The wisdom of using Windows without on-access AV scanning?

Discussion in 'other anti-virus software' started by Gullible Jones, May 9, 2009.

Thread Status:
Not open for further replies.
  1. Hi everyone... For various reasons, I recently gave up on Linux, and am now using Windows 2000.

    The good: Windows is lighter and faster than Linux, by a long shot.

    The bad: it seems to need antiviral software, and said software tends to bog it down a lot.

    (Part of the issue might be my current use of Threatfire, but I'm not really sure.)

    Anyway, I'm wondering if a Windows setup with only on-demand scanning would be considered problematic. I could do things like running day-to-day stuff as a restricted user and installing things with RunAs, using Sandboxie for programs that access the internet, and running software firewall; but would that be enough, especially given the probable unfixed vulnerabilities in Win2k?
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    If you know what you're doing, and it sounds like you do, then you'd probably be ok with just on-demand. TF indeed will slow things down a bit too btw. Check out the LUA/SRP threads here at Wilders also, for more useful info.
     
  3. vizhip

    vizhip Registered Member

    Joined:
    May 2, 2009
    Posts:
    83
    I think I would run my e-mail through sandboxie as well to prevent anything from getting in that way...

    By making all external points go through sandboxie, you limit your exposure and vulnerability...

    Another thought is to add another hard drive and obtain a software package to create an image backup of your system so that you can restore quickly in case something DOES manage to get through...

    Windows 2000 is a great operating system, but it does have a few vulnerabilities, even with the available software. Many companies have discontinued support of 2000... so mainly you have to make up a lot of it by careful behavior on your part...

    Regards -
    -Bob
     
  4. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
Pick up a copy of Windows XP. Second-hand / discount copies are both quite cheap.

    And you don't need an AV if you are a smart guy and understand your processes.
     
  5. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    As you seem used to the unix/linux world, my wild guess would be to use group policy / SRP while running under limited account as Kerodo proposed.

    I am not saying you won't eventually need an AV, at least on demand, but it seems it would be the best way to start a secure use of windows...
     
  6. Thanks guys (and gals).

    This group policy/SRP stuff - are there any online resources on it?
     
  7. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    The bible:
    http://technet.microsoft.com/en-us/library/cc786941.aspx
    and
    http://www.mechbgon.com/srp/

    Some discussions:
    https://www.wilderssecurity.com/showthread.php?p=1230623#post1230623
    https://www.wilderssecurity.com/showthread.php?t=232857
    https://www.wilderssecurity.com/showthread.php?t=197456

    Be careful though, I don't know the differences between Win2000 and XP... But you could find some good info on technet and windows site.
     
  8. Thanks.

    Huh, I didn't know about IE7's protected mode. Interesting, I may have to try that. It looks like Microsoft is really cleaning up its security act.
     
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Protected mode works only on Vista, as part of UAC policy.
     
  10. Oh. :\ And Chrome doesn't work on Win2k... Shame. Guess I'll be sticking with Mozilla then.

    (There is a way of getting Chrome to work on Win2k, supposedly, but it seems to involve patching the kernel with a dubious third-party binary patch. No thank you. :eek: )

    Although, regarding all these extra security features in XP - I may wind up buying a copy of XP Pro, if it's that much better.
     
  11. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    If you get XP family premium, then you can follow the steps from tlu's thread about SRP, especially one of his last post where he gives the registry tweak as a .reg file.

    If you have the pro version, then fair enough, you have everything to play!
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    SeaMonkey and K-Meleon are both very good on 2K.

    Win2K can be run safely without an AV. I haven't used one on 2K in the last 2 years. You can build a very effective restricted or user mode with classic HIPS. I use SSM for this but there are others that will work just as well. A potent combination would be classic HIPS defending the OS itself, a good firewall to control traffic, and SandBoxie to isolate the attack surface (internet apps, software that opens files from outside sources, etc), and a non-MS browser.
     
  13. HIPS... Hmm. Is OSSEC good for that or is it only Intrusion Detection?

    And how about hardening tools? I've found Seconfig already, but how is Samurai? Is it still any good, or is it obsolete as of 2.7?
     
  14. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    What post from tlu?

    What means ACL?
     
  15. If it's the same thing as on Linux, then it would stand for "access control list".
     
  16. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Gullible Jones,

    I've been a happy user of Win2K for years. As others have noted, you seem to know what you are doing, and noone_particular's advice will keep you protected.

    Yes, Win2K is light and fast. Unfortunately, there will come a time when other new software won't work on it...

    But until then, enjoy!

    ----
    rich
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Lucy,

Unfortunately, SRP is not available on Win2K. Its Group Policies are very limited compared with SRP. Here's what it looks like:

    [attached image: Win2kPolicies.gif]

    An informative early (2001) TechNet article mentions this:

    http://technet.microsoft.com/en-us/library/bb457006.aspx
    Things have certainly come a long way!

    ----
    rich
     
  19. ... Wow. Shame about that.

    Hopefully hardening, a good HIPS program, and running as a restricted user will be enough...

    (Still looking for a free HIPS program BTW. Currently using Samurai, but it's more hardening software, seems kind of limited in the HIPS department.)

    Edit: Scratch that, I just saw Samurai in action when I tried out the free version of PrevX... Pretty nice, it detects when drivers are loading and asks me if I want to load them or not.

    (The driver in question was part of PrevX. Funnily enough, PrevX and Samurai seem not to like each other; PrevX reports Samurai as adware. I wonder why.)

    Edit again: Hmm, I do not like PrevX. On reboot, it tells me my system is infected without specifying what the agent is... and then prompts me to scan the system, and shows no infectious agents detected. I don't appreciate that sort of rubbish from security software.
     
    Last edited by a moderator: May 10, 2009
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Trust No Exe runs on 2000; it is an easy replacement for SRP. Simply apply a deny execute from user space.

    Surun is an easy way to implement LUA under 2000 (like in unix, you will like it)

    Regards Kees
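An added illustration (the editor's, not code from any poster in this thread): Lucy's SRP suggestion and Kees's Trust No Exe both come down to the same policy shape, default deny plus an allow list of system directories, with the most specific matching path rule deciding. The Python below models that evaluation so a rule set can be checked before it is applied; it touches nothing on Windows and runs anywhere. The environment values, the rule set, the assumption that %SystemRoot%\Temp is writable by limited users, and the "SomeApp\plugins" folder are all constructed for the example.

```python
"""Model of the path-rule policy that SRP (XP/2003) and Trust-No-Exe (Win2K)
enforce: default deny, an allow list of system trees, and the most specific
matching path rule wins.  Added example; it only evaluates path strings."""
import ntpath
import re
from dataclasses import dataclass

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Constructed environment for a Windows 2000 box (not read from the OS).
ENV = {
    "SystemRoot": r"C:\WINNT",
    "ProgramFiles": r"C:\Program Files",
    "USERPROFILE": r"C:\Documents and Settings\gj",
}


def expand(path, env):
    """Expand %VAR% references case-insensitively, as the Windows shell does."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def canon(path, env):
    """Expanded, '..' collapsed, forward slashes fixed, lower-cased:
    NTFS paths are case-insensitive, so rules must compare that way too."""
    return ntpath.normcase(ntpath.normpath(expand(path, env)))


@dataclass(frozen=True)
class PathRule:
    path: str    # may contain %VAR%; a directory rule covers its whole subtree
    level: str   # DISALLOWED or UNRESTRICTED


class SaferPolicy:
    def __init__(self, default_level, rules, env=ENV):
        self.default_level = default_level
        self.env = env
        # canonicalise each rule once, keep the original for reporting
        self.rules = [(canon(r.path, env), r) for r in rules]

    def matching_rule(self, candidate):
        """Longest (most specific) rule whose directory contains the file."""
        target = canon(candidate, self.env)
        best = None
        for prefix, rule in self.rules:
            # match on a whole path component: C:\WINNT\Temp must not
            # also cover C:\WINNT\Temporary
            hit = target == prefix or target.startswith(prefix.rstrip("\\") + "\\")
            if hit and (best is None or len(prefix) > len(best[0])):
                best = (prefix, rule)
        return best[1] if best else None

    def decide(self, candidate):
        rule = self.matching_rule(candidate)
        return rule.level if rule else self.default_level


# The shape of the SRP rule set in the guides linked above, reconstructed:
# deny everything, allow the two system trees, then deny again the one
# folder inside an allowed tree that limited users can write to
# (assumed writable here; check the ACL on your own box).
SRP_LIKE = SaferPolicy(DISALLOWED, [
    PathRule(r"%SystemRoot%", UNRESTRICTED),
    PathRule(r"%ProgramFiles%", UNRESTRICTED),
    PathRule(r"%SystemRoot%\Temp", DISALLOWED),
])

# Plain "deny execute from user space" as Kees describes it, modelled as
# the same allow list without the extra deny rule.
TNE_LIKE = SaferPolicy(DISALLOWED, [
    PathRule(r"%SystemRoot%", UNRESTRICTED),
    PathRule(r"%ProgramFiles%", UNRESTRICTED),
])

# Constructed list of folders a limited user can write to on this box.
WRITABLE = [r"%USERPROFILE%", r"%SystemRoot%\Temp",
            r"%ProgramFiles%\SomeApp\plugins"]


def writable_holes(policy, writable_dirs):
    """Folders a limited user can write to where execution is still allowed,
    i.e. where a download could be saved and then run despite the policy."""
    return [d for d in writable_dirs
            if policy.decide(ntpath.join(d, "x.exe")) == UNRESTRICTED]


if __name__ == "__main__":
    for p in [r"%SystemRoot%\system32\cmd.exe",
              r"c:/winnt/system32/cmd.exe",
              r"%USERPROFILE%\Desktop\funny.scr",
              r"%SystemRoot%\..\Documents and Settings\gj\funny.scr",
              r"%SystemRoot%\Temp\dropper.exe"]:
        print(f"{SRP_LIKE.decide(p):13} {p}")
    print("holes under SRP-like rules:", writable_holes(SRP_LIKE, WRITABLE))
    print("holes under plain allow list:", writable_holes(TNE_LIKE, WRITABLE))
```

writable_holes is the check worth running after writing the rules: any folder a limited user can write to that still evaluates Unrestricted is where a downloaded file can be saved and launched, which is exactly the gap the extra Disallowed rule for %SystemRoot%\Temp closes, and an application that loosens the ACL on its own Program Files subfolder opens the same gap under either tool. The model only does path rules; real SRP also has wildcard, hash and certificate rules, and an on-demand scan still has a job for whatever runs from an allowed location.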
     
  21. Ooh thanks, I'll check out Trust-No-EXE; that looks really cool. I'd also try SuRun but unfortunately I've already switched to admin mode. :(
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Does not matter, just create a second admin, or unhide the internal admin
     