The correct security approach?

I've done a lot of experimenting on windows security in the past few years, and have tried a lot of security applications out there. I personally think there needs to be an approach to windows computer security, and some approaches are better than others. Please note that this is just for educational and discussion purposes and that I know many people who use no security and never get infected.

Here is how I've personally approached security in the past:

Initial security approaches (early days):
1. Real-time Antivirus (that's all folks)
2. Windows Firewall
3. Not running unknown/untrusted applications, avoiding untrusted web-sites if possible, keeping software up to date etc.
Here, I thought that a decent antivirus was all I needed. Then, around 2004, I discovered that a more solid firewall was necessary:

1. Real-time Antivirus
2. ZoneAlarm Firewall
3. Not running unknown/untrusted applications, avoiding untrusted web-sites if possible, keeping software up to date etc.
Here, I thought I was bullet-proof, and that this was all I would ever need. Then I heard of a free firewall that got 100% leak protection out of the box:

1. Real-time Antivirus
2. Online Armor Free
3. Not running unknown/untrusted applications, avoiding untrusted web-sites if possible, keeping software up to date etc.
Here, I discovered my first classical HIPS, and I was very impressed by it. I even got used to the pop-ups and learned how to confidently deal with most of these pop-ups. Arguably, this security approach is close to being bullet-proof, because it has this classical HIPS component which does NOT rely on signatures that need to be updated and which does NOT only detect a proportion of malware out there. Then, I got sick of the slow-down at start-up (the long pause on the Welcome screen), and made a switch:

1. Real-time Antivirus
2. Comodo Firewall Pro
3. Not running unknown/untrusted applications, avoiding untrusted web-sites if possible, keeping software up to date etc.
I was very impressed once again. My system ran lighter than ever, and I felt just as protected with this Firewall/classical HIPS on board. Then, I discovered programs like DefenseWall and Sandboxie, with Sandboxie giving me the security approach I'd been looking for all this time:

1. Real-time Antivirus
2. Comodo Firewall with Defense+
3. Sandboxie
4. Not running unknown/untrusted applications, I can now surf wherever the heck I want to haha, keeping software up to date etc.
Here is where the break-through came. As I learned more about Sandboxie, I discovered that it could cover everything (except eg. LAN network protection), and that this security approach might be the best and most convenient there is (for me). I even realised that I didn't need a real-time antivirus anymore:

1. Sandboxie
2. Comodo Firewall with Defense+ disabled (only enabling it in Paranoid Mode if I ever connected to LAN networks etc, or wanted to analyse the behaviour of unknown/untrusted applications).
3. Running unknown/untrusted applications in a virtual machine etc, running newly downloaded files from unknown/untrusted sources (regardless of file type) sandboxed, continuing to surf wherever the heck I want to haha, keeping software up to date etc.

So there you have it. Anyone care to share what their security approaches have been like? I think it's important to have one, and to understand it well. The following security approach is very welcome too, but lacks detail haha:

1. Common sense.

Also, this is probably a good security approach to have (for a lot of people), and I'm sure we'll get many people posting about it here:

1. LUA, SRP etc etc

 

It is odd that with all your testing of security combinations you are not concerned with backup solutions (that is according to the poll you don't use any imaging software).

I went through various stages like everybody who has an interest in keeping their computer in pristine conditions, and in the end it comes down to two essential types of applications:light virtualization and imaging software. I bought 2 computers in the last 2 years, and my first concern was to have an imaging program to make sure that no matter what happens my system can be recovered within minutes.

 

You, my friend, have developed "Wilders Syndrome"

It happens to us all. Do I understand correctly that you've now gone to a Sandboxie-only approach? I heard that somewhere deep in the forums, lol. I believe the common sense approach is the best and lightest form of security you can get. However, some interpret that as not needing ANY security program. I'm afraid that unless you can judge malware from innocent files just by looking at them, that kind of security utopia isn't here yet. Common sense to me is keeping your browser updated, tweaking it just slightly to keep malicious scripting at bay, and scanning everything you download with a reliable AV/AS before execution.

I tell you what SSJ, after going so long using Sandboxie and merely using it as a "cleaning tool" instead of active protection against malware, I'm nearly ready to go the route of AV only with an on-demand AS as backup. Using Firefox every day and with Internet Explorer 8 tweaked a bit, I'm just not seeing the "malware epidemic" that so many are afraid of.

 

I don't understand. Imaging software is first and foremost geared at reinstalling your system in case of hard drive failure.

 

These are some of my favorite types of threads because you get to see others viewpoints/approaches and often you can get some good food for thought out of them.

Myself, I am self-taught geek, starting with the original Apple my dad brought home when I was a kid, ranging through the years up to today. My dad worked on mainframes for varying companies over the years, being primarily a computer programmer (punch card days) to IT etc. You know, when your dad gives you a dozen computers in various states of working order, and you have to build your own, install the OS and find why hardware don't work in those days was harder than todays plugnPray.

Anyway, whilst I initally used to just tweak the OS for performance in 311/95/98 days, because you only had 1gb hdd, and 233mhz cpu etc, you had to. Security was not that important because the internet was just a big forum for some time. I forget the year, but maybe 97/98 the dotcoms really took off, along with of all things 'personal firewalls'. lol, looking back I remember when ol' Norton was the thing to have, but only to scan floppies. As time progressed into ME/2k and then XP, the gigahertz barrier was broke, sdram was abundant at 133mhz, hdd's were spinning at 7200rpm with ata66/100 speeds, and things started to work better. Gone were the days of looking to make it perform better, now it was more focused on making XP/2K consume as little because the programs were utilizing the extra power. To this day I think many experienced users who have great machines (myself anyway) still try to keep those resources low because of the programs habits of using all they can.

As the internet boomed, of course the haxors/script kiddies took advantage, and you basically had to respect the threats they posed. Enter more AV,AS,AM,FW,HIPS etc etc. And so it progresses, a never ending route from close the exploit to new exploit. Too bad the OS in major use (M$) was so slow to respond. The reason does not matter, as the top dog gets targeted the most, so it is what it is.

Now today, having run through so many different versions of windows, and so many different worries about what is vulnerable, and so many security schemes built around either protecting data or protecting the integrity of the OS install, I have some definite different viewpoints than just a couple years ago.

I think much of what you need to know or do about security lies in just what you use your comptuer for, how much you know, and what you stand to lose. For many people I know, average users, they do online purchasing or banking. They need some protection from keyloggers and such, any malware/virii that might try to steal thier data. But there are numerous ways to deal with it, if the user is willing to take a few extra steps to insure thier protection. Sadly, many are not. But I think most would be.

It is so common that people use their computer as entertainment, and they put pictures/music/video/documents on thier computer. They don't have much to lose that is sensitive, only things they have not backed up or the inconvenience of putting it back on thier computer. I really think that if everyone had a regular backup scheme, whether data backup or imaging the drive, it woudl solve a large majority of issues. Consider that you store your data on an external drive. This is good in case you need to reinstall the OS, but the data is not really safe on a hdd. Optical media (or flash these days) really is the only way to be sure your data is backed up. But SOOOOO many I know don't want to do that. It is like it is taboo to them or something. The way I look at it, if it is important, it goes onto a mirrored raid array AND optical/flash media. The rest, I keep on hdd and if it goes TU, I will dload it again or whatever.

Think of it like this, if you only have to worry about online banking, and you don't store any account data/passwords, and you use SBIE or LUA/SRP or VM or other such simple method, what do you stand to lose from infection? Infecting others, yes. Losing data? If it is backed up, no. If it is sensitive and you have a good scheme, then no. So why get all fussy about using HIPS and Firewalls that you have to continually maintain settings/configs for, that use your resources for.

You know, there are many ways today for users to be free of needing complete control, having to answer yes/no to everything. But, you have to desire this, and learn a little something to do it. It is not really hard, but you have to want to.

Some just like to play. Or be in complete control of everything that comes and goes. lol, I wonder what % here fall in that category. I used to. And some are tired of that and want something more transparent. Some don't care as long as it works. Some flat don't have the slightest care until something goes wrong. And some I am sure just don't get it, don't have a mind to follow such things, which is fine too. (I think the same people that have a hard time programming the vcr/dvd players might have a hard time with computers, but who knows).

So what is the correct security approach? IMO, if you don't back your data up or know what you are doing on restore/reinstall, maybe it is best you use a suite or learn 3rd party tools to keep everything at bay. Maybe you should just switch to LUA and learn how to live in that realm.

If you do know what you are doing, it opens the doors to many possible solutions, ranging from very secure/complicated to very easy and mabye not as secure. I fall there now. I want it easy, and I am not afraid to catch something. I have never caught anything myself other than a BHO I should have caught but was careless on a shareware install. I don't want to get bitten, but I certainly do not fear it. Inside 5 minutes I can be back to where I was. If my data drive is formatted, worst case scenario is I have to spend the time copying from dvd or server raid drives back to my data drive.

But like I say, it really depends on a few factors. You know, hopefully people get bitten who are not interested, and it makes them become interested so it does not happen again. I know lots who have had this happen. A few infections later, or lost photos etc, they suddenly become very attentive to what I was telling them before.

Ah, computers. Our world revolves around their use, our time is consumed by them, our security can be threatened by them, we can lose our identity/money from them. But oh, what a great great toy they are. So full of things to know, so fun to break and fix and figure out how they work.

Later.

Sul.

 

I am currently surfing on wilderssecurity with the browser on run safer in Online Armor Premium + the additional protection of NAV 2009 but I am also sometimes
protected by VMware since I am testing various defenses with it, currently privatefirewall and nod32 v.4 (av only). Am also behind a router and therefore protected by some hardware firewall as well. Well nothing is 100% safe but since I am doing some back up job with Acronis from time to time, well let's just say that I feel pretty safe.

 

When I started around win 98 , I got a good uninstall program.
That kept my PC in shape. Had no AV I think .. maybe an early AVG ...
I didn't bother with security until I got XP and had to go online
to register it. Wasn't sure if XP firewall would be enough, so got AVG anyhow , then started getting interested in security.

Found a wealth of knowledge at wilders.
But even here , people weren't always/often focused on exactly how [/I]people got infected, which was what I wanted to avoid !
Some posters were though , and really helped ( Rmus in particular ).

So now I'm much clear on how exploits work , and how my own attitude to risk influences me.
And much more disappointed/annoyed when I read all the FUD that the media comes out with when there is a computer virus outbreak .

 

Computers are technological jigsaw puzzles.

 

I like "computers serve to people" approach. So, there is no Trusted/Untrusted/Sandboxed/Unsendboxed/Quick Recovery/Immediate Recovery or similar endlessrecoveringjob for me. Just let Avira and Threatfire to find and kill malware for me. Know that I am old fashioned guy and that my pc is only 99,9% secure. In my country there is the saying "Life is harmful to health", so I do not care too much.

P.S. Thanks for great topic.

 

For free programs, go for the 'layered' approach.
First and foremost, install a good FW (hardware or software). I highly recommend Outpost Free.
Then a real-time anti-malware scanner like Avast or Avira and/or use a sandbox-type policy-based program like Sandboxie or GeSWall.
Alternatively, if you want complete control of any suspicious activity in your PC or an all-in-one suite, you can try COMODO Internet Security.
Having a rollback program like Macrium Reflect Free or a system virtualization like Returnil won't do any harm either.


For paid programs, an all-in-one suite would do just fine.
I highly recommend Norton 360.

 

The correct approach ... for me, is to turn the computer off at the end of the day and it to be still in the same, or as near to, condition it was when I turned it on, aka using virtualization products - Scrubbing the amassed crapware effects off, maintaining privacy, keeping Windows healthy.

Computers are Work/Pleasure, for me. I am now just picky about what I want remaining on them at the end of the day.

This site, Wilders, is probably the best I've come across for finding info about niche virtualization products that actually do as they say.

 

well a correct security approach is that which is understandable and usable.A pc should not be so tightly configured that let alone malware even the user can't get into it.

 

Your privacy is still compromised if you use a system virtualization alone.

It won't protect you from keyloggers and hackers. You need a firewall to compensate for this vulnerability.

I honestly believe that a firewall is the most fundamental part of ANY PC setup.

 

A properly configured SBIE setup can protect from keyloggers as it has the ability to restrict run or outbound access.

 

I agree with that. I definitely value *above all* the ability to control what of mine connects to the internet and what can potentially connect to me. My browsers are tighter than a ducks bum, for instance

I haven't lost sight of the firewall importance. Infact, Online Armor's firewall, that I use, goes much further than the traditional unauthorized connection protection. As someone that can't be bothered with limited user rights accounts; I can get "somewhere" near to the much recommended setting by adding as many functional Windows and 3rd party applications into permanent Reduced Rights/Untrusted state. As an XP user this has been as good as it's gonna get with LUA, for me.

The firewall lines are a bit blurred now for me - as to their role. But I agree with the point.

 

I agree that everyone needs to have a security strategy that covers their computing workflow and setup.

I would phrase that a bit differently:

My approach is to look at exploits in the wild. If I find one that can penetrate my defenses, then I will make a change.

Recent example:

Evidently thousands of individuals became infected by being re-directed from compromised (SQL injection) legitimate sites to one with malicious code. Upon investigation, I learned that the infections resulted from either an old IE6 exploit, or PDF exploit.

My Conclusion: already covered. No further action necessary.

----
rich

 

You are missing the whole point.

The phrase, "The correct security approach" implies one approach. "The" is a limiting adjectve.

No one can dictate for another, without understanding that person's computing workflow, technical expertise, state of mind, etc., The correct security approach. Anyway, I prefer the word "strategy" because it takes in one's mind-set, as well as security products.

In another thread, you are worried about LAN protection. For someone who doesn't use a LAN, this is a worry that is unfounded and irrelevant.

You also warn about using the Windows Picture and Fax Viewer. What if a person doesn't use it? Again, you are speculating and introducing a worry that is unfounded and irrelevant for that person.

In my view, you just can't make blanket statements about "The correct security approach."

----
rich

 

Agree.

 

well rmus if semantics is the issue then please do look at the " ? " at the end of the topic: "The correct security approach ? " so its a query not a statement

 

OK, I see that some think the "?" in the thread title softens the implication of the statement. So, I misinterpreted the meaning.

But I stand by my comment about "some approaches are better than others."

"Better" and "correct" are relative terms. Better in terms of what? That phrase is what caught my attention at first.

Probably not necessary, since you've now clarified it!

----
rich

 

Agree,

Our first and best security meaure consists of:
1. An offline harddisk
2. A monthly data backup (syncback free) with an old fashioned three generations repeating scheme (last month = child, last month -1 = parent, last month - 2 = grandparent)
3. A two generations image backup with a clean install image (with all our basic software, including some malware fighting software) using paragon.

Second level is a plain well configure router (all the usual stuff plus some specific measures against man in the middle threats).

Third level is changing all the defaults and using all the authentication abilities of hardware and OS, hardening by disabling all remote admin capabilities and distributed services needed in a business/corporate environment.

Fourth level the policy management capabilities of the OS

Fifth level a security software (either an HIPS or an AV), depending on the user (wife = DW, son = MSE, myself Appguard + SRP)

 

I really don't think there is a correct approach.

I bought my first computer in 98.
Came with Norton's Security Suite.
Used it for a year and moved on.
Since, I have tried many forms of security and many for at least a year.

NOD32, ZAPro, Kaspersky, Avast, Avira, AVG w/firewall, Trend Micro, GesWall etc,.etc.

In these almost 12 years I have never seen a virus, maleware or any other kind of nasty.

For the last 3 years my son has used AVG w/Firewall on his laptop with the same effects and he does alot more then I do.
I've suggested other forms of security but he likes the way AVG runs on his system.

My point being that I think there is more then just one's security set up.

Common sense plays a big part in my opinion.

My son and I would never open a suspicious e-mail, click on ads or go to questionable sights.

I think it comes down to what works the best on one's system with a little
common sense thrown in.

 

True off course, but what about a trusted friend, who might have his e-mail address hijacked from a third party of even his service provider.

The smart intrusions using social engineering and exploits are only common knowlegde to an incrowd after they have surfaced. So common knowledge will not help to this types of events.

It basically boils down to likely hood of an event is going to happen to you (and others in your home network) specifically and the impact they have.

Default deny execution (1) and policy management/virtualisation (2) are the two most proven prevent something from happening (1) and limit their impact (2).

Filtering out anomolies/un-addressed request (e.g. firewall at basic level and spam filter at specific level) and and known bad guys (anti virus) will reduce the chances of something to happen dramatically. Discussions on what is best is personal preferences within the options available.

Again commen sense will not help you much at low level intrusions (e.g. the firewall filtering out unsollicitated messages or messages with protocol errors at network level, or stack/buffer overflow exploits at process level or code exploits hidden in data formats such as PDF or JPG at data level).

Common sense is a toping on your approach and highly overrated for its effectiveness when dealing with low level intrusions.

Regards Kees

 

There is no single correct approach to security. Every method has its strengths and weaknesses, advantages and disadvantages. The best approach is the one that matches the users skill, needs, and available time.

I started with a security suite, Norton Internet Security, a firewall, AV, popup blocking, privacy defender combination. I fell for the "one suite does it all" advertising, 2002 I think it was. Less than 6 months later, a malicious webpage went right through the popup blocker, crashed the AV and then the firewall. The whole suite crashed followed by the OS. Upon reboot, Norton informed me that I was infected but it couldn't remove it. Later on, something on that system decided to connect out (dialup internet service at the time) in the middle of the night, granted itself internet access through the firewall and send out several megabytes of data. Whatever it was then deleted itself. Norton logged the entire event but did nothing to prevent it. That was the last security suite I've used.

Afterwards, I learned about free AVs, firewalls, and other tools. Installed AntiVir, which was a keeper for many years. Went through a few firewalls, Zone Alarm, Tiny, and eventually Kerio, which I still use. Found anti-spyware software. Somewhere during this time, I got the idea that if one is good, two or more is better. That evolved into 2 firewalls, 3 AVs, too many anti-spyware, and most every other free security app I could find. It was a configuration nightmare that went to hell every time one of them updated. My system was very bogged down and every time one of them updated, the new version was more bloated than the one before. I was dragging my system to a halt. Sure, my system was quite secure, but for the wrong reasons. There weren't any resources left to run malware.

I was forced to abandon this mess by AV updates that made it nearly impossible to run the AVs the way I wanted. I also lost all trust and respect for some anti-spyware apps/companies when I found that they ignored their own threat assessment criteria when an adware company threatened to sue them. After a very heated debate at their forum, several of us walked away and/or were banned for having the nerve to question them in open forum. Combined with similar incidents involving other signature based security software, I'd lost all trust in such products.

About this time I learned about System Safety Monitor, somewhere around version 1.8. By this time, I had a basic working knowledge of how Windows worked, but was very intimidated by SSM. It was a lot different in its early days, but was probably the best teacher I'd ever had regarding how an OS worked and how to defend it. By the time SSM 1.94 was released, it was at the core of my defenses. About that time, AntiVir updated from a smooth running, lightweight AV to a version with too many processes, unfixed bugs, stability issues, the works. Their forums were plugged with complaints for problems that weren't being fixed. I'd obtained more hardware by this time, so I made a copy of my system, secured it with SSM and Kerio, and made a serious effort to infect it. After about 6 months of malicious and drive-by sites, infected mail, and collecting every piece of malware I could get (about 40MB worth), I concluded that SSM was completely capable of preventing my system from being altered unless I chose to allow it, and SSM could be set up to say no for me. I no longer had to worry about what another user might do. Default-deny had impressed me enough to become my security policy. I threw out every AV, anti-trojan, anti-spyware, etc and started using the core package that I'm using now, SSM, Kerio 2.1.5, Proxomitron. Since then, I've applied the default-deny policy to the activities of the allowed processes, their internet access, and the web content reaching internet apps. It's been over 5 years since anything has infected my system. The performance improvement was amazing. With Norton, my boot time was almost 3 minutes. It was worse with my multiple firewall, AV mess. Now it's 45 seconds. With no AV in the way, my internet connection flies. For me, default-deny is THE correct security approach. My system will not change at all unless I specifically choose to change it.

I would not expect someone who isn't a computer hobbyist to adopt this approach. The time it takes to learn your system well enough to implement such a defense makes it the wrong security approach for most users. I wouldn't dare to implement this full package on any of my clients PCs, but I can use some of the components with more permissive settings. No matter what approach you choose, there's a price to pay, but that price doesn't have to be paid with money. I paid with time, time spent learning my system and the apps I use. Those who can't or won't invest their time pay with money and get a security suite.

Sandboxing is another approach that can be very good. I'm quite impressed with SandBoxie but I will not put it in the position of having to stand alone. On the Win2K system it's installed on, I use it to isolate the attack surface. The rest of the OS is still protected by my standard package and security policy. The same applies when I use a virtual OS. The host system is default-deny protected. IMO, that's the correct approach when using these tools. No matter how good they are, there's no guarantee that some malicious code won't find a way to break out of that containment and infect the underlying system. If/when that happens, chances are that you won't be aware of it. They should not be expected to stand alone.

System backups should be part of every approach, no matter what it is. I don't consider backups to be part of my security package. Except for test systems, I've never had to use one to fix an infection. That said, there's plenty of other reasons to have backups of both system and data:

• hardware failure
• accidental deletion
• file corruption
• a new application proves to be incompatible with other software
• a defective Windows update
• a security app update with false positives that deletes or quarantines system files
• an update to an app you use breaks something else or takes away features you want, and you want the old version back

What you use for backups isn't that important, as long as it works. Until you know that it can be trusted to work properly, you should find a way to test it. A 2nd hard drive bought used will do. Depending on what you use, a virtual system may work as well. Nothing is worse than needing to restore your system and finding the backups are corrupt or incomplete.