Security setup help

Hello, i´ve WindowsXP SP3 and my current security setup is:
- Passive protection: SpywareBlaster, MVPS Host
- Resident Shield: Avira Free
- On-Demand: MBAM (free version), A-Squared free
- Drive Imaging: Macrium Reflect free
- Windows firewall


I´m thinking in adding some other (free) protection layers. However, they must be very "user-friendly", because the computer is for family use (that´s why i´m not using CIS, SandBoxie, GesWall...).
I´ve thinked in NortonDNS, MBRGuard, Panda Cloud Av or Immunet (to run alongside with Avira free, can i do this? it would be usefull?).

What are your sugestions?
thanks!

 

I would recommend MBRGuard and Immunet

 

I agree @ MBRGuard

Please provide your PC specs.

 

Your on the dock and the ship is sailin my friend - hurry here - https://www.wilderssecurity.com/forumdisplay.php?f=97

The "MOST IMPORTANT" and first step of any system security should be "imaging"!

 

When i get home i´ll see and provide more details!

I´m already using Macrium Reflect free, i forgot to mention, thanks anyway!

 

Excellent

 

I no understand why use MBRguard when you use user limited and SRP. MBRguard sound like your protection fail and then attack your MBR. If malware get past until there might be best load new image. Or I wrong?

 

For family use, maybe using Shadow Defender on a 24/7 basis. Just exclude each members home directory so that they can save files etc there. You just inform everyone, "what you do will be gone on next boot if you don't save it to your home folder" and "if you want something installed permanently, I will have to do it" or if you trust them, show them what is going on. It is hassle free and allows users who don't understand as much to install that flash game and play, and all you need to do is reboot.

Sul.

 

After its initial set-up I find Sandboxie very user friendly.

Set-up the download locations, enable quick recovery and tell your family that when they download something click "Recover" on the window that will pop-up, if that window pops up and you haven't downloaded anything, click "Close" (which likely would never happen anyway).

 

Create a LUA, and use only it, whatever you do, except when you need admin credentials. In this case, log as admin.

Absolutely keep:
- Drive Imaging: Macrium Reflect free
- Windows firewall

If you have sensitive data, use a data backup as well.

You may use Avira, or any security tool, but only one.
Get rid of on demand stuff.

 

Excellent point. Neither a user nor any user-process should be able to write to the MBR in Windows XP/Vista/7. However, should a privilege escalation attack or an inter-process memory code injection ('process hopping') to a 'privileged' process succeed, then the MBR can be altered. Such attacks represent a small percentage of overall attacks at present.

Now, those that run their PC with local admin rights... Well, one might consider a 'no smoking' sign because that can be explosive. But MBRguard is lighter and incurs no social stigma.

Cheers,

Eirik

 

How much small? come on. With automatic updates on, on a user machine, risk is null (or so close to it that it can be safely ignored). Except if you wish to sell a security product

That is unfair.
Do you undermine running as LUA would incur a social stigma? That's once again taking users for monkeys. A pince of education, a pince of care, a pince of doubt, and your social stigma should be gone for good.

 

I vote in favour of what Lucy recommends here

 

I agree most. Very nice. One thing I dont agree is get rid of on demand stuff. ok? Why get rid of? Good keep at least one scanner.

 

Read what Lucy say above. Very nice say. And you mis guide bad. Very sad. When combine user limited with SRP/applocker very rare can bypass. Only POC bypass SRP before and none bypass Applocker yet. No malware bypass user limited and SRP/applocker EVER. Ok? me, wat0114, Lucy, tlu windchild and many other alway say this but none or few seem listen. always think install other software is best. sad case.
Lucy right in say choose one app to use with user limited and SRP/applocker. I use sandboxie. Very nice ok!

 

Alex,

I am assuming you are running as Admin. You have gotten some replies to run as limited user, which is a good advise, but impacts (limits) the way the computer can be used.

So for me to answer this question it is important to know a few things
a) do you (or others) install a lot of new programs?
b) do you or other burn CD/DVD's (you have to tweak the registry to enable this under Limited User).
c) do you use wireless pc connection or cable (under LUA you can;t reset/repair the wireless client, you are able to scan for wireless networks and connect, but with a lot of interference in the neigbourhood this can be a nuisance).

Assuming you are running Admin now, these are some good add-ons to your setup

Getting most of the limited user benefits

a) MBRGuard. link http://www.blueridgenetworks.com/support/mbguard/mbguard.php
This protects the Master Boot Record against unusal access. For people running Admin and no HIPS, it is a must have. Advantage it does not require user interaction

b) EdgeGuardSolo, see http://www.blueridgenetworks.com/support/products/edgeguardsolo/index.php, download link http://www.blueridgenetworks.com/forms/es_register.php

The note tells you that EdgeGuard Solo is not compatibile with Chrome. It is, but you have to install Chrome from the Google pack link http://pack.google.com/intl/nl/pack_installer.html?hl=nl after you have uninstalled chrome. REASON: Google pack chrome version installs in the regular Program Files directory, so EdgeGuard Solo works perfectly with it.

Search for a file named Bookmarks and safe it on another location. Afterwards look for the same file and copy it back again (so all your bookmarks in Chorme are kept).

Make sure you add all your browsers, e-mail programs and office programs in the programs list of Edgeguard. Programs running under EdgeGuard have the same security as programs running under limited user, without the usage limitations. EdgeGuard is like MBRGuard a completely silent program.

c) Trusteer Rapport, download link http://www.trusteer.com/product-0
This will protect you browser process itself against manipulation and blocks unknown DLL's (modules). See the picture below for best settings. Trusteer also protects your privacy at protected websites. You can add 40 websites yourself (typically your on-line banking log-in). Just read teh help to see how. Trusteer is very very quiet and only pops-up when keylogging activity is spotted, otherwise it silently denies malware activity.

Easy way to implement a software restriction policy = OPTION
d) OPTION to protect against drive by infections = equivalent of deny execute software restriction policy with Trust-No-exe
http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm
This program denies execution of software not located in C:\Windows and C:\Program files. It can be set from the Windows XP cofiguration screen to set it on off. With this software it is not possible to run the chrome which you have downloaded from the internet (becasue it runs in your Documents and Settings). The Chrome version downloaed with google pack will work (because it is installed in the Program Files directory).

As said D is an option.

 

Thank you all for your very usefull replies!

My computer is an Acer Laptop with Windows XP professional SP3 32bit., running with Admin. rights.
Intel Core 2 Duo processor T6400 (2.0 GHz, 800 MHz FSB, 2M L2 cache
1407 MB nvidia GeForce 94000 G Turbo Cache
4 GB DDR3
320GB HD

The computer is used mainly for surfing the web, download video and music, and for work with documents (doc, docx, pdf...).

First of all, thank you Kees for your very comprehensive answer!
I know that using a limited user account is very important in terms of security, but for me is very limitative in terms of usabilty. We install new programs and burn CD/DVD's only occasionally, and we use a wirelles connection.

- Concerning to Sandboxie, is there any option that allow the files to be saved to the designated download locations without any prompt?
If yes it would be a option to consider, since sandboxie not only isolates the browser from the S.O, but also allows to run the browser with limited privileges!

- MBRGuard - Is there any way to check if my MBR is already infected with a rootkit before i protect it? I´ve done a full system scan with MBAM and A-Squared, and a Rootkit scan and full scan with Avira free, that reported no infections, is that enough?

- Trusteer Rapport - seems very very nice! It will slowdown a lot the browsing? Can i use it together with keyscrambler personal? (and is there any free and more complete alternative to keyscrambler personal?)

About EdgeGuardSolo and Trust-No-exe - if i install SanBoxie i don´t intend to use EdgeGuard, because Sandboxie allows to run the browser with limited privileges and i´afraid of problems because of running more programs under limited privileges (updates, usability, errors...). About Trust-No-exe i´ll not use it because i´ve games in another partition (also, much malware can install and run from C:\Windows and C:\Program files wright?).

Thanks!

 

Alex,

Personally I would only implement MBRGuard and Sandboxie. When you are concerned about rootkits, I advise you to switch from Avira to Avast Free and only install file shield and behavioral shield. Avast rootkit protection is based on Gmer and the behavioral guard has a limited scope (on rootkits mainly ), so Avast will keep CPU and I/O the low (lowest system impact of all AV's I have tried with file shield and behavioral shield only).

Add Hitman Pro free to the mix for occasional scan and your are well protected. I would ditch Spyblaster since its protection does not add much with the above setup.

 

AlexC uses admin account, so...

in my case, MBRGuard under LUA/SRP looks worthless, but the resource usage is like almost nothing... I just want to keep it.

 

You keep it for no reason. It may cause conflict ok?

 

Okay, okay.
I don't have much apps anyway. https://www.wilderssecurity.com/showpost.php?p=1693600&postcount=8870

 

Not that I know of. It would surely severely cripple the protection offered by Sandboxie. Any virus/malware could save to that location.

You can turn off the prompt and the files will be kept in the sandbox. You can manually invoke Quick Recovery and if the contents of the sandbox are set to delete after the last program has closed, Quick Recovery will pop-up.

 

Hello,

I gave up on SandBoxie. My goal is to achieve maximum protection with minimal user interaction and max.usability only with freeware. So, until now, and following some great advices given in this thread,i installed MBRGuard and EdgeGuard Solo.
Also gave up on Trusteer Raport because of the very high ram comsuption, and also experimented some problems in browsing but i´m not sure if was due to Trusteer, and problems in uninstalling. So the current security setup in my pc is:

- Macrium reflect free (drive imaging)

- Spyware Blaster; Hostsman (program that manage the HOSTS file; i´m currently using MVPS hosts); NortonDNS

- MBRGuard; EdgeGuardSolo (set to limit user rights in IE, Opera and MSOffice applications); Panda USB Vaccine

- KeyScrambler Personal

- Avira free (thinking in swich to Avast free, because of the behavioral bloker and the various "shields")

- MBAM and A-Squared (on-demand scanning)

- Windows Firewall

What do you people think\advice?

Was also wondering if there´s any free application that blocks screen capture. Is a feature i never use, and i was thinking in security in online banking.
Any highlights on this?

Thanks in advance, great forum