What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
I find Malware Defender with Sandboxie or DefenseWall is more than enough ;)
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I am trying that combo out at the moment, see https://www.wilderssecurity.com/showpost.php?p=1444539&postcount=4531

Drive Sentry's community voting is good enough for 95% of the pop-ups (I have set auto allow on 10 votes), so in practice other family members will have no trouble making a choice (because all community voting seen until now makes sense; for the remaining 5% you will get a pop-up with a simple display). First layer is GW with network set to confidential (meaning no untrusted sources are allowed to access the network unless explicitly allowed).

    Idea behind this setup
1. GeSWall as simple firewall and containment for internet facing apps, with Chrome extra contained with the GW virtualisation option set to REDIRECT.
2. Drive Sentry only protects the C drive plus registry; this is a precaution for social engineered installs (setting it to trusted with GW).
3. AVG Free checks downloaded files on the D:\Data partition (they can not be saved on the C:\Programs partition due to GW restrictions); this is a precaution to prevent spreading malware to others by forwarding downloaded stuff. It also filters out known bad guys at download.

Seems to work in practice with good performance. You can test that LinkScanner is working with http://www.explabs.com/test/

Blackcat makes a point, why change when it is not broken (to quote another Wilders member), but the advantage of GW over SBIE is that on my rig Chrome loads cols within a second (E5200 is a cheap low end dual core, mildly overclocked to 3,06 GHz).

    Regards Kees
     
    Last edited: Apr 12, 2009
  3. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
Thank you for the info - I was using Drive Sentry some time ago, however I did experience many BSODs due to incompatibility between DS and SBIE. I hope that this has already been solved.

    As for the current setup - it doesn't have much performance hit on my overclocked hardware, however I really think of trying something else, maybe a different (and lighter in the way that I'd be using less resident software) approach, consisting of GesWall, or whatever.

Moreover, I make extensive use of Returnil, so in the light of this my current setup will probably change its state soon :)

EDIT: Why TF instead of DS? (btw. TF is one of my apps that makes me wonder if it's actually there, due to very few alerts, even when Sensitivity Level is set to 4; this is one aspect, the other one is the matter of how much it overlaps with CIS)

    Regards
     
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    You can therefore definitely lighten the load.

    My initial comment on TF was a straight comparison between it and DS; IME it is quieter and picks up a lot more threats. The decreased number of alerts is a reflection of the intelligent way in which TF works and is not due to it missing malware.

    But as mentioned previously if you are using CIS, do you really need additional behaviour blockers/HIPS?

I am now using just a Sandbox and a HIPS/Behaviour blocker in real-time together with UAC and Norton's UAC Tool; a very light setup but giving good protection.
     
  5. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    This is an interesting concept. I have two questions though:
    - why AVG? (instead of, for example, Avira or Avast or any other classic AV)
- I have two separate hard drives: one (WD Raptor) for system and the other for data, archive etc. I often use Returnil and save my data on the second physical HDD, and I wonder if it wouldn't be interesting to try GesWall for restricting writing to C:\ instead of Returnil? (just asking out of pure curiosity, of course I have a notion that both of the above apps present a different approach)

    Thank you for the link.

Right, "if it ain't broke, don't fix it", but on the other hand I must honestly admit that I am a little bit bored with my current setup; I just feel like trying something new and different (yet I'd rather stick with CIS).
Last, but not least, you are right with your remark on the E5200 - currently I use an E4500 OC'ed to 2.93 GHz and it's running _very_ cool.

    Kind regards
     
    Last edited: Apr 12, 2009
  6. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    I was assuming this, good to know that I'm not (?) mistaken :)

Well, AFAIK CIS is a HIPS and TF is a BB, so they should complement each other if my way of thinking is correct. Nonetheless, it is quite possible that they overlap each other in some way.

    Still XP here ;)

    Regards
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
I have gotten a GW Pro license from Brian, since I discovered some bugs when they just launched. After infecting myself I was looking for a user friendly blacklist/soft HIPS, so I purchased a DS license (only 10 euros lifetime) to protect the C:\ partition and exclude the D:\ partition. I added a second AV to watch D, because DS is very good at 'in the wild' viruses, with its tickle update (immediate update), and less at 'old/zoo' viruses.

First, why AVG. My first choice was Avira (its heuristics are impressive). I can set this to check at writes only (since I am using a policy HIPS, there is no need to check existing executables). Then Avira missed the trojan hidden in the "through the eyes of a keylogger" test (which I set myself to trusted :blink: ). At the moment of notification only three paid major AVs did detect it (DS also did, by the way :thumb: ). Since I had DS watching C:\, I wanted to exclude protection of C; this did not work and I noticed some minor collisions between DS and Avira Free (e.g. right click CCleaner start caused a hang up).

Second choice was Avast (I like the fact that the freeware is fully functional including GMER based rootkit protection); it works well with a fully functioning webscanner and e-mail protection. I can set it to check at writes only also. Only when adding C:\ to the exclusions, it still scanned my C:\ drive's files when writing (possibly a user friendly restriction to prevent users from making stupid exclusions like the C:\ drive).

Third choice was AVG, which can not be set to check at writes only, but its exclusion of a path (C:\) works like a charm. AVG's startup reading I/O is about 40 x more than Avira and 30 times more than Avast, still it slows system start by only 2 secs. On the benefit side is the fact that AVG is as fast as Avast (Avira felt a bit slower, despite the fact that it uses the lowest CPU time and performs less I/O than the others). The new 8.5 has LinkScanner's exploit shield included, which works both on IE8 and Chrome. So path exclusion and LinkScanner made me try AVG.

GW by default protects C:\Windows and C:\Program Files plus the registry (no need to tweak the rules in the console). An application is only allowed to access its own registry keys. I have only extra contained Chromium, just allowing it to write to D:\Downloads, and redirecting registry and other file access (changes will be thrown away after Chrome closes). We use IE8 for banking and on-line shopping and Chrome for daily browsing. This makes GW act more like SBIE for Chrome specifically, not comparable with Returnil for your reference. All risky surfing is done with Chrome (I actually use Chromium, which always starts in -incognito mode). I prefer this over Firefox with the NoScript hassle etc. With Chrome you have the highest possible safety without losing functionality.

I have two web browser modes: IE8 is policy contained, and Chrome has its internal policy sandbox containing the rendering engine, while the Chrome application itself is virtually sandboxed by GW. Having read an article of Stanford University (estimating that Chrome is 70% less vulnerable than other web browsers) and the interview of the browser hack contest (stating that due to the internal sandbox Chrome was hard to crack), I thought: when Chrome is hard to crack with one internal sandbox, what about 2 sandboxes (one internal policy and GW virtualisation)? On top of that LinkScanner stops access to pages with known exploits.

I do not use partitioning virtualisation; I rather fall back to an older image (external off line harddisk). With C and D partitions split it is a simple task done in a few minutes (have you also moved your web address book and mail folders to D:\?). My wife has a solid state disk in her laptop (DefenseWall + ThreatFire). I always wanted a Raptor, but found it too expensive (now SSDs are maturing as a feasible alternative, I am thinking of buying an SSD also, a small 30GB OCZ Vertex).

    Regards Kees
     
    Last edited: Apr 12, 2009
  8. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Setting an AV to scan on write only, would that improve system boot times since files won't be scanned when Windows is trying to load them?
     
  9. demonon

    demonon Guest

    I guess that also depends on how early your AV loads.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Demoneye is right. AVG reads a lot more than Avast and Avira at startup, but the AVG driver seems to load earlier, so the theoretical 20 seconds delay (with my harddisk) results in only 2 seconds slower boot time. But in theory it should speed up boot time.

Firzen, I would only set an AV to check at writes only when you use a policy HIPS or have Limited User, Software Restriction Policy plus Access Control Lists implemented through the OS. Otherwise it is not good practice. When you have a RAID setup or a new harddisk with sufficient RAM cache, writes do not hurt system performance (since the writes are delayed).

    Regards Kees
     
  11. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
First things first, thank you for your detailed answer. Now let's move on. I'll quite possibly try GW. CIS is a very, very good product, but it ain't exactly user friendly nor "soft" in any sense - it's probably one of the first choices for someone who likes to test new things and always be on the cutting edge of current technology, but on the other hand, where I have a production machine and have to deal with a lot of other strange software, its pop-ups and some quirks can sometimes be troublesome.

Well, yes - its heuristics are top notch indeed, but - frankly - it turned out to be some kind of a double edged sword to me. In other words, and to make it more simple and precise: I cannot/don't want to rely on the signatures/heuristics of one AV. And this makes DS more interesting for me. What's more, here on Wilders there have been some reports of successfully using both Avira and DS, so this makes me wonder whether your experience with CCleaner was an isolated accident or not.

    Avast is quite popular here as well as is GMER, nevertheless some people had bad experiences with the former and I steered clear of it.

    Good to know :thumb:

    Well, in my case the thing is that I have over 20 plug-ins for Firefox and it would be hard to move to anything else, but this is just another call to consider Chrome as a secondary browser.

I've been using two (and more) physical drives for a long time (I remember having a first SCSI drive together with a DPT controller full of blinking LEDs something like twelve years ago) and to be honest, I'd never go back to a one-physical-drive setup (as well as, while having the same two discs, I'd never make a RAID setup). And, obviously, I can confirm that having two drives makes restoring a breeze (unless you've bought a new drive and didn't format it the proper way because of rush and now the system sees it as removable - now I have to borrow another drive and copy some gigs of data and format again so it has not a Simple but a Partition layout).

The idea behind purchasing the Raptor was something like "a 10K RPM HDD is quite something, so let's have that disk" - and what's more interesting, it turns out that such exotic (in some way) hardware keeps its price quite well, so the actual purchase was maybe even profitable in the longer run :cool: (the same applies to CPU heatsink, soundcard etc.)

    EDIT: don't know how about SSD disks but Raptor really excels with I/O intensive tasks like A/V editing and so on.

    Regards :)
     
    Last edited: Apr 12, 2009
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
I think CCleaner is an isolated incident, because the DS forum has lots of people also using Avira.

When you run CIS with the top square defenses unchecked, and all others on, it is really quiet. CIS works perfectly with GW (and it is a super fast combo). The only thing I still don't like about D+ is that after a pop-up it automatically creates a custom rule (with all asks, instead of copying the policy which triggered and an allow on that specific rule), so it has not got rule inheritance yet. I posted a feature request on the Comodo forum; I don't know whether they will implement it though, since I have had zero reaction.

    Regards Kees
     
  13. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
I'm just about to try DS once again, maybe with Avira, maybe not :)

Could you clarify what you mean by that? Thanks in advance.

I was trying some of your tweaks for TF and I found that it can be a really useful application; however, I encountered a problem - for example, if I set a rule with iexplore.exe and firefox.exe (control of launching both browsers by third party apps) it once displayed an alert and on the other occasion it didn't - now that I've restarted my system it looks like it works ok. Did you experience anything similar with TF?

    Playing with TF sparked some more questions, will post later :)

    Regards
     
  14. demonon

    demonon Guest

I found out I still had a Windows XP Professional disk stored somewhere and decided to install it on an old laptop.
It just has a 1.6 GHz processor and 384 MB RAM, so the setup has to be light.
This is what I have come up with:

    Windows XP Professional SP3 32 bits.
    Router with SPI capable firewall and NAT. Windows firewall.
    DNS server set to OpenDNS
    DEP for all programs.
    SRP to prevent executables loading from documents and settings folder.
    Drop My Rights to run internet facing applications in a LUA.
    Avira Antivir Personal Edition with check at write only.
Imaging to an external HD with Macrium Reflect free. I like the fact that it is done very fast because only 3.5 gig needs to be backed up.

    Firefox and IE8 as internet browsers.
    Proxomitron + Lastpass + myWOT + Noscript to complement browser security.
The latter one is installed on Firefox alone; IE8 is further secured by setting
the security level for the internet zone to high.

    I guess this laptop is ready for the scary internet.
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
Removed WinPatrol Plus and SpywareBlaster and added AppRanger ;)

    xp2:Malware Defender/AppRanger :)

    vista:DefenseWall/prevx/WinPatrol plus
     
  16. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Removed Rollback RX for a while.
    Now testing EAZ Fix.

    If it works as good or better than Rollback RX, I might consider this as my next option once my subscription ends.
     
  17. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    Previous setup:
    DefenseWall

    Vista FW + Vista FW Control

    A2 Anti-Malware on demand

    Shadow Protect

    New Setup:
    DefenseWall

    Online Armor RC2
- No noticeable slowdown compared to Vista FW + Vista FW Control

    Avira Premium
    - On demand scan with A2 takes 2.5 times as long as with Avira

    Shadow Protect
     
  18. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
I searched screenshots of EAZ-FIX and is it just me or does it look nearly identical to Rollback RX? o_O
     
  19. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
Seems to be an update for SpywareBlaster 4.2 but that's about it.. I have no slow down with what I use under my sig.. Below I did have to add m.webtrend.com to block in cookies under FF3.08 as this is one of those bad cookie trackers that seem to be showing up a lot more on PCTSDA.
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,785
    It does and from what I understand it is pretty much the same.
    I believe there's a third one also that is identical but can not remember the name.
     
  21. RSpanky

    RSpanky Registered Member

    Joined:
    Feb 27, 2009
    Posts:
    220
    Location:
    Arizona, USA
    Added Drive Snapshot
     
    Last edited: Apr 13, 2009
  22. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Yes it is almost identical :D

    I still prefer the original Rollback RX.
     
  23. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    avira (antivirus)
    comodo (firewall+HIPS)
    spyware terminator (realtime)
    sandboxie
    firefox

    also various on demand scanners for spyware but above are the most important
     
  24. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
    Zone Alarm Internet Security Suite
    SAS FREE
    DR WEB FREE
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay,

I have been trying to find a satisfactory setup for the shared desktop PC in the last few months, juggling with combos and licenses I have at my disposal. What strikes me is how difficult it is to find a satisfactory setup when there is more than 1 user.

What nagged me was that due to my experimenting I always felt the need for a second safety net (instead of a simple fit to purpose best of breed or integrated suite approach). This need made things complex because it had to be user friendly for my wife. So I thought she was the bottleneck.

On her 'travel' laptop she is very happy with ThreatFire and DefenseWall. DW never pops up and TF might have given a warning or two, but has the nice feature to search the Internet.

I have come to realise that in reality it is me who is the bottleneck. I am the one who infects our PC with my testing. In normal circumstances we are not likely to face our digital life with the risks I impose on it. What a strange addiction amateur security is. In real life I won't throw stones at my windows, just to check whether it is fortified security glass. In real life, I will not drive my car into my neighbour's car, because the bumpers can absorb collisions under 30 km an hour.

With this new perspective I have set up the shared desktop in an all silent setup:

0. XP Pro, no-execute SRP on the Recycler of both partitions, the Temp directories of Admin/All Users and the TEMP IE directory; Limited User rights on P2P/shared directories.

1. GeSWall Pro: with some Internet facing apps (Chrome and LimeWire) only allowed to access specific directories and registry keys. I have set the autostart folders, tasks and Outlook Express mail folders to confidential, and also limited Internet access for untrusted applications (set network to confidential with Windows FW on; we are also behind a router/SPI firewall). GeSWall is configured to be absolutely silent.

2. AVG Free with nice safe search and LinkScanner exploit shield (set to hide the AVG toolbar ;) ). AVG at first read about 1,6 GB at boot up. I do not know what I have changed but now it is a solid 176 MB. It does not increase I/O, only CPU time, when protecting all partitions. I have set AVG to remove threats automatically.

3. Rising PC Doctor Free: checked all startup items (manually with OSAM/Google) and marked them trusted, with daily memory sweep; set all protection on, except the browser plug-in (see 4); did not check how USB protection works.

4. Old freebie Browser Hijack Retaliator to silently stop all Search and Home hijacks (others disabled); also used it to disable the PC Doctor URL filter (now RPCDOC is still thinking everything is enabled :p ).

5. KeyScrambler Free for IE, display on icon (the KS pop-up is a bit too flashy for me, the icon is quiet :cool: ).

Only ActiveX, BHOs and plug-ins are not blocked or notified, just put in a limited rights container by GeSWall, so they can do no harm.

Browsing daily with Chrome (double sandboxed), IE8 for banking and on-line shopping. IE8 search results are rated through LinkScanner and the exploit shield works for both Chrome and IE8. IE8 also has the SmartScreen filter feature, a last check before on-line shopping. Bottom line: if we were now to be infected it is our own fault, or better said my fault :D

So when Aigle keeps on testing with GeSWall ( :thumb: ) I will know what is not covered; for now only Shut Down Simulator type applications. Outbound control is sort of taken care of: I have to set a new (downloaded) program to trusted with GW, which implicitly allows outbound traffic. Untrusted programs spawning IE to connect outside get only gibberish nonsense with KeyScrambler's encryption.

    Regards Kees
     


    Last edited: Apr 15, 2009
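Both demonon's laptop setup (SRP blocking executables under Documents and Settings) and Kees's post above (no-execute SRP on the Recycler, Temp and IE cache directories) rely on Software Restriction Policy path rules. The following script is an added example, not something posted in this thread or shipped by any of the products discussed: it writes such rules directly into the SRP registry hive, which is how the Local Security Policy snap-in stores them, and lists what is already there. It assumes the documented layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, an administrative PowerShell session, and the XP-era folder names the posts use; the function names are the example's own.

```powershell
# Added example (not from the thread): manage SRP "Disallowed" path rules
# for the user-writable folders the posts name. Assumes the documented SRP
# registry layout; level subkeys are named by their decimal value
# (0 = Disallowed, 262144 = 0x40000 = Unrestricted).
$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = '0'
$Unrestricted = '262144'

function Initialize-Srp {
    # Default level Unrestricted: only explicit Disallowed rules bite.
    # TransparentEnabled = 1 checks executables but not DLLs, which keeps the
    # policy cheap and silent (2 would also check libraries).
    # PolicyScope = 0 applies the rules to administrators as well.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1       -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0       -Type DWord
}

function Get-SrpPathRules {
    # Walk every security level and return one object per path rule.
    Get-ChildItem -Path $SaferRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $level    = $_.PSChildName
        $pathsKey = Join-Path $_.PSPath 'Paths'
        if (Test-Path $pathsKey) {
            Get-ChildItem -Path $pathsKey | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                New-Object PSObject -Property @{
                    Level = $level; Path = $p.ItemData
                    Description = $p.Description; Id = $_.PSChildName
                }
            }
        }
    }
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Level = $Disallowed,
        [string]$Description = ''
    )
    # Idempotent: an identical path at the same level is not added twice.
    $existing = Get-SrpPathRules | Where-Object { $_.Level -eq $Level -and $_.Path -eq $Path }
    if ($existing) { return $existing }

    # Each rule lives in its own GUID-named subkey, as the MMC snap-in writes it.
    $ruleKey = Join-Path $SaferRoot ("{0}\Paths\{{{1}}}" -f $Level, [guid]::NewGuid().ToString())
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %USERPROFILE% expands per evaluated user.
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
    Get-ItemProperty -Path $ruleKey
}

# Usage: the folders from the posts (XP names; adjust for newer Windows).
Initialize-Srp
Add-SrpPathRule -Path '%USERPROFILE%\Local Settings\Temp'                     -Description 'No exec from user Temp'
Add-SrpPathRule -Path '%USERPROFILE%\Local Settings\Temporary Internet Files' -Description 'No exec from IE cache'
Add-SrpPathRule -Path '%SystemDrive%\RECYCLER'                                -Description 'No exec from Recycler'
Add-SrpPathRule -Path 'D:\RECYCLER'                                           -Description 'No exec from Recycler (data partition)'
Get-SrpPathRules | Format-Table Level, Path, Description -AutoSize
```

Rules written this way are picked up on the next logon or after a reboot, the same as rules created through the Local Security Policy console, and the listing function is the quick way to confirm that a Disallowed rule actually landed at level 0 rather than under the Unrestricted level.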