What is your security setup these days?

Emsisoft Online Armor freemium + Emsisoft AntiMalware lic - very light.

 

This last week I've been trying lots of combinations, even looking for a substitute set-up for Sandboxie, but now back where I started, Sandboxie and Emsisoft Anti-Malware.

 

Tough to do, eh? I hope we never need one!

 

Windows 7 Ultimate behind router with NAS for backup

System wide security policies:

• Block riskware services and unknown outbound firewall connections
  
• Deny elevation & installation of unsigned executables and drivers
  
• Full UAC, DEP, SEHOP and running only ASLR enabled programs

Additional user space restrictions:

• Deny execute in all non UAC protected folders for Basic Users
• Deny execute for Windows/VB/Power-scripts for Basic Users
  
• Disabled Startup/Registry/USB-autoruns for Basic Users

Internet facing intrusion mitigation:

• Deny execute file ACL for Everyone in drive-by folders (public, media, mail and internet)
  
• Run Outlook and WMP as Basic User with high IE-zone and EMET overflow protection
• Run Chrome in sandbox, allow javascript from [*.]NL and [*.]COM, uBlock extension and locked settings

 

Hi Kees,
some problems with the mitigations ROP of EMET?

 

Yes that is why I enabled TP5 only for WMP and Outlook, switched to MBAE for browser and dropped IE for Chrome. Not using IE has the advantage of increasing IE-zone security settings which are used by other windows aps. This has a security benefit of for instance Windows Media Player. Not using flash OCX also has the advantage that embedded flash is not executed in all sorts of windows files (Word, Media files, PDF, etc). I had not realized this spin-off, so back to Chrome again.

 

What Software Restriction Policies are you guys using with 8.1?

 

God I hope that never happens either.

 

I have created them using tutorial here: http://www.mechbgon.com/srp/

 

Is this only for LUA's?

 

No, you can enforce it for Administrators also. I have it set up for all users and all software files also (including DLLs). You have to use UAC on max so that software can't be copied to whitelisted areas without a prompt.

 

Great, I will check it out

 

Also add PS1 and VBS in "Designated File Types" setting.

 

Thanks for info. Is there any other file type that should be added to that list? What about BIN, PAF, VBE...?

 

As far as I can remember, nobody ever mentioned about those file types to be included under SRP's supervision. I'm not entirely sure about BIN and VBE, but for PAF (assuming that you are talking about portable apps), it will execute EXEs and DLLs anyway so SRP should've taken care of it. I myself had experimented with SYS previously, but I still can't tell if it's beneficial to add it to the protection list (or if it would really work to begin with). HitmanPro actually can be used as an easy way to test it BTW.

 

As described here SRP doesn't apply to drivers and kernel-mode software. I don't know if adding SYS and DRV would make any change.

 

I've added SYS to my designated file types and run HitmanPro. I got no problems and no blocked entry in event viewer. OTOH I use compatible disk access instead of direct disk access (because of BSODs) so I don't know if Hitmanpro installs driver in that mode...

 

I read a post last week by a long-time member at Wilders that Shadow Defender did the same thing as Sandboxie in a less convoluted way. But I'm still unclear about who owns it and its odd history. I also set up VMWare Player and VirutalBox virtual machines, but had troubles with the video drivers for Mint. And other combinations of AVs and anti-exs, HIPS, firewalls, etc didn't quite make up for not having the browsing protection that Sandboxie gives.

 

Hello!
Now I'm trying Online Armor free + AVG free. So far so light.

In AVs I use only "Quick Scan" mode. There's no "Quick Scan" in AVG. Only "Full Scan", "Specific Folders" or "Rootkits".

 

360 IS, AdGuard..Hitman Pro/Herd Protect on demand.

 

AVG free now is automatically updated.

 

What do you mean by that?It was the same before,ONE update daily.(in settings you can choose at what hour if my memory serves me well )

 

Yep, it was one update daily. Now it's automatic update only. Here you can only make off "Enable this task".

 

It seems that AVG free will update like almost the paid one?In base of your screenshot,it seems so.If that's true,these are really great news.

 

Yeah, the only thing I didn't like in AVG freemium - its restriction to daily automatic updates. Now to my surprise it's gone.