Wanted: Security setup opinions - antispy/malware recommendations?

Discussion in 'other anti-malware software' started by Kylezo, May 27, 2008.

Thread Status:
Not open for further replies.
  1. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11
    Hi everyone! I am looking for some opinions on my security setup, possibly some recommendations. I am running all free apps and a very light system, and I want to keep it that way.

    I am running:
    2Wire 2701bv2 Gateway w/inbuilt firewall
    Windows Firewall (SP3)
    Avira AntiVir Premium (got a free licence through the recent promotion)
    HostsMan for hosts file mod using MVP hosts, and 2 others (lots of blocked servers)
    and, well, that's it.

    In the past I was using the hardware firewall with AntiVir and HostsMan with Spyware Terminator (HIPS, etc) and Sandboxie. Probably total overkill, but definitely worked. I stopped using SBIE because the performance lag was terrible compared to how IE started up and ran without it. Wasn't worth it to me, although I loved the feeling of safety ;). I am using a reformatted, brand new XP Pro installation and haven't finished installing everything, and I don't know if I want to put ST back on...partly because of the performance hit, partly because the security prompts are annoying and uninformative...I am prone to just getting used to hitting 'Allow' and rolling right into an infection since the prompts don't say whether it's malware or not.

    So I was considering just downloading a really good on-demand spyware scanner like A-Squared, SAS, etc, but I also read that it's pointless to be running a scanner a few times a week while your system has plenty of time to be infected in the meantime. Real-time protection isn't a deal breaker for me as long as I know what I am doing with my system (and besides, for free, that leaves me with Spyware Doctor and Windows Defender by my estimation).

    I practice very safe internet habits, although I download a lot of files. I am web savvy enough that I recognize a scam from about a billion miles away, but I am wary that some of my downloads might be troublesome, in which case Avira won't stop the fury unleashed within. With a huge hosts, hardware firewall (and one way Windows software firewall), and Avira, I thought I might be fine without any additional components (did I mention lightweight and free?), but I would like other opinions.

    I also use CCleaner for routine maintenance, and enabled clearing of temporary internet files upon closing browser (I am using IE7).

    So should I stick with ST? Is BOClean a viable alternative? Threatfire? I don't know all that much about this realm, and as far as I am concerned, viruses are kind of old and the new danger is much more present as other types of malware.

    Thanks!

    Kyle
     
  2. Scoobs

    Scoobs Registered Member

    Joined:
    Sep 21, 2005
    Posts:
    115
    I'm surprised by the performance hit you describe concerning Sandboxie. I haven't heard that before.

    I really like Returnil and Sandboxie (see my signature) and I think their virtualisation offers good protection for little effort.

    From my sig you'll see I use AntiVir as real-time protection and SAS on demand. I've recently changed from AVG and Spyware Terminator. I was happy with my previous set up but thought I'd try something new. AVG was user-friendly, and seemed to offer good protection, but took a very long time to scan (I'm not sure how long Antivir takes by comparison, one of the things I want to test) and Spyware Terminator was fast to scan but slow to update.

    I could well go back to them depending on how I get on with Antivir and SAS.

    To answer your question, I'd recommend Returnil. It is a good solution to the problem you identify, namely that "viruses are kind of old and the new danger is much more present as other types of malware".
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Here's a thread that references a recent malware scanner test.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Kylezo,
    If you have a frozen system partition (Returnil) and your security fails, the malware will be removed during reboot.

    If you have a normal system partition and your security fails, the malware will remain on your system partition, even after reboot.

    It's up to you: keep your system clean OR collect malware on your system due to security failures.
    It doesn't always have to be a security failure; badly configured security software due to lack of knowledge can also be a reason why malware bypasses your security.
     
    Last edited: May 27, 2008
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Kylezo, you seem to harbor a similar philosophy of small footprints.

    I am by no means uber security guy or anything, but I like most of what you're saying. Hosts files, I use them but very sparingly. A comprehensive list, by my own tests, does indeed slow surfing down. I am talking about very large lists though. Instead of relying on a list to stop you from going somewhere, you could use the Proxomitron and use regular expressions to match many of those.

    Better yet you could use the excellent Blockpost plugin that is for Outpost firewalls. It lets you block domains, so instead of needing say 8 different host entries, you could block the domain by netblock (as in 44.44.44.1 - 44.44.44.41), much easier to maintain than a host file.

    Sandboxie, for me, is reserved for browsing sites that I may not trust. Heading over to tomshardware I trust any browser. Heading over to hddapps.cz, maybe I will use Sandboxie. Performance hit? I have not noticed it. But then again I don't really care at that point either.

    Windows firewall is a firewall for inbound stuff. I would imagine that if you have all of your ports closed you would not need it behind a router. That leaves you with what software is potentially opening a port, in which case you will need a software firewall for outbound processes. I much like the SoftPerfect firewall for very small footprint but it is not a per application rule firewall, more like Windows firewall, but somewhat better. Does MAC rules too, which can make it very valuable for some uses. If you know what you install, and trust them implicitly, then why worry about a firewall at all?

    I have been toying with Threatfire for some time, since it was Cyberhawk. I use it on other peeps' computers and my wife's. I have been messing with it on my own lately. I must say that it picks up many things I did not think that it would, which primarily are situations that totally make sense. It also has successfully quarantined 41 of 43 little bugs that I have collected (in VMWare of course). It is fairly small at about 9mb footprint for 2 processes, and pretty quiet. Not much to speak of for setup either. However, the GUI frontend definitely uses some resources, but you don't use it that often anyway.

    Maybe not helpful, but maybe you get a new idea.

    Sul.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    Blacklisting by using the hosts file is a waste of time and resources.
    It's slow, a drain on local system, probably adds overhead to dns server because you're most likely not caching dns ... and simply ineffective.
    Mrk
     
  7. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11
    Hi all, thanks for the fantastic, quick replies.

    I, too, was not expecting any kind of performance hits with Sandboxie, so I was surprised when I went back to IE how much faster it was - I had gotten used to the lag. Maybe it was just my system, and I'll definitely think about trying it again.

    I have heard of Returnil, but never looked into it, so I will definitely take that into consideration. With a complete virtualization option like this, it seems kind of complicated to make WANTED changes to my computer. If I am downloading or installing things, and these changes are all virtual, do I have to reboot into a real 'unsafe' environment to get these things done? Then I have to do everything twice - test in Returnil and reality in Windows. Sure is good security practice though!

    As for an outbound software firewall, I understand the need for that, but I don't think my surfing practices warrant it at this time.

    BTW Scoobs, I use Driveimage XML too, for backup purposes - I thought to mention it but decided not to! :) And I used to use AVG and I find AntiVir to be slightly quicker in scanning, but moreover, I greatly prefer the UI and the footprint. Plus, a free subscription is welcome! This is besides reading over and over again that it has superior detection rates, but that may or may not be true.

    About the hosts file, I use that fundamentally as an ad-blocker, which inherently speeds up my surfing. The very rudimentary 'protection' it offers is secondary, however welcome. I did a lot of reading (as you know I am into speed) about the possible performance hit of a large hosts file and the possible repercussions of disabling the DNS client service, which in theory overcomes all performance problems. From what I have read on a domestic system like this, run through a consumer ISP like AT&T, the DNS service has negligible, if any, effectiveness. However, I will definitely look more into that based on the comments here. Quick Google:
    http://www.bleepingcomputer.com/tutorials/tutorial51.html
    "NOTE: It is important to note that there have been complaints of system slowdowns when using a large hosts file. This is usually fixed by turning off and disabling the DNS Client in your Services control panel under Administrative Tools. The DNS client caches previous DNS requests in memory to supposedly speed this process up, but it also reads the entire HOSTS file into that cache as well which can cause a slowdown. This service is unnecessary and can be disabled."

    As an aside, anyone ever heard of/used DNSKong?

    Mrk, I have not noticed any slowdown or drain on any system resources at all, save for using up a few hundred KB on my hard drive, with a modded hosts file. From what I understand, the DNS service isn't all it's cracked up to be based on the reading I have done. This is besides the fact that it is obviously effective, since it blocks ads with great consistency. Do you have more information, or perhaps at the very least, an alternative? The Proxomitron seems like the only other service that would achieve a similar effect in blocking ads and domains, but I read about slowdown using that as well...and for me, re-encoding every page I visit on-the-fly seems like overkill. But I don't really know how the program works yet.

    Of course there is no simple answer, at this point I am simply looking for the best option to round out my security.

    Thanks again for all the informative responses, everyone! This place rocks.

    Kyle
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    DNS service isn't cracked up to be ...?

    If you disable caching every single request will go to your ISP for resolution, causing a slowdown on your side and a great increase in load on the server.

    Historically, DNS replaces the hosts file as a method of resolution.

    Hosts files are linear (flat files) and thus SLOW. Furthermore, "bad" sites pop all the time so the method is very very ineffective.

    Block ads? Use Firefox or Opera, problem solved.

    Mrk
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    DNS Kong rocks. I used to use it as it has the capability to do netblocks. As an example, I used prevx when it first came out. After they updated engines, I found that the old one would try to go to sites that were no longer valid. I scoped them out and added like 15 entries or something into the hosts file so it would not try and update to a non-existent site. It would have been easier to just use dnskong and stop the whole netblock for prevx. But at the time I just coded a quick app to add routes to go to an unused node on my lan. Worked ok. Either way, dns kong is a really neat app.

    I think you are perhaps misunderstanding the power of the Proxomitron. I don't have it do much, only stop ads. And keywords and such. It does not take much really. I have been using opera since before 98 came out. It was super fast on dial up, and using proxomitron only made it better as those ads and such never were downloaded at all. Just a little box or something that showed it was there. I don't want it to recode every page that comes down the pike, mostly just stop popups and ads. Some keyword addition such as google ad stuff etc is easy to do. A short list of some known ad sites works well too.

    If speed is what you are after, I would suggest giving opera or kmeleon a try. Opera has become more bloated in the last few years (since it went totally free), but it is still fast. I think at this point though that kmeleon is the fastest. The only downfall to anything other than IE (including using proxomitron) is that some sites just plain won't work with anything else. Not very many though. I find that if opera does not open them properly, bypassing proxomitron does the trick about 75% of the time, the other 25% I have to resort to kmeleon. Once in a blue moon I have to use firefox. I would bet that less than 1/2% of websites I go to actually require IE.

    I have been running with the dns client disabled for years now, but recently have been playing with it again, along with some different reg tweaks. Verdict is not out yet for me. But then again, I disabled it because Outpost had a dns cache plugin that did a good job in its place.

    Sul.
     
  10. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11

    Different browser is the only other option? I'm happy with IE, although I thought about switching to Opera some time ago...I decided against it since IE is already hard wired into my OS. It seems to suit me fine.

    Thanks for the suggestion though. Since you are obviously quite convinced of the negative effects of disabling the DNS Client service, I will test out the different options on my system and see how performance is affected. I just tried turning the service back on with my large hosts file and everything slowed to a crawl while browsing. No benefit there...So I reverted back to the original, small hosts file and turned the service on...speed seems about the same, only with ads. So I am not seeing any practical issue with turning the DNS Client service off, although you aren't the first person to warn that it is a terrible idea. Do you have any information that I could read up on to help me understand how or why this works?

    I found this:
    Anyways there seems to be a lot of conflicting info about DNS Client Service vs hosts modification. I am always open to more ideas. Don't really want to use a different browser, though. Maybe I will take a look at kmelon, this isn't the first I've heard of it. And how is DNSKong even used? I have been having a hard enough time just finding a download link that's not from 2000...

    Lots of info here, not sure where to go next, but thanks for the reading material. In all honesty, I am not even sure what I am looking for, but that's why I made this post listing what I have/use - to get some ideas and feedback.

    Thanks again for the replies!
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hi,

    The purpose of the DNS cache is to offload the requests to servers. The already resolved domains will be retained in the cache for a period of time and served without further requests to servers.

    Now, imagine every single machine disabled their cache. Then, every single request for name resolution would be forwarded to the next server and then to the next until the answer was found. This way, the 13 root servers that delegate the entire internet would simply crumble under the load of billions of requests every second.

    With disabled cache - you are contacting your ISP and asking for name resolution. This takes time - hundreds of milliseconds, maybe even seconds - compared to your cache, which takes milliseconds.

    Let's say you have 1,000 sites in your cache. Then looking up these the first time will take about 1,000 seconds, but all subsequent times the total would be only a second.

    With disabled cache, looking up up these sites would take 1,000 requests (1,000 seconds) to the server EVERY SINGLE TIME, unnecessary bandwidth and load. Then, your ISP will have to upgrade their infrastructure to keep with the demand and thus raise the price of their services. Meanwhile, everyone will suffer from reduced performance and increased load.

    Similar to disabling the browser cache. Try that. Pages will take much longer to load - every single time.

    Now a simplified view on efficiency:

    The whole idea of the DNS is to make the system logarithmic and not linear. This way, you make leaps between servers. At max, you need lan(steps) to find your site. Thus, if there are 1,000 sites, your search will take 10 hops at most to find the right server.

    With hosts file you have a list of 1,000 entries. If your site is the first, you're lucky. If it's the last, you have to browse through 1,000 lines of text, which is the slowest possible method. Text files are slow.

    Now imagine 3 million sites. Your hosts file would be huge - and Windows has a problem with huge text files - and take a long, long time to go through. Long in computer terms, that is.

    With DNS, you simply make a quick jump to your ISP, it refers its own cache, if it can't find the result, it checks its own DNS and so until the answer is found. Usually no more than 15-20 hops, a hundred max!!! Less than 3 million or billion or whatever. Quite a few orders of magnitude.

    So you lose time the FIRST time you lookup a site, let's say 5 seconds, but then, it's in your cache and you no longer need to go the long route to find the site records and translate the name to IP.

    With cache disabled, you waste this time, bandwidth etc. With hosts file in action, you further slow down your work by forcing the machine to check the hosts file for matches before hitting the internet.

    And now the practical implication:

    There are 10 billion sites on Google only. And your hosts file blocks what? A million (probably far far less)? That's 0.01 percent. So, you're making havoc of your machine and your ISP by blocking 0.01 percent of potentially dangerous sites.

    To say nothing of:
    Sites constantly come and go.
    Legitimate sites can get compromised.
    Someone updates those blacklists - do you trust them?

    Not only is blacklisting ineffective and does it undermine infrastructure, it also creates a false sense of security and makes people use obsolete methods that should not be used today.

    Finally, you can try a few articles on Wikipedia ... DNS etc ...

    Mrk
     
  12. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    If you want to continue using IE, you can try IEplus or IE7pro. Both addons include an ad blocker.
     
  13. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11
    Understood about DNS caching. I have not noticed any problems with speed so far, although what you say makes perfect sense, sounds just like what I have read about. Makes me wonder why there are so many conflicting opinions about the DNS Client service.

    I would like to re-iterate that I use the hosts file for ad blocking, not nasties-blocking. I agree with the outdated and ineffectiveness of blacklisting in that area. I will check out some IE add-on options to that end.

    Mrk, thank you for the info on DNS.

    So aside from this ad-blocking tangent, any suggestions on another arm of security for my setup?
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Kyle, when on XP Pro consider two users: one with limited rights using policy management, and an admin. You can configure XP to pop up a user-id/password when admin rights are required.
    XP Pro gives you safety without performance loss, so only use AVIRA premium (AV + AS). I share Mrkvonic's idea on blocking IPs through the hosts file: forget it.

    Want to speed up startup of IE7? Replace it with Opera, look for the skin vsta_skin-2_12, and google for opera buttons to get the pictograms for history and favourites, that's it. Now you have got Opera (much faster than IE7), looking like IE7.
     
  15. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11
    Excellent thoughts, thank you Kees. Some might say my computer is an accident waiting to happen...I have removed all but the default administrator account on my computer. I suppose I could re-create the default limited user account and I know I read about a utility somewhere that can clone account settings/Documents. At this point, anyways, I have put pretty much everything into the "All Users" settings that I can, so at least those will stay.

    As far as dressing up Opera goes, I looked into that and I will consider it, but honestly IE7 doesn't give me any grief at all. It starts up instantly. But I will try Opera to see if I like it more. I do use bittorrents, although I haven't read anything on how well Opera's inbuilt BT client works.

    But at least with using Opera, that would solve the ad problem when I cut the hosts file out of the picture. For now, I am using a hosts file with just a few entries, the major advertisers, that cuts out a good percentage of the ads throughout the net. So now I have a small hosts file and I turned back on the DNS Client service. Still not confident enough about the details to recommend that to others yet.

    Wanna guide me to a resource on setting up limited users? I am the only person that will use this computer so I eliminated all other accounts out of convenience.

    Thanks again!
     
  16. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Using third-party tools for duplicating user profiles is an unnecessary option. I suggest you do it yourself using Windows' own duplicate tool:


    1. Since you are already using an admin account, create two new accounts: your new limited user account, e.g. "newUser", and a temp. admin account named e.g. 'x'.

    2. Reboot and log in to your new user account "newUser", then reboot again and this time log in to your temp. admin account 'x'.

    3. When you are now in your temp. admin account 'x', go to Control Panel/System Properties/Advanced/User Profiles and press "Settings". Highlight the profile you want to copy from, e.g. "oldUser", and then press "Copy to".

    4. Browse for your new limited user account, "newUser", in your Documents and Settings folder, i.e. "C:\Documents and Settings\username", and then press "Ok".

    5. Now it starts copying and when it's finished you have your new limited user account with the same profile as your admin account.

    6. Reboot into your old admin account "oldUser" and delete the temp. admin account 'x'. You're done!


    It works very well.


    I agree with Mrkvonic on this, blacklisting sites is ridiculous nowadays.


    http://www.microsoft.com/protect/computer/advanced/useraccount.mspx


    /C.
     
  17. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11
    Cerxes, thanks for the awesome info. Seems simple, I think I'm going to go for it.

    Wow, Microsoft tells you to test account types by trying to change the time. Not that I will ever need to do that, but dang, that's kind of why I have been resistant to using a limited user account anyways - can't even change the time. It sure will be fun trying to download, install and run utilities on a limited account.
     
  18. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
  19. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I have used them both as well as the quero toolbar for that purpose. And I believe that Quero blocks ads the best of the three.
     
  20. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11
    Well here I am, logged in under my new limited user account, after following the simple and effective procedure outlined by Cerxes. However, there are some unforeseen issues:

    I did a lot of tweaking after my fresh install of XP Pro on this machine with Tweak UI and X-Setup Pro. The tweaks don't seem to have transferred. Additionally, I patched my uxtheme.dll to allow for 3rd party themes which seemed to work, except now when I log on I need to re-apply the theme under this account for some reason. Also, the scrolling on my touchpad (this is a laptop) does not function correctly, and in the settings for the device, it won't let me check it. The Enable Scrolling boxes aren't grayed out or anything, it's just that when I click them, no check appears. Like it is instantaneously cancelled.

    That's all the differences that I've noticed so far, except the obvious - my MRU lists didn't transfer, temp files and stored passwords for web forms, etc. But that's not a huge issue. I'll see how debilitated this account really is and make a final decision, but this seems like a perfect option for security and speed. Thanks for the input on this, folks!

    As for Quero, I never trusted it...don't know why...maybe I ought to give it a second chance. I was still trying really hard to decide between IE7Pro and IEplus, and having a really hard time. I am looking for a dedicated, utilitarian, minimalistic option for adblocking. I suppose that's a convo for a different thread though!

    Thanks again, everyone!

    Kyle
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I also agree with this, I don't use it anymore. It also causes problems sometimes: for instance, I couldn't get access to the Online Store of Faronics, because it was blacklisted. It took me a while to find the reason, waste of time.
     
    Last edited: May 31, 2008
  22. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11
    I had some issues like that too, although with a less 'robust' file I never run into it anymore.

    Still having issues with the limited account...can't customize start menu, still have to reapply my theme constantly, mouse scroll doesn't work at all...I'll give this some time and see if I can't work out the kinks, and maybe check out that SuRun program mentioned above.
     
  23. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11
    Back again, I downloaded SuRun (considered DropMyRights but read some serious arguments against that in the thread referenced here...) because I was having so many issues with the Limited User Account. SuRun was unable to help me. I can't make any changes to my own account e.g. themes, sound schemes (I like to turn off all Windows sounds, I hate that clicking noise...), start menu customization for workflow...none of the changes stick. I tried running Control Panel as Admin with SuRun and even the changes there didn't stick.

    LUA doesn't seem to be a viable option for me. Maybe I am better off running IE and uTorrent through DropMyRights, at least that will give me some added protection.

    Seemed like a perfect solution from afar, though. Thank you for the suggestions, everyone.
     
  24. Kylezo

    Kylezo Registered Member

    Joined:
    May 27, 2008
    Posts:
    11
    I'm back!

    I sent an e-mail to the author/webmaster of www.mvps.org with some excerpts from this thread asking if he can help clarify. Here is the response he sent me:

    Private communications removed per the TOS. Feel free to explain the communications in your own words....Bubba

    So...thoughts?
     
    Last edited by a moderator: Jun 11, 2008
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Kylezo

    Try GeSWall free for 1 application or DefenseWall paid for all internet facing apps to run as (a stronger form of) limited user. DW also remembers what files you have downloaded; when from an untrusted source these files are also kept in the limited environment. Nice thing is that it won't throw pop-ups.
     