What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. Rigz

    Rigz Registered Member

    Joined:
    Jun 28, 2015
    Posts:
    65
    Location:
    Earth
    Haven't seen too much for Macs on here so...

    OS X 10.11.1
    Standard user account and a separate Admin account for administrative tasks
    OS X Firewall enabled
    OS X FileVault encrypted system drive
    VeraCrypt for encrypted containers and external drives
    Avira Antivirus
    Little Snitch
    Tunnelblick
    Modified hosts file (http://someonewhocares.org/hosts/)
    Ghostery
    HTTPS Everywhere
    OpenDNS and privacyfoundation.ch when I'm not using a VPN's DNS
     
  2. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
It sounds like you use Outpost. Agnitum still relies on Windows to auto-inject that file using AppInit / a registry entry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""

    Starting around the time Windows 8 was released (maybe earlier?) MS recommends devs NOT use AppInit any more and I would not be surprised if it was removed entirely in a future build of Windows: https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx

So far I haven't found anything better than Sysinternals (now owned by MS) Autoruns combined with Process Explorer to figure out what's loaded. Maybe the NVT program Kernel Mode Drivers Manager for kernel modules (seems to show stuff LoadOrder doesn't, e.g. DLLs), but that wouldn't help in this case.
     
    Last edited: Nov 16, 2015
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Thanks, Syrinx. I forgot Autoruns might show something.
    Yes I use OSS mostly, Private fw sometimes. I was answering somebody's question about 64bit HIPS and I guess the context didn't come through.
     
  4. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Sandboxie and NoVirusThanks EXE Radar Pro.
     
  5. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    My security setup

    Real-time:

    SecureAPlus
    Blue Coat K9 Web Protection

    Windows:

    Windows Defender = Off
    Windows Firewall = On
    Windows SmartScreen = On
    Windows Update = On
    UAC = Default
    Security & Privacy tweaks applied

    Network:

    Router NAT
    Manual configuration/Hardening
    Verisign Public DNS

    Browser:

    Mozilla Firefox
    DuckDuckGo
    Adobe Flash = Ask to Activate
    uBlock Origin
    Security & Privacy tweaks applied (about:config)

    On-demand:

    Shadow Defender
    AdwCleaner
    Kaspersky Virus Removal Tool
    Malwarebytes Anti-Malware

    Other Tools:

    CCleaner
    PrivaZer
    Autoruns
    O&O ShutUp 10
    Spybot Anti-Beacon
    VPN (Occasional use on mobile devices)​

     
    Last edited: Nov 17, 2015
  6. old school

    old school Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    29
    Location:
    Spain
    Hi all.

    Windows 10 64 PRO + EAM + Webroot +Crystal Security + GlassWire Beta + WinPatrol free

    Have a Nice day
     
    Last edited: Nov 17, 2015
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Have a nice day to you too, @old school and welcome to forum.
     
  8. ifacedown

    ifacedown Registered Member

    Joined:
    Oct 12, 2013
    Posts:
    121
    Location:
    Philippines
    ESET NOD32 9
    McShield

    Windows Firewall
    K9 Web Protection
    UAC default

Zemana Antimalware 2 w/ Realtime Protection (Yes! Realtime! I tested it and it's working!)
    Emsisoft Emergency Kit 10
    Shadow Defender

    Autoruns
    CCleaner
     
  9. old school

    old school Registered Member

    Joined:
    Nov 14, 2015
    Posts:
    29
    Location:
    Spain
  10. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
I just found it out as well. :)
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Using AppInit_DLLs registry for dll injection at boot time is a security risk. One of the oldest methods of malware dll injection is to load its dlls in that registry key. You will receive a warning message in your WIN event log that dlls are being loaded but monitoring which ones are doing so would be abandoned over time since it would be assumed that only Outpost's dlls are loading.

    Question is if Outpost's HIPS monitors AppInit_DLLs registry key to ensure only its dlls are loading?
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
Hi all, I really missed DefenseWall. I was off the net for a long time and I was hoping to see a DefenseWall 64-bit version. o_O
     
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
Do these pics answer your question?
[attached screenshots: AppinitWatch1.png, AppinitWatch2.jpg]
If that value is not "" it means Outpost watches it, right? (I'm learning as I dig out the info for you, in case you haven't guessed.) If yes, does it mean no other can load?
     
  14. JohnMult

    JohnMult Registered Member

    Joined:
    Mar 26, 2012
    Posts:
    133
    Location:
    Greece
Setup I call "NoMoney":
    1. Windows XP Home (Admin Account)
    2. Malwarebytes Anti-Exploit
    3. NoVirusThanks EXE Radar Pro (Beta)
4. Chrome starts with DropMyRights (uBlock Origin, LastPass)
    5. CryptoPrevent
    6. Yandex DNS (Safe) on router
    7. K9 Web Protection
    8. Unchecky
    9. 1806 registry trick (Thanks Kees)
    10. No Java
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    LoadAppInit_DLLs registry field just controls whether dll loading from the AppInit_DLLs registry field is allowed. A dword value of 0 = no; a value of 1 = yes. If you check the LoadAppInit_DLLs registry field, it probably is set to 1. Outpost is monitoring the AppInit_DLLs registry field directly for any changes to it.

    One recommendation I make for WIN 7 users is to change the RequireSignedAppInit_DLLs registry field from the default dword value of 0 to a value of 1. This will ensure only signed dlls are loaded from the AppInit_DLLs registry field. I assume your NVidia and Outpost dlls are signed that currently reside in that registry field.

Note: On some WIN 7 builds, the RequireSignedAppInit_DLLs registry field is missing. In that case, a new like-named field must be added to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key with a dword value of 1. I assume you know how to properly edit the registry. If you don't, then ignore this recommendation.
     
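Added example (not from any poster, and not Agnitum's or Microsoft's code): a PowerShell script that reads back the three registry values discussed in posts #2, #11, #13 and #15 (LoadAppInit_DLLs, RequireSignedAppInit_DLLs, AppInit_DLLs), checks both the native key and the Wow6432Node view that 32-bit processes on 64-bit Windows use, and runs Get-AuthenticodeSignature over every DLL listed so you can see whether "require signed" would actually keep your current entries loading. It assumes an elevated PowerShell on Windows 7 or later; the only write operation (the hardening step from post #15) is commented out. Caveat from the MSDN page linked in post #2: on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled regardless of these values.

```powershell
# Added example: audit the AppInit_DLLs injection mechanism (read-only by default).
# Assumptions: elevated PowerShell, Windows 7 or later. Not code from Outpost or the thread.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view on 64-bit Windows; 32-bit processes read their AppInit_DLLs from here
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    Write-Host "== $key"

    # LoadAppInit_DLLs: 1 = injection enabled, 0 = disabled.
    # RequireSignedAppInit_DLLs: 1 = only Authenticode-signed DLLs load; a missing value behaves as 0 on Win7.
    $requireSigned = if ($null -eq $p.RequireSignedAppInit_DLLs) { '<missing, behaves as 0>' } else { $p.RequireSignedAppInit_DLLs }
    Write-Host ("  LoadAppInit_DLLs          = {0}" -f $p.LoadAppInit_DLLs)
    Write-Host ("  RequireSignedAppInit_DLLs = {0}" -f $requireSigned)
    Write-Host ("  AppInit_DLLs              = '{0}'" -f $p.AppInit_DLLs)

    if ([string]::IsNullOrWhiteSpace($p.AppInit_DLLs)) { continue }

    # The value is a space- or comma-separated list. Names without a path are resolved
    # by the loader against the system directory, so we do the same here.
    $sysdir = if ($key -like '*Wow6432Node*') { "$env:windir\SysWOW64" } else { "$env:windir\System32" }
    foreach ($entry in ($p.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
        $path = if ([System.IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $sysdir $entry }
        if (-not (Test-Path $path)) {
            Write-Warning "  $entry -> $path NOT FOUND (dangling entry; check who wrote it)"
            continue
        }
        # Status is Valid for a chain that verifies, NotSigned for unsigned files;
        # anything else (HashMismatch, UnknownError, ...) deserves a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Write-Host ("  {0,-45} {1,-12} {2}" -f $path, $sig.Status, $signer)
    }
}

# Hardening step from post #15: only load signed DLLs. New-ItemProperty -Force creates the
# value when it is missing (the Win7 case) and overwrites it otherwise. Uncomment to apply.
# New-ItemProperty -Path $keys[0] -Name RequireSignedAppInit_DLLs -PropertyType DWord -Value 1 -Force
```

Run it before and after adding RequireSignedAppInit_DLLs: any entry whose Status is not Valid is one that will silently stop loading once the value is 1, and any entry you do not recognise is worth comparing against what Autoruns shows under its AppInit tab.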
Windows 10 Pro 32-bit Desktop (G3240 CPU, 4GB RAM, 64 GB SSD, 2x500GB HD)
    1. Disabled autoruns, 16-bit, cmd, scripts, shared, offline, sync and remote
    2. Deny elevation of unsigned executables, internet apps in AppContainer*
    3. Block active content in Trust Center, block third party with uBlock0
    4. WFW blocks in- and outbound connections using OpenDNS URL
    5. Deny-execute Software Restriction Policy for all users/files

    Safe Admin policy: 1=reduce surface, 2=restrict rights, 3=mitigate threats, 4=filter internet, 5=deny execution
    note: Chrome using its own low/untrusted rights sandbox, reading emails in plain text in Outlook 2007
     
    Last edited by a moderator: Nov 22, 2015
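Added example (not from the poster above): the two items in that "Safe Admin policy" that map to well-known registry locations, read back with PowerShell so you can confirm a machine really has them. "Deny elevation of unsigned executables" corresponds to the UAC policy "Only elevate executables that are signed and validated" (ValidateAdminCodeSignatures), and "deny execute Software Restriction Policy for all users" corresponds to a Safer DefaultLevel of Disallowed with PolicyScope 0. The script assumes an elevated PowerShell on Windows 7 or later; the enforcing lines are commented out because an SRP with a Disallowed default and no path rules for the Windows and Program Files directories blocks everything, including the tools you would use to undo it.

```powershell
# Added example: verify "elevate signed only" (UAC) and "deny by default" (SRP). Read-only
# unless you uncomment the last lines. Assumption: elevated PowerShell, Windows 7 or later.

# UAC policy values live here; ValidateAdminCodeSignatures = 1 refuses to elevate unsigned binaries.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Write-Host ("UAC enabled (EnableLUA)          : {0}" -f ([int]$uac.EnableLUA -eq 1))
Write-Host ("Elevate only signed executables : {0}" -f ([int]$uac.ValidateAdminCodeSignatures -eq 1))

# Software Restriction Policies. The key only exists once a policy has been created.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $saferKey) {
    $srp = Get-ItemProperty $saferKey
    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
    $level = switch ([int]$srp.DefaultLevel) {
        0       { 'Disallowed (deny by default)' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted (allow by default)' }
        default { "unknown ($($srp.DefaultLevel))" }
    }
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    $scope = switch ([int]$srp.PolicyScope) {
        0       { 'all users' }
        1       { 'all users except local administrators' }
        default { "unknown ($($srp.PolicyScope))" }
    }
    # TransparentEnabled: 1 = all software files except DLLs, 2 = all files including DLLs
    $enforce = switch ([int]$srp.TransparentEnabled) {
        1       { 'all software files except libraries (DLLs)' }
        2       { 'all software files, including DLLs' }
        default { "unknown ($($srp.TransparentEnabled))" }
    }
    Write-Host "SRP default level : $level"
    Write-Host "SRP applies to    : $scope"
    Write-Host "SRP enforces on   : $enforce"
    Write-Host ("SRP executable types: {0}" -f ($srp.ExecutableTypes -join ' '))
} else {
    Write-Host 'SRP: not configured (no CodeIdentifiers key)'
}

# To enforce (uncomment deliberately). Create the SRP and its default Unrestricted path rules
# for %SystemRoot% and %ProgramFiles% in secpol.msc first, then flip the default to Disallowed.
# New-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name ValidateAdminCodeSignatures -PropertyType DWord -Value 1 -Force
# New-ItemProperty $saferKey -Name DefaultLevel -PropertyType DWord -Value 0 -Force
# New-ItemProperty $saferKey -Name PolicyScope  -PropertyType DWord -Value 0 -Force
```

Expect "SRP applies to: all users" only if you chose that scope on purpose; the default when creating an SRP is to exempt local administrators, which is exactly the gap the "Safe Admin" idea in the post above is closing.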
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    LoadAppInit_DLLs = 1.
    I don't see NVidia in the key. EDIT: ignore this line as I misunderstood something.
    Outpost and NVidia drivers in system32 are signed. Why did you pick NVidia, there's intel, realtek, others...
    RequireSignedAppInit_DLLs is missing. I'll add it. Makes sense. Restore image if it breaks the laptop.

This thread is mostly about users' setups. I feel out of place doing Outpost details at this point (I love it, I'm learning). It started with just answering a query one page back (#37245), but it might not be wise to continue in this thread. Suggestions?
     
    Last edited: Nov 18, 2015
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,896
    Location:
    U.S.A.
    Correct! Let's Stop All the Outpost Discussions Here.

    There are Recent Outpost Threads in the Firewall sub-forum. Continue Your Discussion There. Thanks!
     
  19. Ro4dRuNn3r

    Ro4dRuNn3r Guest

    Changed to what is in my signature... No complaints so far. :thumb:
     
  20. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Aren't you taking this obsession with "Windows Security" a bit too far? I almost never see you post anything about anti-malware tools anymore. Come on, this ain't fun anymore. :D
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is exactly what I'm using at the moment, but the plan is to add HIPS and perhaps anti-exploit. I already used MBAE Premium, but combined with ERP it gave me shutdown problems. And I'm reluctant to try HMPA, because of all the issues that are posted.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Little Snitch looks kinda cool.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Not had any problems using HMPA with (light usage of) SBIE, and ERP. Only one small issue, but that is due to using WSA. Maybe give it a trial?
     
You are right. I have tweaked this safe-admin setup past the limits of where I am enjoying it myself. I am done with third-party security and security in general, reducing my contribution to Wilders to a boring securing-Windows niche.

    I also stopped throwing malware at my desktop setup, because my friend (a malware reverse engineer) moved abroad (cutting me off from the honeypot collecting new in-the-wild malware samples). The publicly available malware is not able to pass the combo of my hardened Windows with Chrome sandbox.

    But have a look at the 'other malware' section: there are really few HIPS-based applications left to play with.

    Re-HIPS might be a nice free policy-based HIPS, but AppGuard (paid) is king of the mountain. Same applies for Cybergenic Shade, it has an even higher hill to climb to compete with Sandboxie in the application virtualisation market. Both might face a hard time in the consumer market since all Windows Apps run in AppContainer and Office is available as a free cloud application (making the added value of guarded apps questionable) and Chrome Sandbox (Chrome and AppContainer apps making the added value of Sandboxie questionable).

    The most interesting (free) security programs at the moment are Bouncer and Smart Object Blocker. But they are power-user tools; due to a limited or lacking user interface their user base will be limited. Since I already have a Windows 10 Pro version, the added value of Bouncer/SOB is limited for me personally.

    The improvement in security in general sort of takes away the fun of throwing rocks at your own window(s) when you know it is without risk. For me the balance shifts from "when it is not broken, you have not tried hard enough" to "when it is not broken, don't fix it". When I don't break or fix things, there is little to post about :'(
     
    Last edited by a moderator: Nov 19, 2015