what would best compliment LUA(+SRP) ?

Hello..i switched to vista since they are impressive after SP1 and to my surprise their LUA is fully functional(as oposed to XP's)..with run as u can truly install aything..even better than surun in xp..anyways..i use LUA+SRP on that desktop now but would like something to make me feel more secure about usermode malware.shoot your opinions wilders

 

On my Vista systems I use Malware Defender HIPS in addition to UAC and SRP for my default quasi-admin account. Under a LUA (Standard) account, MD's GUI will not autostart when you log in because it needs admin rights. MD's protection is still in place and runs in a default-deny service-based mode with no alerts. To interact with MD, you just need to start the GUI using "Run as."

MD is a solid classic HIPS for Vista and worth an evaluation.

Nick

 

Chris2busy,

I would add the Norton UAC tool. This nifty utility remembers your UAC choices, after some Vista updates the settings get lost, but it is still less hassle than Vista's UAC.

DriveSentry takes care for a lot of HKCU registry settings. I have no idea how strong the black list is, so for effectiveness against run once/load once user mode malware of the 'on write' (in stead of on execution) protection, I have no idea.

Avast has a strong feature against file infectors (it builds a data base of max three versions). Although old fashioned malware, lately there has been a revival of this type of malware. Not user mode, but a pain to remove when a file infector hits you. So adding an old fashioned AV (you could use Avast's P2P, Webmail, Messenger and internet shields only, to prevent overlap on the file drivers of DriveSentry to keep you system snappy and fast).

The IDS of Mamuto and A2 Malware paid also provide some protection against user mode malware (they are more aggressive against them than ThreatFire).

Regards Kees

 

First off i want to thatnk you for your replies
I have tried MD and unfortunately found it too power hungry for my taste.

@Kees1958
I haven't tried mamutu nor the latest TF.is there any way to create custom rules so that they would look after ONLY areas that are being non protected by LUA ? (say C:/Users/whatever) ?would be a resource and performance gain definately..also will kafu.exe do the same thing for Vista as it did for XP ?
T.i.a

 

I heard easter saying that the new threatfire version can make great custom rules?That would be great..does anyone here know what directories/registry/startup entries does not vista LUA cover up? This can be a revolutionary in terms of performace setup

 

@ kees1958

I know you have experience with sandboxie so would sbie itself suffice for a such purpose?i have no extra settings other FF to be the only app to be able to have net access(and direct bookmark acess).is that enough or should i add some extra rules to sbie config ?i also noticed that the C:/Sandbox folder has no permissions assigned to it..this could be bad?

 

Yes, see setup tips of ThreatFire in castle cops search for list of freeware

 

Add these entries https://www.wilderssecurity.com/showpost.php?p=1342623&postcount=59

Cheers

 

Have not used SBIE for at least three years. For what I recall the sandbox folder contains all data created by sandboxed programs. To keep the lit on the sandbox, it has no permissions

FF only is good, at least when you only want to sandbox the FF browser.

I now only use TF, Poweruser, some SRP policies and Chromium. The sandbox of Chroimium would have protected its user of 70% of the internet based malware of the past year, according a Stanford University study

 

thats good news
By the way you have done a heck of a job here https://www.wilderssecurity.com/showthread.php?t=183020
kudos to you mate!will be fun playing with it a bit in virtualbox before trying it!

 

Only 70%? This could be considered as very ineffective protection.

 

For a freebie compared to the competition (other browsers) it is not bad, off course my favourite policy HIPS/sandboxes are in descending order: DefenseWall, GesWall, SafeSpace (helas gone), Sandboxie

Since you implemented more or less all my wishes, I have not mentioned DefenseWall much lately. But to your credits: my Mom of 75 is comfortable with defense wall because it is so user friendly, seamless and strong security:
a) leave it chained as untrusted by default (no accidental risk of throwing files away like SBIE when clearing the sandbox)
b) change status to trusted with richt click when you want to install something

Cheers Kees

 

if you consider that its included in the browser itself it is pretty impressive actually..e.g we cannot say that about firefox(bare bones-not with noscript and the rest of the gadjets).although i think i'll stick to sandboxie..google's browser is still fresh and much targeted app.

 

Hello chris2busy,

I have a Vista laptop and a Vista test box with UAC enabled on both. I have no AV or HIPs installed of any kind. For Internet access, I use a LUA + SRP + added DFTs and ARs. On the test box, I throw fresh, zero-day malware at it regularly and then wait for any sign of penetration. I haven't been able to infect myself yet.

 

Interesting..But what are ARs?Im not familiar with the term....

 

AR = Additional Rules Too many times people overlook this step.

 

care to share your rules mate?
also..what is DFTs?