What is the best security setup?

Hi guys I was wanting opinions about the best and most effective programs and combinations of programs that provide the most secure computer possible at the present time without too much resource use or expert knowledge needed.

I'm a pretty average computer user myself but from what I've read please include(if needed):

*Firewall
*Antivirus
*Antimalware
*HIPS
*Proxies
*System hardeners
*Any other programs required for maximum security

I'm looking for the optimal setup and I bet some of the pros in this forum can formulate a lethal combination to knock out the security threats that linger in the darkness.

 

Firewall: Router (Zyxel P334) + Software fw (there are numerous free ones. I'm using Sygate until a find a replacement).

AV: Avast

Antimalware?: You mean antispyware. Ewido

HIPS: Don't use it

Proxies: Proxomitron (don't use it because of Sygate)

System hardener: HostsMan, Spywareblaster, ID-Blaster Plus & Windows Worms Doors Cleaner

Any other: Run a limited account when accessing the Internet, Sandboxie, Browser - Firefox with numerous extensions (adblock plus, no-script, user-agent switcher, Dr-Web anti-virus link checker, no referrer, etc., etc.) & common sense.

 

There is no single best setup. The best security package is one that matches your skill level and is compatible with your OS and software.
As for your list, A firewall is a necessity. It's one of the most important parts of a security package, IMO more so than an AV. If you ask which is best, the replies will name most of the better ones. I'm partial to Kerio 2.1.5, an older rule based firewall that's very light.
HIPS applications are one of the best security developments around for Windows. Long overdue, real security that doesn't rely on constantly outdated signature or reference files. I like System Safety Monitor, a very powerful and highly configurable application. Proxomitron is well worth looking into, but not the easiest program to work with. Properly configured, it can serve as a script blocker, popup blocker, ad blocker, and much more. There are packaged configuration files available for it that are pretty effective. The more you learn about how it functions, the more you can do with it.
Regarding anti-malware and anti-spyware apps, a well configured HIPS can make these unnecessary. I'm also convinced that HIPS can replace a resident AV, provided the user configures it well and makes informed decisions as to what is allowed to run. That said, HIPS is not a replacement for an AV scanner. While a HIPS app may prevent a virus or malware infected file from attacking your system, it doesn't stop you from sending it to someone else, such as an infected e-mail attachment. Depending on the HIPS application you choose, you might also want something to protect your registry. System Safety Monitor does this as well. Proxies are more for enhanced privacy than security. I use one occasionally but not for normal usage. System hardening is always desirable. Other items you might want to look at are file integrity checkers and file system monitoring apps. A secure file deletion app like eraser is also very useful for keeping temp files, the browser cache, etc cleaned out. Something to control what scripts are allowed to do is also useful. I like Script Sentry for this purpose. If keeping your files private and unavailable to others is important, you may also want to look into encryption software, both for your file system and for e-mail.
It isn't hard to go overboard with security applications. Anti-spyware and anti-malware apps are the ones this most often happens with, since none of them detect everything. All of them together don't detect everything.
The best way to start a security package is to begin with your core software. I consider the firewall, HIPS software, and Proxomitron to be the most important parts of my package, with the rest having supporting roles. A lot of people also consider the AV as part of their core system. HIPS controls what is allowed to run, and depending on which HIPS you choose, it can also control what each executable file is allowed to do and what else it can start. System infections are either running processes or are installed by a running process. If an infecting process can't run, it can't infect you, which is why I consider HIPS to be part of my core security. Other people don't consider HIPS to be that important. You'll have to decide on that for yourself.
Rick

 

very good post herbalist

anyways heres what i use:

Firewall - looknstop

Antivirus - nod32

Antimalware - ewido

HIPS - prevx1

Proxies - proxomitron

System hardeners - windows worms doors cleaner, harden-it, bugoff

Any other programs required for maximum security - nlite, peergaurdian, extensions for firefox (javascript options, permit cookies and siteadvisor)

in addition, i also disable any unnecessary windows services

 

I'll suggest a few programs that I have experience with and hold in high regard.I won't say that any of them are the "best".Opinions can vary with different individual users.

AntiVirus
Avira(AntiVir)is a free a/v program.They have a Premium version that may be very good too.

Firewall
I like Comodo.It's easy to use and gets "Tru Stealth" at Shield's Up.

Antimalware
BoClean Worth the $.
Free scanners like Ewido,A-Squared,and SUPER Antispyware are good options.
Spyware Terminator is fairly new and free.It has a scanner plus real-time monitoring.

 

I'd stay away from this application. It is linked to spyware.

I actually had pop-ups via IE in the start menu linking to Sniff'em (another product promoted in the page where I downloaded Harden-it) which kept on coming back even though I got rid of H-it. I ended up uninstalling IE and now everything seems fine.

Here's McAffe SiteAdvisor analysis:

http://images6.theimagehosting.com/0.f4f.th.png


http://images6.theimagehosting.com/1.751.th.png

 

the product itself has given me no problems, so ill stay with it. i dont care about the website.

as for bugoff, i may consider just keeping it on my dads computer since he does use IE.

 

First and foremost...get behind a router. I flat out will not support any home users PC that is not behind NAT.

If a PC is plugged directly into a broadband modem that is in pure bridged mode..that PC will have a public IP address. And be subject to all the bad "noise" from the internet...all the bad stuff out there.

Do not leave your Administrator account with a blank empty password.

Run all Windows updates.

Run a top quality antivirus program. Now..here's where all the opinions turn more into who favors what, "fanboy" stuff, where most people figure what they're running..is what's best. Several good options here. Similar to anti-spy and anti-malware programs, and which browser to use.

 

so u recommend even users of a standalone computer shell out for a router (with firewall) even if they dont need a router?

 

A router is the foremost layer of defence against external intrusion. Compare it as the bricks of the house.

A single home user in here, and you still need it.

Know some users who don't even have a software firewall, others just the built-in Windows one. If I wasn't a P2P user I'd completely prescind of one.

Regards.

 

YeOldeStoneCat,

So,you recommend a router for single home pc on dialup?
I thought that was not neccessary.

 

Router: D-Link DI-624

PC firewall: Usually Outpost Pro 3.51, but trialing Comodo 2.3.4.45

HIPS: System Safety Monitor free

Antivirus: NOD32 with antispyware detection on

Pop-up/ad blocker: Ad Muncher

Browser: Firefox 95% of time

Also using Ad-aware for on-demand scanning.

 

{firewall} {Anti Virus} Kaspersky internet security 6.0.0.303e

{Anti Spyware / malware/} Spyware Doctor 4.0 / Ad-Aware plus/eTrust PestPatrol

 

For dialup, no since you don't have an always on connection, and it is difficult since most cheap grade routers only have ethernet ports

Cheers,

Alphalutra1

 

If you always run as admin on Windows XP, what is the protection benefit against online, not local, attackers?

 

Yes...I don't like any end user PCs that have a public IP address. A NAT router takes away sooooooooooooooooooooo much of the garbage that flies around the internet. It shields a computer from all the noise out there...without it..your PC is bombarded within seconds of being online..if it has a public IP address.

Those of you on this forum who, like me, work on computers for a living...I'd wager a few pints of Guinness...that would notice a trend...PCs that happen to be plugged directly into a broadband modem, having a public IP address, seem to always be infested to a greater degree. Oh sure there are a couple here who will disagree just for the sake of disagreeing..but I'd wager the silent majority are nodding in agreement.

This is not to say that you cannot have a computer on a public IP address..and be safe. Sure you can. But it takes quite a bit more work..that machine has to be 100% locked up tighter than a nuns butt the second it's plugged in. And it requires more frequent attention..because you're relying on software to protect you. And software can break. Software can have vulnerabilities. Software can be more easily defeated.

A router, by default, it's a brick wall. You can take your brand new PC...plug it in...and safely begin your windows updates, installing your AV, other precautions..and begin to use it rather worry free.

They're dirt cheap these days...picked up for practically pocket change. It's such a reliable first line of defense...stopping the majority of problems at the front door. Stopping all the attacks on the PC(s) that the user is not in charge of. The rest of the PCs health..is in the hands of the user. Needs the user to intentionally do something now to infect it. IE visit bad websites, use P2P file/warez trading software, inappropriate e-mail handling, etc.

 

A lot of problems can hit your PC assuming the Administrator password is left <blank>. I'm separating this from local user permissions..that's a whole separate issue that boils down to end user awareness. From some worms, to the most amateur script kiddie...take a PC..leave the Administrator password blank..and go plug it directly into a broadband modem, or stick it in the DMZ of your router. Wait a little while. After a short period of time..check out that PC...I'd love a penny for every person that had full access to c$ and remote registry service and during that time period.....I'll go by myself a nice new BMW Z8.

 

Thanks YeOldeStonecat.
If you take that same PC (with no router or hardware/software firewall) and instead put an admin password on it, it will still get infected, only not as fast?

If computer is in DMZ do you recommend running as LUA (Limited User Account)?

What is the best (bang for the buck) NAT router that you've seen with a dial up modem fall back that would be good for average home users with dial up now who might later get broadband?
Or do you not recommend using these routers on the fallback dial-up as primary connection (maybe because the fallback doesn't work well)?

Here's one example:
http://www.b2net.co.uk/multitech/multitech_routefinder_dialup_router.htm
tech specs:
http://www.superwarehouse.com/ROUTEFINDER_4PT_10_100_SWCH_2PT_RS233_WAN/RF102S/p/51135

I haven't seen any strictly dialup routers since the old WebRamp.
Are there still dial up only NAT routers made?

 

Here the the best setup with the smallest hit to system resources.

1. Nat routing of your internet connection with all ports ghosted and firewalled.

2. Browsers / Outlook sandboxed (sandboxie)

3. Web based AV to check downloaded files/ weekly check (trendmicro is good)

4. Antispyware scanner to clean you system after excepting necessary cookies for gmail, ect.

I know people on this board will go craZY telling me you need outboand protection via a software firewall. Firewalls have a variety of ways to be circumvented.

1-4 will provide more then enough protection, and at no cost to system resources. The sandbox will also kill the need for realtime spyware/AV.

The best Security = 1 - 3 + Process control. A bit more obtrusive, but in my opinion worth it. Ghost Security is what I use and Appdefend has network control. Other good process guards are process guard and SafeNSecure.

 

Ahh,a man after my own thinking.

http://www.techsupportalert.com/best_46_free_utilities.htm#4

http://www.grc.com/securitynow.htm

Browser FF with Noscript run through SANDBOXIE!

Kav 6 and SAS as on demand.

 

This is only preferences....just my preferences as to what I want to support.

Honestly..technically being on dial up, you're still at risk from many of the things out there. IMO, it's not a matter of how long you're on a certain IP address. The hackers out there run a scan and pick you up..doesn't matter of you were on a different IP 5 hours ago, or you'll be on a different IP yet again tomorrow..the fact is..you're on a public IP RIGHT NOW..and picked up. Now..dial up, painfully slow access to a PC, they'll move onto easier targets..most likely. But the other part, actually a big part, of my point is...when there's stuff spreading like wildfire across the internet..some new worm that exploits a new vulnerability in Windows for example. Some DCOM or RPC exploit. PCs with public IP addresses are potential targets.

Someone will say "But I have a software firewall...that protects me, right?" Yes...they do. But..IMO...it's software you're relying on, potentially it can stop as a service, potentially it can be exploited by something (Symantecs has had a few exploits that drop it)...it's not 100% worry free. IMO..a router is, by default, must more 100% steel door blocking everything. I prefer NAT.

Dial up routers...yeah I remember those WebRamps...I've setup a half dozen or so of those years ago...had some models that supported 3x modems 'n stuff..Multi-Link or Colt style. 3COM also makes similar ones, naturally using their own modems internally, I've setup a few of those. OfficeConnect LAN modem or something it was called..dunno if you can still purchase them new, bet you can find some onf Fleabay. There is a wireless dial up router also, WiFlyer...currently in production.

Broadband routers with dial up for backup...last one I saw was an SMC model, which I can't stand anyways...so I don't have any rec's there.

Admin vs Limited user account...this will perpetually be up for debate. It has nothing to do with securing your PC from outside attacks if you're on a public IP or even on a large LAN (such as a college network). If you're logged into a PC with an LU account, and you leave your PC with a blank admin password...and if I can get to your IP address..and you don't have a software firewall...your PC is mine. The LU account only cuts down on the potential damage that current user can do to that PC during their logged in session. IMO good from keeping the little kid from hosing a PC as fast as he can...but not good for much else, I don't practice it...and since I support SMB networks for a living..all of them are networks that have users with local accounts that are in the local admin group out of necessity..but I have the PCs comfortably protected IMO and maintained..and I don't get issues.

 

Hello,
Windows-wise:
Best security setup - adapted to your needs.
That said, you just need a nice firewall and Firefox (with some magic dust added). Everything else is perks.
Mrk

 

Thank you for the answers and explanations YeOldeStonecat!

 

Sorry for sounding rude - but this is ridiculous. Everybody interested in this topic should read what Microsoft is saying about this including the links therein, especially Aaraon Margosis' Blog with his MakeMeAdmin approach.

 

Simple.

NAT route your internet connection w/ all ports ghosted

Use firefox for surfing with Javascripting turned off

Some sort of process control (ghost security, ect)

Sandbox your browser (sandboxie, greenborder, ect)

Run Browser/ Outlook as a limited user, using DropMyRights

Sandbox your POP mail and set mail viewing preference for Rich text (not HTML)

Dont download "free software"

Use Online virus scanning like trendmicro to do weekly scans.

Keep patches up to date.

The security setup I have described I have been using for over a year, w/o getting even 1 virus/ trojan/ ect. I do use a couple of spyware scanners, but all they usually come up with are tracking cookies which I have now taken care of with the sandbox. This setup will have a fractional impact on your system in terms of memory/ cpu time.

Dont believe the hype that you need a high impact firewall/ AV/ realtime spyware scanner to remain safe. Just a scare tactic to to sell product.