The not so definitive security guide...

I have been downsizing my applications of late since I am tired of 'percieved threats driving complex precautions'. So, here I present a list of applications or techniques I employ that hopefully reduce my time spent protecting myself from an as of yet unknown risk. lol.

Please also consider that all network precautions are taken in fact that a router using NAT is in existence.

First and foremost is to have a clean OS to begin with. I myself roll my own XP Unattended dvd's. They are SP2 with RyanVM update packs and Bashrat's Driver Packs. Once a clean install is performed I take the following steps:

Windows Worm Cleaner - or equivilent, maybe xpy?
This is to close ports except for netbios communications.

Promptly install 3 alternative web browsers: Opera, Kmeleon & Firefox.
Any of them will be better than IE. I use Opera as main, and occasionally use Kmeleon. Rarely use Firefox.

Set preferences in browsers to use localhost 8080 as proxy, and then install Proxomitron. No fancy filters really in Proxomitron. Just to keep all the ads/etc to a minimum.

As of late have also been using Tiny Watcher. Simply keeps track of what I have installed, allowing a small level of control in case something malicious should ever get installed, which I doubt.

Now I have to decide on what firewall to use. I am now interested in an on-demand firewall that does not normally run. And I wish to use it for outbound application filtering only. I have a list of small products that are free, such as Soft Perfect (no applications though, but does do DNS resolution on learning mode), R-Firewall (does have dns plugin, so so firewall), Primedius (simple allow this exe or not, that is it) or a paid for Outpost v2 (which I would still use v1 if it worked with my current rig). I am not interested in a firewall that does everything for me. I do not want the bloat. I just want to be able to turn it on if I wish to see what is happening.

Ok. So I have a firewall I can use if needed. That still leaves some basic things left, like an Anti Virus. I choose to use Avira AntiVir. AVG is ok, but I don't like it. Some also like to use Avast, Comodo, etc etc. Really, Avira has some really good results lately in tests, and it is a very small footprint. Personal preference.

Now how about a HIPS? There are many. As my goal here is to build a layer of protection that is small and fast and most importantly does not require me to spend hours setting it up and learning it's interface, I choose Threatfire. It does successfully detect trojans and the like, I have tested it with a few. It also is intersting in that it speaks to me that programs I wrote may be malicious. I found that interesting, as no other tool has yet to do that for me.

So what could be left now? For starters let's do a netstat -ano and see what ports are open. For me at this point, I have only ports 137,138 and 139 open. Not bad.

I feel at this point that my system is potentially safe for looking at email and surfing forums etc. But, maybe I want to browse around sites I don't implicitly know. I will now turn to Sandboxie. Simple and effective virtual sandbox for my browsing now. Should I be feeling the need to do driver level stuff I will switch to using VMWare, but usually I don't need to do that.

So now let's speak of some applications that I have found to be extremely useful in my geekness.

Beyond Compare - I have yet to find a better tool for comparing, anything.

Install Rite - really want to know what an app is installing? Want to know what has changed? It does this and much much more.

Auslogics Registry defrag - useful sometimes.

JkDefrag GUI (JK Defrag) - if you have not used it, you should look into it.

OK, so there is a short list of possible companion utilities for system security/stability. Granted they are not technically security apps, but they are very good tools for either maintaining stability or digging around.

Where would we be though if we did not include Process Explorer. A great tool to find why something is running and what started it or where it lives.

For that matter, should something actually get onto my system, how do I deal with it? There are a number of tools at my disposal.

Let's start with a couple items to examine what is starting itself up, other than the Startup folder itself. SysInternals made a great one in Autoruns. Very comprehensive. There is another that is a bit more lightweight but effective, Mike Lins Startup Control Panel.

How about services? I very much like to use Pserv, much easier interface than the mmc module. Regarding services, there are many many that can be disabled. I am currently, including firewall etc, running 25 services. That is a very high amount for me, but between the AV/HIPS, mouse, vmware and others, it has crept up a bit. Black Viper made a very good guide to the XP Services that could be disabled. A good place to start.

We must also be able to deal with perhaps hidden windows from a mal-content application. Here I would use FaberToys. It does some cool stuff for digging around.

An older version of HiJack This is also handy to keep around at times.

It is helpful to use the application Unlocker to unlock files you wish to delete that are being held open by some parent process. Want to see Threatfire talk to you, just start Unlocker...

I have long since dropped the whole Spybot/Adaware type stuff. I don't keep cookies. I don't have a large cache. I have broadband, so why worry about it?

I have a good set of reg tweaks that are put into place on every install. This and many utilities from my unattended dvd really go a long way to allowing me to go about pretty much problem free. Not keeping any potential sensitive data on my computer is also a good dose of prevention. USB sticks are great for that, or if you have a local network.

My server however does have a firewall installed, and locked down very tight. I set it for my access only with various tricks.

So where does that leave me? With an AV that pretty much takes care of itself, a 0 day/HIPS application that rarely presents itself and a firewall that only gets used when digging. Only 3 ports open on bootup. A good alternative browser that is filtered with Proxomitron or a sandboxie browser. That is pretty much it. Other tools used only when needed.

Not what one might call the uber or ultimate setup. But it is all pretty much scripted install or painless setup. And no nagging 'allow this' screens to speak of.

So what of system security? No firewall? So what. I only install what I know. I have a sandbox or vmware to play with new stuff. I don't really want to clutter up my OS anyway any sooner than is needed.

There are many many other tweaks that make using my computer streamlined. I want to code that script or play that game or listen to that cd or watch that movie or research that bug or shop for a new lcd monitor, not spend hours saying 'yes you can go out on port 567 using TCP protocol' or 'no, do not allow global hook'.

Roll your own dvd install I say. 20 minutes and 2 cups of coffee later you have your fresh OS installed, all your apps in place with minimal setup left. Don't like it? Contract a bad virii? 20 minutes and 2 cups of coffe later you are back to fast booting sweetness. Find a new killer app? New set of backgrounds. New reg settings to speed up that DNS cache? Roll another dvd in an hour, and 20 minutes and 2 cups of coffee later you have a brand new install, complete with your new favorite additions.

Edit: Almost forgot to mention a nice one. Often I have disabled my network connection when doing things. I always hated having to go into the network properties to enable it. I dug around and wrote a vbs script to toggle a named network interface enabled/disabled. Eventually I incorporated that into an AutoIT application. Another good one that is really easy is to make a couple batch files that use netsh to change your gateway to something that is not a gateway, such as 192.168.1.200, and another batch file to set it back to normal, ie. 192.168.1.1. Very easy way to just unplug access to the net and do your thing. I find myself using both of these more and more. Tis too simple to just unplug it rather than some 'block all' in a systray menu.

Sul.

 

What about rootkits, that infect your hardware components ? Even restoring a clean image, won't help.

 

Too true. What does a firewall, (not a firewall suite mind you) have to offer? Component control for an outgoing app? Hash check etc? What does an AV do? Avira 'supposedlyl' has a rootkit scanner onboard, although I have not tested that. What of Threatfire? Is it a HIPS or a 0 day alert type thing?

I concede, that if those products do not protect, then what will? For that matter, what would be the most common way to even be the victim of one of these?

Ah, as I have only spent a very brief research session with rootkits, I have not the knowledge to answer your fine question.

So what of it? Do the apps I have listed not give adequate protection? Please do enlighten me if you have some readily available wisdom to impart, as I have too much to do in the next few days to give much time to researching it in depth.

Thank you.
Sul.

 

The good guys have already proven, that such rootkits can be created.
When the good guys can create them, the bad guys will certainly create them or created them already, it doesn't really matter.
You don't even know you are infected and they don't need your harddisk to operate.

You can only hope, that your security softwares will kill them in time and that such rootkit will never hit you, one hit is enough.
My enthousiasm of protecting my computer as good as possible is over and security softwares fail too much, alot more than recovery softwares.
I can only do my very best, but the days of simple malware are over, now we get the worst.

 

Well, that sums up my opinion as of late. Thus I seek a level of protection that will theoratically stop most common issues (which should have been taken care of by my habits already) with minimal impact or intervention. Quite frankly, the time I have spent protecting myself from unseen horrors could have been invested in making more than enough cash to buy a couple new computers. I have no more time to devote to this.

Thanks for your time though.
Sul.

 

This discussion exemplifies why I tell my teenage kids' friends to get MACs.

At least for the time being, they are not subjected to the world of malware that we see on these sites.

Yes, a comparable MAC is about 30% - 40% more, but if it allows a student, or anybody else for that matter, to avoid dealing with all this crap, it's worth it.

And more worth it for me, who doesn't have to worry about the hours of frustration running hijack this, ultimate boot cd, vundofix etc...

 

This is indeed true, it's a pure waste of time to get something back,what you had already in the beginning : a clean computer.

 

I'm sure it's a hobby for you Erik, trying to keep one step ahead of the game.

I also enjoy it, and learning about the inner workings (to the degree I can) of Windows.

Like you I image, so I'm not too worried, but when it comes to helping friends and family with their 'slow' or 'unresponsive' Windows PC's, it's a royal pain in the arse.

I just don't (yet) have these same problems with my kids MACs, and they don't even have a basic AV on them.

 

Yes it's a hobby. Although I work in the computer department of our company, I have nothing to do with computers. My work is analyzing people's job, document flows, data flows, document design, screen (GUI) design, ...
I don't even know on which computer the application will be programmed : mainframe or pc. Our programmers take care of that.
Sometimes there is no programming at all, not profitable enough, ... in such case I improve the manual job.
At work, I use my computer as a sophisticated typewriter, I'm not allowed to do anything else with my computer.
I'm usually on location, hardly in the computer department itself.
I was a beginner programmer for awhile, but a bad one and I didn't like the job, but it was long enough not to be fooled by other programmers, when they tell me, it isn't possible.

So I have to do it all at home and I would be still in the Dark Ages without having forums and internet.
My recovery (IB + ISR) is finished, I can't do much better anymore.
My security however can still be improved, I don't think a router, firewall, Anti-Executable and DefenseWall is enough. It's a pity I'm not a malware expert, so most of my anti-malware is based on logical thinking and guessing without having real knowledge.

 

To continue this fine discussion, I have tried out many many more firewalls. It is amazing how many you can dig up if mr google is cooperating.

Regardless to say, finding just the right one is always a lesson in patience. I did find one that looks interesting, although what little feedback I could find on it seemed somewhat negative. Isafer. It is supposed to be a portable firewall. lol, I don't know about that. It is open source, and if I used the installer, seemed to work ok. Pretty simple, with a basic choice of allow based on exe or based on ip rules. Worked well enough.

I stopped using TF and started using DSA. DSA is, again, somewhat lean, but works very well, uses little resources and is free. Granularity is missing, but it performs well enough. It has also 'supposedly' a firewall portion built into it. I have not been able to verify that yet.

So currently am testing DSA for applications, especially things like injection. It handled a particularly nasty virii in VMWare very well. Even allowing it brought up more prompts telling me bad stuff was happening.

In additon to DSA and an anitvirii, I am using SoftPerfect firewall. It is very small, like 1-3mb footprint depending. It handles many protocols (lacking in many others), give prompts for new rules if in learning mode, has capability to turn logging on or off and does do DNS resolving when in learning mode. I have used it many times before but always liked the per exe basis better than just per protocol/port/direction approach.

In slimming down, it is performing well. I tried to use Isafer in combination with SoftPerfect, where Isafer was only watching for exe and if allowed was doing nothing else, then SoftPerfect would pick up with it's simple rules. It works very well and as a whole the two only use about 10mb. Don't know if using DSA is the same thing or not.

Cheers.
Sul.

 

until now i'm using Returnil and SBIE (for restrictions) as my only resident security.
for on demand MBAM and SAS to scan once in a while.
for last resort,imaging and FDISR.
yes i'm behind a NAT router.
using it now for 4 mnd and happy with it.