Would this be a good setup for a novice PC user?

Hi,

A friend of mine who is a security novice had his PC infected with fake security software. So I cleaned up the PC and figured out a (hopefully) safe and friendly setup.

Problem is that I do not want him to answer any pop-ups (he is likely to choose the wrong option anyway).

So I first convinced him to buy a external harddrive. I have the image backup/restore covered with Paragon free, data backup/recovery with syncback free. He has the same router as me, which I have configured (highest encryption, longest possible encryption key, all FW options ARP/Dos attacks etc enabled, hidden the SSID, set inbound filtering to deny all IP's in range of his IP address, only allowing his own to go outbound, enabled DHCP reservation to make sure teh same IP - allowed - IP address is allocated, enabled MAC control, this all to minimise 'man in the middle' risks).

I have A2 free, MBAM, SAS installed for on demand scans before backup (which I will do, because I see them at least once a month).

Realtime setup XP Home, SP3 (E2100 dual core with 2GB Ram)
- windows firewall
- GesWall free with Kees trick to use the full data base of the paid version, I have split the harddisk into two phisical partitions, one for programs and one for data with an 'install' directory on the C partition to make use of the weakness of GesWall that it changes the status from untrusted to trusted when copying a file from one partition to another. I have also limited Chrome access to D:\downloads and virtualise other disk access (thrown away after chrome closes), likewise registry access of Chrome
- Comodo Memory FW
- Avira free, with check on write only, on all file extensions, with heuristics high
- Spyware terminator with all shields to auto accept or block. I can check the log once a month to see what happened. I also have enabled the HIPS for novice users (it really works well, with minimal pop-ups and some behavioral assessment of new executables). I have also installed the Web Security Guard. Hidden the Crawler toolbar and deselected the search classification. Web Security Guard only notifies for high dangers. It greys out like Vista's UAC (cool!).
- Keyscrambler free for IE7

Instructed to do shopping and on-line banking with IE7 (safe), all other browsing with Chrome (fast). Also to respond to Avira by choosing delete (only warns for new arrivals) and deny to HIPS of ST. When installing it is okay to go into installing mode of ST. When CMF throws a pop-up, also choose deny.

Question:
I have tested the HIPS component of ST on novice level, it really is quiet. Only barks when a new executable tries to install permantly. Which of teh Wilders members actually have experience with ST HIPS in low?

Considerations
Because the instruction is simple choose delete or deny when something pops up, I think this is a workable solution. A simple limited user solution is not applicable, because he makes music CD's himself and that program requires admin rights (do not have the name at hand now). I considered TF, but when the guy swithces to his admin account to install a malicious AV, I do not trust him to answer pop-ups. By the way I have set GW to be absolutely quiet in high protection mode.

Feedback appreciated.

Kees

 

"I see them at least once a month." You could use something like LogMeIn to do some of your work remotely unless you think that's too intrusive.

 

Major bloat imho. I also fix computers and do custom install setups for people.
I first ask them what they want to be able to do with their computer. Having extensive knowledge of what programs are safe, easy and able to accomplish whatever it is they want, I also make suggestions on other things they may be interested in accomplishing. That being said, latest version of returnil + custom rules set for it's anti-executable tool.

If the system started out clean prior to you setting their system up, the router, imaging program and a (optional) on demand anti-malware scanner is all you really need. Show them the basics about staying safe. One thing is for certain about most customers I talk to, they rather be able to use their machine for whatever it is they want to accomplish, than waste their time worrying about "am I infected"? etc. etc. etc........
Only weakness I see, would be human error and badly coded installed programs used.

 

IMHO:
- I would have used a limited user account, and when he wants to do something important (setup ecc) switch to admin user..
- I agree with you on a simple AV (AntiVir is pretty good) and Spyware Terminator, as you said...
- I would have used Opera or FF (with AdBlockPlus, WOT and NoScript, if he wants to learn how to use it)...
- I would have modified Host file and used OpenDNS with restricted rights...

this is the best config with no popups, and also GesWall/SandboxIE can be used for everyday browsing...

Sorry for my bad english,
Regards

 

1. I don't fix computers, I want to stay as fas as possible from it. Bloat can be prevented with the occasional blurb

2 Human error reduction with a simple setup. That is exactly what I am seeking feedback on

Thx

 

Thx 4 the reply. I will check OpenDNS

 

i am using mvps host file and openDns and it is cool to have

 

Thx 4 the reply, I will have a look at it. Only thing what is on my mind, is that I keep it very quiet to my friends that PC security is some sort of hobby to me. I normally keep my mouth shut, but this friend was told to format his disk and re-install his OS by a so called PC expert friend.
This would mean that they should lose all their pictures. So I told them afterwards that I had asked with our IT manager at work and our IT-manager advised to try a few things first (and had given me the programs). I still pretend to be a PC noob, because I do not want to be asked whether I can fix things. With Log me in, I would acquire the remote admin status, which would blow my noob cover.

 

To the OP: that's a lot !

An imaging setup can be very useful, just make sure he knows how to use it !
Preferably, for imaging purposes, allow the system to boot with the necessary software on CD or something similar. I'm not familiar with this imaging software.
And to create images when appropriate.

Since he's a security novice, I think a simple setup is appropriate, unless he's willing to spend time and effort to learn, and to risk making wrong decisions.

I would suggest a good security suite. That's right, all-in-one. Properly configured. IE 7 (I have no experience with version 8 ) can be quite safe as long as you set the security settings above average/normal, preferably for all zones. A lot of security software monitors attempted changes to IE 7. I can't recommend Firefox because I've never used it, and it isn't safer per se.

Customer support could also be a consideration, but with imaging software it becomes less of an issue, and you can never know when they will let you down/rip you off.

He's using a wireless network ? Make sure the firewall handles it properly.

Maybe one or two compatible antispyware applications, real-time or not.

VIPRE could be a good alternative, possibly complemented by the Sunbelt firewall (a trial would be recommended). There are no good comparative tests available for this product (it's new), but their Counterspy was always very good at dealing with spyware, so I do have some faith. It's said to be light.

Something like Sandboxie could be good too, but since he's a novice he's probably better off with a good tool that can scan files/whatever by signature.

A large list of programs can be overwhelming.

I've explored a non-signature solution too, but then there are issues like entering a credit card number at an infected website, in which case Sandboxie probably would not work, but a good suite would provide better protection. Again, for a novice.

And of course 'the biggest vulnerability is the person behind the computer'. Some basic education, like not clicking on ads, understanding rogue security software, and other social engineering approaches. Plus updating software.

OK, enough for today

 

Thx a lot

 

Would probably add SpywareBlaster as it is simple to use and may help should your friend decide to use IE7 more often. I also like the OpenDNS suggestion.

 

May I ask how you do this?

 

Kees,

I always got the impression from Wilders that ST ain't so hot.

Has something changed for you to endorse it?

Ian

 

That is totally true. It is not strong enough to face the strongest threats, but running it after GesWall, it shields use way less CPU than Windows Defender and the way it deals with intrusions can be better configured. It has a nice feature recognising installation programs and the HIPS when set in low/novice mode, does some behavioral analysis (file information like product/company name, whether it is digitally signed/requires admin elevation, initiated by user or process). Its HIPS is really a very basic Anti Executable which allows all the installed programs). Because GW protects the system, this executabes/installs have to be explicitely set to trusted. So it is more a second safety net for staged spyware attacks and social engineering installs (because the check list/control list of the shields section has nice logging capabilities). It is a pitty you can not set your own allow/block rules for this execution analysis (I am sure I could make a strong silent set out of it).

Bottem line: I would not use it as a first line of defense, but together with Avira free (and awesome heuristics), EdgeGuard Solo policy restriction, a full featured policy sandbox like GesWall or DefenseWall or a virtualisation sandbox like Sandboxie or SafeSpace, it is a nice freeware option.

The webshield is also great (has real time website analysis, has disabling trick bits like Spyware blaster and you can fully hide the crawler bar - disabling all crwaler features, except their website rating datat base).

Cheers Kees

 

Thanks for that.

As usual, a post I can understand.

Ian

 

i can tell you that the spyware terminator's shield is very strong at guarding the front door but for removal mmmm what about spyware terminator+ malware bytes antimalware for removal