What is your security setup these days?

Sandboxie along with Comodo Firewall ProActive setting. Nice little combo so far. No A/V. Rest as per Sig..

 

Nice setup... very much like mine. Only my Comodo says it's in "Firewall Security" configuration. I'm not sure what exactly they base it on... which they apply to you. I mean I have my D+ in Paranoid Mode. How much more proactive does it get than that? Maybe you have to use the sandbox module (and autosandboxing too perhaps) to have it as proactive? I have the sandboxing disabled and all boxes unchecked.

And have my FW in Custom Policy Mode, Very High Alerts, all things in Advanced checked. Treat unrecognized as Untrusted. The 2 cloud options unchecked, the rest checked. All checked in monitoring settings.

Does it get any more proactive than that? lol... seriously.

Oh, I also recommend deleting the "vendor.n" file in the "database" folder to clear the Trusted Vendor list. You decide what to trust and not to trust, don't let anyone else decide that for you. Block both cfp.exe & cmdagent.exe in your FW Application rules to prevent it from phoning home. And also remove the Comodo certificate from the Trusted Publishers list (Internet Options) to stop those processes from hurling themselves into the Trusted Files list in D+. These are good steps to harden Comodo and keep it honest (just in case it weren't). Not saying I don't trust it, but why take the chance I figure.

VT Hash Check is another good on demand scanner.

 

They run beautifully and light together. So light I barely notice they're even there. I've been running this combo for years with no problems. Back when I used a real-time AV I found that Avira played the best with them.

 

Hey Graf,
I keep vacillating back and forth between BL and TC. BL won't run on my computers unless I use a key on a flash drive, due to the absence of a TPM.
TC, while involving a steep learning curve, strikes me as a good way to go, especially FDE.
I think I will probably start with BL, though, and see if it feels right to me.
Back ups, as always, will be critical.

 

Good stuff.

 

I'd like to hear some feedback about this router. I was considering buying the R8000 Nighthawk X6 AC3200 model, but it was a bit pricey for me.

 

Thanks : ) You know me... anal retentive about this kinda stuff.

I also disable automatic updating, balloon messages, and the message center in Preferences > General. And also uncheck the box in the "Update" tab for good measure. And disable logging too (for both the FW & D+)... it definitely makes it lighter, silent blocking. Especially for me since I block so much stuff, allowing only what is absolutely necessary. If I didn't disable logging my activity light would flash perpetually from all the packets it's intercepting on their way out.

Some people don't trust Comodo. Well if you take these steps even if you don't trust it there really isn't jack it can do. Kinda funny relying on the strength of a product to use to block itself, but hey... I also use a kinda similar method to prevent a sandboxed app from even realizing that it's sandboxed, and Sandboxie from realizing it's sandboxing the app. And I trust Sandboxie more than I trust my own mother.

 

Proper rule for svchost.exe, explorer.exe, and rundll32.exe = Block here on my box.

 

Thanks for the tips. Will look into them. So far quite happy with Comodo as it sure is running light.

EDIT:
"Oh, I also recommend deleting the "vendor.n" file in the "database" folder to clear the Trusted Vendor list."

I don't have the "vendor.n" file. More about that here...https://forums.comodo.com/firewall-help-cis-b135.0/-t104371.0.html Also the "database folder" is empty. I don't have cfp.exe file but have cmdagent.exe file.

Another Edit:
Luciddream, I see you are using Comodo FW 5.0 that is probably why we would have different settings as I am in 8.0.0.4434.

 

Holy cow! I foolishly thought I was first in line for a lucrative Invincea commercial contract with my "Sandboxie... and then some other stuff" security set up signature.
But then you come along with "I trust Sandboxie more than I trust my own mother", and all of my hopes are dashed!

 

That would mean that his mother would be virus free then for sure.

 

I was thinking of ordering a Fortigate 80D, new on the product matrix starting in November. Very powerful. $955 (my cost, wholesale) is a bit steep. Fortigate 80D has some monster power.

http://www.cnet.com/products/fortin...undle-security-appliance-fg80dbdl90036/specs/

 

After trying it for a while, it looks like HitmanPro.A RC3 is going to be staying on.

 

Good Morning! G-Data I.S.2015...AppGuard...and SAS Pro...Stay Sicher...My Friends...Lol! Happy New Year...too one and all! Sincerely...Securon

 

Whichever you may choose in the end, hope you'll be happy with it. I honestly never have enough courage to enter the drive encryption business. Even with my fallback plan I still feel not taking the risk.

 

Yeah I use 5.10, that's probably the discrepancy here. But I would hope there'd be a way to remove that vendor list in newer versions too. Deleting them one at a time (if you can even do that) would take a year.

I'd recommend going with 5.10. And 5.12 if you use a web scanning component to a real-time AV.

 

Currently running as Standard User Account with only Bouncer and EMET for security software. I like to keep things light and efficient.

While I try let my setup of multiple OpenWrt routers do most of the heavy lifting. So far I have ad blocking working great on the DNS level which then serves 1x1 transparent image to browsers, and also a basic Snort setup for IDS which I plan to expand further as I gain a better understanding of it. There is more that I intend to add with OpenWrt but with limited powered routers I would need to add more routers to my setup, likely. A poor man's method, I suppose. But it works for me and is fun learning.

 

Thanks, Graf. I think I understand your hesitancy.
I'm not trying to keep DHS or NSA from accessing my hard drives. But I do want to have them encrypted in case they are stolen. BL is native, and doesn't seem to have controversy surrounding it, so I will probably go that route.

 

I'll be sticking with the 8.0 version as it is working well here. You know the saying, "If it ain't broke, don't fix it." I actually installed CFW out of curiosity as all I was using was the Windows native firewall with no problems. But since CFW is working so well with Sandboxie and so light (which is a surprise) have decided to keep it. The last 3rd party firewall I used was Private firewall but I am liking CFW better. Anyway, back to the hockey game. U.S.A vs. Canada.

 

Using comodo firewall with HIPS enabled (sandbox disabled) alongside HMP.alert 3. This is a strong and light combination.

 

I added Virus Blocker to Untangle, 1 year Subscription. It's Hardware/UTM version of Bit Defender. Very powerful heuristics. So now before anything hits my devices it has to go through;

Connect Safe DNS
ASUS w/Trend Micro
Untangle Hardware UTM w/Virus Blocker(Bit Defender), Virus Blocker Lite(ClamAV), Adblock w/Cookies, PhishBlock, Snort(Intrusion Guard).

Then finally traffic is allowed to hit individual devices. Pretty remarkable I think.. Here's a picture of my Untangle Rack.

 

Online Armor
360 TS "Security" config
MBAE

Light and strong.

 

Chromebooks do not need to be always online, but that is a significant part of its feature set. Sure you can watch videos, play some games, edit documents, etc. But it will be noticeably limited, more so than Windows. That is until you unlock Developer Mode.

 

Chromebooks still need security. Also they aren't immune to phishing, tracking, and exploits. Generally cleaning up a Chromebook is a matter of resetting the browser, but there can be some stubborn stuff out there.

https://productforums.google.com/forum/#!topic/chromebook-central/NvsKa6v0YWg

 

Yesterday I was bored, so I created a subnet isolation for wireless clients vs wired. Sub-networks can be segregated, which in itself is a huge security upside. Also most virus', threats, spyware and hackers base their attacks on basic network configurations, making a network configuration which is non-standard makes such threats harder to intrude and cause any damage. Restricting network access to potential network intruders is another layer for security in situations where broadcast signals could be subject to snooping or attack.

I still don't have my network exactly where I want it. I am waiting for ASUS to release a cheaper version w/Trend. Then I can place the cheaper version w/Radios Off on the Gateway as a dedicated hardware Trend Appliance. Then move Untangle UTM transparently on the second tier, and then into a switch, then use the AC2400 ASUS as a WAP on it's own segregated subnet off of the switch with statics. When I reach that point I will have a network security architecture that would function at very nearly defense contractor security level. Just for the hell of it of course.