Where To Now?

I'd appreciate some input from the collective security minds of the Wilders people as to where to go next with my security set up.
The situation is now that I'm running with just KAV 7 , Windows Firewall & a Netgear Hardware Firewall with SPI.
In gradual succession I've dispensed with the following:
1) HIPS - too intrusive and I'm too stupid to understand cryptic messages.
2) Online Armor - Explorer lock ups galore and sloooowww computer.
3) Comodo Firewall - too many questions (if I want to be continuously nagged I can just go downstairs & talk to my wife! )
4) PrevX - too many FPs and never quite sure what it actually did do....
So......
I'm running XP with SP3 . PC runs fast & stable now without assorted gubbins detailed above.

I'm currently using SandboxIE / Shadow Defender when venturing to the (ahem) dark side of the web.
Can restore with the ever faithful FD-ISR & Shadow Protect and beginning to wonder am I kidding myself that all is too good to be true and should I adopt a slightly more 'safe' strategy.
I've thought about the following options:
1. Stay as I am and see what happens
2. Try Erik Albert's frozen snapshot strategy but really doubt I have self discipline to maintain this & I absolutely hate AE.
3. Run as LUA with SuRun +/- SRP - but this seems to cause users all sorts of wrinkles to iron out especially with SandoxIE (which is not coming off my PC)
4. Upgrade to the dreaded Vista as UAC looks to have pretty solid Rootkit protection.
any thoughts?

 

In all honesty if you happen to be using a browser besides IE (or at least have IE locked down tight), have Sandboxie, Shadow Protect, your router, image backup, and you have a good AV, you're set IMHO. Put Firefox with Noscript and AdBlockPlus in with all that and you're ready for just about everything bad the net has to offer (generally speaking here, yes, I'm aware there are some crazy rootkits and such out there).

I'm with you on HIPS, I don't want some program telling me about every fart my computer makes. Threatfire has been the quietest in that respect, but I just can't help but get uneasy about that thing so I've uninstalled it. As far as Vista, eh, screw it. "Windows 7" is SUPPOSEDLY going to get a beta at the very least at some point in 2009-2010. Obviously they know Vista wasn't the hotshot they expected, and 1-2 years is not enough time to bother investing in an OS that's gonna get replaced in that time period. Again, just my opinion.

 

Hello L Bainbridge
Make a move to VMs

All the $ you have saved = license for VMWare Workstation = unlimited options.

or Free VirtualBox.

Set-up a snapshot try the freeze.
Sandboxie and Returnil work inside VMs. ? Might be overkill lol
Add a cocktail of free AV or FW if you want...PrevX works in a VM
Get rockin': Stick Linux in a VM

The VMs are just files on the system 'till booted and as such can be copied moved imaged etc etc: works fine inside/with FDISR or Shadowprotect on host.

Expand your horizons.

 

My setup is similar to your existing one-running Windows Firewall and a Hardware Firewall,plus AntiVirus,all with SP3.
The only addition thrown in is Threatfire in default mode,virtually no popups

Everything going smoothly,fast and responsively-in my opinion quite enough security,especially as I also backup with SP.
No security problems whatsoever!!

Accept the benefits-dont feel guilty ,dont go for useless overkill.

 

That's because you don't use a frozen snapshot in the same way as I do. I tried to explain it at Wilders's FDISR forum and how I combine ShadowProtect and FDISR to accomplish this, but nobody seems to understand it, while it is so simple. It's not my fault that most users have a classical backup procedure. I don't backup my actual "infected" system partition anymore and that's what most users do.
Although this might not make sense to you, after all, what has a frozen snapshot to do with ShadowProtect, it certainly make sense to me. I just do things in a different sequence, other procedures, because the classical procedures are wrong.
Most users start like this : snapshot - archive - image. I reversed this procedure : image - archive - snapshot. You see the difference ? And I changed my backup procedure also.
All I do is boot, reboot and keep my system up-to-date. Is that discipline ? No every user does that.

 

L Brainbridge,
You hate AE, but AE is the most friendly one to stop unauthorized executables. AE's philosophy is very simple to understand.
I use AE, because I'm also too stupid to work with HIPS, Online Armor and Comodo.

I only use a firewall, AE and DefenseWall. I doubt it is sufficient enough to stop any malware immediately, but I remove any malware during reboot.

A malware can do 3 things :
1. Steal your data and that is VERY BAD, because you can't rollback a theft. There are several ways to prevent this.
2. Damage your system partition, but that is not a problem, because you can rollback to a healthy system partition. Any ISR-software can do this + Image backup in worst case scenarios.
3. Infect your data files.

So if you can prevent the stealing 100%, your security setup is as good as finished.
The rest are damages, which are fixed during reboot : Returnil, ShadowDefender, etc.
You can use KAV to desinfect your data files.

 

I feel pretty much the same. And i could add one more reason. Firewalls with HIPS, on my system, seem to perform noticeably poorer than "firewall only" solutions. Meaning, that Kerio 2 or PC Tools Firewall perform much faster all internet tasks for some strange reason and with less CPU usage. I honestly think, that they neglect the filtering part of the firewall, because they are too occupied fixing bugs of the HIPS part. The problem is, that for me, my browsing speed is a priority over their 100% Matousec awards.

So, IMHO, you can do the following things.

1) Virtualization. Sandboxie/Returnil/Safespace.
2) Threatfire. It does have false positives, but usually easy to spot.
3) Go for the "light" HIPS way. It's what i am currently doing. HIPS are difficult to understand and annoy you with many and cryptic pop ups? Then use a HIPS with only execution protection enabled (like Process Guard Free). At least, you can be sure that in your PC only the things that you have authorized will execute. You will get a pop up once and nothing more.
4) Use a combination of the above.

 

Thanks everybody for their answers.
Erik Albert - I think I finally understand how you use the Frozen Snapshot system and the logic for this.
It's definitely an option now but I might need a bit of handholding into how to get there.(still not sure about AE though !!)
The other option is a VM for online work using something more secure than Windows - maybe one of the flavors of Ubuntu. The logic being *nix is less susceptible to data theft (e.g. keyloggers etc.) and turning off the VM presumably abolishes the threat of rootkits etc. persisting.
I think in the 1st instance I'll have a play with Threatfire and see what I think but if I get the same antibodies to this that I got to PrevX, I'll explore both of the above 2 options.
Thanks to all of you

 

It's just an option, you don't have to use it, it's only info. You have to develop your own security/recovery solution, the one that makes you feel secure.