Safe browsing for a non-techie?

I use ESET NOD32, Sandboxie, Noscript on Firefox, etc for my browsing needs. Sandboxie of course requires knowledge about where to move files you've downloaded if you want to keep them. NoScript requires you to teach the application about what to allow, etc. All this can be too much for a non technical user.

I need a solution for my Dad. He is in his 70's and relatively non-technical.

While he doesn't go to seedy web sites, there is still the possibility he can stumble upon something bad. I'm also worried about keyloggers, trojans and other things that may attempt to steal his bank account passwords.

What is the best program that offers relatively seamless protection without the requirement to be "aware" of where things are saved (like Sandboxie) and offers better protection than running a browser natively? He uses Firefox primarily, and for physical safey I have his profile run from a TrueCrypt drive. But when I setup his laptop initially, I did not foresee him needing a HIPS.

To understand where he's at.... I installed NoScript for him in Firefox and it lasted a day before he insisted I remove it. Most people don't understand what is safe or not..... so I need something with intelligence behind it.

Suggestions?

Edit: Being free is not a requirement. Seamless, updated automatically, and a good trade-off between secure and non-intrusive.

 

DefenseWall should satisfy your Dad's needs.

 

+1

 

Still surfing Wilder.....

Got another question.

How is Prevx? Or what does it do/not do compared to DW?

 

Yes that's a straightforward option for him.

 

Hi, I am not an expert, just a reader of this forum, so apologize for summarising stupid things. To get you going this is what comes to mind (based on having read several postings as addition to Blackcat's suggestion)

a) Windows Firewall (when your father is on Vista, use the freebie Vista FireWall control for easy outbound protection, set UAC on quiet with Tweak UAC, see https://www.wilderssecurity.com/showpost.php?p=1400026&postcount=3)
b) AVG free 8.5 with now new link scanner functionality, seems to work fine, see https://www.wilderssecurity.com/showpost.php?p=1446765&postcount=4570 and see this thread https://www.wilderssecurity.com/showthread.php?t=239375 and this https://www.wilderssecurity.com/showpost.php?p=1447248&postcount=1 ), I tried it also and when you hide the AVG search bar without switching off the plug-in, it keeps working)
c) Keylogger free for IE (for worse case scenario a keylogger might get through, see https://www.wilderssecurity.com/showpost.php?p=1447489&postcount=10)

Regards

 

I don't think defensewall is designed for non-technical folks.

 

yes it is,my happy clicker wife use it plus it comes out the box ready to be use

 

This is what I installed for my family, considering they use Internet Explorer, and now updated to version 8, which is even safer than version 7.

The Opering System they're running is Windows Vista SP1 with UAC enabled, which will make Internet Explorer work in Protected Mode, which will lower the rights of what the browser can do to the system.

DEP is enabled, as well.

I disabled all cookies, and only when needed, and for sites as bank, email, and the likes, they're allowed.

I've installed AVG 8 Free version on their system, because it provides the full power of LinkScanner Pro, which will prevent access to malicious domains and to domains containing active threats.
I've also installed MyWOT just as a second opinion. Doesn't hurt.
I've also installed HauteSecure, which is currently at beta stage, for a while, and it's development, for what I know it's on hiatus. But, it fits the purpose I installed it for, which is to prevent unauthorized changes to important settings of Internet Explorer. It always provides an excelent out-of-the-box protection. I also have it set to block any attempt to load toolbars to it. Only if a safe installation is occuring, it is allowed.

I also installed SpywareBlaster and Spybot - Search & Destroy. The last, only set for immunizations. Both will prevent, to the extent they can, the propagation of malware via browser. (I had to disable the domains immunizations of Spybot in IE, otherwise it will make the system crawl. Something, I believe, Microsoft is working on...)

With this setup, for protecting you father's browser experience you wouldn't pay a cent. My family's system never had an infection, since they got it, 2,5 years ago.

If you want something paid, and easy, as in set and forget, you could pay for ZoneAlarm ForceField, to work along side those I mentioned, except with HauteSecure, since there's a known conflict between them.

P.S: As for the rest of the protection, I installed Outpost Firewall Pro, in advanced mode and allowed it to automatically create rules for well-known and digitally signed applications. Everything else was set by me. No alerts, unless they update or upgrade an application.

 

There are many solutions. And all will have merits. I will share the solution that I have found works the best for people who are very minimal in knowledge.

If they can, run them as a User. This is likely to cause problems for the inexperienced, as there are many times they need to be admin to do things. Vista UAC helps in this respect, as the admin account is not fully admin with it enabled.

In XP, what I do is create a folder in My Documents called 'My Downloads'. Then I tell all browsers not to ask where to download to, but to place all downloads in the directory 'My Downloads'. I always always always tell people to use Firefox, Kmeleon or Opera, and strongly discourage IE. Just because IE is targeted and normally has flaws exploited.

After the browsers are directed to not ask where to download to, but just do it, I set up some SRP rules. They are simple. As an admin, I direct all browsers to start in the 'Basic User' mode. I also have media player, outlook express or whatever email client they might use start in 'Basic User' mode. Then I make an SRP rule that the directory 'My Downloads' should also be 'Basic User'. This rule ensures that anything starting from 'My Downloads' is restricted to a Users rights, not an admins.

The result, is a free way, with no popups to restrict those programs and that directory to having no rights to modify c:\ , c:\windows or c:\program files directores. Can't install. Can't delete. Can only read and execute.

Using KAFU will then set the autostart areas of registry and startup folders for the user to read only, so that the 'User' rights in those places are also restricted.

The only thing I have to inform people of is that they can no longer just run something like Adobe Flash Player install from the browser, as it cannot install because it is restricted. And further, that if they need to install something like that, they want to download the setup.exe. Going one step further, when they download the setup.exe, it should be saved to the 'My Downloads' without question. If they try to run setup.exe from 'My Downloads', it will fail, because again that directory is being restricted. This takes care of any mishaps that might happen by some malware, because everything is saved to that folder by default.

What I then direct people to do is, IF they KNOW somethign is safe, remove it from the 'My Downlaods' directory and place it somewhere else. Then they can execute and install, in this example, setup.exe for Flash Player.

This is not as strong as DW. Or as robust. Or, as anything. It is not guaranteed to be 100% safe. But it is free. It is easy. It has no popups other than saying 'some action performed is restriced by a security policy'. Most basic users seem to be able to comprehend it.

IMO it goes a long way towards an easy setup that has no popups asking the user what to do. IMO it is the popups that are the downfall of most security applications. Lack of knowledge leads to improper answers, which can easily neuter the protection, or lock things down with too much protection. If lock down occurs, it is common for a basic user to disable the protection all-together to get thigns working. Again, this is due to not understanding how to properly make the security program work.

Couple this with a good free Antivirus and it works well for peeps who don't install a lot of things and don't go places that would be considered dangerous.

I personally think using Sandboxie would be the best method of protection for users like you describe. They don't need to know how to set it up. You just need to teach them what a folder is, and set SB up so it puts things in one place for them that they can navigate to.

Admittedly, not the best solution for all users, but my experience shows truly basic users appreciate the simplicity of it.

Sul.

 

It is specially designed for non-technical users.

 

DefenseWall is a no brainer. Perfectly configured out of the box and the user only needs to understand running an application as trusted if they are installing software or updating a browser like Firefox. I don't see how it can get any easier.

 

Ilya,

That is the issue with consumer to consumer communcation, everyone enttled to his/her opinion. When repeated enough it gets credential by its own (in the Netherlands we call that a "monkey sandwich story", meaning no one has ever seen somebody eating a sandwich with a monkey burger, but at least 40% know someone who knows someone eating it).

See this post, even Mac users were comfortable with it when forced dual boot systems see https://www.wilderssecurity.com/showpost.php?p=1447308&postcount=28

Fact is that you have to keep replying on these statements

Regards Kees

 

Thanks Ilya, it's nice to know that defensewall is meant for average users . And tbh, I haven't tried it myself, but I presumed it's difficult to deal with because it's a HIPS program. On second thought, I might give defensewall a whirl

 

@Hanzo,

Respect the way you respond to this


@Ilya,

We discussed this when evaluating names for the new V3.0. When you choose a category (HIPS) you inherite all the prejudice and C2C opinions which comes with that category, self inflicted pain it is. What was good for your launching application won't do for the new V3. Use DefenseWall family name with a different subscriptor (so you inherite all the goodies of DefenseWall being customer responsive, user friendly and secure).

Warm regards Kees

 

Kees, I understand the things you say. Even more- I understand that majority of people have no idea what the hell HIPS is. Completely.

 

ZA ForceField does the job and requires little if none interaction.

Fax

 

I started playing with DW, but I must have missing the DW 101 class.

Do you have to constantly allow things to be trusted if you install something you download? So if I send something to my Dad, or he wants to install a legit program, he must go through the menus to "trust" the installation? Because if you forget, and once you start installing something, it's a mess of processes.

 

Yes, you do. Whitelisting elements will be implemented with v3.

 

I don't understand the part about the TrueCrypt thing.

There are many options.

The one I'm going to suggest is definitely not popular here: a security suite !

If you get a good one, it will protect you against a lot ! It's better to use a product he understands, than one he doesn't.

For a suite, one typically looks for the antivirus first.
Maybe Avira or Avast are ok, but they can have many false positives, and I think there was one other issue with Avast that I can't remember.
What about Kaspersky ? You can configure it for him to be relatively non-intrusive, and yet offer strong protection. There are others, like Norton (which I'd hate to recommend), see av-comparatives.
I know people here LOVE FireFox. I've never used it, and I know that IE 7 can be relatively safe if you increase the security settings, and ditch the concept of 'trusted zones'. And if your AV/AS (or Winpatrol ? I'm not sure) monitors/blocks (attempted) changes to IE 7, IE can be safe enough.
Of course, it's important to configure ! I don't know which AVs have HIPS, I think Kaspersky does, a HIPS component in a suite can be powerful, of course it needs to be configured like everything else, and your father needs to be able to understand and handle any prompts !

Something else that warns him of dangerous (infected or scam) websites is a good addition. Maybe a combination of of something that scans the URL for malware (Finjan ?) and a community based judgement like WOT.
One can always add something like MBAM and SAS for on-demand scans, but these can have their own issues.

Use Microsoft updates, update potentially vulnerable software like the Acrobat Reader or Flash.

As always, a good and simple imaging system (external harddive, software, bootable CD for restoring images) is a good complement for when something goes wrong, or just for when you think you MAY have been infected ! (if my computer tends to behave funky I tend to restore an image, LOL)

And there is no escaping from the social engineering part (education), like not clicking on ads.

For as far as banking is concerned: I always reboot for a banking session, and do so again afterwards.

 

As an example, I have a Cisco account and downloaded the Cisco VPN client. It's a pretty intrusive install since it modifies your network settings, adds an adapter, etc.

I could not get it install, even after I marked the download as trusted before starting.

 

Here is my security setup for my dad:

ThreatFire, firewall (take your pick), antivirus (take your pick), non-IE web browser (Opera in my dad's case), SnoopFree, and Returnil free. A separate data partition contains My Documents, browser bookmarks, downloads, etc. I do all installations, maintenance, and backups for him. In your case, you might also wish to add KeyScrambler or similar for additional keylogger protection. If you don't want user intervention, you may wish to drop outbound firewall and SnoopFree. If not running as a limited user, you could also add 'Basic User' Software Restriction Policies for those programs that are most likely to be exposed to malicious content. You could also add Prevx 3.

 

Disable DW's protection and install. If you still can't install- the issue is not on my software's side.