Win 7 Antispyware

Discussion in 'malware problems & news' started by WilliamP, Nov 24, 2010.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm finishing up setting Windows 7 Ultimate x86 on a family member's laptop. Will be running in different LUA accounts, each for each specific task like general web browsing, home banking, general stuff.

    The web browser is Chromium, which I have set to an explicit low integrity level; this means that the web browser won't be able to download anything, because access would be required to %USERPROFILE%\AppData\Local\Temp, which runs with a medium integrity level. Chromium runs with low, so it cannot access Temp folder; this kills the download. No drive-by exploits, etc. Anything my family member wishes to download, assuming it's safe, will be downloaded via download manager.

    This is obviously only concerning web browsing, which is what concerns me the most for this family member. Other stuff in place as well, which bets on prevention also.

    This makes it non-intrusive and easy to deal with. To download something nothing as simple as starting the download manager, copy the link and the download manager intercepts it.
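
The setup described in the post above can be applied and checked with `icacls`; this is an added example, not part of the original post. The Chromium install path is an assumption, and the label parsing assumes English-language `icacls` output.

```powershell
# Added example. Assumed paths; adjust to the actual Chromium install location.
$BrowserExe = Join-Path $env:LOCALAPPDATA 'Chromium\Application\chrome.exe'
$TempDir    = Join-Path $env:LOCALAPPDATA 'Temp'
$LocalLow   = Join-Path $env:USERPROFILE  'AppData\LocalLow'

function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints an explicit label as "Mandatory Label\<Level> Mandatory Level:(...)".
    # An object with no explicit label is treated as Medium by Windows.
    # The pattern below assumes English-language icacls output.
    $out = (& icacls.exe $Path 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for ${Path}: $out" }
    $m = [regex]::Match($out, 'Mandatory Label\\(\w+) Mandatory Level')
    if ($m.Success) { $m.Groups[1].Value } else { 'Medium (implicit)' }
}

function Set-LowIntegrity {
    param([Parameter(Mandatory)][string]$Path)
    # A process started from a Low-labelled executable runs with a Low token,
    # because Windows uses the lower of the user's level and the file's label.
    & icacls.exe $Path /setintegritylevel Low | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not set Low integrity on $Path" }
}

Set-LowIntegrity -Path $BrowserExe

# Report the labels that decide whether the browser can write to each location.
$report = foreach ($p in $BrowserExe, $TempDir, $LocalLow) {
    [pscustomobject]@{ Path = $p; Integrity = Get-IntegrityLabel -Path $p }
}
$report | Format-Table -AutoSize

# The download block relies on Temp staying above Low: the default no-write-up
# policy denies writes from a Low process to a Medium object.
if ((Get-IntegrityLabel -Path $TempDir) -eq 'Low') {
    Write-Warning "$TempDir is labelled Low; a Low-integrity browser can write to it."
}
```

`AppData\LocalLow` is included for contrast: it is the per-user location Windows labels Low, so it remains writable from the browser even when Temp is not.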
     
  2. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    That's excellent advice, IMHO. Simply blocking ads will eliminate most malware exposure, unless they surf dodgy sites. Also, it's good to break the habit of passively clicking on stuff.

    The next step would be NoScript. However, the learning curve can be tough, because most websites will be broken until properly whitelisted, and the default whitelist is short.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, a very good suggestion.

    What will happen if one of the white-listed websites becomes compromised by hackers? Will NoScript be of any good?
    Note that I'm not a Firefox user, and therefore I don't know how exactly NoScript works. Does it have some sort of backup protection for the white-listed websites?
     
  4. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    as it happened recently with the DNS hijack of Secunia (that's probably a site one ought to whitelist in NoScript). then you are at the mercy of the security implemented by the browser, which is not really top-notch in FF. hence the browsers should be hardened in the first place
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, basically - I know some will come hard on me :D - NoScript is a sort of placebo, but not a true medicine. Once you tell it to white-list this or that website, maybe not now, but maybe tomorrow you'll be completely... :D
     
  6. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Or maybe never...
     
  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    it is not a placebo per se, it is something strengthening a weak browser. the moment you put something into white list you are back to the bare of the (weak) browser. users should bother the browser developers about security and less so much about shiny UI or another extension
     
  8. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    That's not really true, is it?
    Even whitelisted sites can still have full block settings for java, flash, i-frames; the works.
    It depends on the settings, Noscript offers more options than just a single 'allow-everything' whitelist setting.

    It's no silver bullet or holy grail though and I do agree that FF shouldn't rely on its extensions too much, a sandbox would be nice.
    Then again, Sandboxie is nice already. :)
     
  9. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    emphasis can. there were some numbers somewhere - only approx. 20 % of FF users utilizing NoScript to start with and then I wonder how many of them are savvy enough to deal with the fine tune options of NoScript. basically there should be no white list and anything required to properly interact with a site should be temporarily enabled only after the browser reached the (correct) webpage and established a security baseline (something similar being currently tested in Chrome developer builds - just as built-in option and not another extension)

    or to rephrase, it would be curious to learn how many NoScript users believing to run an iron clad setup with FF and NS and are trigger happy to click on anything there to click on, despite using white listing (and wonder where/how their machines get hit). Or more interesting the number of (bare metal) FF users trusting to use a safe browser.

    that would be one step in the right direction, the FF pre-beta 8 x64 has at least a plugin container process separated from the browser. but there are still a lot of other things missing security wise
     
    Last edited: Nov 27, 2010
  10. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    I'm going to try to clear up some misconceptions in regards to NoScript:

    Common misconception is that NoScript is just an add-on that allows you to 'whitelist' Javascript only and hence is 'useless' if the white-listed domain is 'compromised'. Most do not realize that NoScript extends into providing other forms of protection features as such:

    a) Protection features that are available even in a "Default Allow" mode, although it is not recommended.

    Source: NoScript Features - Usable Security

    b) Beyond JavaScript: blocking Java, Silverlight, Flash and other embedded content

    Source: NoScript Features - Content Blocking

    In regards to the original query of the theoretical scenario of a white-listed domain being 'compromised', the answer lies in here:

    Source: What is a trusted site?

    Another misconception is that with a sandboxed browser (such as with Sandboxie), the likes of NoScript is made entirely useless. That itself is only half the truth as while a sandbox may help prevent threats from reaching your OS such as drive-by downloads, it doesn't help in preventing threats that may happen within the browser itself without you realizing it:

    Why should I allow JavaScript, Java, Flash and plugin execution only for trusted sites?

    The idea is to keep your white-list relatively 'small' and for sites that you can trust. Trust in this context being as such:

    Is default-deny for JavaScript necessary for good security?

    So what should I white-list?

    Blogs typically are fine to view/read without javascript. Forums (e.g. Wilders), video sites (e.g. YouTube), web-mail (e.g. Hotmail, Gmail, Ymail) typically need javascript, so you might as well add in those that you 'trust' and frequent to your whitelist. Bank sites, Amazon, eBay, PayPal, also typically need javascript...if you use those services, add in them as well. Everything else will come in at a later time as and when you browse. NoScript will initially 'break' some sites that need javascript but once you've added those that you 'trust' and make use of the 'temporarily allow' for those sites that you don't rarely visit and don't 'trust', it'll soon be in flow with your browsing pattern...

    Don't bother going through all the hassle? Then, use the "Default Allow" mode. If you find the entire concept a trouble, then you don't have to use it.

    Summary:

    I'm NOT saying NoScript is for anyone/everyone and certainly it isn't a magical all-in-one cure for all browser-related risks. Whether or not one deems it as necessary is a personal judgment and choice - some consider it nothing more than annoyance and who am I to argue against that personal taste/experience? o_O It's a simple fact that different people work differently.

    I've been with and without NoScript and it's definitely not the end of the world if I don't use it since I don't believe in the idea of being paranoid...it's unhealthy for the mind imo. I don't see it as a necessity myself - more like a tool to quieten down the web in general and gives me a certain degree of control over my browsing routine. Not everyone needs/wants that kind of control....
     