Defensive desktop security software outside the Windows mainstream

This is intended to be a list of all Windows or multiplatform security software that is not part of the mainstream sold by AV and firewall companies.

Please read this first:
For the purposes of this thread I am excluding
- all anti-executable software
- all HIPS and sandboxes
- all antiviruses, signature or behavior based
- all virtualization software not explicitly designed as a form of access control
- all forensic software such as on-demand AVs and antirootkits
- all network IDS/IPS, antivirus proxies, or anything designed for servers
- all software that does not run on Windows, or support Windows in some way
- all vaporware, or otherwise unreleased software

I am also excluding, for ethical and political reasons:
- all software that is not available to the public. I have a special bee in my bonnet about this, because I think that Jane Q. Public deserves better than to be specifically denied access to security software that actually works.
- all software that requires a large up-front payment for the full version, does not make a trial or demonstration version available, and makes unlikely or patently false promises about its capabilities. Those of you doing this know who you are. When I see products like this, I assume by default that they are scams.

In short: I want to create a list of currently active projects that provide Windows desktop security with some level of future proofness. This means, among other things:
- not requiring extensive knowledge on part of the user
- not requiring massive configuration changes to Windows
- not relying excessively on user decisions, and not always failing if the user decides wrong
- not being based on "enumerating badness"
- not seriously inconveniencing the user
- not being based on trivial stuff like intercepting process creation calls

Okay, that's all. I will start a list of categories that I know of.

Web content blocking
- Noscript
- RequestPolicy
- uMatrix/HTTPSwitchboard
- Script Defender
- ScriptSafe

These are powerful, but not infallible if the user messes up (or even not, sometimes). They're also pushing it a bit on the user decision side.

Heuristics for alerting users to malicious web content
- Web of Trust
- McAfee Site Advisor

Good idea, but there are questions of reliability when crowdsourcing this stuff. Likewise, maintenance by corporate entities strikes me as raising several conflicts of interest.

Exploit mitigation
- EMET
- Hitman Pro.Alert
- Malwarebytes Anti-Exploit

These seem pretty effective at blocking userspace shenanigans, but their mechanisms are quite opaque unless you're a software engineer, and that worries me a bit.

I'll also admit that I feel there's conflict of interest inherent in the desktop security industry. AV and security companies make a killing on Microsoft's OS not being secure, and therefore have a vested interest in either maintaining a level of insecurity or maintaining FUD about it. Market forces drive them to make products that are not future proof, so that they keep having something to sell, and as such I am very skeptical of the long-term efficacy of anything they market... Even exploit mitigation software.

Oh, one more:

Containment by hardware virtualization
- Qubes OS
A bit too reliant on the user for my liking, but it's the only one (and it can run Windows in a DomU).

... And, as far as I can tell, that is all.

Anyone want to add a category, or an item therein? I will update the list as people post...

 

Well a good alternate DNS service helps too. One that blocks a wide array of known malicious sites. I know a lot of people hate on Comodo in here, but I know that Comodo Secure DNS has a very extensive database of known bad/malicious/rogue sites. And scam sites too, like for fake AV's and things of the like that scan your computer for free, put the malware on there, then offer a buttload of money to take them away. I hear Norton has a good one too. For privacy Chaos Computer Club and Swiss Privacy Foundation are good ones. And many swear by OpenDNS & DNScrypt.

Not sure I'd exclude AV's. I know you're taking about defensive strategy here, not reactive, but an AV can be defensive if set up the right way... like to "Deny Access" (an option in Avira) instead of cleaning, quarantining or deleting. Not to mention you've taken away so many other options for people, like sandboxing, virtualization, HIPS, anti-ex. A common user would be screwed/naked without having an AV and with all that stuff excluded as well. Web scanning can be seen as defensive too, since it stops it at the point of attack.

In regards to web content blocking I'd add Adblock Edge/Plus with some good filter lists (EasyList, EasyPrivacy, Malware Domains). CS Lite Mod. And Private Tab.

If a Firefox user, benefits can really be had if one knows their way around the about:config. I consider tweaking/hardening in that manner, as I do in my OS as well, more important than any software I use.

 

I think you might as well scrap exploit mitigation and web content blocking. The first one can cause compatibility problems, which will make some apps not run correctly or not at all. The second one will break 70% of all sites. Except for specialized blockers like Ghostery.

Actually, it's possible for certain script-blockers to work almost the same as Ghostery. For example, I use ScriptKeeper (for Opera 11 and 12) and when run in "Relaxed Mode" (plus a little bit of white-listing) it breaks only 5% of all sites.

https://addons.opera.com/nl/extensions/details/scriptkeeper/?display=en

 

Policeman for firefox

 

For me it's key security is seamless, and invisible. Otherwise it's more of a hassle than a benefit.

So I am always on alert for good security products/hardware/addons.

 

Does Chromium sandbox model count? While I know you are excluding 'sandboxes', Chromium's sandbox leverages Windows own security model (does not install drivers)
http://www.chromium.org/developers/design-documents/sandbox

There's also Modern Apps with AppContainer IL...

 

@safeguy - good question. For the purposes of this thread, I'm going to say it doesn't.

 

How about ad blockers?

uBlock
AdBlock(+)

 

Good question, and like I said, even stuff like "Web content blocking" and "anti-exploit" can cause problems for the average user.

 

I know a lot of people feel like you about blocking scripts but I disagree. Blocking content with NoScript has never caused me issues. Not even when I was an average user or before I got to the average level. Maybe it took me a year of using NoScript before most things related to blocking content started making sense but once I got into it, its easy. Last time that I had to completely disable NoScript in order to get something working in a new unknown site was more than 5 years ago (that's well within my first year as a NoScript user).

Now, within a few seconds, I can figure what to allow and what not to allow in order to get things working in any new site that is totally unknown to me. After using NoScript for a while, you become familiar with the names of domains so just by looking at them you can easily tell whats required.

Bo

 

Pete, I was one of those users that religiously used to get infected once every six months. And spend hours scanning the computer every two or three days. That was boring and stressful. Six years ago, as I started using and learning Sandboxie and NoScript, that horrible cycle came to a full stop. Since then, no more scans no more infections and no more stress.

Bo

 

It's simple for me.. If a solution isn't standard, then each one has to be evaluated for effectiveness, and reliability/scalability. We can't deploy solutions that are custom in most situations, or ones that fall outside of the mainstream. For example deployment of Classic Shell or any Adblockers isn't a permissible thing simply because they aren't part of the core package, or support metric, and can 'break' things. Then we end up supporting extra products, services, or addons beyond the scope of the contract. Imagine a new version/update of Windows breaking Classic Shell, then having to support 11,000 machines using it without getting paid to do it from the client? It's a terrible thing to consider, and experience in the MSP field has taught us to be very very careful. I remember one client deploying 900 licensed versions of WinZip. The license expired, and we had to explain to them why they had to pay us $4,200.00 to remotely uninstall WinZip and revert the default handler to Windows itself on over 900 machines. These kinds of little things become BIG problems in business.

On the home front;

If a solution can be installed, and functions largely without any interaction, and is seemless, then it is something I will consider. But I cannot run around 'fixing' 40-50 devices in the home, or working on exclusions for pages/sites/domains/products. So deployed solutions need to largely be hassle free, seamless, and durable. It's quite possible this lowers protection over all, but a compromise has to be made. This is why I am a big advocate of hardware based solutions, as they have a single point of control/maint. are easy to deploy, and upgrades rarely break anything.

 

No you misunderstood, I'm also a fan of script-blockers, mostly because they speed things up, and of course the extra privacy is also nice. But I don't think they can be used by average users, because they will always break stuff at some point, except for tools like Ghostery.

Same goes for anti-exploit, great tools but they can always cause issues, of course no problem to us "expert users", but "average Joe" will become annoyed by it. But perhaps I'm missing the point of this thread, because the only thing that gives hassle free protection are AV's.

 

Lucky you. I believe the aggregate of go to techs experiences are 10x more likely to be blank stares. And after the next fubar learning to stay safe happens less than 10% of the time.

Edit: I mean: .... less than 1% of the time.

 

The following may violate the "letter" of your requirements, but it might fit the "spirit": partition virtualization of system partition, with user documents stored in a separate data partition.

 

I agree, but as to anti-exploit the reason is that some AV/IS implements exploit mitigation too so if they have to be excluded, anti-exploit should be too. As to contents blocker, yes it is not usable for common people. And WoT or site advisor is not far much different from antivirus proxy.

As OP didn't define what "security" means, I'll add these:

Patch management/Update checker (eliminate most exploit ITW)
-Secunia PSI/CSI
-Filehippo Update Checker
-Software Update Monitor
-Ninite Updater

Encryption software (prevent data leakage)
-Truecrypt
-Veracrypt
-Diskcryptor
-Bestcrypt
-EncFS
-Boxcryptor

Keystroke encryption (prevent keylogger)
-Keyscrambler
-Zemana Anti-logger Free

SSL enhancement (prevent MITM attack)
-SSL Eye
-Perspectives
-CertCentry

System utility with malware inquiry
-Process Explorer
-System Explorer
-Process Hacker
-AnVir Task Manager

I agree with Rasheed again, script blocker like NoSciprt is problem for novice user and they just want browser display the page they clicked immidiately w/out any interaction. Not many people have intention to learn about NoScript or domains. For such people, only full-automated system will meet their need and IMO such solution is quite limited, maybe AV/IS and anti-exploit except EMET.

 

I actually love this as a concept, but the problem is more one of efficacy and convenience. If an attacker or malware gets admin access (which is easy if you run as "limited admin"), it's all over - instant rollback software cannot be trusted to roll back changes made as admin.

Meanwhile, routine updates become rather difficult. And it does nothing to protect from data theft, which is probably the biggest issue for most people...

Still, it would be nice to have rollback software that was theoretically safe. It could probably be done with a hypervisor such as Xen... FWIW I once tried to set up something similar, with Windows running in Virtualbox on top of a GrSec kernel and minimal Linux install, but GrSec kept killing Virtualbox for doing silly things in kernel space

Edit: @142395, good point re defining security. In this case I'm defining it as safety from the OS being forced to do something the user does not want or ask for.

Edit 2: I should start a new topic about the VBox thing actually.

 

I had a reply but the forum ate it... Let's try again:

https://www.wilderssecurity.com/threads/tdl-tdss-trojan-series-bypassing-isolation-software.276152/

That's an older rootkit that bypassed then-current rollback software. I'm sure there are more out there right now.

The issue is that, if you can elevate to SYSTEM, you can do pretty much anything, including unhooking or bypassing a filesystem virtualization driver. If malware is running at the same privilege level as the security software, then the security software cannot be trusted to protect the OS from it.

That's why I specified "theoretically" secure, not "practically." Practical security is all well and good, but what's practically secure today may not be tomorrow, and we all know how annoying it is for end users to be in an arms race. IMO desktop security needs to rely on something more than malware writers being cheapskates.