a QUEST!

There is always another new discovery that will take precedence over the regularly accepted model of PC Security that we thought was all that was needed. And i guess that's part of the fun, finding another new invention (softs), that prove their metal & keep which makes your investment solid & safe to turn to and doesn't leave any room for wondering "IF" you can enjoy today's communication age of the internet as we've come to know it.

Regards EASTER

Fine choice without a doubt. I have used it before and even though i have taken leave from it for now, if my privacy browsing ever became again a serious concern by miners & trackers trying to slip a system damaging intrusion proggy in on me i won't hesitate a moment to connect it to my units again. Right now HIPS pretty well ward off such attempts and i regularly dump tracking codes that are designed to monitor my surfing habits.

 

ProSecurity has a very capable learn mode, and has a feature that acomplishes the same as disconnect GUI in the form of stopping popups and relying on the rules already present, please see Settings->General->Show warning boxes
you also can set this from:
Traybar icon->Show warning box

WG

 

So you can stop PS from throwing pop-ups, even when there is no rule specified?

 

Okay, okay

I am now trying out sensitive guard. But this will give overlap (which I dislike) with CyberHawk on PC2.
Reason for trying Sensitive guard, it also warns when not user initiated files are created (like exe etc) or private folders are read/copied. So this software firewall adds something extra.

How to read diagram

Infection stages are listed in the left column (so it makes more sense to spend your money on the earliest stages) Protection level (from weak to strongest is left to right) are listed in the four outmost right colums.